### Impact
A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

### Patches
- [Sentry SaaS](https://sentry.io): The fix was deployed on Jan 14, 2025.
- [Self-Hosted Sentry](https://github.com/getsentry/self-hosted): If only a single organization is allowed (`SENTRY_SINGLE_ORGANIZATION = True`), then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher.

### Workarounds
No known workarounds.

### References
- https://github.com/getsentry/sentry/pull/83407

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-22146

**Sentry's improper authentication on SAML SSO process allows user impersonation**

Critical severity GitHub Reviewed Published Jan 15, 2025 in getsentry/sentry • Updated Jan 15, 2025

**Affected versions**

\>= 21.12.0, < 25.1.0

**Description**

**Impact**

A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

**Patches**

*   Sentry SaaS: The fix was deployed on Jan 14, 2025.
*   Self-Hosted Sentry: If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher.

**Workarounds**

No known workarounds.

**References**

*   getsentry/sentry#83407

**References**

*   GHSA-7pq6-v88g-wf3w
*   getsentry/sentry#83407
*   getsentry/sentry@6db508f

Published to the GitHub Advisory Database

Jan 15, 2025

Last updated

Jan 15, 2025

GHSA-7pq6-v88g-wf3w: Sentry's improper authentication on SAML SSO process allows user impersonation

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-20086

**Mattermost fails to properly validate post props**

Moderate severity GitHub Reviewed Published Jan 15, 2025 to the GitHub Advisory Database • Updated Jan 15, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.2.0, < 10.2.1

\>= 10.1.0, <= 10.1.3

\>= 10.0.0, <= 10.0.3

\>= 9.11.0, <= 9.11.5

< 8.0.0-20241127161322-25ff7a3779a5

**Patched versions**

10.2.1

10.1.4

10.0.4

9.11.6

8.0.0-20241127161322-25ff7a3779a5

Published to the GitHub Advisory Database

Jan 15, 2025

Last updated

Jan 15, 2025

GHSA-5m7j-6gc4-ff5g: Mattermost fails to properly validate post props

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-20088

**Mattermost fails to properly validate post props**

Moderate severity GitHub Reviewed Published Jan 15, 2025 to the GitHub Advisory Database • Updated Jan 15, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.2.0, < 10.2.1

\>= 10.1.0, <= 10.1.3

\>= 10.0.0, <= 10.0.3

\>= 9.11.0, <= 9.11.5

< 8.0.0-20241127161322-25ff7a3779a5

**Patched versions**

10.2.1

10.1.4

10.0.4

9.11.6

8.0.0-20241127161322-25ff7a3779a5

Published to the GitHub Advisory Database

Jan 15, 2025

Last updated

Jan 15, 2025

GHSA-45v9-w9fh-33j6: Mattermost fails to properly validate post props

BeyondTrust has patched all cloud instances of the vulnerability and has released patches for self-hosted versions.

Source: ktdesign via Adobe Stock

NEWS BRIEF

The Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog.

The medium-severity security bug was found as a part of BeyondTrust's Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. Silk Typhoon, a Chinese hacking group, was reportedly responsible for the December 2024 cyberattack, in which threat actors were able to gain credentials to Treasury workstations through the third-party vendor and then steal data. On Dec. 18, BeyondTrust reported identifying BT24-11 within its self-hosted and cloud Remote Support and Privileged Remote Access products, after reporting BT24-10 just two days prior.

On Jan. 6, in its latest update, BeyondTrust reported that its forensic investigation is nearly complete and that all software-as-a-service instances of BeyondTrust Remote Support have been fully patched with no new identified victims.

"All cloud instances have been patched for this vulnerability," BeyondTrust stated in the update. "We have also released a patch for self-hosted versions."

CISA stated that the vulnerability "can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user." That would allow a remote attacker to execute underlying operating system commands.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA: Second BeyondTrust Vulnerability Added to KEV Catalog

Evidence suggests that some of the payloads and extensions may date as far back as April 2023.

Source: VS148 via Shutterstock

A Christmas Eve phishing attack resulted in an unknown party taking over a Cyberhaven employee's Google Chrome Web Store account and publishing a malicious version of Cyberhaven's Chrome extension. While the problematic extension was removed within an hour of its discovery, the malicious activity highlights gaps in browser security that exist at most organizations and the necessity of getting a handle on the problem now, as extension poisoning is expected to be a persistent issue.

Further research into the incident suggests that this attack was likely part of two separate, but potentially related, campaigns to target multiple extension developers to distribute malicious extensions, experts say. The campaigns may have begun as early as April 2023.

"Currently we know about two different campaigns that have been targeting different objectives," says Amit Assaraf, CEO of Extension Total, a third-party extension security platform provider. Extension Total researchers have uncovered several malicious extensions over the past several weeks and have been looking at how they relate to each other.

**A Tale of Two Campaigns**

One campaign created extensions that steal cookies, session tokens, and possibly passwords, and targeted Facebook and OpenAI accounts, Assaraf says. The campaign relied on phishing to target extension developers and a malicious OAUTH application to take over Google Chrome Web Store accounts. Cyberhaven was one of the victims of this campaign.

There is some disagreement among experts over when the first malicious extension associated with this campaign appeared. Assaraf points to the Chrome extension "GPT 4 Summary with OpenAI," which was added to the Google Chrome Web Store in August. John Tuckner, founder of browser-extension management service Secure Annex, believes the "AI Assistant – ChatGPT and Gemini for Chrome" extension, which was uploaded to the Chrome Web Store in May, was the first extension used by this campaign.

"As far as I can tell, that is the first example of this type of code being used, but some of the related domain registrations go back to around Sept. 25, 2023, so this could have been planned for a while," Tuckner says.

Both extensions are no longer on the Chrome Web Store.

Regardless of when this campaign began, the impact has been widespread. Researchers have found 22 extensions related to it so far, affecting 1.46 million users, Assaraf says. Some of these have been removed completely from the Chrome Web Store, and others have been updated to a "safe" version.

The second campaign is aimed at tracking user activity, telemetry, and sites visited, "probably with intention to sell this data," Assaraf says. Its earliest appearance was in April 2023, and researchers have identified 15 extensions thus far as belonging to this campaign.

A Google spokesperson says the company has shut down malicious Chrome Web Store accounts identified as part of this investigation and continues to investigate reports from Extension Total regarding extensions still available in the store.

It's unclear at this time whether one attacker is behind both campaigns, though there is evidence — shared JavaScript payloads injected into unauthorized updates between August 2024 and December 2024 — suggesting "a synchronized campaign," says Bugcrowd founder Casey John Ellis.

"This also suggests centralized control over the hijacked developer accounts and a common threat actor," he says.

At this point, both campaigns appear to be contained; no additional extensions have been discovered, according to Assaraf.

**Extensions as Low-Hanging Fruit for Attackers**

Cyberhaven's internal security team was able to respond to the breach quickly, which helped expose the breadth of the extension poisoning. Many of the affected extensions are hobbyist projects, which means they likely do not have the tools or security support to be regularly monitoring for malware.

Therein lies the dilemma for detecting malicious Chrome extensions in the wild, experts say. It also explains why ensuring that extensions used within a corporate browser are safe is such a tricky scenario for organizations to navigate. While some are managed by companies with dedicated teams to ensure the extensions remain clean, many are maintained by private individuals and, thus, don't have this kind of oversight.

That complicates security within a corporate environment because browsers, like Chrome, grant extensions broad permissions, including access to sensitive user data, cookies, and even the ability to capture credentials and sessions, according to Matt Johansen, security researcher at Vulnerable U.

"Extensions still operate with a significant degree of trust, and once compromised, they can access everything a user can," Johansen says. "They also have less scrutiny to install than traditional desktop software, even in enterprises."

Because of their ability to compromise so many users and have access to so much information by poisoning a browser extension, it's a no-brainer for attackers.

"Controlling an extension gives an adversary a powerful vantage point for all browser activities," concurs Lionel Litty, chief security architect at Menlo Security.

Indeed, poisoning a Chrome extension is "actually a very convenient way for attackers to spread malicious code," Assaraf adds. "You only need to fool one person, one developer, and you get access to hundreds of thousands of machines," he says.

People often forget they've installed browser extensions, yet they continue to run in the background and update automatically, giving attackers wide access to sensitive data, he adds.

**Closing the Browser Security Gap**

Given their reach, why, then, are browsers and their extensions given such little thought when it comes to an organization's security posture? It could merely be that their security teams are so overwhelmed with responsibilities that browsers are the least of their worries — though that could now change, notes Secure Annex's Tuckner.

Organizations can take specific steps now to shore up the security of extensions running in corporate browsers, he says. Teams should start with collecting a real-time inventory of the browsers in the organization and which extensions are installed on them. This step should be followed by enrolling browsers in some kind of centralized management to set up an allowlist of known extensions, keeping only those that "drive core business value" and adding future ones on a case-by-case basis, Tuckner adds. The inventory will help security teams understand the scope of an incident when something happens.

"Few teams choose to or are able to prioritize browser security on top of everything else that they have to deal with," he says. "Many see browser security as a lower-risk item, but I believe that is quickly changing with incidents like this."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Extension Poisoning Campaign Highlights Gaps in Browser Security

"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.

Source: DD Images via Shutterstock

North Korea's Lazarus threat group has launched a fresh wave of attacks targeting software developers, using recruitment tactics on job-hiring platforms. This time, the group is using job postings on LinkedIn to lure freelance developers in particular into downloading malicious Git repositories; these contain malware for stealing source code, cryptocurrency, and other sensitive data.

The SecurityScorecard STRIKE team on Jan. 9 discovered the ongoing attack, dubbed Operation 99, in which attackers pose as recruiters to entice the developers with project tests or code reviews, the researchers revealed in a report (PDF) published today.

"Victims are tricked into cloning malicious Git repositories that connect to a command-and-control (C2) server, initiating a series of data-stealing implants," according to the post.

Attackers are using various payloads that work across Windows, macOS, and Linux in the campaign, using a layered malware delivery system with modular components that adapt to different targets. Downloaders such as Main99 retrieve and execute payloads that include Payload 99/73, brow99/73, and MCLIP, which perform tasks like keylogging, clipboard monitoring, file exfiltration from development environments, and browser credential theft.

Related:Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks

The malware also steals from application source code, secrets and configuration files, and cryptocurrency-related assets such as wallet keys and mnemonics, according to the researchers. The latter are used to facilitate direct financial theft, furthering Lazarus' goals to fund the regime of North Korean leader Kim Jong Un.

"By embedding the malware into developer workflows, the attackers aim to compromise not only individual victims, but also the projects and systems they contribute to," according to the report.

**North Korea's History of Targeting Developers**

The campaign builds on previous tactics by the group to target developers with various malware, including 2021's Operation Dream Job, in which the group sent fake job offers to specific organizational targets. When opened, they installed Trojan programs to collect information and send it back to the attackers.

Lazarus' long history of using the technology job market to target victims also includes another campaign called DEV#POPPER, which targeted software developers worldwide for data theft by having attackers pose as recruiters for nonexistent jobs.

North Korean threat groups also have turned the tables and used their own cyber spies to infiltrate global organizations for cyber espionage. The now-infamous case of security firm KnowBe4 accidentally hiring a North Korean hacker shows how convincing these campaigns can be.  

Related:Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

While a Department of Justice operation in May disrupted North Korea's widespread IT freelance operation with the indictment of several people for helping state-sponsored actors establish fake freelancer identities and evade sanctions, the latest campaign demonstrates that Lazarus remains undaunted.

Amid all this, the new campaign shows an evolution in tactics, the researchers said.

"In this instance, Lazarus is demonstrating a higher level of sophistication and focus compared to previous campaigns," says Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. These include using AI-generated profiles to pose as recruiters that appear highly authentic and realistic, "enabling them to effectively deceive victims," he adds.

"By presenting complete and convincing profiles, they offer what seem to be genuine job opportunities to developers," Sherstobitoff says. In some cases, Lazarus even compromises existing LinkedIn accounts to lend heft to their credibility, he adds.

The group also is employing more advanced techniques for obfuscation and encryption, making their malicious activities significantly more difficult to detect and analyze, Sherstobitoff says.

Related:Fake CrowdStrike 'Job Interviews' Become Latest Hacker Tactic

**Job Seekers, Exercise Caution**

Indeed, as these campaigns become more sophisticated through the use of AI and advanced social engineering, it's becoming "easier for attackers to gain the confidence of their targets, demonstrating a significant evolution in the level of precision and realism in their campaigns," Sherstobitoff says.

For this reason, mitigation strategies "should fundamentally center around reinforcing social engineering awareness and adhering to the basics of cybersecurity for everyday employees," he says. As a general rule, if a job offer or opportunity seems too good to be true, it likely is, and "should be approached with skepticism," Sherstobitoff says.

"Employees also should exercise extreme caution when interacting with recruiters, particularly if asked to download files, clone repositories, or engage with unfamiliar software," especially over platforms like LinkedIn or email, he says. "These channels can be easily manipulated by attackers posing as legitimate entities."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Lazarus APT Evolves Developer-Recruitment Attacks

Ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

Matias Madou, Co-Founder & CTO, Secure Code Warrior

January 15, 2025

5 Min Read

Source: Nils Ackermann via Alamy Stock Vector

COMMENTARY

The advent of artificial intelligence (AI) coding tools undoubtedly signifies a new chapter in modern software development. With 63% of organizations currently piloting or deploying AI coding assistants into their development workflows, the genie is well and truly out of the bottle, and the industry must now make careful moves to integrate it as safely and efficiently as possible.

The OWASP Foundation has long been a champion of secure coding best practices, providing extensive coverage on how developers can best defend their codebases from exploitable vulnerabilities. Its recent update to the OWASP Top 10 for Large Language Model (LLM) Applications reveals the emerging and most potent threats perpetuated by AI-generated code and generative AI (GenAI) applications, and this is an essential starting point for understanding and mitigating the threats likely to rear their ugly heads. 

We must focus on integrating solid, foundational controls around developer risk management if we want to see more secure, higher quality software in the future, not to mention make a dent in the flurry of global guidelines that demand applications are released that are secure by design.

**The Perilous Crossover Between AI-Generated Code and Software Supply Chain Security**

Prompt Injection's ranking as the No. 1 entry on the latest OWASP Top 10 was unsurprising, given its function as a direct natural language command telling the software what to do (for better or worse). However, Supply Chain Vulnerabilities, which have a much more significant impact at the enterprise level, came in at No. 3. 

OWASP's advice mentions several attack vectors comprising this category of vulnerability, elements such as implementing pretrained models that are also precompromised with backdoors, malware and poisoned data, or vulnerable LoRA adapters that, ironically, are used to increase efficiency, but can, in turn, compromise the base LLM. These present potentially grave, widespread exploitable issues that can permeate the whole supply chain in which they are used.

Sadly, many developers are not skill- and process-enabled enough to navigate these problems safely, and this is even more apparent when assessing AI-generated code for business logic flaws. While not specifically listed as a category, as is apparent in OWASP’s Top 10 Web Application Security Risks, this is partly covered in No. 6, Excessive Agency. Often, a developer will vastly overprivilege the LLM for it to operate more seamlessly, especially in testing environments, or misinterpret how real users will interact with the software, leaving it vulnerable to exploitable logic bugs. These, too, affect supply chain applications and, overall, require a developer to apply critical thinking and threat modeling principles to overcome them. Unchecked AI tool use, or adding AI-powered layers to existing codebases, adds to the overall complexity and is a significant area of developer-driven risk.

**Data Exposure Is a Serious Concern Requiring Serious Awareness**

Sensitive Information Disclosure is second on the new list, but it should be a chief concern for enterprise security leaders and development managers. As OWASP points out, this vector can affect both the LLM itself and its application context, leading to personally identifiable information (PII) exposure, and disclosure of proprietary algorithms and business data.

The nature of how the technology operates can mean that exposing this data is as simple as using cunning prompts rather than actively "hacking" a code-level vulnerability, and "the grandma exploit" is a prime example of sensitive data being exposed due to lax security controls over executable prompts. Here, ChatGPT was duped into revealing the recipe for napalm when prompted to assume the role of a grandmother reading a bedtime story. A similar technique was also used to extract Windows 11 keys. 

Part of the reason this is made possible is through poorly configured model outputs that can expose proprietary training data, which can then be leveraged in inversion attacks to eventually circumvent the security controls. This is a high-risk area for those who are feeding training data into their own LLMs, and the use of the technology requires companywide, role-based security awareness upskilling. The developers building the platform must be well-versed in input validation and data sanitization (as in, these skills are verified and assessed before they can commit code), and every end user must be trained to avoid feeding sensitive data that can be spat out at a later date.

While this may seem trivial on a small scale, at the government or enterprise level, with the potential for tens of thousands of employees to inadvertently participate in exposing sensitive data, it's a significant expansion of an already unwieldy attack surface that must be addressed.

**Are You Paying Attention to Retrieval-Augmented Generation (RAG)?**

Perhaps the most notable new entry in the 2025 list is featured at No. 8, Vector and Embedding Weaknesses. With enterprise LLM applications often utilizing RAG technology as part of the software architecture, this is a vulnerability category to which the industry must pay close attention.

RAG is essential for model performance enhancement, often acting as the "glue" that provides contextual cues between pre-trained models and external knowledge sources. This is made possible by implementing vectors and embeddings, but if they are not implemented securely they can lead to disastrous data exposure, or pave the way for serious data poisoning and embedding inversion attacks. 

A comprehensive understanding of both core business logic and least-privilege access control should be considered a security skills baseline for developers working on internal models. However, realistically, the best-case scenario would involve utilizing the highest-performing, security-skilled developers and their AppSec counterparts to perform comprehensive threat modeling and ensure sufficient logging and monitoring.

As with all LLM technology, while this is a fascinating emerging space, it should be crafted and used with a high level of security knowledge and care. This list is a powerful, up-to-date foundation for the current threat landscape, but the environment will inevitably grow and change quickly. The way in which developers create applications is sure to be augmented in the next few years, but ultimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.

**About the Author**

Co-Founder & CTO, Secure Code Warrior

Matias Madou is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company, Sensei Security. Over his career, Matias has led multiple application security research projects which have led to commercial products and boasts over 10 patents under his belt. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences, including RSA Conference, Black Hat, DEF CON, BSIMM, OWASP AppSec, and BruCon.

Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.

OWASP's New LLM Top 10 Shows Emerging AI Threats

An ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.

**Table of contents**

*   Overview
*   Criminals impersonate Google Ads
*   Lures hosted on Google Sites
*   Phishing for Google account credentials
*   Victimology
*   Who is behind these campaigns?
*   Fuel for other malware and scam campaigns
*   Indicators of Compromise

**Overview**

Online criminals are targeting individuals and businesses that advertise via Google Ads by phishing them for their credentials — ironically — via fraudulent Google ads.

The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages. We believe their goal is to resell those accounts on blackhat forums, while also keeping some to themselves to perpetuate these campaigns.

This is the most egregious malvertising operation we have ever tracked, getting to the core of Google’s business and likely affecting thousands of their customers worldwide. We have been reporting new incidents around the clock and yet keep identifying new ones, even at the time of publication.

The following diagram illustrates at a high level the mechanism by which advertisers are getting fleeced:

_Figure 1: Process flow for this Google Ads heist campaign_

_Back to top_

**Criminals impersonate Google Ads**

Advertisers are constantly trying to outbid each other to reach potential customers by buying ad space on the world’s number one search engine. This earned Google a whopping $175 billion in search-based ad revenues in 2023. Suffice to say, the budgets spent in advertising can be considerable and of interest to crooks for a number of reasons.

We first started noticing suspicious activity related to Google accounts somewhat accidentally, and after a deeper look we were able to trace it back to malicious ads for… Google Ads itself! Very quickly we were overwhelmed by the onslaught of fraudulent “Sponsored” results, specifically designed to impersonate Google Ads, as can be seen in _Figure 2_:

_Figure 2: A malicious ad masquerading as Google Ads_

While it is hard to believe such a thing could actually happen, the proof is there when you click on the 3-dot menu that shows more information about the advertiser. We have partially masked the victim’s name, but clearly it is not Google; they are just one of the many accounts that have already been compromised and abused to trick more users:

_Figure 3: The advertiser behind this ad is not affiliated with Google at all_

People who will see those ads are individuals or businesses that want to advertise on Google Search or already do. Indeed, we saw numerous ads specifically for each scenario, sign up or sign in, as seen in _Figure 4_:

_Figure 4: Two ads for signing up and sign in to Google Ads respectively_

The fake ads for Google Ads come from a variety of individuals and businesses, in various locations. Some of those hacked accounts already had hundreds of other legitimate ads running, and one of them was for a popular Taiwanese electronics company.

_Figure 5: Victim accounts spending their own budgets on fake Google Ads_

To get an idea of the geographic scope of these campaigns, we performed the same Google search simultaneously from several different geolocations (using proxies). First, here’s the malicious ad from a U.S. IP address belonging to a business registered in Paraguay:

_Figure 6: U.S.-based search showing fake Google ad_

Now, here’s that same ad that appears on Google Search in several other countries:

_Figure 7: The same ad found in different countries_

_Back to top_

**Lures hosted on Google Sites**

Once victims click on those fraudulent ads, they are redirected to a page that looks like Google Ads’ home page, but oddly enough, it us hosted on Google Sites. These pages act as a sort of gateway to external websites specifically designed to steal the usernames and passwords from the coveted advertisers’ Google accounts.

_Figure 8: A malicious Google Sites page impersonating Google Ads_

There’s a good reason to use Google Sites, not only because it’s a free and a disposable commodity but also because it allows for complete impersonation. Indeed, you cannot show a URL in an ad unless your landing page (final URL) matches the same domain name. While that is a rule meant to protect abuse and impersonation, it is one that is very easy to get around.

_Figure 9: The rule that stipulates display URLs and final URLs must have matching domains_

Looking back at the ad and the Google Sites page, we see that this malicious ad does not strictly violate the rule since _sites**.google.com**_ uses the same root domains ads _ads**.google.com**_. In other words, it is allowed to show this URL in the ad, therefore making it indistinguishable from the same ad put out by Google LLC..

_Figure 10: The malicious ad does not violate Google’s rule on the use of the display URL_

_Back to top_

**Phishing for Google account credentials**

After the victims click on the “Start now” button found on the Google Sites page, they are redirected to a different site which contains a phishing kit. JavaScript code fingerprints users while they go through each step to ensure all important data is being surreptitiously collected.

_Figure 12: The actual phishing page that follows_

Finally, all the data is combined with the username and password and sent to the remote server via a POST request. We see that criminals even receive the victim’s geolocation, down to the city and internet service provider.

_Figure 12: POST web request with victim’s details_

_Back to top_

**Victimology**

There are multiple online reports of people who saw the fake Google Ads and shared their experiences:

*   Help with removing a dangerous scam in Google Ads (_Google Ads Help forum_)
*   Google Ads Phishing Scam (_Reddit_)
*   It’s just me or Google just sponsored a link to a phising site for Google ads? (_Reddit_)
*   Be aware of fake google page, clicked by accident (_Reddit_)
*   Warning! First sponsorized google answer for “Google ads” is a phishing attempt ! (_BlueSky_)

We were able to get in touch with a couple of victims who not only saw the ads but were actually scammed and lost money. Thanks to their testimony and our own research, we have a better idea of the criminals’ modus operandi:

*   Victim enters their Google account information into phishing page
*   Phishing kit collects unique identifier, cookies, credentials
*   Victim may receive an email indicating a login from an unusual location (Brazil)
*   If the victim fails to stop this attempt, a new administrator is added to the Google Ads account via a different Gmail address
*   Threat actor goes on a spending spree, locks out victim if they can

_Back to top_

**Who is behind these campaigns?**

We identified two main groups of criminals running this scheme but the more prolific by far is one made of Portuguese speakers likely operating out of Brazil. Victims have also shared that they had received a notification from Google indicating suspicious logins from Brazil. Unfortunately, those notifications often came too late or where dismissed as legitimate, and the criminals already had time to do some damage.

We should also note a third campaign that is very different from the other two, and where the threat actors’ main goal is to distribute malware. The Google Ads phishing scheme may have been a temporary run which was not their main focus.

**Brazilian team**

In the span of a few days, we reported over 50 fraudulent ads to the Google Ad team all coming from this Brazilian group. We quickly realized that no matter how many reported incidents and takedowns, the threat actors managed to keep at least one malicious ad 24/7.

_Figure 13_ shows the network traffic resulting from a click on the ad. You will see multiple hops before finally arriving to the phishing portal. The second URL shows the crooks are using a paid service to detect fake traffic.

Figure 13: Network traffic from the ‘Brazilian campaign’

Within the JavaScript code part of the phishing kit, there are comments in Portuguese. _Figure 14_ shows a portion of the code that does browser fingerprinting, which is a way of identifying users. Browser language, system CPU, memory, screen-width, and time zone are some of the data points collected and then hashed.

Figure 14: Identifying users via various settings

**Asian team**

The second group is using advertiser accounts from Hong Kong and appears to be Asia-based, perhaps from China. Interestingly, they also use the same kind of delivery chain by leveraging Google sites. However, their phishing kit is entirely different from their Brazilian counterparts.

Figure 15: Web traffic for the ‘Chinese campaign’

_Figure 16_ below shows a code extract with comments in Chinese, as well as a function called _xianshi_, which could be in reference to a Chinese general of the late Qing dynasty or even a superhero from more modern gaming and literature.

Figure 16: Code with comments in Chinese

**Third campaign (possibly Eastern European)**

We observed another campaign which has a very different modus operandi. Google Sites is not involved at all, and instead they rely on a fake CAPTCHA lure and heavy obfuscation of the phishing page.

Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo\[.\]click domain name. However, for about day or so, the redirect from that domain lead directly to a phishing portal hosted at _ads-overview\[.\]com_.

The reason why we suggest the threat actors may be Eastern Europeans here is because of the type of redirects and obfuscation. There is also a distant feel of ‘software download via Google ads’ we have reported on previously (see _Threat actor impersonates Google via fake ad for Authenticator_).

Figure 17: A malicious ad for Google Authenticator and fake CAPTCHA

A PHP script (_cloch.php_) then determines if the visitor is genuine or not (likely doing a server-side IP check). VPNs, bot and detection tools will get a “white” page showing some bogus instructions on how to run a Google Ads campaign. Victims are instead redirected to _ads-overview\[.\]com_ which is a phishing portal for Google accounts.

Figure 18: Cloaking in action with a ‘white’ page or the phishing page

When we checked back on this campaign a few days later, we saw that the ad URL now redirected to a fake Google Authenticator site, likely to download malware. The redirection mechanism is shown in _Figure_ 20:

Figure 19: Web traffic for fake Google Authenticator site

_Back to top_

**Fuel for other malware and scam campaigns**

Stolen Google Ads accounts are a valuable commodity among thieves. As we have detailed it many times on this blog, there are constant malvertising campaigns leveraging compromised advertiser accounts to buy ads that push scams or deliver malware.

*   Printer problems? Beware the bogus help
*   Malicious ad distributes SocGholish malware to Kaiser Permanente employees
*   Hello again, FakeBat: popular loader returns after months-long hiatus
*   Large scale Google Ads campaign targets utility software

If you think about it for a second, crooks are using someone else’s budget to further continue spreading malfeasance. Whether those dollars are spent towards legitimate ads or malicious ones, Google still earns revenues from those ad campaigns. The losers are the hacked advertisers and innocent victims that are getting phished.

As result, taking action on compromised ad accounts plays a key part in driving down malvertising attacks. Google has yet to show that it takes definitive steps to freeze such accounts until their security is restored, despite their own policy on the subject (_Figure 20_). For example, we recently saw a case where the same advertiser that had already been reported 30 times, was still active.

_Figure 20: Google’s policy regarding violations_

As the scourge of fraudulent ads continues, we urge users to pay particular attention to sponsored results. Ironically, it’s quite possible that individuals and businesses that run ad campaigns are not using an ad-blocker (to see their ads and those from their competitors), making them even more susceptible to fall for these phishing schemes.

**We don’t just report on threats—we block them**

_Cybersecurity risks should never spread beyond a headline. Keep threats off by downloading Malwarebytes Browser Guard today._

_Back to top_

**Indicators of Compromise**

Fake Google Sites pages

sites\[.\]google\[.\]com/view/ads-goo-vgsgoldx  
sites\[.\]google\[.\]com/view/ads-word-cmdw  
sites\[.\]google\[.\]com/view/ads-word-makt  
sites\[.\]google\[.\]com/view/ads-word-whishw  
sites\[.\]google\[.\]com/view/ads-word-wwesw  
sites\[.\]google\[.\]com/view/ads-word-xvgt  
sites\[.\]google\[.\]com/view/ads3dfod6hbadvhj678  
sites\[.\]google\[.\]com/view/adwoord  
sites\[.\]google\[.\]com/view/aluado01  
sites\[.\]google\[.\]com/view/ap-rei-pandas  
sites\[.\]google\[.\]com/view/appsd-adsd  
sites\[.\]google\[.\]com/view/asd-app-goo  
sites\[.\]google\[.\]com/view/connectsing/addss  
sites\[.\]google\[.\]com/view/connectsingyn/ads  
sites\[.\]google\[.\]com/view/entteraccess  
sites\[.\]google\[.\]com/view/exercitododeusvivo  
sites\[.\]google\[.\]com/view/fjads  
sites\[.\]google\[.\]com/view/goitkm/google-ads  
sites\[.\]google\[.\]com/view/hdgstt  
sites\[.\]google\[.\]com/view/helpp2k  
sites\[.\]google\[.\]com/view/hereon/1sku4yf  
sites\[.\]google\[.\]com/view/hgvfvd  
sites\[.\]google\[.\]com/view/joaope-defeijao  
sites\[.\]google\[.\]com/view/jthsjd  
sites\[.\]google\[.\]com/view/logincosturms/ads  
sites\[.\]google\[.\]com/view/logins-words-officails  
sites\[.\]google\[.\]com/view/logins-words-officsdp  
sites\[.\]google\[.\]com/view/marchatrasdemarcha  
sites\[.\]google\[.\]com/view/newmanage/page  
sites\[.\]google\[.\]com/view/one-vegas  
sites\[.\]google\[.\]com/view/one-vegasw  
sites\[.\]google\[.\]com/view/onvg-ads-word  
sites\[.\]google\[.\]com/view/oversmart/new  
sites\[.\]google\[.\]com/view/pandareidel  
sites\[.\]google\[.\]com/view/polajdasod6hbad  
sites\[.\]google\[.\]com/view/ppo-ads  
sites\[.\]google\[.\]com/view/quadrilhadohomemtanacasakaraio  
sites\[.\]google\[.\]com/view/ricobemnovinhos  
sites\[.\]google\[.\]com/view/s-ad-offica  
sites\[.\]google\[.\]com/view/s-wppa  
sites\[.\]google\[.\]com/view/sdawjj  
sites\[.\]google\[.\]com/view/semcao  
sites\[.\]google\[.\]com/view/sites-gb  
sites\[.\]google\[.\]com/view/soarnovo  
sites\[.\]google\[.\]com/view/so-ad-reisd  
sites\[.\]google\[.\]com/view/spiupiupp-go  
sites\[.\]google\[.\]com/view/start-smarts  
sites\[.\]google\[.\]com/view/start-smarts/homepage/  
sites\[.\]google\[.\]com/view/umcincosetequebratudo  
sites\[.\]google\[.\]com/view/vewsconnect  
sites\[.\]google\[.\]com/view/vinteequatroporquarenta  
sites\[.\]google\[.\]com/view/xvs-wods-ace  
sites\[.\]google\[.\]com/view/zeroumnaoezerodois  
sites\[.\]google\[.\]com/view/zeroumonlinecomosmp

Phishing domains

account-costumers\[.\]site  
account-worda-ads\[.\]benephica\[.\]com  
account-worda-ads\[.\]cacaobliss\[.\]pt  
account\[.\]universitas-studio\[.\]es  
accounts-ads\[.\]site  
accounts\[.\]google\[.\]lt1l\[.\]com  
accounts\[.\]goosggles\[.\]com  
accounts\[.\]lichseagame\[.\]com  
accousnt-ads\[.\]tmcampos\[.\]pt  
accousnt\[.\]benephica\[.\]pt  
accousnt\[.\]hyluxcase\[.\]me  
accousnt\[.\]whenin\[.\]pt  
ads-goo\[.\]click  
ads-goog\[.\]link  
ads-google\[.\]io-es\[.\]com  
ads-overview\[.\]com  
ads1.google.lt1l.com  
ads1\[.\]google\[.\]veef8f\[.\]com  
adsettings\[.\]site  
adsg00gle-v3\[.\]vercel\[.\]app  
adsgsetups\[.\]shop  
advertsing-acess\[.\]site  
advertsing-v3\[.\]site  
as\[.\]vn-login\[.\]shop  
benephica\[.\]pt  
cacaobliss\[.\]pt  
colegiopergaminho\[.\]pt  
docs-pr\[.\]top  
tmcampos\[.\]pt  
vietnamworks\[.\]vn-login\[.\]shop

_Back to top_

 The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads 

Lilith >_> of Cisco Talos discovered these vulnerabilities. 
Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  
The Wavlink AC3000 wireless router is one of the

Wednesday, January 15, 2025 08:00

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._ 

Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.  

The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. 

Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability disclosure policy. Wavlink has declined to release a patch for these vulnerabilities.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Static login vulnerability **

An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials.  

Static Login 

*   TALOS-2024-2034 (CVE-2024-39754): Static login 

**Ten .cgi vulnerabilities **

An unauthenticated HTTP request can trigger the following types of vulnerabilities: 

touchlist\_sync.cgi 

*   TALOS-2024-1999 (CVE-2022-2488): Arbitrary code execution 
*   TALOS-2024-2000 (CVE-2024-34166): Command injection 
*   TALOS-2024-2046 (CVE-2024-36258): Buffer overflow  

Login.cgi 

*   TALOS-2024-2017 (CVE-2024-39363): Persistent XXS 
*   TALOS-2024-2018 (CVE-2024-39759-CVE-2024-39761): Command injection 
*   TALOS-2024-2019 (CVE-2024-36290): Buffer overflow  
*   TALOS-2024-2036 (CVE-2024-39608): Unauthenticated firmware upload  

internet.cgi 

*   TALOS-2024-2020 (CVE-2024-39762-CVE-2024-39765): Command injection 
*   TALOS-2024-2021 (CVE-2024-39288): Buffer overflow 
*   TALOS-2024-2022 (CVE-2024-39768-CVE-2024-39770): Buffer overflow  

firewall.cgi 

*   TALOS-2024-2023 (CVE-2024-39367): Command injection  

adm.cgi 

*   TALOS-2024-2024 (CVE-2024-39756): Buffer overflow 
*   TALOS-2024-2025 (CVE-2024-37184): Buffer overflow 
*   TALOS-2024-2026 (CVE-2024-39294): Buffer overflow 
*   TALOS-2024-2027 (CVE-2024-39358): Buffer overflow 
*   TALOS-2024-2028 (CVE-2024-21797): Command injection 
*   TALOS-2024-2029 (CVE-2024-37357): Buffer overflow 
*   TALOS-2024-2030 (CVE-2024-39774): Buffer overflow 
*   TALOS-2024-2031 (CVE-2024-39370): Arbitrary code execution 
*   TALOS-2024-2032 (CVE-2024-37186): OS command injection 
*   TALOS-2024-2033 (CVE-2024-39781-CVE-2024-39783): OS Command injection 

wireless.cgi 

*   TALOS-2024-2039 (CVE-2024-39357): Buffer overflow 
*   TALOS-2024-2040 (CVE-2024-39359): Buffer overflow 
*   TALOS-2024-2041 (CVE-2024-36493): Buffer overflow 
*   TALOS-2024-2042 (CVE-2024-39603): Buffer overflow 
*   TALOS-2024-2043 (CVE-2024-39757): Buffer overflow 
*   TALOS-2024-2044 (CVE-2024-34544): Command injection 

usbip.cgi 

*   TALOS-2024-2045 (CVE-2024-36272): Buffer overflow 

qos.cgi 

*   TALOS-2024-2047 (CVE-2024-36295): Command injection 
*   TALOS-2024-2048 (CVE-2024-39299): Buffer overflow 
*   TALOS-2024-2049 (CVE-2024-39801-CVE-2024-39803): Buffer overflow 

openvpn.cgi 

*   TALOS-2024-2050 (CVE-2024-39798-CVE-2024-39800): Configuration control 
*   TALOS-2024-2051 (CVE-2024-38666): Configuration control 

nas.cgi 

*   TALOS-2024-2052 (CVE-2024-39602): Configuration control 
*   TALOS-2024-2053 (CVE-2024-39793-CVE-2024-39795): Configuration control 
*   TALOS-2024-2054 (CVE-2024-39360): Command injection 
*   TALOS-2024-2055 (CVE-2024-39280): Configuration control 
*   TALOS-2024-2056 (CVE-2024-39788-CVE-2024-39790): Configuration control 
*   TALOS-2024-2057 (CVE-2024-39786-CVE-2024-39787): Directory traversal 
*   TALOS-2024-2058 (CVE-2024-39784-CVE-2024-39785): Command injection 

**Three .sh vulnerabilities **

Attackers can send specially crafted HTTP requests. A man-in-the-middle attack can trigger the fw\_check.sh and update\_filter\_url.sh vulnerabilities. 

testsave.sh 

*   TALOS-2024-2035 (CVE-2024-39773): Firmware update 

fw\_check.sh 

*   TALOS-2024-2037 (CVE-2024-39273): Firmware upload  

update\_filter\_url.sh 

*   TALOS-2024-2038 (CVE-2024-39604): Argument injection

Slew of WavLink vulnerabilities

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection…

CVE-2024-44243, a critical macOS vulnerability discovered recently by Microsoft, can allow attackers to bypass Apple’s System Integrity Protection (SIP). Learn how this vulnerability can be exploited and how to protect your devices from this threat.

A recently discovered macOS vulnerability tracked as CVE-2024-44243, has raised alarms for jeopardizing the security of Apple devices. This vulnerability, uncovered by Microsoft Threat Intelligence, allows attackers to circumvent Apple’s robust System Integrity Protection (SIP) mechanism.

****How Does It Work?****

The flaw is found in the Storage Kit daemon, allowing local attackers with root privileges to exploit low-complexity attacks. According to Microsoft’s technical blog, shared with Hackread.com, CVE-2024-44243 exploits a weakness in the macOS storage management system. By leveraging the “storagekitd” daemon, attackers can potentially load third-party kernel extensions, bypassing the strict controls imposed by SIP.  

****What are the Implications?****

System Integrity Protection (SIP) is a crucial cybersecurity measure for macOS systems, protecting against malware and attackers. Bypassing it can significantly compromise the system’s security, Microsoft noted. Such as, attackers can install malicious software at the kernel level, and gain deep access to the system and data.

Moreover, malicious software can establish a persistent presence on the system, making it difficult to remove and potentially enabling future attacks. Also, attackers could bypass TCC (Transparency, Consent, and Control), Apple’s privacy framework, allowing unauthorized access to user data and sensitive information.  The vulnerability creates a wider attack surface, enabling attackers to exploit other vulnerabilities and escalate their privileges.

****Mitigating the Threat****

Apple has released security updates to address CVE-2024-44243. All macOS users must update their systems to the latest version to patch this vulnerability.

Microsoft’s responsible disclosure to Apple and their joint efforts to address this threat highlights the importance of shared knowledge and coordinated action in safeguarding user security. 

While we focus on patching vulnerabilities to protect ourselves from cyberattacks, it is important to remember that social engineering scams remain a prevalent threat. 

A recent campaign discovered by Group-IB targeted Apple iOS and Android users with fake trading apps. These apps were designed to steal from unsuspecting cryptocurrency investors. Therefore, staying informed about the latest threats, practicing safe online habits, and keeping software updated, are essential to minimize cybersecurity risks.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) commented on this stating, _“_This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls._“_ 

“Security teams should ensure macOS systems are patched with the latest updates, closely monitor for unusual disk management or privileged process behaviour, and implement endpoint detection tools that watch for unsigned kernel extensions,“ Jason explained. _“_Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat._“_

Tag

#auth