A proposed plan to charge users for the platform's coveted blue check mark has, unsurprisingly, inspired attackers to try to dupe people into giving up their credentials.

One of Elon Musk's proposed first moves after his Twitter takeover seems to have backfired, at least from a security perspective. A teaser by the platform proposing to charge users a monthly fee to have verified accounts confirming them as a public persona or entity — and thus earn the distinction of a coveted blue check mark by their account name — has spawned a phishing campaign aiming to take advantage of the controversy surrounding the move.  

A number of Twitter users claim to have received phishing emails that use the lure of losing their verified status to try to fool them into supplying their credentials. The scam works via a Google doc made to look like a Twitter help page, according to users.

Several of those who were targeted (natch) took to Twitter to warn others about it on Monday, including two reporters: Zach Whittaker, security editor for TechCrunch, and Kevin Collier from NBC News.

"Twitter's ongoing verification chaos is now a cybersecurity problem," Whittaker tweeted, subsequently posting a report on TechCrunch about the scam. "It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials."

Collier reported that the email he received "apparently slipped right by Outlook's robust protections," though he himself was not fooled. "Didn't get me but I bet this gets somebody," Collier wrote in the post.

The email, according to screenshots both Whittaker and Collier posted, is sent from a Gmail account, twittercontactcenter\[at\]gmail.com, which Collier said is a "dead giveaway" that it's bogus. It warns the targeted user that "the verification badge will be $19.99 per month for some users after November 2, 2022," and that Twitter currently is unable to verify some "famous or well-known people."

The email goes on to inform targets that they need to provide a confirmation of who they are to receive the verification badge "for free," and provides a button to "Provide Information" and a link to the "Help Center" to find out about updated rules for the verification program.

Clicking on the button leads to a Google Doc with another link to a Google site that lets users host web content, according to Whittaker's report. The phishing page itself is designed to look like Twitter's help page and contains an embedded frame from another site, which is hosted by Beget, a Russian web hosting provider, according to the report.

The page asks users to provide their Twitter username, password, and phone number, which could allow an attacker to break into an account without two-factor authentication enabled.

To mitigate damage from the campaign, Google took swift action to take down the phishing site a short time after TechCrunch alerted the company, Whittaker wrote.

**Capitalizing on Controversy**

Security professionals noted that it's not surprising that a threat actor has taken advantage of the commotion currently surrounding Twitter. Leveraging a controversial situation that elicits an emotional response not only spells a cybercriminal opportunity, but also boosts the chance of a phishing campaign's success, Patrick Harr, CEO at SlashNext, an anti-phishing company, wrote in an email to Dark Reading.

"These types of social-engineering phishing attempts are very effective because they play on emotion and instigated immediate action," he said. "Before the victim has time to think if this is phishing, they quickly jump to action."

The obfuscation tactics used in the campaign also make it easier to hide from threat-detection engines because they likely won't flag Google Docs, a trusted service — which, at least in Collier's case, was exactly what happened, security professionals noted.

Indeed, the campaign and its ability to bypass email scanners stresses why it's important for people to remain vigilant when receiving emails from unknown sources, and protect all of their accounts with multifactor authentication (MFA) and other security buffers, observed Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM).

"Make sure you always use MFA, a password manager that creates strong unique passwords for every account, and never give over personal information or credentials details on websites without first verifying authenticity," he advised in an email to Dark Reading.

**Twitter Exodus?**

For his part, Musk in a tweet on Tuesday seemed to corroborate that implementing the controversial verification fee would be a first order of business — the news of which first surfaced in a report on The Verge Monday.

However, after some verified account holders claimed they would leave rather than pay the reported fee of $20 a month for their blue check mark — including high-profile users such as author Stephen King — Musk suggested lowering the price.

"Twitter's current lords & peasants system for who has or doesn't have a blue check mark is bull\*\*\*\*," he tweeted. "Power to the people! Blue for $8/month."

Musk's mere purchase of Twitter in a $44 billion deal — after a highly publicized, months-long back-and-forth between the company and the multibillionaire founder of Tesla — has already drawn the derision of celebrity users of the platform, some of whom already told followers they were closing their accounts.

The verification debacle occurring now is just fuel for the fire, adding to a growing controversy that is likely music to the ears of threat actors, who thrive on social, political, and economic conflict as an opportunity to commit cybercrime, security professionals observed.

"Cybercriminals have long exploited volatile situations for their own gain, especially newsworthy, current events," noted Darren Guccione, CEO and co-founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. "The recent acquisition and upheaval at Twitter is the latest example."

Musk's Twitter-Verification Payment Tease Spurs Cyberattackers

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.
According to Malwarebytes, the websites are designed to generate

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.

The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.

According to Malwarebytes, the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware.

The list of apps is as follows -

*   Bluetooth App Sender (com.bluetooth.share.app) - 50,000+ downloads
*   Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) - 1,000,000+ downloads
*   Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) - 10,000+ downloads
*   Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) - 1,000+ downloads

It's no surprise that malicious apps have devised new ways to get past Google Play Store security protections. One of the more popular tactics adopted by threat actors is to introduce time-based delays to conceal their malicious behavior.

Malwarebytes' analysis found the apps to have an approximately four-day waiting period before opening the first phishing site in Chrome browser, and then proceed to launch more tabs every two hours.

The apps are part of a broader malware operation called HiddenAds, which has been active since at least June 2019 and has a track record of illicitly earning revenues by redirecting users to advertisements.

The findings also come as researchers from Guardio Labs disclosed details of a malvertising campaign dubbed Dormant Colors that leverages rogue Google Chrome and Microsoft Edge extensions to hijack user search queries to an actor-controlled domain.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites

Underwater cables keep the internet online. When they congregate in one place, things get tricky.

The Asia-Africa-Europe-1 internet cable travels 15,500 miles along the seafloor, connecting Hong Kong to Marseille, France. As it snakes through the South China Sea and toward Europe, the cable helps provide internet connections to more than a dozen countries, from India to Greece. When the cable was cut on June 7, millions of people were plunged offline and faced temporary internet blackouts.

The cable, also known as AAE-1, was severed where it briefly passes across land through Egypt. One other cable was also damaged in the incident, with the cause of the damage unknown. However, the impact was immediate. “It affected about seven countries and a number of over-the-top services,” says Rosalind Thomas, the managing director of SAEx International Management, which plans to create a new undersea cable connecting Africa, Asia, and the US. “The worst was Ethiopia, that lost 90 percent of its connectivity, and Somalia thereafter also 85 percent.” Cloud services belonging to Google, Amazon, and Microsoft were all also disrupted, subsequent analysis revealed.

While connectivity was restored in a few hours, the disruption highlights the fragility of the world’s 550-plus subsea internet cables, plus the outsized role Egypt and the nearby Red Sea have in the internet’s infrastructure. The global network of underwater cables forms a large part of the internet’s backbone, carrying the majority of data around the world and eventually linking up to the networks that power cell towers and Wi-Fi connections. Subsea cables connect New York to London and Australia to Los Angeles.

Sixteen of these submarine cables—which are often no thicker than a hosepipe and are vulnerable to damage from ships’ anchors and earthquakes—pass 1,200 miles through the Red Sea before they hop over land in Egypt and get to the Mediterranean Sea, connecting Europe to Asia. The last two decades have seen the route emerge as one of the world’s largest internet chokepoints and, arguably, the internet’s most vulnerable place on Earth. (The region, which also includes the Suez Canal, is also a global choke point for shipping and the movement of goods. Chaos ensued when the container ship _Ever Given_ got wedged in the canal in 2021.)

“Where there are chokepoints, there are single points of failure,” Nicole Starosielski, an associate professor of media, culture, and communication at New York University and an author on submarine cables. “Because it's a site of intense concentration of global movement, that does make it more vulnerable than many places around the world.”

The area has also recently gained attention from the European Parliament, which in a June report highlighted it as a risk for widespread internet disruption. “The most vital bottleneck for the EU concerns the passage between the Indian Ocean and the Mediterranean via the Red Sea because the core connectivity to Asia runs via this route,” the report says, flagging extremism and maritime terrorism are risks in the area.

Pyramid Scheme

Look at Egypt on a map of the world’s subsea internet cables and it immediately becomes clear why internet experts have been concerned about the area for years. The 16 cables in the area are concentrated through the Red Sea and touch land in Egypt, where they make a 100-mile journey across the country to reach the Mediterranean Sea. (Cable maps don’t show the exact locations of cables.)

It has been estimated that around 17 percent of the world’s internet traffic travels along these cables and passes through Egypt. Alan Mauldin, the research director of telecoms market research firm TeleGeography, says last year the region had 178 terabits of capacity, or 178,000,000 Mbps—the US has median home internet speeds of 167 Mbps.

The Most Vulnerable Place on the Internet

Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3723

Use after free in Feedback service on Chrome OS in Google Chrome on Chrome OS prior to 107.0.5304.62 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chrome security severity: Medium)

CVE-2022-3658

Inappropriate implementation in Full screen mode in Google Chrome on Android prior to 107.0.5304.62 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chrome security severity: Medium)

CVE-2022-3660

Use after free in Layout in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3654

Type confusion in V8 in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3652: Stable Channel Update for Desktop

Organizations should update to the latest encryption (version 3.0.7) as soon as possible, but there's no need for Heartbleed-like panic, security experts say.

Security experts described two highly anticipated vulnerabilities that the OpenSSL Project team patched Tuesday as issues that need to be addressed quickly, but not necessarily meriting a drop-everything-else type of emergency response.

The release of version 3.0.7 of the almost ubiquitously used cryptographic library addresses two buffer overflow vulnerabilities, which exist in OpenSSL versions 3.0.0 to 3.0.6.

Leading up to the disclosure, security experts had warned that one of the issues, originally characterized as a "critical" remote code-execution issue, could present a Heartbleed-level, all-hands-on-deck problem. Thankfully, that doesn't seem to be the case — and in disclosing the flaw, the OpenSSL project team said it had decided to downgrade the threat to "high" based on feedback from organizations that had tested and analyzed the bug.

**A Pair of Buffer Overflows**

The first bug (CVE-2022-3602) could indeed — under a specific set of circumstances — enable RCE, which originally led some security experts to worry that the flaw could have industry-wide repercussions. But it turns out that there are mitigating circumstances: For one, it's difficult to exploit, as explained below. Also, not all systems are impacted.

Specifically, only browsers that support OpenSSL 3.0.0 through 3.0.6, such as Firefox and Internet Explorer, are impacted at this time, according to Mark Ellzey, senior security researcher at Censys; notably unaffected is Google Chrome, which is the leading Internet browser.

"The impact is expected to be minimal due to the complexity of the attack and the limitations in how it can be carried out," he says. "Organizations should brush up on their phishing training and keep an eye on threat intelligence sources to ensure they are prepared if they are targeted by an attack such as this."

To boot, Alex Ilgayev, lead security researcher at Cycode, noted that the flaw can't be exploited on certain Linux distributions; and, many modern OS platforms implement stack overflow protections to mitigate against threats like these in any event, Ilgayev says.

The second vulnerability (CVE-2022-3786), which was uncovered while a fix for the original flaw was being developed, could be used to trigger denial of service (DoS) conditions. The OpenSSL team assessed the vulnerability as being of high severity but ruled out the possibility of it being used for RCE exploitation.

Both vulnerabilities are tied to a functionality called Punycode for encoding internationalized domain names.

"Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible," the OpenSSL team said in a blog accompanying the bug disclosure and release of the new version of the cryptographic library. "If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible."

**Not Another Heartbleed**

The bug disclosure is sure to tamp down — for the moment, at least — the widespread concern sparked by the OpenSSL team's notification last week of its then-impending bug disclosure. The description of the first flaw as being "critical," in particular, had prompted several comparisons to 2014's "Heartbleed" bug — the only other bug in OpenSSL to earn a critical rating. That bug (CVE-2014-0160) impacted a wide swathe of the Internet and even now has not be fully addressed at many organizations.

"Heartbleed was exposed by default on any software that used a vulnerable version of OpenSSL, and it was very easily exploitable by attackers to see cryptographic keys and passwords stored in server memory," says Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center. "The two vulnerabilities just reported in OpenSSL are serious but not of the same magnitude."

**OpenSSL Bugs Are Hard to Exploit...**

To exploit either of the new flaws, vulnerable servers would need to request client certificate authentication, which is not the norm, Knudsen says. And vulnerable clients would need to connect to a malicious server, which is a commonplace and defensible attack vector, he says.

"Nobody's hair should be on fire about these two vulnerabilities, but they are serious and should be handled with appropriate speed and diligence," he notes.

In a blog post, the SANS Internet Storm Center meanwhile described the OpenSSL update as fixing a buffer overrun during the certificate verification process. For an exploit to work, the certificate would need to contain a malicious Punycode-encoded name, and the vulnerability would be triggered only after the certificate chain is verified.

"An attacker first needs to be able to have a malicious certificate signed by a certificate authority the client trusts," SANS ISC noted. "This does not appear to be exploitable against servers. For servers, this may be exploitable if the server requests a certificate from the client."

Bottom line: The likelihood of exploitation is low since the vulnerability is complex to exploit, as is the flow and requirements to trigger it, Cycode's Ilgayev says. Plus, it affects a relatively small number of systems, compared to those using pre-3.0 versions of OpenSSL.

**...But Do Be Diligent**

At the same time, it is important to keep in mind that hard-to-exploit vulnerabilities have been exploited in the past, Ilgayev says, pointing to a zero-click exploit that the NSO Group developed for a vulnerability in iOS last year.

"\[Also\], like the OpenSSL team says, there is 'no way of knowing how every platform and compiler combination has arranged the buffers on the stack,' and therefore remote code execution may still be possible on some platforms," he cautions.

And indeed, Ellzey outlines one scenario for how attackers could exploit CVE-2022-3602, the flaw that OpenSSL team had originally assessed as critical.

"An attacker would host a malicious server and attempt to get victims to authenticate to it with an application vulnerable to OpenSSL v3.x, potentially through traditional phishing tactics," he says, although the scope is limited due to the exploit being predominantly client-side.

Vulnerabilities such as this highlight the importance of having a software bill of materials (SBOM) for every binary used, Ilgayev notes. "Looking at package managers is not enough as this library could be linked and compiled in various configurations that will affect the exploitability," he says.

The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Tag

#google