<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/62/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Free Download Manager site redirected Linux users to malware for years</title><link>https://nsaneforums.com/news/security-privacy-news/free-download-manager-site-redirected-linux-users-to-malware-for-years-r18537/</link><description><![CDATA[<p>
	A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware.
</p>

<p>
	The malware used in this campaign establishes a reverse shell to a C2 server and installs a Bash stealer that collects user data and account credentials.
</p>

<p>
	Kaspersky discovered the potential supply chain compromise case while investigating suspicious domains, finding that the campaign has been underway for over three years.
</p>

<p>
	Although the cybersecurity company informed the software vendor, it has not received a response, so the exact means of compromise remains unclear.
</p>

<p>
	BleepingComputer has also contacted the vendor of Free Download Manager for a comment, but we haven't heard back by publication time.
</p>

<p>
	<span style="font-size:22px;"><strong>Direct downloads and redirections</strong></span>
</p>

<p>
	Kaspersky says that the official download page hosted on "freedownloadmanager[.]org" would sometimes redirect those attempting to download the Linux version to a malicious domain at "deb.fdmpkg[.]org," which hosts a malicious Debian package.
</p>

<p>
	Due to this redirection happening only in some cases and not in all instances of attempted downloads from the official site, it is hypothesized that scripts targeted users with malicious downloads based on specific but unknown criteria.
</p>

<p style="text-align:center;">
	<img alt="redirection.jpg" class="ipsImage" data-ratio="75.10" height="382" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/7/redirection.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><strong><em>The redirection captured in a YouTube installation tutorial (BleepingComputer)</em></strong></span>
</p>

<p>
	Kaspersky observed various posts on social media, Reddit, StackOverflow, YouTube, and Unix Stack Exchange, where the malicious domain was disseminated as a reliable source for getting the Free Download Manager tool.
</p>

<p>
	Furthermore, a 2021 post on the official Free Download Manager website shows an infected user pointing out the malicious 'fdmpkg.org' domain and being told that it is not affiliated with the official project.
</p>

<p>
	On the same sites, users discussed problems with the software over the past three years, exchanging opinions about suspicious files and cron jobs it created, none realizing they were infected with malware.
</p>

<p>
	While Kaspersky states that the redirection stopped in 2022, old YouTube videos [1, 2] clearly show download links on the official Free Download Manager site redirecting some users to the malicious http://deb.fdmpkg[.]org URL rather than to freedownloadmanager.org.
</p>

<p>
	However, this redirection was not used for everyone, with another video from around the same time showing a user downloading the program from the official URL instead.
</p>

<p>
	<span style="font-size:22px;"><strong>Deploying info-stealing malware</strong></span>
</p>

<p>
	The malicious Debian package, the format used for installing software on Debian-based Linux distributions, including Ubuntu and Ubuntu-based forks, drops a Bash information-stealing script and a crond backdoor that establishes a reverse shell to the C2 server.
</p>

<p>
	The crond component creates a new cron job on the system that runs a stealer script upon system startup.
</p>

<p>
	Kaspersky found that the crond backdoor is a variant of the 'Bew' malware, in circulation since 2013, while the Bash stealer was first spotted in the wild and analyzed in 2019, so the toolset isn't novel.
</p>

<p>
	The Bash stealer version analyzed by Kaspersky collects system info, browsing history, passwords saved on browsers, RMM authentication keys, shell history, cryptocurrency wallet data, and account credentials for AWS, Google Cloud, Oracle Cloud Infrastructure, and Azure cloud services.
</p>

<p style="text-align:center;">
	<img alt="info-stealer.jpg" class="ipsImage" data-ratio="75.10" height="461" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/l/linux/info-stealer.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em><strong>The Bash information-stealing malware</strong></em></span>
</p>

<p>
	This collected data is then uploaded to the attackers' server, where it can be used to conduct further attacks or sold to other threat actors.
</p>

<p>
	If you have installed the Linux version of the Free Download Manager between 2020 and 2022, you should check and see if the malicious version was installed.
</p>

<p>
	To do this, look for the following files dropped by the malware, and if found, delete them:
</p>

<ul>
	<li>
		/etc/cron.d/collect
	</li>
	<li>
		/var/tmp/crond
	</li>
	<li>
		/var/tmp/bs
	</li>
</ul>

<p>
	Despite the age of the malicious tools used in these attacks, the signs of suspicious activity on infected computers, and multiple social media reports, the malicious Debian package remained undetected for years.
</p>

<p>
	Kaspersky says this is due to a combination of factors, including the rarity of malware on Linux and the limited spread due to only a portion of users being redirected to the unofficial URL.
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/free-download-manager-site-redirected-linux-users-to-malware-for-years/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18537</guid><pubDate>Tue, 12 Sep 2023 16:37:30 +0000</pubDate></item><item><title>MGM Resorts: Slot machines go down in cyber-attack on firm</title><link>https://nsaneforums.com/news/security-privacy-news/mgm-resorts-slot-machines-go-down-in-cyber-attack-on-firm-r18536/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Customers have reported problems with slot machines and online room booking systems following a cyber-attack on casino and hotel giant MGM Resorts.</strong></span>
</p>

<p>
	Certain systems were shut down due to a "cyber-security issue", the firm said.
</p>

<p>
	But it added that its facilities remained "operational".
</p>

<p>
	One customer at the MGM Grand in Las Vegas said she had walked into the wrong room because the hotel's digital keys were malfunctioning, and said staff had to distribute physical keys.
</p>

<p>
	Staff offered her a complimentary stay as compensation, she told the BBC.
</p>

<p>
	She also posted a video on TikTok of slot machines and gambling games at the resort switched off.
</p>

<p>
	Other people have taken to social media to complain about cancelled reservations, not being able to check in, make card payments or log in to their MGM accounts. One customer said he'd had to leave the MGM Grand in order to find cash to buy food.
</p>

<p>
	In a statement posted on X, formerly known as Twitter, MGM Resorts said it had begun an investigation "with assistance from leading external cybersecurity experts".
</p>

<p>
	"We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems," the statement said.
</p>

<p>
	The company said its investigation was ongoing with the "nature and scope" of the cyber-attack still to be determined.
</p>

<p>
	In a subsequent statement it said: "Our resorts including dining, entertainment and gaming are still operational.
</p>

<p>
	"Our guests continue to be able to access their hotel rooms and our Front Desk is ready to assist our guests as needed," it added.
</p>

<p>
	The company's main website is down. A message on its homepage says the site is "currently unavailable" and directs customers to contact the company via the phone, or through third-party websites.
</p>

<p>
	Similar messages are displayed on websites for the firm's resorts. It owns hotels and casinos across the US, including some of the best-known locations in Las Vegas.
</p>

<p>
	This is the second time in recent years that MGM Resorts has confirmed a cyber-security incident.
</p>

<p>
	In 2019, one of the company's cloud services was breached, and hackers stole more than 10 million customer records. People's names, addresses and passport numbers were taken.
</p>

<p>
	It is not yet known whether similar data has been stolen as a result of this latest cyber-attack.
</p>

<p>
	<strong><a href="https://www.bbc.com/news/technology-66784894" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18536</guid><pubDate>Tue, 12 Sep 2023 14:48:21 +0000</pubDate></item><item><title>Update Chrome ASAP! Critical security issue exploited in the wild</title><link>https://nsaneforums.com/news/security-privacy-news/update-chrome-asap-critical-security-issue-exploited-in-the-wild-r18534/</link><description><![CDATA[<p>
	Google released an emergency security update for its Chrome web browser that addresses a critical security issue that is exploited in the wild.
</p>

<p>
	Chrome users are encouraged to update the stable version of the web browser to the new version immediately to protect the browser against potential attacks.
</p>

<p>
	This is done easily on desktop systems: just load chrome://settings/help in the browser's address bar and wait for Chrome to find and download the security update. The page displays the installed version as well, which should be the following after the installation of the update:
</p>

<ul>
	<li>
		Chrome on Linux or Mac systems: 116.0.5845.187
	</li>
	<li>
		Chrome on Windows devices: 116.0.5845.187 or 116.0.5845.188
	</li>
	<li>
		Chrome Extended Stable for Mac: 116.0.5845.187
	</li>
	<li>
		Chrome Extended Stable for Windows: 116.0.5845.188
	</li>
</ul>

<p>
	Google has not yet released the security update for Android Stable, only for Android Early Stable.
</p>

<h2>
	The critical security issue
</h2>

<p>
	<img alt="chrome-116-emergency-security-update.png" class="ipsImage" data-ratio="75.10" height="401" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/09/chrome-116-emergency-security-update.png" />
</p>

<p>
	Google provides information on the critical security issue in Chrome <a href="https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html" rel="external nofollow" target="_blank">on its</a> official Chrome Releases blog. The issue, a heap buffer overflow vulnerability in WebP, was reported to Google by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School on September 6, 2023.
</p>

<p>
	WebP is an image format that "provides superior lossless and lossy compression for images on the web" according to Google. Google <a href="https://developers.google.com/speed/webp#:~:text=WebP%20is%20a%20modern%20image,that%20make%20the%20web%20faster." rel="external nofollow" target="_blank">notes</a> further that WebP images are on average 26% smaller in size compared to PNG images, and between 25% and 34% smaller than JPEG images.
</p>

<p>
	WebP is a common image format on the Internet. While Google offers no additional details on the vulnerability, it does warn users that the issue is already exploited in the wild. It is possible that merely opening a website with specially crafted WebP images in Chrome is enough to trigger the issue, but that is speculation at this point.
</p>

<p>
	The security issue, CVE-2023-4863, is the fourth 0-day vulnerability that Google patched in Google Chrome in 2023. The previously fixed 0-day security issues were:
</p>

<ul>
	<li>
		<a href="https://www.ghacks.net/2023/04/15/google-patches-actively-exploited-security-issue-in-chrome-112/" rel="external nofollow">CVE-2023-2033 – Type Confusion in V8</a> (<a href="https://www.ghacks.net/2023/04/05/google-chrome-112-fixes-16-unique-security-issues/" rel="external nofollow">Chrome 112</a>)
	</li>
	<li>
		<a href="https://www.ghacks.net/2023/04/19/google-releases-another-emergency-security-update-for-chrome/" rel="external nofollow">CVE-2023-2136 – Integer overflow in the Skia graphics library</a> (Chrome 112)
	</li>
	<li>
		<a href="https://www.ghacks.net/2023/06/07/google-patches-exploited-security-issue-in-chrome-update-asap/" rel="external nofollow">CVE-2023-3079 – Type Confusion in V8</a> (<a href="https://www.ghacks.net/2023/05/31/google-chrome-114-closes-16-security-issues-and-improves-security/" rel="external nofollow">Chrome 114</a>)
	</li>
</ul>

<p>
	Google Chrome users should update the web browser immediately to patch the issue and protect the web browser against exploits. It is unclear if other Chromium-based browsers are also affected by the issue, but it seems likely. Watch out for security update notifications for Microsoft Edge, Brave, Vivaldi or Opera, if these browsers are used.
</p>

<p>
	<a href="https://www.ghacks.net/2023/09/12/update-chrome-asap-critical-security-issue-exploited-in-the-wild/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18534</guid><pubDate>Tue, 12 Sep 2023 08:27:09 +0000</pubDate></item><item><title>Apple releases iOS 15.7.9, iPadOS 15.7.9, macOS 12.6.9, macOS 11.7.10 to fix a security issue in older devices</title><link>https://nsaneforums.com/news/security-privacy-news/apple-releases-ios-1579-ipados-1579-macos-1269-macos-11710-to-fix-a-security-issue-in-older-devices-r18533/</link><description><![CDATA[<p>
	A few days ago, Apple <a href="https://www.ghacks.net/2023/09/08/ios-16-6-1-ipados-16-6-1-and-macos-ventura-13-5-2-updates-ship-with-fixes-for-actively-exploited-security-issues/" rel="external nofollow" target="_blank">released an update</a> to patch a couple of security flaws in its current operating systems. The company has now released iOS 15.7.9, iPadOS 15.7.9, macOS 12.6.9 and macOS 11.7.10 to fix one of the security issues that affected older devices.
</p>

<p>
	In case you missed it, here's what happened last week. Researchers at The Citizen Lab at The University of Toronto's Munk School, who had been analyzing an iPhone belonging to a member of a civil society organization in Washington, discovered that the device had been targeted in a Pegasus mercenary spyware attack. The experts also found that the attack used a zero-day, zero-click vulnerability which required no interaction from the user. There was not just one but two security loopholes in the operating systems that had been targeted by cybercriminals.
</p>

<p>
	The researchers quickly reached out to Apple to report the issues and share their findings with the company, to help protect other users from similar targeted attacks. Apple's Security Engineering and Architecture team acknowledged the bugs and confirmed that the flaws had been actively exploited by hackers. The Cupertino company released a patch a few days ago to fix the flaws in the iOS 16.6.1, iPadOS 16.6.1, and macOS Ventura 13.5.2 updates. Interestingly, Apple confirmed to the folks at Citizen Lab that Lockdown Mode, which is available for the three operating systems, had been successful in preventing the attack. This feature is not available in older versions of iOS, iPadOS, and macOS, so the only way to stay safe is to keep your device up to date with the latest security updates.
</p>

<h3>
	Apple releases iOS 15.7.9, iPadOS 15.7.9, macOS 12.6.9, macOS 11.7.10
</h3>

<p>
	Since Apple had not released an update for older versions of its operating systems last week, I had speculated that the vulnerabilities possibly didn't affect older versions of macOS, but I was wrong. Or was I partially right? According to the release notes published on the company's website, only one of the 2 actively exploited issues that I mentioned in the previous article was found to impact macOS 11 Big Sur and macOS 12 Monterey. As it turns out, iOS 15 and iPadOS 15 were also vulnerable to the same issue. The good news is that Apple has patched the issue on all 4 operating systems, to protect users who still have the older devices.
</p>

<p>
	The security loophole in question, which was tracked under CVE-2023-41064, could allow maliciously crafted images to lead to arbitrary code execution. Apple fixed a buffer overflow issue with improved memory handling, to mitigate the problem. The security patch is available as part of the following updates: <a href="https://support.apple.com/en-us/HT213913" rel="external nofollow" target="_blank">iOS 15.7.9, iPadOS 15.7.9</a>, <a href="https://support.apple.com/en-us/HT213914" rel="external nofollow" target="_blank">macOS 12.6.9 Monterey</a>, <a href="https://support.apple.com/en-us/HT213915" rel="external nofollow" target="_blank">macOS 11.7.10 Big Sur</a>.
</p>

<p>
	iPhones and iPads that are eligible for receiving the update include the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). It's great to see that Apple is being responsible in patching out security issues in iPhones that were released 7 years ago. It is even more impressive if you consider the fact that some Macs which run on Big Sur were launched over a decade ago.
</p>

<p>
	Apple will release iOS 17 and iPadOS 17 today, during the iPhone 15 launch event.
</p>

<p>
	<a href="https://www.ghacks.net/2023/09/12/apple-releases-ios-15-7-9-ipados-15-7-9-macos-12-6-9-macos-11-7-10-to-fix-a-security-issue-in-older-devices/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18533</guid><pubDate>Tue, 12 Sep 2023 08:23:19 +0000</pubDate></item><item><title><![CDATA[Microsoft: Defender Hardware & Firmware assessment helps you ID flawed AMD Zenbleed CPUs]]></title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-hardware-firmware-assessment-helps-you-id-flawed-amd-zenbleed-cpus-r18523/</link><description><![CDATA[<p>
	Recently, we covered the <a href="https://www.neowin.net/news/microsoft-no-longer-suggests-overlooking-downfall-of-intel-7th-8th-9th-10th-11th-gen-cpus/" rel="external nofollow">Intel "Downfall" GDS security vulnerability</a> that affects almost all of the slightly older Intel processors. Although the newer generation chips were unaffected by that, a buggy microcode update from Intel and its vendor partners led to "UNSUPPORTED_PROCESSOR" BSODs on Windows 11 and Windows 10 PCs, and <a href="https://www.neowin.net/news/intel-microsoft-not-wrong-to-deny-taking-any-blame-for-windows-unsupported-cpu-bsods/" rel="external nofollow">Microsoft rightfully denied taking any blame for that</a>.
</p>

<p>
	Meanwhile, rival AMD ("Team Red") has not been immune to issues either, as researchers discovered a <a href="https://www.neowin.net/news/amd-confirms-firmware-update-for-ryzen-3000-4000-5000-7000-cpus-vulnerable-to-zenbleed/" rel="external nofollow">YMM register-related vulnerability</a> in Ryzen 3000, 4000, 5000 and 7000 series chips called "Zenbleed".
</p>

<p>
	Microsoft has published a Tech Community blog post today describing how IT admins and system admins can manage such vulnerable processors using a new Defender technology called "Hardware and Firmware Assessment" inside Microsoft Defender Vulnerability Management.
</p>

<p>
	In the example image provided though, Microsoft shows an AMD Carrizo A10-8700P APU which is not affected by Zenbleed. Carrizo is based on the fourth-gen Bulldozer micro-architecture known as Excavator.
</p>

<p>
	Microsoft <a href="https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/hardware-amp-firmware-assessment-to-identify-devices-with-amd/ba-p/3909040" rel="external nofollow">explains</a>:
</p>

<p style="margin-left: 40px;">
	<em>Microsoft Defender Vulnerability Management <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-hardware-and-firmware?view=o365-worldwide" rel="external nofollow" target="_blank">Hardware and firmware assessment</a> capability provides an inventory of known hardware and firmware in your organization. This allows you to identify devices with AMD processors that are potentially exposed to this vulnerability (these devices must be <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/mdvm-onboard-devices?view=o365-worldwide" rel="external nofollow" target="_self">onboarded to the service</a>).</em>
</p>

<p style="margin-left: 40px;">
	<em>To use this capability, you’ll need access to the <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide" rel="external nofollow" target="_blank">Defender Vulnerability Management premium offering</a>. You can do that via purchasing the Add-on or Standalone licenses or by simply joining the <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide" rel="external nofollow" target="_blank">free trial</a>.</em>
</p>

<p style="margin-left: 40px;">
	<em><img alt="1694417610_defender_firmware_hardware_vu" class="ipsImage" data-ratio="56.94" height="206" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/09/1694417610_defender_firmware_hardware_vulnerable_amd_zenbleed.jpg"></em>
</p>

<p>
	In a section under that, Microsoft has shown how to identify vulnerable processors using the tool:
</p>

<p style="margin-left: 40px;">
	<em>The following Advanced Hunting query provides a list of the potentially vulnerable devices with AMD processors:</em>
</p>

<p style="margin-left: 40px;">
	<em>DeviceTvmHardwareFirmware<br />
	| where ComponentType == "Processor"<br />
	| where Manufacturer contains "amd"</em>
</p>

<p>
	AMD has already announced that firmware patches that mitigate the Zenbleed vulnerability are on their way. You can bookmark <a href="https://www.neowin.net/news/amd-confirms-firmware-update-for-ryzen-3000-4000-5000-7000-cpus-vulnerable-to-zenbleed/" rel="external nofollow">this dedicated article</a> we did to keep track of when the applicable firmware will be available.
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-defender-hardware--firmware-assessment-helps-you-id-flawed-amd-zenbleed-cpus/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18523</guid><pubDate>Mon, 11 Sep 2023 19:01:51 +0000</pubDate></item><item><title>Software engineer loses &#x20B9;1 cr in Bitcoin scam by woman he met on dating app</title><link>https://nsaneforums.com/news/security-privacy-news/back-software-engineer-loses-%E2%82%B91-cr-in-bitcoin-scam-by-woman-he-met-on-dating-app-r18509/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Beware of scams in India even on dating websites. A software engineer has lost ₹1 crore in Bitcoin to a con artist.</span>
</p>

<p>
	Fraudulent and scam cases are becoming more prevalent in India. We occasionally hear tales of people who have had their money stolen from them.
</p>

<p>
	The easiest way to prevent being a victim of such scams is to be wary of strangers and do extensive background checks on everyone you speak to online. Furthermore, one should exercise extreme caution while investing money and should not do it merely on the advice of others or on the promise of high returns. Financial advice from strangers can frequently have rather disastrous outcomes.
</p>

<p>
	An Ahmedabad-based software engineer who met a woman through a dating website and followed her suggestion to spend close to ₹1 crore in Bitcoin experienced a similar situation. The techie lost all of his money since the woman turned out to be a con artist.
</p>

<p>
	<span style="font-size:22px;"><strong>Software engineer loses more than ₹1 crore</strong></span>
</p>

<p>
	A software engineer from Ahmedabad, Kuldeep Patel, lost ₹1 crore after a woman he met on a marriage website betrayed him. In his police complaint filed in Gandhinagar, he stated that he had fallen for a cryptocurrency fraud and lost ₹1 crore.
</p>

<p>
	Aditi was a young woman whom Kuldeep met online while searching for prospective matches. She told him that she exports goods to the United Kingdom and advised him to make a deposit at Banocoin, which Kuldeep did by depositing the funds from his bank account.
</p>

<p>
	He saw a $78 profit on his initial investment of one lakh, so he began making larger investments. Between July 20 and August 31 he deposited ₹1.34 crore. On September 3, he attempted to withdraw ₹2.59 lakh but was told the account had been frozen.
</p>

<p>
	Kuldeep was told that he had to deposit an additional ₹35 lakh in order to regain access to the account. Later, Kuldeep tried to get in touch with the woman he had met on the marriage website but was unsuccessful. This is how he realised that he was a fraud victim.
</p>

<p>
	<span style="font-size:22px;"><strong>Ways to stay secure</strong></span>
</p>

<p>
	Avoiding giving your hard-earned money to strangers is the best way to protect yourself from such frauds. There are many reputable financial investors available that are equipped to assist you with your investments. If you are unclear about what investments you should make, it is advisable to speak with professionals rather than believing strangers.
</p>

<p>
	Additionally, scammers are increasingly targeting people through dating and marriage apps. Therefore, even if you want to trust someone you met on such an app, make sure to meet them a few times first and get to know them as well as you can before you truly trust them.
</p>

<p>
	<strong><a href="https://www.livemint.com/news/software-engineer-loses-rs-1-cr-in-bitcoin-scam-by-woman-he-met-on-dating-app-11694436297768.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18509</guid><pubDate>Mon, 11 Sep 2023 15:23:59 +0000</pubDate></item><item><title>Chrome's new Real-Time Protection feature explained</title><link>https://nsaneforums.com/news/security-privacy-news/chromes-new-real-time-protection-feature-explained-r18494/</link><description><![CDATA[<p>
	Google announced this week that it is introducing <a href="https://www.ghacks.net/2023/09/08/google-enables-real-time-checks-in-chromes-safe-browsing-security-feature/" rel="external nofollow">real-time Safe Browsing checks in Chrome</a> for default configurations. Safe Browsing is a protective feature that supports two modes in Chrome: the default option uses a list of flagged URLs that Chrome downloads periodically to determine the safety of a site. The second option, called Enhanced Protection, already sends URLs to Google for checking.
</p>

<p>
	 
</p>

<p>
	The change, which is rolling out in the coming weeks, brings real-time checks to Standard Protection as well. Google says the step is necessary because cyber criminals regularly run operations whose sites are set up and taken down again within minutes.
</p>

<p>
	 
</p>

<p>
	Traditional Safe Browsing downloads list updates every 30 to 60 minutes, so a reported site could already have been pulled by its operators before the entry about it reached Chrome, leaving the window in which the site was actually active unprotected.
</p>

<p>
	 
</p>

<p>
	Standard and enhanced real-time checks differ significantly though. Google made no mention of this in the announcement, but we have been told that the new functionality uses Fastly Oblivious HTTP Relays. This has also been confirmed by our colleagues over at <a cmp-ltrk="Links" cmp-ltrk-idx="3" data-mrf-link="https://www.ghacks.net/2023/09/08/google-enables-real-time-checks-in-chromes-safe-browsing-security-feature/" data-wpel-link="internal" href="https://www.ghacks.net/2023/09/08/google-enables-real-time-checks-in-chromes-safe-browsing-security-feature/" mrfobservableid="e1715f83-be1e-436f-909f-f338ffe083aa" rel="external nofollow">Bleeping Computer</a>, who were informed by Google Chrome product manager Jasika Bawa about it.
</p>

<p>
	 
</p>

<p>
	<img alt="test.png" class="ipsImage" data-ratio="75.10" height="449" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/09/test.png"></p><noscript><img class="alignnone size-full wp-image-201812" alt="test.png" width="1165" height="728" src="https://www.ghacks.net/wp-content/uploads/2023/09/test.png"></noscript>


<p>
	 
</p>

<p>
	Google <a cmp-ltrk="Links" cmp-ltrk-idx="4" data-mrf-link="https://developer.chrome.com/blog/oblivious-http-for-k-anon-server-with-fastly/" data-wpel-link="external" href="https://developer.chrome.com/blog/oblivious-http-for-k-anon-server-with-fastly/" mrfobservableid="08482411-5b99-499c-88b9-e52631610c55" rel="external nofollow" target="_blank">entered</a> a partnership with Fastly in March 2023 to use Fastly's Oblivious HTTP relay for the Privacy Sandbox feature in Google Chrome. The relay exists to protect privacy: Chrome sends only "partially hashed URLs" to Google's Safe Browsing engine, and sends them through the relay, so Google sees the hashed lookup but not the device's IP address or request headers, while the relay sees the IP address but only an encrypted request it cannot read.
</p>

<p>
	 
</p>


<p>
	Google's Safe Browsing checks the submitted data against its database in real-time and returns to the browser whether the submitted URL should be blocked or not.
</p>

<p>
	 
</p>

<p>
	Because the request carries nothing beyond the hashed URL, Google cannot apply heuristics to the submitted address. In other words, the URL must already have been flagged and added to Google's Safe Browsing database before Standard Protection can stop Chrome users from opening it. Enhanced Protection does not have this limitation, as it submits more data to Google.
</p>
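<p>
	As an added illustration of what a "partially hashed URL" is in the scheme described above (this is example code, not Chrome's or Google's), the following Python reimplements the hash-prefix lookup documented for the public Safe Browsing Update API: a URL is expanded into host-suffix/path-prefix expressions, each expression is hashed with SHA-256, and only a 4-byte prefix of each hash is ever compared against the downloaded list or sent for lookup; the final full-hash comparison happens on the client. The <code>realtime</code> switch contrasts the two flows the article describes: the classic mode only contacts Google when a prefix hits the local list, so a list that is 30 to 60 minutes old misses a freshly flagged site, while the real-time mode sends the prefixes straight away. The blocklist entries and URLs are constructed, canonicalization is simplified relative to the spec, and the relay hop is not modelled.
</p>

```python
import hashlib
from urllib.parse import urlsplit

# Constructed toy blocklist of canonical host/path expressions (assumption:
# real Safe Browsing lists hold millions of entries, these are made up).
FLAGGED_EXPRESSIONS = ["phish.example/login/", "evil.example/"]
PREFIX_LEN = 4  # Safe Browsing ships 4-byte SHA-256 prefixes to clients


def full_hash(expression: str) -> bytes:
    """Full SHA-256 of a canonical expression. Only the first PREFIX_LEN
    bytes leave the device; the full hash is compared locally."""
    return hashlib.sha256(expression.encode("utf-8")).digest()


def url_expressions(url: str) -> list:
    """Host-suffix x path-prefix expressions as in the public Safe Browsing
    spec (simplified canonicalization: lowercased host, fragment dropped).
    At most 5 host forms and 6 path forms per URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [host]
    # Up to 4 suffixes built from the last 5 labels, dropping one leading label each time.
    for n in range(min(5, len(labels) - 1), 1, -1):
        hosts.append(".".join(labels[-n:]))
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    segments = path.split("/")  # "/a/b/c.html" -> ["", "a", "b", "c.html"]
    # "/", "/a/", "/a/b/", ...: up to 4 directory prefixes, never the final component.
    for i in range(1, min(len(segments), 5)):
        prefix = "/".join(segments[:i]) + "/"
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]


def build_lists(expressions):
    """Server side: the set of full hashes, and the prefix list clients download."""
    full = {full_hash(e) for e in expressions}
    prefixes = {h[:PREFIX_LEN] for h in full}
    return full, prefixes


def server_lookup(prefix: bytes, full_hashes: set) -> list:
    """All the lookup endpoint learns is a PREFIX_LEN-byte prefix. It returns
    every full hash sharing that prefix and never sees which URL produced it."""
    return [h for h in full_hashes if h.startswith(prefix)]


def check_url(url: str, prefixes: set, full_hashes: set, realtime: bool = False):
    """Returns (verdict, hex prefixes sent to the server).
    realtime=False: classic flow, a prefix is sent only when it hits the local
    list, so a stale list silently misses newly flagged sites.
    realtime=True: the prefix of every expression is sent for lookup, so the
    list's age no longer matters; the request still carries prefixes only."""
    sent = []
    for expr in url_expressions(url):
        h = full_hash(expr)
        p = h[:PREFIX_LEN]
        if not realtime and p not in prefixes:
            continue
        sent.append(p.hex())
        if h in server_lookup(p, full_hashes):
            return "unsafe", sent
    return "safe", sent


if __name__ == "__main__":
    full, prefixes = build_lists(FLAGGED_EXPRESSIONS)
    # A list downloaded before evil.example was flagged (constructed staleness).
    _, stale_prefixes = build_lists(FLAGGED_EXPRESSIONS[:1])
    url = "http://www.evil.example/a/b/c?q=1#frag"
    print("stale list, classic:", check_url(url, stale_prefixes, full))
    print("stale list, realtime:", check_url(url, stale_prefixes, full, realtime=True))
    print("phish login:", check_url("http://phish.example/login/index.html", prefixes, full))
    print("phish about:", check_url("http://phish.example/about", prefixes, full))
```

<p>
	The second call in the usage block is the case the article is about: with a prefix list fetched before the site was flagged, the classic flow never asks Google and lets the URL through, while the real-time flow catches it while still sending nothing but 4-byte prefixes. The flip side, also visible here, is that the server only ever sees a prefix, so it can block exactly the entries it already has and cannot reason about an unknown URL.
</p>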

<p>
	 
</p>

<p>
	Google told Bleeping Computer that it is not using the data sent to Google servers for unrelated features, including advertisement.
</p>

<p>
	 
</p>

<p>
	Chrome users may also disable Safe Browsing in the Chrome web browser, but this is only advised if another form of protection is available.
</p>

<p>
	 
</p>

<p>
	<strong>Now You: </strong>Do you use Chrome and/or Safe Browsing?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/09/10/chromes-new-real-time-protection-feature-explained/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18494</guid><pubDate>Sun, 10 Sep 2023 18:22:05 +0000</pubDate></item><item><title>Is Google&#x2019;s Search Engine Smart or Sneaky? A Court Will Decide</title><link>https://nsaneforums.com/news/security-privacy-news/is-google%E2%80%99s-search-engine-smart-or-sneaky-a-court-will-decide-r18491/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Google’s search dominance is going on trial in the biggest US antitrust case since a crackdown on Big Tech that started in 2019.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>A FAMILY MEMBER’S</strong> hurried Google search for a last-second visa to visit New Zealand recently caused a headache—and provided a timely reminder of why Google faces a landmark US antitrust trial next week.
</p>

<p>
	 
</p>

<p>
	Tapping on the first link took us off to a website that after a few swipes charged $118 for the necessary paperwork. Only later did it emerge that we’d paid a so-called “internet-based travel technology company” and not a government agency, and been fleeced for more than double the required cost.
</p>

<p>
	 
</p>

<p>
	Fortunately, our panicked refund demand was fulfilled, but the miscue highlights a major frustration with Google that helped land it in court. The stacks of ads above its search results, like the visa link we clicked on, too often knock users off course from the information that they are seeking.
</p>

<p>
	 
</p>

<p>
	Colorado attorney general Phil Weiser, a co-lead in the case against Google that begins September 12, says the company has been able to load up on distracting ads because the search giant faces no real competition. “The more time that has passed, and the more Google has been able to establish and protect its dominance, the more aggressive it has been able to push these ads,” he says.
</p>

<p>
	 
</p>

<p>
	Weiser and the other state attorneys general bringing the case accuse Google of unlawfully amassing its 90 percent share of general online searches and leaving consumers worse off than if there had been true competition. Almost every weekday until late November, US District judge Amit Mehta will hear testimony in the case in his Washington, DC, courtroom.
</p>

<p>
	 
</p>

<p>
	Google CEO Sundar Pichai, executives from competitors and partners including Apple and Samsung, and a slew of antitrust experts are all expected to take the witness stand. Mehta’s ruling will follow months later, with years of appeals likely.
</p>

<p>
	 
</p>

<p>
	The Google case is the first to reach trial of a raft of government antitrust lawsuits launched against major tech companies after the Trump administration and state attorneys general stepped up enforcement and coordination in 2019. Millions in taxpayer dollars have been committed to the Google battle, one of the most expensive antitrust cases ever, Weiser says.
</p>

<p>
	 
</p>

<p>
	The US government’s last big court win against one of the tech giants came during the dotcom boom when Microsoft had to stop pushing its Internet Explorer browser over rival Netscape, at a time when slow connections and the need for installation discs entrenched default options.
</p>

<p>
	 
</p>

<p>
	The recent crop of cases has so far produced mixed results. Ongoing cases allege that Amazon artificially inflated prices and that Google’s industry-dominant ad business gave itself technical advantages that kept rivals at bay. States last week reached an undisclosed settlement with Google about its mobile app store business weeks before trial. Litigation tackling acquisitions by Meta and Microsoft hasn’t fared well, and although a case against Apple for extracting exorbitant fees from app developers remains possible, none has yet appeared.
</p>

<p>
	 
</p>

<p>
	In next week’s trial, Colorado, Tennessee, and the US Department of Justice are leading the plaintiffs, joined by every remaining US state except Alabama as well as Puerto Rico, Guam, and the District of Columbia. If Mehta sides with them, he will then oversee a second round of hearings to decide Google’s punishment.
</p>

<p>
	 
</p>

<p>
	No one faces prison time, and consumers won’t be owed a cash payout, but Google could be banned from certain business strategies, forced to sell off pieces of the company, or required to play nicer with rivals. “The trial is going to vindicate the theory that states can come together, share resources, and litigate against one of the most powerful companies,” says Weiser, who plans to watch his case from the courtroom at least once this month as deputies and hired aides make the arguments.
</p>

<p>
	 
</p>

<p>
	A best-case victory for Google would see Mehta decide that its disputed tactics actually enhanced competition in search, not weakened it. That would effectively say that the unfortunate experiences that my family, Weiser, and many others have suffered with Google’s increasingly brazen piles of search ads are not evidence of degraded quality and consumer harm. Kent Walker, Google’s president of global affairs, claims there’s more competition than ever. “People don’t use Google because they have to—they use it because they want to,” he says. “Our success is hard-fought and the result of our focus on building services that help Americans every day.”
</p>

<p>
	 
</p>

<p>
	The case against Google involves two allegations that it violated the Sherman Act, which bars some forms of maintaining a market monopoly. The first will see federal prosecutors argue that Google unlawfully pushed out rivals by sharing ad revenue with smartphone makers including Apple and Samsung, browser developers such as Mozilla, and wireless carriers including Verizon and AT&amp;T in return for being made the default search provider on their systems. Google pays billions of dollars to these partners under the deals, but it makes billions more from getting ads in front of users everywhere. “Google has locked up critical channels for distribution,” Weiser says.
</p>

<p>
	 
</p>

<p>
	The nature of search is that the more data Google amasses about people’s interests and behavior through its dominance the more effective its search results and ads can be, keeping the money flowing. The company contends that this cycle was started fairly through good engineering rather than users being deterred from switching default providers on their phone or browser. “Google will argue that it has been able to benefit from network effects because it developed the best search engine,” says John Lopatka, a law professor at Pennsylvania State University following the case.
</p>

<p>
	 
</p>

<p>
	The government’s view is that it doesn’t matter whether consumers and partners choose Google, because it is superior to alternatives such as Microsoft Bing or DuckDuckGo, or because of how easy it is to switch a default search engine setting. The big payments to secure defaults, by their nature, deprive rivals of the ability to grow and improve, the argument goes, reducing the pressure on Google to innovate on protecting users’ privacy and providing better results. “It used to be you could have confidence you had the best of the internet coming to you,” says Sacha Haworth, executive director of the Tech Oversight Project, a US advocacy group. “Over time, Google has optimized search results not to present the best of the best but things that make it money.”
</p>

<p>
	 
</p>

<p>
	Google’s rebuttal will include that it invests significantly in perfecting its user experience, such as by constantly improving how it polices ads, shields users from security threats, and surfaces high-quality content. The revenue-sharing contracts could be spun as pro-competitive, for instance, because Google structured them to allow Android phone makers like Samsung to lower device prices and better compete with Apple. Internal documents from search rivals like Microsoft are expected to be used to argue that they simply made worse product bets over the years than Google and got beat fair and square.
</p>

<p>
	 
</p>

<p>
	The second allegation that Google violated the Sherman Act will be carried by a coalition of states led by Colorado and Tennessee. They accuse Google of unfairly delaying some support for competing search engines from SA360, its tool to help big-spending advertisers buy ads on search engines including Google, Baidu, and Yahoo. Google disputes that the law requires it to work with rivals, while the states say Google promised a neutral offering.
</p>

<p>
	 
</p>

<p>
	While these broad strokes of the case are well established, many of its details will be shrouded—and some got suppressed long ago. To protect Google’s confidential data, many days of the trial will be closed to the public and media. How much Google is paying partners for default status will be among the items heard only by Judge Mehta.
</p>

<p>
	 
</p>

<p>
	As of this week, it wasn’t clear whether Mehta would allow action from days of the case open to the public to be broadcast online, leaving it possible he will restrict the visibility of a proceeding concerned with public access to information. Public interest groups adverse to Google have been pushing for a remote-viewing option. “It is critical to shedding light on Google’s anticompetitive behavior,” says Katie Van Dyck, senior legal counsel for American Economic Liberties Project.
</p>

<p>
	 
</p>

<p>
	Prosecutors also are frustrated that Google encouraged employees to needlessly include attorneys on internal emails to keep the conversations from being used as evidence under attorney-client privilege and allowed the deletion of internal chats about business strategies relevant to the case. But the contents of those communications may not be the biggest mystery hanging over the trial.
</p>

<p>
	 
</p>

<p>
	Charlotte Slaiman, vice president at the competition advocacy group Public Knowledge, wonders what features the public has missed out on because of how Google’s power allegedly bred complacency. She points to the challenges she ran into using Google to find sugar-free muffin recipes for her toddler. “You just never know if those recipes are any good,” she says. “I imagine quality control is one of those things we would have if there were really competition in search.” It might just have spared headaches for millions of families.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/is-googles-search-engine-smart-or-sneaky-a-trial-court-judge-will-decide/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18491</guid><pubDate>Sun, 10 Sep 2023 11:37:34 +0000</pubDate></item><item><title>Microsoft believes China-affiliated actors are using AI generated images to sway US voters</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-believes-china-affiliated-actors-are-using-ai-generated-images-to-sway-us-voters-r18488/</link><description><![CDATA[<p>
	With the 2024 US Presidential election primaries now just a few months away, a recent report from Microsoft states that organizations affiliated with China are trying to spread disinformation about major issues to influence US voters via local social media networks.
</p>

<p>
	 
</p>

<p>
	In a blog post, the company announced a new report from its Microsoft Threat Analysis Center (MTAC). The report, in PDF format, will be part of an ongoing series by the MTAC that will look at current cyber threats by various groups in different regions of the world. In this case, this week's report looks at threats that are based in eastern Asia, including China.
</p>

<p>
	 
</p>

<p>
	Microsoft stated in the report:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Since approximately March 2023, some suspected Chinese IO assets on Western social media have begun to leverage generative artificial intelligence (AI) to create visual content. This relatively high quality visual content has already drawn higher levels of engagement from authentic social media users. These images bear the hallmarks of diffusion-powered image generation and are more eye-catching than awkward visual content in previous campaigns.</em>
</p>

<p>
	 
</p>

<p>
	Microsoft's blog post on this report adds that it expects China to keep improving and refining these generative AI-created social media images in the future, but it's currently unknown "how and when it will deploy it at scale."
</p>

<p>
	 
</p>

<p>
	Microsoft revealed earlier this summer that a China-affiliated hacker group known as Storm-0558 managed to get access to US and European government email accounts. Microsoft later admitted that the group had obtained a Microsoft account (MSA) signing key, which it used to forge the tokens that gave it access to those accounts, and that more than one flaw in Microsoft's security processes made this possible. The company says it has since taken measures to close those holes.
</p>

<p>
	 
</p>

<p>
	In August, Microsoft sent out a warning about another China-based threat actor group called Flax Typhoon. The company said this hacker group has been conducting espionage campaigns targeting Taiwan since 2021.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-believes-china-affiliated-actors-are-using-ai-generated-images-to-sway-us-voters/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18488</guid><pubDate>Sat, 09 Sep 2023 21:27:06 +0000</pubDate></item><item><title>Vivaldi says no to Google Topics in its browser</title><link>https://nsaneforums.com/news/security-privacy-news/vivaldi-says-no-to-google-topics-in-its-browser-r18487/</link><description><![CDATA[<p>
	Google's euphemistically named Privacy Sandbox or Ad Privacy feature is a topic of hot debate. While it is true that it is changing tracking on the Internet fundamentally by getting rid of third-party cookies, it still relies on the profiling of users, is said to give Google even more control over the advertising market, and is the first time that an advertising solution that includes tracking is integrated natively in a web browser.
</p>

<p>
	 
</p>

<p>
	Google is pushing the <a cmp-ltrk="Links" cmp-ltrk-idx="3" data-mrf-link="https://www.ghacks.net/2023/07/18/how-to-turn-off-google-chromes-built-in-advertising-features/" data-wpel-link="internal" href="https://www.ghacks.net/2023/07/18/how-to-turn-off-google-chromes-built-in-advertising-features/" mrfobservableid="ca0d775d-e4e3-4178-b323-8060bb5d0075" rel="external nofollow">new advertising features into Chrome Stable</a> slowly but steadily. Since the company is also in control of Chromium, the open source root of Google Chrome, it is also integrating these changes into that browser. This integration puts other companies and individuals who use Chromium as the source for their browsers in a precarious situation.
</p>

<p>
	 
</p>

<p>
	Several, <a cmp-ltrk="Links" cmp-ltrk-idx="4" data-mrf-link="https://www.ghacks.net/2021/04/13/brave-reveals-why-it-is-disabling-googles-floc-in-the-browser/" data-wpel-link="internal" href="https://www.ghacks.net/2021/04/13/brave-reveals-why-it-is-disabling-googles-floc-in-the-browser/" mrfobservableid="eececa6f-738c-445f-9e4f-f1bca55acff5" rel="external nofollow">including Brave Software</a>, have announced already that they would disable these features in their browsers. Most cite user privacy as the main concern and to an extent also control of advertising on the Internet.
</p>

<p>
	 
</p>

<p>
	<img alt="vivaldi-google-advertising.png" class="ipsImage" data-ratio="75.10" height="445" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/09/vivaldi-google-advertising.png"></p><noscript><img class="alignnone size-full wp-image-201807" alt="vivaldi google advertising" width="2273" height="1405" srcset="https://www.ghacks.net/wp-content/uploads/2023/09/vivaldi-google-advertising.png 2273w, https://www.ghacks.net/wp-content/uploads/2023/09/vivaldi-google-advertising-1536x949.png 1536w, https://www.ghacks.net/wp-content/uploads/2023/09/vivaldi-google-advertising-2048x1266.png 2048w" sizes="(max-width: 2273px) 100vw, 2273px" src="https://www.ghacks.net/wp-content/uploads/2023/09/vivaldi-google-advertising.png"></noscript>


<p>
	 
</p>

<p>
	Vivaldi Technologies <a cmp-ltrk="Links" cmp-ltrk-idx="5" data-mrf-link="https://vivaldi.com/blog/news/alert-no-google-topics-in-vivaldi/" data-wpel-link="external" href="https://vivaldi.com/blog/news/alert-no-google-topics-in-vivaldi/" mrfobservableid="b80d267a-6862-404d-888b-c695ce13a522" rel="external nofollow" target="_blank">published</a> a new article on the official blog yesterday in which it revealed that it won't enable Google Topics in the browser. Google Topics is one component of Google's Privacy Sandbox; it moves the tracking from the user level, which is mostly powered by cookies and site data currently, to the group level.
</p>

<p>
	 
</p>


<p>
	Instead of tracking an individual user's activity and building a profile from it, Google Topics still analyses browsing activity but assigns the user to interest groups; according to Google, that analysis happens locally in the browser. A user who visits many cat or dog websites may be put into an animal-related topic, and sites and advertisers may use that topic to display advertisements matching those interests.
</p>

<p>
	 
</p>

<p>
	Vivaldi Technologies explains that it "never had any faith in the Topics API from the very start", calling Topics a "deceitful attempt by Google to appear to be privacy-oriented while introducing new means of spying on their users". Integrating tracking and profiling into a browser is "fundamentally wrong", according to Vivaldi, which is why it will always oppose it.
</p>

<p>
	 
</p>

<p>
	The company confirms that the Topics API will never be enabled in the Vivaldi web browser. Two "things" would be needed to enable Topics in Vivaldi, and both of these have been disabled by Vivaldi engineers.
</p>

<p>
	 
</p>

<p>
	Not all browser makers have expressed their concerns as publicly as Vivaldi. <a cmp-ltrk="Links" cmp-ltrk-idx="6" data-mrf-link="https://www.ghacks.net/2023/05/18/googles-privacy-sandbox-is-ready-chrome-to-drop-third-party-cookies-in-2024/" data-wpel-link="internal" href="https://www.ghacks.net/2023/05/18/googles-privacy-sandbox-is-ready-chrome-to-drop-third-party-cookies-in-2024/" mrfobservableid="2cbe64c6-99c2-470e-8d2e-34d2cd14d4ce" rel="external nofollow">Google plans to disable third-party cookie</a> support in the second half of 2024, after several delays, and it is then that every Chromium-based browser will have to decide whether to ship these features or disable them.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> what is your favorite browser's position on Google's Privacy Sandbox?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/09/09/vivaldi-says-no-to-google-topics-in-its-browser/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18487</guid><pubDate>Sat, 09 Sep 2023 18:38:16 +0000</pubDate></item><item><title>Your Wyze webcam might have let other owners peek into your house</title><link>https://nsaneforums.com/news/security-privacy-news/your-wyze-webcam-might-have-let-other-owners-peek-into-your-house-r18482/</link><description><![CDATA[<h3>
	Some Wyze security camera owners reported that they were briefly able to see feeds from cameras they didn’t own or recognize.
</h3>

<div>
	<div>
		<p>
			Some Wyze security camera owners reported Friday that they were unexpectedly able to see webcam feeds that weren’t theirs, meaning that they were unintentionally able to see inside of other people’s houses. A Wyze spokesperson tells The Verge that this was due to a web caching issue.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Earlier on Friday, users on Reddit made posts about the issue. “Went to check on my cameras and they are all gone be replaced with a new one... and this isn’t mine!” <a href="https://www.reddit.com/r/wyzecam/comments/16dlse8/seeing_someone_elses_webcam_feed/" rel="external nofollow">wrote one user</a>. “Apologies if this is your house / dog... I don’t want it showing up as much as you don’t want it!”
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			“I am able to click the events tab and see ALL the events on this random person’s camera INSIDE their house,” <a href="https://www.reddit.com/r/wyzecam/comments/16dmnyr/be_aware_of_security_flaw/" rel="external nofollow">wrote another</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			“I don’t know why, but I can see someone else’s camera,” <a href="https://www.reddit.com/r/wyzecam/comments/16dmi41/why_am_i_seeing_someone_else_camera/" rel="external nofollow">wrote another</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Each thread has comments from other Reddit users reporting similar issues. Shockingly, I even saw some instances of people claiming they saw <a href="https://www.reddit.com/r/wyzecam/comments/16dlse8/seeing_someone_elses_webcam_feed/jzqeq3j/" rel="external nofollow">the same cameras</a> <a href="https://www.reddit.com/r/wyzecam/comments/16dlse8/seeing_someone_elses_webcam_feed/jzqbn7c/" rel="external nofollow">that other people did</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			The user reports indicated that they were seeing the other feeds through Wyze’s web viewer at <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a>. A Wyze employee told <a href="https://www.reddit.com/r/wyzecam/comments/16dmnyr/be_aware_of_security_flaw/jzqftmi/?context=3" rel="external nofollow">a user on Reddit</a> that the page is “currently under maintenance” and that “we are working on this and will update when it’s available again.” Wyze’s <a href="https://support.wyze.com/hc/en-us/articles/360015979872-Service-Status-Known-Issues" rel="external nofollow">status page</a> posted a similar message on Friday at 5:44PM ET.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			A Wyze customer support agent confirmed to me that the company has an issue with its online camera portal — one where people were actually able to see other customers’ camera feeds. “While we work to get this resolved, Wyze Web View functionality may be limited or unavailable,” they told me. The agent was not able to provide an estimate for when the issue would be fixed.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			“We and our team are already working to improve our security and to investigate the root cause of this,” the agent said. When I asked if they could share what those improvements might be, the agent responded: “I cannot disclose any further information.”
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			After we published this story, Wyze spokesperson Dave Crosby shared a statement explaining what happened. Although Crosby says the issue is resolved and that <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a> is “back up and running,” the status page still says <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a> is under maintenance as of Saturday morning. (Crosby says the company will update the status page “shortly.”)
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Here is Crosby’s statement:
		</p>
	</div>

	<div>
		<p>
			 
		</p>

		<p style="margin-left: 40px;">
			<em>This was a web caching issue and is now resolved. For about 30 minutes this afternoon, a small number of users who used a web browser to log in to their camera on <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a> may have seen cameras of other users who also may have logged in through <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a> during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a> during that time period.</em>
		</p>

		<p style="margin-left: 40px;">
			 
		</p>

		<p style="margin-left: 40px;">
			<em>Once we identified the issue we shut down <a href="http://view.wyze.com/" rel="external nofollow">view.wyze.com</a> for about an hour to investigate and fix the issue.</em>
		</p>

		<p style="margin-left: 40px;">
			 
		</p>

		<p style="margin-left: 40px;">
			<em>This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify affected users.</em>
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Crosby added that the company’s “early evidence” is that about 10 users’ feeds could be seen by others. I’ve asked how many people may have seen those people’s feeds.
		</p>

		<p>
			 
		</p>
	</div>
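	<p>
		Wyze described the cause only as a "web caching issue" and gave no details, so the following Python is an added illustration of the generic bug class that phrase names, a shared cache in front of an authenticated endpoint handing one user's response to another, and not Wyze's code or a claim about how its portal is built. The endpoint path, the session cookies and the per-account camera lists are constructed. It runs the same two-user sequence against a cache that ignores <code>Cache-Control</code> and one that honours it, and adds the case where the cache behaves but the origin forgot to send the header.
	</p>

```python
from dataclasses import dataclass, field
from functools import partial

# Constructed per-account data standing in for a "my cameras" endpoint (assumption).
CAMERAS = {"alice": ["front-door", "nursery"], "bob": ["garage"]}
SESSIONS = {"sess-a1": "alice", "sess-b2": "bob"}  # session cookie -> account


def origin_handler(path, cookie, cache_control="private, no-store"):
    """Authenticated origin. The body depends entirely on the session, so the
    response must tell any shared cache in front of it not to store it."""
    user = SESSIONS.get(cookie)
    if user is None:
        return {"status": 401, "headers": {}, "body": None}
    if path != "/api/cameras":
        return {"status": 404, "headers": {}, "body": None}
    headers = {"Cache-Control": cache_control} if cache_control else {}
    return {"status": 200, "headers": headers, "body": CAMERAS[user]}


@dataclass
class SharedCache:
    """An edge/CDN cache keyed on the URL alone. With honour_private=False it
    models the bug class: a 200 from the first authenticated user is stored
    under the bare path and replayed to every later requester of that path."""
    honour_private: bool
    store: dict = field(default_factory=dict)

    def get(self, path, cookie, origin=origin_handler):
        hit = self.store.get(path)
        if hit is not None:
            return hit  # served from cache, cookie never looked at
        resp = origin(path, cookie)
        cc = resp["headers"].get("Cache-Control", "").lower()
        uncacheable = "private" in cc or "no-store" in cc
        if resp["status"] == 200 and not (self.honour_private and uncacheable):
            self.store[path] = resp
        return resp


def what_bob_sees(honour_private, origin_cache_control="private, no-store"):
    """Alice loads her camera list first, then Bob requests the same URL with
    his own session. Returns the camera list the cache hands to Bob."""
    cache = SharedCache(honour_private=honour_private)
    origin = partial(origin_handler, cache_control=origin_cache_control)
    cache.get("/api/cameras", "sess-a1", origin)
    return cache.get("/api/cameras", "sess-b2", origin)["body"]


if __name__ == "__main__":
    print("cache ignores Cache-Control:        ", what_bob_sees(False))
    print("cache honours it, origin sends it:  ", what_bob_sees(True))
    print("cache honours it, origin forgot it: ", what_bob_sees(True, origin_cache_control=""))
```

	<p>
		The third case is the one a reviewer should look for: a correctly behaving cache is no protection if the origin ever emits a per-user 200 without <code>Cache-Control: private</code> or <code>no-store</code>. The usual belt-and-braces fix is to do both, mark every authenticated response uncacheable at the origin and configure the cache to bypass, or at least key on the session, for any request carrying a cookie or <code>Authorization</code> header.
	</p>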

	<div>
		<p>
			In March 2022, Wyze revealed that it had been aware of a security vulnerability for three years that could have let bad actors <a href="https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure" rel="external nofollow">access WyzeCam v1 cameras</a>, but quietly discontinued the camera rather than telling customers about it.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			<strong>Update September 9th, 8:05AM ET:</strong> Added further details from Wyze.
		</p>
	</div>

	<div>
		 
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/9/8/23865255/wyze-security-camera-feeds-web-view-issue" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18482</guid><pubDate>Sat, 09 Sep 2023 18:25:54 +0000</pubDate></item><item><title>&#x2018;Privacy Nightmare on Wheels&#x2019;: Every Car Brand Reviewed By Mozilla &#x2014; Including Ford, Volkswagen and Toyota &#x2014; Flunks Privacy Test</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98privacy-nightmare-on-wheels%E2%80%99-every-car-brand-reviewed-by-mozilla-%E2%80%94-including-ford-volkswagen-and-toyota-%E2%80%94-flunks-privacy-test-r18477/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><em>Mozilla’s latest edition of *Privacy Not Included reveals how 25 major car brands collect and share deeply personal data, including sexual activity, facial expressions, and genetic and health information</em></span>
</p>

<p>
	 
</p>

<p>
	(WEDNESDAY, SEPTEMBER 6, 2023) -- All 25 major car brands reviewed in Mozilla’s latest edition of *Privacy Not Included (*PNI) received failing marks for consumer privacy, a first in the buyer's guide’s seven-year history.
</p>

<p>
	 
</p>

<p>
	According to Mozilla research, popular global brands — including BMW, Ford, Toyota, Tesla, Kia, and Subaru — can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive. Researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics. Brands can then share or sell this data to third parties. Car brands can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.
</p>

<p>
	 
</p>

<p>
	In another first for Mozilla’s *Privacy Not Included research, none of the brands meet Mozilla’s Minimum Security Standards. Specifically, researchers couldn’t confirm whether any of the brands encrypt all of the personal information they store on vehicles, and only one of the brands (Mercedes) even replied to Mozilla’s questions about encryption.
</p>

<p>
	 
</p>

<p>
	The newest edition of *PNI examines the privacy and security flaws of car brands spanning five countries: the U.S., Germany, Japan, France, and South Korea. Researchers spent 600 hours reading privacy policies, downloading apps, and corresponding with brands; the full methodology can be found <a href="https://foundation.mozilla.org/privacynotincluded/about/methodology/" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:24px;"><em>"All new cars today are privacy nightmares on wheels that collect huge amounts of personal information."</em></span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	JEN CALTRIDER, MOZILLA
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	The very worst offender is Nissan. The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data — but doesn’t specify how. They say they can share and sell consumers’ “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.
</p>

<p>
	 
</p>

<p>
	Other top offenders include Volkswagen, which collects demographic data (like age and gender) and driving behaviors (like your seatbelt and braking habits) for targeted marketing purposes; Toyota, which features a near-incomprehensible galaxy of 12 privacy policy documents; Kia, whose privacy policy states they can collect information about your “sex life;” and Mercedes-Benz, which manufactures certain models with TikTok (an app with its own privacy issues) pre-installed. Analysts estimate that by 2030, car data monetization could be an industry worth $750 billion.
</p>

<p>
	 
</p>

<p>
	Not a single brand received Mozilla’s Best Of designation, though researchers identified Renault as the least problematic. The European brand must comply with General Data Protection Regulation (GDPR), a stringent law governing the way in which personal data is used, processed, and stored.
</p>

<p>
	 
</p>

<p>
	Says Jen Caltrider, *PNI Program Director: “Many people think of their car as a private space — somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about. But that perception no longer matches reality. All new cars today are privacy nightmares on wheels that collect huge amounts of personal information."
</p>

<p>
	Says Misha Rykov, *PNI Researcher: “This isn’t the first time Mozilla has uncovered an industry with terrible privacy practices. But cars are unique — their privacy flaws impact not just the driver, but also passengers and sometimes even nearby pedestrians. They can hear you, see you, and track you. Today, sitting in someone’s car is a lot like handing your phone over to the auto manufacturer."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Additional key findings include:</strong></span>
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Apps add a new level of complexity (and creepiness).</strong></span> These days, few products come without an associated app — and autos are no exception. Today’s cars have apps that can be handy, helping you find your ride in a crowded parking lot or start your car remotely. But these apps are also an avenue for collecting even more personal data, like location and biometric information. Further, the governance of these apps can be convoluted: BMW USA, for example, manages an app for Toyota.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Many car brands engage in “privacy washing.”</strong></span> Privacy washing is the act of pretending to protect consumers’ privacy while not actually doing so — and many brands are guilty of this. For example, several have signed on to the automotive Consumer Privacy Protection Principles. But these principles are nonbinding and created by the automakers themselves. Further, signatories don't even follow their own principles, like Data Minimization (i.e. collecting only the data that is needed).
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Meaningful consent is nonexistent.</strong></span> Often, “consent” to collect personal data is presumed by simply being a passenger in the car. For example, Subaru states that by being a passenger, you are considered a user — and by being a user, you have consented to their privacy policy. Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle's privacy policies.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Autos’ privacy policies and processes are especially bad.</strong></span> Legible privacy policies are uncommon, but they’re exceptionally rare in the automotive industry. Brands like Audi and Tesla feature policies that are confusing, lengthy, and vague. Some brands have more than five different privacy policy documents, an unreasonable number for consumers to engage with; Toyota has 12. Meanwhile, it’s difficult to find a contact with whom to discuss privacy concerns. Indeed, 12 companies representing 20 car brands didn’t even respond to emails from Mozilla researchers.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Car brands share personal information with law enforcement and governments. </strong></span>Hyundai’s privacy policy says, for example, that they can share data with law enforcement and governments based on “formal or informal” requests. Kia’s policy says they may share data in many scenarios “if, in our good faith opinion, such is required or permitted by law.” In other words: The threshold for sharing incredibly sensitive information is very low.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Data breaches are common.</strong></span> Serious data leaks and breaches are ordinary in the industry, from Tesla employees gawking at videos captured by consumers’ cars, to Volkswagen and Toyota leaking the personal information of millions of customers.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Consumers have very little control. </strong></span>While consumers can choose to not use a car app or try not to use connected services, that might mean their car doesn’t work properly — or at all. Consumers have almost zero control and options in regard to privacy, other than simply buying an older model. Regulators and policy makers are behind on this front.
</p>

<p>
	_____
</p>

<p>
	 
</p>

<p>
	<em><span style="font-size:18px;">About *Privacy Not Included:</span></em>
</p>

<p>
	<br />
	<em>*Privacy Not Included is a buyer's guide focused on privacy rather than price or performance. Launched in 2017, the guide has reviewed hundreds of products and apps. It arms shoppers with the information they need to protect the privacy of their friends and family, while also spurring the tech industry to do more to safeguard consumers.</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://foundation.mozilla.org/en/blog/privacy-nightmare-on-wheels-every-car-brand-reviewed-by-mozilla-including-ford-volkswagen-and-toyota-flunks-privacy-test/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18477</guid><pubDate>Sat, 09 Sep 2023 13:50:28 +0000</pubDate></item><item><title>Notepad++ 8.5.7 released with fixes for four security vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/notepad-857-released-with-fixes-for-four-security-vulnerabilities-r18468/</link><description><![CDATA[<p>
	Notepad++ version 8.5.7 has been released with fixes for multiple buffer overflow zero-days, with one marked as potentially leading to code execution by tricking users into opening specially crafted files.
</p>

<p>
	 
</p>

<p>
	Notepad++ is a popular free source code editor that supports many programming languages, can be extended via plugins, and offers productivity-enhancing features such as multi-tabbed editing and syntax highlighting.
</p>

<p>
	 
</p>

<p>
	GitHub's security researcher <a href="https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__/" rel="external nofollow" target="_blank">Jaroslav Lobačevski reported</a> the vulnerabilities in Notepad++ version 8.5.2 to the developers over the last couple of months. 
</p>

<p>
	 
</p>

<p>
	Proof of concept exploits have also been published for these flaws in the researcher's public advisory, making it essential for users to update the program as soon as possible.
</p>

<h2>
	Security flaws in Notepad++
</h2>

<p>
	The discovered vulnerabilities involve heap buffer write and read overflows in various functions and libraries used by Notepad++.
</p>

<p>
	 
</p>

<p>
	Here's a summary of the four flaws discovered by GitHub's researcher:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40031" rel="external nofollow" target="_blank">CVE-2023-40031</a>: Buffer overflow in the Utf8_16_Read::convert function due to incorrect assumptions about UTF16 to UTF8 encoding conversions.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40036" rel="external nofollow" target="_blank">CVE-2023-40036</a>: Global buffer read overflow in CharDistributionAnalysis::HandleOneChar caused by an array index order based on the buffer size, exacerbated by using the uchardet library.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40164" rel="external nofollow" target="_blank">CVE-2023-40164</a>: Global buffer read overflow in nsCodingStateMachine::NextState. This is linked to a specific version of the uchardet library used by Notepad++, vulnerable due to its dependency on the size of the charLenTable buffer.
	</li>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40166" rel="external nofollow" target="_blank">CVE-2023-40166</a>: Heap buffer read overflow occurs in FileManager::detectLanguageFromTextBegining due to failing to check buffer lengths during file language detection.
	</li>
</ul>

<p>
	 
</p>

<p>
	The most severe of these flaws is CVE-2023-40031, assigned a CVSS v3 rating of 7.8 (high), potentially leading to arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	However, a <a href="https://github.com/notepad-plus-plus/notepad-plus-plus/issues/14073#issuecomment-1700740629" rel="external nofollow" target="_blank">user disputes</a> that it would be possible to perform code execution using this flaw due to the type of error it is.
</p>

<p>
	 
</p>

<p>
	"While it is technically a 'buffer overflow' [it] is really only an off-by-two bug with practically zero chance to allow for arbitrary code execution," reads a comment to a <a href="http://github.com/notepad-plus-plus/notepad-plus-plus/issues/14073#issuecomment-1700740629" rel="external nofollow" target="_blank">GitHub issue</a> opened about the flaws.
</p>

<p>
	 
</p>

<p>
	The other three issues are medium-severity (5.5) problems that Lobačevski says might be leveraged to leak internal memory allocation information.
</p>

<h2>
	Fix coming
</h2>

<p>
	Despite Lobačevski's blog and proof of concept exploits being published on August 21, 2023, the Notepad++ development team did not rush to respond to the situation until the <a href="https://community.notepad-plus-plus.org/topic/24873/cve-2023-40031-cve-2023-40036-cve-2023-40164-cve-2023-40166" rel="external nofollow" target="_blank">user community pressed</a> for its resolution.
</p>

<p>
	 
</p>

<p>
	Eventually, on August 30, 2023, a public issue <a href="https://github.com/notepad-plus-plus/notepad-plus-plus/issues/14073" rel="external nofollow" target="_blank">was created</a> to acknowledge the problem, and fixes for the four flaws made it into the main code branch on September 3, 2023.
</p>

<p>
	 
</p>

<p>
	Notepad++ 8.5.7 has now been released and should be installed to fix the four vulnerabilities and other bugs <a href="https://notepad-plus-plus.org/downloads/v8.5.7/" rel="external nofollow" target="_blank">listed in the changelog</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/notepad-plus-plus-857-released-with-fixes-for-four-security-vulnerabilities/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">18468</guid><pubDate>Sat, 09 Sep 2023 02:41:02 +0000</pubDate></item><item><title>The Week in Ransomware - September 8th 2023 - Conti Indictments</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-september-8th-2023-conti-indictments-r18467/</link><description><![CDATA[<p>
	It started as a slow ransomware news week but slowly picked up pace with the Department of Justice announcing indictments on TrickBot and Conti operations members.
</p>

<p>
	 
</p>

<p>
	On Thursday, the <a href="https://www.bleepingcomputer.com/news/security/us-and-uk-sanction-11-trickbot-and-conti-cybercrime-gang-members/" target="_blank" rel="external nofollow">US announced sanctions</a> and <a href="https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware" rel="external nofollow" target="_blank">three indictments</a> against nine Russian nationals who are alleged members of the TrickBot and Conti ransomware operations for attacks on more than 900 victims worldwide.
</p>

<p>
	 
</p>

<p>
	"The defendants charged in these three indictments across three different jurisdictions allegedly used their cyber knowledge and capabilities to victimize people and businesses around the world without regard for the damage they caused," said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division.
</p>

<p>
	 
</p>

<p>
	The individuals were allegedly involved in a wide variety of roles in the Conti ransomware operation, including overall managing of the cybercrime operation, crypting malware so it was undetectable, managing infrastructure, and developing malware, including the TrickBot botnet.
</p>

<p>
	 
</p>

<p>
	In other news, <a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/" target="_blank" rel="external nofollow">Cisco confirmed that ransomware gangs are exploiting a zero-day in Cisco VPN appliances</a> after <a href="https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/" target="_blank" rel="external nofollow">BleepingComputer's</a>, SentinelOne's, and <a href="https://www.rapid7.com/blog/post/2023/08/29/under-siege-rapid7-observed-exploitation-of-cisco-asa-ssl-vpns/" rel="external nofollow" target="_blank">Rapid7's</a> reporting on its abuse by the Akira ransomware operation.
</p>

<p>
	 
</p>

<p>
	Finally, <a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-claims-attack-on-israels-mayanei-hayeshua-hospital/" target="_blank" rel="external nofollow">Ragnar Locker claimed an August attack</a> on Israel's Mayanei Hayeshua hospital, claiming to have stolen 1 TB of data.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/cloudsek" rel="external nofollow" target="_blank">@cloudsek</a>, <a href="https://twitter.com/SecurityAura" rel="external nofollow" role="link" tabindex="-1" target="_blank">@SecurityAura</a>, <a href="https://twitter.com/SentinelOne" rel="external nofollow" target="_blank">@SentinelOne</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1">@pcrisk</a>.
</p>

<h2>
	September 4th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1698565317037801590" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .rzkd and .rzml extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1698589543555809406" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos ransomware variant that appends the .sub_to_crypto_nwo extension and drops a ransom note named Windows!System32.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1698597040782012447" rel="external nofollow" target="_blank">New Rival ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware named Rival that appends the .rival extension and drops a ransom note named FILES ENCRYPTED.txt.
</p>

<h2>
	September 6th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1699283547796672829" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .rzew extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1699282562638643578" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Phobos ransomware variant that appends the .sb4 extension.
</p>

<h2>
	September 7th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-and-uk-sanction-11-trickbot-and-conti-cybercrime-gang-members/" rel="external nofollow">US and UK sanction 11 TrickBot and Conti cybercrime gang members</a>
</h3>

<p>
	The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations.
</p>

<h3>
	<a href="https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware" rel="external nofollow" target="_blank">Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies</a>
</h3>

<p>
	Three indictments in three different federal jurisdictions have been unsealed charging multiple Russian cybercrime actors involved in the Trickbot malware and Conti ransomware schemes.
</p>

<h2>
	September 8th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/" rel="external nofollow">Cisco warns of VPN zero-day exploited by ransomware gangs</a>
</h3>

<p>
	Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-claims-attack-on-israels-mayanei-hayeshua-hospital/" target="_blank" rel="external nofollow">Ragnar Locker claims attack on Israel's Mayanei Hayeshua hospital</a>
</h3>

<p>
	The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack.
</p>

<h3>
	<a href="https://www.cloudsek.com/blog/understanding-knight-ransomware-advisory-analysis" rel="external nofollow" target="_blank">Understanding Knight Ransomware: Advisory, Analysis</a>
</h3>

<p>
	Cyclops, now renamed Knight (also known as Cyclops 2.0), debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major desktop platforms (Windows, Linux, and macOS) as well as ESXi and Android.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1700011456173854921" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the .hgml and .hgkd extensions.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-8th-2023-conti-indictments/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18467</guid><pubDate>Sat, 09 Sep 2023 02:38:46 +0000</pubDate></item><item><title>Atlas VPN Linux Leak Exposes Users&#x2019; IP Addresses</title><link>https://nsaneforums.com/news/security-privacy-news/atlas-vpn-linux-leak-exposes-users%E2%80%99-ip-addresses-r18451/</link><description><![CDATA[<p>
	Linux client users of Atlas VPN may be at risk of data leaks, at least temporarily. Experts confirmed an Atlas VPN zero-day flaw impacting the Linux client that allows a website the user visits to reveal the user’s IP address.
</p>

<p>
	 
</p>

<p>
	A Reddit user with the handle ‘Educational-Map-8145’ published a proof-of-concept exploit last week for a zero-day flaw in the Linux client of Atlas VPN. The exploit code works against the latest version of the client, 1.0.3.
</p>

<p>
	 
</p>

<p>
	According to the researcher, the Linux client of Atlas VPN, specifically the latest version (1.0.3), has an API endpoint that listens on localhost (127.0.0.1) over port 8076. This API offers a command-line interface (CLI) for performing various actions, such as disconnecting a VPN session using the URL http://127.0.0.1:8076/connection/stop.
</p>

<p>
	 
</p>

<p>
	The problem with this configuration is that this API does not perform any authentication, which allows anyone to issue commands to the CLI, even a website you visit.
</p>

<p>
	 
</p>

<p>
	Several days later, on Tuesday, the head of Atlas VPN’s IT department posted an acknowledgment of the flaw on Reddit, apologizing for the delay in responding and noting that the company’s IT staff were fixing the issue.
</p>

<p>
	 
</p>

<p>
	Edvardas Garbenis, a cybersecurity researcher and publisher at Atlas VPN, confirmed that information.
</p>

<p>
	 
</p>

<p>
	“We’re aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we’re actively working on fixing it as soon as possible,” Garbenis told LinuxInsider. “Once resolved, our users will receive a prompt to update their Linux app to the latest version.”
</p>

<p>
	 
</p>

<p>
	Garbenis did not provide a timeline to resolve the vulnerability. However, he confirmed that the issue is limited to the Linux client and does not affect other Atlas VPN apps.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Details Revealed</strong></span>
</p>

<p>
	<br />
	The Reddit post indicated that the vulnerability affects Atlas VPN Linux client version 1.0.3. As a result, a malicious actor can disconnect the Linux application, cutting off the encrypted traffic between a Linux user and the VPN gateway and potentially disclosing the user’s IP address.
</p>

<p>
	 
</p>

<p>
	The Reddit cyber researcher said in the post that they are not yet aware of its use in the wild. However, the poster also questioned the reliability and security of Atlas VPN.
</p>

<p>
	 
</p>

<p>
	The root cause of the vulnerability consists of two parts, according to the Reddit poster. A daemon (atlasvpnd) manages the connections, and a client (atlasvpn) provides user controls to connect, disconnect, and list services.
</p>

<p>
	 
</p>

<p>
	Rather than using a local socket or another secure means of communication, the Linux app opens an API on localhost on port 8076 without any authentication. Any program running on the same computer, including the web browser, can use this port. Malicious JavaScript on any website can craft a request to that port and disconnect the VPN.
</p>

<p>
	 
</p>

<p>
	“If it then runs another request, this leaks the user’s home IP address to ANY website using the exploit code,” according to the Reddit poster.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Flaw Maybe Not So Unique</strong></span>
</p>

<p>
	<br />
	Depending on the infrastructure setup, often a VPN sits at the perimeter, allowing access to internal and external networks. Also, security solutions that are inline trust the incoming and outgoing traffic, noted Mayuresh Dani, manager of threat research at IT, security, and compliance firm Qualys.
</p>

<p>
	 
</p>

<p>
	“Endpoint VPN clients are present on all devices today, increasing the attack surface. This positioning makes VPNs an attractive target for both external and internal threat actors,” he told LinuxInsider.
</p>

<p>
	 
</p>

<p>
	Given today’s hybrid work environment, a compromised VPN could result in the loss of sensitive personal information. It also allows external attackers access to the internal networks, he added.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>VPN Popularity Leads to Security Slip-Ups</strong></span>
</p>

<p>
	<br />
	The VPN provider marketplace is now crowded and competitive. About 33% of all internet users rely on VPNs to mask their identity or shift their origin location.
</p>

<p>
	 
</p>

<p>
	“It is a huge market, but with a lot of players. It can be difficult to differentiate providers by anything other than cost. And when the costs per user are very low, that can lead to rushed software trying to capture the market,” Shawn Surber, senior director of technical account management at converged endpoint management firm Tanium, suggested to LinuxInsider.
</p>

<p>
	 
</p>

<p>
	The assumption that cross-origin resource sharing (CORS) protection would prevent it might have caused the vulnerability. However, engineers designed that security feature to prevent data theft and loading of outside resources, not to address the vulnerability in question.
</p>

<p>
	 
</p>

<p>
	In the Atlas VPN scenario, the attack uses a simple command instead, which slips through the CORS gauntlet, he explained. In this case, it turns off the VPN, immediately exposing the user’s IP and general location.
</p>

<p>
	 
</p>

<p>
	“This is a pretty significant problem for the VPN users. It does not, as yet, appear to expose any other data or provide an avenue for installation of malware,” he noted.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Tool for New Cyberattacks</strong></span>
</p>

<p>
	<br />
	Any information is good information for a malicious actor. An experienced adversary will know how to use that information to their advantage in an attack campaign, offered Nick Rago, field CTO at API security company Salt Security.
</p>

<p>
	 
</p>

<p>
	Social engineering plays a role in the first wave of a cyberattack campaign. Disabling a targeted user’s VPN and exposing their IP and geolocation let bad actors leverage that information to craft a more convincing and effective phishing attack tailored to the targeted user, he said of the potential danger of the Atlas VPN Linux vulnerability.
</p>

<p>
	 
</p>

<p>
	“Proper endpoint protection here is key so that an organization’s security team can discover if any interfaces, such as an open, unexposed API, are present on their employee systems, and, if allowed to exist, block any attempt to use that interface in an unexpected manner,” he told LinuxInsider.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>VPN Cybersecurity Reminder</strong></span>
</p>

<p>
	<br />
	The recent vulnerability discovered in Atlas VPN’s Linux client version 1.0.3 is a stark reminder of the potential risks associated with VPN services, even as they aim to enhance security and privacy.
</p>

<p>
	 
</p>

<p>
	While Atlas VPN is actively addressing the issue, users should remain vigilant and stay updated with software patches.
</p>

<p>
	 
</p>

<p>
	This case also underscores the critical need for rigorous security measures, including proper endpoint protection, by VPN services and consumers who rely on them.
</p>

<p>
	 
</p>

<p>
	Given today’s increasingly complex cybersecurity landscape, every weak link in the security chain can have significant consequences.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.linuxinsider.com/story/atlas-vpn-linux-leak-exposes-users-ip-addresses-177164.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18451</guid><pubDate>Fri, 08 Sep 2023 12:35:27 +0000</pubDate></item><item><title>Google gets its way, bakes a user-tracking ad platform directly into Chrome</title><link>https://nsaneforums.com/news/security-privacy-news/google-gets-its-way-bakes-a-user-tracking-ad-platform-directly-into-chrome-r18445/</link><description><![CDATA[<h3>
	Chrome now directly tracks users, generates a "topic" list it shares with advertisers.
</h3>

<div itemprop="articleBody">
	
	<p>
		Don't let <a href="https://arstechnica.com/gadgets/2023/09/chrome-is-getting-a-big-redesign-with-rounded-corners-material-you-colors/" rel="external nofollow">Chrome's big redesign</a> distract you from the fact that Chrome's invasive new ad platform, ridiculously branded the "Privacy Sandbox," is also getting a widespread rollout in Chrome today. If you haven't been following this, this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask, and it's built directly into the Chrome browser. It's been in the news previously as "<a href="https://arstechnica.com/gadgets/2021/04/everybody-hates-floc-googles-tracking-plan-for-chrome-ads/" rel="external nofollow">FLoC</a>" and then the "<a href="https://arstechnica.com/gadgets/2022/01/google-drops-floc-after-widespread-opposition-pivots-to-topics-api-plan/" rel="external nofollow">Topics API</a>," and despite widespread opposition from just about every non-advertiser in the world, Google owns Chrome and is one of the world's biggest advertising companies, so this is being railroaded into the production builds.
	</p>

	<p>
		 
	</p>

	<p>
		Google seemingly knows this won't be popular. Unlike the glitzy front-page Google blog post that the redesign got, the big ad platform launch announcement is tucked away on the <a href="https://privacysandbox.com/news/privacy-sandbox-for-the-web-reaches-general-availability" rel="external nofollow">privacysandbox.com</a> page. The blog post says the ad platform is hitting "general availability" today, meaning it has rolled out to most Chrome users. This has been a long time coming, with <a href="https://techcrunch.com/2023/07/20/google-starts-the-ga-rollout-of-its-privacy-sandbox-apis-to-all-chrome-users/" rel="external nofollow">the APIs</a> rolling out about a month ago and a million incremental steps in the beta and dev builds, but now the deed is finally done.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="image-5-980x1098.png" class="ipsImage" data-ratio="75.10" height="540" width="482" src="https://cdn.arstechnica.net/wp-content/uploads/2023/09/image-5-980x1098.png">
	</p>

	<div>
		<em>Chrome users will see this pop-up, telling them the ad platform has rolled out to them.</em>
	</div>

	<div>
		<em>Aurich Lawson</em>
	</div>

	<p>
		 
	</p>

	<p>
		Users should see a pop-up when they start up Chrome soon, informing them that an "ad privacy" feature has been rolled out to them and enabled. The new pop-up has been hitting users all week. As you can see in the pop-up, all of Google's documentation about this feature feels like it was written on opposite day, with Google calling the browser-based advertising platform "a significant step on the path towards a fundamentally more private web."
	</p>

	<p>
		 
	</p>
	<p>
		The argument here is that someday—not now, but someday—Google promises to turn off third-party tracking cookies in Chrome, and the new ad platform, which has some limitations, is better than the free-for-all that is third-party cookies. The thing is, third-party cookies mostly only affect Chrome users. Apple and Firefox have both been blocking third-party cookies for years and won't be implementing Google's new advertising system—it's only the Chromium browsers that still allow them.
	</p>

	<p>
		 
	</p>

	<p>
		That's actually what started this whole process: Apple dealt a giant blow to Google's core revenue stream when it blocked third-party cookies in Safari in 2020. While it was a win for privacy, Google's not following suit until it can secure its advertising business. The Federated Learning of Cohorts and now the Topics API are part of a plan to pitch an "alternative" tracking platform, and Google argues that there has to be a tracking alternative—you can't just not be spied on. The Electronic Frontier Foundation also argued this when it called Google's FLoC a "<a href="https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea" rel="external nofollow">terrible idea</a>," saying "[Google's] framing is based on a false premise that we have to choose between 'old tracking' and 'new tracking.' It’s not either-or. Instead of re-inventing the tracking wheel, we should imagine a better world without the myriad problems of targeted ads."
	</p>

	<p>
		 
	</p>

	<p>
		Chrome has some controls for this built into the browser now. Just go to the Chrome Settings, then "Privacy and Security," then "Ad privacy" (alternatively, paste "chrome://settings/adPrivacy" into the address bar). From there, you can click through to each of the three individual pages and turn off the top checkbox, and in a mere six clicks, you can presumably turn off the ad platform. If you leave it on for a while, you can check out the "Ad topics" page, where Google will show you what ads Chrome thinks you would like to see. This list gets sent to advertisers when you visit a page.
	</p>

	<p>
		 
	</p>

	<p>
		Google says it will block third-party cookies in the second half of 2024—presumably after it makes sure the "Privacy Sandbox" will allow it to keep its profits up. Did any user in the world want a user tracking and ad platform baked directly into their browser? Probably not, but this is Google, and they control Chrome, and this probably still won't make people switch to Firefox.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18445</guid><pubDate>Fri, 08 Sep 2023 02:35:01 +0000</pubDate></item><item><title>Apple patches &#x201C;clickless&#x201D; 0-day image processing vulnerability in iOS, macOS</title><link>https://nsaneforums.com/news/security-privacy-news/apple-patches-%E2%80%9Cclickless%E2%80%9D-0-day-image-processing-vulnerability-in-ios-macos-r18444/</link><description><![CDATA[<h3>
	"BLASTPASS" bug can install malware without user interaction.
</h3>

<div itemprop="articleBody">
	
	<p>
		Apple has released security updates for iOS, iPadOS, macOS, and watchOS today to fix actively exploited zero-day security flaws that can be used to install malware via a "maliciously crafted image" or attachment. The iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 updates patch the flaws across all of Apple's platforms. As of this writing, no updates have been released for older versions like iOS 15 or macOS 12.
	</p>

	<p>
		 
	</p>

	<p>
		The CVE-2023-41064 and CVE-2023-41061 flaws were <a href="https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/" rel="external nofollow">reported</a> by the Citizen Lab at the Munk School of Global Affairs &amp; Public Policy at the University of Toronto. Citizen Lab, which dubbed the exploit chain "BLASTPASS," says the bugs are serious because they can be exploited just by loading an image or attachment, which happens regularly in Safari, Messages, WhatsApp, and other first- and third-party apps. Bugs of this kind are also called "zero-click" or "clickless" vulnerabilities.
	</p>

	<p>
		 
	</p>

	<p>
		Citizen Lab also said that the BLASTPASS bug was "being used to deliver NSO Group’s <a href="https://arstechnica.com/information-technology/2017/04/found-quite-possibly-the-most-sophisticated-android-espionage-app-ever/" rel="external nofollow">Pegasus mercenary spyware</a>," the <a href="https://arstechnica.com/gadgets/2021/07/clickless-exploits-from-israeli-firm-hacked-activists-fully-updated-iphones/" rel="external nofollow">latest</a> in a <a href="https://arstechnica.com/information-technology/2019/10/whatsapp-suit-says-israeli-spyware-maker-exploited-its-app-to-infect-1400-users/" rel="external nofollow">long line</a> of similar exploits that have been used to infect fully patched iOS and Android devices.
	</p>

	<p>
		 
	</p>

	<p>
		Users worried about these kinds of flaws can mitigate them proactively by enabling <a href="https://arstechnica.com/information-technology/2022/07/introducing-lockdown-from-apple-the-coolest-defense-youll-probably-never-use/" rel="external nofollow">Lockdown Mode</a> on their iOS and macOS devices; among other things, it blocks many attachment types and disables link previews, the kinds of attack vectors that attackers can use to exploit these "clickless" vulnerabilities.
	</p>

	<p>
		 
	</p>

	<p>
		"We believe, and Apple’s Security Engineering and Architecture team has confirmed to us, that Lockdown Mode blocks this particular attack," Citizen Lab said.
	</p>

	<p>
		 
	</p>

	<p>
		These updates will likely be some of the last to be released ahead of <a href="https://arstechnica.com/gadgets/2023/08/invitation-sent-apple-will-debut-the-iphone-15-in-september-livestream/" rel="external nofollow">Apple's September product announcement event next week</a>, where we expect to get release dates for <a href="https://arstechnica.com/gadgets/2023/06/apples-ios-17-with-focus-on-communication-sharing-and-intelligent-input/" rel="external nofollow">iOS 17</a>, iPadOS 17, and possibly other software.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/gadgets/2023/09/apple-patches-clickless-0-day-image-processing-vulnerability-in-ios-macos/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18444</guid><pubDate>Fri, 08 Sep 2023 02:32:12 +0000</pubDate></item><item><title>The Comedy of Errors That Let China-Backed Hackers Steal Microsoft&#x2019;s Signing Key</title><link>https://nsaneforums.com/news/security-privacy-news/the-comedy-of-errors-that-let-china-backed-hackers-steal-microsoft%E2%80%99s-signing-key-r18419/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>After leaving many questions unanswered, Microsoft explains in a new postmortem the series of slipups that allowed attackers to steal and abuse a valuable cryptographic key.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>MICROSOFT SAID IN</strong> June that a China-backed hacking group had stolen a cryptographic key from the company's systems. This key allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. At the time of the disclosure, however, Microsoft did not explain how the hackers were able to compromise such a sensitive and highly guarded key, or how they were able to use the key to move between consumer- and enterprise-tier systems. But a new postmortem published by the company on Wednesday explains a chain of slipups and oversights that allowed the improbable attack.
</p>

<p>
	 
</p>

<p>
	Such cryptographic keys are significant in cloud infrastructure because they are used to generate authentication “tokens” that prove a user’s identity for accessing data and services. Microsoft says it stores these sensitive keys in an isolated and strictly access-controlled “production environment.” But during a particular system crash in April 2021, the key in question was an incidental stowaway in a cache of data that crossed out of the protected zone.
</p>

<p>
	 
</p>

<p>
	“All the best hacks are deaths by 1,000 paper cuts, not something where you exploit a single vulnerability and then get all the goods,” says Jake Williams, a former US National Security Agency hacker who is now on the faculty of the Institute for Applied Network Security.
</p>

<p>
	 
</p>

<p>
	After the fateful crash of a consumer signing system, the cryptographic key ended up in an automatically generated “crash dump” of data about what had happened. Microsoft's systems are meant to be designed so signing keys and other sensitive data don't end up in crash dumps, but this key slipped through because of a bug. Worse still, the systems built to detect errant data in crash dumps failed to flag the cryptographic key.
</p>

<p>
	 
</p>

<p>
	With the crash dump seemingly vetted and cleared, it was moved from the production environment to a Microsoft “debugging environment,” a sort of triage and review area connected to the company's regular corporate network. Once again though, a scan designed to spot the accidental inclusion of credentials failed to detect the key's presence in the data.
</p>

<p>
	 
</p>

<p>
	Sometime after all of this occurred in April 2021, the Chinese espionage group, which Microsoft calls Storm-0558, compromised the corporate account of a Microsoft engineer. With this account, the attackers could access the debugging environment where the ill-fated crash dump and key were stored. Microsoft says it no longer has logs from this era that directly show the compromised account exfiltrating the crash dump, “but this was the most probable mechanism by which the actor acquired the key.” Armed with this crucial discovery, the attackers were able to start generating legitimate Microsoft account access tokens.
</p>

<p>
	 
</p>

<p>
	Another unanswered question about the incident had been how the attackers used a cryptographic key from the crash log of a consumer signing system to infiltrate the enterprise email accounts of organizations like government agencies. Microsoft said on Wednesday that this was possible because of a flaw related to an application programming interface that the company had provided to help customer systems cryptographically validate signatures. The API had not been fully updated with libraries that would validate whether a system should accept tokens signed with consumer keys or enterprise keys, and as a result, many systems could be tricked into accepting either.
</p>
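<p>
	The key-scope failure described above, as an added illustration written for this page rather than Microsoft's own code: a verifier that looks signing keys up by kid in one merged pool, beside one that resolves the kid only within the key set of the issuer the relying party actually trusts. The token layout, HMAC signing, issuer URLs, key IDs and key bytes are all constructed assumptions.
</p>

```python
"""Added illustration (not Microsoft's code) of the token-validation flaw the
article describes: a verifier that looks a key up by its kid in one merged key
set accepts a consumer-signed token for an enterprise audience, while a verifier
that binds each key to its issuer rejects it.

Tokens use a simplified JWT-style layout signed with HMAC-SHA256 so the example
runs offline; the key-scope check is identical for asymmetric keys. Every key,
issuer URL and audience below is a constructed placeholder."""
import base64
import hashlib
import hmac
import json

CONSUMER_ISS = "https://consumer.example/"      # constructed
ENTERPRISE_ISS = "https://enterprise.example/"  # constructed
ENTERPRISE_AUD = "enterprise-mail"              # constructed

# Each trust domain has its own key set (constructed demo keys, not real material).
CONSUMER_KEYS = {"consumer-kid-1": b"consumer-demo-key-00000000000000"}
ENTERPRISE_KEYS = {"enterprise-kid-1": b"enterprise-demo-key-000000000000"}
ISSUER_KEYS = {CONSUMER_ISS: CONSUMER_KEYS, ENTERPRISE_ISS: ENTERPRISE_KEYS}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, key: bytes, payload: dict) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _parse(token: str):
    head, body, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)),
            _b64url_decode(sig), head + "." + body)


def _signature_valid(key: bytes, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_flawed(token: str, expected_aud: str) -> bool:
    """Flawed pattern: every known key lives in one pool and is selected by kid alone,
    so the verifier never asks whether this key may sign for this audience at all."""
    header, payload, sig, signing_input = _parse(token)
    key_pool = {**CONSUMER_KEYS, **ENTERPRISE_KEYS}
    key = key_pool.get(header.get("kid"))
    if key is None or not _signature_valid(key, signing_input, sig):
        return False
    return payload.get("aud") == expected_aud


def verify_hardened(token: str, expected_iss: str, expected_aud: str) -> bool:
    """Hardened pattern: the relying party names the issuer it trusts, the kid is
    resolved only within that issuer's key set, and alg/iss/aud must all match."""
    header, payload, sig, signing_input = _parse(token)
    if header.get("alg") != "HS256":
        return False
    key = ISSUER_KEYS.get(expected_iss, {}).get(header.get("kid"))
    if key is None or not _signature_valid(key, signing_input, sig):
        return False
    return payload.get("iss") == expected_iss and payload.get("aud") == expected_aud


def consumer_key_token_for_enterprise() -> str:
    """A token signed with the consumer key but claiming the enterprise issuer and
    audience: the situation the article describes once the consumer key had leaked."""
    return sign_token("consumer-kid-1", CONSUMER_KEYS["consumer-kid-1"],
                      {"iss": ENTERPRISE_ISS, "aud": ENTERPRISE_AUD, "sub": "someone"})


def legitimate_enterprise_token() -> str:
    return sign_token("enterprise-kid-1", ENTERPRISE_KEYS["enterprise-kid-1"],
                      {"iss": ENTERPRISE_ISS, "aud": ENTERPRISE_AUD, "sub": "someone"})


if __name__ == "__main__":
    bad, good = consumer_key_token_for_enterprise(), legitimate_enterprise_token()
    print("flawed verifier accepts consumer-signed token:", verify_flawed(bad, ENTERPRISE_AUD))
    print("hardened verifier accepts it:", verify_hardened(bad, ENTERPRISE_ISS, ENTERPRISE_AUD))
    print("hardened verifier accepts legitimate token:",
          verify_hardened(good, ENTERPRISE_ISS, ENTERPRISE_AUD))
```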

<p>
	 
</p>

<p>
	The company says it has fixed all of the bugs and lapses that cumulatively exposed the key in the debugging environment and allowed it to sign tokens that would be accepted by enterprise systems. But the recap does not describe how attackers compromised the engineer's corporate account, and Microsoft did not immediately respond to WIRED's request for comment about how the account breach occurred. This is important information for fully understanding how the attack played out, says independent security researcher Adrian Sanabria. He adds, too, that the fact Microsoft kept limited logs during this time period is significant. As part of its response to the Storm-0558 hacking spree overall, the company said in July that it would expand the cloud logging capabilities that it offers for free.
</p>

<p>
	 
</p>

<p>
	“It's particularly notable because one of the complaints about Microsoft is that they don't set up their own customers for security success,” Sanabria says. “Logs disabled by default, security features are an add-on requiring additional spending, or more premium licenses. It appears they themselves got bit by this practice.”
</p>

<p>
	 
</p>

<p>
	As Williams from the Institute for Applied Network Security points out, organizations like Microsoft must face highly motivated and well-resourced attackers who are unusually capable of capitalizing on the most esoteric or improbable mistakes. He says that from reading Microsoft's latest updates on the situation, he is more sympathetic to why the situation played out the way it did.
</p>

<p>
	 
</p>

<p>
	“You'll only hear about highly complex hacks like this in an environment like Microsoft's,” he says. “In any other organization, the security is relatively so weak that a hack doesn't need to be complex. And even when environments are pretty secure, they often lack the telemetry—along with the retention—needed to investigate something like this. Microsoft is a rare organization that has both. Most organizations wouldn't even store logs like this for a few months, so I'm impressed that they had as much telemetry as they did.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/china-backed-hackers-steal-microsofts-signing-key-post-mortem/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18419</guid><pubDate>Thu, 07 Sep 2023 13:07:29 +0000</pubDate></item><item><title>Modern cars are a data privacy 'nightmare' says study</title><link>https://nsaneforums.com/news/security-privacy-news/modern-cars-are-a-data-privacy-nightmare-says-study-r18409/</link><description><![CDATA[<p>
	The world's most popular car brands are a data "privacy nightmare," collecting and selling personal information in an age when driving is going increasingly digital, a study showed on Wednesday.
</p>

<p>
	 
</p>

<p>
	The California-based Mozilla Foundation reviewed 25 car brands and said none of them fully satisfied its standards on privacy and that no other product category had ever received as poor a review, including makers of sex toys or mental health apps.
</p>

<p>
	 
</p>

<p>
	"Modern cars are a privacy nightmare" at a time when "car makers have been bragging about their cars being 'computers on wheels'", said Mozilla, which is best known for its privacy-conscious Firefox web browser.
</p>

<p>
	 
</p>

<p>
	"While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines," Mozilla said.
</p>

<p>
	 
</p>

<p>
	Tesla was the worst offender, according to the study, with Nissan coming in second and singled out for seeking some of the "creepiest categories" of data, including sexual activity.
</p>

<p>
	 
</p>

<p>
	The study found that a staggering 84 percent of car brands admitted to sharing users' personal data with service providers, data brokers, and other undisclosed businesses.
</p>

<p>
	 
</p>

<p>
	Most of them, 76 percent, said they sold on their customers' data and more than half said they share data with government and law enforcement on request.
</p>

<p>
	 
</p>

<p>
	Today's connected vehicles not only mine data from driving, but track in-vehicle entertainment and third-party functions such as satellite radio or maps.
</p>

<p>
	 
</p>

<p>
	An overwhelming majority of car brands, 92 percent, were found to provide users with little to no control over their personal data with only France's Renault and its Dacia brand allowing users the right to delete data, probably out of compliance with European Union law.
</p>

<p>
	 
</p>

<p>
	Mozilla complained that none of the car brands - which also included Ford, Chevrolet, Toyota, Volkswagen, and BMW - would confirm they met the foundation's minimum security standards when 68 percent were subject to data leaks, hacks or breaches in the last three years.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://news.yahoo.com/modern-cars-data-privacy-nightmare-184558355.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18409</guid><pubDate>Thu, 07 Sep 2023 03:46:01 +0000</pubDate></item><item><title>Connected cars are a &#x201C;privacy nightmare,&#x201D; Mozilla Foundation says</title><link>https://nsaneforums.com/news/security-privacy-news/connected-cars-are-a-%E2%80%9Cprivacy-nightmare%E2%80%9D-mozilla-foundation-says-r18395/</link><description><![CDATA[<h3>
	Data privacy protections are almost nonexistent when it comes to automobiles.
</h3>

<div itemprop="articleBody">
	<p>
		<img alt="GettyImages-692837788-800x450.jpg" class="ipsImage" data-ratio="62.50" height="405" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/09/GettyImages-692837788-800x450.jpg">
	</p>

	<div>
		<em>Your car's maker can collect data on you from many different sources.</em>
	</div>

	<div>
		<em>Getty Images</em>
	</div>

	<p>
		 
	</p>
	

	<p>
		Today, the Mozilla Foundation published its analysis of how well automakers handle the privacy of data collected by their connected cars, and the results will be unlikely to surprise any regular reader of Ars Technica. The researchers <a href="https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/" rel="external nofollow">were horrified by their findings</a>, stating that "cars are the worst product category we have ever reviewed for privacy."
	</p>

	<p>
		 
	</p>

	<p>
		Mozilla looked at 25 car brands and found that all of them collected too much personal data, and from multiple sources—monitoring not just which buttons you push or what you do in any of the infotainment system's apps but also data from other sources like satellite radio or third-party maps. Or even when you connect your phone—remember that prompt asking you if you wanted to share all your contacts and notes with your car when you connected it via Bluetooth?
	</p>

	<p>
		 
	</p>

	<p>
		While some gathered data seems innocuous or even helpful—feedback to improve cabin ergonomics and UIs, for example—some data is decidedly not.
	</p>

	<p>
		 
	</p>

	<p>
		For example, Nissan's privacy policy says it can collect "sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information," although it's unlikely your car knows whether you're getting busy in the back seat. While this might be technically possible with a car fitted with a camera-based driver-monitoring system, Nissan's privacy policy notes the data source for the quoted paragraph as "direct contact with users and Nissan employees."
	</p>

	<p>
		 
	</p>

	<p>
		(Although more sophisticated driver-monitoring systems that claim to detect emotional states <a href="https://arstechnica.com/cars/2018/02/the-car-of-the-future-is-taking-shape-and-it-will-know-how-we-feel-about-it/" rel="external nofollow">have been demonstrated at shows like CES</a>, we're unaware of any that are in production.)
	</p>

	<p>
		 
	</p>

	<p>
		Mozilla found plenty more to worry about. Eighty-four percent of the brands they analyzed said they can share your data, and 76 percent said they can sell it. And more than half say they'll share data with the government and law enforcement by request.
	</p>

	<p>
		 
	</p>

	<p>
		Users have very little control over what those brands do with their data. Only two of the 25 brands (Renault and Dacia) tell users they have the right to have their data deleted, and neither sell cars in the United States.
	</p>

	<p>
		 
	</p>

	<p>
		The poor state of digital security in the auto industry should also come as no surprise; <a href="https://arstechnica.com/cars/2023/01/hackers-discover-that-vulnerabilities-are-rife-in-the-auto-industry/" rel="external nofollow">in January, we reported on widespread vulnerabilities at multiple OEMs</a> that would allow nefarious hackers to access personal information from servers or even remotely start a car's engine. Mozilla was similarly unimpressed, saying:
	</p>

	<p style="margin-left: 40px;">
		 
	</p>

	<p style="margin-left: 40px;">
		<em>Our main concern is that we can’t tell whether any of the cars encrypt all of the personal information that sits on the car. And that’s the bare minimum! We don’t call them our state-of-the-art security standards, after all.</em>
	</p>

	<p>
		 
	</p>

	<p>
		Of the car brands Mozilla looked at, Tesla fared worst of all; it was only the second product to receive all of Mozilla's "privacy dings" (an AI chatbot was the first), apparently. Nissan took the dubious honor of second-worst—the quoted section above should give a good idea of why.
	</p>

	<h2>
		What’s the solution?
	</h2>

	<p>
		Sadly there aren't many practical steps that Mozilla (or Ars) can provide to ameliorate this situation. As the Mozilla report notes, there's virtually no choice out there—I'm not sure of a single new car on sale in 2023 in the US that doesn't contain an embedded modem, and such equipment is now mandated by law in the European Union for emergency services.
	</p>

	<p>
		 
	</p>

	<p>
		Californians might be able to look forward to some data protections; that state passed a consumer privacy law in 2018, and <a href="https://arstechnica.com/cars/2023/08/connected-car-data-privacy-under-investigation-by-california-regulator/" rel="external nofollow">in August, the California Privacy Protection Agency said it would review</a> the data privacy practices of connected vehicles and their manufacturers.
	</p>

	<p>
		 
	</p>

	<p>
		At the national level, some hope that the National Institute of Standards and Technology and the Federal Trade Commission could <a href="https://arstechnica.com/cars/2022/10/74-say-connected-cars-and-ev-chargers-need-cybersecurity-ratings/" rel="external nofollow">include connected cars in their new labeling scheme for IoT security standards</a>, but there's no sign of that happening yet.
	</p>

	<p>
		 
	</p>

	<p>
		Meanwhile, Mozilla suggests that increasing awareness is the solution, and it is collecting signatures for a petition.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/cars/2023/09/connected-cars-are-a-privacy-nightmare-mozilla-foundation-says/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18395</guid><pubDate>Wed, 06 Sep 2023 17:42:26 +0000</pubDate></item><item><title>Microsoft no longer suggests overlooking "Downfall" of Intel 7th 8th 9th 10th 11th Gen CPUs</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-no-longer-suggests-overlooking-downfall-of-intel-7th-8th-9th-10th-11th-gen-cpus-r18376/</link><description><![CDATA[<p>
	Last month, in August 2023, several modern Intel processor families, from 7th Gen Kaby Lake all the way up to 11th Gen Rocket Lake CPUs, were found to be susceptible to a new processor vulnerability. Codenamed "Downfall," it is a transient-execution (speculative-execution) side-channel vulnerability called Gather Data Sampling (GDS).
</p>

<p>
	 
</p>

<p>
	The newest chips, i.e., Intel's 12th Gen Alder Lake and 13th Gen Raptor Lake parts, come with Intel's <a href="https://www.neowin.net/news/gds-microsoft-intel-confirm-downfall-of-7th-8th-9th-10th-11th-gen-cpus-firmware-out/" rel="external nofollow">TDX, which prevents the exploitation of stale data</a>. Microsoft and Intel are working together, and the issue is mitigated <a href="https://www.neowin.net/news/gds-microsoft-intel-confirm-downfall-of-7th-8th-9th-10th-11th-gen-cpus-firmware-out/" rel="external nofollow">via a firmware microcode update (MCU)</a>.
</p>

<p>
	 
</p>

<p>
	In the security advisory Microsoft published about this issue, the company had a section guiding users who wanted to disable the Downfall mitigation if they felt they were not affected. Interestingly, Microsoft has since removed both the mitigation-removal procedure and the section describing it from its website, and it updated the changelog with the following explanation: "Removed the content to disable the GDS mitigation as that option is no longer available."
</p>

<p>
	 
</p>

<p>
	The removal of this mitigation involved making tweaks to the registry. Here is the archived version of it:
</p>

<p style="margin-left: 40px;">
	 
</p>

<p>
	<strong>Disable the mitigation</strong>
</p>

<p>
	 
</p>

<p>
	If you do not consider GDS to be part of your threat model, you might choose to turn off (disable) the mitigation in a bare-metal environment.
</p>

<p>
	 
</p>

<p>
	<strong>Note</strong> Disabling the mitigation when Hyper-V (Virtualization) is enabled is not in scope of this current implementation.
</p>

<p>
	 
</p>

<p>
	To disable the GDS mitigation in Windows, you must have the following installed, as appropriate for your environment:
</p>

<p>
	 
</p>

<ul>
	<li>
		On supported Windows 10 and Windows 11 environments, you must have installed the Windows update dated on or after August 22, 2023.
	</li>
	<li>
		On supported Windows Server environments, you must have installed the Windows update dated on or after September 12, 2023.
	</li>
</ul>

<p>
	 
</p>

<p style="margin-left: 40px;">
	After the appropriate Windows update is installed, you must set the following feature flag in the registry:
</p>

<pre style="margin-left: 80px;"><code>Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Value name: FeatureSettingsOverride

Value type: REG_DWORD

Value data: 0x2000000 (hex)</code></pre>

<p style="margin-left: 80px;">
	<em>If this registry value does not already exist, run the following command to disable the GDS mitigation:</em>
</p>

<pre style="margin-left: 120px;"><code>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 33554432 /f</code></pre>

<p>
	You can find the security advisory about Intel's Downfall (GDS) on this (<a href="https://support.microsoft.com/en-us/topic/kb5029778-how-to-manage-the-vulnerability-associated-with-cve-2022-40982-d461157c-0411-4a91-9fc5-9b29e0fe2782" rel="external nofollow">KB5029778</a>) support page on Microsoft's official website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-no-longer-suggests-overlooking-downfall-of-intel-7th-8th-9th-10th-11th-gen-cpus/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18376</guid><pubDate>Wed, 06 Sep 2023 07:38:23 +0000</pubDate></item><item><title>Google Chrome moves forward with its targeted ad tracking system, here's how to turn it off</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-moves-forward-with-its-targeted-ad-tracking-system-heres-how-to-turn-it-off-r18375/</link><description><![CDATA[<p>
	Last year, <a href="https://www.neowin.net/news/google-has-killed-off-floc-introduces-topics-for-ad-tracking-instead/" rel="external nofollow">Google announced that it would be killing Federated Learning of Cohorts (FLoC)</a>, an initiative under its Privacy Sandbox. The system allowed Google to share individual data with advertisers in a privacy-friendly manner but had received backlash from multiple companies <a href="https://www.neowin.net/news/github-adds-http-header-to-block-googles-floc/" rel="external nofollow">including Microsoft</a>.
</p>

<p>
	 
</p>

<p>
	At the same time, Google announced Topics API, an alternative to FLoC. Topics API will identify your interests and store them locally on your system, and share them with the advertisers when you visit a website.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>The Topics API enables interest-based advertising (IBA) without tracking the sites a user visits. The browser observes and records topics that appear to be of interest to the user, based on their browsing activity. This information is recorded on the user's device.</em>
</p>

<p>
	 
</p>

<p>
	Now, Google has started rolling out the Topics API, which is expected to replace third-party cookies. The feature was <a href="https://www.neowin.net/news/google-will-enable-the-privacy-sandbox-apis-in-chrome-115-starting-next-week/" rel="external nofollow">part of Google's version 115 release</a> and is slowly making its way to everyone. If you are not comfortable sharing your interests with third parties, you can turn off the feature by following the steps below:
</p>

<p>
	 
</p>

<ol>
	<li>
		Open Google Chrome and click on the three dots on the top-right corner of the browser
	</li>
	<li>
		Navigate to Settings &gt; Privacy and Security &gt; Ad privacy. Here you will see three options, Ad topics, Site-suggested ads and Ad measurement
		<p>
			<img alt="1693978253_google_topics_api_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/09/1693978253_google_topics_api_story.jpg">
		</p>

		<p>
			 
		</p>
	</li>
	<li>
		Click on each of them and turn off the toggle at the top. You can also block specific topics that you don't want shared with third-party advertisers.
		<p>
			<img alt="1693978247_google_topics_api_1_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/09/1693978247_google_topics_api_1_story.jpg">
		</p>

		<p>
			 
		</p>
	</li>
</ol>

<p>
	Unfortunately, this is not a perfect way to make yourself anonymous when browsing online as websites could have their own tracking mechanisms like tracking pixels, cookies and more. That being said, turning off Topics API is a start and if you are concerned about your presence online then you can switch to a privacy-focused browser like Brave or DuckDuckGo.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/guides/google-chrome-moves-forward-with-its-targeted-ad-tracking-system-heres-how-to-turn-it-off/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18375</guid><pubDate>Wed, 06 Sep 2023 07:35:55 +0000</pubDate></item><item><title>Atlas VPN zero-day vulnerability leaks users' real IP address</title><link>https://nsaneforums.com/news/security-privacy-news/atlas-vpn-zero-day-vulnerability-leaks-users-real-ip-address-r18374/</link><description><![CDATA[<p>
	An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's real IP address simply by visiting a website.
</p>

<p>
	 
</p>

<p>
	Atlas VPN is a VPN product that offers a cost-effective solution based on WireGuard and supports all major operating systems.
</p>

<p>
	 
</p>

<p>
	In a proof of concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) over port 8076.
</p>

<p>
	 
</p>

<p>
	This API exposes a command-line interface (CLI) for performing various actions, such as disconnecting a VPN session by requesting the http://127.0.0.1:8076/connection/stop URL.
</p>

<p>
	 
</p>

<p>
	However, the API performs no authentication, so any process on the machine can issue commands to it, and so can any website the user happens to be visiting, because the browser will send a request to 127.0.0.1 on the page's behalf and the listener cannot tell that request from one made by the vendor's own CLI.
</p>

<h2>
	Atlas VPN API leads to zero-day exploit
</h2>

<p>
	A Reddit user named 'Educational-Map-8145' published a <a href="http://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/" rel="external nofollow" target="_blank">PoC exploit on Reddit</a> that abuses the Atlas VPN Linux API to reveal a user's real IP address.
</p>

<p>
	 
</p>

<p>
	This PoC creates a hidden form that JavaScript submits automatically to the http://127.0.0.1:8076/connection/stop API endpoint.
</p>

<p>
	 
</p>

<p>
	When this endpoint is hit, the client terminates the active Atlas VPN session, dropping the tunnel that was hiding the user's IP address.
</p>

<p>
	 
</p>

<p>
	Once the VPN connection is down, the PoC requests api.ipify.org, which returns the visitor's now-exposed real IP address for the attacker to log.
</p>

<p>
	 
</p>

<p>
	This is a severe privacy breach for any VPN user as it exposes their approximate physical location and actual IP address, allowing them to be tracked and nullifying one of the core reasons for using a VPN provider.
</p>

<p>
	 
</p>

<p>
	Amazon cybersecurity engineer <a href="https://cybersecurity.theater/@tweedge/110997661135498890" rel="external nofollow" target="_blank">Chris Partridge</a> tested and confirmed the exploit, creating the video below to demonstrate that it can be leveraged to reveal an IP address.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" frameborder="0" height="240" src="https://player.vimeo.com/video/861336492?app_id=122963" title="Demonstration of AtlasVPN zero-day flaw" width="270"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Partridge further explained that the browser's CORS (<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS" rel="external nofollow" target="_blank">Cross-Origin Resource Sharing</a>) checks do not stop the PoC because the request is sent to the Atlas VPN API as a form submission rather than from script.
</p>

<p>
	 
</p>

<p>
	"Form submissions are exempt from CORS for legacy/compatibility reasons, they're considered a "<a href="http://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests" rel="external nofollow" target="_blank">simple request</a>" by the CORS spec," Partridge told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	Normally, CORS governs what a script on one origin can do with a request to another: requests that are not "simple" are held until an OPTIONS preflight succeeds, and the script may never read the response unless the target server opts in. In the case of this exploit, the target is the visitor's own localhost at "http://127.0.0.1:8076/connection/stop," and a form submission counts as simple, so the browser sends it without asking.
</p>

<p>
	 
</p>

<p>
	However, Partridge explained to BleepingComputer that using a form submission to "bypass" CORS would not allow a website to see any response from the form submission.
</p>

<p>
	 
</p>

<p>
	In this case, though, no response is needed: the form submission only has to reach the URL that disconnects the Atlas VPN connection on Linux, and the disconnect itself is the effect the attacker wants.
</p>

<p>
	 
</p>

<p>
	"Assumption being that forms should already guard against CSRF. Which as we can see today, is not a good assumption and has led to some unintended consequences," warned Partridge.
</p>

<h2>
	Fix coming in upcoming patch
</h2>

<p>
	The Reddit user says they contacted Atlas VPN about the problem but were ignored, and that, since the company had no bug bounty program in place, public disclosure was the only logical option left.
</p>

<p>
	 
</p>

<p>
	Atlas VPN eventually responded to the issue four days after the disclosure, apologizing to the reporter and promising to release a fix for its Linux client as soon as possible. Also, Linux users will be notified when the update is available.
</p>

<p>
	 
</p>

<p>
	In response to our request for a comment, a spokesperson for Atlas VPN has sent the following:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"We're aware of the security vulnerability that affects our Linux client. We take security and user privacy very seriously. Therefore, we're actively working on fixing it as soon as possible. Once resolved, our users will receive a prompt to update their Linux app to the latest version.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>The vulnerability affects Atlas VPN Linux client version 1.0.3. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor. This could lead to the user's IP address disclosure.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>We greatly appreciate the cybersecurity researchers' vital role in identifying and addressing security flaws in systems, which helps safeguard against potential cyberattacks, and we thank them for bringing this vulnerability to our attention. We will implement more security checks in the development process to avoid such vulnerabilities in the future. Should anyone come across any other potential threats related to our service, please contact us via security@Atlas VPN.com." - Atlas VPN.</em>
</p>

<p>
	 
</p>

<p>
	Given the critical nature of this zero-day vulnerability, which remains exploitable until a patch is released, Linux client users are strongly advised to take immediate precautions, including considering an alternative VPN solution.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/atlas-vpn-zero-day-vulnerability-leaks-users-real-ip-address/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18374</guid><pubDate>Wed, 06 Sep 2023 07:33:44 +0000</pubDate></item><item><title>ASUS routers vulnerable to critical remote code execution flaws</title><link>https://nsaneforums.com/news/security-privacy-news/asus-routers-vulnerable-to-critical-remote-code-execution-flaws-r18363/</link><description><![CDATA[<p>
	Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
</p>

<p>
	 
</p>

<p>
	These three Wi-Fi routers are popular high-end consumer models, still sold on the ASUS website and favored by gamers and other users with demanding performance needs.
</p>

<p>
	 
</p>

<p>
	The flaws, which all have a CVSS v3.1 score of 9.8 out of 10.0, are format string vulnerabilities that can be exploited remotely and without authentication, potentially allowing remote code execution, service interruptions, and performing arbitrary operations on the device.
</p>

<p>
	 
</p>

<p>
	Format string flaws arise when unvalidated user input is passed as the format string argument of functions such as printf() or sprintf() rather than as a data argument. Conversion directives in that input are then interpreted by the function: %x or %s can read memory the attacker should not see (information disclosure), and %n writes to memory, which is what makes code execution possible.
</p>

<p>
	 
</p>

<p>
	Attackers exploit these flaws using specially crafted input sent to the vulnerable devices. In the case of the ASUS routers, they would target certain administrative API functions on the devices.
</p>

<h2>
	The flaws
</h2>

<p>
	The three vulnerabilities that were disclosed earlier today by the Taiwanese CERT are the following:
</p>

<p>
	 
</p>

<ol>
	<li>
		<a href="https://www.twcert.org.tw/tw/cp-132-7354-4e654-1.html" rel="external nofollow" target="_blank">CVE-2023-39238</a>: Lack of proper verification of the input format string on the iperf-related API module ‘ser_iperf3_svr.cgi’.
	</li>
	<li>
		<a href="https://www.twcert.org.tw/tw/cp-132-7355-0ce8d-1.html" rel="external nofollow" target="_blank">CVE-2023-39239</a>: Lack of proper verification of the input format string in the API of the general setting function.
	</li>
	<li>
		<a href="https://www.twcert.org.tw/tw/cp-132-7356-021bf-1.html" rel="external nofollow" target="_blank">CVE-2023-39240</a>: Lack of proper verification of the input format string on the iperf-related API module ‘ser_iperf3_cli.cgi’.
	</li>
</ol>

<p>
	 
</p>

<p>
	The above issues impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U in firmware versions 3.0.0.4.386_50460, 3.0.0.4.386_50460, and 3.0.0.4_386_51529 respectively.
</p>

<p>
	 
</p>

<p>
	The recommended solution is to apply the following firmware updates:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.asus.com/networking-iot-servers/wifi-routers/all-series/rt-ax55/helpdesk_bios/?model2Name=RT-AX55" rel="external nofollow" target="_blank">RT-AX55: 3.0.0.4.386_51948 or later</a>
	</li>
	<li>
		<a href="https://www.asus.com/networking-iot-servers/wifi-6/all-series/rt-ax56u/helpdesk_bios/?model2Name=RT-AX56U" rel="external nofollow" target="_blank">RT-AX56U_V2: 3.0.0.4.386_51948 or later</a>
	</li>
	<li>
		<a href="https://www.asus.com/supportonly/rt-ac86u/helpdesk_bios/?model2Name=RT-AC86U" rel="external nofollow" target="_blank">RT-AC86U: 3.0.0.4.386_51915 or later</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	ASUS released patches addressing the three flaws in early August 2023 for the RT-AX55, in May 2023 for the RT-AX56U_V2, and in July 2023 for the RT-AC86U.
</p>

<p>
	 
</p>

<p>
	Users who haven’t applied security updates since then should consider their devices vulnerable to attacks and prioritize the action as soon as possible.
</p>

<p>
	 
</p>

<p>
	Furthermore, because many consumer router flaws, including the administrative API functions targeted here, are reachable through the web admin console, it is strongly advised to turn off the remote administration (WAN Web Access) feature so that the console cannot be reached from the internet.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-critical-remote-code-execution-flaws/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18363</guid><pubDate>Tue, 05 Sep 2023 18:44:42 +0000</pubDate></item><item><title>India warns of malware attacks targeting its Android users</title><link>https://nsaneforums.com/news/security-privacy-news/india-warns-of-malware-attacks-targeting-its-android-users-r18359/</link><description><![CDATA[<p>
	India has warned its citizens of an advanced malware targeting Android users, capable of accessing sensitive data and allowing hackers control over infected devices.
</p>

<p>
	 
</p>

<p>
	The Controller General of Defence Accounts, a department in India’s Defense Ministry, released the advisory on the Remote Access Trojan called DogeRAT, originally brought to notice by the cybersecurity startup CloudSEK. The note said the malware, targeting Android users primarily located in India, is distributed via social media and messaging platforms as legitimate apps such as ChatGPT, Opera Mini and even as “premium versions” of YouTube, Netflix and Instagram.
</p>

<p>
	 
</p>

<p>
	“Once installed on a victim’s device, the malware gains unauthorized access to sensitive data including contacts, messages and banking credentials,” the advisory dated August 24 said.
</p>

<p>
	 
</p>

<p>
	The malware can commandeer infected devices, allowing hackers to send spam, initiate unauthorized payments, alter files, and even capture photos and keystrokes; it can also track the user’s location and record audio, the note said.
</p>

<p>
	 
</p>

<p>
	While the origin of the threat remains unknown, the advisory highlights that a group of cybercriminals used Telegram to disseminate fake versions of popular apps such as ChatGPT, Instagram, Opera Mini, and YouTube in a recent incident.
</p>

<p>
	 
</p>

<p>
	The Defense Ministry has asked its departments and officials to refrain from downloading apps from unverified third-party platforms and clicking on links from unknown senders. They are also advised to keep smartphones updated with the latest software and security patches and to install an antivirus app.
</p>

<p>
	 
</p>

<p>
	In its blog post in late May, CloudSEK said the open-source Android malware, based on Java, targeted customers across multiple industries, including banking and entertainment. The startup also noted that while most of the campaign initially targeted users in India, it is intended to have a global reach.
</p>

<p>
	 
</p>

<p>
	DogeRAT’s author showed in a post on GitHub that the malware campaign could be launched using a Telegram bot and an open-source NodeJS app hosting platform, CloudSEK researchers said.
</p>

<p>
	 
</p>

<p>
	The advisory was first reported by the local outlet Moneycontrol.
</p>

<p>
	 
</p>

<p>
	With India’s rise in digitization, cybersecurity breaches have surged in the nation, now the world’s second-largest internet market after China. The Indian IT ministry reported a 171% increase in cybersecurity incidents affecting government departments, rising to 192,439 in 2022 from 70,798 in 2018.
</p>

<p>
	 
</p>

<p>
	One of the significant cybersecurity incidents targeted India’s biggest public medical institution, All India Institute of Medical Sciences (AIIMS), in New Delhi last year. The ransomware attack impacted five servers containing a total of 1.3 terabytes of data, the government disclosed in its response to the parliament in December.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/09/05/india-advisory-dogerat-malware-android-users/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18359</guid><pubDate>Tue, 05 Sep 2023 14:21:55 +0000</pubDate></item></channel></rss>
