posted by hubie on Tuesday July 26 2022, @09:51PM
from the they-say-vulnerabilities-come-in-threes dept.

Both upstart and Arthur T Knackerbracket processed the following story:

A secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-days in campaigns that covertly infected journalists and other targets with sophisticated spyware, security researchers said.

CVE-2022-2294, as the vulnerability is tracked, stems from memory corruption flaws in Web Real-Time Communications (WebRTC), an open source project that provides JavaScript programming interfaces to enable real-time voice, text, and video communications capabilities between web browsers and devices. [...]

Avast said on Thursday that it uncovered multiple attack campaigns, each delivering the exploit in its own way to Chrome users in Lebanon, Turkey, Yemen, and Palestine. The watering hole sites were highly selective in choosing which visitors to infect. Once the watering hole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by an Israel-based company named Candiru.

"In Lebanon, the attackers seem to have compromised a website used by employees of a news agency," Avast researcher Jan Vojtěšek wrote. "We can't say for sure what the attackers might have been after, however often the reason why attackers go after journalists is to spy on them and the stories they're working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press."

[...] Despite the efforts to keep CVE-2022-2294 secret, Avast managed to recover the attack code, which exploited a heap overflow in WebRTC to execute malicious shellcode inside a renderer process. The recovery allowed Avast to identify the vulnerability and report it to Chrome's developers so it could be fixed. The security firm was unable to obtain the separate zero-day exploit that the attackers needed to escape Chrome's renderer sandbox, since code execution inside a renderer alone does not give access to the rest of the system. That means this second zero-day will live to fight another day.

Once DevilsTongue was installed, it attempted to elevate its privileges by installing a Windows driver containing yet another unpatched vulnerability, bringing the number of zero-days exploited in this campaign to at least three. Once the unidentified driver was loaded, DevilsTongue exploited the flaw to gain access to the kernel, the most sensitive part of any operating system. Security researchers call the technique BYOVD, short for "bring your own vulnerable driver." It works because the driver is a legitimately signed third-party driver, so Windows loads it despite driver signature enforcement, and every kernel-mode driver runs with full kernel privileges; the malware then exploits the driver's own bug to run its code in the kernel without needing a Windows kernel exploit of its own.

[...] "While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility," Vojtěšek wrote. "Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day."
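One practical check the BYOVD description above invites is to watch driver loads rather than trust signatures, because the attacker's driver carries a genuine vendor signature and a signature check alone will not flag it. The script below is an added example, not code from the article, Avast or Microsoft: it runs simple detection logic over constructed Sysmon Event ID 6 ("Driver loaded") records and flags loads that are unsigned, come from outside the normal driver directory, or match a hash blocklist. The log lines, paths, vendor names, hashes and blocklist entries are all constructed placeholders; only the field names are Sysmon's.

```python
"""Flag suspicious kernel driver loads in Sysmon Event ID 6 records.

Added example, not from the article or from Avast's report. Every record,
path, vendor name, hash and blocklist entry below is a constructed
placeholder, not a real vulnerable driver.
"""
import re

# Constructed Sysmon Event ID 6 ("Driver loaded") records, flattened to one
# key=value line each, the way a log shipper might emit them.
SAMPLE_LOG = """
EventID=6 UtcTime=2022-07-20 10:01:02.100 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Hashes=SHA256=AAAA1111 Signed=true Signature=Microsoft Windows SignatureStatus=Valid
EventID=6 UtcTime=2022-07-20 10:05:40.333 ImageLoaded=C:\\Windows\\Temp\\helper.sys Hashes=SHA256=BBBB2222 Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid
EventID=6 UtcTime=2022-07-20 10:06:11.420 ImageLoaded=C:\\ProgramData\\svc\\drv.sys Hashes=SHA256=CCCC3333 Signed=false Signature=- SignatureStatus=Unavailable
EventID=6 UtcTime=2022-07-20 10:07:00.000 ImageLoaded=C:\\Windows\\System32\\drivers\\vendorold.sys Hashes=SHA256=DDDD4444 Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid
"""

# Placeholder blocklist keyed by SHA256 (constructed). In production this
# would come from a maintained source such as Microsoft's recommended driver
# block rules, not from a hand-written dict.
CONSTRUCTED_BLOCKLIST = {
    "DDDD4444": "placeholder vulnerable vendor driver",
}

# Directories from which Windows normally loads drivers (assumption for the
# path rule; tune for the estate being monitored).
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\",
)

# key=value pairs whose values may contain spaces (vendor names, timestamps):
# a value runs until the next " key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line):
    """Turn one flattened Sysmon line into a dict of field -> value."""
    return {key: value for key, value in _KV.findall(line.strip())}


def sha256_of(record):
    """Pull the SHA256 digest out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in record.get("Hashes", "").split(","):
        alg, _, digest = part.partition("=")
        if alg.upper() == "SHA256":
            return digest.upper()
    return None


def classify(record, blocklist):
    """Return the list of reasons a driver load looks suspicious (empty if clean)."""
    reasons = []
    image = record.get("ImageLoaded", "")
    # Rule 1: unsigned or invalidly signed driver. A BYOVD driver passes this
    # rule, which is exactly why the other two rules exist.
    if record.get("Signed", "").lower() != "true" or record.get("SignatureStatus") != "Valid":
        reasons.append("unsigned_or_invalid_signature")
    # Rule 2: known-vulnerable driver by hash, regardless of signature.
    digest = sha256_of(record)
    if digest and digest in blocklist:
        reasons.append("blocklisted_hash:" + blocklist[digest])
    # Rule 3: driver loaded from outside the normal driver directories, e.g.
    # a temp or ProgramData folder the malware could write to.
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("unusual_path")
    return reasons


def find_suspicious_driver_loads(log_text, blocklist=CONSTRUCTED_BLOCKLIST):
    """Map each flagged driver image path to its list of reasons."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record.get("EventID") != "6":
            continue
        reasons = classify(record, blocklist)
        if reasons:
            findings[record.get("ImageLoaded", "<unknown>")] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in find_suspicious_driver_loads(SAMPLE_LOG).items():
        print(f"{image} -> {', '.join(reasons)}")
```

Run as-is, three of the four constructed loads are flagged. The validly signed driver dropped in C:\Windows\Temp is caught only by the path rule, and the validly signed driver sitting in the drivers directory only by the hash rule; that is the point of the exercise, since in a BYOVD attack the signature is genuine and the detection has to come from where the driver was loaded from and which driver it is. Feed the blocklist from a maintained source rather than the placeholder dict.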


  • (Score: 5, Touché) by HammeredGlass on Tuesday July 26 2022, @10:07PM (3 children)

    by HammeredGlass (12241) on Tuesday July 26 2022, @10:07PM (#1263089)

    Onward I go with FF and derivatives because even shitty devs that hate productivity and love worthless "causes" are still better than MS or Google

    • (Score: 3, Interesting) by RS3 on Wednesday July 27 2022, @02:24AM (2 children)

      by RS3 (6367) on Wednesday July 27 2022, @02:24AM (#1263121)

      Years ago I was a big FF fan, but like most others, they got very bloated, kept changing up the settings and menus, and I got weary of it. My parents were big FF fans so I helped them with it, but they've passed away and I haven't messed with FF. I hear good things about it and might try it if I get any free time.

      I mostly use Old Opera (nobody gets that right- 12.18 Presto) but more and more sites won't work even with javascript turned on. I also use Vivaldi which is a pretty cool Chrome derivative, but is usually a couple of chrome versions behind. And it's a huge bloated pig, but I find all the Vivaldi touches make it pretty usable. Biggest complaint, and it's pretty big: it crashes out fairly often, and sometimes you lose work, stuff you've entered, etc. Not sure how to know what the bugs are without some dev. kit that I don't want to install on this here computer.

      • (Score: 2) by Freeman on Wednesday July 27 2022, @04:10PM (1 child)

        by Freeman (732) on Wednesday July 27 2022, @04:10PM (#1263254) Journal

        Highly recommend just sticking with Firefox. Much better than using an outdated browser and less awful than straight-up handing your data to Google. Let's face it, Edge isn't better in that regard and may actually just be handing your data to Google and Microsoft.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by RS3 on Wednesday July 27 2022, @07:08PM

          by RS3 (6367) on Wednesday July 27 2022, @07:08PM (#1263312)

          Thanks, I appreciate it. Old Opera runs with javascript OFF, so there's not much mechanism for data leakage. I ran it across some of the websites that test such things:

          https://browseraudit.com

          https://privacy.net/analyzer

          Even with javascript and cookies ON, all they could get was OS, browser version (which they got very wrong), simple basic stuff.

          With javascript off, they get almost nothing. So I think I'm as privacy protected as I can be. I'm aware of various browsers like Brave, privacy plugins (I have several in Vivaldi), so when a site won't work on Old Opera, I browse it with Vivaldi and plugins.

  • (Score: 0) by Anonymous Coward on Wednesday July 27 2022, @02:44AM

    by Anonymous Coward on Wednesday July 27 2022, @02:44AM (#1263130)

    I love the BYOVD. It is stupid obvious in hindsight, but great idea to use your access to load a crappy driver to get root. Imagine finding out that the Windows driver you wrote was so bad, that all sorts of malware are using it to break into systems.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday July 27 2022, @09:01AM

    by Anonymous Coward on Wednesday July 27 2022, @09:01AM (#1263174)

    I remember using a signed executable that came from an Nvidia installer in... 2009, to make sure that the part that deployed the trojan was signed, and sure it was.
    The signature on it was valid until 2015... It could make registry keys and write files.

    Was it to bypass Authenticode something something on someone's win2012 server... god, I don't remember the details... There definitely was a specific reason...

    Nevertheless, TFA describes a useful, tested technique to bypass some windows "security" with:

    If you can't fake the signature, can't inject it into the database they validate from, can't modify the validation request/response, can't make them bypass the check somehow by practicing user-specific coercion, and have no physical access to the machine itself, then use something that has a signature already and that can either be patched in memory or has calls to do what you need.
