ZDI-22-507: Cisco Nexus Dashboard Fabric Controller Improper Privilege Management Privilege Escalation Vulnerability


This vulnerability allows local attackers to escalate privileges on affected installations of Cisco Nexus Dashboard Fabric Controller. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.


WordPress 5.9.2 Security and Maintenance Release


WordPress 5.9.2 is now available!

This security and maintenance release features 1 bug fix in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.2 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

The security team would like to thank the following people for responsibly reporting vulnerabilities, allowing them to be fixed in this release:

- Melar Dev, for finding a Prototype Pollution Vulnerability in a jQuery dependency
- Ben Bidner of the WordPress security team, for finding a Stored Cross Site Scripting Vulnerability
- Researchers from Johns Hopkins University, for finding a Prototype Pollution Vulnerability in the block editor

For more information, browse the full list of changes on Trac, or check out the version 5.9.2 HelpHub documentation page.

Thanks and props!

The 5.9.2 release was led by Jb Audras, with the help of Jorge Costa on package updates, Sergey Biryukov on mission control, and David Baumwald on backport commits.

In addition to the release squad members and security researchers mentioned above, thank you to everyone who helped make WordPress 5.9.2 happen:

Alan Jacob Mathew, Alex Concha, André, Anton Vlasenko, David Baumwald, ehtis, Jb Audras, Jorge Costa, Peter Wilson, Sergey Biryukov, Tonya Mork, and ironprogrammer.

Props @davidbaumwald and @sergeybiryukov for peer review.


SEC plans four-day cybersecurity breach notification requirement


The US Securities and Exchange Commission today proposed legal changes that would require publicly traded companies to disclose material cybersecurity incidents within four days of such a breach.

The SEC also wants to require “periodic disclosures” of the impact of ongoing cybersecurity threats in regularly scheduled quarterly 10-Q and annual 10-K reports filed by publicly traded firms, further increasing the mandate for transparency on cybersecurity issues. The more immediate reports disclosing security incidents would be filed in 8-K forms, used for unscheduled disclosures.

The idea is to protect investors by improving their ability to inform themselves about the risks involved in investing in a given company, according to the SEC. Given the severity of the threat posed by bad cybersecurity actors, a breach could have a huge impact on a company’s stock value and line of business, the commission said in a statement.



Alleged REvil ransomware hacker extradited and arraigned in Texas


A man accused of being connected to the Russia-linked REvil ransomware group responsible for cyberattacks on organizations including US-based software company Kaseya, has been extradited from Poland and arraigned in a Dallas court.

In November last year, the US Department of Justice charged the man, 22-year-old Yaroslav Vasinskyi, of being behind the July 2021 ransomware attack against Kaseya. Vasinskyi, a Ukrainian national, was taken into custody in Poland and transported to Dallas, where he arrived on March 3.



Come Join the Scam Party


Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi 

McAfee has recently observed several malicious Chrome Extensions which, once installed, will redirect users to phishing sites, insert Affiliate IDs and modify legitimate websites to exfiltrate personally identifiable information (PII) data. According to the Google Chrome Extension Store, the combined install base is 80,000.

One extension, ‘Netflix Party’, mimics the original Netflix Party extension, which allows groups of people to watch Netflix shows at the same time. However, this version monitors all the websites you visit and performs several malicious activities.  

The malicious actor behind the extensions has created several Twitter accounts and fake review websites to deceive users into trusting and installing the extensions. 

The victim will be tricked into installing the extension and their data will be stolen when browsing a gift card site.  

The details of each step are as follows: 

1. The perpetrator creates malicious extensions and adds them to the Chrome Extension Store. They create fake websites to review the extensions and fake Twitter accounts to publicize them.
2. A victim may perform a web or Twitter search for Netflix Party, read the review and click on a link that will lead them to the Google Chrome Store.
3. They click to install the Extension and accept the permissions.
4. The victim will either perform a web search or directly navigate to the gift card website. The Extension will identify the website and redirect them to the phishing page.
5. The victim will enter their gift card information on the phishing page.
6. The gift card information is posted to the server to which the malicious actor has access. They can now use or sell the stolen data and the victim will lose their funds.

Technical Analysis 

This section contains the technical analysis of the malicious Chrome extension “bncibciebfeopcomdaknelhcohiidaoe”.

Manifest.json 

The manifest.json file contains the permissions of the extension. Two entries are of particular concern: the ‘unsafe-eval’ directive in the ‘content_security_policy’, which lets the extension execute code it has fetched as a string, and the content script (content.js) being allowed to run on any website the user visits.
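As an added example (not McAfee's code and not the extension's own manifest), the following static audit flags the two manifest properties just described, plus the permission combination the rest of the analysis relies on; both sample manifests are constructed for illustration.

```javascript
// Added example: static audit of a Chrome extension manifest for the
// properties called out in the analysis: 'unsafe-eval' in the CSP, a
// content script matching every site, and broad host permissions.

const BROAD_MATCHES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Returns the CSP string(s) regardless of manifest version: MV2 uses a
// plain string, MV3 uses an object keyed by context (extension_pages, sandbox).
function cspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return [csp];
  if (csp && typeof csp === "object") return Object.values(csp).filter(v => typeof v === "string");
  return [];
}

// Audit the manifest and return a list of findings (empty array = nothing flagged).
function auditManifest(manifest) {
  const findings = [];
  for (const csp of cspStrings(manifest)) {
    if (/'unsafe-eval'/.test(csp)) {
      findings.push("csp_unsafe_eval: eval()/new Function allowed, fetched code can run from storage");
    }
  }
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter(m => BROAD_MATCHES.has(m));
    if (broad.length) {
      findings.push(`content_script_all_sites: ${(cs.js || []).join(",")} runs on ${broad.join(",")}`);
    }
  }
  const perms = new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
  for (const p of perms) {
    if (BROAD_MATCHES.has(p)) findings.push(`host_permission_all_sites: ${p}`);
  }
  if (perms.has("storage") && perms.has("tabs")) {
    findings.push("storage_and_tabs: can persist fetched code and open/close tabs unnoticed");
  }
  return findings;
}

// Constructed manifest modelled on the properties described in the post (not the real one).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Watch Party (constructed sample)",
  version: "1.0",
  permissions: ["storage", "tabs", "<all_urls>"],
  background: { scripts: ["background.js"] },
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'"
};

// Constructed benign manifest for comparison: no eval, content script scoped to one origin.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Scoped helper (constructed sample)",
  version: "1.0",
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://www.netflix.com/*"], js: ["content.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" }
};

console.log(auditManifest(SAMPLE_MANIFEST)); // four findings
console.log(auditManifest(BENIGN_MANIFEST)); // []
```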

Background.js 

When the extension is installed, the background.js script will be loaded. This file uses a simple obfuscation technique of putting all the code on one line which makes it difficult to read. This is easily cleaned up by using a code beautifier and the image below shows the obfuscated script on the first line and the cleaned-up code below the red arrow.  

This script accesses https://accessdashboard[.]live to download a script and store it as the variable ‘code’ in Chrome's local storage. This stored variable is then referenced in the content.js script, which is executed on every visited website.

Content.js 

After beautification, we see the code will read the malicious script from the ‘code’ variable which was previously stored. 

‘Code’  

The malicious code has three main functions: redirecting to phishing pages, modifying cookies to add Affiliate IDs, and modifying website code to add chat windows.

Redirection for Phishing 

Redirection for phishing works by checking whether the URL being accessed matches an entry in a list and, if it does, redirecting to a malicious IP address that hosts the phishing site.

URLs monitored are: 

https[:]//www.target.com/guest/gift-card-balance 
https[:]//www.macys.com/account/giftcardbalance 
https[:]//www.nike.com/orders/gift-card-lookup 
https[:]//www.nordstrom.com/nordstrom-gift-cards 
https[:]//www.sephora.com/beauty/giftcards 
https[:]//www.sephoragiftcardbalance.com 
https[:]//balance.amexgiftcard.com 
https[:]//prepaidbalance.americanexpress.com/GPTHBIWeb/validateIPAction.do?clientkey=retail%20sales%20channel 
https[:]//amexprepaidcard.com 
[:]//secure4.store.apple.com/shop/giftcard/balance 

Upon navigating to one of the above sites, the user will be redirected to 164[.]90[.]144[.]88. An observant user would notice that the URL would have changed to an IP address, but some users may not. 
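The redirect chain just described leaves a recognisable trace in proxy or browser history logs: a gift-card balance page followed, from the same client within a few seconds, by a request to a bare IP address. As an added example (not McAfee's code), the detection below runs over constructed log lines in an assumed "epoch client url" format; the monitored paths are the ones listed above.

```javascript
// Added example: detect "gift-card page -> IP-literal host" navigation
// chains in constructed proxy log lines. Log format is an assumption.

// Monitored host+path prefixes from the post (scheme and brackets removed).
const GIFT_CARD_PAGES = [
  "www.target.com/guest/gift-card-balance",
  "www.macys.com/account/giftcardbalance",
  "www.nike.com/orders/gift-card-lookup",
  "www.nordstrom.com/nordstrom-gift-cards",
  "www.sephora.com/beauty/giftcards",
  "www.sephoragiftcardbalance.com",
  "balance.amexgiftcard.com",
  "prepaidbalance.americanexpress.com/GPTHBIWeb/validateIPAction.do",
  "amexprepaidcard.com",
  "secure4.store.apple.com/shop/giftcard/balance",
];

const IPV4_HOST = /^(\d{1,3}\.){3}\d{1,3}$/;

// Parse one "epoch client url" line (constructed format).
function parseLine(line) {
  const [ts, client, url] = line.trim().split(/\s+/);
  const u = new URL(url);
  return { ts: Number(ts), client, host: u.hostname, path: u.pathname, url };
}

function isGiftCardPage(rec) {
  const hostPath = rec.host + rec.path;
  return GIFT_CARD_PAGES.some(p => hostPath.startsWith(p));
}

// Returns one alert per gift-card visit that is followed, from the same
// client within windowSec seconds, by a request whose host is an IPv4 literal.
function detectRedirects(lines, windowSec = 5) {
  const recs = lines.map(parseLine).sort((a, b) => a.ts - b.ts);
  const lastGiftCard = new Map(); // client -> most recent gift-card record
  const alerts = [];
  for (const r of recs) {
    if (isGiftCardPage(r)) { lastGiftCard.set(r.client, r); continue; }
    const prev = lastGiftCard.get(r.client);
    if (prev && IPV4_HOST.test(r.host) && r.ts - prev.ts <= windowSec) {
      alerts.push({ client: r.client, from: prev.url, to: r.url, delta: r.ts - prev.ts });
      lastGiftCard.delete(r.client); // one alert per chain
    }
  }
  return alerts;
}

// Constructed sample log; the IP is the redirect target named in the post.
const SAMPLE_LOG = [
  "1646900000 10.0.0.5 https://www.target.com/guest/gift-card-balance",
  "1646900001 10.0.0.5 http://164.90.144.88/index.html",
  "1646900002 10.0.0.7 https://www.nike.com/orders/gift-card-lookup",
  "1646900003 10.0.0.7 https://www.nike.com/static/app.js",
  "1646900010 10.0.0.9 http://192.168.1.20/status",
  "1646900020 10.0.0.5 https://secure4.store.apple.com/shop/giftcard/balance",
  "1646900040 10.0.0.5 http://164.90.144.88/index.html",
];

console.log(detectRedirects(SAMPLE_LOG)); // one alert: the 10.0.0.5 target.com chain
```

The second Apple visit from 10.0.0.5 is 20 seconds before its IP request and so falls outside the default window; widening the window to 30 seconds reports it too.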

The image below shows the Apple Phishing site and the various phishing kits being hosted on this server. 

The phishing sites share similar code. If a user enters their gift card information, the data will be posted to 52.8.106.52. A network capture of the POST request is shown below:

Modifying of cookies to add AffiliateIDs 

The second malicious function contains AIPStore, a dictionary mapping a list of retail URLs to their respective monetizing sites, which provide affiliate IDs. This function works by loading new tabs, which results in cookies being set on the visited sites. The flow below describes how the extension works.

1. A user navigates to a retail website.
2. If the retail website is contained in the AIPStore keymap, the extension will load a new tab with a link to a monetizing site, which sets the cookie with the affiliate ID. The new tab is then closed, and the cookie will persist.
3. The user will be unaware that a cookie has been set and will continue to browse the website.
4. Upon purchasing any goods, the Affiliate ID will be recognized by the site vendor and commission will be sent to the Affiliate ID owner, which is the malicious actor.

The left image below shows the original site with no affiliate cookie, the one on the right highlights the cookie that has been added by the extension. 

Chat Windows 

The final function checks a list of URLs being accessed and if they match, a JS script will be injected into the HTML code which will result in a chat window being displayed. The image below shows the injected script and the chat window. 

The chat window may be used by the malicious actor to request PII data, credit card, and product key information. 

Conclusion 

This threat is a good example of the lengths malicious actors will go to trick users into installing malware such as creating Twitter accounts and fake review websites.  

McAfee advises its customers to be cautious when installing Chrome Extensions and pay attention to the permissions that they are requesting.  

The permissions will be shown by Chrome before the installation of the Extension. Customers should take extra steps to verify the authenticity of an extension if it is requesting permissions that enable it to run on every website you visit, such as the one detailed in this blog.

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.  

The malicious code within the extension is detected as Phish-Extension. Please perform a ‘Full’ scan via the product.

Type | Value | Product | Detected
URL – Phishing Sites | 164.90.141.88/* | McAfee WebAdvisor | Blocked
Chrome Extension | netflix-party – bncibciebfeopcomdaknelhcohiidaoe | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | teleparty – flddpiffdlibegmclipfcnmaibecaobi | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | hbo-max-watch-party – dkdjiiihnadmgmmfobidmmegidmmjobi | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | prime-watch-party – hhllgokdpekfchhhiknedpppjhgicfgg | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | private-watch-party – maolinhbkonpckjldhnocgilkabpfodc | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | hotstar-ad-blocker – hacogolfhplehfdeknkjnlblnghglfbp | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | hbo-ad-blocker – cbchmocclikhalhkckeiofpboloaakim | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | blocksite – pfhjfcifolioiddfgicgkapbkfndaodc | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | hbo-enhanced – pkdpclgpnnfhpapcnffgjbplfbmoejbj | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | hulu-watch-party – hkanhigmilpgifamljmnfppnllckkpda | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | disney-plus-watch-party – flapondhpgmggemifmemcmicjodpmkjb | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | spotify-ad-blocker – jgofflaejgklikbnoefbfmhfohlnockd | Total Protection and LiveSafe | Phish-Extension
Chrome Extension | ott-party – lldibibpehfomjljogedjhaldedlmfck | Total Protection and LiveSafe | Phish-Extension


The post Come Join the Scam Party appeared first on McAfee Blog.



USN-5321-1: Firefox vulnerabilities


Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, spoof the browser UI, bypass security restrictions, obtain sensitive information, or execute arbitrary code. (CVE-2022-0843, CVE-2022-26381, CVE-2022-26382, CVE-2022-26383, CVE-2022-26384, CVE-2022-26385)

A TOCTOU bug was discovered when verifying addon signatures during install. A local attacker could potentially exploit this to trick a user into installing an addon with an invalid signature. (CVE-2022-26387)
