Except for phishing and scams, downloading an HTML attachment and opening it locally in your browser was never considered a severe threat until a security researcher today demonstrated a technique that could allow attackers to steal files stored on a victim’s computer.

Barak Tawily, an application security researcher, shared his findings, in which he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser.

The attack takes advantage of the way Firefox implements the Same Origin Policy (SOP) for “file://” scheme URIs (Uniform Resource Identifiers), which allows any file in a folder on a system to access files in the same folder and its subfolders.

Since the Same Origin Policy for the file scheme has not been defined clearly in the IETF RFC, browsers and other software have each implemented it differently: some treat all files in a folder as the same origin, whereas others treat each file as a separate origin.

Tawily said that Firefox is the only major browser that has not changed its insecure implementation of the Same Origin Policy (SOP) for the file URI scheme over time, and that it also supports the Fetch API over the file protocol.
Read more »

Terminological Note

“OpenPGP” refers to the OpenPGP protocol, in much the same way that HTML refers to the protocol that specifies how to write a web page. “GnuPG”, “SequoiaPGP”, “OpenPGP.js”, and others are implementations of the OpenPGP protocol in the same way that Mozilla Firefox, Google Chromium, and Microsoft Edge refer to software packages that process HTML data.

Executive Summary

In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”). This attack exploited a defect in the OpenPGP protocol itself in order to “poison” rjh and dkg’s OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.

This attack cannot be mitigated by the SKS keyserver network in any reasonable time period. It is unlikely to be mitigated by the OpenPGP Working Group in any reasonable time period. Future releases of OpenPGP software will likely have some sort of mitigation, but there is no time frame. The best mitigation that can be applied at present is simple: stop retrieving data from the SKS keyserver network.
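As an added illustration of that mitigation (not taken from the advisory itself), a gpg.conf fragment showing the weak setting, automatic retrieval from the SKS pool, next to the hardened form; the replacement keyserver URL is an assumption, substitute whichever non-SKS server you trust:

```ini
# gpg.conf for GnuPG 2.2 (added example, not from the advisory)

# Weak: fetch unknown certificates on demand from the SKS pool,
# which is exactly the path a poisoned certificate arrives through.
# keyserver hkps://hkps.pool.sks-keyservers.net
# auto-key-retrieve

# Hardened: never fetch certificates automatically...
no-auto-key-retrieve
# ...and do not point at the SKS network at all.
# Assumption: a non-SKS keyserver of your choice.
keyserver hkps://keys.openpgp.org
```

With these lines in place, certificates only enter the keyring when you import them explicitly, so a poisoned certificate cannot be pulled in as a side effect of verifying a signature.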

Read more »

A remote access trojan called Ratsnif, which has largely evaded detection and is used in cyber-espionage campaigns by the OceanLotus group, has gained new capabilities that allow it to modify web pages and hijack SSL connections.

OceanLotus is a threat actor group believed to act in the interest of the Vietnamese state for espionage operations. Also known as APT32, CobaltKitty, SeaLotus, and APT-C-00 in the infosec community, the hackers typically combine unique malware with commercially-available tools, like Cobalt Strike.

Read more »

No fewer than six examples of Mac malware were discovered last month, including one which exploits a vulnerability in macOS Gatekeeper. The latest example – dubbed OSX/CrescentCore – takes steps to hide from security researchers.

Security company Intego says it has found CrescentCore on multiple websites, posing as, you guessed it, a Flash Player updater …

The team at Intego has observed OSX/CrescentCore in the wild being distributed via numerous sites. Mac users should beware that they may encounter it, even via seemingly innocuous sources such as Google search results.

The new malware was first observed linked from a site purporting to share digital copies of new comic books for free—one of many shady sites that flagrantly violate U.S. copyright laws.

A high-ranking Google search result was also observed redirecting through multiple sites, eventually leading to a page (hosted at any of a large number of domains) with flashy warnings about Adobe Flash Player supposedly needing to be updated—which in reality is a malware distribution site.

As the company notes, sketchy sites claiming to offer free versions of movies, TV shows, music and books are an extremely common source of malware.

Read more »

A new exploit kit that researchers named Spelevo has emerged recently; it targets a certain category of victims and infects their computer systems with two banking trojans.

To achieve their goal, exploit kits (EKs) use a traffic direction system (TDS) or gate that points the connection to a landing page, where the potential victim's device is analyzed for vulnerable applications. Candidates are then directed to the appropriate exploit.

Spelevo exploits patched bugs in IE and Adobe Flash

The latest exploits preferred by these browser-based threats are Internet Explorer’s CVE-2018-8174 and Flash’s CVE-2018-15982 and CVE-2018-4878, as noted by Malwarebytes in its most recent seasonal EK report.

Discovered by security researcher Kafeine back in early March, Spelevo uses a business-to-business (B2B) website to drop the infamous banking trojans IcedID and Dridex, according to an analysis published by Cisco Talos today.

Read more »