11 August 2020

CYBERSECURITY NEWS V. 11.08 – why don’t you download some malicious Chrome extensions?

The hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates, with comments from our experts.

News for discussion

Malicious Chrome extensions

More than 80 million users have downloaded 295 Chrome extensions, including fake ad blockers, weather widgets, and screen capture utilities. The extensions downloaded malicious code from the fly-analytics.com domain and then proceeded to insert ads into Google and Bing search results. Even after Chrome removes malicious extensions from the store, users have to manually remove them from their browsers.

hexway commentary:

There are three things you can watch forever: fire burning, a bughunter begging for $50 for a Double-Blind Self XSS, and a user installing a malicious browser extension.

Are browser extensions practical? Of course. Are they safe? Of course not. Let's be honest: the average user of internet browsers cannot manage extensions safely. But we wouldn't consider ourselves experts if we didn't have some advice for you:

1. Do not install browser extensions if manifest.json and background scripts mean nothing to you.

2. You can tell the difference between facebook.com and faceboook.com? Good job! Help your family and friends install a couple of well-known extensions (ad blockers, translators, etc.; choose whichever apply).

3. If you are responsible for IT security in your company, restrict the use of browser extensions (and may the force be with you).
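For readers who do want to know what manifest.json and background scripts say about an extension, here is an added example (not hexway's code) that audits a parsed manifest for the traits seen in this campaign: background code, access to all sites, content scripts on search pages, and a CSP that permits remotely loaded script. The finding codes and both sample manifests are constructed for illustration.

```python
import json

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site
SEARCH = ("google.", "bing.com")  # search engines named in the news item

def audit_manifest(manifest):
    """Return sorted finding codes for one parsed manifest.json (MV2 or MV3)."""
    findings = set()
    # Background code runs outside any tab, independent of the page being viewed.
    bg = manifest.get("background", {})
    if any(key in bg for key in ("scripts", "page", "service_worker")):
        findings.add("background-code")
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
    if any(p in BROAD for p in perms):
        findings.add("all-sites-access")
    # Content scripts matching search pages can rewrite the results shown.
    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            if match in BROAD or any(s in match for s in SEARCH):
                findings.add("runs-on-search-pages")
    # A script-src with a remote origin or 'unsafe-eval' lets the extension
    # run code that was not in the package the store reviewed.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = ";".join(str(v) for v in csp.values())
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens[:1] == ["script-src"] and any(
            t == "'unsafe-eval'" or t.startswith("https://") for t in tokens[1:]
        ):
            findings.add("remote-or-eval-script")
    return sorted(findings)

# Constructed sample manifests (not taken from any real extension).
SUSPICIOUS = json.loads("""{
  "name": "Sample Ad Blocker", "manifest_version": 2, "version": "1.0",
  "background": {"scripts": ["bg.js"], "persistent": true},
  "permissions": ["storage", "<all_urls>"],
  "content_scripts": [{"matches": ["*://*.google.com/search*"], "js": ["c.js"]}],
  "content_security_policy": "script-src 'self' https://cdn.example.invalid; object-src 'self'"
}""")
MINIMAL = json.loads("""{
  "name": "Sample Translator", "manifest_version": 2, "version": "1.0",
  "permissions": ["activeTab"], "browser_action": {"default_popup": "popup.html"}
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS, MINIMAL):
        print(m["name"], audit_manifest(m))
```

Treat the findings as prompts for review rather than verdicts: legitimate ad blockers also request access to all sites and run background code.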

News FYI

Twitter fixed flaw giving access to direct messages

Twitter has fixed a vulnerability that affects its Android app and allows an attacker to gain access to personal data, including direct messages. The flaw is related to an Android OS security issue (CVE-2018-9492) and affects OS versions 8 and 9. According to Twitter, the vulnerability has not been exploited. The company claims that 96% of users have already updated the app and urges the remaining 4% to do so as soon as possible.

Meetup fixed two high severity vulnerabilities

Meetup has patched an XSS and a CSRF vulnerability that, when combined, could allow an attacker to hijack a group and redirect all Meetup financial transactions to the attacker's PayPal account. The two privacy-compromising API flaws can be exploited by submitting a request with malicious JavaScript to the Meetup API. Attackers could create a worm that compromises the whole website, letting them take control of groups and divert funds.

Maze steals data again

LG and Xerox fell victim to the Maze ransomware at the end of June. In early August, over 50 GB of data related to the source code of LG product firmware and 28 GB of confidential data regarding Xerox employees, along with other data, appeared on the "portal of leaks". In August, it was also revealed that the ransomware had stolen 10 TB of data from Canon. Canon is currently investigating the situation.

New victim of WastedLocker

GPS navigation equipment and smartwatch manufacturer Garmin has been hit by a WastedLocker attack. The major hack occurred at the end of July and disabled all company systems, which resulted in production being suspended. Customers could not access connected services, including Garmin Connect, flyGarmin, Strava, and inReach solutions. Garmin was forced to pay a ransom of $10 million to gain access to its systems and resume services.

WastedLocker has no known encryption weaknesses. It abuses Windows memory management to avoid detection by security software. Although the virus appeared only in May 2020, ransoms already amount to millions of dollars. In June 2020 alone, at least 31 American organizations and companies were affected by WastedLocker attacks.
