Security News

Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy rules since Chrome 73. Tracked as CVE-2020-6519, the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites.

While brute-forcing and password spraying techniques are the most common way to mount account takeovers, more methodical cybercriminals are able to gain access to accounts even with more secure MFA protocols in place. According to Abnormal Security, cybercriminals are zeroing in on email clients that don't support modern authentication, such as mobile email clients; and legacy email protocols, including IMAP, SMTP, MAPI and POP. Thus, even if MFA is enabled on the corporate email account, an employee checking email via mobile won't be subject to that protection.

Adding insult to injury, researchers have recently discovered a workaround for a previous patch issued for Microsoft Teams, that would allow a malicious actor to use the service's updater function to download any binary or malicious payload. Essentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous. While Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher explained.

According to Eclypsium researchers, the bug tracked as CVE-2020-10713 could allow attackers to get around these protections and execute arbitrary code during the boot-up process, even when Secure Boot is enabled and properly performing signature verification. "During the parser stage, the configuration values are copied to internal buffers stored in memory. Configuration tokens that are longer in length than the internal buffer size end up leading to a buffer overflow issue. An attacker may leverage this flaw to execute arbitrary code, further hijacking the machine's boot process and bypassing Secure Boot protection. Consequently, it is possible for unsigned binary code to be loaded, further jeopardizing the integrity of the system."

In a report published by Check Point research today, the malware - infamously called Joker - has found another trick to bypass Google's Play Store protections: obfuscate the malicious DEX executable inside the application as Base64 encoded strings, which are then decoded and loaded on the compromised device. "The Joker malware is tricky to detect, despite Google's investment in adding Play Store protections," said Check Point's Aviran Hazum, who identified the new modus operandi of Joker malware.

Cyberattacks bypass the WAF. 49% of security professionals reported more than a quarter of attempts to sidestep their WAF protocols had been successful in the last 12 months. 29% of respondents admitted they had found it difficult to alter their WAF policies to guard against new web application attacks, while just 15% said they had found the process very easy.

Details on a macOS privacy protections bypass method were published this week, more than six months after Apple was informed of the issue, but failed to deliver a fix. Dubbed TCC, the privacy protections system was introduced in macOS Mojave to ensure that certain files on the system are kept out of reach of unauthorized applications.

Six months after software developer Jeff Johnson told Apple about a privacy bypass vulnerability opening up protected files in macOS Mojave, macOS Catalina, and the upcoming macOS Big Sur, the bug remains unfixed - so he's going public. This latest bug can be exploited by a maliciously crafted app to bypass a privacy system known as Transparency, Consent, and Control that was introduced in OS X Mavericks and got strengthened in subsequent releases through technologies like System Integrity Protection in El Capitan.

Researchers reported on Monday that hackers are now exploiting Google's Analytics service to stealthily pilfer credit card information from infected e-commerce sites. According to several independent reports from PerimeterX, Kaspersky, and Sansec, threat actors are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them exfiltrate payment information entered by users even in conditions where content security policies are enforced for maximum web security.

Phishers are trying to bypass the multi-factor authentication protection on users' Office 365 accounts by tricking them into granting permissions to a rogue application. How? The aforementioned authorization code is exchanged for an access token that is presented by the rogue application to Microsoft Graph, which will authorize its access.