T-Mobile second 2020 data leak / Google Docs not so private…

Welcome to the next episode of the Xopero Security Center – the first one in 2021! But let’s take a small step back first and look at some of the most interesting news from the last week. Google has patched a bug in its feedback tool, incorporated across its services, which allowed attackers to see your private Google Docs documents. T-Mobile also had problems: a second data leak in 2020, this time from the CPNI system. The hosting giant Wasabi was struggling too: its cloud storage service was knocked offline for 13 hours. And the last one… Cybersecurity specialists spotted a new multi-platform malware that transforms Windows and Linux servers into Monero miners. More details can be found below.

Hackers can see your private Google Docs documents

Google has patched a bug in its feedback tool incorporated across its services. It could be exploited to potentially steal screenshots of sensitive documents simply by embedding them in a malicious website.

Many of Google’s products, including Google Docs, come with a “Send feedback” or “Help Docs improve” option that allows users to send feedback and include a screenshot – something that’s automatically loaded to highlight specific issues.

The feature is deployed in the main website (“google.com”) and integrated into other domains via an iframe element that loads the pop-up’s content from “feedback.googleusercontent.com.”

It means that whenever a screenshot of the Google Docs window is included, rendering the image necessitates the transmission of RGB values of every pixel to the parent domain (www.google.com), which then redirects those RGB values to the feedback’s domain, which ultimately constructs the image and sends it back in Base64 encoded format.

Researcher Sreeram KL identified a bug in the manner these messages were passed to “feedback.googleusercontent.com”. It allowed an attacker to modify the frame to an arbitrary, external website, and in turn, steal and hijack Google Docs screenshots which were meant to be uploaded to Google’s servers.

Notably, the flaw stems from a lack of X-Frame-Options header in the Google Docs domain, which made it possible to change the target origin of the message and exploit the cross-origin communication between the page and the frame contained in it. While the attack requires some form of user interaction, an exploit could easily leverage this weakness to capture the URL of the uploaded screenshot and exfiltrate it to a malicious site.
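The two controls this paragraph touches on, framing restrictions and a pinned message target origin, can be checked in a few lines. This is an added example, not Google's code and not part of the original article; the origins are the ones named above, and `fakeFrame` is a constructed stand-in for the browser's delivery check.

```javascript
// Added example (not Google's code). Origins are the ones named in the article.
const PARENT_ORIGIN = "https://www.google.com";
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";

// Classify how a response's headers restrict framing by other sites.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const fa = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) { // frame-ancestors takes precedence over X-Frame-Options
    const src = fa.slice(1).map(s => s.toLowerCase());
    if (src.length === 0 || (src.length === 1 && src[0] === "'none'")) return "deny";
    return src.includes("*") ? "unprotected" : "restricted";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "restricted";
  return "unprotected"; // header missing or invalid: any site may frame the page
}

// Sender: pin the exact target origin; the browser then drops the message
// if the frame no longer holds a document from that origin.
function sendToFeedbackFrame(frameWindow, payload, targetOrigin = FEEDBACK_ORIGIN) {
  if (targetOrigin === "*") throw new Error("wildcard targetOrigin refused");
  frameWindow.postMessage(payload, targetOrigin);
}

// Receiver: accept only messages whose origin is exactly the expected parent.
function isTrustedMessage(event, allowed = [PARENT_ORIGIN]) {
  return allowed.includes(event.origin);
}

// Constructed stand-in for a browser frame, modelling the targetOrigin check.
function fakeFrame(currentOrigin) {
  const received = [];
  return {
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === currentOrigin) received.push(data);
    },
  };
}
```

With the origin pinned, a frame that has been navigated to another site receives nothing, and the receiver rejects look-alike origins because the comparison is an exact string match.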


T-Mobile data leak exposed CPNI data – users’ phone numbers and call records

T-Mobile has announced a data leak exposing customers’ proprietary network information (CPNI), including phone numbers and call records. The telco giant stated that the breach affected only a small number of customers: less than 0.2%, which equates to around 200,000 people.

According to the T-Mobile staff, the threat actors did not access names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs.

The hacker gained access only to the CPNI. Customer Proprietary Network Information is the data collected by telecommunications companies about a consumer’s telephone calls. It includes the time, date, duration and destination number of each call, the type of network a consumer subscribes to, and any other information that appears on the consumer’s telephone bill.

The company is in the process of notifying impacted customers.


Wasabi cloud storage service knocked offline for 13 hours! Reason? Hosting malware

Cloud storage provider Wasabi suffered an outage after a domain used for storage endpoints was suspended for hosting malware. Wasabi offers significantly cheaper services than Amazon S3, not charging egress or API fees, and promising 99.999999999% data durability.

On Monday, 28th of December, Wasabi users suddenly found that they could no longer access their storage buckets hosted on the wasabisys.com domain.

Wasabi acknowledged the issue in an outage report stating that DNS resolutions were causing “degraded performance.”

According to the status report, their domain registrar attempted to contact Wasabi about malicious content hosted on the wasabisys.com domain. When sending the abuse report, the registrar forwarded it to the wrong email, and Wasabi was never notified.

This mishap led to the registrar suspending the domain, effectively knocking the storage service offline as almost all of their storage buckets utilize the wasabisys.com domain.

After learning of the abuse report, Wasabi suspended the client hosting the malicious content and asked the registrar to reactivate the domain. The domain’s reinstatement took thirteen hours to complete.

Threat actors are known to abuse legitimate cloud hosting services to host malware, and Wasabi is no exception. It is unknown what malicious content, or potentially false positives, triggered the domain’s suspension.


New multi-platform malware turns Windows, Linux servers into Monero miners

A newly discovered and self-spreading Golang-based malware has been actively dropping XMRig cryptocurrency miners on Windows and Linux servers since early December.

This multi-platform malware also has worm capabilities that allow it to spread to other systems by brute-forcing public-facing services like MySQL, Tomcat, Jenkins or WebLogic using password spraying and a list of hardcoded credentials. Older versions of the worm were also seen trying to exploit the CVE-2020-14882 Oracle WebLogic remote code execution vulnerability.

Attackers use the C&C server to host the bash or PowerShell dropper script, a Golang-based binary worm, and the XMRig miner deployed to surreptitiously mine for untraceable Monero cryptocurrency on infected devices. Once it manages to compromise one of the targeted servers, it will deploy the loader script (ld.sh for Linux and ld.ps1 for Windows) that drops both the XMRig miner and Golang-based worm binary. The malware will automatically kill itself if it detects that the infected systems are listening on port 52013. If the port is not in use, the worm will open its own network socket.

According to the Intezer security researcher Avigayil Mechtinger: “The fact that the worm’s code is nearly identical for both its PE and ELF malware – and the ELF malware going undetected in VirusTotal – demonstrates that Linux threats are still flying under the radar for most security and detection platforms.”
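The port check described above gives defenders a simple triage signal on Linux servers. This added example (not from Intezer or the original article) parses `ss -ltnp` output and reports listeners on port 52013; the sample output, process names and PIDs are constructed.

```javascript
// Added example: triage of `ss -ltnp` output for the port named in the article.
const WORM_PORT = 52013;

// Constructed sample; process names and PIDs are made up for illustration.
const SAMPLE_SS = `State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   [::]:52013         [::]:*            users:(("unknown-bin",pid=4471,fd=5))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=990,fd=21))`;

// Parse LISTEN rows into { address, port, process, pid }.
function parseListeners(ssOutput) {
  return ssOutput.split("\n")
    .map(line => line.trim().split(/\s+/))
    .filter(cols => cols[0] === "LISTEN" && cols.length >= 5)
    .map(cols => {
      const local = cols[3];
      const idx = local.lastIndexOf(":"); // last colon, so IPv6 "[::]:52013" works
      const proc = /\(\("([^"]+)",pid=(\d+)/.exec(cols.slice(5).join(" "));
      return {
        address: local.slice(0, idx),
        port: Number(local.slice(idx + 1)),
        process: proc ? proc[1] : null, // null when ss lacked -p or privileges
        pid: proc ? Number(proc[2]) : null,
      };
    });
}

// Listeners on the given port (default: the port from the article).
function findPortListeners(ssOutput, port = WORM_PORT) {
  return parseListeners(ssOutput).filter(l => l.port === port);
}

console.log(findPortListeners(SAMPLE_SS));
```

A match is a lead, not a verdict, because any program can bind that port; follow up by inspecting the owning process and looking for the ld.sh or ld.ps1 loader.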


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Finland says hackers accessed MPs’ emails accounts (ZDNet)
2. Hackers phish 615,000 login credentials by using Facebook ads (HackRead)
3. Home appliance giant Whirlpool hit in Nefilim ransomware attack (Bleeping Computer)
4. Multi-platform card skimmer found on Shopify, BigCommerce stores (Bleeping Computer)
5. Google: Microsoft Improperly Patched Exploited Windows Vulnerability (Security Week)
6. GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic (Bleeping Computer)
7. Japanese Aerospace Firm Kawasaki Warns of Data Breach (Threat Post)
8. Emotet Returns with Updated Modules and New Campaign (Hot for Security)
9. Adobe now shows alerts in Windows 10 to uninstall Flash Player (Bleeping Computer)
10. Italy’s Ho-Mobile database with 2.5m accounts allegedly stolen, sold (HackRead)