Search This Blog

Showing posts with label Safari. Show all posts

With Safari Zero-Day Attacks, Russian SVR Hackers Targeted LinkedIn Users

 

Google security experts revealed details on four zero-day vulnerabilities that were undisclosed until they were exploited in the wild earlier this year. After discovering exploits leveraging zero-day vulnerabilities in Google Chrome, Internet Explorer, and WebKit, the engine used by Apple's Safari web browser, Google Threat Analysis Group (TAG), and Google Project Zero researchers discovered the four security issues. 

CVE-2021-21166 and CVE-2021-30551 in Chrome, CVE-2021-33742 in Internet Explorer, and CVE-2021-1879 in WebKit were the four zero-day exploits found by Google researchers earlier this year while being abused in the wild. "We tie three to a commercial surveillance vendor arming govt backed attackers and one to likely Russian APT," Google Threat Analysis Group's Director Shane Huntley said. "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020," Google researchers added. "While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend." 

Despite the fact that the zero-day flaws for Chrome and Internet Explorer were developed and sold by the same vendor to customers all over the world looking to improve their surveillance capabilities, they were not employed in any high-profile operations. The CVE-2021-1879 WebKit/Safari bug, according to Google, was used "to target government officials from Western European countries by sending them malicious links," via LinkedIn Messaging. 

The attackers were part of a likely Russian government-backed actor employing this zero-day to target iOS devices running older versions of iOS (12.4 through 13.7), according to Google experts. While Google did not link the exploit to a specific threat group, Microsoft claims it is Nobelium, the state-sponsored hacking group responsible for the SolarWinds supply-chain attack that resulted in the compromise of numerous US federal agencies last year. 

Volexity, a cybersecurity firm, also attributed the attacks to SVR operators based on strategies used in earlier attacks dating back to 2018. In April, the US government charged the Russian Foreign Intelligence Service (aka SVR) for conducting "a broad-scale cyber-espionage campaign" through its hacking group known as APT29, The Dukes, or Cozy Bear. The attacks were designed to "collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook, and Yahoo and send them via WebSocket to an attacker-controlled IP," according to Google.

Mobile Versions of Several Browsers Found Vulnerable to Address Bar Spoofing Flaws

 

Several mobile browsers including Firefox, Chrome, and Safari were found vulnerable to an ‘address bar spoofing’ flaw which when exploited could allow a threat actor to disguise a URL and make his phishing page appear like a legitimate website, according to a report published by cybersecurity company Rapid7 which reportedly worked in collaboration with Rafay Baloch - an independent security researcher who disclosed ten new URL spoofing vulnerabilities in seven browsers. 
 
The browsers were informed about the issues in August as the vulnerabilities surfaced earlier this year; some of the vendors took preventive measures - patching the issues beforehand while others left their browsers vulnerable to the threat. 
 
Notably, the Firefox browser for Android has already been fixed by Mozilla, and for those who haven’t updated it yet make sure you do it now. While Google’s Chrome Browser on both Android and iOS is still vulnerable to the threat and is unlikely to be patched until September. Other affected browsers include Opera Touch, UC Browser, Yandex Browser, RITS Browser, and Bolt Browser. 

In order to execute an address bar spoofing attack, the attacker alters the URL which is displayed onto the address bar of the compromised web browser which is configured to trick victims into believing that the website they are browsing is monitored by an authenticated source. However, in reality, the website would be controlled by the attackers carrying out the spoofing attack. The attacker can trick his victims into providing their login details or other personal information by making them think as they are connected to a website like Paypal.com. 
 
“Exploitation all comes down to, "Javascript shenanigans." By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website”, the report explained. 
 
“With ever-growing sophistication of spear-phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear-phishing attacks and hence prove to be very lethal,” Baloch further told.

HACKED- Windows 10, macOS, Adobe, VMware, Apple and Oracle at The Pwn2Own 2020!


Pwn2Own is a well-known computer hacking contest which is held once every year at the CanSecWest security conference. In this contest, the contestants are tested on how well they could exploit commonly used software and mobile devices with formerly unheard of vulnerabilities.

An issue as grave as the Coronavirus pandemic has clearly not affected the spirits of the Pwn2Own 2020 hacking competition which got done with its first two days.

On Day 1, security researchers and participants bagged a handsome amount of over $180,000 for exploiting the Windows 10, Ubuntu Desktop and macOS, mention sources.

Reportedly, a “team from the Georgia Tech Systems Software and Security Lab succeeded in exploiting a kernel privilege escalation to execute code on macOS” by way of Safari. The attack mechanism that ended up winning for the team $70,000 was comprised of 6 vulnerabilities.

Per the event page (thezdi.com), Georgia Tech employed a “6 bug chain to pop calc and escalate to root”.

The team that has won several preceding editions of the hacking contest, Team Fluoroacetate, won themselves a victorious $40,000 after they employed a “local privilege escalation exploit” meant for the Windows 10.

Reports mention that one of the two members of the aforementioned team also won himself a smashing amount of $40,000 for yet another privilege escalation exploit pursuing Windows 10.

As per sources, the RedRocket CTF team got themselves a win, owing to it to one of their members, Mafred Paul, who bagged an attractive amount of $30,000 for a local privilege escalation exploit focused on Ubuntu Desktop. The hack was about the manipulation of the ‘Input validation bug’.

On Day 2, The Fluoroacetate successfully targeted the Adobe Reader with a local privilege escalation by employing a pair of UAFs, mentioned sources and grabbed an amount of $50,000.

Per reports, the Synacktiv team targeted the VMware Workstation but unfortunately to no avail in the given duration of time. There also were special demonstrations of the Zero Day Initiative against the Oracle VirtualBox.

This was the very first time the organizers allowed “conditional remote participation” in the Pwn2Own hacking contest, understandably because of the increased concerns of people about traveling due to the Coronavirus outbreak.



Users can now Use 2 Step Verification on their Chrome and Safari Browser


Google has launched a new feature for ensuring users' security. You will now be able to enroll for 2 Factor Authentication Keys from Web browsers. Google is allowing you to enroll security keys on Android and macOS devices by making it easier to register for keys. "Two-factor authentication, also called multiple-factor or multiple-step verification, is an authentication mechanism to double-check that your identity is legitimate."


When you sign in into your account it asks for a username and password, this is the first verification process. Two-factor authentication adds another security layer after this to confirm your identity. It (2FA) could be a pin, a password, a one time password, a physical device, or biometric. It should be something only you have to know. Two-factor authentication is very important as a password isn't as protective as we believe. Cyber attackers can test billions of password combinations in a second.

Two-factor authentication or two-step verification adds another layer of protection besides a password, and it is hard for cybercriminals to get this second factor and reduces their chance to succeed. Now Google is offering these 2FA authentication keys, and you can register for these on macOS devices using Safari (v. 13.0.4 and up), and Android devices running Android 7.0 “N” and up, using the Google Chrome web browser (version 70 and up). Users can register these independently or with those who have signed up for the Advanced Protection Program. It's available for all users given you're using the mentioned version of the software.

What is Security Keys? 

Security Keys are the most secure form of two-factor authentication (2FA) or two-step verification to protect against various threats like hacking and phishing. Users are provided with physical keys that they can insert into the USB port of their device, when required the user will touch the key. On Android devices, the user will have to tap the key on their NFC ( Near Field Communication) enabled device. Android users can also opt for USB and Bluetooth keys. Apple mobile users will be provided Bluetooth-enabled security keys.