CYBERSECURITY NEWS V. 11.12 – Critical bug in PlayStation Now, MageCart skimmers in social media buttons


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates


Credit card stealer hides inside social media buttons

Sanguine Security analysts discovered that attackers are hiding MageCart skimmers in buttons used to post on social networks. Fake buttons look like the regular social media buttons found on countless websites and do not arouse any suspicion among visitors. The malware consists of two parts: the payload code itself and a decoder that reads and executes the payload. In new attacks, hackers use SVG files to hide malicious code. According to Sanguine Security: "The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element". This technique was discovered in September on e-commerce sites, with malicious payloads hidden inside buttons designed to post content to social networks (Google, Facebook, Twitter, Instagram, YouTube, and Pinterest). In infected stores, the decoder reads the hidden malicious code and downloads a keylogger that would capture and steal bank card information from the payment form. To date, 37 online stores have been identified as infected with malware.

PlayStation Now bug allowed malicious code execution on Windows

A critical bug has been fixed in the PlayStation Now app for Windows that could be used by malicious sites to execute arbitrary code. The issue affected PS Now version 11.0.2 and earlier on computers running Windows 7 SP1 or later. Due to vulnerable WebSocket connections, websites could send requests to the application and load malicious URLs, which would then trigger arbitrary code execution on the system. This is possible if the WebSocket server running on the target device does not perform origin header or origin request checks. To successfully exploit the bug, attackers must convince a PS Now user to open a specially crafted malicious site. For example, they can send a link in a phishing email or a Discord channel. In addition, the AGL Electron app launched by PlayStation Now allowed JavaScript loaded on web pages to spawn new processes, leading to code execution.
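The missing check described above, as an added example (not Sony's code and not from the original post): a handshake filter that refuses WebSocket upgrades whose Origin is not on an allowlist. The origin https://app.example.com, the port, the path and the function names are assumptions, and the sample requests are constructed.

```javascript
// Assumption: https://app.example.com is the only front end allowed to connect.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Parse the header block of a raw HTTP upgrade request into a map of
// lower-cased names to arrays of values (duplicates are kept, not merged).
function parseHeaders(raw) {
  const headers = new Map();
  const lines = raw.split('\r\n\r\n')[0].split('\r\n').slice(1); // drop request line
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const list = headers.get(name) || [];
    list.push(line.slice(i + 1).trim());
    headers.set(name, list);
  }
  return headers;
}

// Decide whether to complete the handshake. Returns the HTTP status to send.
function decideUpgrade(raw, allowed = ALLOWED_ORIGINS) {
  const h = parseHeaders(raw);
  const upgrade = (h.get('upgrade') || [''])[0].toLowerCase();
  if (upgrade !== 'websocket' || !h.has('sec-websocket-key')) return 400;
  const origins = h.get('origin') || [];
  // Browsers attach one Origin header to a WebSocket handshake. A missing or
  // duplicated header is rejected rather than treated as trusted.
  if (origins.length !== 1) return 403;
  // Exact match on the serialized origin: no prefix, suffix or substring tests,
  // so https://app.example.com.attacker.test does not pass.
  return allowed.has(origins[0]) ? 101 : 403;
}

// Constructed sample handshake (not captured traffic); origin may be omitted.
function handshake(origin) {
  return ['GET /socket HTTP/1.1', 'Host: localhost:8080', 'Upgrade: websocket',
    'Connection: Upgrade', 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
    'Sec-WebSocket-Version: 13', ...(origin ? [`Origin: ${origin}`] : []), '', '']
    .join('\r\n');
}

console.log(decideUpgrade(handshake('https://app.example.com')));
console.log(decideUpgrade(handshake('https://attacker.test')));
```

An Origin check stops pages in a user's browser from driving the local service; a native client can send any Origin it likes, so the check does not replace authentication.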

Many apps in Google Play Store still vulnerable to critical code execution vulnerability

About 8% of Android applications available in the Google Play Store are still affected by the CVE-2020-8913 vulnerability in the popular Android library Play Core. By exploiting the vulnerability, an attacker can inject malicious code into vulnerable applications, gaining access to the host application's resources. As a result, a hacker can gain access to sensitive data from other applications on the device. The vulnerability was discovered this year and patched by Google in Play Core 1.7.2 back in March; however, not all developers have updated the library.

Among the most popular apps running the unpatched version of the library are Microsoft Edge, Grindr, OkCupid, Cisco Teams, Yango Pro, Movit, Xrecorder.

Chrome fixed serious bugs that allowed hijacking PCs

Google has rolled out an update fixing eight vulnerabilities at once, half of which are considered highly critical. Some of them could lead to memory violations, allowing hackers to compromise computers running Chrome. Windows, macOS, and Linux versions of the browser are vulnerable.

Three dangerous use-after-free vulnerabilities (CVE-2020-16037, CVE-2020-16038, CVE-2020-16039) could trigger memory errors. Under certain conditions, these could be used to run malicious code on the host system.

Another vulnerability (CVE-2020-16040) affects Google's JavaScript and WebAssembly engine, V8: due to insufficient data validation, it makes XSS attacks possible.

Google also fixed two medium-threat bugs: CVE-2020-16041 and CVE-2020-16042. The latter affects V8; the former allows accessing objects outside the allocated memory.

Google will not release any details about any of these vulnerabilities until most users have updated their browsers.
