Evil cursor attack: Firefox patched

Firefox with a new patch for evil cursor attacks

In an update released last week, Firefox patched a vulnerability that tech support scammers exploited in the wild to build artificial mouse cursors, thereby preventing users from quickly closing malicious websites.

The flaw was discovered to be publicly exploited by UK-based security . The fix shipped last week in Firefox version 79.0.

Named “evil cursor”, this vulnerability belongs to a classic bug class that abuses the feature allowing website owners to customize the look of the mouse cursor on their pages.

Changing the cursor’s look may seem pointless, but the feature is commonly used by web-based games and by augmented or virtual reality experiences in the browser. On the regular web, however, cursor customization has opened the door to abuse.

Malicious websites use “evil cursor” attacks to abuse the cursor settings in order to change its position and click area on the page. In an evil cursor attack, a normal-looking mouse cursor is displayed in, for example, the top-left corner, while its click area is actually somewhere else: the bottom-right corner, the center, or wherever the attackers set it. This creates a visual illusion for users about where they see the cursor versus where it actually clicks.

Operators of various scam sites commonly use evil cursor techniques to keep users stuck on their pages, since the mismatch between the cursor’s displayed location and its actual click area prevents them from closing tabs and pop-ups.
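As an added example that is not from the article: a small stylesheet audit that parses CSS `cursor` declarations and flags url() cursors whose hotspot sits far from the image origin, which is the displacement the illusion relies on. The 32-pixel threshold, the regular expressions and the sample CSS are assumptions made for illustration.

```python
import re

# Assumed policy threshold (not from the article): a hotspot more than this
# many pixels from the image origin lets the drawn pointer and the real
# click point drift apart, which is the evil-cursor illusion.
MAX_HOTSPOT_PX = 32

# Matches each `cursor: ...` declaration and, inside it, every url() image
# together with its optional "x y" hotspot coordinates.
CURSOR_DECL = re.compile(r"\bcursor\s*:\s*([^;}]+)", re.IGNORECASE)
URL_CURSOR = re.compile(
    r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)\s*(?:(\d+)\s+(\d+))?", re.IGNORECASE)


def audit_cursor_css(css_text, max_hotspot=MAX_HOTSPOT_PX):
    """Return one finding per url() cursor image in css_text.

    Without CSS coordinates the browser uses the image file's own hotspot or
    its top-left corner, so only explicit large offsets are flagged here.
    """
    findings = []
    for decl in CURSOR_DECL.finditer(css_text):
        for m in URL_CURSOR.finditer(decl.group(1)):
            hotspot = (int(m.group(2)), int(m.group(3))) if m.group(2) else None
            findings.append({
                "image": m.group(1).strip(),
                "hotspot": hotspot,
                "suspicious": hotspot is not None and max(hotspot) > max_hotspot,
            })
    return findings


# Constructed sample stylesheet: a legitimate game crosshair next to a
# declaration whose click point is 250 px away from the drawn pointer.
SAMPLE_CSS = """
.game-area { cursor: url(crosshair.png) 8 8, crosshair; }
#overlay    { cursor: url("big-transparent.png") 250 250, auto; }
body        { cursor: pointer; }
"""

if __name__ == "__main__":
    for finding in audit_cursor_css(SAMPLE_CSS):
        print(finding)
```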

Google has been shipping fixes for evil cursor attacks in Chrome since 2010, the latest dating from March 2019. Firefox is also targeted by this kind of attack, and a scam group found a way to bypass Mozilla’s previous evil cursor patch from 2018 in order to mount new attacks.

The scammers placed a deliberate infinite loop in their site’s code to stop Firefox’s 2018 patch from taking effect, effectively nullifying Mozilla’s earlier fix and reopening the door to evil cursor attacks. Mozilla has already addressed the issue with a new fix, tracked as CVE-2020-15654, which is documented in the security section of its website.

HTTP Smuggling Attack

HTTP Request Smuggling Attacks
New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers.

What is HTTP Request Smuggling?

HTTP request smuggling (or HTTP desync) is a technique used to interfere with the way a website processes sequences of HTTP requests received from one or more users.
Vulnerabilities of this kind typically arise when the front-end (a load balancer or proxy) and the back-end server interpret the boundary of an HTTP request differently, allowing a bad actor to send (or “smuggle”) an ambiguous request that gets prepended to the next legitimate user request.

This desynchronization of requests can be exploited to hijack credentials, inject responses to users, and even steal data from a victim’s request and exfiltrate the information to an attacker-controlled server.

What’s in the new variants?

The new variants were demonstrated against various proxy/server combinations, including Aprelium’s Abyss, Microsoft IIS, Apache, and Tomcat in web-server mode, and Nginx, Squid, HAProxy, Caddy, and Traefik in HTTP proxy mode.

The four new variants, plus one older variant that the researcher also exploited successfully in his experiments, are listed below.
Variant 1 – “Header SP/CR junk: …”
Variant 2 – “Wait for It”
Variant 3 – HTTP/1.2 to bypass mod_security-like defenses
Variant 4 – a plain solution
Variant 5 – “CR header”

When handling HTTP requests containing two Content-Length header fields, Abyss, for example, was found to accept the second header as valid, whereas Squid used the first Content-Length header, leading the two servers to interpret the request boundary differently and enabling request smuggling.

When Abyss receives an HTTP request whose body is shorter than the specified Content-Length value, it waits 30 seconds to fulfill the request, but ignores the remaining body of the request.

This also results in discrepancies between Squid and Abyss, with the latter interpreting a portion of the forwarded HTTP request as a second request.
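The dual Content-Length disagreement described above, as an added illustration that is not from the research or the article: a minimal request splitter run with the “first header wins” policy the article attributes to Squid, the “last header wins” policy attributed to Abyss, and a strict policy (reject conflicting lengths) that removes the ambiguity. The raw stream is constructed, not a capture, and `example.test` is a placeholder host.

```python
# Constructed client stream (not a real capture): one request carrying two
# conflicting Content-Length headers. A server honouring the first value (49)
# consumes the whole body; one honouring the second (6) stops after "abcdef"
# and treats the remaining bytes as a second, smuggled request.
RAW_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 49\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"abcdef"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def split_requests(stream, policy):
    """Split a byte stream into requests the way a server using `policy` would.

    policy: "first" or "last" picks that Content-Length when duplicates exist;
    "strict" raises on conflicting duplicates, which is what RFC 7230 section
    3.3.3 requires. Each result records whether its body was complete; an
    incomplete body is where a server would block waiting for more bytes.
    """
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # headers not yet complete; a server would keep waiting
        lines = head.split(b"\r\n")
        lengths = [int(value.strip()) for name, _, value in
                   (line.partition(b":") for line in lines[1:])
                   if name.strip().lower() == b"content-length"]
        if policy == "strict" and len(set(lengths)) > 1:
            raise ValueError(f"conflicting Content-Length values {lengths}")
        if not lengths:
            length = 0
        else:
            length = lengths[0] if policy == "first" else lengths[-1]
        body, stream = rest[:length], rest[length:]
        requests.append({"request_line": lines[0].decode(), "body": body,
                         "complete": len(body) == length})
        if len(body) < length:
            break
    return requests


def strict_accepts(stream):
    """True if a strict parser accepts the stream, False if it rejects it."""
    try:
        split_requests(stream, "strict")
        return True
    except ValueError:
        return False
```

The strict policy is the normalization the defenders' section asks for: a proxy that rejects or rewrites such requests never forwards an ambiguous boundary to the back-end.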

A third variant uses HTTP/1.2 to circumvent the WAF defenses defined in the OWASP ModSecurity Core Rule Set (CRS) for preventing HTTP request smuggling, crafting a malicious payload that still triggers the smuggling behavior.

Lastly, using a “Content-Type: text/plain” header field was sufficient to bypass the paranoia level 1 and 2 checks specified in CRS and yield an HTTP request smuggling vulnerability.

What Are the Possible Defenses?

After the findings were disclosed to Aprelium, Squid, and OWASP CRS, the issues were fixed in Abyss X1 v2.14, Squid versions 4.12 and 5.0.3, and CRS v3.3.0.

The research calls for normalization of outbound HTTP requests by proxy servers, and for an open-source, robust web application firewall capable of handling HTTP request smuggling attacks.

WastedLocker Evasion Technique

As time goes on, ransomware strains come and go one after another, like the seasons. Each one becomes the talk of the town once released, big organisations get hit one after another, and paying ransoms to obtain decryptors has become routine. The difference is that each strain is more sophisticated than the last, and the techniques used for evasion vary.

Here we look at the technique WastedLocker uses to evade security systems.

WastedLocker, a ransomware strain that reportedly shut down Garmin’s operations for several days in July, is designed to avoid security tools on infected devices, according to a technical analysis from Sophos.

The ransomware abuses a Microsoft Windows memory management feature to evade detection by security software. Sophos also found other components within the malware designed to make it difficult to detect.

“WastedLocker … is cleverly constructed in a sequence of maneuvers meant to confuse and evade behavior-based anti-ransomware solutions,” the Sophos analysis notes.

Evading Security

WastedLocker and other newer strains of ransomware are increasingly being designed to avoid detection and security tools. These so-called “survival skills” allow the malware to live in the network long enough to encrypt files.

“Survival demands that static and dynamic endpoint protection struggle to make a determination about a file based on the appearance of its code, and that behavioral detection tools are thwarted in their efforts to determine the root cause of the malicious behavior,” the analysis continues.

WastedLocker appears to have adopted a technique similar to one used by a ransomware strain called Bitpaymer. This evasion method targets Windows API functions in memory, according to the report.

“This technique adds an additional layer of obfuscation by doing the entire thing in memory, where it’s harder for a behavioral detection to catch it,” the report says.

In-memory evasion

WastedLocker also makes it harder for behavior-based anti-ransomware tools to keep track of what is going on by using memory-mapped I/O to encrypt a file, Sophos reports. This involves transparently encrypting cached documents in memory without causing disruptions to disk I/O, which shields the activity from behavior monitoring software.

The Windows memory management feature in question improves performance by keeping files and applications that have been read in the operating system’s cache memory. To trick anti-ransomware tools, WastedLocker opens a file, caches it in memory, and then closes it.

WastedLocker closes the file once it has mapped it into memory, which an observer might mistake for an error. The trick works because the Windows Cache Manager also opens a handle to a file once it has been mapped into memory.

Once the data is held by the Windows Cache Manager, WastedLocker encrypts the file’s content in the cache. When the cached data is modified it becomes “dirty”, so that, eventually, Windows writes the encrypted cached data back to the original file, and anti-ransomware software does not see any illegitimate process performing the write.

Iran’s APT34 abuses DoH for exfiltration

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks.

Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into compromised networks.

DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols.

As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Oilrig, also known as APT34, has been using DNSExfiltrator to move data laterally across internal networks, and then exfiltrate it to an outside point.

Oilrig is most likely using DoH as an exfiltration channel to avoid having its activities detected or monitored while moving stolen data.

The DoH protocol is currently an ideal exfiltration channel for two primary reasons. First, it is a new protocol that not all security products are capable of monitoring. Second, it is encrypted by default, whereas classic DNS is cleartext.
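As an added, defender-side example that is not from the article or from any tool it names: a scan over DNS query names that flags an apex domain receiving a burst of long, high-entropy subdomains, the shape data-over-DNS tooling produces when it encodes stolen data into query labels. The sample names, the `.test` placeholder domain, the apex heuristic and the thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of query names (not real telemetry): ordinary lookups
# plus a burst of long, base32-looking subdomains under one placeholder apex.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "update.vendor.example.net",
    "cdn-assets.example.net",
    "mzxw6ytboi4gc3tuna5gy2lnmf4hizlsnfqw2ylm.exfil-placeholder.test",
    "nfxgc3tenfxs4zlsnfqw2yloon2gsy3bnfsgk5dj.exfil-placeholder.test",
    "onxw2zjao5xxe4ton4qgs3tdnruxk3dmnfrwc3tq.exfil-placeholder.test",
    "ozrwi4tnoj4gcxlmnvuxi3djoj4gc5dbom3gqzlt.exfil-placeholder.test",
]


def shannon_entropy(text):
    """Bits per character of `text`; encoded data scores far above words."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, apex), treating the last two labels as the apex.

    Simplification assumed for this sample; real deployments should use the
    public suffix list to find the registrable domain.
    """
    labels = qname.lower().strip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_exfil_candidates(qnames, min_sub_len=30, min_entropy=3.2, min_unique=3):
    """Return apex domains that received at least `min_unique` distinct
    subdomains that are both long and high-entropy (assumed thresholds)."""
    suspicious = defaultdict(set)
    for qname in qnames:
        sub, apex = split_name(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            suspicious[apex].add(sub)
    return sorted(a for a, subs in suspicious.items() if len(subs) >= min_unique)
```

When the tunnel runs over DoH the query names never reach resolver or network DNS logs, so this check has to consume endpoint DNS-client telemetry or queries recovered after TLS inspection.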

Historically, the group has dabbled with DNS-based exfiltration techniques. Before adopting the open-source DNSExfiltrator toolkit in May, the group had been using a custom-built tool named DNSpionage since at least 2018, per reports by Talos, NSFOCUS, and Palo Alto Networks.

A spear-phishing campaign orchestrated by unidentified Iranian hackers targeted staff at the pharma giant Gilead, which at the time had announced it was working on a treatment for COVID-19. It is, however, unclear whether these are the same incidents.

Previous reporting has linked most Iranian APTs to the Islamic Revolutionary Guard Corps, Iran’s top military entity, as either members or contractors.