Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content

A “major” security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them.
The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.
While the problem exists in Apple Safari and Mozilla Firefox as well, what makes the issue severe in Chrome is that the requirement for a user gesture to copy content to the clipboard is currently broken.
User gestures include selecting a piece of text and pressing Control+C (or ⌘-C for macOS) or selecting “Copy” from the context menu.
“Therefore, a gesture as innocent as clicking on a link or pressing the arrow key to scroll down the page gives the website permission to overwrite your system clipboard,” Johnson noted.
The ability to substitute clipboard data poses security implications. In a hypothetical attack scenario, an adversary could lure a victim to visit a rogue landing page and rewrite the address of a cryptocurrency wallet previously copied by the target with one under their control, resulting in unauthorized fund transfers.
Alternatively, threat actors could overwrite the clipboard with a link to specially crafted websites, leading victims to download dangerous software.
“While you’re navigating a web page, the page can without your knowledge erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste,” Johnson explained.
Google is already aware of the issue and a patch is expected to be released soon, given the seriousness of the flaw and the likelihood of abuse by malicious actors.
In the interim, users are advised to refrain from opening web pages between any cut/copy and paste actions and verify their clipboard before carrying out sensitive operations on the web, such as financial transactions.
The development comes as Google released a new version of Chrome (105.0.5195.52/53/54) for Windows, macOS, and Linux with fixes for 24 shortcomings, 10 of which relate to use-after-free bugs in Network Service, WebSQL, and PhoneHub, among others.


JuiceLedger Hackers Behind the Recent Phishing Attacks Against PyPI Users

More details have emerged about the operators behind the first-known phishing campaign specifically aimed at the Python Package Index (PyPI), the official third-party software repository for the programming language.
Connecting it to a threat actor tracked as JuiceLedger, cybersecurity firm SentinelOne, along with Checkmarx, described the group as a relatively new entity that surfaced in early 2022.
Initial “low-key” campaigns are said to have involved the use of rogue Python installer applications to deliver a .NET-based malware called JuiceStealer that’s engineered to siphon passwords and other sensitive data from victims’ web browsers.
The attacks received a significant facelift last month when the JuiceLedger actors targeted PyPI package contributors in a phishing campaign, resulting in the compromise of three packages with malware.
“The supply chain attack on PyPI package contributors appears to be an escalation of a campaign begun earlier in the year which initially targeted potential victims through fake cryptocurrency trading applications,” SentinelOne researcher Amitai Ben Shushan Ehrlich said in a report.
The goal is presumably to infect a wider audience with the infostealer through a mix of trojanized and typosquat packages, the cybersecurity firm added.
The development adds to growing concerns surrounding the security of the open source ecosystem, prompting Google to take steps to announce monetary rewards for finding flaws in its projects available in the public domain.
With account takeover attacks becoming a popular infection vector for attackers looking to poison software supply chains, PyPI has begun imposing a mandatory two-factor authentication (2FA) requirement for projects deemed “critical.”
“JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor,” SentinelOne said.


Twilio Breach Also Compromised Authy Two-Factor Accounts of Some Users

Twilio, which earlier this month fell victim to a sophisticated phishing attack, disclosed last week that the threat actors also managed to gain access to the accounts of 93 individual users of its Authy two-factor authentication (2FA) service.
The communication tools company said the unauthorized access made it possible for the adversary to register additional devices to those accounts. It has since identified and removed the illegitimately added devices from the impacted accounts.
Authy, acquired by Twilio in February 2015, allows safeguarding online accounts with a second security layer to prevent account takeover attacks. It’s estimated to have nearly 75 million users.
Twilio further noted its investigation as of August 24, 2022, turned up 163 affected customers, up from 125 it reported on August 10, whose accounts it said were hacked for a limited period of time.
Besides Twilio, the sprawling campaign, dubbed 0ktapus by Group-IB, is believed to have struck 136 companies, including Klaviyo, MailChimp, and an unsuccessful attack against Cloudflare that was thwarted by the company’s use of hardware security tokens.
Targeted companies span technology, telecommunications, and cryptocurrency sectors, with the campaign employing a phishing kit to capture usernames, passwords, and one-time passwords (OTPs) via rogue landing pages that mimicked the Okta authentication pages of the respective organizations.
The data was then secretly funneled to a Telegram account controlled by the cybercriminals in real time, which enabled the threat actor to pivot and target other services in what’s called a supply chain attack aimed at DigitalOcean, Signal, and Okta, effectively widening the scope and scale of the intrusions.
In all, the phishing expedition is believed to have netted the threat actor at least 9,931 user credentials and 5,441 multi-factor authentication codes.
Okta, for its part, confirmed the credential theft had a ripple effect, resulting in the unauthorized access of a small number of mobile phone numbers and associated SMS messages containing OTPs through Twilio’s administrative console.
Stating that the OTPs have a five-minute validity period, Okta said the incident involved the attacker directly searching for 38 unique phone numbers on the console – nearly all of them belonging to one single entity – with the goal of expanding their access.
“The threat actor used credentials (usernames and passwords) previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for one-time passwords sent in those challenges,” Okta theorized.
Okta, which is tracking the hacking group under the moniker Scatter Swine, further revealed its analysis of the incident logs “uncovered an event in which the threat actor successfully tested this technique against a single account unrelated to the primary target.”
Like in the case of Cloudflare, the identity and access management (IAM) provider reiterated that it’s aware of several cases where the attacker sent out a blast of SMS messages targeting employees and their family members.
“The threat actor likely harvests mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations,” Okta pointed out.
Another supply chain victim of the campaign is food delivery service DoorDash, which said it detected “unusual and suspicious activity from a third-party vendor’s computer network,” prompting the company to disable the vendor’s access to its system to contain the breach.
According to the company, the break-in permitted the attacker to access names, email addresses, delivery addresses, and phone numbers associated with a “small percentage of individuals.” In select cases, basic order information and partial payment card information was also accessed.
DoorDash, which has directly notified affected users, noted that the unauthorized party also obtained delivery drivers’ (aka Dashers) names and phone numbers or email addresses, but emphasized that passwords, bank account numbers, and Social Security numbers were not accessed.
The San Francisco-based firm did not divulge additional details on who the third-party vendor is, but it told TechCrunch that the breach is linked to the 0ktapus phishing campaign.


India’s Newest Airline Akasa Air Found Leaking Passengers’ Personal Information

Akasa Air, India’s newest commercial airline, exposed the personal data belonging to its customers that the company blamed on a technical configuration error.
According to security researcher Ashutosh Barot, the issue is rooted in the account registration process, leading to the exposure of details such as names, gender, email addresses, and phone numbers.
The bug was identified on August 7, 2022, the same day the low-cost airline commenced its operations in the country.
“I found an HTTP request which gave my name, email, phone number, gender, etc. in JSON format,” Barot said in a write-up. “I immediately changed some parameters in [the] request and I was able to see other user’s PII. It took around ~30 minutes to find this issue.”
Upon receiving the report, the company said it temporarily shut down parts of its system to incorporate additional security guardrails. It has also reported the incident to the Indian Computer Emergency Response Team (CERT-In).
Akasa Air emphasized that no travel-related information or payment details were left accessible and that there is no evidence the glitch was exploited in the wild.
The airline further said it has directly notified affected users of the incident, although the scale of the leak remains unclear, adding it “advised users to be conscious of possible phishing attempts.”


Crypto Miners Using Tox P2P Messenger as Command and Control Server

Threat actors have begun to use the Tox peer-to-peer instant messaging service as a command-and-control method, marking a shift from its earlier role as a contact method for ransomware negotiations.
The findings come from Uptycs, which analyzed an Executable and Linkable Format (ELF) artifact (“72client”) that functions as a bot and can run scripts on the compromised host using the Tox protocol.
Tox is a serverless protocol for online communications that offers end-to-end encryption (E2EE) protections by making use of the Networking and Cryptography library (NaCl, pronounced “salt”) for encryption and authentication.
“The binary found in the wild is a stripped but dynamic executable, making decompilation easier,” researchers Siddharth Sharma and Nischay Hedge said. “The entire binary appears to be written in C, and has only statically linked the c-toxcore library.”
It’s worth noting that c-toxcore is a reference implementation of the Tox protocol.
The reverse engineering undertaken by Uptycs shows that the ELF file is designed to write a shell script to the location “/var/tmp/” – a directory used for temporary file creation in Linux – and launch it, enabling it to run commands to kill crypto miner related processes.
Also executed is a second routine that allows it to run a number of specific commands (e.g., nproc, whoami, machine-id, etc.) on the system, the results of which are subsequently sent over UDP to a Tox recipient.
Additionally, the binary comes with capabilities to receive different commands through Tox, based on which the shell script is updated or gets executed on an ad-hoc basis. An “exit” command issued quits the Tox connection.
Tox has been historically used by ransomware actors as a communication mechanism, but the latest development marks the first time the protocol is being used to run arbitrary scripts on an infected machine.
“While the discussed sample does not do anything explicitly malicious, we feel that it might be a component of a coinminer campaign,” the researchers said. “Therefore, it becomes important to monitor the network components involved in the attack chains.”
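The researchers’ recommendation to monitor the network and process components of this chain can be turned into a simple host-side detection: flag a script launched from /var/tmp whose children run the recon commands named above (nproc, whoami, machine-id) while the script or an ancestor process holds a UDP socket. This is an added example written for this digest, not Uptycs’ tooling; the key=value event format, process IDs and addresses are constructed for illustration.

```python
"""Detection heuristic for the /var/tmp script + recon + UDP pattern described above.
Event format (type=exec / type=net, key=value fields) is an assumed, constructed layout."""
import re
from collections import defaultdict

# Constructed sample telemetry: a bot-like process tree plus a benign build script.
SAMPLE_EVENTS = """
type=exec pid=4101 ppid=1 exe=/home/svc/72client cmd="/home/svc/72client"
type=exec pid=4102 ppid=4101 exe=/bin/sh cmd="/bin/sh /var/tmp/run.sh"
type=exec pid=4103 ppid=4102 exe=/usr/bin/nproc cmd="nproc"
type=exec pid=4104 ppid=4102 exe=/usr/bin/whoami cmd="whoami"
type=exec pid=4105 ppid=4102 exe=/bin/cat cmd="cat /etc/machine-id"
type=net pid=4101 proto=udp dst=203.0.113.7:33445
type=exec pid=5200 ppid=1 exe=/usr/bin/bash cmd="bash /home/alice/build.sh"
type=exec pid=5201 ppid=5200 exe=/usr/bin/nproc cmd="nproc"
""".strip().splitlines()

RECON = {"nproc", "whoami", "machine-id"}   # recon commands named in the report
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Turn one key=value event line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def find_tox_bot_chains(lines):
    """Return one finding per /var/tmp script whose children run >=2 recon
    commands and whose own process tree (self or ancestors) used UDP."""
    events = [parse(l) for l in lines]
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "exec"}
    children = defaultdict(list)               # pid -> cmdlines of direct children
    for e in events:
        if e["type"] == "exec":
            children[e["ppid"]].append(e["cmd"])
    udp_pids = {e["pid"] for e in events if e["type"] == "net" and e["proto"] == "udp"}
    findings = []
    for e in events:
        if e["type"] != "exec" or not re.search(r"\s/var/tmp/\S+", e["cmd"]):
            continue
        seen = {tok for c in children[e["pid"]] for tok in RECON if tok in c}
        pid, has_udp = e["pid"], False
        while pid in parent and not has_udp:   # walk up towards init
            has_udp = pid in udp_pids
            pid = parent[pid]
        if len(seen) >= 2 and has_udp:
            findings.append({"pid": e["pid"], "script": e["cmd"], "recon": sorted(seen)})
    return findings
```

The benign build script also runs nproc but trips neither the /var/tmp nor the UDP condition, which is what keeps the rule from firing on ordinary CI or admin activity.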
The disclosure also arrives amid reports that the decentralized file system solution known as IPFS is being increasingly used for hosting phishing sites in an effort to make takedowns more difficult.
