From The Blog

Displaying items by tag: Security

Google’s Chrome (and its derivatives) is one of the most popular browsers on the market. It reached that position through a well-orchestrated marketing push, dissatisfaction with Microsoft, and being one of the faster and more secure browsers (at the time). However, the popularity of the browser, combined with some less-than-stellar security policies in the Chrome Web Store, has made it an attractive target for attackers.
Google recently removed a total of 32 malicious extensions from the store, with downloads possibly totaling 75 million.

Published in News

A couple of days ago an email was sent to me about a new toolkit being sold on the darker side of the internet. The claim was that this new tool could kill the processes behind “any” AV, EDR, or XDR running on Windows 7 and newer. The same email included a link to what was supposed to be proof of its efficacy. I opened the link in a sandbox on a controlled VM just to be sure the link was not malicious all on its own. What I saw was nothing all that new, although it was a bit worrying.

Published in News

The RomCom backdoor malware appears to have a new campaign running. The new campaign impersonates different software packages (some real, some not). The goal is to trick the unwary into downloading, and hopefully launching, malicious payloads. This type of campaign leverages ad services like Google Ads as a “trusted” platform, running ads for software that is either often sought after or currently very popular, like ChatGPT, PDF readers, remote management software, etc. The same lures are also, at times, used as links in targeted or blanket phishing and social engineering attacks to get the malware onto the targeted systems.

Published in News

On May 19th 2023 Barracuda disclosed a critical vulnerability in their Email Security Gateway (ESG) appliances. The vulnerability is tracked as CVE-2023-2868 and is classified as a remote command injection vulnerability. The flaw is present in software versions 5.1.3.001 through 9.2.0.006 and affects the ESG appliances only. Because this was disclosed as a zero-day vulnerability, there was an accelerated patch release schedule, with the first patches made available on May 20th.

Published in News

Apple’s System Integrity Protection (SIP) has been something of a mixed bag when it comes to security. It is a great feature from a raw, basic security viewpoint, but the same feature has also created challenges for the installation of third-party anti-malware and other security tools since its launch. All that aside, Microsoft, of all people, has shared details on a vulnerability that attackers can use to completely bypass the protections that SIP is supposed to offer.

Published in News

This one will get filed in the “you knew it was going to happen” file. After Google’s announcement of a few new top-level domains (TLDs), including .zip and .mov, the security world silently shook its head. The concept of using file extensions as TLDs is one that defies logic. As soon as I read about these new domains, I knew someone was going to create phishing or malware attacks with URLs that look like common file names. These attacks can leverage modern web design to make a target think they are using an application to run or open the file when they are really executing commands in the background to compromise their systems. Lo and behold! We now have a file archiver in the browser, as shown off by mr.d0x.
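The URL-parsing behaviour behind these lookalike links can be checked directly. The following is an added example, not code from the original post or from mr.d0x’s demo: it feeds text tokens to the WHATWG `URL` parser (the same parser browsers implement) to show where a “file name” actually navigates, and flags hosts under a file-extension TLD. The TLD list, the sample tokens and the lookalike host `v1271.zip` are constructed for illustration. The lookalike token goes one step beyond the post: it uses U+2215 (division slash) in place of `/`, so that everything before the `@` is parsed as userinfo rather than a path, and the real destination is the host after the `@`.

```javascript
// Added example (not from the original post): classify text tokens the way a
// browser's URL parser does and flag those that navigate to a host under a
// file-extension TLD. TLD list and sample inputs are constructed for illustration.
const FILE_EXT_TLDS = new Set(["zip", "mov"]);

function classifyToken(token) {
  // Chat and mail clients auto-link a bare "report.zip" as a hostname, so
  // model that by assuming https:// when the token carries no scheme.
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(token);
  let url;
  try {
    url = new URL(hasScheme ? token : `https://${token}`);
  } catch {
    // Not parseable as a URL (e.g. contains spaces): nothing to navigate to.
    return { token, navigable: false, host: null, fileExtTld: false, userinfoSpoof: false, suspicious: false };
  }
  const tld = url.hostname.split(".").pop();
  const fileExtTld = FILE_EXT_TLDS.has(tld);
  // Everything between "//" and the last "@" in the authority is userinfo, not a
  // path. "github.com∕kubernetes∕archive@v1271.zip" (U+2215 lookalike slashes)
  // therefore navigates to v1271.zip, not to github.com.
  const userinfoSpoof = url.username.length > 0 || url.password.length > 0;
  return {
    token,
    navigable: true,
    host: url.hostname, // lowercased, as the browser will resolve it
    fileExtTld,
    userinfoSpoof,
    suspicious: fileExtTld || userinfoSpoof,
  };
}

// Constructed sample "attachments" and links as they might appear in a message.
const SLASH_LOOKALIKE = "\u2215"; // U+2215 DIVISION SLASH, visually close to "/"
const SAMPLES = [
  "report-Q2.zip",                         // bare file name: navigates to report-q2.zip
  "https://example.com/files/invoice.zip", // genuine path on example.com: fine
  `https://github.com${SLASH_LOOKALIKE}kubernetes${SLASH_LOOKALIKE}archive@v1271.zip`,
  "holiday.mov",                           // the other file-extension TLD
  "not a url at all",                      // rejected by the parser
];

function scan(tokens) {
  return tokens.map(classifyToken).filter((r) => r.suspicious);
}

function report(tokens) {
  return scan(tokens).map(
    (r) => `${r.token} -> navigates to ${r.host}` +
      (r.userinfoSpoof ? " (text before @ is userinfo, not a path)" : ""),
  );
}

console.log(report(SAMPLES).join("\n"));
```

Running the block lists three of the five samples: the bare `.zip` and `.mov` names, which a browser resolves as hostnames, and the lookalike, whose visible “github.com” is discarded as userinfo. The genuine `example.com/files/invoice.zip` path is not flagged because its hostname ends in `.com`.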

Published in News

Leaks of tools used by threat groups and spying agencies are events of inestimable importance in both the threat-group and security worlds. To threat groups this is like free money: they now have access to someone else’s development efforts, meaning they can spend less developing the next payload for their own interests. On the security side it means there is a high potential to see new variants of these tools hitting the wild, which defenders must now guard against. It also widens the pool of attackers they must defend against, since even unsophisticated groups now have access to all the fun tools.

Published in News

Geoffrey Hinton, a former engineering fellow at Google and a vice president focusing on AI, has made comments after his retirement from Google earlier this month (May 2023). Although his retirement was about more than his change of mind on AI (he was also 75), he has said that his concern has only grown seeing the state of AI and how hard organizations are pushing for it.

Published in Editorials

The Google Play Store is, and has always been, something of a playground for mobile malware groups. Over the past few years hundreds of malicious apps have been uncovered, with tens of thousands of downloads. Everything from banking malware to information stealers and worse has been identified in the store. Google, to their credit, has tried to find a solution to this. The problem is that the mobile device market is about as secure as the PC industry was in the late 90s, given the shovelware from mobile device makers and then carriers.

Published in News

In the never-ending saga of ransomware, the threat groups that deploy or leverage this tool for financial gain are always looking for new methods of installation and ways to avoid increasingly sophisticated security measures. Although most organizations might not employ overly sophisticated security, the really good targets might. Even the use of advanced MDR/XDR shrinks the exposure window for many ransomware attacks, which is exactly why the attackers keep looking for ways around it.

Published in News