Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.

Thursday, November 9, 2023 08:11

*   Spammers are exploiting the "Release scores" feature of Google Forms quizzes to deliver email.
*   The emails originate from Google's own servers and consequently may have an easier time bypassing anti-spam protections and finding the victim's inbox.
*   Volumes of these messages hovered near noise levels but have recently spiked into the hundreds.

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms. In particular, spammers have discovered that they can create a new quiz in Google Forms, use the victim’s email address to respond to the quiz, and then abuse the “Release Scores” feature of the Google Form to deliver their spam to the victim. Because the spam messages emanate from Google itself, the messages have a good chance of landing in the victim’s inbox.

A histogram showing the volume of “Score released:” emails for the past two years.

Cisco Talos examined a recent spam campaign in which the Subject headers all contained the text, “Score released:”. During our investigation, we quickly realized these messages were being generated through a feature of Google Forms’ quizzes. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently.

**Google Forms’ quizzes**

In Google Forms, when creating a new form, an author can choose to “Make this a quiz.” Choosing to release grades “Later, after manual review,” enforces the collection of email addresses in the quiz.

An example Google Forms quiz is configured to release grades after manual review.

Elsewhere, under the settings for Responses, choosing “Responder input” allows a spammer to fill in their form using any victim’s email address.

An example form configured to allow responder-controlled values for email addresses.

Once the form is configured in this way, a link to the form can be obtained and accessed by the spammer. The spammer then fills out the form using the victim’s email address and submits it. Whether the question in the quiz is answered does not matter. Afterward, the fake quiz responses generated by the attacker can be viewed.

Quiz responses as seen by the Google Forms quiz owner.

Clicking the “Release scores” dialog in the upper right will prompt the form owner to “Send emails and release” the scores. The message delivered as part of the email can be customized to include any text or URL, and the message will then be delivered by Google using the “From:” address of the Google account that created the quiz. Because the email messages generated using this technique emanate from Google’s servers, they stand a good chance of being delivered to the victim’s inbox. 

**Google Forms quiz spam used in an elaborate cryptocurrency scam**

A recent example of one of these Google Forms quiz score release spam attacks appears below. 

An example of a recent spam campaign utilizing the “Release scores” feature of Google Forms quizzes.

When the victim clicks the “View” button in this email, they are directed to the fake form response generated by the spammer.

Clicking “View” on a “Scores released:” spam directs the victim to the spammer-generated form response.

In this particular form response, the spammer has provided a link “>>> GO TO THE SITE” which points to another Google Form that asks the victim to confirm their email address. At this stage of the attack, when an email address is entered into the second form, the victim is provided a form response containing a link to an external website: go-procoinwhu\[.\]top. 

After the victim “confirms” their email address they are presented with a link to a third party website.

The go-procoinwhu\[.\]top domain was created only just created on October 28, 2023, but it is already seeing a large uptick in the number of DNS queries requesting it.

Clicking the go-procoinwhu\[.\]top link in the Google Form response results in a 302 redirect from Cloudflare, which directs the victim to https://hdlgr\[.\]dudicyqehama\[.\]top/, which is also hosted by Cloudflare. This domain was also recently created (October 25, 2023), and exhibits a very similar DNS traffic pattern in Umbrella Investigate.

When the victim navigates to the dudicyqehama.top website, they are presented with an elaborate scam website that claims that the victim possesses more than 1.3 Bitcoin in their account as a result of “automatic cloud Bitcoin mining,” which the site claims is worth more than $46,000 USD. 

A malicious cryptocurrency-related website claims the victim has over 1.3 BTC. 

Once the victim clicks “Continue,” they are brought into the main website “login page.” The username and password are pre-filled into the login form, so the victim only needs to click the “Sign in” button. 

A fake login form for the scammer's website. The username/password are pre-filled into the form.

Once logged in, it is readily apparent that the website goes to great lengths to appear legitimate. The site even includes a group chat feature near the bottom where you can see various other users discussing cryptocurrency-related topics. As a logged-in user, the victim can even comment. Watching the text scroll by in the chat, it becomes apparent that they are recycling the same comments over and over, and these are not real users.

The scammer's website tries very hard to look legitimate. They even include a fake group chat.

When the victim attempts to claim their Bitcoin from the main site, they are redirected to what looks like a live chat with an agent named “Sophia.”

When the victim tries to claim their BTC they are directed to a “live” chat with an agent named “Sophia.”

Sophia chats with us for a moment before sending a form to fill out to collect the Bitcoin.

Sophia sends the victim a form to fill out to collect their BTC. 

The form asks the victim to fill in their name, email address and the cashout method the user prefers. 

The victim must fill out a form indicating how they wish to receive the money from the BTC they exchanged for USD.

Once the form has been filled out and submitted, the victim is again redirected back to the chat with Sophia, who proceeds to give us a button to kick off the currency exchange of BTC into USD.

Sophia finishes chatting with the victim and provides a button to facilitate the Currency Exchange.

Now, we can begin to see the end game for this particular scam. The victim is instructed that to claim the almost $48,000 USD, the victim must pay an “exchange fee” of 0.25%, or $64 USD.

To receive the USD from the converted BTC, the victim must pay an exchange fee of 0.25%.

When the victim clicks “Exchange Bitcoin,” they are presented with one last form where the victim is prompted to enter their name, email and phone number. 

A payment form from the scammers. They are asking for $64.

Clicking “Pay” brings up a QR code for the BTC wallet of the spammers. Fortunately, nobody has fallen for this scam and paid the attackers, as the connected Bitcoin wallet was empty as of November 6, 2023.

The BTC wallet the attackers are using to receive the “exchange fee.”

The amount of setup work necessary to conduct a spam attack such as this, combined with the extraordinary attention to detail put into the social engineering for the subsequent cryptocurrency scam, demonstrates just how far cybercriminals will go when it comes to separating victims from even a small amount of money. As is usually the case with scams such as this, when something sounds too good to be true, it often is.

**IOCs**

IOCs for this research can also be found in our GitHub repository here.

Spammers abuse Google Forms’ quiz to deliver scams

By Deeba Ahmed
Palo Alto's Unit 42 Reveals Chinese APT Spying on 24 Cambodian Government Entities as Part of Long-Term Cyberespionage.
This is a post from HackRead.com Read the original post: Chinese APT Posing as Cloud Services to Spy on Cambodian Government

Cybersecurity researchers are confident that the targeted organizations are “still compromised” by “two prominent Chinese APT” groups.

Palo Alto Networks’ Unit 42 cybersecurity researchers have discovered that Chinese APT groups could be involved in a long-term espionage campaign against Cambodian government organizations using infrastructure masqueraded as cloud backup services.

According to the Unit 42 report, researchers noted network connections—specifically inbound connections—primarily originating from 24 Cambodian government organizations.

The researchers also believe that these organizations are ‘still compromised’ by ‘two prominent Chinese APT’ actors due to the infrastructure’s characteristics and the enduring persistence of these connections over several months.

It is worth noting that the certainty about the involvement of two **Chinese APT groups** stemmed from monitoring telemetry data, which established a clear link with these groups.

“We assess that these organizations are likely the targets of long-term cyberespionage activities that have leveraged this infrastructure for persistent access to government networks of interest,” said the Santa Clara, California-based cybersecurity giant.

These organizations were communicating regularly with the infrastructure between September and October 2023. Many of these organizations provided critical services to the following industries.

*   Politics
*   Commerce
*   Human rights
*   National defense
*   Election oversight
*   Natural resources
*   Telecommunications
*   National treasury and finance

The research emerged just days after **Canada banned the Chinese WeChat app** from all government devices due to spying concerns, prompting employees to promptly uninstall the application.

Researchers noted that organizations in these sectors could be targets of interest because of storing vast amounts of sensitive information, including financial data, classified government data, and PII (personally identifiable information) of citizens. They discovered at least six target-facing IP addresses used in the campaign, each hosting numerous subdomains. 

These domains were masqueraded as cloud storage services, which is the perfect alibi to create a sense of legitimacy to the unusually high traffic the server may observe during “high activity levels from the actor, such as data exfiltration from the victim network,” researchers wrote in their **blog post**.

Moreover, they had “high confidence” that these IP addresses served as the C2 infrastructure for the actor, and running the Cowrie honeypot on port 2222. Most likely, this honeypot was a cover to trick network defenders and security researchers investigating the “anomalous activity.”

In addition, they observed IP filtering on this infrastructure. It was used for blocking connections from IP ranges from known Palo Alto Networks several Big Tech and cybersecurity firms, and a number of VPS and cloud hosting providers. 

These C2 ports open only when the actor is active (between 08:30 and 17:30 UTC +08:00 (China Standard Time) on weekdays (Monday to Friday)) and remain closed otherwise. This means the actor is filtering connections to the malicious infrastructure to reduce the risk of C2 profiling by IP scanners or to evade detection.

Infrastructure overview of the Chinese APT groups (Unit42)

“This pattern might indicate the actor is attempting to avoid detection by blending into regular Cambodian business hours which are UTC +07:00.”

However, between September 29-October 8 2023, during China’s Golden Week and Special Working Days, the APT actors ceased their activity. This suggests that the attackers are based in **China** and following the country’s regular working hours, thus, validating Unit 42’s assessment regarding the attackers.

It is worth noting that Cambodia is **among** the signatories of the Chinese Belt and Road Initiative. The countries share strong economic and diplomatic relations. China has made significantly high investments to **modernize** Cambodia’s Ream Naval Base, despite that the project sparked **concerns** within the West. After completion, this base will become China’s first overseas outpost in Southeast Asia. This indicates that Cambodia is an important ally of China.

****_RELATED ARTICLES_****

1.  **Who Killed the IoT Zombie Mozi Botnet – China or India?**
2.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
3.  **Chinese Silent Skimmer Attack Hits Businesses in APAC and NALA regions**
4.  **Chinese Hackers Stole 60,000 US State Department Emails from Microsoft**
5.  **Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack**
6.  **Chinese Hackers Stole Microsoft’s Signing Key to Breach Outlook Accounts**

Chinese APT Posing as Cloud Services to Spy on Cambodian Government

Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called MuddyC2Go as part of attacks targeting Israel.
"The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.
The tool has been attributed to MuddyWater, an Iranian

Iranian nation-state actors have been observed using a previously undocumented command-and-control (C2) framework called **MuddyC2Go** as part of attacks targeting Israel.

"The framework's web component is written in the Go programming language," Deep Instinct security researcher Simon Kenin said in a technical report published Wednesday.

The tool has been attributed to MuddyWater, an Iranian state-sponsored hacking crew that's affiliated to the country's Ministry of Intelligence and Security (MOIS).

The cybersecurity firm said the C2 framework may have been put to use by the threat actor since early 2020, with recent attacks leveraging it in place of PhonyC2, another custom C2 platform from MuddyWater that came to light in June 2023 and has had its source code leaked.

Typical attack sequences observed over the years have involved sending spear-phishing emails bearing malware-laced archives or bogus links that lead to the deployment of legitimate remote administration tools.

The installation of the remote administration software paves the way for the delivery of additional payloads, including PhonyC2.

MuddyWater's modus operandi has since received a facelift, using password-protected archives to evade email security solutions and distributing an executable instead of a remote administration tool.

"This executable contains an embedded PowerShell script that automatically connects to MuddyWater's C2, eliminating the need for manual execution by the operator," Kenin explained.

The MuddyC2Go server, in return, sends a PowerShell script, which runs every 10 seconds and waits for further commands from the operator.

While the full extent of MuddyC2Go's features are unknown, it's suspected to be a framework that's responsible for generating PowerShell payloads in order to conduct post-exploitation activities.

"We recommend disabling PowerShell if it is not needed," Kenin said. "If it is enabled, we recommend close monitoring of PowerShell activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel

In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).


Skip to content

GitLab 

**XXE in eclipse IDE**

**Basic information**

**Project name:** org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi

**Project id:** {id}

**What are the affected versions?**

probably all

**Details of the issue**

SonarLint reports many possible XXE attacks in eclipse IDE's sourcecode. for example: 

**Steps to reproduce**

Don't know. Probably manipulating development xml-files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ... which should be normally self contained and do not require access from external sources.

**Do you know any mitigations of the issue?**

https://rules.sonarsource.com/java/RSPEC-2755 recommends to replace "SAXParserFactory.newInstance();" with code that disables external access by properties see also https://cheatsheetseries.owasp.org/cheatsheets/XML\_External\_Entity\_Prevention\_Cheat\_Sheet.html

CVE-2023-4218: XXE in eclipse IDE (#8) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab

Russia's most notorious military hackers successfully sabotaged Ukraine's power grid for the third time last year. And in this case, the blackout coincided with a physical attack.

The notorious unit of Russia's GRU military intelligence agency known as Sandworm remains the only team of hackers to have ever triggered blackouts with their cyberattacks, turning off the lights for hundreds of thousands of Ukrainian civilians not once, but twice within the past decade. Now it appears that in the midst of Russia's full-scale war in Ukraine, the group has achieved another dubious distinction in the history of cyberwar: It targeted civilians with a blackout attack at the same time missile strikes hit their city, an unprecedented and brutal combination of digital and physical warfare.

Cybersecurity firm Mandiant today revealed that Sandworm, a cybersecurity industry name for Unit 74455 of Russia's GRU spy agency, carried out a third successful power grid attack targeting a Ukrainian electric utility in October of last year, causing a blackout for an unknown number of Ukrainian civilians. In this case, unlike any previous hacker-induced blackouts, Mandiant says the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country, which included victims in the same city as the utility where Sandworm triggered its power outage. Two days after the blackout, the hackers also used a piece of data-destroying "wiper" malware to erase the contents of computers across the utility's network, perhaps in an attempt to destroy evidence that could be used to analyze their intrusion.

Mandiant, which has worked closely with the Ukrainian government on digital defense and investigations of network breaches since the start of the Russian invasion in February of 2022, declined to name the targeted electric utility or the city where it was located. Nor would it offer information like the length of the resulting power loss or the number of civilians affected.

Mandiant does note in its report on the incident that as early as two weeks before the blackout, Sandworm's hackers appear to have already possessed all the access and capabilities necessary to hijack the industrial control system software that oversees the flow of power at the utility's electrical substations. Yet it appears to have waited to carry out the cyberattack until the day of Russia's missile strikes. While that timing may be coincidental, it more likely suggests coordinated cyber and physical attacks, perhaps designed to sow chaos ahead of those air strikes, complicate any defense against them, or add to their psychological effect on civilians.

"The cyber incident exacerbates the impact of the physical attack," says John Hultquist, Mandiant's head of threat intelligence, who has tracked Sandworm for nearly a decade and named the group in 2014. "Without seeing their actual orders, it's really hard on our side to make a determination of whether or not that was on purpose. I will say that this was carried out by a military actor and coincided with another military attack. If it was a coincidence, it was a terribly interesting coincidence."

Nimbler, Stealthier Cybersaboteurs

The Ukrainian government's cybersecurity agency, SSSCIP, declined to fully confirm Mandiant's findings in response to a request from WIRED, but it didn't dispute them. SSSCIP's deputy chair, Viktor Zhora, wrote in a statement that the agency responded to the breach last year, working with the victim to "minimize and localize the impact." In an investigation over the two days following the near-simultaneous blackout and missile strikes, he says, the agency confirmed that the hackers had found a "bridge" from the utility's IT network to its industrial control systems and planted malware there capable of manipulating the grid.

Mandiant's more detailed breakdown of the intrusion shows how the GRU's grid hacking has evolved over time to become far more stealthy and nimble. In this latest blackout attack, the group used a "living off the land" approach that has become more common among state-sponsored hackers seeking to avoid detection. Instead of deploying their own custom malware, they exploited the legitimate tools already present on the network to spread from machine to machine before finally running an automated script that used their access to the facility's industrial control system software, known as MicroSCADA, to cause the blackout.

In Sandworm's 2017 blackout that hit a transmission station north of the capital of Kyiv, by contrast, the hackers used a custom-built piece of malware known as Crash Override or Industroyer, capable of automatically sending commands over several protocols to open circuit-breakers. In another Sandworm power grid attack in 2022, which the Ukrainian government has described as a failed attempt to trigger a blackout, the group used a newer version of that malware known as Industroyer2.

Sandworm Hackers Caused Another Blackout in Ukraine—During a Missile Strike

Face recognition technology has been controversial for years. Cops in the UK are drastically increasing the amount they use it.

A Beyoncé gig, the coronation of King Charles, and the British Formula One Grand Prix all have one thing in common: Thousands of people at the events, which all took place earlier this year, had their faces scanned by police-operated face recognition tech.

Backed by the Conservative government, police forces across England and Wales are being told to rapidly expand their use of the highly controversial technology, which globally has led to false arrests, misidentifications, and lives derailed. Police have been told to double their use of face searches against databases by early next year—45 million passport photos could be opened up to searches—and police are increasingly working with stores to try to identify shoplifters. Simultaneously, more regional police forces are testing real-time systems in public places.

The rapid expansion of face recognition comes at a time when trust in policing levels are at record lows, following a series of high-profile scandals. Civil liberties groups, experts, and some lawmakers have called for bans on the use of face recognition technology, particularly in public places, saying it infringes on people’s privacy and human rights, and isn’t a “proportionate” way to find people suspected of committing crimes.

“In the democratic world, we are an outlier at the moment,” says Madeleine Stone, a senior advocacy officer with Big Brother Watch, a privacy-focused group that has called for a ban and “immediate stop” on live face recognition, a proposal backed by 65 UK lawmakers. The EU, which the UK left in 2016, may ban the real-time use of face recognition systems, and one of its highest courts has called the technology “highly intrusive.” Various US states have banned police from using the technology.

Cops in England and Wales can hunt for potential criminals using two main kinds of face recognition. First, there are live face recognition systems (LFR): These usually include cameras mounted on police vans that scan people’s faces as they walk by and check them against a “watchlist” of wanted people. The LFR technology is deployed for some big events and announced in advance by the police. Second, there’s retrospective face recognition (RFR), where images from CCTV, smartphones, and doorbell cameras can be fed into a system that tries to identify the person based on millions of existing photos. Police use of both systems is increasing.

Two police forces in England and Wales—London’s Metropolitan Police and South Wales Police—have embraced LFR, using the technology for multiple years. (Police in Scotland, where policing is overseen locally, don’t use live systems but are reportedly increasing their use of RFR). So far this year, the Met and South Wales Police have used LFR on 22 separate occasions, according to statistics published on their websites.

Across 13 deployments, an estimated 247,764 people have passed the Met’s cameras this year, including at the King’s coronation and a soccer match between Arsenal and Tottenham. In 2023 so far, the Met’s system has pinged 18 times when it has matched a person with someone on the predetermined watchlist. Twelve of those people have been arrested. South Wales Police has used LFR nine times this year, scanning an estimated 705,290 faces and arresting two people.

Researchers and academics have long shown face recognition technologies to be biased or less accurate for people of color, particularly Black people. In all of the LFR uses by the Met and South Wales police forces this year, their figures show, there have been no false alerts or misidentifications. In short, every time the system made a match, it was correct, according to the departments’ data. The data published by the police forces show the LFR systems they are using are set to an accuracy threshold of either 0.6 or 0.64. A study conducted by the National Physical Laboratory, a UK public sector research organization, recommended the threshold setting of 0.64 as a way to reduce biased and incorrect matches.

Pete Fussey, a professor at the University of Essex who previously audited the Met’s face recognition, says that the report shows the algorithms may still be discriminatory and biased, but setting the thresholds neutralizes the system entirely. “If you desensitize the system, then you'll get fewer matches and fewer of those will be wrong,” Fussey says. Big Brother Watch’s Stone says it “brings into question the necessity and proportionality of the whole endeavor if you’re having dozens of police officers standing around the street looking at iPads just to make one arrest.” Stone argues “it’s not a good use of time.”

A spokesperson for the Home Office, the government department responsible for policing in England and Wales, says it is “committed” to giving police the technology they need to help solve crimes. “Technology such as facial recognition helps the police quickly and accurately identify those wanted for serious crimes, as well as missing or vulnerable people,” the spokesperson says, claiming it “frees up police time and resources.” They point to a blog post about police use of face recognition technologies.

“Live facial recognition isn't just deployed on its own. It's in support of wider policing operations,” says detective chief inspector Jamie Townsend, who is the operational lead for the Met's face recognition. A policing operation may make 30 arrests in an area with face recognition contributing two or three of them, he says.

Townsend says that the biometric data of people isn’t stored when they are scanned by LFR cameras, and he considers the system to be “precision policing” as it allows for the identification of specific individuals. The Home Office’s blog post claims LFR has led to the arrest of sex offenders and someone wanted for possessing a knife. South Wales Police did not respond to WIRED’s request for comment at the time of writing.

Two other UK police forces have tried LFR in recent months, raising concerns about how the technology will be used going forward and who is put on the watchlists of people the systems are looking for. There are more than 30 police forces that have not used LFR, although the government has said it is “very supportive” of more forces using it.

Around 380,000 people had their faces scanned by Northamptonshire police over three days at the British Grand Prix in July, according to public records requests. No arrests were made. A Freedom of Information Act request from Big Brother Watch revealed the force had placed 790 people on the watchlist for the event while only 234 were wanted for arrest. “It was largely individuals who were not wanted for any criminal reasons, which leads us to believe that these were protesters who were being put on watchlists,” Stone says. The previous year’s British Grand Prix was disrupted by protesters.

A statement from Northamptonshire Police says the watchlist “included a range of offences from organized crime to aggravated trespass, which had the potential of leading to the death or serious injury of the public, racing drivers and staff, especially if there was a repeat of the 2022 track incursion. We were not targeting those taking part in lawful, peaceful protests.”

Police forces are also being encouraged to ramp up the use of after-the-fact, retrospective face recognition. All police forces across the UK have the ability to run searches for faces against the Police National Database, which has more than 16 million photos and includes millions of images that should have been deleted years ago. In 2022, according to data from freedom of information requests, there were 85,158 face searches—up 330 percent on the previous year. Policing minister Chris Philp said in October that he wants the number of searches to double by May 2024.

Fussey, the University of Essex professor, says retrospective face recognition is often thought to be more “benign” than live face recognition, but he doesn't believe it is the case. “The issues and harms and human rights implications are the same, whether it's live or retrospective,” he says, adding there is a lot of ambiguity around how the technology is being used.

In August 2020, the UK’s Court of Appeal ruled that South Wales Police’s use of LFR was unlawful. Since then, police forces using the technology say they have changed their procedures in response to the court decision, and the Home Office spokesperson says there is a “comprehensive legal framework in the UK” that requires police to use the technology only when it is “necessary, proportionate, and fair.”

Many disagree. A wide-ranging review from the Ada Lovelace Institute, a nonprofit, says there is “legal uncertainty” about the use of LFR. Another report by University of Cambridge academics, from the Minderoo Centre for Technology and Democracy, concluded that three examined police deployments of face recognition “failed to meet the minimum ethical and legal standards.”

“It’s wholly legitimate for police to use technology to keep the public safe,” says Fussey, who recently completed a report on proposals to change the oversight of biometrics in the UK. “The question is about how lawful and necessary it is,” he says. “At the moment, we’re in a situation where the legal basis isn’t clear. There’s no external oversight of how it’s used, how it’s authorized, who’s on the watchlist.”

Police Use of Face Recognition Is Sweeping the UK

Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.

**Note:**

An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.

**chromedriver Command Injection vulnerability**

Moderate severity GitHub Reviewed Published Nov 9, 2023 to the GitHub Advisory Database • Updated Nov 9, 2023

GHSA-hm92-vgmw-qfmx: chromedriver Command Injection vulnerability

Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 allows a remote attacker to execute arbitrary code via a crafted payload to the public_html/doc/index.html.

\- CVE ID

CVE-2023-46492

\- Name of affected product and versions

github.com/mldbai/mldb

version <= 2017.04.17.0

\- Problem type

Attacker can execute arbitrary javascript code in victim's browser by sending specifically crafted url that exploits DOM based XSS in container\_files/public\_html/doc/index.html.

\- Description

There is a DOM based XSS vulnerability in container\_files/public\_html/doc/index.html due to setting iframe src with unsanitized user input from location.hash.

CVE-2023-46492: gist:a75b618419d5afb137cd5a29e8156420

Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page.

In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer for the popular processor tool CPU-Z.

This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities. The Windows Report was never compromised and is legitimate, but rather threat actors copied its content to trick users.

This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection. We have informed Google with the relevant details for takedown.

**Google ad and filtering**

The malicious ad is for CPU-Z, a popular utility for Windows users that want to troubleshoot their processor and other computer hardware details. The advertiser shows as Scott Cooper and is likely a compromised or fake identity.

One common technique used by threat actors to evade detection is to employ cloaking. Anyone clicking on the ad and who’s not the intended victim will see a standard blog with a number of articles.

We had previously identified another malicious ad using almost the same template.

**Redirect to Windows news site lookalike**

To show what happens when an actual victim clicks on the ad, here is the network traffic related to it as seen in the image below. This time, the corporatecomf\[.\]online website is no longer used to show a blog with articles but instead does a redirect (302 HTTP code) to another domain at workspace-app\[.\]online.

This domain uses content from the legitimate Windows portal WindowsReport.com and looks almost identical:

People who searched for CPU-Z and clicked the ad are now at the download page for the software, where they may wrongly assume that it is legitimate. The URL in the address bar does not match the real one, though.

There are several other domains hosted on the same IP address (74.119.192.188) also used in malvertising campaigns:

**Signed MSIX installer**

The payload is a digitally signed MSIX installer which contains a malicious PowerShell script, a loader known as FakeBat:

The script shows the malware command and control server as well as the remote payload (Redline stealer):

We are blocking the malvertising domains for all Malwarebytes customers:

ThreatDown, powered by Malwarebytes, already detected the final infostealer payload and we have added coverage for the its command and control servers as well.

It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page.

The download is also a signed MSI installer, which increases the chances for it to look legitimate from the operating system and antivirus software. These MSI loaders are quite common and allow threat actors to update the final payload by simply swapping a PowerShell script.

Software downloads have been a big target for the past year with criminals using a variety of tricks to deceive users and install malware. In an enterprise environment, it may be wise to verify a file’s checksum to ensure it has not been tampered with by comparing its SHA256 hash sum with what is posted on the vendor’s website.

**Indicators of Compromise**

Ad domains

argenferia\[.\]com  
realvnc\[.\]pro  
corporatecomf\[.\]online  
cilrix-corp\[.\]pro  
thecoopmodel\[.\]com  
winscp-apps\[.\]online  
wireshark-app\[.\]online  
cilrix-corporate\[.\]online  
workspace-app\[.\]online

Payload URLs

thecoopmodel\[.\]com/CPU-Z-x86.msix
kaotickontracting\[.\]info/account/hdr.jpg
ivcgroup\[.\]in/temp/Citrix-x64.msix
robo-claim\[.\]site/order/team.tar.gpg
argenferia\[.\]com/RealVNC-x64.msix

Payloads

55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1
9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88
419e06194c01ca930ed5d7484222e6827fd24520e72bfe6892cfde95573ffa16
cf9589665615375d1ad22d3b84e97bb686616157f2092e2047adb1a7b378cc95

C2s

11234jkhfkujhs\[.\]site
11234jkhfkujhs\[.\]top
94.131.111\[.\]240
81.177.136\[.\]179

 Malvertiser copies PC news site to deliver infostealer 

An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_391B8 function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#git