Tecplix ThreatTrack Insights - August
1. Widespread Malware Campaign Installs Rogue Browser Extensions via Fake Software Websites
A sophisticated and ongoing malware campaign is actively targeting users of Google Chrome and Microsoft Edge browsers by installing rogue extensions through a trojan distributed via counterfeit websites. These websites mimic popular software download pages, luring unsuspecting users into downloading the malicious trojan. The threat, which has been active since 2021, leverages both adware and advanced malicious scripts to compromise user systems.
Key Takeaways:
Malware Distribution: The trojan is delivered through fake websites that pose as legitimate download sources for widely used software like Roblox FPS Unlocker, YouTube, VLC media player, Steam, and KeePass.
Malicious Extensions: Once installed, the malware facilitates the installation of rogue browser extensions that can hijack search queries, intercept web requests, and steal private data.
Wide Reach: The campaign has impacted over 300,000 users, indicating a significant and widespread threat.
Malvertising: Malicious advertising is a key tactic, driving traffic to lookalike websites that promote the trojan-laden downloads.
Impact: This malware campaign poses a substantial threat to both individual users and organizations. The rogue extensions installed by the trojan can hijack and redirect search queries, leading to potential data breaches and unauthorized access to sensitive information. The malware’s ability to modify system settings and install additional payloads further escalates the risk, making it a critical security concern.
Who is Affected: Users of Google Chrome and Microsoft Edge who have downloaded software from unverified or suspicious websites are at high risk. The campaign primarily targets those searching for popular software, making it crucial for all internet users to remain vigilant when downloading and installing programs.
Recommendations:
• Regular data backups are the most crucial part of a ransomware security strategy.
• Download software only from reputable sources and official websites. Avoid third-party platforms that might disguise malware as legitimate software.
• Conduct regular security audits; these can help identify vulnerabilities.
• Users who are affected by the malware attack are recommended to delete the scheduled task that reactivates the malware each day, remove the Registry keys, and delete the below files and folders from the system -
o C:\Windows\system32\Privacyblockerwindows.ps1
o C:\Windows\system32\Windowsupdater1.ps1
o C:\Windows\system32\WindowsUpdater1Script.ps1
o C:\Windows\system32\Optimizerwindows.ps1
o C:\Windows\system32\Printworkflowservice.ps1
o C:\Windows\system32\NvWinSearchOptimizer.ps1 - 2024 version
o C:\Windows\system32\kondserp_optimizer.ps1 - May 2024 version
o C:\Windows\InternalKernelGrid
o C:\Windows\InternalKernelGrid3
o C:\Windows\InternalKernelGrid4
o C:\Windows\ShellServiceLog
o C:\windows\privacyprotectorlog
o C:\Windows\NvOptimizerLog
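To check a host for the artifacts listed above before removing anything, the following PowerShell audit script is an added example (not part of the advisory): it tests each listed path and, because the advisory does not name the scheduled task or registry keys, flags as a heuristic any scheduled task whose action references one of the listed file names.

```powershell
# Added example, not from the Tecplix advisory. Read-only audit: reports, never deletes.
# Paths are the ones listed in the advisory; the scheduled-task match is a heuristic
# because the advisory does not give the task name or the registry keys.
$Artifacts = @(
    'C:\Windows\system32\Privacyblockerwindows.ps1',
    'C:\Windows\system32\Windowsupdater1.ps1',
    'C:\Windows\system32\WindowsUpdater1Script.ps1',
    'C:\Windows\system32\Optimizerwindows.ps1',
    'C:\Windows\system32\Printworkflowservice.ps1',
    'C:\Windows\system32\NvWinSearchOptimizer.ps1',
    'C:\Windows\system32\kondserp_optimizer.ps1',
    'C:\Windows\InternalKernelGrid',
    'C:\Windows\InternalKernelGrid3',
    'C:\Windows\InternalKernelGrid4',
    'C:\Windows\ShellServiceLog',
    'C:\Windows\privacyprotectorlog',
    'C:\Windows\NvOptimizerLog'
)

# 1. Files and folders: report every listed path that exists, with its last write time.
$fileFindings = foreach ($path in $Artifacts) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{ Type = 'FileOrFolder'; Indicator = $path; Detail = "LastWrite: $($item.LastWriteTime)" }
    }
}

# 2. Scheduled tasks (heuristic): any task whose action command or arguments
#    mention one of the listed file names, since the daily reactivation task is
#    what re-creates the malware if only the files are removed.
$names = $Artifacts | ForEach-Object { [IO.Path]::GetFileName($_) }
$taskFindings = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hit = $names | Where-Object { $cmd -match [regex]::Escape($_) } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{ Type = 'ScheduledTask'; Indicator = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
        }
    }
}

$all = @($fileFindings) + @($taskFindings)
if ($all.Count -eq 0) { 'No listed artifacts found.' } else { $all | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session so that Get-ScheduledTask and the system32 paths are readable; a hit on the task check should be confirmed manually before the task is deleted.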
2. Critical Security Vulnerabilities in Google Chrome: Immediate Action Required
Google Chrome, one of the most widely used web browsers, has been found to have several critical vulnerabilities in its versions prior to 127.0.6533.99/.100 for Windows and Mac, and 127.0.6533.99 for Linux. These vulnerabilities expose users to significant security risks, potentially allowing malicious actors to gain control over affected systems.
Key Takeaways:
Software Affected: Google Chrome versions prior to 127.0.6533.99/.100 for Windows and Mac; prior to 127.0.6533.99 for Linux.
Identified Vulnerabilities: CVE-2024-7533, CVE-2024-7534, CVE-2024-7532, CVE-2024-7535, CVE-2024-7536, CVE-2024-7550.
Exploit Methods: Attackers could leverage these vulnerabilities by enticing users to visit a specially crafted web page.
Impact: Exploitation of these vulnerabilities allows remote attackers to execute arbitrary code on compromised systems, potentially leading to full control over the affected device. This could result in data breaches, system corruption, and further exploitation across connected networks.
Who is Affected?
Users and organizations running Google Chrome versions prior to 127.0.6533.99/.100 on Windows and Mac, and prior to 127.0.6533.99 on Linux, are at high risk. It is strongly advised that all users update to the latest version of Google Chrome immediately to mitigate these risks.
Recommendation:
Please update Chrome to the latest version 127.0.6533.99/.100.
3. Critical Security Vulnerabilities in Mozilla Products Demand Immediate Attention
Multiple high-severity vulnerabilities have been identified in several Mozilla products, including Thunderbird and Firefox. These vulnerabilities pose significant risks, allowing remote attackers to execute arbitrary code and potentially cause denial of service (DoS) conditions on affected systems.
Key Takeaways:
Impacted Software: Mozilla Thunderbird, Mozilla Firefox ESR, and Mozilla Firefox, specifically versions prior to 115.14, 128.1, and 129.
Identified Vulnerabilities: A total of 14 vulnerabilities, including CVE-2024-7518 through CVE-2024-7531, have been detected, affecting key components within the software.
Primary Risks: The flaws include out-of-bounds memory access, incomplete exception handling, and type confusion, all of which can lead to severe security breaches if exploited.
Impact:
The vulnerabilities in Mozilla products could lead to serious consequences, including unauthorized remote code execution and system disruption. Attackers can exploit these flaws to compromise sensitive information, disrupt operations, and control affected systems. The security risks are heightened due to the potential for these vulnerabilities to be triggered simply by opening a malicious web request, making them a critical threat to both individual users and organizations.
Who is Affected?
Users of Mozilla Thunderbird and Firefox ESR, as well as general Firefox users running versions earlier than those specified, are at high risk. This includes enterprises and individuals relying on these platforms for daily operations. Immediate action is required to update to the latest software versions to mitigate the risks associated with these vulnerabilities.
Recommendation:
Please update Mozilla Firefox to the latest version Firefox 129.0.
4. Fortinet Security Vulnerabilities: Critical Patches Released
Fortinet has issued critical patches addressing three vulnerabilities found in various Fortinet products, including FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiPAM, and FortiSwitchManager. These vulnerabilities pose potential security risks, with two classified as medium-severity flaws and one as a low-severity issue.
Key Takeaways:
CVE-2022-45862: A medium-severity flaw in FortiOS that could allow attackers to bypass the file integrity checking system.
CVE-2024-21757: A medium-severity vulnerability in FortiAnalyzer and FortiManager, enabling unauthorized modification of admin passwords through device configuration backups.
CVE-2024-36505: A low-severity issue affecting the GUI of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, potentially allowing attackers to reuse web sessions after logout if credentials are compromised.
Impact:
The identified vulnerabilities, if left unpatched, could lead to unauthorized access, compromised system integrity, and potential exploitation of web sessions. Organizations relying on the affected Fortinet products are advised to implement the patches promptly to safeguard their systems.
Who is Affected:
Entities utilizing FortiOS, FortiAnalyzer, FortiManager, FortiProxy, FortiPAM, and FortiSwitchManager should review their systems and apply the necessary patches. This advisory is particularly critical for IT administrators responsible for maintaining the security of these Fortinet products.
Recommendation:
Follow the recommended upgrade path using the URL below: https://docs.fortinet.com/upgrade-tool
In Crisis?
If you suspect a compromise or face a critical security issue, connect with us to unlock rapid, expert protection. Your security and business continuity are our top priority!
Get in touch with our security team by filling out this form or by calling +91 6366 600 700.