Ubuntu Security Notice 6024-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Lin Ma discovered a race condition in the io_uring subsystem in the Linux kernel, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6024-1  
April 19, 2023

linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm,  
linux-lowlatency, linux-oracle, linux-raspi vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux: Linux kernel  
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems  
- linux-azure: Linux kernel for Microsoft Azure Cloud systems  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-lowlatency: Linux low latency kernel  
- linux-oracle: Linux kernel for Oracle Cloud systems  
- linux-raspi: Linux kernel for Raspberry Pi systems  
- linux-hwe-5.19: Linux hardware enablement (HWE) kernel

Details:

It was discovered that the Traffic-Control Index (TCINDEX) implementation  
in the Linux kernel contained a use-after-free vulnerability. A local  
attacker could use this to cause a denial of service (system crash) or  
possibly execute arbitrary code. (CVE-2023-1281)

Lin Ma discovered a race condition in the io_uring subsystem in the Linux  
kernel, leading to a null pointer dereference vulnerability. A local  
attacker could use this to cause a denial of service (system crash).  
(CVE-2023-0468)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

It was discovered that the network queuing discipline implementation in the  
Linux kernel contained a null pointer dereference in some situations. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2022-47929)

Thadeu Cascardo discovered that the io_uring subsystem contained a double-  
free vulnerability in certain memory allocation error conditions. A local  
attacker could possibly use this to cause a denial of service (system  
crash). (CVE-2023-1032)

It was discovered that the module decompression implementation in the Linux  
kernel did not properly handle return values in certain error conditions. A  
local attacker could use this to cause a denial of service (system crash).  
(CVE-2023-22997)

Lianhui Tang discovered that the MPLS implementation in the Linux kernel  
did not properly handle certain sysctl allocation failure conditions,  
leading to a double-free vulnerability. An attacker could use this to cause  
a denial of service or possibly execute arbitrary code. (CVE-2023-26545)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly handle a loop termination condition, leading to an  
out-of-bounds read vulnerability. A local attacker could use this to cause  
a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-26606)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   linux-image-5.19.0-1016-raspi   5.19.0-1016.23  
   linux-image-5.19.0-1016-raspi-nolpae  5.19.0-1016.23  
   linux-image-5.19.0-1020-gcp     5.19.0-1020.22  
   linux-image-5.19.0-1020-oracle  5.19.0-1020.23  
   linux-image-5.19.0-1021-kvm     5.19.0-1021.22  
   linux-image-5.19.0-1022-lowlatency  5.19.0-1022.23  
   linux-image-5.19.0-1022-lowlatency-64k  5.19.0-1022.23  
   linux-image-5.19.0-1023-aws     5.19.0-1023.24  
   linux-image-5.19.0-1023-azure   5.19.0-1023.24  
   linux-image-5.19.0-40-generic   5.19.0-40.41  
   linux-image-5.19.0-40-generic-64k  5.19.0-40.41  
   linux-image-5.19.0-40-generic-lpae  5.19.0-40.41  
   linux-image-aws                 5.19.0.1023.20  
   linux-image-azure               5.19.0.1023.19  
   linux-image-gcp                 5.19.0.1020.17  
   linux-image-generic             5.19.0.40.36  
   linux-image-generic-64k         5.19.0.40.36  
   linux-image-generic-lpae        5.19.0.40.36  
   linux-image-kvm                 5.19.0.1021.18  
   linux-image-lowlatency          5.19.0.1022.18  
   linux-image-lowlatency-64k      5.19.0.1022.18  
   linux-image-oracle              5.19.0.1020.17  
   linux-image-raspi               5.19.0.1016.15  
   linux-image-raspi-nolpae        5.19.0.1016.15  
   linux-image-virtual             5.19.0.40.36

Ubuntu 22.04 LTS:  
   linux-image-5.19.0-40-generic   5.19.0-40.41~22.04.1  
   linux-image-5.19.0-40-generic-64k  5.19.0-40.41~22.04.1  
   linux-image-5.19.0-40-generic-lpae  5.19.0-40.41~22.04.1  
   linux-image-generic-64k-hwe-22.04  5.19.0.40.41~22.04.13  
   linux-image-generic-hwe-22.04   5.19.0.40.41~22.04.13  
   linux-image-generic-lpae-hwe-22.04  5.19.0.40.41~22.04.13  
   linux-image-virtual-hwe-22.04   5.19.0.40.41~22.04.13

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6024-1  
   CVE-2022-3424, CVE-2022-41218, CVE-2022-47929, CVE-2023-0468,  
   CVE-2023-1032, CVE-2023-1281, CVE-2023-22997, CVE-2023-26545,  
   CVE-2023-26606, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux/5.19.0-40.41  
   https://launchpad.net/ubuntu/+source/linux-aws/5.19.0-1023.24  
   https://launchpad.net/ubuntu/+source/linux-azure/5.19.0-1023.24  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.19.0-1020.22  
   https://launchpad.net/ubuntu/+source/linux-kvm/5.19.0-1021.22  
   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.19.0-1022.23  
   https://launchpad.net/ubuntu/+source/linux-oracle/5.19.0-1020.23  
   https://launchpad.net/ubuntu/+source/linux-raspi/5.19.0-1016.23  
   https://launchpad.net/ubuntu/+source/linux-hwe-5.19/5.19.0-40.41~22.04.1

Ubuntu Security Notice USN-6024-1

Ubuntu Security Notice 6025-1 - It was discovered that the Traffic-Control Index implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the OverlayFS implementation in the Linux kernel did not properly handle copy up operation in some conditions. A local attacker could possibly use this to gain elevated privileges.

    ==========================================================================Ubuntu Security Notice USN-6025-1April 19, 2023linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15,linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency,linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspivulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-lowlatency-hwe-5.15: Linux low latency kernel- linux-oracle-5.15: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the Traffic-Control Index (TCINDEX) implementationin the Linux kernel contained a use-after-free vulnerability. A localattacker could use this to cause a denial of service (system crash) orpossibly execute arbitrary code. (CVE-2023-1281)It was discovered that the OverlayFS implementation in the Linux kernel didnot properly handle copy up operation in some conditions. A local attackercould possibly use this to gain elevated privileges. (CVE-2023-0386)Haowei Yan discovered that a race condition existed in the Layer 2Tunneling Protocol (L2TP) implementation in the Linux kernel. A localattacker could possibly use this to cause a denial of service (systemcrash). (CVE-2022-4129)It was discovered that the network queuing discipline implementation in theLinux kernel contained a null pointer dereference in some situations. Alocal attacker could use this to cause a denial of service (system crash).(CVE-2022-47929)It was discovered that the NTFS file system implementation in the Linuxkernel contained a null pointer dereference in some situations. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-4842)Kyle Zeng discovered that the IPv6 implementation in the Linux kernelcontained a NULL pointer dereference vulnerability in certain situations. Alocal attacker could use this to cause a denial of service (system crash).(CVE-2023-0394)It was discovered that the Human Interface Device (HID) support driver inthe Linux kernel contained a type confusion vulnerability in somesituations. A local attacker could use this to cause a denial of service(system crash). (CVE-2023-1073)It was discovered that a memory leak existed in the SCTP protocolimplementation in the Linux kernel. A local attacker could use this tocause a denial of service (memory exhaustion). (CVE-2023-1074)It was discovered that the NFS implementation in the Linux kernel did notproperly handle pending tasks in some situations. A local attacker coulduse this to cause a denial of service (system crash) or expose sensitiveinformation (kernel memory). (CVE-2023-1652)Lianhui Tang discovered that the MPLS implementation in the Linux kerneldid not properly handle certain sysctl allocation failure conditions,leading to a double-free vulnerability. An attacker could use this to causea denial of service or possibly execute arbitrary code. (CVE-2023-26545)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1018-gkeop   5.15.0-1018.23   linux-image-5.15.0-1027-raspi   5.15.0-1027.29   linux-image-5.15.0-1027-raspi-nolpae  5.15.0-1027.29   linux-image-5.15.0-1028-ibm     5.15.0-1028.31   linux-image-5.15.0-1031-gke     5.15.0-1031.36   linux-image-5.15.0-1031-kvm     5.15.0-1031.36   linux-image-5.15.0-1032-gcp     5.15.0-1032.40   linux-image-5.15.0-1033-oracle  5.15.0-1033.39   linux-image-5.15.0-1034-aws     5.15.0-1034.38   linux-image-5.15.0-1036-azure   5.15.0-1036.43   linux-image-5.15.0-1036-azure-fde  5.15.0-1036.43.1   linux-image-5.15.0-70-generic   5.15.0-70.77   linux-image-5.15.0-70-generic-64k  5.15.0-70.77   linux-image-5.15.0-70-generic-lpae  5.15.0-70.77   linux-image-5.15.0-70-lowlatency  5.15.0-70.77   linux-image-5.15.0-70-lowlatency-64k  5.15.0-70.77   linux-image-aws-lts-22.04       5.15.0.1034.33   linux-image-azure               5.15.0.1036.32   linux-image-azure-fde           5.15.0.1036.43.13   linux-image-azure-lts-22.04     5.15.0.1036.32   linux-image-gcp                 5.15.0.1032.27   linux-image-generic             5.15.0.70.68   linux-image-generic-64k         5.15.0.70.68   linux-image-generic-lpae        5.15.0.70.68   linux-image-gke                 5.15.0.1031.30   linux-image-gke-5.15            5.15.0.1031.30   linux-image-gkeop               5.15.0.1018.17   linux-image-gkeop-5.15          5.15.0.1018.17   linux-image-ibm                 5.15.0.1028.24   linux-image-kvm                 5.15.0.1031.27   linux-image-lowlatency          5.15.0.70.75   linux-image-lowlatency-64k      5.15.0.70.75   linux-image-oracle              5.15.0.1033.28   linux-image-raspi               5.15.0.1027.24   linux-image-raspi-nolpae        5.15.0.1027.24   linux-image-virtual             5.15.0.70.68Ubuntu 20.04 LTS:   linux-image-5.15.0-1031-gke     5.15.0-1031.36~20.04.1   linux-image-5.15.0-1032-gcp     5.15.0-1032.40~20.04.1   linux-image-5.15.0-1033-oracle  5.15.0-1033.39~20.04.1   linux-image-5.15.0-1034-aws     5.15.0-1034.38~20.04.1   linux-image-5.15.0-1036-azure   5.15.0-1036.43~20.04.1   linux-image-5.15.0-70-lowlatency  5.15.0-70.77~20.04.1   linux-image-5.15.0-70-lowlatency-64k  5.15.0-70.77~20.04.1   linux-image-aws                 5.15.0.1034.38~20.04.23   linux-image-azure               5.15.0.1036.43~20.04.26   linux-image-azure-cvm           5.15.0.1036.43~20.04.26   linux-image-gcp                 5.15.0.1032.40~20.04.1   linux-image-gke-5.15            5.15.0.1031.36~20.04.1   linux-image-lowlatency-64k-hwe-20.04  5.15.0.70.77~20.04.28   linux-image-lowlatency-hwe-20.04  5.15.0.70.77~20.04.28   linux-image-oracle              5.15.0.1033.39~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6025-1   CVE-2022-4129, CVE-2022-47929, CVE-2022-4842, CVE-2023-0386,   CVE-2023-0394, CVE-2023-1073, CVE-2023-1074, CVE-2023-1281,   CVE-2023-1652, CVE-2023-26545Package Information:   https://launchpad.net/ubuntu/+source/linux/5.15.0-70.77   https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1034.38   https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1036.43   https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1036.43.1   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1032.40   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1031.36   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1018.23   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1028.31   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1031.36   https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-70.77   https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1033.39   https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1027.29   https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1034.38~20.04.1   https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1036.43~20.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1032.40~20.04.1   https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1031.36~20.04.1 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-70.77~20.04.1 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1033.39~20.04.1

Ubuntu Security Notice USN-6025-1

U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets.
The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims.
The

Network Security / Cyber Espionage

U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets.

The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims.

The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU).

"APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742," the National Cyber Security Centre (NCSC) said.

CVE-2017-6742 (CVSS score: 8.8) is part of a set of remote code execution flaws that stem from a buffer overflow condition in the Simple Network Management Protocol (SNMP) subsystem in Cisco IOS and IOS XE Software.

In the attacks observed by the agencies, the threat actor weaponized the vulnerability to deploy a non-persistent malware dubbed Jaguar Tooth on Cisco routers that's capable of gathering device information and enabling unauthenticated backdoor access.

While the issues were patched in June 2017, they have since come under public exploitation as of January 11, 2018, underscoring the need for robust patch management practices to limit the attack surface.

Besides updating to the latest firmware to mitigate potential threats, the company is also recommending that users switch from SNMP to NETCONF or RESTCONF for network management.

Cisco Talos, in a coordinated advisory, said the attacks are part of a broader campaign against aging networking appliances and software from a variety of vendors to "advance espionage objectives or pre-position for future destructive activity."

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

This includes the installation of malicious software into an infrastructure device, attempts to surveil network traffic, and attacks mounted by "adversaries with preexisting access to internal environments targeting TACACS+/RADIUS servers to obtain credentials."

The alert comes months after the U.S. government sounded the alarm about China-based state-sponsored cyber actors leveraging network vulnerabilities to exploit public and private sector organizations since at least 2020.

Then earlier this year, Google-owned Mandiant highlighted efforts undertaken by Chinese state-sponsored threat actors to deploy bespoke malware on vulnerable Fortinet and SonicWall devices.

"Advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support \[endpoint detection and response\] solutions," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage

Out of bounds memory access in Service Worker API in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2134

CVE-2023-2133

Use after free in DevTools in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who convinced a user to enable specific preconditions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-2135

Heap buffer overflow in sqlite in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-2137

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

**Chrome Releases**

Release updates from the Chrome team

CVE-2023-2136: Stable Channel Update for Desktop

By Deeba Ahmed
The malware was identified by cybersecurity researchers at McAfee.
This is a post from HackRead.com Read the original post: Goldoson Android Malware Found in 60 Apps with 100M Downloads

****Goldson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices.****

McAfee’s Mobile Research Team researchers discovered at least 60 malicious apps on Google Play Store infected with Android malware Goldoson. Collectively, these apps account for around 100 million installs on the Play Store and 8 million installs on the South Korean ONE Store. South Korean users are most vulnerable to downloading these apps.

**Goldoson Infiltrates Legit Apps on Play Store**

Researchers found that Goldoson Android malware has infiltrated the official Google Play Store via 60 legitimate apps. The malware component is based on a third-party library that all sixty apps use. Researchers assume that the developers mistakenly added it to the apps.

**Which Apps Are Infected with Goldoson?**

Some of the infected apps include the following:

Pikicast
GOM Player
LIVE Score
Infinite Slice
Real-Time Score
L.POINT with L.PAY
Swipe Brick Breaker
Bounce Brick Breaker
LOTTE WORLD Magicpass
Compass 9: Smart Compass
Korea Subway Info: Metroid
SomNote - Beautiful note app
GOM Audio - Music, Sync lyrics
Money Manager Expense & Budget

**How Does The Device Gets Infected?**

The Goldoson Android malware is designed to perform malicious actions on devices that download one of the 60 infected apps. Once the app is downloaded and launched, the malware library registers the app and receives its configuration from a remote server with an obfuscated domain.

This configuration sets the functions that the malware will run on the device, including ad-clicking and data-gathering features. The data collection function is activated every two days, and the collected data, along with the MAC address of connected Bluetooth and Wi-Fi devices, is transferred to a C2 server.

The ad-clicking feature is launched by loading and injecting HTML code into a hidden, customized WebView. This feature generates revenue through multiple URL visits. Overall, the Goldoson malware has been found in 60 different apps and has impacted a large number of downloads.

**What is Goldoson Malware Capable of?**

Goldson malware can collect data from apps installed on the device, as well as from Bluetooth- and Wi-Fi-connected devices. In addition, it can track users’ location and carry out ad fraud by clicking on ads in the background without alerting the user. Data collection relies on permissions given to an infected app when being installed. 

In a blog post, McAfee researchers stated that although Android 11 and above versions are generally considered safe against data theft due to their superior security protections, in 10% of the infected apps, Goldoson could collect sensitive data from devices running these versions.

McAfee responsibly alerted Google and the app developers, who promptly removed the malicious library from the apps. Apps in which they couldn’t remove the library were taken off the Play Store.

It is worth noting that malicious versions of these apps will still be available on third-party Android app stores even though on Play Store these apps will become safe with an update. Therefore, uninstall the app, and reinstall it from Play Store to be safe.

1.  Russian Android Spyware Tracks GPS Location
2.  Play Store Apps Drop Android Malware to Millions
3.  BRATA malware steals funds, factory resets phones

Goldoson Android Malware Found in 60 Apps with 100M Downloads

The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.

Using Telegram as its command-and-control (C2) mechanism, a new strain of malware, a bot dubbed Zaraza, is capable of extracting login credentials from a victim's open browser and saving them to a file, as well as taking screenshots of open windows to be saved in a JPG file.

First identified by the Uptycs threat research team, the new bot is capable of stealing credentials from 38 Web browsers, including Google Chrome, Microsoft Edge, and Opera, among others. Once it successfully infects a victim's computer, it sends the information to a Telegram server, where it becomes accessible to potential threat actors. It's believed that the Zaraza bot is linked to Russian hackers, evidenced by the use of the name "Zaraza" which means "infection" in Russian, the researchers said in their report outlining the malware.

The type of login credentials that it steals range from bank accounts to email accounts to online wallets, as well as other sensitive and valuable website targets. This information can provide attackers with the opportunity to commit severe crimes such as identity theft and financial fraud, as well as grant access to personal identifiable information (PII) and, especially in the era of remote work, business accounts. This variant of malware and what it allows attackers to do potentially opens the floodgates to financial loss and "reputational damage," according to the analysis.

"To protect yourself against this malware," the Uptycs researchers wrote, "you should update your passwords regularly, follow online security best practices such as using strong passwords and multi-factor authentication, and ensure regular software and security system updates."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#google