More stories

  • in

    Google Chrome sync feature can be abused for C&C and data exfiltration

    Image: Catalin Cimpanu
    Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses.
    For non-Chrome users, Chrome sync is a feature of the Chrome web browser that stores copies of a user’s Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google’s cloud servers.
    The feature is used to sync these details between a user’s different devices, so the user always has access to their most recent Chrome data wherever they go.
    Chrome sync feature was recently abused in the wild
    Bojan Zdrnja, a Croatian security researcher, said on Thursday that during a recent incident response, he discovered that a malicious Chrome extension was abusing the Chrome sync feature as a way to communicate with a remote command and control (C&C) server and as a way to exfiltrate data from infected browsers.
    Zdrnja said that in the incident he investigated, attackers gained access to a victim’s computer, but because the data they wanted to steal was inside an employee’s portal, they downloaded a Chrome extension on the user’s computer and loaded it via the browser’s Developer Mode.
    The extension, which posed as a security add-on from security firm Forcepoint, contained malicious code that abused the Chrome sync feature as a way to allow attackers to control the infected browser.

    Image: Bojan Zdrnja
    Zdrnja said the goal of this particular attacker was to use the extension to “manipulate data in an internal web application that the victim had access to.”

    “While they also wanted to extend their access, they actually limited activities on this workstation to those related to web applications, which explains why they dropped only the malicious Chrome extension, and not any other binaries,” Zdrnja said in a report published on Thursday.
    Malicious code found in the extension suggested that the attacker was using the malicious add-on to create a text-based field to store token keys, which would then be synced to Google cloud servers as part of the sync feature.
    “In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure,” he said.
    Data stored in the key field could be anything, Zdrnja said.
    It could be data the malicious extension gathered about the infected browser (such as usernames, passwords, cryptographic keys, or more) or commands the attacker wanted the extension to execute on the infected workstation.
    In this way, the extension could be used as an exfiltration channel from inside corporate networks to an attacker’s Chrome browser instance or as a way to control the infected browser from afar, bypassing local security defenses.
    Malicious operations hide in legitimate Chrome traffic
    Since the stolen content or subsequent commands are sent via Chrome’s infrastructure, none of these operations would be inspected or blocked in most corporate networks, where the Chrome browser is usually allowed to operate and transmit data unhindered.
    “Now, if you are thinking on blocking access to clients4.google.com be careful – this is a very important web site for Chrome, which is also used to check if Chrome is connected to the Internet (among other things),” Zdrnja warned.
    Instead, the researcher urged companies to use Chrome’s enterprise features and group policy support to block and control what extensions can be installed in the browser, preventing the installation of rogue extensions like the one he investigated.
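    For responders who need to check a workstation for the pattern described above, here is an added example (not code from the article, from Chrome or from the researcher) that walks a Chrome profile's Preferences JSON and flags extensions that were loaded unpacked via Developer Mode and hold the "storage" permission, the combination that lets an extension write keys that Chrome sync replicates. The Preferences layout and the numeric "unpacked" location value are assumptions noted in the code, and the sample profile is constructed.

```python
"""List Chrome extensions loaded via Developer Mode that could use chrome.storage.sync.

Added example, not code from the article. It assumes the layout of Chrome's
per-profile Preferences JSON: extensions.settings.<id> carries "location",
"path", "from_webstore" and a copy of the extension's "manifest".
"""
import json

UNPACKED_LOCATION = 4   # assumption: Chromium's Manifest::Location value for "Load unpacked"
SYNC_PERMISSION = "storage"   # chrome.storage.sync requires the "storage" permission

# Constructed, trimmed Preferences document: IDs, names and paths are made up.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "location": 1, "from_webstore": True, "path": "aaaabbbb\\2.3_0",
        "manifest": {"name": "Corp SSO Helper", "version": "2.3",
                     "permissions": ["tabs"]}},
    "iiiijjjjkkkkllllmmmmnnnnooooaaaa": {
        "location": UNPACKED_LOCATION, "from_webstore": False,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\endpoint-helper",
        "manifest": {"name": "Endpoint Security Helper", "version": "1.0",
                     "permissions": ["storage", "tabs", "<all_urls>"]}},
    "ppppqqqqrrrrssssttttuuuuvvvvwwww": {
        "location": UNPACKED_LOCATION, "from_webstore": False,
        "path": "C:\\dev\\my-theme",
        "manifest": {"name": "Dev Theme", "version": "0.1", "permissions": []}},
}}})


def triage_extensions(prefs_text):
    """Return one record per installed extension with the indicators it matches.

    The indicators follow the incident in the article: loaded unpacked rather
    than from the Web Store, holding the "storage" permission (so keys it
    writes are replicated to Google's servers by Chrome sync), and broad host
    access. An extension is flagged when it is unpacked AND sync-capable.
    """
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    records = []
    for ext_id, ext in settings.items():
        manifest = ext.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        unpacked = ext.get("location") == UNPACKED_LOCATION or not ext.get("from_webstore", False)
        sync_capable = SYNC_PERMISSION in perms
        reasons = []
        if unpacked:
            reasons.append("loaded unpacked / not from the Web Store")
        if sync_capable:
            reasons.append("has 'storage' permission: chrome.storage.sync usable as a channel")
        if "<all_urls>" in perms or any(p.startswith("*://") for p in perms):
            reasons.append("broad host access")
        records.append({"id": ext_id, "name": manifest.get("name", "?"),
                        "path": ext.get("path", ""), "reasons": reasons,
                        "flagged": unpacked and sync_capable})
    return records


def flagged_ids(records):
    """IDs worth pulling for analysis, e.g. to see what they write to storage.sync."""
    return sorted(r["id"] for r in records if r["flagged"])
```

    A flagged entry's "path" points at the on-disk extension directory, which is what you would collect next; a legitimate developer's unpacked theme with no permissions shows up with one reason but is not flagged.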

  • in

    Google kills The Great Suspender: here's what you should do next

    Google has disabled The Great Suspender, an extension that was used by Chrome users who were prone to having a lot of tabs open, because, in the words of the message users have been receiving, “it contains malware.”
    This has left users with some questions and concerns.
    First, what happened? Well, concerns were raised last year that the extension contained nefarious code after the extension changed hands. More details here on GitHub.
    Yesterday, Google pulled the plug on the extension, telling users that it was now blocked, and all mentions of it on the Google Chrome webstore now result in 404s.
    If you were a user, the tabs you had suspended are now gone. Well, you can still recover them, but it’s a bit of a faff. It involves searching your history for the ID of the extension (klbibkeccnjlkjkiokjodocebajanakg) and then extracting the URL from the string (it’s after the uri=).
    Others want to know what to do next.

    There are a few extensions that you can use that do similar things. Session Buddy and OneTab sprint to mind.
    If you’d rather a paid service, I’ve been using Partizion for the past few months, and I find it really reliable, and once you get used to it, it works really well.
    Or, you know, you could limit the number of tabs you have open.

  • in

    Woman pleads guilty for using gov’t PC to steal photos of 'snitches' in Iowa

    A woman from Iowa has pleaded guilty to sharing confidential photos that were then published to a social media group focused on outing “snitches”.

    On Thursday, the US Department of Justice (DoJ) said that two individuals were involved in the scheme: Rachel Manna, a resident of West Des Moines, and Ankeny, Iowa-based Danielle Taff, who was formerly employed as a contractor paralegal for the US Attorney’s Office for the Southern District of Iowa. 
    Taff worked in the civil division, and so should have been nowhere near records related to criminal cases. 
    However, in 2018, 33-year-old Manna asked Taff, as her acquaintance, to access information relating to “certain defendants in a criminal investigation and prosecution being handled by the US Attorney’s Office,” according to the DoJ.
    Taff agreed to Manna’s request and in mid-May, the 37-year-old used her government PC to access criminal investigation files on the district’s shared storage drive. 
    After finding records relating to police interviews with “at least two individuals” who cooperated in a drug trafficking investigation, Taff pulled out her mobile phone and took photographs of the files. 
    Taff then handed over her photographs, of which there were approximately 30, to Manna. 

    These photographs, which identified the people who were helping the police in their investigation, were then shared by Manna to a Facebook group dedicated to “outing snitches” in the Des Moines region. 
    Individuals labeled as snitches by cooperating with law enforcement, especially when criminal activities are occurring, could face personal retribution and increased risk to their safety. 
    Taff pleaded guilty for her role in the leak of confidential information in November 2020. Taff will be sentenced on March 9. Manna, having now also admitted to her crime, will be sentenced on June 4. 
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

  • in

    Cisco warns of critical remote code execution flaws in these small business VPN routers

    Remote attackers can use the bugs to execute code as the root user.
    Image: Getty Images/iStockphoto
    Cisco is warning customers using its small business routers to upgrade the firmware to fix flaws that could give remote attackers root level access to the devices. 
    The critical flaws affect the Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers. These were the models Cisco recommended customers using unsupported small business routers to move to last month. 


    There are several bugs in the web management interface of the routers that remote attackers can use to execute code as the root user. The devices don’t properly validate HTTP requests, allowing an attacker to send specially crafted HTTP requests that might exploit the flaw. 
    The gear is vulnerable if it is running a firmware release earlier than Release 1.0.01.02, according to Cisco. Affected devices include the RV160 VPN Router, RV160W Wireless-AC VPN Router, RV260 VPN Router, RV260P VPN Router with POE, and RV260W Wireless-AC VPN Router. 
    There are no workarounds, so customers must upgrade to release 1.0.01.02 or later. It released that version in January. Cisco is tracking the bugs as CVE-2021-1289, CVE-2021-1290, and CVE-2021-1291. 
    The web interface of the Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers is also vulnerable to remote attacks via a directory traversal issue. Admins need to ensure devices are running firmware release 1.0.01.02 or later to be protected.

    “An attacker could exploit these vulnerabilities by using the web-based management interface to upload a file to a location on an affected device that they should not have access to. A successful exploit could allow the attacker to overwrite files on the file system of the affected device,” Cisco warned. 
    This set of bugs is being tracked as CVE-2021-1296 and CVE-2021-1297. 
    There are also multiple high-severity flaws in the web interface of the Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers. The bugs are remotely exploitable and can be used to trigger a denial of service. 
    It’s another input validation issue that allows an attacker to send HTTP requests designed to exploit the bugs. Cisco notes that the attacker would need correct administrator credentials to exploit the bugs. Cisco is tracking these as CVE-2021-1319, CVE-2021-1320, and CVE-2021-1321.
    The same set of routers are also vulnerable to multiple command injection vulnerabilities that have been tagged with the identifiers CVE-2021-1314, CVE-2021-1315, and CVE-2021-1316. 
    Again, the flaws are due to improper validation of user-supplied input that allow an attacker to send crafted HTTP requests to the devices. These are high severity issues that “could allow the attacker to execute arbitrary code as the root user on the underlying operating system”, according to Cisco.
    An attacker would need to have valid administrator credentials to exploit the flaws. 
    Cisco fixed the bugs affecting the RV320 and RV325 Dual Gigabit WAN VPN Routers in firmware release 1.5.1.13.
    However, it will not release firmware updates for the Cisco RV016, RV042, RV042G, and RV082 Routers because they have entered the end-of-life process.
    The affected devices are vulnerable if they are running the firmware releases listed below:

    Product                               Firmware Release
    RV016 Multi-WAN VPN Routers           4.2.3.14 and earlier
    RV042 Dual WAN VPN Routers            4.2.3.14 and earlier
    RV042G Dual Gigabit WAN VPN Routers   4.2.3.14 and earlier
    RV082 Dual WAN VPN Routers            4.2.3.14 and earlier
    RV320 Dual Gigabit WAN VPN Routers    1.5.1.11 and earlier
    RV325 Dual Gigabit WAN VPN Routers    1.5.1.11 and earlier

  • in

    Founder of cryptocurrency hedge funds charged over $90 million theft

    The founder of a pair of cryptocurrency hedge funds in New York has been charged for stealing $90 million from clients. 

    According to the US Department of Justice (DoJ), Stefan He Qin, the founder of Virgil Sigma Fund LP and VQR Multistrategy Fund LP, siphoned away investor funds for “years” while enjoying an extravagant lifestyle. 
    The case was presided over by US District Judge Valerie Caproni at the United States District Court for the Southern District of New York.
    On Thursday, US prosecutors said that from 2017 and throughout 2020, Qin was the operator of the two New York-based funds. Virgil Sigma was touted as a fund that took advantage of speculative cryptocurrency market opportunities and claimed to use a trading algorithm to reap profits by monitoring price changes across exchanges. 
    The 24-year-old Australian national hoodwinked investors into believing that the fund was a safe bet as a “market-neutral” fund. During investor meetings and PR calls, Qin said that Virgil Sigma was profitable month after month — with the exception of March 2017 — and also claimed that over $90 million in assets were under active management. 
    In February 2020, Qin created VQR, a hedge fund that “was poised to make or lose money based on the fluctuations in the value of cryptocurrency and was not market-neutral,” according to the DoJ. This fund held $24 million on behalf of investors. 
    However, Virgil Sigma funds were embezzled. The cash was used by Qin to pay for personal expenses including penthouse rent and services, as well as to make personal cryptocurrency and speculative investments, including those in Initial Coin Offerings (ICOs) that had nothing to do with the hedge fund. 

    It did not take long for “nearly all of the investor capital” in Virgil Sigma to drain away, US prosecutors say. 
    As Qin continued to pretend that the hedge fund was making a substantial profit, more investors flocked to the fund. In turn, he was able to pay off client redemption requests — at least, until the summer of 2020.
    Qin was suddenly unable to meet redemption requests, and so attempted to steal from VQR by way of fund transfers. In December 2020, he ordered the head trader at VQR to wind down all trading positions and transfer the funds to Virgil Sigma. 
    By this point, the fraud had been exposed. 
    “Stefan He Qin drained almost all of the assets from the $90 million cryptocurrency fund he owned, stealing investors’ money, spending it on indulgences and speculative personal investments, and lying to investors about the performance of the fund and what he had done with their money,” commented US Attorney Audrey Strauss. “The whole house of cards has been revealed, and Qin now awaits sentencing for his brazen thievery.”
    Qin pled guilty to one count of securities fraud, an offense that carries a maximum term of 20 years in prison. Sentencing is scheduled for May. 
    Last month, a San Francisco resident was sentenced to six months in prison and was ordered to pay damages of $4.4 million after being found guilty of defrauding investors. The 33-year-old represented himself as a cryptocurrency and ICO consultant, but once he secured investments, he simply embezzled the funds. 

  • in

    Plex Media servers are being abused for DDoS attacks

    Image: Citrix
    DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks, security firm Netscout said in an alert on Wednesday.
    The company’s alert comes to warn owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that’s usually used for video or audio streaming and multimedia asset management.
    The app can be installed on ordinary servers, but it usually ships preinstalled on network-attached storage (NAS) systems, digital media players, and other types of multimedia-streaming IoT devices.
    Plex Media servers punch a hole in router NATs
    Netscout says that when a server/device running a Plex Media Server app is booted and connected to a network, it will start a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP).
    The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.
    Since the SSDP protocol has been known for years to be a perfect vector to amplify the size of a DDoS attack, this makes Plex Media servers a juicy and untapped source of DDoS bots for DDoS-for-hire operations.
    Netscout says that attackers only have to scan the internet for devices with this port enabled, and then abuse them to amplify web traffic they send to a DDoS attack victim.

    According to Netscout, the amplification factor is around 4.68, with a Plex Media server amplifying incoming PMSSDP packets from 52 bytes to around 281 bytes, before sending the packet to the victim.
    27K+ Plex Media servers are exposed on the internet
    The security firm said it scanned the internet and found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks.
    Furthermore, some servers have already been abused. Netscout said that not only has it seen DDoS attacks using Plex Media servers, but that this vector is now becoming common.
    “As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the company said.
    According to Netscout, past PMSSDP attacks have reached around 2-3 Gbps, but the servers could be combined with other vectors for much larger attacks.
    This is Netscout’s second warning this year about a new DDoS attack vector being abused in the wild. In January, the company warned that Windows Remote Desktop Protocol (RDP) servers were also being abused for DDoS attacks.
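    An added example, not Netscout’s or Plex’s code, that applies the detection logic the alert implies to a constructed set of NetFlow-style records: it separates normal LAN SSDP discovery from PMSSDP answered to public addresses (the NAT hole described above) and reports peers that draw enough replies to look like a spoofed reflection target, along with the byte amplification ratio. The record format, the local address ranges and the 100-packet threshold are assumptions.

```python
"""Spot Plex PMSSDP (UDP/32414) exposure and reflection in flow records.
Added example, not Netscout's or Plex's code; assumes NetFlow-style records
reduced to one line per flow: src,sport,dst,dport,proto,packets,bytes."""
import ipaddress
from collections import defaultdict, namedtuple

PMSSDP_PORT = 32414   # the port Plex forwards through the router NAT (from the article)
# Constructed sample flows, not real traffic. 192.0.2.0/24 is "our" public range,
# 192.168.0.0/16 the LAN behind the router, 198.51.100.7 a spoofed victim address.
SAMPLE_FLOWS = """\
198.51.100.7,40000,192.0.2.10,32414,udp,1200,62400
192.0.2.10,32414,198.51.100.7,40000,udp,1200,337200
192.168.1.20,50001,192.0.2.10,32414,udp,2,104
192.0.2.10,32414,192.168.1.20,50001,udp,2,562
203.0.113.9,51000,192.0.2.11,32414,udp,1,52
192.0.2.11,32414,203.0.113.9,51000,udp,1,281
"""
LOCAL_NETS = ["192.0.2.0/24", "192.168.0.0/16"]
Finding = namedtuple("Finding", "server peer req_pkts resp_pkts ratio reflecting")


def parse_flows(text):
    """Parse the simplified CSV into dicts with numeric ports and counters."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                      "proto": proto.lower(), "packets": int(pkts), "bytes": int(nbytes)})
    return flows


def find_pmssdp_exposure(flows, local_nets=LOCAL_NETS, min_resp_pkts=100):
    """Pair UDP/32414 requests and replies between a local server and a public peer.
    LAN peers are skipped: SSDP discovery inside the network is how Plex is meant
    to work; the problem is the port being reachable from the internet. A peer
    drawing at least min_resp_pkts replies is reported as a reflection target
    (in a spoofed flood the apparent requester is the victim, not the attacker)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    is_local = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    stats = defaultdict(lambda: {"req_pkts": 0, "req_bytes": 0, "resp_pkts": 0, "resp_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == PMSSDP_PORT and is_local(f["dst"]) and not is_local(f["src"]):
            s = stats[(f["dst"], f["src"])]          # request: public peer -> our server
            s["req_pkts"] += f["packets"]
            s["req_bytes"] += f["bytes"]
        elif f["sport"] == PMSSDP_PORT and is_local(f["src"]) and not is_local(f["dst"]):
            s = stats[(f["src"], f["dst"])]          # reply: our server -> public peer
            s["resp_pkts"] += f["packets"]
            s["resp_bytes"] += f["bytes"]
    findings = []
    for (server, peer), s in sorted(stats.items()):
        ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        findings.append(Finding(server, peer, s["req_pkts"], s["resp_pkts"], ratio,
                                s["resp_pkts"] >= min_resp_pkts))
    return findings


def exposed_servers(findings):
    """Every local host that answered PMSSDP from a public address has the NAT hole."""
    return sorted({f.server for f in findings})
```

    A single probe from a scanner is reported as exposure but not as reflection; the exposed list is the remediation queue regardless, since closing the forwarded port is what removes the server from the pool.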

  • in

    Google patches an actively exploited Chrome zero-day

    Google has released today version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux. Today’s release contains only one bugfix for a zero-day vulnerability that was exploited in the wild.

    The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a “heap overflow” memory corruption bug in the V8 JavaScript engine.
    Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on January 24.
    Two days after Buelens’ report, Google’s security team published a report about attacks carried out by North Korean hackers against the cyber-security community.
    Some of these attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on researchers’ systems.
    In a report on January 28, Microsoft said that the attackers most likely used a Chrome zero-day. In a report published today, a South Korean security firm said it had discovered an Internet Explorer zero-day used in these attacks as well.
    Google did not say today whether the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was, given the proximity of the two events.

    Regardless of how this zero-day was exploited, regular users are advised to use Chrome’s built-in update feature to upgrade their browser to the latest version as soon as possible. The updater is found under the Chrome menu, Help, About Google Chrome.
    Before today’s patch, Google went through a spell last year in which it patched five actively exploited Chrome zero-days in the span of three weeks.

  • in

    NortonLifeLock adds 334,000 customers in one quarter

    Growing awareness of the importance of digital security is driving customer growth for NortonLifeLock, the company said Thursday. In its third quarter financial results, the company reported a direct customer count of 21 million, up by 876,000 year-over-year and by 334,000 quarter-over-quarter. 
    “Our vision to protect and empower everyone to live their digital lives safely has never been more relevant than it is today,” CEO Vincent Pilette said in a statement. “Consumers are seeing the value of Cyber Safety with nearly 60% of our customers using Norton 360. We are accelerating our investments in new products and customer experiences that are driving our growth momentum, and with the Avira acquisition, we are just getting started.”
    NortonLifeLock’s non-GAAP diluted EPS was 38 cents on revenue of $639 million, up 3 percent.
    Analysts were expecting earnings of 37 cents per share on revenue of $630.53 million.
    Consumer reported billings in the quarter came to $700 million, up 10 percent. Average revenue per user was $9.10 per month, up 1 percent. 
    NortonLifeLock also said its board of directors has declared a quarterly cash dividend of $0.125 per common share to be paid on March 17.
    For the fourth quarter, the company is expecting revenue in the range of $655 million to $665 million.
