Cyber Security Headlines: Chromium browser flaw, Twitter leak developments, IcedID strikes again

Experts detail Chromium browser security flaw putting confidential data at risk

Details have emerged about a now-patched vulnerability in Google Chrome and Chromium-based browsers that, if successfully exploited, could have made it possible to siphon files containing confidential data. “The issue arose from the way the browser interacted with symlinks when processing files and directories,” Imperva researcher Ron Masas said. “Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files.” Google characterized the medium-severity issue (CVE-2022-3656) as a case of insufficient data validation in File System, shipping fixes for it in versions 107 and 108, released in October and November 2022.
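As an added illustration (not code from the article or from Chromium), the check the quoted description calls for, in Python: a directory walker that follows symlinks blindly, beside one that resolves every entry and keeps only those whose real location stays under the directory the user actually chose. The folder layout is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def naive_collect(root: str) -> List[str]:
    """Follow every symlink without checking where it leads (the flawed behaviour)."""
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=True):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return found


def is_within(path: Path, root: Path) -> bool:
    """True only if the entry's resolved target is root itself or lies inside it."""
    try:
        real = path.resolve(strict=True)
    except OSError:          # dangling symlink or unreadable entry: treat as outside
        return False
    return real == root or root in real.parents


def safe_collect(root: str) -> List[str]:
    """Keep only entries that resolve to a location under the chosen directory."""
    base = Path(root).resolve(strict=True)
    kept = []
    for dirpath, dirs, files in os.walk(base, followlinks=True):
        # Prune symlinked subdirectories that escape the root before os.walk descends.
        dirs[:] = [d for d in dirs if is_within(Path(dirpath, d), base)]
        for name in files:
            entry = Path(dirpath, name)
            if is_within(entry, base):
                kept.append(str(entry))
    return kept


def build_demo() -> Tuple[str, str]:
    """Constructed layout: a picked folder holding symlinks to a secret file and its folder."""
    tmp = tempfile.mkdtemp()
    secret = Path(tmp, "outside", "secret.txt")
    secret.parent.mkdir()
    secret.write_text("constructed secret")
    picked = Path(tmp, "picked")
    picked.mkdir()
    (picked / "photo.jpg").write_text("constructed image bytes")
    os.symlink(secret, picked / "innocent.jpg")      # file symlink escaping the root
    os.symlink(secret.parent, picked / "album")      # directory symlink escaping the root
    return str(picked), str(secret)
```

Running `naive_collect` on the picked folder returns the secret twice (via both symlinks); `safe_collect` returns only `photo.jpg`.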

(The Hacker News)

Twitter says 200 million-user leak not obtained from its systems, others disagree

In an update on its own investigation, launched after data of more than 200 million users were offered for sale online, the company has found “no evidence” that hacking was a cause. The company pointed out that the huge trove of data is likely part of a publicly available dataset originating from different sources. However, Alon Gal, co-founder and CTO at cybercrime intelligence company Hudson Rock, doesn’t agree with Twitter’s statement and confirmed the authenticity of the leak. Regardless, according to Privacy Affairs CEO and founder Miklos Zoltan, the data dump is now available online for free, which is quite a discount from its original asking price of $200,000. It contains no passwords, but The Register states there’s “plenty of stuff for social engineering and doxing.”

(Security Affairs and The Register)

IcedID malware strikes again: Active Directory domain compromised in under 24 hours

A recent IcedID malware attack enabled a threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. “Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,” Cybereason researchers said in a report published this week. IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin. Attacks involving the delivery of IcedID have leveraged a variety of methods, especially in the wake of Microsoft’s decision to block macros from Office files downloaded from the web.

(The Hacker News)

GitHub disables pro-Russian hacktivist DDoS pages

On Tuesday, GitHub disabled accounts on the platform belonging to a pro-Russian hacktivist group linked to attacks on entities in NATO countries, including efforts to disrupt the websites of Denmark’s central bank and other financial institutions in the country. The group, NoName057(16), used the software development platform to host its distributed denial of service (DDoS) tool website and code used in its attacks, researchers with SentinelOne said Thursday. The researchers reported the activity to GitHub, prompting the company to disable the group’s accounts in accordance with its acceptable use policies.

(Cyberscoop)

Thanks to this week’s episode sponsor,

Can you name all the third party apps connected to your major SaaS platforms like Salesforce and Microsoft? What about the data these apps can access? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. With AppOmni, you get visibility to all third party apps and SaaS-to-SaaS connections — including which end users have enabled them, and the level of data access they’ve been granted. Visit AppOmni.com to request a free risk assessment.

Social marketplace Trustanduse exposes nearly half a million users

Trustanduse.com is a platform for consumers to rate products, services, professionals, and stores, as well as get offers and discounts. The company was founded in 2016 and is based in Athens. A team at Cybernews identified a publicly accessible database storing up to 855GB of sensitive user and business data that belongs to the marketplace. The leaked database was first found on June 21 and remained potentially accessible to threat actors for at least six months. It contained PII including hashed passwords.

(Security Affairs)

Lawsuit claims student loan site inflated membership to entice acquisition

JPMorgan Chase is suing the 30-year-old founder of Frank, a fintech startup it acquired for $175 million, for allegedly lying about its scale and success by creating an enormous list of fake users to entice the financial giant to buy it. Frank offers software aimed at improving the student loan application process for young Americans seeking financial aid. The lawsuit, filed late last year, claims that CEO Charlie Javice allegedly created a roster of “fake customers – a list of names, addresses, dates of birth, and other personal information for 4.265 million ‘students’ who did not actually exist,” when in reality, according to the suit, Frank had fewer than 300,000 customer accounts at that time.

(Forbes)

StrongPity hackers target Android users via trojanized Telegram app

The StrongPity APT hacking group is distributing a fake Shagle chat app that is a trojanized version of the Telegram for Android app with an added backdoor. Shagle is a legitimate random-video-chat platform allowing strangers to talk via an encrypted communications channel. However, the platform is entirely web-based, not offering a mobile app. StrongPity has been found using a fake website since 2021 that impersonates the actual Shagle site to trick victims into downloading a malicious Android app. Once installed, this app enables the hackers to conduct espionage on the targeted victims, including monitoring phone calls, collecting SMS texts, and grabbing contact lists.

(Bleeping Computer)

College student creates an app to detect ChatGPT

Edward Tian, a 22-year-old computer science student at Princeton University, has built an app to detect whether text is written by ChatGPT, the viral chatbot that’s sparked fears over its potential for unethical uses in academia and elsewhere. GPTZero, as it is called, can “quickly and efficiently” decipher whether a human or ChatGPT authored an essay. His motivation to create the bot was to fight what he sees as an increase in AI-based plagiarism.

(NPR)