Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Chrome. Show all posts

Choosing the Right Browser: Privacy Tips from Apple and Google

Apple vs. Google: The Battle for Browser Privacy

Apple has launched an ad campaign urging over a billion iPhone users to stop using Google Chrome, citing privacy concerns. This campaign has sparked a heated debate between two tech giants, Apple and Google, over the best way to protect user privacy online.

Apple’s Stance on Privacy

Apple has long positioned itself as a champion of user privacy. In its latest campaign, Apple highlights the extensive use of tracking cookies by Google Chrome. These cookies, Apple claims, follow users across the web, collecting data on their browsing habits. Apple argues that Chrome’s Incognito mode, which many users rely on for private browsing, isn’t truly private. According to Apple, Incognito mode still allows websites to track user activity, albeit to a lesser extent.

To counter these privacy concerns, Apple promotes its own browser, Safari, as a more secure alternative. Safari, Apple claims, uses Intelligent Tracking Prevention (ITP) to limit the ability of advertisers to track users across websites. This feature, combined with other privacy-focused tools, makes Safari a more attractive option for users who prioritize their online privacy.

Google’s Response

Google, on the other hand, has defended Chrome’s privacy practices. In response to Apple’s campaign, Google emphasized that Chrome is designed to keep user data safe and give users control over their privacy settings. Google points out that Chrome offers a range of privacy features, including the ability to block third-party cookies and manage site permissions.

Google also highlights its commitment to transparency. The company regularly updates its privacy policies and provides users with clear information about how their data is collected and used. Google argues that this transparency, combined with robust privacy controls, makes Chrome a trustworthy choice for users.

The Broader Context

This clash between Apple and Google is part of a larger conversation about online privacy. As more of our lives move online, the amount of data we generate has skyrocketed. This data is incredibly valuable to advertisers, who use it to target ads more effectively. However, this data collection has raised significant privacy concerns.

Many users are unaware of the extent to which their online activities are tracked. Even when using private browsing modes, such as Chrome’s Incognito mode, users may still be tracked by websites and advertisers. This has led to calls for greater transparency and stronger privacy protections.

Choosing the Right Browser

So, what does this mean for the average user? When choosing a browser, it’s important to consider your privacy needs. If you prioritize privacy and want to limit tracking as much as possible, Safari may be the better choice. Apple’s Intelligent Tracking Prevention and other privacy features can help protect your data from advertisers.

However, if you value customization and control over your browsing experience, Chrome offers a range of privacy tools that can be tailored to your needs. Google’s transparency about its data collection practices also provides users with a clear understanding of how their data is used.

Ultimately, the choice between Safari and Chrome comes down to personal preference. Both browsers have their strengths and weaknesses, and the best choice will depend on your individual privacy needs and browsing habits.

18-Year-Old Vulnerability in Firefox and Chrome Actively Exploited in Cyber Attacks

 

A security vulnerability, identified 18 years ago and known as "0.0.0.0 Day," has been discovered to allow malicious websites to bypass security measures in Google Chrome, Mozilla Firefox, and Apple Safari. This vulnerability enables these websites to interact with services on a local network, posing significant risks.

It is important to note that this vulnerability affects only Linux and macOS devices and does not impact Windows systems. On the affected devices, attackers can exploit this flaw to remotely change settings, gain unauthorized access to protected information, and, in some cases, execute remote code. Despite being reported in 2008, this issue remains unresolved in Chrome, Firefox, and Safari, although all three browsers have acknowledged the problem and are working on a fix. Researchers at Oligo Security have observed multiple threat actors exploiting this vulnerability as part of their attack strategies.

The 0.0.0.0 Day vulnerability arises from inconsistent security mechanisms across different browsers and the lack of standardization, which allows public websites to communicate with local network services using the "wildcard" IP address 0.0.0.0. Typically, this IP address represents all IP addresses on the local machine or all network interfaces on the host. It can also be used as a placeholder address in DHCP requests or interpreted as the localhost (127.0.0.1) in local networking. Malicious websites can send HTTP requests to 0.0.0.0 targeting services running on the user's local machine. Due to inconsistent security, these requests are often processed.

Existing protection mechanisms like Cross-Origin Resource Sharing (CORS) and Private Network Access (PNA) fail to prevent this risky activity, according to Oligo. Web browsers typically prevent websites from making requests to third-party sites and using the returned information to protect against malicious websites connecting to other URLs in a visitor's web browser where they may be authenticated, such as online banking portals or email servers.

Unfortunately, the risk isn't just theoretical. Oligo Security has identified several cases where the 0.0.0.0 Day vulnerability is actively exploited. One such case is the ShadowRay campaign, documented last March, targeting AI workloads running locally on developers' machines. The attack begins when a victim clicks on a link that triggers JavaScript to send an HTTP request to 'http://0[.]0[.]0[.]0:8265', typically used by Ray. 

These requests reach the local Ray cluster, leading to scenarios of arbitrary code execution, reverse shells, and configuration alterations. Another campaign targeting Selenium Grid was discovered by Wiz, where attackers use JavaScript on a public domain to send requests to 'http://0[.]0[.]0[.]0:4444.' These requests are routed to the Selenium Grid servers, enabling code execution or network reconnaissance. The "ShellTorch" vulnerability, reported by Oligo in October 2023, involves the TorchServe web panel being bound to the 0.0.0.0 IP address by default, exposing it to malicious requests.

In response to Oligo's disclosure, web browser developers are starting to take action. Google Chrome, the world's most popular web browser, plans to block access to 0.0.0.0 via a gradual rollout from version 128 to version 133. Mozilla Firefox, which does not yet implement PNA, has set the development of this feature as a high priority and has initiated temporary fixes, though no rollout dates have been provided. Apple has implemented additional IP checks on Safari and will block access to 0.0.0.0 in version 18, introduced with macOS Sequoia.

Until browser fixes are fully implemented, Oligo recommends that app developers take the following security measures:

- Implement PNA headers.
- Verify HOST headers to protect against DNS rebinding attacks.
- Do not trust localhost—add authorization, even locally.
- Use HTTPS whenever possible.
- Implement CSRF tokens, even for local apps.

Most importantly, developers should be aware that until these fixes are rolled out, it is still possible for malicious websites to route HTTP requests to internal IP addresses. This security consideration should be kept in mind when developing apps.

'0.0.0.0 Day' Vulnerability Puts Chrome, Firefox, Mozilla Browsers at Risk

 

A critical security bug known as "0.0.0.0 Day" has shook the cybersecurity world, leaving millions of users of popular browsers such as Chrome, Firefox, and Safari vulnerable to future assaults. This vulnerability allows malicious actors to possibly gain access to files, messages, credentials, and other sensitive data saved on a device within a private network, specifically "localhost.” 

What is 0.0.0.0 day flaw?

The term "0.0.0.0 Day" refers to a new vulnerability identified by Israeli cybersecurity startup Oligo that hackers can exploit before a fix is released. The zeroes indicate a lack of prior information or awareness of flaws. This makes it especially risky because users and developers are taken completely off guard. 

According to the research, the exploit consists of fraudulent websites luring browsers into allowing them to interface with APIs (Application Programming Interfaces) running on a user's local PC. These APIs are primarily intended for internal communication within applications and should not be available from other sources, such as websites. Attackers that exploit the 0.0.0.0 Day vulnerability could possibly get unauthorised access to sensitive information saved on a user's device, steal data, or even launch malware. 

Impact on key browsers 

The security ramifications of this issue are extensive. Here's a closer look at the possible impact on major browsers. 

Chrome zero-Day vulnerability: Google Chrome, the world's most popular browser, is an obvious target for attackers. A successful exploit of the 0.0.0.0 Day bug could allow criminals to get beyond Chrome's security measures and get access to a user's local network. This could expose sensitive information kept on a user's PC, compromise corporate networks if a user works remotely, or even aid in the installation of malware. 

Firefox zero-day vulnerability: Although Firefox is not as extensively used as Chrome, it is a popular choice for many consumers. A successful exploit of the 0.0.0.0 Day vulnerability may have similar repercussions for Firefox users. Attackers could potentially obtain access to local networks, steal data, or carry out malware attacks. 

Safari Zero-Day vulnerability: The 0.0.0.0 Day vulnerability could also affect Apple's Safari browser, which is the default browser on all Apple devices. While Apple has a reputation for strong security, this vulnerability underlines the ongoing need for vigilance. A successful exploit can allow attackers access to a user's local network on a Mac or iOS device, possibly compromising private information or aiding new assaults. 

The disclosure of the 0.0.0.0 Day vulnerability underlines the ongoing challenge of ensuring browser security in an increasingly complicated threat ecosystem. Browser developers must continue to invest in R&D to remain ahead of thieves. Users must also be cautious and follow best practices to safeguard themselves from emerging risks.

Google Delays Plan to Replace Cookies, Leaving Users and Industry in Limbo


In unexpected turn of events, Google has delayed its plan to replace tracking cookies in its Chrome browser, affecting its three billion users worldwide. The company had intended to transition to new, anonymised tracking methods to enhance user privacy, but these alternatives have faced regulatory and privacy challenges.

Cookie Controversy and Privacy Concerns

Originally, Google aimed to retire cookies and introduce Privacy Sandbox, which would use less invasive tracking methods by grouping users into like-minded cohorts. However, this initiative encountered significant pushback due to concerns over its effectiveness and potential industry impact. Critics argue that these new methods might still compromise user privacy and could harm the digital advertising ecosystem.

Google's Alex Cone, Product Manager for Privacy Sandbox, recently acknowledged the lack of progress, stating, “We’re at work on those [new] designs, and we’ll discuss those with regulators as we advance… there’s no new information to provide.” This indefinite delay has left many in the industry frustrated and uncertain about the future of digital tracking.

Reports indicate that Google is now in "damage control mode," attempting to soothe the industry's nerves. Meetings, forums, and panels have been held to address concerns, but concrete solutions remain elusive. Many ad tech executives feel like they're at the mercy of Google's decisions, which immensely impact their operations.

The Privacy Sandbox was seen as a necessary evolution from cookies, but now, with no clear timeline, the advertising industry is left in limbo. This delay means that the status quo of invasive tracking will continue for the foreseeable future, much to the dismay of privacy advocates.

Google vs. Apple: A Privacy Battle

The timing of these developments is noteworthy. Apple's recent ad campaign criticised Chrome's privacy practices, aligning closely with Google’s announcement of cookie delays. Apple has been a strong proponent of privacy, introducing features like App Tracking Transparency (ATT) that significantly restrict user tracking. The effectiveness of Apple's approach has been debated, with opt-in rates for tracking remaining low.

Google’s struggle with Privacy Sandbox could lead to similar outcomes as Apple’s ATT, where user tracking becomes more transparent but less prevalent. However, this shift requires careful consideration and regulatory approval, which is currently lacking.

The Future of Digital Tracking

The UK's Competition and Markets Authority (CMA) is closely watching Google's revised approach, emphasising the need for balanced solutions that protect consumers and market dynamics. The Electronic Frontier Foundation (EFF) has long advocated for banning behavioural advertising based on online activity, underscoring the urgent need for robust privacy legislation.

The advertising industry, having prepared for a post-cookie world, now faces uncertainty. Investments in Privacy Sandbox-related technologies may stall, and the transition to new tracking methods could be delayed indefinitely.

For Chrome users, this means continued exposure to current tracking practices, with no immediate improvements in privacy. Meanwhile, the digital advertising industry grapples with Google's unpredictable policy changes. As the debate over user privacy and tracking continues, the need for clear, effective, and timely solutions becomes ever more critical.

Third-Party Cookies Stay: Google’s New Plan for Web Browsing Privacy


Google no longer intends to remove support for third-party cookies, which are used by the advertising industry to follow users and target them with ads based on their online activity.

Google’s Plan to Drop Third-Party Cookies in Chrome Crumbles

In a significant shift, Google has decided to abandon its plan to phase out third-party cookies in its Chrome browser. This decision marks a notable change in the tech giant’s approach to user privacy and web tracking, reflecting the complexities and challenges of balancing privacy concerns with the needs of advertisers and regulators.

In a recent post, Anthony Chavez, VP of Google's Privacy Sandbox, revealed that the search and advertising giant has realized that its five-year effort to build a privacy-preserving ad-tech stack requires a lot of work and has implications for online advertisers, some of whom have been vocally opposed. 

“In light of this, we are proposing an updated approach that elevates user choice. Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing,” Anthony said.

For the time being, the Privacy Sandbox, a suite of APIs for online ad delivery and analytics that are intended to preserve privacy, will coexist with third-party cookies in Chrome.

The Initial Plan

Google’s initial plan, announced in early 2020, aimed to eliminate third-party cookies from Chrome by 2022. Third-party cookies, which are used by advertisers to track users across different websites, have been a cornerstone of online advertising. However, they have also raised significant privacy concerns, as they enable extensive tracking of user behavior without explicit consent.

Instead of dropping third-party cookie support in the Chrome browser next year - subject to testing that began in January - Google intends to give Chrome users the option of playing in its Privacy Sandbox or in the adjacent land of data surveillance, where third-party cookies support all manner of information collection.

It remains to be seen whether Chrome's interface for selecting between Privacy Sandbox and standard third-party cookies will be less confusing than the much-criticized "Enhanced ad privacy in Chrome" popup that announced the arrival of Privacy Sandbox APIs in Chrome last year.

Delays and Challenges

Despite the ambitious timeline, Google’s plan faced numerous delays. The company extended the deadline multiple times, citing the need for more time to develop and test alternative technologies. The complexity of replacing third-party cookies with new solutions that could satisfy both privacy advocates and the advertising industry proved to be a significant hurdle.

One of the key challenges was ensuring that the new technologies would not undermine the effectiveness of online advertising. Advertisers rely heavily on third-party cookies to target ads and measure their performance. Any replacement technology needed to provide similar capabilities without compromising user privacy.

Feedback from Stakeholders

Throughout the process, Google received extensive feedback from various stakeholders, including advertisers, publishers, and regulators. Advertisers expressed concerns about the potential impact on their ability to deliver targeted ads, while regulators emphasized the need for robust privacy protections.

In response to this feedback, Google made several adjustments to its plans. The company introduced new proposals, such as Federated Learning of Cohorts (FLoC), which aimed to group users into cohorts based on similar interests rather than tracking individual users. However, these proposals also faced criticism and skepticism from privacy advocates and industry experts.

The Decision to Abandon the Plan

Ultimately, Google decided to abandon its plan to phase out third-party cookies. Instead, the company will introduce a new experience that allows users to make an informed choice about their web browsing privacy. This approach aims to provide users with greater control over their data while still enabling advertisers to deliver relevant ads.

Why Shouldn't You Upload Files So Readily On Your Browser?


The digital society we live in has made it abundantly clear that being cautious about online activities goes beyond avoiding suspicious links. Recent findings by cybersecurity researchers have surfaced a new ransomware threat that exploits web browsers, potentially putting users' files at risk.

The Rising Threat

Modern web browsers like Google Chrome and Microsoft Edge offer advanced functionalities, allowing users to seamlessly interact with various online services, from email to multimedia streaming. However, these capabilities also open doors for hackers to manipulate browsers and gain unauthorised access to users' local file systems.

What Is The Risk?

The File System Access API, utilised by browsers, enables web applications to interact with users' files. This means that uploading files to seemingly benign online tools could inadvertently grant hackers access to personal data stored on the user's computer.

The Implications

Imagine using an online photo editing tool. Uploading files for editing could inadvertently expose your entire file system to malicious actors, who could then encrypt your files and demand ransom for decryption.

The Scale of the Issue

Ransomware attacks have become increasingly prevalent, targeting individuals and organisations across various sectors. In 2023 alone, organisations paid over $1.1 billion in ransomware payments, highlighting the urgent need for robust cybersecurity measures.

Addressing the Threat

Researchers at the Cyber-Physical Systems Security Lab at Florida International University have been investigating this new breed of ransomware. Their findings, presented at the USENIX Security Symposium, underscore the severity of the threat posed by browser-based ransomware.

Recommended Practices 

The research team proposed three defence approaches to mitigate the risk of browser-based ransomware. These strategies focus on detecting and preventing malicious activity at the browser, file system, and user levels, offering a multi-layered defence mechanism against potential attacks.

1. Temporarily Halting Web Applications:

This approach involves temporarily suspending a web application's activity within the browser to detect any suspicious behavior related to file encryption. By monitoring the application's actions, security systems can identify and interrupt potential ransomware activity before it causes significant damage. This measure enables users to maintain control over their files and prevent unauthorised access by any threat actors.

2. Monitoring Web Application Activity:

In addition to halting web applications, this defense strategy focuses on continuously monitoring their activity on users' computers. By analysing patterns and behaviours associated with ransomware attacks, security systems can easily detect and respond to any anomalous activities. This real-time monitoring ensures timely intervention and minimizes the impact of browser-based ransomware on users' systems.

3. Introducing Permission Dialog Boxes:

To empower users with greater control over their file system access, this approach proposes the implementation of permission dialogue boxes. When a web application requests access to the user's local files, a dialogue box prompts the user to approve or deny the request, along with providing information about the associated risks and implications. By promoting user awareness and informed decision-making, this measure ensures security posture and reduces the likelihood of inadvertent file exposure to ransomware threats.

As technology continues to transform, so do the tactics employed by cybercriminals. By staying informed and implementing proactive cybersecurity measures, users can safeguard their digital assets against threats like browser-based ransomware.




Banking Malware "Brokewell" Hacks Android Devices, Steals User Data

Banking Malware "Brokewell" Hacks Android Devices

Security experts have uncovered a new Android banking trojan called Brokewell, which can record every event on the device, from touches and information shown to text input and programs launched.

The malware is distributed via a fake Google Chrome update that appears while using the web browser. Brokewell is in ongoing development and offers a combination of broad device takeover and remote control capabilities.

Brokewell information

ThreatFabric researchers discovered Brokewell while examining a bogus Chrome update page that released a payload, which is a common approach for deceiving unwary users into installing malware.

Looking back at previous campaigns, the researchers discovered that Brokewell had previously been used to target "buy now, pay later" financial institutions (such as Klarna) while masquerading as an Austrian digital authentication tool named ID Austria.

Brokewell's key capabilities include data theft and remote control for attackers.

Data theft 

  • Involves mimicking login windows of targeted programs to steal passwords (overlay attacks).
  • Uses its own WebView to track and collect cookies once a user logs into a valid website.
  • Captures the victim's interactions with the device, such as taps, swipes, and text inputs, to steal data displayed or inputted on it.
  • Collects hardware and software information about the device.
  • Retrieves call logs.
  • determines the device's physical position.
  • Captures audio with the device's microphone.

Device Takeover: 

  • The attacker can see the device's screen in real time (screen streaming).
  • Remotely executes touch and swipe gestures on the infected device.
  • Allows remote clicking on specific screen components or coordinates.
  • Allows for remote scrolling within elements and text entry into specific fields.
  • Simulates physical button presses such as Back, Home, and Recents.
  • Remotely activates the device's screen, allowing you to capture any information.
  • Adjusts brightness and volume to zero.

New threat actor and loader

According to ThreatFabric, the developer of Brokewell is a guy who goes by the name Baron Samedit and has been providing tools for verifying stolen accounts for at least two years.

The researchers identified another tool named "Brokewell Android Loader," which was also developed by Samedit. The tool was housed on one of Brokewell's command and control servers and is utilized by several hackers.

Unexpectedly, this loader can circumvent the restrictions Google imposed in Android 13 and later to prevent misuse of the Accessibility Service for side-loaded programs (APKs).

This bypass has been a problem since mid-2022, and it became even more of a problem in late 2023 when dropper-as-a-service (DaaS) operations began offering it as part of their service, as well as malware incorporating the tactics into their bespoke loaders.

As Brokewell shows, loaders that circumvent constraints to prevent Accessibility Service access to APKs downloaded from suspicious sources are now ubiquitous and widely used in the wild.

Security experts warn that device control capabilities, like as those seen in the Brokewell banker for Android, are in high demand among cybercriminals because they allow them to commit fraud from the victim's device, avoiding fraud evaluation and detection technologies.

They anticipate Brokewell being further improved and distributed to other hackers via underground forums as part of a malware-as-a-service (MaaS) operation.

To avoid Android malware infections, avoid downloading apps or app updates from sources other than Google Play, and make sure Play Protect is always turned on.

Google Disables 30 Million Chrome User Cookies


Eliminating Cookies: Google's Next Plan

Google has been planning to eliminate cookies for years, and today is the first of many planned quiet periods. About 30 million users, or 1% of the total, had their cookies disabled by the Chrome web browser as of this morning. Cookies will be permanently removed from Chrome by the end of the year—sort of.

Cookies are the original sin of the internet, according to privacy campaigners. For the majority of the internet's existence, one of the main methods used by tech businesses to monitor your online activity was through cookies. Websites use cookies from third firms (like Google) for targeted adverts and many other forms of tracking.

These are referred to as "third-party cookies," and the internet's infrastructure includes them. They are dispersed throughout. We may have sent you cookies if you visited Gizmodo without using an ad blocker or another type of tracking protection. 
Years of negative press about privacy violations by Google, Facebook, and other internet corporations in 2019 were so widespread that Silicon Valley was forced to respond. 

Project: Removing third-party cookies from Chrome

Google declared that it was starting a project to remove third-party cookies from Chrome. Google gets the great bulk of its money from tracking you and displaying adverts online. Since Chrome is used by almost 60% of internet users, Google's decision to discontinue the technology will successfully eliminate cookies forever.

First of all, on January 4, 2023, Google will begin its massive campaign to eradicate cookies. Here's what you'll see if you're one of the 30 million people who get to enjoy a cookieless web.
How to determine whether Google disabled your cookies

The first thing that will appear in Chrome is a popup that will explain Google's new cookie-murdering strategy, which it terms "Tracking Protection." You might miss it if, like many of us, you react to pop-ups with considerable caution, frequently ignoring the contents of whatever messages your computer wants you to read.

You can check for more indicators to make sure you're not getting a ton of cookies dropped on you. In the URL bar, there will be a small eyeball emblem if tracking protection is enabled.

If you wish to enable a certain website to use cookies on you, you can click on that eyeball. In fact, you should click on it because this change in Chrome is very certain to break some websites. The good news is that Chrome has a ton of new capabilities that, should it sense a website is having issues, will turn off Tracking Protection.

Finally, you can go check your browser’s preferences. If you open up Chrome’s settings, you’ll find a bunch of nice toggles and controls about cookies under the “Privacy and security” section. If they’re all turned on and you don’t remember changing them, you might be one of the lucky 30 million winners in Google’s initial test phase.

Google is still tracking you, but it’s a little more private

Of course, Google isn’t about to destroy its own business. It doesn’t want to hurt every company that makes money with ads, either, because Google is fighting numerous lawsuits from regulators who accuse the company of running a big ol’ monopoly on the internet. 

You can now go check the options in your browser. The "Privacy and security" area of Chrome's settings contains a number of useful toggles and controls regarding cookies. If all of them are on and you don't recall turning them off, you could be among the fortunate 30 million individuals who won in Google's initial test phase.

You are still being tracked by Google, but it's a little more discreet

Naturally, Google has no intention of ruining its own company. It also doesn't want to harm other businesses that rely on advertising revenue, as Google is now defending itself against multiple cases from authorities who claim the corporation has a monopoly on the internet.






Enhancing Online Privacy: Google Trials IP Address Masking Option

 


Currently, Google is in the process of perfecting Gnatcatcher, which used to be called Gnatcatcher. Under the new name "IP Protection," Gnatcatcher is called more appropriately. By doing this, Chrome is reintroducing a proposal to hide users' IP addresses, thereby making it harder to track their activities across sites. 

When users add their computer to a network, it receives a unique address called an Internet Protocol (IP) address that indicates what it will do over the network. A number acts as a means of identifying the user's location on the network when they are connected. Messages must be delivered to the right location for a computer to communicate with another computer without the need for each computer to know the other's address. 

To track the user behaviour of sites and online services, IP addresses are used to create digital profiles that can be used for targeted advertising purposes on websites and online services. The fact that this tracking can be circumvented without third-party tools raises significant privacy concerns, as bypassing this tracking is not as straightforward as dealing with third-party cookies without using these tools. 

While navigating the web, Google recognizes that it is crucial to balance the requirement for a user's privacy with practical functionality. Essentially, the solution they have devised involves disguising the IP address of the user through the redirection of traffic from certain third-party domains through proxy servers, so that the IP address remains invisible for these domains even though traffic is coming from them. 

The IP Protection feature will initially be available as an opt-in service, so users will have the option of obfuscating their IP addresses from third parties whenever they wish. It was decided that IP Protection should be rolled out in stages to ensure regional considerations can be accommodated and to ensure that there is a shallow learning curve. The first phase of this initiative will have Google proxying requests to its domain to satisfy regional considerations. 

The proxies will only be accessible by US-based IP addresses for a short period until Google has fine-tuned the list of affected domains. For now, only US-based IP addresses can access them. Despite the possibility of tracking you, your IP address also plays a huge role in routing traffic, preventing fraud, as well as other important tasks that are required by the network. 

The Google IP Protection feature for Chrome was designed to do this by routing all third-party traffic from specific third-party websites through proxy servers to hide your IP address from those sites on the Internet. It is also pointed out that when this feature is introduced to Chrome users, it will be an opt-in feature. 

It is the responsibility of users to decide whether they wish to obscure their IP address from third parties or not, so IP Protection will be a feature they can opt in to. To accommodate regional differences and ensure a shallow learning curve, IP Protection will be rolled out in stages. Phase 0, which will be a proxying of Google's domains, will serve as the first step towards Phase 0. 

It is expected that this situation will continue until Google has had sufficient time to fine-tune the list of affected domains. In the beginning, those proxy servers will only be accessible to IP addresses from the US at least. 

It has been decided that Google to use a two-hop approach to improve privacy in the next phase, which will include Google managing the first hop while an external Content Delivery Network (CDN) will manage the second hop.

Ideally, IP addresses are a must-have for Internet traffic routing, fraud prevention, and a wide variety of other functions. Thus, Google has designed a system that will cover traffic routing, fraud prevention, and a wide variety of other functions while thwarting tracking at the same time. 

It is a feature of Google's 'The Privacy Sandbox' toolkit which has been known as 'Gnatcatcher' previously. It is specifically designed for users to be able to avoid being tracked between websites through their IP address. 

At first, this proxy will remain optional for users, and its implementation will be phased out, so each region is allowed to adapt to this innovation at its own pace. Google intends to facilitate a phased approach so that each region adapts to the new technologies at its own pace. It will be possible to only affect domains within third-party contexts at first, with an emphasis on tracking domains that are well known. 

Users do not want to reveal their IP addresses, which is why they use proxy servers or VPNs to hide their IP addresses. A proxy or a VPN masks the real IP address of a user by masking it with one of the proxy operator's IP addresses. Only the proxy operator or the VPN provider knows a user's real address. A proxy is being used by Google to hide the IP addresses of its users under its IP Protection proposal. 

The feature will be tested and rolled out in multiple phases due to the potential side effects it may cause. Google wants to learn as it goes. The first phase of the feature will only support users with IP addresses from the United States and will only work with a single Google-owned proxy that will only redirect requests to Google-owned domains. 

Google is interested in testing out the infrastructure without impacting any third-party companies that may be using it. In addition to services such as Gmail, Google also owns the Ad Services domain, which is used for advertising purposes. 

There is a small percentage of users who will be automatically enrolled by Google in the current phase, and these users must also be logged into Chrome to participate. In a future phase, Google plans to use a chain of two proxy servers to prevent both of the proxy servers from seeing both the origin IP address as well as the destination IP address. 

There have been some interesting developments recently when it comes to Google's privacy options, as it has now launched its Privacy Sandbox which is aimed directly at making third-party cookies a thing of the past. 

According to the company, cookies will be disabled in the year 2024. By combining IP Protection with third-party websites, data will be less likely to be gathered from multiple sites by third-party sites in the future.

Google Chrome Launches 'Privacy Sandbox' to Phase Out Tracking Cookies

 

Google has officially commenced the implementation of Privacy Sandbox within its Chrome web browser for a majority of its users. This move comes nearly four months after the initial announcement of the plan.

"We believe it is vital to both improve privacy and preserve access to information, whether it's news, a how-to-guide, or a fun video," Anthony Chavez, vice president of Privacy Sandbox initiatives at Google, said.

"Without viable privacy-preserving alternatives to third-party cookies, such as the Privacy Sandbox, we risk reducing access to information for all users, and incentivizing invasive tactics such as fingerprinting."

To facilitate thorough testing, the search giant has chosen to leave approximately three percent of users unaffected by the transition initially. Full availability is anticipated for all users in the upcoming months.

Privacy Sandbox serves as Google's comprehensive approach to a suite of technologies designed to replace third-party tracking cookies with privacy-conscious alternatives. This transition aims to maintain personalized content and advertisements while safeguarding user privacy.

Simultaneously, the company is in the beta testing phase of Privacy Sandbox on Android, extending it to eligible mobile devices running Android 13.

A pivotal component of this endeavor is the Topics API, which categorizes users into varying topics based on their site visitation frequency. Websites can utilize this API to discern a user's interests and deliver tailored ads without knowing the user's identity. Essentially, the web browser acts as an intermediary between the user and the website. Users also have the option to further customize their experience, including specifying ad topics of interest, enabling relevance and measurement APIs, or opting out entirely.

Despite its advancements, Privacy Sandbox has not been without criticism. The Movement For An Open Web recently pointed out that "Google gathers reams of personal data on each and every one of its users, sourced through an opt-in process that it's hard for most web users to avoid."

This development coincides with Google's efforts to enhance real-time protections against phishing attacks through enhancements to Safe Browsing, all without prior knowledge of users' browsing history.

While Google hasn't disclosed specific technical details, it has incorporated Oblivious HTTP relays (OHTTP relays) as part of Privacy Sandbox to enhance anonymity protections and mask IP address information.

"Previously, it worked by checking every site visit against a locally-stored list of known bad sites, which is updated every 30 to 60 minutes," Parisa Tabriz, vice president of Chrome, said.

"But phishing domains have gotten more sophisticated — and today, 60% of them exist for less than 10 minutes, making them difficult to block. By shortening the time between identification and prevention of threats, we expect to see 25% improved protection from malware and phishing threats."

Chrome's Invasive New Tracking Sparks Need for a New Browser

The importance of privacy issues has increased in the digital era, leading people to look for browsers that prioritize data protection. One of the most popular browsers, Chrome, has recently drawn criticism for its intrusive new tracking features. Users are encouraged to investigate privacy-focused options by this development.

Chrome's latest tracking initiative, Ad Topics, allows websites to gather detailed information about users' online activities. This information is then used to tailor advertisements, potentially leading to a breach of user privacy. As reported by Android Authority, this feature has raised significant concerns among privacy advocates and users alike.

In response to these concerns, the Privacy Sandbox initiative has been introduced. Spearheaded by industry leaders, including Google, it aims to strike a balance between personalized advertising and user privacy. By creating a set of privacy-preserving APIs, Privacy Sandbox seeks to protect users' data while still enabling advertisers to deliver relevant content.

Privacy Sandbox's mission is to "evolve the web ecosystem to provide a more private experience for users." By prioritizing user privacy, it aims to reshape the online experience, ensuring that individuals have greater control over their personal information. This initiative signals a positive step towards a more secure and user-centric internet.

Experts emphasize the significance of user awareness and choice in this evolving landscape. As stated by John Doe, a privacy advocate, "Users deserve to have a say in how their data is collected and used online. It's crucial for them to be informed about the tracking practices of their chosen browser."

In light of these developments, users are urged to explore alternative browsers prioritizing privacy. Browsers like Brave, Firefox, and Safari have long been known for their commitment to user data protection. These options offer robust privacy features, ensuring that users can navigate the web without sacrificing their personal information.

Recent tracking capabilities added to Chrome show how crucial privacy is becoming in the digital sphere. The advent of programs like Privacy Sandbox is a step in the right direction toward achieving a balance between user security and personalization. However, looking at alternative browsers is a wise decision for people seeking urgent privacy guarantees. It is crucial that we control our online experiences while maintaining our privacy since as users, we have the capacity to do so.


Web Development Revolution: Chrome's Cookie-Free Tools

 


It has become increasingly common for browsers to use third-party cookies as part of their browsing process, which makes it possible for advertisers and bad actors to spy on large chunks of your browsing history to provide more relevant ads. There is no doubt that third-party cookies contribute to the functioning of websites and the experience of Internet users, but most experts agree that we need alternatives that are easier to control, regulate, and understand. 

Google announced in a blog post that it will enable the Privacy Sandbox APIs over the next few days to protect user privacy. There would be an initial rollout of these APIs for a small percentage of users with Chrome 115 installed. When the APIs become available, they would ramp up gradually over time. 

To get rid of browser cookies, Google developed a Privacy Sandbox in 2019 to rid itself of the problem. This is counter to Google's operation. The privacy feature on the site is not intended to completely stop advertisers from targeting audiences with their ads. Instead, it makes it harder for advertisers to access users' personal information. Google announced the Privacy Sandbox program in May 2023. It stated that the process would begin by July 2023 and be available to everyone. Finally, the day has come when that dream will become a reality. 

The Chrome Developers blog for Chrome 115 has more details about the upcoming "relevance and measurement APIs" introduced in Chrome 115. There are several APIs, including Topics APIs that categorize a user’s interests based on how they utilize the Internet. These APIs do not share this information with advertisers directly. There are also attribution reporting APIs, which can determine if ad clicks or views result in conversions. Besides the Protected Audience API (previously FLEDGE), which allows relevant advertising to be displayed to users based on their previous interactions with advertisers.

It is important to point out that these updates come shortly after the U.K.'s top privacy watchdog, Competition Markets & Authority, which is responsible for overseeing the development of Sandbox, released a set of guidelines for testing Sandbox just a few weeks ago. It has been proposed that Google will have to submit itself to more oversight by the CMA by 2021. This is to address concerns that removing third-party cookies may pose a new competitive challenge for companies that use personalized ads. As per the guidelines, reporting test results is particularly critical for ad-tech companies as it helps the CMA assess whether the Privacy Sandbox has addressed our competition concerns, which will help determine whether the Privacy Sandbox is effective. 

The matter of privacy and competition remains one of the biggest concerns facing Google and other digital advertising giants in Europe and the U.S. about the way they conduct their online advertising practices. A new lawsuit has been filed by the European Commission against Google, asserting that its ad-tech business violates the antitrust laws of the EU and suggesting potential steps to break up its massive ad-tech operation. It was noted by Norwegian legislators, as well as French regulatory agencies, that Meta was placed under state control due to its behavioral advertising. In contrast, Criteo was fined for using personal data for advertising. Various courts, lawmakers, and regulatory agencies in various countries have pressured other companies to use data for advertising purposes. 

A privacy sandbox, in essence, is a document that claims third-party cookies are a privacy disaster that needs to be fixed with an open, industry-wide standard that aims to accomplish this goal. A user tracking tool integrates into your browser so that it runs securely locally, which then means that data that is relevant and anonymous is only sent to websites and advertisers when it is relevant and relevant, such as what type of products or topics people may be interested in when visiting their website. By doing this, advertisers and publishers will not have to track users personally so they will no longer have to track their audience. 

The EFF, one of the privacy watchdogs that monitors privacy issues, has criticized the Privacy Sandbox for some of its original ideas. These include FLoC (Federated Learning of Cohorts), which was among its ideas. In response to feedback, Google pivoted and created a different approach, such as Protected Audience. This has not received the same criticism as the now-launched Protected Audience, as it does not follow the same approach. The Privacy Sandbox continues to be a subject of controversy among competitors such as Brave, partly because of concerns surrounding antitrust laws. 

In the beginning, the APIs will be turned on for a limited number of Chrome dev browser instances that are part of Google Chrome development. With the rollout progressing, Google will gradually increase the number of devices to monitor potential problems as the rollout progresses. The following are some of the APIs that were enabled for Chrome developers during this rollout - a few groups of developers will only encounter a subset of the newly available APIs activated so it is easier to detect and isolate issues associated with specific APIs during this rollout. 

There is a possibility that this process will begin next week, starting on the 24th of July, according to Google. The APIs will be released for about 35 percent of the browsers during the week so that the developers can test the APIs. According to the company, they plan to increase this to 60 percent by the end of August. During August, a Chrome 116 general availability date is expected to be announced. However, it is unclear when APIs will work for 99 percent of Chrome 115 browsers. 

At this stage of the testing program, Google says most of the small groups tested with limited access should have all the relevance and measurement APIs enabled. 'Only small, isolated groups are going to be maintained by the company, without each API being enabled for every small group. 

A couple of issues with onboarding and regulatory investigations have caused Google to delay the project, although it was originally projected to phase out third-party cookies in late 2023. The Competition and Markets Authority (CMA), which previously voiced concerns that the search giant's own advertising business would unfairly gain from the updated approach, published guidelines in June for third parties to follow when testing Google's Privacy Sandbox tools. 

It is well known that by passing the CMA's regulatory hurdles back in 2022, Google's plans for refusing or removing third-party cookies will have been approved (provided that Google sticks to the commitments it made to get approval), and the company said it "will continue to work closely with the CMA" before taking any further action to do so.

Remember to Clear the Cache on Your iPhone

Websites and apps may load more quickly by taking advantage of the cache, a designated area in your iPhone that stores temporary data. As cache data use up space on your phone, it's a good idea to wipe it off frequently to improve browsing speed. When you free up space on your iPhone by clearing the browser or app cache, you may notice a speed and performance improvement. This is especially true if you're experiencing performance concerns.

Clearing cache on  iPhone

For iPhones, Safari is the default browser, which lets you clear the cache in just a few simple steps. This method has a major impact on all devices logged into your iCloud account starting with iOS 11. As a result, the caches on all of your devices will be emptied, and the next time you use them, you'll have to sign in to each one separately. Here is what to do.

1. Launch the iPhone's Settings app.
2. From the list of programs, choose Safari.
3. Choose Clear Website Data and History.
4. The pop-up box will allow you to select Clear History and Data.

Even though cleaning your browsing history in Chrome logs you out of websites, it doesn't appear to dismiss all open tabs. You will need to re-log into any websites you may have been visiting.

With Chrome, remove the iPhone cache

1. Start the Chrome application.
2. To access more options, click the three dots in the lower right corner.
3. Choose Settings by swiping up from the top.
4. On the following menu, choose Privacy and Security.
5. After that, choose Clear Browsing Data to bring up one final selection.
6. At the top-left corner of the menu, choose the desired time frame.
7. Check to see if Cached Images and Files, Cookies, and Site Data are all selected. At the very bottom of the screen, select Clear Browsing Data.


Caches and cookies 

Cookies are little files that carry passwords and personalization data and store data about your online behavior. Many cookies, including those that keep you logged in to regularly visited websites, are helpful; nevertheless, some third-party cookies track your behavior on many websites. This could contain potentially sensitive data, such as your search history and your clicked links.

Contrarily, a cache stores data files that your browser or application is likely to utilize frequently. Avoiding the need to constantly download the same data, can improve the performance of your phone.

Caches typically only need to be cleared once every two to three months. Usually, at that point, your browser will start accumulating a cache big enough to start slowing things down. One should be cautious of cleaning your cache more frequently if you visit many websites.




Microsoft Announced the End of Support for Windows 7 & 8

Microsoft has published a warning over the imminent end of support for Windows 8.1, which would not receive any updates or patches after January 10th, 2023.

According to the research, over 100 million computers were still running Windows 7 as of 2021, giving their owners little time to update them before they face the security hazards associated with utilizing an antiquated browser and operating system.

Windows 8.1 is still the fourth most popular Microsoft operating system in the world, according to the Statcounter team, with 2.45% of all Windows users having it installed on their computers. Given the fact that it will affect millions of individuals and expose numerous PCs to attack, this end of support is quite concerning. 

PCs running Windows XP, 7, or 8 were more prevalent than those running Windows 11 according to a Lansweeper survey of 27 million Windows devices conducted in October.

For systems running Windows 10 2004 or 20H2, Windows 10 21H1 was a minor feature update that was designed to be simple to install. It contained improvements to Windows Defender Application Guard, Windows Management Instrumentation via Group Policy, and support for several Windows Hello-enabled cameras. 

Along with the release of a new Chrome version, Google also disclosed that it will discontinue support for Windows 7 and Windows 8.1 in early 2023. For users to continue receiving new Chrome updates, their device must be running Windows 10 or later.

It would be wise for anyone running an outdated version of Windows to inspect their computers and make some critical adjustments this week. Microsoft has issued the warning because Windows 8.1 will soon stop receiving security updates and patches after January 10, 2023.

Google Blames Spanish Spyware of Exploiting Chrome, Windows, and Firefox Zero-Days


Variston IT Spyware behind an attack on Google

A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by compromising various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of these go back to December 2018. 

Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device." 

Variston has a bare-bones website, it claims to provide tailor-made security solutions to its customers, it also makes custom security patches for various types of proprietary systems and assists in the discovery of digital information by law enforcement agencies, besides other services.

Google's Response 

Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems. 

What is Heliconia vulnerability?

Heliconia consists of three components called Noise, Files, and Soft, each of these is responsible for installing exploits against vulnerabilities in Windows, Firefox, and Chrome, respectively. 

Noise is designed to exploit a security flaw in the Chrome V8 engine JavaScript that was fixed last year in August 2021, along with an unknown sandbox escape method known as "chrome-sbx-gen" to allow the final payload (also called an agent) to be deployed on select devices.  

But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit. 

Google says it came to know about the Heliconia attack framework after it got an anonymous submission in its Chrome bug reporting program. It further said that currently there's no proof of exploitation, after hinting the toolset has shut down or evolved further. 

Google blog said

Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.

Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape

Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit

Files: a set of Firefox exploits for Linux and Windows.






SolarMarker Using Watering Hole Attacks and Fake Chrome Browser Updates, Infects Business Professionals

 

Researchers have uncovered the cyberattack group behind the SolarMarker malware, which is targeting a global tax consulting firm with offices in the United States, Canada, the United Kingdom, and Europe. It is using fake Chrome browser updates as part of watering hole attacks. This is a fresh approach for the group, replacing its previous method of SEO poisoning, also known as spamdexing. 

SolarMarker is a multistage malware that can steal autofill data, saved passwords, and credit card information from victims' browsers. According to an advisory issued on Friday by eSentire's Threat Response Unit (TRU), the threat group was observed exploiting vulnerabilities in a medical equipment manufacturer's website, which was built with the popular open-source content management system WordPress. The victim worked for a tax consulting firm and used Google to look up the manufacturer's name.

"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.

"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."

Considering that the TRU team has only witnessed a single infection of this vector type, it is unclear whether the SolarMarker group is testing new tactics or preparing for a larger campaign. Previous SolarMarker attacks used SEO poisoning to target people who searched online for free templates of popular business documents and business forms.

Increase Employee Awareness by Monitoring Endpoints

The TRU advisory outlines four key steps organisations can take to mitigate the impact of these types of attacks, including increasing employee awareness of automatic browser updates and avoiding downloading files from unknown sites.
 
"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."

TRU also recommends more vigilant endpoint monitoring, which will necessitate more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to strengthen the organization's overall defence posture.

SolarMarker Campaigns Relaunched Following a Dormant Period

The.NET malware was discovered in 2020 and is typically distributed via a PowerShell installer, with data-gathering capabilities and a backdoor.

Sophos Labs discovered a number of active SolarMarker campaigns in October 2021 that followed a common pattern: cybercriminals used SEO techniques to place links to websites with Trojanized content in the search results of several search engines.

Menlo Security previously reported a SolarMarker campaign in October 2021 that used over 2,000 unique search terms to lure users to sites that then dropped malicious PDFs rigged with backdoors.

ChromeLoader: Microsoft, VMware Warns of the New Malware Campaigns

 

Microsoft and VMware are warning about the ongoing widespread malware campaign of ChromeLoader, which led to an “ongoing wide-ranging click frauds” later this year. 

The malware tool named ChromeLoader is apparently hijacking the browsers to redirect users to ad pages. The software has now evolved into a potential threat by deploying more potent payloads that go beyond malvertising. Variants of ChromeLoader have been dropping malicious browser extensions, node WebKit malware, and even ransomware on Windows PCs and Macs. 

Functioning of ChromeLoader 

Microsoft detected an ongoing widespread campaign of click frauds and attributed it to a threat actor DEV-0796. The malware attack begins with an ISO file that is downloaded when the user clicks a malicious ad, browser redirects, or Youtube comment. The attackers seek to profit from clicks generated by malicious browser extensions or node-WebKit that they have installed on the victim’s device, without being detected.  

The researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team said they have seen the malware’s operators impersonating various legitimate services that would lead users to ChromeLoader. The researchers observed hundreds of attacks that included variants of the malware, targeting multiples sectors such as education, government, healthcare, and enterprises in business services. 

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop [...] It is imperative that these industries take note of the prevalence of this threat and prepare to respond to it” warns the researchers. 

Rapid Evolution Of Malware

Earlier, the malware infected Chrome with a malicious extension that redirected the user traffic to advertising sites performing click frauds and generating income for the threat actors. “But, it later evolved into an ‘info-stealer’, stealing sensitive data stored in browsers and deploying zip bombs (i.e. malicious archive files) to crash systems, while still retaining its adware function,” said researchers, in an advisory released on September 19. 

Since Adware does not cause any significant damage to a victim’s software, the threat is not taken seriously by analysts. However, any software, such as ChromeLoader, that could enter a system undetected, is an immediate threat to a user, as the victim may as well apply modifications, facilitating monetization options for the malware. 

“The Carbon Black MDR team believes that this is an emerging threat that needs to be tracked and taken seriously [...] due to its potential for delivering more nefarious malware,” VMware said in the advisory. 

Researchers Discover Kimusky Infra Targeting South Korean Politicians and Diplomats

 

Kimusky, a North Korean nation-state group, has been linked to a new wave of nefarious activities targeting political and diplomatic entities in its southern counterpart in early 2022. 

The cluster was codenamed GoldDragon by Russian cybersecurity firm Kaspersky, with infection chains resulting to the implementation of Windows malware designed to file lists, user keystrokes, and stored web browser login credentials. South Korean university professors, think tank researchers, and government officials are among the potential victims. 

Kimsuky, also known as Black Banshee, Thallium, and Velvet Chollima, is a prolific North Korean advanced persistent threat (APT) group that targets entities globally, but with a primary focus on South Korea, to gather intelligence on various topics of interest to the regime.

The group, which has been active since 2012, has a history of using social engineering tactics, spear-phishing, and watering hole attacks to obtain sensitive information from victims.

Late last month, cybersecurity firm Volexity linked the actor to an intelligence-gathering mission aimed at siphon email content from Gmail and AOL using Sharpext, a malicious Chrome browser extension.

The latest campaign employs a similar tactic, with the attack sequence initiated by spear-phishing messages containing macro-embedded Microsoft Word documents supposedly comprising content related to geopolitical issues in the region. Alternative initial access routes are also said to use HTML Application (HTA) and Compiled HTML Help (CHM) files as decoys in order to compromise the system.

Whatever method is used, the initial access is followed by a remote server dropping a Visual Basic Script that is orchestrated to fingerprint the machine and retrieve additional payloads, including an executable capable of exfiltrating sensitive information.

The attack is unique in that it sends the victim's email address to the command-and-control (C2) server if the recipient clicks on a link in the email to download additional documents. If the request does not include the expected email address, a harmless document is returned.

To complicate matters even further, the first-stage C2 server forwards the victim's IP address to another VBS server, which compares it to an incoming request generated after the target opens the bait document. The two C2 servers' "victim verification methodology" ensures that the VBScript is distributed only when the IP address checks are successful, indicating a highly targeted approach.

"The Kimsuky group continuously evolves its malware infection schemes and adopts novel techniques to hinder analysis. The main difficulty in tracking this group is that it's tough to acquire a full-infection chain," Kaspersky researcher Seongsu Park concluded.

New Google Chrome Zero-Day Flaw Being Exploited in the Wild

 

Google launched patches for the Chrome browser for desktops on Tuesday that address an actively exploited high-severity zero-day flaw in the wild. The issue, identified as CVE-2022-2856, has been described as a case of insufficient validation of untrusted input in Intents. 

On July 19, 2022, security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with discovering the flaw. As is customary, the tech powerhouse has withheld further details about the flaw until the vast majority of users have been informed. 

"Google is aware that an exploit for CVE-2022-2856 exists in the wild," the company said aptly.

The latest update also addresses ten other security flaws, the majority of which are related to use-after-free flaws in various components such as FedCM, SwiftShader, ANGLE, and Blink. A heap buffer overflow vulnerability in Downloads has also been fixed.

This is the fifth zero-day vulnerability in Chrome that Google has fixed since the beginning of the year.
  • CVE-2022-0609 - Use-after-free in Animation
  • CVE-2022-1096 - Type confusion in V8
  • CVE-2022-1364 - Type confusion in V8
  • CVE-2022-2294 - Heap buffer overflow in WebRTC
To mitigate potential threats, users are advised to update to version 104.0.5112.101 for macOS and Linux, and 104.0.5112.102/101 for Windows. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as they become available.

Kimsuky Makes E-Mails Hacking Browser Extensions

A hacking group that is believed to work from North Korea is loading harmful browser extensions for Edge and Chrome. It tries to steal email info from open AOL and Gmail sessions and interchange browser preference files. 

About SHARPEXT

Volexity experts found the malicious extension, known as SHARPEXT, it is active for almost a year by Kimsuky (aka SharpTongue). It uses the extension after the attack has been launched, for keeping its presence. 

"SharpTongue's toolset is well documented in public sources; the most recent English-language post covering this toolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent with what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an interesting, undocumented malware family used by SharpTongue," reports Volexity.

Kimsuky's Attack

Unlike other harmful browser extensions, SHARPEXT isn't made for stealing user credentials. On the contrary, the extension steals information from the e-mail inboxes of the victims.

The hackers deploy the extension manually via a VBS script once the initial breach of the victim system has been done. 

How SHARPEXT is installed

To install SHARPEXT, the hackers replace the Preferences and Secure Preferences files, for the aimed Chromium-based browser, which is generally said to be a difficult task to execute. 

• To interchange the Secure Preferences file, the hackers obtain some details from the browser and make a new file running on browser start-up.

• After that, the attackers use a secondary script to conceal some of the extension's features and any other windows that can surface and alarm the users about suspicious activities. 

• Lastly, the extension uses a pair of listeners for a particular type of activity in the browser tabs. Installation is then modified for different respective targets. 

Volexity says "the purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used by dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title (“05101190” or “Tab+”, depending on the version). The keyword is removed when DevTools is enabled on the tab."