An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.

From: Hyunwoo Kim <imv4bel@gmail.com>
To: eli.billauer@gmail.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org
Subject: \[PATCH\] char: xillybus: Fix use-after-free in xillyusb\_open()
Date: Sat, 22 Oct 2022 10:54:04 -0700	\[thread overview\]
Message-ID: <20221022175404.GA375335@ubuntu> (raw)

A race condition may occur if the user physically removes
the USB device while calling open() for this device node.

This is a race condition between the xillyusb\_open() function and
the xillyusb\_disconnect() function, which may eventually result in UAF.

So, add a mutex to the xillyusb\_open() and xillyusb\_disconnect()
functions to avoid race contidion.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
 drivers/char/xillybus/xillyusb.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/char/xillybus/xillyusb.c b/drivers/char/xillybus/xillyusb.c
index 39bcbfd908b4..d615f74dcf36 100644
--- a/drivers/char/xillybus/xillyusb.c
+++ b/drivers/char/xillybus/xillyusb.c
@@ -63,6 +63,7 @@ static const struct usb\_device\_id xillyusb\_table\[\] = {
 };
 
 MODULE\_DEVICE\_TABLE(usb, xillyusb\_table);
+static DEFINE\_MUTEX(disconnect\_mutex);
 
 struct xillyusb\_dev;
 
@@ -1237,9 +1238,13 @@ static int xillyusb\_open(struct inode \*inode, struct file \*filp)
 	int rc;
 	int index;
 
+	mutex\_lock(&disconnect\_mutex);
+
 	rc = xillybus\_find\_inode(inode, (void \*\*)&xdev, &index);
\-	if (rc)
+	if (rc) {
+		mutex\_unlock(&disconnect\_mutex);
 		return rc;
+	}
 
 	chan = &xdev->channels\[index\];
 	filp->private\_data = chan;
@@ -1379,6 +1384,8 @@ static int xillyusb\_open(struct inode \*inode, struct file \*filp)
 			request\_read\_anything(chan, OPCODE\_SET\_PUSH);
 	}
 
+	mutex\_unlock(&disconnect\_mutex);
+
 	return 0;
 
 unfifo:
@@ -1410,10 +1417,14 @@ static int xillyusb\_open(struct inode \*inode, struct file \*filp)
 
 	kref\_put(&xdev->kref, cleanup\_dev);
 
+	mutex\_unlock(&disconnect\_mutex);
+
 	return rc;
 
 unmutex\_fail:
 	mutex\_unlock(&chan->lock);
+	mutex\_unlock(&disconnect\_mutex);
+
 	return rc;
 }
 
@@ -1698,6 +1709,8 @@ static int xillyusb\_release(struct inode \*inode, struct file \*filp)
 	struct xillyusb\_dev \*xdev = chan->xdev;
 	int rc\_read = 0, rc\_write = 0;
 
+	mutex\_lock(&disconnect\_mutex);
+
 	if (filp->f\_mode & FMODE\_READ) {
 		struct xillyfifo \*in\_fifo = chan->in\_fifo;
 
@@ -1760,6 +1773,8 @@ static int xillyusb\_release(struct inode \*inode, struct file \*filp)
 
 	kref\_put(&xdev->kref, cleanup\_dev);
 
+	mutex\_unlock(&disconnect\_mutex);
+
 	return rc\_read ? rc\_read : rc\_write;
 }
 
@@ -2172,6 +2187,8 @@ static void xillyusb\_disconnect(struct usb\_interface \*interface)
 	int rc;
 	int i;
 
+	mutex\_lock(&disconnect\_mutex);
+
 	xillybus\_cleanup\_chrdev(xdev, &interface->dev);
 
 	/\*
@@ -2228,6 +2245,8 @@ static void xillyusb\_disconnect(struct usb\_interface \*interface)
 	xdev->dev = NULL;
 
 	kref\_put(&xdev->kref, cleanup\_dev);
+
+	mutex\_unlock(&disconnect\_mutex);
 }
 
 static struct usb\_driver xillyusb\_driver = {
-- 
2.25.1


Dear,


This race condition can occur in the flow of:
\`\`\`
                cpu0                                                cpu1
       1. xillyusb\_open()
          xillybus\_find\_inode()
          mutex\_lock(&unit\_mutex);
          unit = iter;
          mutex\_unlock(&unit\_mutex);
                                                             2. xillyusb\_disconnect()
                                                                xillybus\_cleanup\_chrdev()
                                                                mutex\_lock(&unit\_mutex);
                                                                kfree(unit);
                                                                mutex\_unlock(&unit\_mutex);
       3. \*private\_data = unit->private\_data;   // UAF

\`\`\`

Because the interval between 1 and 3 in xillyusb\_open() is very short, this race condition is usually rare.

However, if someone wants to trigger this UAF, they can use the technique presented in this paper:
https://www.usenix.org/system/files/sec21-lee-yoochan.pdf

This is a method to increase the execution time between No. 1 and No. 3 using the Reschedule IPI.
This means you will be able to trigger the UAF much more reliably.

Here is the KASAN log:
\`\`\`
\[   66.645661\] ==================================================================
\[   66.645678\] BUG: KASAN: use-after-free in xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645712\] Read of size 8 at addr ffff88811eb45f90 by task xillyusb\_test/2143

\[   66.645735\] CPU: 2 PID: 2143 Comm: xillyusb\_test Not tainted 6.1.0-rc1+ #10
\[   66.645752\] Hardware name: Gigabyte Technology Co., Ltd. B460MDS3H/B460M DS3H, BIOS F3 05/27/2020
\[   66.645762\] Call Trace:
\[   66.645772\]  <TASK>
\[   66.645783\]  dump\_stack\_lvl+0x49/0x63
\[   66.645808\]  print\_report+0x177/0x46e
\[   66.645828\]  ? kasan\_complete\_mode\_report\_info+0x7c/0x210
\[   66.645846\]  ? xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645871\]  kasan\_report+0xb0/0x140
\[   66.645891\]  ? xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645917\]  \_\_asan\_report\_load8\_noabort+0x14/0x20
\[   66.645932\]  xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645960\]  xillyusb\_open+0xa6/0x1030 \[xillyusb\]
\[   66.645990\]  ? endpoint\_alloc+0x6d0/0x6d0 \[xillyusb\]
\[   66.646014\]  ? \_\_kasan\_check\_write+0x14/0x20
\[   66.646028\]  ? \_raw\_spin\_lock+0x88/0xe0
\[   66.646044\]  ? try\_module\_get.part.0+0xb8/0x1a0
\[   66.646062\]  chrdev\_open+0x230/0x6d0
\[   66.646082\]  ? cdev\_device\_add+0x1f0/0x1f0
\[   66.646099\]  ? fsnotify\_perm.part.0+0x1d9/0x4e0
\[   66.646118\]  do\_dentry\_open+0x449/0x1000
\[   66.646132\]  ? inode\_permission+0x125/0x560
\[   66.646148\]  ? cdev\_device\_add+0x1f0/0x1f0
\[   66.646167\]  vfs\_open+0x9f/0xd0
\[   66.646181\]  path\_openat+0xd58/0x3eb0
\[   66.646199\]  ? kasan\_save\_alloc\_info+0x1e/0x30
\[   66.646212\]  ? \_\_kasan\_slab\_alloc+0x90/0xa0
\[   66.646229\]  ? kmem\_cache\_alloc+0x1f6/0x310
\[   66.646244\]  ? getname\_flags.part.0+0x52/0x490
\[   66.646260\]  ? getname+0x7a/0xb0
\[   66.646275\]  ? \_\_x64\_sys\_openat+0x128/0x210
\[   66.646288\]  ? do\_syscall\_64+0x59/0x90
\[   66.646306\]  ? path\_lookupat+0x660/0x660
\[   66.646328\]  do\_filp\_open+0x1b1/0x3e0
\[   66.646344\]  ? debug\_smp\_processor\_id+0x17/0x20
\[   66.646363\]  ? may\_open\_dev+0xd0/0xd0
\[   66.646378\]  ? getname\_flags.part.0+0x52/0x490
\[   66.646399\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[   66.646422\]  do\_sys\_openat2+0x132/0x450
\[   66.646435\]  ? recalc\_sigpending+0x144/0x1c0
\[   66.646450\]  ? build\_open\_flags+0x450/0x450
\[   66.646465\]  ? sigprocmask+0x201/0x360
\[   66.646478\]  ? \_\_ia32\_sys\_ssetmask+0x1d0/0x1d0
\[   66.646495\]  \_\_x64\_sys\_openat+0x128/0x210
\[   66.646509\]  ? \_\_ia32\_compat\_sys\_open+0x1b0/0x1b0
\[   66.646526\]  ? debug\_smp\_processor\_id+0x17/0x20
\[   66.646545\]  do\_syscall\_64+0x59/0x90
\[   66.646560\]  ? syscall\_exit\_to\_user\_mode+0x26/0x50
\[   66.646578\]  ? do\_syscall\_64+0x69/0x90
\[   66.646593\]  ? debug\_smp\_processor\_id+0x17/0x20
\[   66.646610\]  ? fpregs\_assert\_state\_consistent+0x52/0xc0
\[   66.646630\]  ? exit\_to\_user\_mode\_prepare+0x49/0x1a0
\[   66.646644\]  ? syscall\_exit\_to\_user\_mode+0x26/0x50
\[   66.646662\]  ? do\_syscall\_64+0x69/0x90
\[   66.646675\]  ? exit\_to\_user\_mode\_prepare+0x16a/0x1a0
\[   66.646689\]  ? syscall\_exit\_to\_user\_mode+0x26/0x50
\[   66.646706\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
\[   66.646722\] RIP: 0033:0x4534e4
\[   66.646736\] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 d6 ab 02 00 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 18 ac 02 00 8b 44
\[   66.646751\] RSP: 002b:00007f8130000140 EFLAGS: 00000293 ORIG\_RAX: 0000000000000101
\[   66.646771\] RAX: ffffffffffffffda RBX: 00007f8130000640 RCX: 00000000004534e4
\[   66.646784\] RDX: 0000000000000000 RSI: 00000000004b1008 RDI: 00000000ffffff9c
\[   66.646795\] RBP: 00000000004b1008 R08: 0000000000000000 R09: 00007ffc22c66baf
\[   66.646806\] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
\[   66.646817\] R13: 0000000000000000 R14: 000000000041b2a0 R15: 00007f812f800000
\[   66.646834\]  </TASK>

\[   66.646848\] Allocated by task 2115:
\[   66.646859\]  kasan\_save\_stack+0x26/0x50
\[   66.646875\]  kasan\_set\_track+0x25/0x40
\[   66.646888\]  kasan\_save\_alloc\_info+0x1e/0x30
\[   66.646898\]  \_\_kasan\_kmalloc+0xb4/0xc0
\[   66.646911\]  kmalloc\_trace+0x4a/0xb0
\[   66.646924\]  xillybus\_init\_chrdev+0xf2/0x815 \[xillybus\_class\]
\[   66.646944\]  xillyusb\_probe.cold+0xa61/0xadf \[xillyusb\]
\[   66.646966\]  usb\_probe\_interface+0x266/0x740
\[   66.646981\]  really\_probe+0x1fa/0xa80
\[   66.646993\]  \_\_driver\_probe\_device+0x2cb/0x490
\[   66.647005\]  driver\_probe\_device+0x4e/0x140
\[   66.647017\]  \_\_driver\_attach+0x1a3/0x520
\[   66.647028\]  bus\_for\_each\_dev+0x11e/0x1c0
\[   66.647039\]  driver\_attach+0x3d/0x60
\[   66.647050\]  bus\_add\_driver+0x449/0x5a0
\[   66.647061\]  driver\_register+0x219/0x390
\[   66.647073\]  usb\_register\_driver+0x228/0x400
\[   66.647084\]  0xffffffffc033202d
\[   66.647094\]  do\_one\_initcall+0x97/0x310
\[   66.647109\]  do\_init\_module+0x19a/0x630
\[   66.647120\]  load\_module+0x6ca4/0x7d90
\[   66.647131\]  \_\_do\_sys\_finit\_module+0x134/0x1d0
\[   66.647142\]  \_\_x64\_sys\_finit\_module+0x72/0xb0
\[   66.647153\]  do\_syscall\_64+0x59/0x90
\[   66.647164\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

\[   66.647182\] Freed by task 2089:
\[   66.647191\]  kasan\_save\_stack+0x26/0x50
\[   66.647205\]  kasan\_set\_track+0x25/0x40
\[   66.647218\]  kasan\_save\_free\_info+0x2e/0x50
\[   66.647228\]  \_\_\_\_kasan\_slab\_free+0x174/0x1e0
\[   66.647241\]  \_\_kasan\_slab\_free+0x12/0x20
\[   66.647255\]  slab\_free\_freelist\_hook+0xd0/0x1a0
\[   66.647267\]  \_\_kmem\_cache\_free+0x193/0x2c0
\[   66.647280\]  kfree+0x79/0x120
\[   66.647291\]  xillybus\_cleanup\_chrdev+0x3c1/0x570 \[xillybus\_class\]
\[   66.647311\]  xillyusb\_disconnect+0xfe/0x790 \[xillyusb\]
\[   66.647332\]  usb\_unbind\_interface+0x187/0x7c0
\[   66.647345\]  device\_remove+0x117/0x170
\[   66.647357\]  device\_release\_driver\_internal+0x418/0x660
\[   66.647369\]  device\_release\_driver+0x12/0x20
\[   66.647381\]  bus\_remove\_device+0x28f/0x540
\[   66.647392\]  device\_del+0x501/0xc30
\[   66.647407\]  usb\_disable\_device+0x2a5/0x660
\[   66.647418\]  usb\_disconnect.cold+0x1f9/0x620
\[   66.647431\]  hub\_event+0x16d3/0x3d20
\[   66.647446\]  process\_one\_work+0x778/0x11c0
\[   66.647459\]  worker\_thread+0x544/0x1180
\[   66.647471\]  kthread+0x280/0x320
\[   66.647481\]  ret\_from\_fork+0x1f/0x30

\[   66.647501\] Last potentially related work creation:
\[   66.647510\]  kasan\_save\_stack+0x26/0x50
\[   66.647524\]  \_\_kasan\_record\_aux\_stack+0xb6/0xd0
\[   66.647534\]  kasan\_record\_aux\_stack\_noalloc+0xb/0x20
\[   66.647544\]  kvfree\_call\_rcu+0xaf/0xa50
\[   66.647555\]  memcg\_reparent\_list\_lrus+0x477/0x790
\[   66.647566\]  mem\_cgroup\_css\_offline+0x1ea/0x310
\[   66.647579\]  css\_killed\_work\_fn+0xe4/0x380
\[   66.647590\]  process\_one\_work+0x778/0x11c0
\[   66.647602\]  worker\_thread+0x544/0x1180
\[   66.647614\]  kthread+0x280/0x320
\[   66.647623\]  ret\_from\_fork+0x1f/0x30

\[   66.647642\] The buggy address belongs to the object at ffff88811eb45f80
                which belongs to the cache kmalloc-64 of size 64
\[   66.647656\] The buggy address is located 16 bytes inside of
                64-byte region \[ffff88811eb45f80, ffff88811eb45fc0)

\[   66.647677\] The buggy address belongs to the physical page:
\[   66.647686\] page:000000009bdb1cfb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88811eb45a00 pfn:0x11eb45
\[   66.647701\] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
\[   66.647720\] raw: 0017ffffc0000200 ffffea000481fec8 ffffea0004544b48 ffff888100042640
\[   66.647731\] raw: ffff88811eb45a00 000000000020001e 00000001ffffffff 0000000000000000
\[   66.647738\] page dumped because: kasan: bad access detected

\[   66.647751\] Memory state around the buggy address:
\[   66.647760\]  ffff88811eb45e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
\[   66.647771\]  ffff88811eb45f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
\[   66.647781\] >ffff88811eb45f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
\[   66.647790\]                          ^
\[   66.647800\]  ffff88811eb46000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\[   66.647810\]  ffff88811eb46080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\[   66.647818\] ==================================================================
\[   66.647826\] Disabling lock debugging due to kernel taint
\`\`\`


Regards,
Hyunwoo Kim.

next             reply	other threads:\[~2022-10-22 17:54 UTC|newest\]

**Thread overview:** 4+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2022-10-22 17:54 Hyunwoo Kim \[this message\]**
2022-10-23 14:19 \` \[PATCH\] char: xillybus: Fix use-after-free in xillyusb\_open() Eli Billauer
2022-10-23 14:26   \` Hyunwoo Kim
2022-10-24  7:10     \` Eli Billauer

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221022175404.GA375335@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=arnd@arndb.de \\
    --cc=eli.billauer@gmail.com \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=linux-kernel@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-45888: [PATCH] char: xillybus: Fix use-after-free in xillyusb_open()

'Tis the season for swindlers and hackers. Use these tips to spot frauds and keep your payment info secure.

Black Friday attracts crowds, and crowds attract scammers, and that means you need to take extra care when shopping online over the Black Friday and Cyber Monday weekend. There'll be people out there eager to relieve you of more money than you'll save on a TV set or a gaming console.

The following precautions apply any time of year, but it's worth reminding yourself of them every time a serious holiday season comes around. In the rush to get gifts sorted, it's all too easy to miss a warning sign, or get complacent about online security.

Update All Your Software

Keeping programs and operating systems up to date is important enough that Microsoft, Apple, Google, Mozilla, and all the other big names in tech now make it difficult for anyone to lag behind with their updates—most of the time you'll be prompted regularly to install new versions of your software, and it might even happen automatically in the background without you noticing.

The biggest retail event of the year has grown into an entire month of sales that ebb and flow. Here’s how to make the most of it.

Today's browsers, apps, and OSes are adept at spotting scams as they happen, whether it's phishing emails (designed to lure you to a fake shopping or banking site) or unauthorized logins on your accounts. To make the most of this built-in security, ensure you're running the latest versions across the board, which means the latest security patches—if you've been putting off updates on your phone or your computer, then get them done ahead of Black Friday.

If you do have a laptop that's too old to run the latest versions of Windows or macOS, avoid using it if possible—you'll be safer shopping on your phone, as long as it's running the most recent Android or iOS updates. On Android, you can check for updates via **System** and **System Update** in Settings; on iOS, it's **Settings** and then **General** and **Software Update**.

Be Wary of Email and Social Media Deals

You're likely to be inundated with special offers over email and social media this Black Friday, but be careful when it comes to clicking through on deals that come from suspicious sources (stores you've never shopped at before, for example). Always check that the link you clicked sent you to the website you were expecting to visit.

There's no hard and fast way to guarantee you'll never get caught out by a dodgy link (apart from just ignoring them all completely), but you can minimize the risk: Check that the social media account or email address sending the link is genuine, head to the site in question in a separate browser window to see whether you can find the same offer advertised, and be sure the offer you're looking at is the one that was promoted.

If your browser is up to date, as we mentioned above, dangerous links should be blocked before you reach them, but we'd still recommend being wary. You'll see some great offers advertised over social media and email, but no discount is worth the risk of exposing yourself to scammers.

Make sure all your devices are updated before shopping.

Android via David Nield

Do Your Research

Wherever possible, stick to trusted stores online. All the major players have robust security procedures in place, so the chances of them (and you) getting hacked are smaller. Still, if you're buying from any site, always check you're on the store website you think you are by checking in your browser's address bar.

We're not saying you should never shop at smaller outlets, but make sure they're using HTTPS technology (indicated with a padlock in your browser's address bar). Look for contact details, an office with a physical address, and reviews left by other users (Trustpilot can be helpful here). See if they're on Twitter and Facebook—and whether those accounts are actually active.

Debit and credit card issuers will usually protect you against fraud—check their policies online if you're not sure about yours—but nevertheless, keep an eye on your bank accounts throughout the Black Friday weekend to make sure only the amounts you're expecting to be debited are going out.

Double-Check Deals

Retailers change their prices all the time—especially online—so a "big discount" you see might only apply to whatever the price was last week, not what it's been over the course of the past year. Price trackers such as CamelCamelCamel can help you work out whether you're getting a genuine bargain or just something that was already heavily reduced.

Checking out product reviews on the web is a useful way of determining how current something is and how much you should be spending on it. Are you looking at the genuine article, or just a cheap knock-off? Is the gadget you're about to buy future-proofed with the latest tech or will it be out of date in six months? And (especially on Amazon) is it being sent from your current region or the other side of the world? Who's the actual seller? Make sure you read what previous buyers have to say via the user reviews before spending your money.

Just be aware that stores also use the occasion to try and shift their remaining stock of older, less popular products. Make sure you're looking at what you're buying and not just the price drop.

CamelCamelCamel will show you previous price drops on Amazon.

CamelCamelCamel via David Nield

Protect Your Accounts

As always, keep your accounts locked down and protected on Black Friday. Use strong, unique passwords for all your accounts (a dedicated password manager or your browser's password management system can help here), and turn on two-factor authentication on every account that offers it (Microsoft, Apple, Google, Facebook, and Twitter ones all do, for a start).

While it may seem convenient to quickly set up a new shopping account with your “usual” password, it only takes one account sharing the same password to get exposed, and all the others can come tumbling down after it. If you're using the latest versions of Chrome and Safari, you'll notice you can now use a strong password suggested by your browser (the option should pop up automatically when you're in a password field).

If you're planning on shopping at outlets where you haven't purchased anything before, it's a good idea to get these accounts set up ahead of time—this means you aren't rushing when it comes to thinking up new passwords and entering potentially sensitive information into your web browser.

Guard Your Payment Info

Many places that you're shopping at on Black Friday and Cyber Monday will already have your payment info on file, but if you're entering details into a new site, again make sure the padlock symbol is showing in the address bar—the full URL should also begin “https://”, which indicates that your payment details will be encrypted in transit.

If you’re on vacation or out of town, we recommend waiting until you get back home before buying anything—or at least using the cellular data on your phone to make a connection rather than a public Wi-Fi hotspot, as it's much harder for hackers to intercept your details (or look over your shoulder as you're typing them). If you are shopping in-store, be careful to guard your PIN numbers and other sensitive details when you're surrounded by crowds—or even just one shop assistant.

As tempting as Black Friday offers might be, it's usually a good idea to shop in as few places as possible, if you can: The fewer companies that hold your payment data, the less likely you are to be victim to a data breach, and the risk of those breaches are really down to the company's security policies rather than any precautions you can take.

How to Avoid Black Friday Scams Online

The cyber espionage group known as Bahamut has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information.
The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new

The cyber espionage group known as **Bahamut** has been attributed as behind a highly targeted campaign that infects users of Android devices with malicious apps designed to extract sensitive information.

The activity, which has been active since January 2022, entails distributing rogue VPN apps through a fake SecureVPN website set up for this purpose, Slovak cybersecurity firm ESET said in a new report shared with The Hacker News.

At least eight different variants of the spyware apps have been discovered to date, with them being trojanized versions of legitimate VPN apps like SoftVPN and OpenVPN.

The tampered apps and their updates are pushed to users through the fraudulent website. It's also suspected that the targets are carefully selected, since launching the app requires the victim to enter an activation key to enable the features.

This implies the use of an undetermined distribution vector, although past evidence shows that it could take the form of spear-phishing emails, SMS messages, or direct messages on social media apps.

The activation key mechanism is also designed to communicate with an actor-controlled server, effectively preventing the malware from being accidentally triggered right after launch on a non-targeted user device.

Bahamut was unmasked in 2017 by Bellingcat as a hack-for-hire operation targeting government officials, human rights groups, and other high-profile entities in South Asia and the Middle East with malicious Android and iOS apps to spy on its victims.

"Perhaps the most distinctive aspect of Bahamut's tradecraft that BlackBerry discovered is the group's use of original, painstakingly crafted websites, applications and personas," BlackBerry noted in October 2020.

Earlier this year, Cyble detailed two sets of phishing attacks orchestrated by the group to push counterfeit Android apps masquerading as chat applications.

The latest wave follows a similar trajectory, tricking users into installing seemingly innocuous VPN apps that can exfiltrate a wide swathe of information, including files, contact lists, SMSes, phone call recordings, locations, and messages from WhatsApp, Facebook Messenger, Signal, Viber, Telegram, and WeChat.

"The data exfiltration is done via the keylogging functionality of the malware, which misuses accessibility services," ESET researcher Lukáš Štefanko said.

In a sign that the campaign is well maintained, the threat actor initially packaged the malicious code within the SoftVPN application, before moving to OpenVPN, a shift explained by the fact that the actual SoftVPN app stopped functioning and it was no longer possible to establish a VPN connection.

"The mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android spyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past," Štefanko added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Bahamut Cyber Espionage Hackers Targeting Android Users with Fake VPN Apps

Months after a fix was issued by a vendor, downstream Android device manufacturers still haven't patched, highlighting a troubling trend.

It's called a "patch gap" and describes the time it takes a fix for a known vulnerability to trickle down from software vendor to individual device manufacturers. And the latest casualties are the millions of Pixel, Samsung, Xiaomi, and other Android device brands.  

According to Google's Project Zero, after its team discovered five separate bugs in the ARM Mali GPU driver, ARM  "promptly" issued a patch in July and August. Yet, Project Zero reported that every test device they looked at this week remains vulnerable. 

Until there's a better solution for tightening up the lag between the time a patch is issued and reaches the wider ecosystem, it's up to security teams to remain "vigilant," the Google Project Zero team advised. 

"Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies," the patch gap report explained. "Minimizing the 'patch gap' as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Patch Lag' Leaves Millions of Android Devices Vulnerable

Fueling the trend are the rising adoption of cloud computing solutions, technology advancements, stricter data safety regulations, and the move to digitalization, says Brandessence Market Research.

**LONDON, Nov. 23, 2022 /PRNewswire/** — The Global Penetration Testing Market is poised to reach a valuation of USD 5.28 Billion in 2028 from USD 1.87 Billion in 2021, registering a CAGR of 15.97% over the forecast duration.

Penetration test is referred to as a type of ethical hacking that is deliberately performed on a computer system to assess its security while identifying exploitable vulnerabilities. The testers adopt similar equipment, tool, and tactics used by cyberattacks. This is mainly done to deceive the criminals by distributing decoys and traps in the system that resemble the genuine assets. Organizations that are highly prone to cybercrime adopt this testing method to ensure the overall safety of their computer infrastructure.

The growth occurrences of cyberattacks, rising adoption of cloud computing solutions, along with technology advancements in the field are primarily augmenting the outlook of this business vertical. Further, the booming IT industry, stringent data safety regulations, and rapidly evolving technological infrastructure across various regions are creating lucrative opportunities for this marketplace to prosper.

Also, rising R&D activities in the field, surging digitalization trends across various industry verticals, coupled with increasing number of data centres worldwide, are adding traction to the development of Global Penetration Testing Market. Moreover, escalating demand for high-speed internet connection, rising popularity of remote working, and increasing incidences of cyberattack sophistication are stimulating the overall dynamics for this industry vertical. On the flip side, high costs pertaining to penetration tests and dearth of skilled professionals in the field are hindering the remuneration scope of this business sphere.

**Get Sample of \[email protected\] https://brandessenceresearch.com/downloadSample/PostId/2143**

**Competitive Hierarchy**

The prominent players characterizing the competitive Terrain of Global Penetration Testing Market are:

*   Checkmarx
*   Coalfire Systems
*   Core Security Technologies
*   FireEye
*   HackerOne Inc.
*   ImmuniWeb SA
*   Indium Software
*   International Business Machines Corporation
*   Netragard LLC
*   Netsparker Ltd
*   OffSec Services Limited
*   Micro Focus International plc
*   Acunetix
*   Others.

These companies are trying to enhance their position in the global market. They are adopting various strategies, including mergers & acquisitions, product launches, R&D investments, partnerships, and collaborations, among others to stay ahead of the curve.

**Global Penetration Testing Market Segmentation:**

**By Type:**

*   Wireless Network Penetration Testing Services
*   Network Penetration Testing
*   Web Application Penetration Testing
*   Social Engineering Penetration Testing
*   Mobile Application Penetration Testing
*   Others

**By Deployment:**

*   Cloud
*   On-premises

**By End-User:**

*   Healthcare
*   Government & Defense
*   Retail
*   BFSI
*   IT & Telecom
*   Others

**Category-Wise Outlook**

**Which is the leading deployment mode segment in this business sphere?**

The on-premises segment presently dominates the market in terms of volume share since it provides high control and flexibility to end-use enterprises which reducing the risks of data losses.

**Which end-user segment is poised to amass notable gains over the estimated timeline?**

The healthcare segment is anticipated to generate significant returns over the estimated timeline. This is credited to the rising adoption of EHR and telehealth solutions, which in turn increases the susceptibility of healthcare organizations to various forms of cybercrimes.

**Get Methodology @** **https://brandessenceresearch.com/requestMethodology/PostId/2143**

**Comparing the historical outlook and ongoing trends of this market**

This industry has been generating significant returns due to the presence of various expansion propellants across the globe.

There has been rising occurrence of cyberattacks across various industry verticals worldwide. In fact, the crime dwellers have begun adopting advanced technologies such as AI, analytics, and ML to sophisticate cyber-attacks. Such attacks tend to go unnoticed or undetected since most of the organizations lack preparedness and high-end tools. Many enterprises incur massive financial losses due to such attacks which in turn also affects their reputation in the market. This has increased the demand for effective tools and tactics to minimize the risk of sophisticated cybercrimes across numerous organizations.

The rising digitalization trend across a wide range of industries has resulted in the rising data privacy concerns. Due to widespread internet proliferation and growing adoption of smart devices, sectors such as healthcare, education, and retail, among others are trying to streamline their operations with an aim to reduce their overall expenses while leaving no room for human errors. But this has provided hackers with profitable opportunities since they can easily crack into the system of these organizations and procure confidential data. After getting their hands on these valuable assets, cybercriminals sell them on the dark web and earn massive profits. Therefore, many of these organizations have strengthened their cybersecurity entities which in turn is increasing the deployment of penetration testing solutions.

The onset of the COVID-19 pandemic is adding momentum to the progression of Global Penetration Testing market. Stringent lockdowns completely restricted the mobility of the masses and led to the temporary closure of commercial complexes. This pushed organizations to shift to a virtual mode of operations, thereby popularizing remote working trends. Unfortunately, this resulted in the surging occurrence of cyberattacks which in turn necessitated the deployment of effective tactics and tools to ensure user data safety and privacy during online communications, data transfer, and other activities.

**Region-Wise Insights**

**Which is the fastest growing region in this industry vertical?**

North America has emerged as one of the most rapidly growing regions in this marketplace owing to rapid internet proliferation, growing adoption of smart devices, and rising disposable income of the masses.

**How is Asia-Pacific faring in the marketplace?**

Asia Pacific is reckoned to capture a substantial revenue share over the forecast timeframe due to the rising occurrence of cyberattacks, the booming IT sector, and technological innovations in the field.

**Major Developments**

In June 2022, Synopsys announced the acquisition of Whitehat Security to strengthen its overall portfolio in this vertical.

**On Special Requirement,** **Penetration Testing Market Report is also available for regions listed below:**

**North America**

*   U.S, Canada

**Europe**

*   Germany, France, U.K., Italy, Spain, Sweden, Netherland, Turkey, Switzerland, Belgium, Rest of Europe

**Asia-Pacific**

*   South Korea, Japan, China, India, Australia, Philippines, Singapore, Malaysia, Thailand, Indonesia, Rest Of APAC

**Latin America**

*   Mexico, Colombia, Brazil, Argentina, Peru, Rest of Latin America

**Middle East and Africa**

*   Saudi Arabia, UAE, Egypt, South Africa, Rest Of MEA

**Purchase Copy of Report @ https://brandessenceresearch.com/Checkout?report\_id=2143**

**Related Reports:**

*   Security Information and Event Management Market is valued at USD 4.21 Billion in 2021 and is expected to reach USD 6.62 Billion by 2028 with a CAGR of 8.1% over the forecast period.
*   Security Orchestration Automation and Response (SOAR) Market is valued at USD 1.16 Billion in 2021 and is expected to reach USD 3.19 Billion by 2028 with a CAGR of 15.58% over the forecast period.
*   Application Security Market is valued at USD 7041.2 Million in 2021 and is expected to reach USD 20880.7 Million by 2028 with a CAGR of 16.8% over the forecast period.
*   Security and Vulnerability Management Market are valued at USD 11.26 Billion in 2021 and expected to reach USD 21.38 Billion by 2028 with a CAGR of 9.6% over the forecast period.
*   Chemical Sensor Market is valued at USD 25.46 Billion in 2021 and is expected to reach USD 42.23 Billion by 2028 with a CAGR of 7.5% over the forecast period.
*   Image Sensor Market is valued at USD 20.62 Billion in 2021 and is expected to reach USD 36.78 Billion by 2028 with a CAGR of 8.62% over the forecast period.
*   Ultrasonic Sensors Market is valued at USD 6.29 Billion in 2021 and expected to reach USD 13.74 Billion by 2028 with a CAGR of 11.8% over the forecast period.
*   Smart Sensors Market is valued at USD 42.74 Billion in 2021 and expected to reach USD 145.30 Billion by 2028 with the CAGR of 19.1% over the forecast period.
*   CMOS Image Sensor Market is valued at USD 16.82 Billion in 2021 and is expected to reach USD 23.04 Billion by 2028 with a CAGR of 8.65% over the forecast period.

**Brandessence Market Research & Consulting Pvt ltd.**

Brandessence Market Research publishes market research reports & business insights produced by highly qualified and experienced industry analysts. Our research reports are available in a wide range of industry verticals including aviation, food & beverage, healthcare, ICT, Construction, Chemicals, and lot more. Brand Essence Market Research report will be best fit for senior executives, business development managers, marketing managers, consultants, CEOs, CIOs, COOs, and Directors, governments, agencies, organizations, and Ph.D. Students. We have a delivery center in Pune, India, and our sales office is in London.

**Follow Us:** LinkedIn **Blog:** **Top 5 Electric Air Taxi Market**

SOURCE: Brandessence Market Research and Consulting Private Limited

Penetration Testing Market Size Is Projected to Reach $5.28B Globally by 2028

McAfee Total Protection prior to version 16.0.49 contains an uncontrolled search path element vulnerability due to the use of a variable pointing to a subdirectory that may be controllable by an unprivileged user. This may have allowed the unprivileged user to execute arbitrary code with system privileges.

NEW  **Introducing**

****Get savings**  
on protection**

The **Black Friday Sale** is here with all the discounts you expect on all-in-one protection.

Windows® | macOS® | Android™ | iOS® | ChromeOS™️

NEW  **Introducing**

****Personalized** protection**

All-in-one protection for your identity, privacy, and more. Includes antivirus, VPN, and Protection Score.

NEW  **Introducing**

****The ultimate protection** for your privacy**

We help you stay private and secure online with personal data removal from risky sites, $1M identity theft coverage, device protection, and more.

NEW  **Introducing**

****Stop fraud** before it starts**

Credit monitoring offers daily updates to your credit score, including alerts to changes that may signal identity fraud.​

NEW  **Introducing**

****Next-level confidence** for identity, privacy, and device protection​**

Our ultimate identity and privacy protection to confidently live life online, with comprehensive identity monitoring, credit monitoring, credit freeze and lock, up to $1M identity theft coverage, and help to remove your personal info online.

**Live your life online freely and confidently  
with award-winning online protection**

**$1 million in coverage**

Advanced plans include $1,000,000 coverage to cover eligible losses and fees due to identity theft and fraud.‡

**24/7/365 customer support**

Get around the clock assistance from friendly, knowledgable security experts.

**100% guaranteed**

We pledge to remove viruses on your devices or give you your money back, guaranteed.\*\*

****We’ve got your back****

Guided, personalized online protection that makes being safe simple, wherever you are.

**Do what you do online, we’ll protect your privacy**

**New!** Remove your personal info from the riskiest data broker sites that sell it with

Personal Data Cleanup

. We scan **2x data broker sites** compared to similar cybersecurity services. Available with our Premium and higher-tier plans.

Stay private with a **VPN** that turns on automatically for public Wi-Fi, protecting account credentials, search habits, and more.

**Take action to help prevent identity theft**

**New!**

Security Freeze

helps prevent unauthorized access to new or existing credit, bank, and utility accounts in your name. Available in Advanced plans.​

We help you monitor your email addresses, SSN, bank account and credit card numbers and more. If we detect a change, we'll alert you an average of **10 months sooner** than the competition.​​​

$1M identity theft coverage & restoration

is available in Advanced plans.​​

Get expanded monitoring with auto-renewal turned on.

**Protection Score keeps you safer**

Protection Score checks the health of your online protection and provides simple instructions to improve your security. Knowing how safe you are is the first step toward a safer life online—what's your Protection Score?

**Protect your computers and smartphones**

Get 24/7 protection with award-winning antivirus and safe browsing security. Avoid risky websites, and stay safe from phishing, viruses, hackers and ransomware.

Previous Next

**What our customers are saying**

I love the new UI experience, the app really needed the new look. The app **protects my device against viruses and malware really well**

\- Drew M

★ ★ ★ ★ ★

Use it on all my devices, trusted without problems! Also **the ID Protection is amazing...**.get it now.​

\- Joe

★ ★ ★ ★ ★

I feel much more **protected from identity theft, viruses, and malware**

\- M.B.

★ ★ ★ ★ ★

Easy to download and use. **Gives me peace of mind.**

\- Jeanne C

★ ★ ★ ★ ★

**I feel very secure with McAfee Security.** I get notifications of breaches and immediately take action to resolve them.

\- Kelly G

★ ★ ★ ★ ★

I have loved the VPN option and feel safer now when connecting to public wifi.

\- Su L

★ ★ ★ ★ ★

**Keeps me safe all the time,** is there right behind me doing its thing. Always a pleasure. Protects my desktop PC as well for going on 9 years now. No complaints.

\- Anglynn

★ ★ ★ ★ ★

Excellent! I am very happy with the way **McAfee blocks spam constantly** as well as other unwanted visitors.

\- Maxine P

★ ★ ★ ★ ★

Great relief from fear of Hackers. I have great confidence with McAfee products, they provide me **excellent service to all my family devices.** Keep up the good work.

\- Padma M

★ ★ ★ ★ ★

Makes me feel more safe when online. Love the VPN feature. Love the fact that it **keeps me informed about threats,** how to deal with or that they dealt with the problem.

\- Elain W

★ ★ ★ ★ ★

**VPN, Antivirus and safe WiFi all in one App.** Seemless automatic scanning. Has solved problems with Identity theft and unwanted spam. Great Safe Browsing feature.

\- Rudy C

★ ★ ★ ★ ★

I didn't realize how much of my personal information was out there.

\- Ed B

★ ★ ★ ★ ★

I like feeling confident that **McAfee is working to protect my personal information.**

\- Janis C

★ ★ ★ ★ ★

Easy to use and necessary to have. **Wonderful!**

\- Aris C

★ ★ ★ ★ ★

****Industry-leading** online  
protection loved by millions**

****Trusted security****

for over 600 million devices

****Highest rating****

for security by SE Labs

****42 million****

threats blocked per day

**Clean up and speed up with ​**McAfee PC Optimizer****

Get your PC running up to twice as fast and boost your internet with just a few clicks with PC Optimizer. We'll remove outdated files, optimize your system, and reclaim bandwidth. Say goodbye to frustrating lag and enjoy your life online.

****Try** McAfee Total Protection for free**

Stay safe. Experience more. With McAfee Total Protection, you can easily protect how you browse, game, and connect, now with identity and privacy protection. Try our all-in-one online protection free for 30 days. ​

Windows® | macOS® | Android™ | iOS® | ChromeOS™

****Complete protection** for your mobile online life**

With McAfee Mobile Security, extend your online protection and privacy with a simple, all-in-one security solution. Connect confidently from the palm of your hand wherever you go.

Scan this QR code to download the McAfee Security mobile app directly to your phone or tablet from the Apple or Google Play app store.

CVE-2022-43751: Antivirus, VPN, Identity & Privacy Protection | McAfee

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX.
Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called **ViperSoftX**.

Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack.

ViperSoftX, which first came to light in February 2020, was characterized by Fortinet as a JavaScript-based remote access trojan and cryptocurrency stealer. The malware's use of a browser extension to advance its information-gathering goals was documented by Sophos threat analyst Colin Cowie earlier this year.

"This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others," Avast researcher Jan Rubín said in a technical write-up.

"ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads, or executing commands."

The distribution vector used to propagate ViperSoftX is typically achieved through cracked software for Adobe Illustrator and Microsoft Office that are hosted on file-sharing sites.

The downloaded executable file comes with a clean version of cracked software along with additional files that set up persistence on the host and harbor the ViperSoftX PowerShell script.

Newer variants of the malware are also capable of loading the VenomSoftX add-on, which is retrieved from a remote server, to Chromium-based browsers such as Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi.

This is achieved by searching for LNK files for the browser applications and modifying the shortcuts with a "\--load-extension" command line switch that points to the path where the unpacked extension is stored.

"The extension tries to disguise itself as well known and common browser extensions such as Google Sheets," Rubín explained. "In reality, the VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access permissions to every website the user visits from the infected browser."

It's worth noting that the --load-extension tactic has also been put to use by another browser-based information stealer referred to as ChromeLoader (aka Choziosi Loader or ChromeBack).

VenomSoftX, like ViperSoftX, is also orchestrated to steal cryptocurrencies from its victims. But unlike the latter, which functions as a clipper to reroute fund transfers to an attacker-controlled wallet, VenomSoftX tampers with API requests to crypto exchanges to drain the digital assets.

Services targeted by the extension include Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.

The development marks a new level of escalation to traditional clipboard swapping, while also not raising any immediate suspicion as the wallet address is replaced at a much more fundamental level.

Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.

An analysis of the hard-coded wallet addresses in the samples reveals that the operation has netted its authors a sum total of about $130,421 as of November 8, 2022, in various cryptocurrencies. The collective monetary gain has since dropped to $104,500.

"Since the transactions on blockchains/ledgers are inherently irreversible, when the user checks the transaction history of payments afterward, it is already too late," Rubín said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.1.0

PSID 

56c1bbdd9608

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A8: Cross Site Request Forgery (CSRF)

Publicly disclosed

2022-11-22

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rafie Muhammad (Patchstack) in the WordPress All In One WP Security plugin (versions <= 5.1.0).

**Solution**

Update the WordPress All In One WP Security & Firewall plugin to the latest available version (at least 5.1.1).

**References**

CVE-2022-44737: WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities - Patchstack

**Tuesday, November 22 —** As the cyber skills gap widens to record new levels, disruptive cybersecurity training and upskilling platform, **Hack The Box** (HTB), has announced its **annual global University ‘Capture the Flag’ (CTF) competition** that will take place from **December 2-4, 2022**.

This year’s event, which is **open to students and academics at higher education institutions worldwide**, is designed to inspire and prepare a new generation of security professionals to join the fight against cybercrime, at a time when they are most needed with the global talent shortage standing at 3.4 million. 

**With attacks spiking 28% in the last quarter of 2022** alone, and cybercrime predicted to cost the global economy **$10.5 trillion** **by 2025**, students taking part will learn only the latest practical hacking skills needed to combat the ever-growing and evolving volume of sophisticated threats. Higher education professionals will also be introduced to innovative and effective new methods of gamified and hands-on teaching.

HTB’s University CTF will see students across the globe face **over 20 sophisticated cyber challenges**, testing their skills in Cloud, Crypto, Pwn, Web, Forensics and more. This year’s challenges replicate the latest attack scenarios and cybercriminal techniques, helping to ensure students of all levels are prepared for a career in modern day cybersecurity.

This year’s CTF aims to shine a light on cyberbullying and create an inclusive space where students all over the world can gain access to the latest skills and networks but also learn in an interactive**, enjoyable and safe environment**. Titled **‘Supernatural Hacks’** this year’s CTF focuses on helping students to interact safely online and build their digital citizenship, all whilst teams work together in a fictional wizarding world to defeat cybers darkest villains. Proceeds from the competition are being donated to Cybersmile, a multi-award- winning nonprofit organisation committed to digital wellbeing and tackling all forms of abuse and bullying online.

**Haris Pylarinos, CEO and co-founder of Hack The Box**, says: _“Universities are the breeding ground for the next generation of cyber professionals, and its critical students have experience tackling real world threats. The massive rise in the volume and sophistication of cyberattacks, means demand for new skills is booming and the old ways are no longer working.”_

_“CTFs are a highly effective way to learn hands-on cyber skills through fun, gamified content. We’re seeing students join to not only sharpen their skills but also network with like-minded peers looking to enter a career in cyber. The competition is also an opportunity for academics and universities to learn new teaching methods that promote a ‘hacking mindset’ approach, needed to match the current threat landscape.”_

**Haris continues** “_The game has changed in cyber. Arbitrary degree and qualification hiring criteria needs to be phased out and businesses must prioritise practical-based skills and training experience. This will help cut the red tape holding back an untapped pool of highly skilled cyber talent waiting in the wings._

_Meanwhile, for younger generations increasingly looking for professions with purpose, hacking presents not only lucrative career prospects but an opportunity to do meaningful work stopping cybercriminal online - protecting businesses, governments, hospitals, schools and individuals from dangerous real-life threats. We’re excited to continue preparing the hackers of the future.”_

Last year’s University CTF winners included players from some of the biggest universities and schools in the world, **University of Warwick**, **Hasso-Plattner Institute** and **42 Paris**. With more students looking to upskill themselves than ever, HTB University CTF has also seen a **191% increase in participatio**n from 2021 to 2021, with 2022 set to see record levels of participants.

Teams, consisting of 1- 20 players, can enter the CTF from anywhere. All skill levels are welcome with challenge categories ranging from ‘Beginner to Hard’. The CTF style will be Jeopardy and FullPwn. As well as cash, swag prizes, and certificates of attendance can be earned for taking part

Hack The Box’s University CTF is sponsored by EY.

**Registration closes on** **November 30. Sign up** **here.**

Tag

#ios