Google has removed a screen recording app named “iRecorder – Screen Recorder” from the Play Store after it was found to sneak in information stealing capabilities nearly a year after the app was published as an innocuous app.
The app (APK package name “com.tsoft.app.iscreenrecorder”), which accrued over 50,000 installations, was first uploaded on September 19, 2021. The malicious functionality
Related Posts
PHP Servers Vulnerability Exploited To Inject PacketCrypt Cryptocurrency Miner
A significant PHP server vulnerability identified as CVE-2024-4577 was exploited to inject PacketCrypt Classic Cryptocurrency Miner.
This PHP CGI argument injection vulnerability allows an attacker to obtain remote code execution (RCE) on vulnerable PHP versions, mostly those running under Windows with Chinese or Japanese language locales.
The vulnerability was identified by Orange Tsai in June 2024. watchTowr Labs followed up with a proof-of-concept exploit and a detailed blog article.
The vulnerability has seen several exploit attempts, indicating strong exploitability and quick adoption by threat actors.
Observed exploitation has included command injection and the deployment of several malware families, such as Gh0st RAT, RedTail cryptominers, and XMRig.
PacketCrypt Classic Cryptocurrency Miner On PHP Servers
According to research by senior consultant and researcher Yee Ching Tok, the observed web request activity appears to target PHP servers that are either vulnerable (for example, to the recent CVE-2024-4577) or misconfigured in a way that allows unrestricted public access to php-cgi.exe.
First, dr0p.exe retrieved a secondary file pkt1.exe (e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562) from 23.27.51.244.
According to Shodan, the US-based IP address had four open ports (22, 80, 110, and 6664) and was running the EvilBit Block Explorer on port 80.
The file pkt1.exe in turn launches an executable named packetcrypt.exe and passes it a PacketCrypt (PKT Classic) wallet address (pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a) as one of its parameters.
If your PHP servers have not been upgraded in a long time, this should serve as a reminder to system owners to patch, to audit their web servers for vulnerabilities, and to investigate unexpected performance problems that may be caused by crypto miners.
Apache fixes remote code execution bypass in Tomcat web server
Apache has released a security update that addresses an important vulnerability in the Tomcat web server that could lead to an attacker achieving remote code execution. […]
SquareX Researchers Uncover OAuth Vulnerability in Chrome Extensions Days Before Major Breach
SquareX, an industry-first Browser Detection and Response (BDR) solution, leads the way in browser security. About a week ago, SquareX reported large-scale attacks targeting Chrome Extension developers aimed at taking over the Chrome Extension from the Chrome Store.
On December 25th, 2024, a malicious version of Cyberhaven’s browser extension was published on the Chrome Store that allowed the attacker to hijack authenticated sessions and exfiltrate confidential information.
The malicious extension was available for download for more than 30 hours before being removed by Cyberhaven. The data loss prevention company declined to comment on the extent of the impact when approached by the press, but the extension had over 400,000 users on the Chrome Store at the time of the attack.
Unfortunately, the attack took place just a week after SquareX’s researchers had identified a similar attack and published a video demonstrating the entire attack pathway.
The attack begins with a phishing email impersonating the Chrome Store that alleges a violation of the platform’s “Developer Agreement” and urges the recipient to accept the policies to prevent their extension from being removed from the Chrome Store. Upon clicking the policy button, the user is prompted to connect their Google account to a “Privacy Policy Extension”, which grants the attacker access to edit, update and publish extensions on the developer’s account.
Extensions have become an increasingly popular way for attackers to gain initial access. This is because most organizations have limited purview on what browser extensions their employees are using. Even the most rigorous security teams typically do not monitor subsequent updates once an extension is whitelisted.
SquareX researchers, in their extensive study presented at DEFCON 32, highlighted critical vulnerabilities in MV3-compliant Chrome extensions.
They demonstrated how such extensions could be exploited to hijack video stream feeds, silently add unauthorized GitHub collaborators, and exfiltrate session cookies, among other malicious activities.
Attackers can weaponize this vulnerability either by publishing an innocuous extension that is later updated with malicious capabilities post-installation, or by compromising trusted extensions with substantial user bases, for example by deceiving their developers into granting unauthorized access.
This was notably seen in the Cyberhaven breach, where attackers used a malicious version of an extension to steal corporate credentials across various websites and web applications.
The publicly available developer contact emails listed on the Chrome Web Store exacerbate the issue. These emails, typically intended for bug reports, allow attackers to easily target numerous extension developers simultaneously.
Even in large organizations, support emails are often routed to individual developers who may lack the necessary security expertise to recognize these sophisticated social engineering attacks.
Based on SquareX’s disclosure and the Cyberhaven breach that occurred within a span of two weeks, there is significant evidence to suggest that similar attacks are targeting other browser extension providers on a broad scale.
SquareX strongly recommends that organizations and users exercise rigorous caution when installing or updating browser extensions and perform comprehensive security reviews to mitigate these risks.
The SquareX team understands that it can be non-trivial to evaluate and monitor every single browser extension in the workforce amidst all the competing security priorities, especially when it comes to zero-day attacks. As demonstrated in the video, the fake privacy policy app involved in Cyberhaven’s breach was not detected by any popular threat feed.
SquareX’s Browser Detection and Response (BDR) solution takes this complexity off security teams by:
- Blocking OAuth interactions with unauthorized websites, to prevent employees from accidentally giving attackers unauthorized access to your Chrome Store account
- Blocking and/or flagging any suspicious extension updates containing new, risky permissions
- Blocking and/or flagging any suspicious extensions with a surge of negative reviews
- Blocking and/or flagging installations of sideloaded extensions
- Streamlining all requests for extension installations outside the authorized list for quick approval based on company policy
- Providing full visibility into all extensions installed and used by employees across the organization
SquareX’s founder Vivek Ramachandran warns: “Identity attacks targeting browser extensions similar to this OAuth attack will only become more prevalent as employees rely on more browser-based tools to be productive at work.
Similar variants of these attacks have been used in the past to steal cloud data from apps like Google Drive and OneDrive, and we will only see attackers get more creative in exploiting browser extensions.
Companies need to remain vigilant and minimize their supply chain risk without hampering employee productivity by equipping them with the right browser native tools.”
About SquareX:
SquareX helps organizations detect, mitigate, and threat-hunt client-side web attacks happening against their users in real-time.
SquareX’s industry-first Browser Detection and Response (BDR) solution takes an attack-focused approach to browser security, ensuring enterprise users are protected against advanced threats like malicious QR codes, Browser-in-the-Browser phishing, macro-based malware, and other web attacks encompassing malicious files, websites, scripts, and compromised networks.
With SquareX, enterprises can provide contractors and remote workers with secure access to internal applications and enterprise SaaS, and convert the browsers on BYOD / unmanaged devices into trusted browsing sessions.
For more details, you can reach out to junice@sqrx.com.
The post SquareX Researchers Uncover OAuth Vulnerability in Chrome Extensions Days Before Major Breach appeared first on Cyber Security News.