Adult sites at risk from Malsmoke

Shady attracts shady! Lately, cybercriminals have been found manipulating adult website visitors and redirecting victims to malicious websites serving up malware.

What & Why

Researchers discovered a Malsmoke campaign that appears to have begun in mid-October.

  • The threat actors, who have been active throughout 2020, are pushing adult site users to download a fake Java update in their malvertising attacks.
  • Visitors to sites such as bravoporn[.]com and xhamster[.]com, which have hundreds of millions of users, are reportedly at risk of downloading Zloader, a banking malware.
  • The reason for going after high-traffic adult portals is straightforward: the more visitors, the more infected systems.

How does it work?

The new campaign works across all major web browsers, including Google Chrome.

  • When a user clicks to play a video clip, a new browser window containing a grainy video pops up.
  • In the background, however, victims are redirected through malicious pages such as landingmonster[.]online until they land on a “decoy” porn site.
  • The video plays for a few seconds, then an overlay message appears saying that the Java Plug-in 8.0 was not found.
  • The fake Java update is, in fact, a digitally signed Microsoft installer loaded with a number of libraries and executables; the final payload is Zloader.
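The chain described above (adult site, redirect domain, decoy site, Java-named MSI) leaves a recognisable sequence in web proxy logs. The following is an added example, not code from the original write-up or from the researchers: it parses a few constructed proxy log lines, keeps the redirect domain defanged exactly as the text shows it, and flags any client that fetched a Java-named MSI installer after touching that domain. The log format, the hostnames ending in `.invalid`, and the client addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Redirect infrastructure named in the write-up, kept defanged the way the
# text shows it; it is refanged only for matching against log hostnames.
REDIRECT_DOMAINS = {"landingmonster[.]online"}

# Constructed web-proxy log lines for this example (not real traffic):
# timestamp, client IP, method, URL, HTTP status, response content type.
SAMPLE_LOG = """\
2020-11-19T10:01:02Z 10.0.0.5 GET https://adult-site.invalid/videos/123 200 text/html
2020-11-19T10:01:05Z 10.0.0.5 GET https://landingmonster.online/go?id=77 302 -
2020-11-19T10:01:06Z 10.0.0.5 GET https://decoy-tube.invalid/watch/9 200 text/html
2020-11-19T10:01:20Z 10.0.0.5 GET https://decoy-tube.invalid/JavaPlug-in_8.0.msi 200 application/x-msi
2020-11-19T10:02:00Z 10.0.0.9 GET https://adult-site.invalid/videos/456 200 text/html
2020-11-19T10:02:30Z 10.0.0.9 GET https://updates.invalid/java/index.html 200 text/html
2020-11-19T10:03:00Z 10.0.0.12 GET https://files.invalid/setup.msi 200 application/x-msi
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a hostname."""
    return indicator.replace("[.]", ".")


def parse_line(line: str):
    """Parse one proxy log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "status": int(status),
        "ctype": ctype,
    }


def looks_like_fake_java_msi(rec: dict) -> bool:
    """An MSI whose file name mentions Java: the lure described in the write-up."""
    filename = rec["path"].rsplit("/", 1)[-1].lower()
    return filename.endswith(".msi") and "java" in filename


def find_fake_java_update_victims(log_text: str):
    """Return (client, msi_url) pairs for clients that hit a known redirect
    domain and afterwards downloaded a Java-named MSI installer."""
    redirect_hosts = {refang(d) for d in REDIRECT_DOMAINS}
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["client"]].append(rec)

    hits = []
    for client, records in per_client.items():
        saw_redirect = False
        for rec in records:  # records keep the original log order
            if rec["host"] in redirect_hosts:
                saw_redirect = True
            elif saw_redirect and rec["status"] == 200 and looks_like_fake_java_msi(rec):
                hits.append((client, rec["url"]))
                break
    return sorted(hits)


if __name__ == "__main__":
    for client, url in find_fake_java_update_victims(SAMPLE_LOG):
        print(f"{client} fetched a Java-named MSI after a Malsmoke redirect: {url}")
```

Only the client that both touched the redirect domain and then pulled a Java-named MSI is reported; a client that merely downloads some installer, or merely browses a Java download page, is not. In practice the redirect domain list would be fed from threat intelligence rather than hard-coded.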

Activity review of Malsmoke actors

The name Malsmoke comes from the Smoke Loader malware that the group drops via the Fallout exploit kit.

  • Since the beginning of the year, Malsmoke operators have been running successful exploit kit campaigns, until they decided to pick a new trick involving social engineering.
  • The group targeted porn surfers running older versions of Adobe Flash Player and Internet Explorer, pushing malware through most of the adult ad networks on the web.

Stay safe

Utmost care: browse at your own risk.

APT Predictions 2020: as it happened, and predicting 2021

Trying to make predictions about the future is a tricky business. Here is what the researchers predicted for 2020, what actually happened, and what they expect to come next.

  • The next level of false flag attacks
    Olympic Destroyer, DeathStalker
  • From ransomware to targeted ransomware
    Attacks targeting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Groups, Silence and Magecart, as well as APT threat actors such as Lazarus.
  • More infrastructure attacks and attacks against non-PC targets
    Tunnel Snake, Mosaic Regressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
  • Increasing sophistication of attack methods
    Geo-fencing attacks, or hosting malware and using that hosting for C2 communications.
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked/stolen personal information is being used more than ever before in up-close and personal attacks.

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

  • APT threat actors will buy initial network access from cybercriminals
  • More Silicon Valley companies will take action against zero-day brokers
  • Increased targeting of network appliances
  • The emergence of 5G vulnerabilities
  • Demanding money “with menaces”
  • More disruptive attacks
  • Attackers will continue to exploit the COVID-19 pandemic

Cisco WebEx bug invites Ghost users 🤡

The increase in the use of remote conferencing also raises questions of security and data privacy. Researchers at IBM analysed one such popular offering, Cisco’s Webex, and discovered three vulnerabilities in the service that could let attackers join a meeting as a “ghost” without being detected.

The bugs allowed such bad actors not just to join a meeting secretly, but also to stay in a meeting as an audio participant even after being “expelled”. The attacker could also gain details about meeting attendees from the lobby without even entering the call. Even when such an actor enters the call, the only indication is a connection beep, something that could easily be missed in meetings with many attendees. IBM says it found that the vulnerabilities affect both scheduled meetings and unique meetings with specific URLs.

The researchers explain that the vulnerabilities work when attackers exploit the “handshake” process between the Webex client at the user’s end and the server. Attackers could manipulate the request sent over the WebSocket – the connection between the client and the server – due to “improper input validation and sanitization” and inject specially designed values into the request to join as a ghost. The researchers successfully tested the scenarios and could join the meeting without appearing in the participants’ list and without being detected.

IBM says that it immediately shared the details of its finding with Cisco owing to the severity and urgency of the issues. The networking company worked on a fix for the said vulnerabilities, for which it released security advisories today. The three bugs are labeled CVE-2020-3441, CVE-2020-3471, CVE-2020-3419 and have been successfully fixed. Since the issue affected Webex clients on most platforms, the firm recommends that users update their apps to the latest versions.
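The root cause the researchers describe is a server that trusts values the client puts into the join handshake. The following is an added example and is not Webex code, Cisco's protocol, or IBM's test harness: it is a deliberately small, hypothetical meeting server in which a "join" message arrives as JSON over a WebSocket. The vulnerable handler merges the client's message over the server's participant record, so an injected `listed` or `role` key changes what other attendees see; the hardened handler enforces a strict schema, rejects unknown keys, and derives role and visibility only from server-side state. The meeting IDs, tokens and field names are all constructed for the example.

```python
import json

# Constructed server-side meeting records for this example (not Webex data):
# the server, not the client, knows which token belongs to which role.
MEETINGS = {
    "123456": {"host_token": "tok-host", "attendee_tokens": {"tok-alice", "tok-bob"}},
}

# The only keys a join message may carry in the hardened handler.
ALLOWED_JOIN_FIELDS = {"type", "meeting_id", "token", "display_name"}


class JoinRejected(ValueError):
    """Raised when a join message fails validation."""


class Roster:
    """Two views a meeting server keeps: what attendees are shown, and what the
    media server actually mixes. A 'ghost' is in the second but not the first."""

    def __init__(self):
        self.listed = []  # names shown in the participant list
        self.mixed = []   # every connection receiving or sending audio

    def announce(self, participant):
        self.listed.append(participant["display_name"])
        self.mixed.append(participant["display_name"])

    def silent_add(self, participant):
        self.mixed.append(participant["display_name"])


def authenticate(meeting_id, token):
    """Derive the role from server-side state, never from the message."""
    meeting = MEETINGS.get(meeting_id)
    if meeting is None:
        raise JoinRejected("unknown meeting")
    if token == meeting["host_token"]:
        return "host"
    if token in meeting["attendee_tokens"]:
        return "attendee"
    raise JoinRejected("token not valid for this meeting")


def unsafe_join(roster, raw_message):
    """Vulnerable pattern: the client's JSON is merged over the server's
    participant record, so injected keys override server decisions."""
    msg = json.loads(raw_message)
    role = authenticate(msg.get("meeting_id"), msg.get("token"))
    participant = {"display_name": "Guest", "role": role, "listed": True}
    participant.update(msg)  # client-controlled 'listed' / 'role' win here
    if participant["listed"]:
        roster.announce(participant)
    else:
        roster.silent_add(participant)
    return participant


def safe_join(roster, raw_message):
    """Hardened pattern: strict schema, unknown keys rejected, role and
    visibility decided only by the server."""
    msg = json.loads(raw_message)
    if not isinstance(msg, dict) or msg.get("type") != "join":
        raise JoinRejected("not a join message")
    unknown = set(msg) - ALLOWED_JOIN_FIELDS
    if unknown:
        raise JoinRejected(f"unexpected fields: {sorted(unknown)}")
    name = msg.get("display_name")
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= 64:
        raise JoinRejected("display_name must be 1-64 characters")
    role = authenticate(msg.get("meeting_id"), msg.get("token"))
    participant = {"display_name": name.strip(), "role": role, "listed": True}
    roster.announce(participant)  # every mixed connection is always listed
    return participant


def attempt(handler, raw_message):
    """Run a handler against a fresh roster and report what happened."""
    roster = Roster()
    try:
        participant = handler(roster, raw_message)
    except JoinRejected as exc:
        return {"accepted": False, "reason": str(exc),
                "listed": roster.listed, "mixed": roster.mixed}
    return {"accepted": True, "participant": participant,
            "listed": roster.listed, "mixed": roster.mixed}


# Constructed messages: an honest attendee, and one carrying injected fields.
HONEST_MSG = json.dumps({"type": "join", "meeting_id": "123456",
                         "token": "tok-bob", "display_name": "bob"})
GHOST_MSG = json.dumps({"type": "join", "meeting_id": "123456", "token": "tok-bob",
                        "display_name": "bob", "listed": False, "role": "host"})

if __name__ == "__main__":
    print("unsafe handler, injected message:", attempt(unsafe_join, GHOST_MSG))
    print("safe handler, injected message:  ", attempt(safe_join, GHOST_MSG))
    print("safe handler, honest message:    ", attempt(safe_join, HONEST_MSG))
```

The invariant worth carrying over to any real conferencing backend is the last line of `safe_join`: nothing is ever added to the media mix without also being added to the participant list, so "present but unlisted" is not a state the server can be talked into.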

Chrome the first to block NAT Slipstream

Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.

In Chrome 87, we have new APIs and updates to Chrome’s built-in Developer Tools, such as:

  • Support for the new Cookie Store API;
  • New features to allow easier modification of web fonts via CSS;
  • A new feature to let websites enumerate all the locally installed fonts;
  • Support for pan, tilt, and zoom controls on webcam streams; and
  • Support for debugging WebAuthn operations via the Chrome DevTools.

NAT Slipstream attack fixes

This technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.

Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.

Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.
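The mitigation described above is a restricted-port check applied before the browser opens a connection for a URL. The following is an added example, not Chrome's source or its actual restricted-port list: it computes the port a fetch would really use (explicit port, or the scheme default) and refuses the two SIP ports the article says Chrome 87 now blocks. The handful of other ports in `OTHER_RESTRICTED_PORTS` is an illustrative subset constructed for this example, and the function names are mine.

```python
from urllib.parse import urlsplit

# Ports the article says Chrome 87 started blocking: SIP signalling on
# 5060/5061, which the NAT Slipstream technique relies on.
NAT_SLIPSTREAM_PORTS = {5060, 5061}

# A small illustrative subset of other well-known service ports that browsers
# refuse to fetch from. Constructed for this example; not Chrome's full list.
OTHER_RESTRICTED_PORTS = {21, 22, 23, 25, 110, 143, 6667}

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def effective_port(url: str):
    """Port a fetch would actually use: the explicit port, else the scheme default.
    Returns None for an unknown scheme without a port, or a malformed port."""
    parts = urlsplit(url)
    try:
        explicit = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if explicit is not None:
        return explicit
    return DEFAULT_PORTS.get(parts.scheme.lower())


def is_restricted(url: str) -> bool:
    """True if the URL would reach a port the browser refuses to connect to."""
    port = effective_port(url)
    return port in NAT_SLIPSTREAM_PORTS or port in OTHER_RESTRICTED_PORTS


def check_fetch(url: str):
    """The decision a fetch layer makes before opening a socket, with a reason."""
    port = effective_port(url)
    if port is None:
        return ("blocked", "invalid or unknown port")
    if port in NAT_SLIPSTREAM_PORTS:
        return ("blocked", f"port {port} is reserved for SIP (NAT Slipstream mitigation)")
    if port in OTHER_RESTRICTED_PORTS:
        return ("blocked", f"port {port} is a restricted service port")
    return ("allowed", f"port {port}")


if __name__ == "__main__":
    for candidate in ("https://example.com/", "http://example.com:5060/",
                      "https://example.com:5061/call", "http://example.com:8080/api"):
        verdict, why = check_fetch(candidate)
        print(f"{verdict:8} {candidate}  ({why})")
```

Note that the check is on the port the connection would use, not on the port string in the URL, so a URL with no explicit port still resolves to 80 or 443 and passes; a URL whose port cannot be parsed at all is treated as blocked rather than silently allowed.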

FTP deprecation

Google is also following through on its plans to remove FTP support from Chrome. This process started last year and was initially planned for Chrome 81, but it was delayed because of the COVID-19 pandemic.

The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86 when Google removed support for FTP links for 1% of Chrome’s userbase.

Google will now remove FTP support for half of Chrome’s userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.

Mozilla has already removed support for FTP links in Firefox earlier this year in June, with the release of Firefox 77.