Firefox Flips Out DOH

Mozilla has announced that its Firefox browser is enabling DoH (DNS over HTTPS) by default for all users in the U.S., a major step in the push to encrypt all Internet traffic and to shrink the room for on-path snooping and tampering. However, while Mozilla is pushing the feature as “one of the many privacy protections you can expect to see from us in 2020,” it could be gearing up for a lengthy legislative battle.

Firefox DOH’ed

On a technical level, DNS over HTTPS (DoH) encrypts the lookup your browser performs before it can even reach the website you want: the query to the Domain Name System. “DNS is a database that links a human-friendly name, such as http://www.mozilla.org, to a computer-friendly series of numbers, called an IP address (e.g. 192.0.2.1),” Mozilla explains. “By performing a ‘lookup’ in this database, your web browser is able to find websites on your behalf.”

Classic DNS sends these split-second requests in cleartext, usually over UDP port 53, so anyone on the network path (a coffee-shop Wi-Fi operator, your ISP, or an attacker who can sniff or spoof traffic) can see which hostnames your IP address asks about and build a profile of you and the sites you visit. The resolver itself can also log that data for advertising or marketing purposes, often without your knowledge.

Encrypted from browser to resolver

By turning on DoH by default, Firefox assures users that it only uses resolvers that meet its Trusted Recursive Resolver policy (Cloudflare and NextDNS at the outset), which are “committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties.” So if you use Firefox in the U.S., your DNS queries bypass your ISP’s resolver and travel over an encrypted HTTPS connection to Cloudflare or NextDNS instead. Be clear about what this does and does not cover: only the name lookup moves. The connection to the website itself still passes through your ISP, which still sees the destination IP address and, for TLS connections, the server name in the ClientHello (SNI) unless encrypted SNI/ECH is also in use. It is not a VPN, and the chosen resolver now sees every name you look up, which is why Mozilla’s resolver policy matters as much as the encryption.
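To make concrete what changes when the browser switches from classic DNS to DoH, here is an added example (not Mozilla’s code and not from the original article) that builds the DNS message in RFC 1035 wire format and wraps it the two ways RFC 8484 allows: a GET with the message base64url-encoded in the dns= parameter, or a POST with the raw message as an application/dns-message body. The bytes on the wire are the same either way; the only difference from classic DNS is that they travel inside TLS to the resolver. DOH_URL is Cloudflare’s public resolver endpoint; the response decoded at the end is constructed locally, so nothing here touches the network unless you call resolve_live().

```python
"""Added example, not Mozilla's or the article's code: build and decode the
DNS messages that DoH carries, offline. The DNS wire format is RFC 1035; the
HTTPS framing (GET with base64url in the dns= parameter, or POST with the
application/dns-message body) is RFC 8484. DOH_URL is Cloudflare's public
resolver endpoint; the response bytes are constructed here, not fetched."""
import base64
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"
TYPE_A, CLASS_IN = 1, 1


def build_query(name, qtype=TYPE_A, txid=0):
    """RFC 1035 query with one question. RFC 8484 recommends ID 0 so the same
    question always yields the same bytes (and the same cacheable GET URL)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(query):
    """GET form: base64url without '=' padding in the dns query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return DOH_URL + "?dns=" + b64


def doh_post_request(query):
    """POST form: the raw message is the body, tagged with the DoH media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return urllib.request.Request(DOH_URL, data=query, headers=headers, method="POST")


def build_response(query, addrs, ttl=300):
    """Constructed reply, shaped like what the resolver returns in the HTTP
    body: same ID and question, QR/RD/RA flags, one A record per address."""
    txid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)  # 0xC00C = pointer to the question name
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addrs
    )
    return header + query[12:] + answers


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section, raising on an error RCODE."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve_live(name):
    """Network call: send the POST form to DOH_URL and decode the answer."""
    with urllib.request.urlopen(doh_post_request(build_query(name)), timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    q = build_query("www.mozilla.org")
    print("classic DNS puts these bytes on the wire in cleartext:", q.hex())
    print("DoH sends the same bytes inside TLS:", doh_get_url(q))
    print("decoded constructed answer:", parse_a_records(build_response(q, ["192.0.2.1"])))
```

Run it as a script and it prints the cleartext bytes an ISP resolver (or anyone on the path) would see under classic DNS next to the DoH URL that carries the identical message; the GET URL for www.example.com matches the worked example in RFC 8484 section 4.1.1. The ID-zero convention and the unpadded base64url are what make DoH GET responses cacheable by ordinary HTTP caches.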

Chrome zero-day patched

Chrome has been patched again, this time for three vulnerabilities including one zero-day that Google said was already being exploited in the wild. The fixes shipped in Chrome version 80.0.3987.122 for Windows, Mac and Linux; Chrome OS, iOS and Android did not receive this update at the same time.

Zero day patched

The zero-day is tracked as CVE-2020-6418 and is described only as a “type confusion in V8.”

V8 is the component of Chrome that executes JavaScript (and WebAssembly), including the just-in-time compiler that turns frequently run script into native machine code.

A type confusion is a class of bug in which code accesses an object on the assumption that it has one type, and therefore one memory layout, when it actually has another: for example, an object allocated as a small number is handled by code that expects an array, so its fields get read as a length and as elements that were never there. In a JIT such as V8’s, the tag check that would catch this can be wrongly optimized away when the compiler assumes an object’s type cannot change at a point where, in fact, it can.

Reading and writing fields through the wrong layout corrupts memory rather than just program logic: the attacker gets out-of-bounds reads and writes on the heap, which in a browser are the usual starting point for leaking addresses and then running arbitrary code inside the renderer process (typically chained with a separate sandbox escape to reach the rest of the system).
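The mechanism is easier to see on a toy heap than in V8 itself. The following is an added model, not V8 or Chromium code: objects live in a flat byte array, each starts with a type tag (V8’s equivalent is the object’s Map), and an accessor that skips the tag check turns a number into a fake array whose “length” is the number’s value. The object contents, offsets and “secret” words are all constructed for the example.

```python
"""Added example, not V8 or Chromium code: a toy model of a type-confusion bug
on a flat byte-array heap. Objects start with a type tag (V8 calls the
equivalent a Map) and are stored as little-endian 32-bit words:
    NUMBER: [tag=1][value]                       8 bytes
    ARRAY : [tag=2][length][e0]..[e(len-1)]      8 + 4*length bytes
Everything below (object contents, offsets, the 'secret' values) is constructed."""
import struct

TAG_NUMBER, TAG_ARRAY = 1, 2


class ToyHeap:
    def __init__(self, size=64):
        self.mem = bytearray(size)
        self.top = 0            # bump allocator: objects are adjacent, like a heap page

    def rd(self, off):
        return struct.unpack_from("<I", self.mem, off)[0]

    def wr(self, off, value):
        struct.pack_into("<I", self.mem, off, value)

    def alloc_number(self, value):
        off = self.top
        self.wr(off, TAG_NUMBER)
        self.wr(off + 4, value)
        self.top += 8
        return off

    def alloc_array(self, elems):
        off = self.top
        self.wr(off, TAG_ARRAY)
        self.wr(off + 4, len(elems))
        for i, e in enumerate(elems):
            self.wr(off + 8 + 4 * i, e)
        self.top += 8 + 4 * len(elems)
        return off

    # Vulnerable accessors: they trust that obj is an ARRAY and never look at
    # the tag, which is what JIT-compiled code does once the compiler has
    # (wrongly) concluded the type can no longer change.
    def array_get_unchecked(self, obj, idx):
        length = self.rd(obj + 4)          # for a NUMBER this is its value
        if idx >= length:
            raise IndexError(idx)
        return self.rd(obj + 8 + 4 * idx)  # may read past the object's end

    def array_set_unchecked(self, obj, idx, value):
        length = self.rd(obj + 4)
        if idx >= length:
            raise IndexError(idx)
        self.wr(obj + 8 + 4 * idx, value)  # may write past the object's end

    # Fixed accessor: the tag check is the missing piece.
    def array_get_checked(self, obj, idx):
        if self.rd(obj) != TAG_ARRAY:
            raise TypeError("object at %d is not an array" % obj)
        return self.array_get_unchecked(obj, idx)


def layout():
    """A NUMBER whose value is 6, immediately followed by an ARRAY holding
    constructed 'secret' words (stand-ins for pointers an exploit wants)."""
    heap = ToyHeap()
    num = heap.alloc_number(6)                                                  # offset 0
    secret = heap.alloc_array([0xDEADBEEF, 0x41414141, 0x42424242, 0x43434343])  # offset 8
    return heap, num, secret


def leak_via_confusion():
    """Treat the NUMBER as an ARRAY: its value 6 becomes a length, so indexes
    0..5 read the neighbour's tag, length and all four elements."""
    heap, num, _ = layout()
    return [heap.array_get_unchecked(num, i) for i in range(6)]


def corrupt_via_confusion():
    """Same confusion, but writing: index 1 lands on the neighbour's length
    field, turning a 4-element array into one that claims 0x7FFFFFFF elements.
    Returns the neighbour's length after the write."""
    heap, num, secret = layout()
    heap.array_set_unchecked(num, 1, 0x7FFFFFFF)
    return heap.rd(secret + 4)


def confusion_blocked():
    """The checked accessor refuses the NUMBER; the real ARRAY still works."""
    heap, num, secret = layout()
    try:
        heap.array_get_checked(num, 2)
        return False
    except TypeError:
        return heap.array_get_checked(secret, 0) == 0xDEADBEEF


if __name__ == "__main__":
    print([hex(v) for v in leak_via_confusion()])
    print(hex(corrupt_via_confusion()))
    print(confusion_blocked())
```

The read variant is an information leak (the neighbour’s contents come back as if they were array elements); the write variant is worse, because corrupting a neighbouring array’s length is the classic way to turn one confused access into an unbounded out-of-bounds read/write primitive over the whole heap. The checked accessor shows that the entire fix is re-establishing the type check before the layout is trusted.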

Google Chronicle

Chronicle, a security analytics platform, joined Google Cloud in June 2019. The platform itself was launched at RSA 2019 “to help change the way any business could quickly, efficiently, and affordably investigate alerts and threats in their organization.”

Google has announced two further additions to the platform: threat detection using the new YARA-L rules language, and enhanced data modeling.

YARA is a pattern-matching language widely used to describe and identify malware by the strings and byte patterns found in files. YARA-L is a derivative of it for writing rules over log and telemetry data rather than file contents, which Google said is “built specifically for modern threats and behaviours.” Its addition will allow Chronicle to detect not just known malware but patterns of behaviour that indicate new forms of attack.

Google describes YARA-L’s capabilities as bringing “massively scalable, real-time and retroactive rule execution” to Chronicle’s existing threat detection capabilities: rules run both against events as they arrive and against the history already stored.

The second addition to Chronicle is what Google calls “intelligent data fusion.” It pairs a new data model with the ability to link multiple security events into a single timeline, so an incident can be modelled as one story rather than as a pile of separate alerts.

ObliqueRAT

A new malware campaign dubbed ObliqueRAT uses malicious Microsoft Office documents, delivered through email phishing, to target government organizations in Southeast Asia.

File names seen in the campaign include Company-Terms.doc and DOT_JD_GM.doc. When the user opens the file it prompts for a password, which both looks legitimate to the victim and keeps the content away from automated scanners that cannot supply it; once the document is opened, the chain described below begins.

The document’s malicious macro then creates a shortcut in the user’s Startup directory so that the payload runs again after a reboot.

The second stage is ObliqueRAT itself, which communicates with its C&C server and executes the commands it receives.

The malware checks whether another instance is already running on the infected machine, using a mutex named “Oblique”; if the mutex already exists, the new copy stops executing.

Capabilities

  • Execute commands on the infected system
  • Exfiltrate files from the computer
  • Drop additional files supplied by the attacker
  • Terminate any running process
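The Chronicle section above talks about retroactive rule execution and fusing events into one timeline, and this section describes a delivery chain (an Office document, a shortcut dropped into the Startup folder, a second-stage payload) that is exactly the kind of behaviour such rules are meant to catch. The following is an added example that is not Chronicle, YARA-L or Cisco Talos code: a small rule runner in Python over constructed endpoint telemetry. The event shape and field names are the example’s own rather than any vendor schema, and every host name, PID, path and file name in EVENTS (including update.lnk and payload.exe) is made up for the illustration; only Company-Terms.doc comes from the campaign described above.

```python
"""Added example, not Chronicle, YARA-L or Cisco Talos code: a small rule
runner over constructed endpoint telemetry. It models two things the sections
above describe: Chronicle-style retroactive rule execution with events fused
into one timeline, and the ObliqueRAT delivery chain (Office document, then a
shortcut dropped into the Startup folder, then a child process). The event
shape, field names and every path and PID below are this example's own."""
import ntpath
from datetime import datetime, timedelta

# Constructed telemetry: one infected host (ws01) and two benign hosts.
EVENTS = [
    {"ts": "2020-02-21T09:00:00", "host": "ws01", "type": "process_start", "pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Company-Terms.doc"'},
    {"ts": "2020-02-21T09:00:30", "host": "ws01", "type": "file_create", "pid": 4100,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"ts": "2020-02-21T09:00:31", "host": "ws01", "type": "process_start", "pid": 4188, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Roaming\payload.exe", "cmdline": "payload.exe"},
    {"ts": "2020-02-21T09:10:00", "host": "ws02", "type": "process_start", "pid": 2200, "ppid": 910,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\bob\Documents\notes.docx"'},
    {"ts": "2020-02-21T09:10:05", "host": "ws02", "type": "file_create", "pid": 2200,
     "path": r"C:\Users\bob\AppData\Local\Temp\~WRD0001.tmp"},
    {"ts": "2020-02-21T09:20:00", "host": "ws03", "type": "process_start", "pid": 1500, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2020-02-21T09:21:00", "host": "ws03", "type": "file_create", "pid": 1500,
     "path": r"C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.lnk"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
STARTUP_MARK = "\\start menu\\programs\\startup\\"
WINDOW = timedelta(minutes=10)   # how long after the Office start we still correlate


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _finding(rule, parent, event):
    return {"rule": rule, "host": parent["host"], "root_pid": parent["pid"],
            "evidence": [parent, event]}


def run_rules(events):
    """Retroactive execution: replay the whole event store in time order and
    emit a finding for each Office process that writes a .lnk into a Startup
    folder or spawns a child process within WINDOW of starting."""
    office = {}      # (host, pid) -> process_start event of an Office process
    findings = []
    for e in sorted(events, key=_ts):
        if e["type"] == "process_start" and ntpath.basename(e["image"]).lower() in OFFICE_IMAGES:
            office[(e["host"], e["pid"])] = e
            continue
        if e["type"] == "file_create":
            parent = office.get((e["host"], e["pid"]))
            path = e["path"].lower()
            if parent and STARTUP_MARK in path and path.endswith(".lnk") \
                    and _ts(e) - _ts(parent) <= WINDOW:
                findings.append(_finding("office_writes_startup_lnk", parent, e))
        elif e["type"] == "process_start":
            parent = office.get((e["host"], e["ppid"]))
            if parent and _ts(e) - _ts(parent) <= WINDOW:
                findings.append(_finding("office_spawns_child", parent, e))
    return findings


def timeline(events, host, root_pid):
    """Data fusion: every event belonging to one root process (its own file
    activity and the processes it started) as a single time-ordered story."""
    related = [e for e in events
               if e["host"] == host and root_pid in (e.get("pid"), e.get("ppid"))]
    return sorted(related, key=_ts)


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f["rule"], f["host"], "root pid", f["root_pid"])
    for e in timeline(EVENTS, "ws01", 4100):
        print(e["ts"], e["type"], e.get("image") or e.get("path"))
```

Two design points carry over to real rule engines. Matching on the Startup folder path rather than on a known file name is what lets the rule fire on ws01 but stay quiet on ws03, where explorer.exe writing a shortcut is ordinary user activity, and keying the correlation on (host, pid) with a time window is what turns two unrelated-looking log lines into one finding with both events attached as evidence; timeline() then gives the analyst the whole chain under the parent WINWORD process in order.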