Researchers have uncovered a supply chain attack that tricked app and website developers into using copies of popular npm packages that contained malicious code to steal form data.
The post IconBurst software supply chain attack offers malicious versions of NPM packages appeared first on Malwarebytes Labs.

Researchers discovered evidence of a widespread software supply chain attack involving malicious Javascript packages offered via the npm package manager. The threat actors behind the IconBurst campaign used typosquatting to mislead developers looking for very popular packages.

**npm**

npm is short for Node package manager, a name that no longer covers the load. npm is a package manager for the JavaScript programming language maintained by npm, Inc. It consists of a command line client, also called npm, and an online database of public and paid-for private packages, called the npm registry. The free npm registry has become the center of JavaScript code sharing, and with more than one million packages, the largest software registry in the world.

Even non-developers may have heard of Node.js, a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js is an open-source, cross-platform, back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside a web browser. npm is the default package manager for Node.js.

**Malicious fakes**

Researchers at ReversingLabs identified more than two dozen such NPM packages. The packages dated back up to six months, and contain obfuscated Javascript designed to steal form data from individuals using applications or websites that included the malicious packages.

The malicious packages serviced downstream mobile and desktop applications as well as websites. In one case, a malicious package has been downloaded more than 17,000 times. The attacker used a typosquatting technique to trick developers into using the malicious packages.

**Typosquatting**

Typosquatting is a term you may have seen when reading about Internet scams. In essence it relies on users making typos when entering a site or domain name. Sometimes typosquatting includes techniques like URL hijacking and domain mimicry, but mostly it relies on intercepting typos, hence the name.

In this case, the attackers offer up packages via public repositories with names that are very similar to legitimate packages like umbrellajs and packages published by ionic.io.

**Supply chain attack**

A supply chain attack, also called a value-chain or third-party attack, occurs when someone attacks you or your system through an outside partner or provider. Attackers can deploy supply chain attacks to exploit trust relationships between a target and external parties.

This attack can be categorized as a supply chain attack because the developer falling for the typosquatting trick is not the victim. Ultimately, the user filling out a form on a website created by the developer that used a contaminated package is the actual victim of the attack.

**Obfuscated code**

The researchers’ attention was drawn by the use of the same obfuscator in a wide range of npm packages over the past few months. Obfuscation, although uncommon, is not unheard of in open source development. Often obfuscation techniques aim to hide the underlying code from prying eyes, but the Javascript Obfuscator used in this attack also reduces the size of JavaScript files.

Following the obfuscation trail, the developers found similarly named packages that could be connected to one of a handful of NPM accounts.

**The goal**

After deobfuscation, it became clear that the authors integrated a known login stealing script into the popular npm packages. The script designed to steal information from online forms, originates from a hacking tool called “Hacking PUBG i’d”. PUBG is an online multiplayer shooter with an estimated billion players. Some of these packages are still available for download at the time of writing.

Once again this attack shows us that the way in which developers rely on the work of others is not backed up by a way to detect malicious code within open source libraries and modules.

The researchers’ blog contains a list of packages and associated hashes of the malicious packages for developers that suspect they may have fallen victim to this attack.

Stay safe, everyone!

IconBurst software supply chain attack offers malicious versions of NPM packages

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.

Moreover, browser vendors frequently add new features, which increases the risk of flaws in program code that hackers can exploit. And even though there seem to be a lot of different Web browsers, there are actually just two open source browser engines. Chrome, Vivaldi, Brave, and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and switched to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all the other browsers are proprietary corporate tools like Apple Safari. As a result of this consolidation, adversaries can closely focus on undercovering the vulnerabilities in the two browser engines.

**The Latest Critical Web Browser Vulnerabilities  
**Every month, we see myriad serious new Web browser vulnerabilities. In the first half of 2022, Chrome has announced three zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the JavaScript V8 engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not just the nearly 3 billion users of Chrome, but also everyone using any other Chromium-based browser.

Mozilla is not immune from vulnerabilities, either. So far in 2022, we've seen CVE-2022-22753, a high-severity vulnerability that can enable an adversary to get admin rights in Windows; CVE-2022-22753, which could be abused to gain access to an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to enable JavaScript code execution.

The problem is not just serious but growing: In the first quarter of 2022 alone, Chrome fixed 113 vulnerabilities, 13% more than in the same period in 2021, while Firefox fixed 88 vulnerabilities, a 12% jump from the first quarter of 2021. These increases make browsers a top target for hackers.

**How Hackers Attack Browsers  
**Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these "drive-by download" attacks.

A more common tactic, however, is for hackers to send phishing emails that contain exploit kits targeting Web browsers. Indeed, Cisco's 2021 cybersecurity threat trend report found that about 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser, which can exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, Magnitude actively targeted Chromium in October 2021.

**Strategies to Mitigate Risk From Browser Vulnerabilities  
**Organizations should combine multiple techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers updated. However, patching browsers can be problematic. Research shows that 83% of users run versions of Chrome that are vulnerable to zero-day attacks that have already been identified by Google. One reason is simply that many users do not like rebooting their browsers, which is often required as part of an update.

Another barrier to patching is that many people install browsers under their user profiles, into folders that system administrators cannot access without special tools. To overcome these issues, automate patching for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient to end users; and manage applications installed under user profiles.

The second measure is to enforce multifactor authentication (MFA) on all critical systems and services. That way, hackers will be unable to access those resources even if they manage to steal a user's credentials.

Third, regularly clear the browser history on users' machines to erase stored passwords, and to clear their cookies as well, since they can enable attackers to access services such as email without the user's credentials. Ensure your IT teams can perform these tasks remotely and, ideally, automate them.

Fourth, remember the human factor. Be sure to roll out an extensive cybersecurity awareness program that educates all your users about security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially those that don't receive regular updates. In addition, train them to choose strong and unique passwords for each website they visit and not to store passwords in their browsers; to facilitate this, give them a password management app.

Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk

The heap buffer-overflow issue in Chrome for Android could be used for DoS, code execution, and more.

A zero-day security vulnerability in Google Chrome for Android is being actively exploited in the wild, the Internet giant says.

The issue is a high-severity heap-buffer overflow bug (tracked as CVE-2022-2294) in WebRTC. WebRTC is an HTML5 specification that allows webpages to play real-time audio and video content inside the browser.

"Google is aware that an exploit for CVE-2022-2294 exists in the wild," the company said in its advisory on the issue.

As usual, Google is keeping the vulnerability's technical details close to the vest until a majority of users have updated their browsers, but heap-buffer overflows in general are memory issues that can lead to a range of bad outcomes if exploited. Possible outcomes include crashing the device, denial of service (DoS), remote code execution (RCE), and security-service bypasses.

Patrick Tiquet, vice president of security and architecture at Keeper Security, did some delving into the issue, and says that bug does indeed allow RCE.

"CVE-2022-2294 is a serious vulnerability that could lead to arbitrary remote code-execution by simply visiting a malicious website," he says. "This could enable an attacker to perform a variety of actions on a target system, such as install malware or steal information. Windows and Android Chrome users should ensure that they install the latest updates to protect themselves."  

To address the flaw, Google released Chrome 103 (103.0.5060.71) for Android on Monday – it said that the update would be rolling out on Google Play "over the next few days."

The update fixes two other security bugs as well: One is a high-severity type-confusion bug (CVE-2022-2295) in Google's V8 open source JavaScript engine, which earned a $7,500 bug bounty for reporters avaue and Buff3tts at S.S.L.; and the other is an unspecified fix that was discovered internally. Type-confusion issues can also lead to code execution, crashes, and logical efforts.

Tiquet adds, "Web browsers are essential applications that nearly all cloud-based services have in common and are therefore high-priority targets - compromise of a web browser could be leveraged to compromise any cloud-based service accessed by that browser."

**Fourth Exploited Chrome Zero-Day Bug in 2022**

The WebRTC flaw is the fourth zero-day in Chrome so far this year. Notably, in April Google disclosed a type-confusion vulnerability that is already being exploited in the wild (CVE-2022-1364), which affects the JavaScript and WebAssembly engine in the browser.

Another type-confusion problem in V8 (CVE-2022-1096) was patched in March; and the third was patched in February (CVE-2022-0609), after it was exploited by a North Korean-backed state advanced persistent threat, according to the Google Threat Analysis Group (TAG).

"With so many business and cloud applications depending on a web interface, browser vulnerabilities can be problematic," Mike Parkin, senior technical engineer at Vulcan Cyber, says. "Especially one as widely used as Chrome. It’s even worse when there are known exploits in the wild that leverage the vulnerability. Fortunately, Google has already developed patches for this vulnerability on both desktop and mobile platforms and will have them rolled out quickly."

Google Chrome WebRTC Zero-Day Faces Active Exploitation

Google has patched a vulnerability in Chrome which was being exploited in the wild. Make sure you're using the latest version.
The post Update now! Chrome patches ANOTHER zero-day vulnerability appeared first on Malwarebytes Labs.

Google has released version 103.0.5060.114 for Chrome, now available in the Stable Desktop channel worldwide. The main goal of this new version is to patch CVE-2022-2294.

CVE-2022-2294  is a high severity heap-based buffer overflow weakness in the Web Real-Time Communications (WebRTC) component which is being exploited in the wild. This is the fourth Chrome zero-day to be patched in 2022.

**Heap buffer overflow**

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

**The vulnerability**

WebRTC on Chrome is the first true in-browser solution to real-time communications (RTC). It supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions. The technology is available on all modern browsers as well as on native clients for all major platforms.

A WebRTC application will usually go through a common application flow. Access the media devices, open peer connections, discover peers, and start streaming. Since Google does not disclose details about the vulnerability until everyone has had ample opportunity to install the fix it is unclear in what stage the vulnerability exists.

**How to protect yourself**

If you’re a Chrome user on Windows or Mac, you should update as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

After the update the version should be 103.0.5060.114 or later.

Since WebRTC is a Chromium component, users of other Chromium based browsers may see a similar update.

Stay safe, everyone!

Update now! Chrome patches ANOTHER zero-day vulnerability

The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.

Chrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.

The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1**,** is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory,” according to the vulnerability’s listing on the Common Weakness Enumeration (CWE) website.

As per usual, Google did not reveal specific details about the bug, as it generally waits until most have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.

Moreover, with scant details revealed about the flaw—a habit of Google’s that many security researchers find frustrating—at this point an update is really only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.

Buffer overflows generally lead to crashes or other attacks that make the affected program unavailable including putting the program into an infinite loop, according to the CWE listing.  Attackers can take advantage of the situation by using the crash to execute arbitrary code typically outside of the scope of the program’s security policy.

“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”

****Other Fixes****

In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.

This is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine tracked as CVE-2022-1096 and under active attack spurred a hasty patch  from Google.

Then in April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8 on which attackers already had pounced.

Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google. All of the flaws patched in this week’s update received a rating of high. The updates also includes several fixes from internal audits, fuzzing and other initiatives, Google said.

Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that was under active attack.

Google Patches Actively Exploited Chrome Bug

Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.
The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native

Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild.

The shortcoming, tracked as **CVE-2022-2294**, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native apps.

Heap buffer overflows, also referred to as heap overrun or heap smashing, occur when data is overwritten in the heap area of the memory, leading to arbitrary code execution or a denial-of-service (DoS) condition.

"Heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code," MITRE explains. "When the consequence is arbitrary code execution, this can often be used to subvert any other security service."

Credited with discovering and reporting the flaw on July 1, 2022, is Jan Vojtesek from the Avast Threat Intelligence team. It's worth pointing out that the bug also impacts the Android version of Chrome.

As is usually the case with zero-day exploitation, details pertaining to the flaw as well as other specifics related to the campaign have been withheld to prevent further abuse in the wild and until a significant chunk of users are updated with a fix.

CVE-2022-2294 also marks the resolution of the fourth zero-day vulnerability in Chrome since the start of the year -

*   **CVE-2022-0609** - Use-after-free in Animation
*   **CVE-2022-1096** - Type confusion in V8
*   **CVE-2022-1364** - Type confusion in V8

Users are recommended to update to version 103.0.5060.114 for Windows, macOS, and Linux and 103.0.5060.71 for Android to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild

Plus: Indian hacker-for-hire groups, Chinese student espionage efforts, and more.

Your car is a data gold mine. Each trip you make produces a lot of data—from your location to your use of infotainment systems—and car manufacturers are getting better at using this information. One 2019 analysis found cars could generate up to 25 gigabytes of data per hour. As companies refine their ability to mine this data, your car could prove to be the next national security threat. This week, the Chinese town of Beidaihe banned Teslas from its streets as the country’s Communist party leaders gather in the area. One possible reason for the ban is that the cars could reveal sensitive details about China’s most senior figures.

Elsewhere, German mobile providers are testing “digital tokens” as a way to serve up personalized advertising on people’s phones. The trial of TrustPid by Vodafone and Deutsche Telekom generates pseudo-anonymous tokens based on people’s IP addresses and uses them to show personalized product recommendations. The move has been likened to “supercookies,” which have previously been used to track people without their permission. While Vodafone denies the system is akin to supercookies, privacy advocates say it is a step too far. “Companies that operate communication networks should neither track their customers nor should they help others to track them,” privacy researcher Wolfie Christl told WIRED.

In other stories this week, we’ve rounded up the critical updates from Android, Chrome, Microsoft, and others that emerged in June—you should make those updates now. We also looked at how the new ZuoRAT router malware has infected at least 80 targets worldwide. And we detailed how to use Microsoft Defender on all your Apple, Android, and Windows devices.

But that’s not all. We have a rundown of the week’s big security news that we haven’t been able to cover ourselves. Click on the headlines to read the full stories. And stay safe out there.

California’s gun database, dubbed the Firearms Dashboard Portal, was meant to improve transparency around the sale of weapons. Instead, when new data was added to it on June 27, the update proved to be a calamity. During the planned publication of new information, the California Department of Justice made a spreadsheet publicly accessible online and exposed more than 10 years of gun owner information. Included in the data breach were the names, dates of birth, genders, races, driver’s license numbers, addresses, and criminal histories of people who were granted or denied permits for concealed and carry weapons between 2011 and 2021. More than 40,000 CCW permits were issued in 2021; however, California’s justice department said financial information and Social Security numbers weren’t included in the data breach.

While the spreadsheet was online for under 24 hours, an initial investigation appears to indicate that the breach was more widespread than initially thought. In a press release issued on June 29, the Californian DOJ said other parts of its gun databases were also “impacted.” Information contained in the Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards may have been exposed in the breach, the department said, adding that it is investigating what information could have been revealed. Responding to the data breach, the Fresno County Sheriff’s Office said it was “worse than previously expected” and that some of the potentially impacted information “came as a surprise to us.”

Indian hacker-for-hire groups have been targeting lawyers and their clients across the globe for the better part of a decade, a Reuters investigation revealed this week. Hacking groups have used phishing attacks to gain access to confidential legal documents in more than 35 cases since 2013 and targeted at least 75 US and European companies, according to the report, which is partly based on a trove of 80,000 emails sent by Indian hackers over the past seven years. The investigation details how hack-for-hire groups operate and how private investigators take advantage of their ruthless nature. As Reuters published its investigation, Google’s Threat Analysis Group made public dozens of domains belonging to alleged hack-for-hire groups in India, Russia, and the United Arab Emirates.

Since 2009, the Chinese hacking group APT40 has targeted companies, government bodies, and universities around the world. APT40 has hit countries including the United States, United Kingdom, Germany, Cambodia, Malaysia, Norway, and more, according to security firm Mandiant. This week, a _Financial Times_ investigation found that Chinese university students have been tricked into working for a front company linked to APT40 and been involved in researching its hacking targets. The newspaper identified 140 potential translators who had applied to job ads at Hainan Xiandun, a company allegedly linked to APT40 and named in a US Department of Justice indictment in July 2021. Those applying for jobs at Hainan Xiandun were asked to translate sensitive US government documents and appear to have been “unwittingly drawn into a life of espionage,” according to the story.

In 2021, North Korean hackers stole around $400 million in crypto as part of the country’s efforts to evade international sanctions and bolster its nuclear weapons program. This week, investigators started linking the theft of around $100 million in cryptocurrency from Horizon Bridge, on June 23, to North Korean actors. Blockchain analysis firm Elliptic says it has uncovered “strong indications” that North Korea’s Lazarus Group may be linked to the Horizon Bridge hacking incident—and Ellipictic is not the only group to have made the connection. The attack is the latest in a string against blockchain bridges, which have become increasingly common targets in recent years. However, investigators say the ongoing crypto crash has wiped millions in value from North Korea’s crypto heists.

Gun Database Breach Leaks Details on Thousands of Owners

Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

Google on Thursday announced a slew of improvements to its password manager service aimed at creating a more consistent look and feel across different platforms.
Central to the changes is a "simplified and unified management experience that's the same in Chrome and Android settings," Ali Sarraf, Google Chrome product manager, said in a blog post.

The updates are also expected to automatically

Google on Thursday announced a slew of improvements to its password manager service aimed at creating a more consistent look and feel across different platforms.

Central to the changes is a "simplified and unified management experience that's the same in Chrome and Android settings," Ali Sarraf, Google Chrome product manager, said in a blog post.

The updates are also expected to automatically group multiple passwords for the same sites as well as introduce an option to manually add passwords. Although Google appears to be not ready yet to make Password Manager as a standalone app, users on Android can now add a shortcut to it on the homescreen.

In a related change on iOS, should users opt for Chrome as the default autofill provider, Password Manager comes with the ability to generate unique, strong passwords.

The built-in Password Checkup feature on Android is receiving an upgrade of its own too. Beyond checking for hacked credentials, it can further highlight weak and reused passwords à la Apple iOS. Google is also expanding the compromised password warnings to Chrome users across all operating systems.

Last but not least, Google is bringing a new "Touch-to-Login" to Chrome on Android that allows users to sign in to websites with a single tap after entering the credentials with autofill. It's worth noting that Apple implemented a similar feature in Safari with iOS 12.2.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Improves Its Password Manager to Boost Security Across All Platforms

It didn't have to be this way: So far 2022's tranche of zero-days shows too many variants of previously patched security bugs, according Google Project Zero.

So far this year, a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild, according to an analysis – and half of those were preventable flaws.

According to Google's Project Zero, nine of the issues were simply variants of previously patched bugs, with four being variants of previous 2021 in-the-wild zero-day bugs. Since these are closely related to security weaknesses that have been seen before, it blows a hole in the theory that zero-day exploits are so advanced that defenders can't hope to catch them, Project Zero's Maddie Stone notes.

"\[After\] the original in-the-wild zero-day \[was\] patched, attackers came back with a variant of the original bug," she explains in a Thursday blog post. "Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched."

The slate of 2022 zero-days affects a wide range of platforms, including Apple iOS, Atlassian Confluence, Chromium, Google Pixel, Linux, WebKit, and, of course, Windows (including the Follina and PetitPotam vulns).

In some these cases (Windows win32k and Chromium), the proof-of-concept attack path was patched but not the root cause, so attackers could trigger the original vulnerability through a different path. In other cases, such as PetitPotam, the original vulnerability was patched but "at some point regressed so that attackers could exploit the same vulnerability again," Stone says.

"The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method," she says. "To do that effectively, we need correct and comprehensive fixes."

Tag

#chrome