Google Chrome Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Thu, 15 Aug 2024 16:14:47 +0000

How to Remove Chrome “Managed by Your Organization”
https://gridinsoft.com/blogs/managed-by-your-organization-remove/
Tue, 13 Aug 2024 14:12:33 +0000

“Managed by your organization” is a line that appears when the web browser has been attacked by a browser hijacker. This malware abuses a legitimate Chrome policy to make itself impossible to delete, and it turns out to be pretty effective: without a special approach, all browser extensions remain untouchable once this line appears. In this post, I will show you how to remove the “Managed by your organization” state with a simple set of instructions.

“Managed by your organization” – What Is the Problem?

“Managed by your organization” is a line shown in the web browser when the remote management policy is enabled in the browser configuration. By design, this feature aims at protecting browsers running on corporate workstations or industrial IoT devices from unintended changes. But, like many restrictive mechanisms, it is a double-edged sword.

Because it prevents users from changing browser settings, this configuration is a frequent target of abuse by browser hijackers. Such malware redirects users’ searches to a different search engine, collecting user information and potentially exposing them to phishing sites.


Once installed, browser hijackers go through either the Group Policies or the registry keys that belong to the browser. By setting a selection of values responsible for enabling remote management to true, they block the user’s ability to change any browser settings or to delete or modify browser extensions. This becomes especially critical when the hijacker itself sits inside a malicious browser extension.

How to Remove “Managed by your organization”

You may encounter several ways to solve the problem: editing the registry, disabling Group Policies through the Group Policy Editor, and others. But as actual removal attempts show, the best effect comes from applying all the steps together. Still, some of the steps may not be viable for certain users, so I picked only those which work most of the time.

Group Policies Removal

The first step in dealing with “Managed by your organization” is to remove the policies that the malware changes to enable this state. This method does not require access to the Group Policy Editor, which is unavailable in non-Pro editions of Windows. All you have to do is find and remove all the folders listed below. Note: their deletion requires administrator privileges.

Windows\System32\GroupPolicy
Windows\System32\GroupPolicyUsers
ProgramFiles(x86)\Google\Policies
ProgramFiles\Google\Policies

Removing Registry Keys

The next step is going through the registry keys that may contain malicious configurations. Press the Win+R combination and type “regedit” in the Run dialog. This opens the Registry Editor; there, find and delete the keys listed below.


HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update
HKEY_LOCAL_MACHINE\Software\Policies\Chromium
HKEY_LOCAL_MACHINE\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment
HKEY_CURRENT_USER\Software\Policies\Google\Chrome
HKEY_CURRENT_USER\Software\Policies\Chromium
HKEY_CURRENT_USER\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D} – the CloudManagementEnrollmentToken value

Not all of these keys may be present; it depends on the installed software, the browser configuration, the malware that made the changes, and other factors. Nonetheless, you should delete all the keys you can find.
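
Before deleting anything, a responder will usually export the suspect hives (Regedit, File → Export) and check which of the listed keys are actually there. The script below is an added example, not code from this post or from any vendor: it parses the text format that Regedit and `reg export` write and reports every key from the list above (and its subkeys, since deleting a parent removes them) plus the enrollment-token value. The sample export it runs on is constructed; the policy names in it (ExtensionInstallForcelist, HomepageLocation) are real Chrome policy names, but their contents are invented.

```python
"""Audit a Windows registry export for the Chrome policy and enrollment keys
listed above. Added example, not code from the post or from any vendor: it
parses the text format that Regedit's File > Export and `reg export` write,
so it can run offline on a dump collected from an affected machine and show
exactly which of the listed keys are present before anything is deleted.
The sample export below is constructed; its values are invented."""

import re
from typing import Dict, List, Optional, Tuple

# Keys the post says to delete. Subkeys are reported too, since removing a
# parent key removes everything beneath it.
POLICY_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Update",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Chromium",
    r"HKEY_LOCAL_MACHINE\Software\Google\Chrome",
    r"HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment",
    r"HKEY_CURRENT_USER\Software\Policies\Google\Chrome",
    r"HKEY_CURRENT_USER\Software\Policies\Chromium",
    r"HKEY_CURRENT_USER\Software\Google\Chrome",
)
# This key is legitimate on its own; the post singles out one value in it.
ENROLLMENT_KEY = (r"HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update"
                  r"\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}")
ENROLLMENT_VALUE = "CloudManagementEnrollmentToken"

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: raw_data}}.

    Handles the header line, [key] sections, "name"=data and @=data lines,
    and hex data continued over several lines with a trailing backslash.
    [-key] deletion entries are skipped. Data is kept raw (dword:..., "...").
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""  # partial line while a hex value is continued
    for raw in text.lstrip("\ufeff").splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = None if key_match.group(1) == "-" else key_match.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group(1)
            keys[current]["(Default)" if name == "@" else name[1:-1]] = value_match.group(2)
    return keys


def _is_under(key: str, parent: str) -> bool:
    key, parent = key.lower(), parent.lower()  # registry paths are case-insensitive
    return key == parent or key.startswith(parent + "\\")


def find_policy_artifacts(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key_path, reason) for each key matching the post's removal list."""
    findings: List[Tuple[str, str]] = []
    for key, values in reg.items():
        listed = next((p for p in POLICY_KEYS if _is_under(key, p)), None)
        if listed is not None:
            findings.append((key, f"listed policy key {listed}"))
        elif _is_under(key, ENROLLMENT_KEY) and any(
                v.lower() == ENROLLMENT_VALUE.lower() for v in values):
            findings.append((key, f"carries {ENROLLMENT_VALUE}"))
    return findings


def audit_reg_export(text: str) -> List[Tuple[str, str]]:
    return find_policy_artifacts(parse_reg_export(text))


# Constructed sample export resembling what an affected machine might yield.
# ExtensionInstallForcelist and HomepageLocation are real Chrome policy names;
# their contents here are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"HomepageLocation"="http://search.example.test/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://update.example.test/crx"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}]
"CloudManagementEnrollmentToken"="CONSTRUCTED-TOKEN-PLACEHOLDER"
"ap"=hex:78,36,34,2d,\
  73,74,61,62,6c,65

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\NativeMessagingHosts]
@=""

[HKEY_CURRENT_USER\Software\Mozilla]
@=""
"""

if __name__ == "__main__":
    for key, reason in audit_reg_export(SAMPLE_REG):
        print(f"{key}\n    -> {reason}")
```

Run it against a real export by reading the file (it is UTF-16 with a BOM when produced by Regedit) and passing the text to `audit_reg_export`. Keys appear only when the hive actually contains them, which mirrors the point above that not every key will be present on every machine.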

Once done, reboot your computer to apply the changes. Then, you should be able to edit any of the Chrome settings and remove any browser extensions that may have previously been blocked from editing.

“Your Connection is Not Private” Error
https://gridinsoft.com/blogs/your-connection-is-not-private-error-fix/
Wed, 26 Jun 2024 22:04:52 +0000

While using a web browser, users may encounter the error “Your connection is not private”. In this post, I will explain why this happens and how you can fix it.

Why does “Your Connection is Not Private” appear?

The “Your Connection is Not Private” error is a common security message that appears when your browser detects an issue with the security of the connection to the website you are trying to visit. Why would it appear on a seemingly safe site that should care about privacy, you ask? The error indicates that the browser cannot establish a secure connection because of a problem with the website’s SSL (Secure Sockets Layer) certificate.


You may read more about SSL certificates in a dedicated article. In short, to access a website the browser must verify the server’s digital certificate. If verification fails, the browser denies access to the website and displays the message “Your connection is not private”. There can be several reasons for this, including:

  • Incorrect system date and time
  • Expired/misconfigured certificate
  • Untrusted Certificate Authority (CA)
  • Man-in-the-Middle attack
  • Outdated browser
  • Network issues

Ways to Fix a “Your Connection is Not Private” Error

Despite the issue looking like something serious and network-related, it is actually rather easy to fix, even for beginners. Here, I have gathered solutions that will likely resolve the “Your connection is not private” problem.

Double-Check the URL and Reload the Page

This may seem obvious, but a simple typo in the URL can prevent the website from loading. If everything is correct, try refreshing the page. An unstable connection, a connection timeout, or similar issues can cause the error, and they are often resolved by a simple page reload.

Check the Time and Date

Many cryptographic protocols, including SSL/TLS, rely on accurate time for validating certificates and other cryptographic operations. Additionally, an SSL certificate has a specific validity period and is issued for a set duration. If the date and time on your computer are significantly different from the real time, the browser may think that the certificate is either not yet valid or has already expired, even if this is not the case.

To set the time on a Windows PC:

Right-click on the clock in the system tray and select “Adjust time and date”.


Check the boxes next to “Time & language” and “Set time zone automatically,” then click “Sync now”.


To set the time on a Mac:

Open System Settings → General → Date & Time.


Ensure the checkbox next to “Set time and date automatically” is enabled.


Use Incognito Mode

Sometimes, cache, cookie data, and browser extensions can malfunction and interfere with page loading. In incognito mode, browsers do not load extensions or use stored cache and cookie data. This helps eliminate conflicts caused by misconfigurations, corrupted data, or conflicts with browser extensions. But when this does not help, the problem may sit deeper in the web browser configuration.

Clear Browser Cache

As mentioned earlier, browsers store information from previously visited websites. While cookies are helpful for personalizing the browsing experience, such as facilitating logins and online purchases, they can pose security risks. Clearing this data ensures the browser works only with current information and also enhances online security. This step is particularly important if the error was caused by incorrect settings earlier.

If you are using Google Chrome:

Click the hamburger menu icon in the top right corner and select Settings. Scroll down and click on Privacy and security, then click on Clear browsing data.


Select the Cookies and other site data and Cached images and files options. Then, click Clear data.

For data removal in Mozilla Firefox, tap the menu button and choose Settings. Choose the Privacy & Security panel and scroll down to the History.


Click the “Clear history…” button. The Clear Data dialog will appear. In the Clear Data dialog, you should select the following options: Cookies and Site Data (to remove login status and site preferences) and Cached Web Content (to remove stored images, scripts, and other cached content). Then, click Clear.

To delete the cache, history, and other browser data from Microsoft Edge, choose Settings and more → Settings → Privacy, search, and services.


Under Clear browsing data > Clear browsing data now, choose Choose what to clear. Under Time range, select a time range from the drop-down menu.

Select the types of browsing data you want to clear (see the table for descriptions). For example, you may want to delete cookies and browsing history but keep passwords and form fill data. Then click Clear now.

Check Your Browser Extensions

Although extensions are not supposed to run in Incognito mode by default, some might still do so: malicious or unwanted extensions, for example, may enable the “run in incognito mode” option upon installation. If the problem persists after the previous steps, check your browser extensions for any unwanted or outdated ones.

Add “www” to the Beginning of the URL

Sometimes websites have separate SSL certificates for the “www” and non-“www” versions. Additionally, some sites are configured to redirect you automatically to the “www” version or vice versa. In any case, adding “www” to the beginning of the URL may fix the issue in some cases.

Update Your Browser and OS

Usually, both the browser and OS update automatically, but sometimes this might not happen. If you are using a Chromium-based browser, open settings and go to the “About” section. The browser will automatically check for updates and offer to install them.

[Figure: Chrome’s About page; if you see this screen, your browser is up-to-date]

Do the same with your operating system. If you are a Windows user, click Start → Settings.


Click Windows Update → Check for updates.

If you are a macOS user, open System Settings → General → Software Update and follow the instructions.


Check Your Antivirus, Firewall or VPN

In some cases, antimalware programs intercept and inspect HTTPS traffic, inserting their own certificates. This can cause SSL/TLS certificate issues if the antivirus handles them incorrectly. It may also use its own root certificates to verify website security, leading to conflicts and errors if the browser doesn’t trust these certificates.

VPNs, in turn, might route traffic through servers that aren’t trusted, potentially causing the error. Additionally, VPNs may use their own encryption methods and certificates, resulting in conflicts and the aforementioned error. If you are using a VPN, try disabling it and see if the issue is resolved.

Malware Activity Causing the “Your Connection is Not Private” Error

Among the reasons for seeing the “Your Connection is Not Private” error may be spyware activity in your system. This malware type is capable of various dirty deeds, including SSL certificate hijacking. By injecting a fake certificate into the user’s browsing flow, hackers can then decrypt the traffic and obtain all the sensitive data.

Modern browsers, on the other hand, are equipped against such attacks. They have a built-in certificate checking system designed precisely to detect manipulations of SSL certificates. When it sees that spyware has hijacked a certificate, it simply cuts the connection, so the attack fails. This, however, does not solve the problem for you personally: the page remains unavailable.

How To Check Your System

Fortunately, this issue can be resolved in a few clicks. You need to scan your device for malware. I recommend using GridinSoft Anti-Malware. It’s an excellent option because, in addition to cleaning up existing threats, it also provides real-time protection for your system.

How To Make Google Chrome Faster 2024
https://gridinsoft.com/blogs/tips-make-chrome-faster/
Mon, 13 May 2024 14:16:07 +0000

Have you ever noticed Google Chrome running much slower than usual, with productivity markedly lower than it used to be? For example, after a Windows update, Google Chrome may start to load the processor or consume more RAM, which contributes to a noticeable decrease in your PC’s performance. If you are looking for a way to restore the previous performance and reduce the load on the hardware, this article describes some tips that will help you do this and thereby speed up your browser up to 5 times.

How to Increase Google Chrome Performance

Today, Google Chrome is considered the most popular browser due to its speed, friendly interface, convenience, and ease of use. But after some time in service, it takes a few seconds to launch, and web surfing turns into waiting for your website to load. There are many reasons for this (cache, history, cookies, problem extensions) that cause bugs and greatly slow down Google Chrome. The following actions will help optimize the browser and speed up its launch on Windows 10.

Update Chrome Browser

Your browser must be the latest version to keep its performance optimal. Usually, Google Chrome updates automatically, but sometimes, due to technical problems, this may not happen; for example, because of a weak or limited Internet connection. Type chrome://help in the address bar to ensure you have the latest version of your browser. If an update is available, follow the instructions.

Check Your Extensions

Next step: you need to check the installed extensions and remove the unwanted ones. You may have previously installed the extension and have not used it for a long time, but it still consumes the system’s resources, slowing it down. Go to chrome://extensions and disable or uninstall unused extensions. To do this, press “remove”. If the extension was installed without your knowledge, check the “Report abuse” box.

[Figure: The Extensions settings section of Chrome]

Enable Prediction Service to Load Pages

Be sure to enable network action predictions called prefetch; this will allow the browser to open websites faster. To do this, open chrome://settings/cookies and scroll through the page to “preload pages for faster browsing and searching” to enable the feature.

Google Chrome has a wide range of web services for predicting and improving web surfing. This may be preloading pages for faster display or offering an alternative site if the one you need is not available. To preload pages you may visit, Google Chrome uses cookies (with your permission) and encrypts these messages and sends them through Google to hide your confidential data from sites.

[Figure: The “Preload pages for faster browsing and searching” toggle in Chrome’s advanced settings, which manages the prefetch feature]

Try the Experimental Function of Closing Tabs

This simple but convenient feature speeds up closing tabs, and thus the browser as a whole. It runs the closing tab’s JavaScript handler independently of the graphical user interface (GUI), so you no longer wait for a tab to close. To activate this function, go to chrome://flags, find “Fast tab/window close,” and select “Enable” in the drop-down menu.

Use an Experimental Feature to Increase RAM for Chrome

You can increase the maximum amount of RAM that Chrome can use. By adjusting the tile height and width values, you can allocate more RAM. This minimizes stuttering, and page scrolling becomes smoother.

To do this, in the same menu (chrome://flags), type “Default tile” in the Find dialog and specify the new values of the two parameters (width and height) in the drop-down window. Alternatively, you can set the value to “512” instead of “Default.”

Change custom theme to Default

If you have customized the browser and configured a theme, I recommend returning to the standard theme. Themes also consume RAM, so if speed is more important to you, do not use custom themes. To set the default theme, open chrome://settings, and under “Appearance,” click “Reset to default.”

Clear out cache data

Accumulated cache also reduces free space on the hard drive. Regular cleaning will not only free space but also speed up Google Chrome.

Navigate to chrome://settings/clearBrowserData and perform the cleanup. I recommend selecting only the “Cached images and files” checkbox. If you select all the boxes, the browser will be completely cleared and you will have to re-authenticate on the sites.

Reset Browser Settings to the Default

If you have done all of the above but none of the methods helped and the browser continues to work slowly, you can completely reset the browser. This removes all user settings and fixes problems caused by extensions or any other changes.

Type chrome://settings/reset into the address bar, then select “Reset settings to their original defaults” and click “Reset settings”.

I hope the above methods have been useful to you; they are suitable for Windows 10 and 11 users alike.

New Google Chrome 0-day Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/new-google-chrome-0-day-vulnerability/
Tue, 16 Jan 2024 20:34:57 +0000

In its most recent release notes, Google reports a new 0-day vulnerability that is already being exploited in the wild. The update fixes the issue, but the very fact of it being exploited means the update should be installed as soon as possible. It appears to be the first 0-day exploit in the Chrome browser in 2024.

New Chrome 0-day Vulnerability Fixed

On January 16, Google released an update for its Chrome browser that contains fixes for 3 vulnerabilities. Among them is CVE-2024-0519, which was reported anonymously. The company acknowledges exploitation of this flaw in the wild.

[Figure: An excerpt from Google’s patch note for the latest Chrome update]

The key issue of the vulnerability lies in improper memory access control in the V8 JavaScript engine used in Chrome; it falls under the CWE-119 designation. V8 relies on direct memory addressing, and without proper handling a reference can end up pointing to the wrong memory location. This gives attackers the ability to both read from and write to arbitrary memory areas, causing data leaks and arbitrary code execution.

Besides the most serious issue, 2 high-severity vulnerabilities are fixed in the same update. Both also affect the V8 JavaScript engine and are related to a lack of memory write validation and to type confusion. The latter can lead to effects similar to CVE-2024-0519, so it should be treated with the same seriousness. The good news about these two is that there is no evidence of their real-world exploitation.

Google Releases Fix to the Newest 0-day Exploit

The severity of the issue obviously calls for an urgent response from the developer. Fortunately, Google never hesitates to patch such bugs. However, the patch may not be available to all users simultaneously. Here is the list of OS-specific versions that contain the fix.

OS        Version with fix
Windows   120.0.6099.224 (or .225)
macOS     120.0.6099.234
Linux     120.0.6099.224

To check whether you have an updated version of the browser or to check for updates, go to Settings → About Chrome. This will open the menu which checks the update availability each time you open it.


Being the most popular web browser is not only about privileges, as you may witness. Such a humongous user base means increased (if not maxed out) attention from adversaries, who treat such vulnerabilities as nothing short of a gift. For ordinary users, the best way to counteract this is to keep an eye on the latest updates, specifically on what issues they fix.

OAuth2 Session Hijack Vulnerability: Details Uncovered
https://gridinsoft.com/blogs/oauth2-vulnerability-details/
Tue, 09 Jan 2024 08:52:09 +0000

A sophisticated exploit targeting Google’s OAuth2 authentication system was uncovered by a threat actor known as Prisma. It leverages undocumented functionality of Google’s MultiLogin endpoint, enabling attackers to generate and maintain persistent Google cookies even after a password reset.

OAuth2 Vulnerability Allows for Persistent Session Hijacking

The attackers found a way to use specific components within the Chrome browser to hijack sessions without the risk of being interrupted by password changes. They targeted Chrome’s token_service table, part of the WebData database, to exfiltrate tokens and account IDs. This table contains essential information, such as the GAIA ID and the encrypted_token column. Next, the attackers decrypted these tokens using a key stored in Chrome’s Local State file within the UserData directory.

This method is similar to how Chrome stores passwords, indicating that the attackers deeply understood Chrome’s data management system. The exploit’s success relied on the attackers’ ability to navigate and utilize Chrome’s intricate data structures, specifically those related to user authentication and token management.

MultiLogin Endpoint Is The Culprit

The MultiLogin endpoint is a crucial element of Google’s OAuth2 system. It synchronizes Google accounts across various services, ensuring a consistent user experience by aligning the browser account states with Google’s authentication cookies. However, attackers have found a way to exploit this endpoint’s functionality. By providing vectors of account IDs and auth-login tokens, attackers can maintain unauthorized access to Google services.

Although this is a regular operation for the endpoint, attackers have used it maliciously. The endpoint’s low visibility and exploitability make it an ideal target. It is not widely documented or known, and its role in managing simultaneous sessions or user profile switches makes it a potent tool for attackers once they understand how to manipulate it.

The Discovery and Spread of the OAuth2 Exploit

Back in October 2023, a malware developer described a vulnerability in OAuth2 and an exploit for it on their Telegram channel. This exploit uniquely allowed the generation of persistent Google cookies by manipulating tokens. This capability ensured continuous access to Google services, bypassing standard security measures even after resetting the user’s password. Obviously, the exploit’s potential didn’t go unnoticed.

[Figure: Screenshot of the threat actor’s Telegram post announcing a 0-day exploit]

Lumma infostealer was the first to integrate this exploit, in November 2023, employing advanced blackboxing techniques to protect the methodology. This marked the beginning of a trend, as the exploit quickly caught the attention of various malware groups. Following Lumma, malware families such as Rhadamanthys, Stealc, Meduza, Risepro, and WhiteSnake implemented the exploit. Each group brought nuances to the exploit’s application, indicating its versatility among cybercriminals.

Hidden Tactics

In addition, the attackers manipulated the token:GAIA ID pair, which is also essential in Google’s authentication process. This manipulation allowed them to regenerate Google service cookies and maintain unauthorized access to user accounts. Lumma, a key player in exploiting this vulnerability, encrypted the critical token:GAIA ID pair with proprietary private keys. This process, known as “blackboxing,” not only obscured the core mechanics of the exploit but also made it difficult for other malicious entities to replicate the method.

Since the attackers encrypted the communication between their C2 and the MultiLogin endpoint, it was challenging for network security systems to detect the exploit. Standard security protocols often overlook such encrypted traffic, mistaking it for legitimate data exchange.
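
Encrypted C2 traffic hides the MultiLogin step from the network, but the theft itself happens on the endpoint, and that part is observable: a process other than Chrome reads the profile’s “Web Data” file (where the token_service table lives) and the “Local State” file (where the key that decrypts those tokens is kept). The detection below is an added example, not code from this post or from any vendor. It groups file-access events by process and rates a process that touched both files higher than one that touched only one of them. The event schema (ts, process, pid, path, op) is an assumed, generic EDR export, and the events are constructed; the file paths follow Chrome’s real on-disk layout.

```python
"""Host-side detection for the token-theft step described above: a process
other than Chrome reading Chrome's token store ("Web Data", which holds the
token_service table) and the file holding the key that decrypts it ("Local
State"). Added example, not code from the post or from any vendor. The event
schema (ts, process, pid, path, op) is an assumed, generic EDR file-access
export; the events below are constructed."""

import json
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Chrome reads its own profile, so its image name is exempt. Any other process
# touching these files is at least worth a look.
TRUSTED_IMAGES = {"chrome.exe"}

# Files under the Chrome profile directory that the post ties to this attack:
# "Web Data" (token_service) and "Local State" (decryption key). "Login Data"
# is added because the post compares the scheme to Chrome's password storage.
SENSITIVE_FILES = {"web data", "local state", "login data"}
PROFILE_MARKER = "\\google\\chrome\\user data\\"


def sensitive_file_name(path: str) -> Optional[str]:
    """Return the lower-cased sensitive file name if `path` is one, else None."""
    p = path.replace("/", "\\").lower()
    if PROFILE_MARKER not in p:
        return None
    name = p.rsplit("\\", 1)[-1]
    return name if name in SENSITIVE_FILES else None


def image_name(process_path: str) -> str:
    return process_path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def parse_events(jsonl: str) -> List[Dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_token_store_access(events: List[Dict]) -> List[Dict]:
    """Group sensitive-file reads by (image, pid) and rate them.

    high   : the same process touched both the encrypted tokens ("Web Data")
             and the key material ("Local State"), the pairing the post describes
    medium : any other non-Chrome access to a sensitive profile file
    """
    touched: Dict[Tuple[str, int], set] = defaultdict(set)
    first_seen: Dict[Tuple[str, int], str] = {}
    for ev in events:
        name = sensitive_file_name(ev.get("path", ""))
        if name is None:
            continue
        image = image_name(ev.get("process", ""))
        if image in TRUSTED_IMAGES:
            continue
        key = (image, ev.get("pid"))
        touched[key].add(name)
        first_seen.setdefault(key, ev.get("ts", ""))

    alerts = []
    for (image, pid), files in touched.items():
        severity = "high" if {"web data", "local state"} <= files else "medium"
        alerts.append({"ts": first_seen[(image, pid)], "process": image,
                       "pid": pid, "files": sorted(files), "severity": severity})
    return sorted(alerts, key=lambda a: a["ts"])


# Constructed sample events. Paths follow Chrome's real on-disk layout; the
# process names and PIDs are invented.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-09T08:00:01Z", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "pid": 3120, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data", "op": "read"}
{"ts": "2024-01-09T08:00:14Z", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_helper.exe", "pid": 4412, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "op": "read"}
{"ts": "2024-01-09T08:00:15Z", "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_helper.exe", "pid": 4412, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data", "op": "read"}
{"ts": "2024-01-09T08:02:40Z", "process": "C:\\Tools\\backup.exe", "pid": 1200, "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "op": "read"}
{"ts": "2024-01-09T08:03:00Z", "process": "C:\\Tools\\backup.exe", "pid": 1200, "path": "C:\\Users\\alice\\Documents\\notes.txt", "op": "read"}
"""

if __name__ == "__main__":
    for alert in detect_token_store_access(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In production the grouping would be bounded by a time window and the trusted set extended with whatever backup or sync agents legitimately read the profile; the logic that matters is the pairing of the token file with the key file, which is exactly the sequence the post describes and which Chrome itself has no reason to perform from a foreign process.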

Interim Measures for Protection

While Google is working on fixing the vulnerability, there are some immediate steps you can take to protect your account. First, it is recommended that you log out of all your browser profiles. This will invalidate your current session tokens. After logging out, change your password and log in again. The action will generate new session tokens. Such a step is essential because tokens and GAIA IDs may have been stolen, and generating new session tokens will prevent unauthorized access by rendering the old tokens useless.

Google Fixes Critical Vulnerability in Chrome, Exploited in the Wild
https://gridinsoft.com/blogs/google-chrome-critical-vulnerability-fix/
Tue, 12 Sep 2023 20:52:45 +0000

Google has released an urgent security update for its Chrome browser. The patch contains the fix for CVE-2023-4863, a heap buffer overflow vulnerability that is easy to exploit. In fact, Google states that this vulnerability has already been used in the wild. The flaw affects browser builds for all supported OS – Mac, Linux and Windows.

Google Chrome Vulnerability Exploited in the Wild

The heap buffer bug behind CVE-2023-4863 is related to the way Chrome handles WebP images. By default, Windows assigns the browser to display images of that format, and this remains unchanged in the vast majority of cases. Thus, the potential audience for exploitation is humongous: Chrome retains its dominance of the browser market, while WebP steadily substitutes for “classic” image formats.

[Figure: Statcounter browser share; Google Chrome holds a market share of over 63%, as of August 2023]

Originally, the flaw became known on September 6, 2023, after the corresponding research by Apple SEAR and Citizen Lab at The University of Toronto was sent to Google. The company, however, is hesitant to publish more extensive information on the case. All that is known now is that the buffer overflow that happens during WebP image reading can allow for arbitrary code execution. Alternatively, the browser may simply crash, which is to be expected with buffer overflow bugs. On the MITRE CVE resource, the vulnerability is listed but lacks any details beyond the basics I’ve already mentioned.
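
What makes image parsers a recurring source of heap overflows is that every length a decoder reads comes from the file itself. The parser below is an added example, not Chrome’s or libwebp’s code, and it does not reproduce CVE-2023-4863, whose details the post says Google has not published. It walks the WebP RIFF container, rejecting any chunk whose declared size would run past the end of the buffer before a single payload byte is touched, and decodes the VP8L lossless header so that image dimensions, which drive allocation sizes, are validated rather than trusted. The sample files are constructed and carry only a header, not a decodable bitstream.

```python
"""Defensive parser for the WebP (RIFF) container: every chunk length is
checked against the buffer before any byte of the payload is read, and the
VP8L header's declared dimensions are decoded so a decoder can bound its
allocations by them instead of trusting the data. Added example, not the
Chrome/libwebp code and not a reproduction of CVE-2023-4863, whose details the
post says Google has not published. Sample images are constructed and carry
only a header, not a decodable bitstream."""

import struct
from dataclasses import dataclass
from typing import List, Tuple


class MalformedWebP(ValueError):
    """Raised for any container or header field that does not fit the data."""


@dataclass
class Chunk:
    fourcc: str
    offset: int  # offset of the payload within the buffer
    size: int    # declared payload size (excluding the pad byte)


def parse_webp_chunks(data: bytes) -> List[Chunk]:
    """Walk the RIFF chunk list, refusing any length that overruns the buffer."""
    if len(data) < 12:
        raise MalformedWebP("shorter than the 12-byte RIFF/WEBP header")
    if data[0:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise MalformedWebP("missing RIFF/WEBP signature")
    riff_size = struct.unpack_from("<I", data, 4)[0]  # bytes after this field
    end = 8 + riff_size
    if riff_size < 4 or end > len(data):
        raise MalformedWebP(f"RIFF size {riff_size} inconsistent with {len(data)}-byte buffer")
    chunks: List[Chunk] = []
    pos = 12
    while pos < end:
        if end - pos < 8:
            raise MalformedWebP(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        # Bounds check before touching the payload: `size` is attacker-controlled
        # and is exactly the kind of field a heap overflow hinges on.
        if size > end - payload:
            raise MalformedWebP(f"chunk {fourcc} declares {size} bytes, "
                                f"only {end - payload} remain")
        chunks.append(Chunk(fourcc, payload, size))
        pos = payload + size + (size & 1)  # odd-sized payloads are padded
    return chunks


def vp8l_dimensions(payload: bytes) -> Tuple[int, int, bool]:
    """Decode the 5-byte VP8L (lossless) header: width, height, alpha flag."""
    if len(payload) < 5:
        raise MalformedWebP("VP8L header needs at least 5 bytes")
    if payload[0] != 0x2F:
        raise MalformedWebP("bad VP8L signature byte")
    bits = struct.unpack_from("<I", payload, 1)[0]
    width = (bits & 0x3FFF) + 1           # 14 bits, stored as width - 1
    height = ((bits >> 14) & 0x3FFF) + 1  # 14 bits, stored as height - 1
    alpha = bool((bits >> 28) & 1)
    if bits >> 29 != 0:                   # 3-bit version, must be zero
        raise MalformedWebP("unsupported VP8L version")
    return width, height, alpha


def is_well_formed(data: bytes) -> bool:
    try:
        parse_webp_chunks(data)
        return True
    except MalformedWebP:
        return False


def build_webp(chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a RIFF/WEBP container from (fourcc, payload) pairs (test helper)."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed 16x8 lossless header (no alpha, version 0) followed by filler.
VP8L_HEADER = b"\x2f" + struct.pack("<I", (16 - 1) | ((8 - 1) << 14)) + b"\x00" * 3
SAMPLE_OK = build_webp([(b"VP8L", VP8L_HEADER)])
# Same file with the chunk length field (offset 16) set to 0xFFFFFFFF.
SAMPLE_OVERSIZED = SAMPLE_OK[:16] + struct.pack("<I", 0xFFFFFFFF) + SAMPLE_OK[20:]
# Same file cut short so the RIFF size no longer fits the buffer.
SAMPLE_TRUNCATED = SAMPLE_OK[:-3]

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED),
                          ("truncated", SAMPLE_TRUNCATED)):
        print(label, "well-formed" if is_well_formed(sample) else "rejected")
```

The two malformed samples show the two directions a length field can lie in: a chunk claiming more bytes than exist, and a file that ends before its own header says it should. A decoder that indexes into the payload before running these checks is reading past the buffer in both cases.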

How Critical Is CVE-2023-4863?

Arbitrary/remote code execution bugs commonly receive the highest marks on exploit severity ratings. Combined with ease of in-the-wild use and a large selection of targets, the threat becomes truly massive. Millions of people use Chrome on a daily basis, and encountering WebP images is common as well. Hackers can try to do whatever they want to millions of users simply by sending a specially crafted image.

Protect Yourself Against Chrome Exploits

Despite Google being sluggish in publishing how the exploit works, they are fast with updates. Versions 116.0.5845.187/.188 for Windows (Stable/Extended) and 116.0.5845.187 for Mac have the vulnerability fixed. Updating the browser is plain and simple: go to Settings and scroll down to the About Chrome button. Clicking it initiates the update check, and if a newer version is available, you’ll receive it.
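
The About Chrome page answers the question for one machine; a fleet needs the same answer from inventory data. The script below is an added example, not Google’s code, and serves both this post and the CVE-2024-0519 post above: it holds the fixed builds those posts quote (116.0.5845.187 for Windows and Mac here; 120.0.6099.224, 120.0.6099.234 and 120.0.6099.224 for Windows, macOS and Linux there) and compares an installed version against them field by field. No Linux build is given for the 2023 fix in the post, so none is recorded rather than guessed, and a CVE without a recorded build for an OS is skipped rather than reported as fixed. The version strings in the test are constructed.

```python
"""Check an installed Chrome build against the fixed versions quoted in the
two patch posts: CVE-2023-4863 (116.0.5845.187 for Windows Stable and Mac;
Windows Extended got .188) and CVE-2024-0519 (120.0.6099.224 Windows, with
.225 also listed; 120.0.6099.234 macOS; 120.0.6099.224 Linux). Added example,
not Google's code; the 2023 post gives no Linux build, so none is recorded."""

from typing import Dict, List, Tuple

# Lowest build that carries the fix, per OS, straight from the posts.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2023-4863": {"windows": "116.0.5845.187", "mac": "116.0.5845.187"},
    "CVE-2024-0519": {"windows": "120.0.6099.224", "mac": "120.0.6099.234",
                      "linux": "120.0.6099.224"},
}

_OS_ALIASES = {"windows": "windows", "win": "windows", "win32": "windows",
               "mac": "mac", "macos": "mac", "darwin": "mac", "osx": "mac",
               "linux": "linux"}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'120.0.6099.224' -> (120, 0, 6099, 224). Chrome always has four fields."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch


def is_patched(installed: str, fixed: str) -> bool:
    """Numeric, field-by-field comparison. A plain string compare would call
    116.0.5845.99 newer than 116.0.5845.187, which is wrong."""
    return parse_version(installed) >= parse_version(fixed)


def outstanding_cves(installed: str, os_name: str) -> List[str]:
    """CVEs from the table whose fix the installed build does not yet contain.

    A CVE with no recorded fixed build for this OS is skipped, not assumed fixed.
    """
    os_key = _OS_ALIASES.get(os_name.strip().lower())
    if os_key is None:
        raise ValueError(f"unknown OS {os_name!r}")
    return [cve for cve, per_os in FIXED_VERSIONS.items()
            if os_key in per_os and not is_patched(installed, per_os[os_key])]


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, OS, installed Chrome version).
    for host, os_name, version in (("ws-01", "windows", "116.0.5845.187"),
                                   ("mb-07", "macOS", "120.0.6099.224"),
                                   ("lx-03", "linux", "120.0.6099.224")):
        missing = outstanding_cves(version, os_name)
        print(f"{host}: Chrome {version} on {os_name}: "
              f"{'missing ' + ', '.join(missing) if missing else 'up to date for listed CVEs'}")
```

The macOS row is the instructive one: 120.0.6099.224 is the Windows and Linux fix for CVE-2024-0519, but the post lists 120.0.6099.234 for macOS, so the same version string is patched on one platform and not on another. Keying the table by OS is what catches that.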

But what can you do to avoid falling victim to exploits that have not yet been uncovered and/or patched? Zero-trust is the only option that gives you reliable protection against such exploits. Its name is self-explanatory: solutions with such a policy treat any program as potentially dangerous. However, solutions of this kind are mostly aimed at corporate clients, and overall, the downsides of having a paranoid security solution on your system outweigh its situational benefits. For individual users, I’d recommend looking at other options.

Your own awareness gives you a great advantage. The vast majority of phishing attacks rest on a single assumption: that the victim will be too ignorant and reckless to notice the incoming fraud. And what can be more pleasant than crushing fraudsters’ hopes? Sure, this requires knowing exactly what to look for, but these tips will serve you well even beyond scam avoidance.

The post Google Fixes Critical Vulnerability in Chrome, Exploited in the Wild appeared first on Gridinsoft Blog.

Predasus Malware Attacks Latin America Through Browser Plugins
https://gridinsoft.com/blogs/predasus-malware-latin-america-browser-plugins/
Tue, 01 Aug 2023 10:24:53 +0000
Latin America has been hit by cyberattacks using malicious Google Chrome extensions. Attackers targeted financial institutions, booking sites, and instant messaging. The malware used in these attacks was dubbed Predasus.

Predasus Malware Targets Chromium-based Browsers in Latin America

Threat analysts have discovered a new malware strain called “Predasus”. Attackers use it to insert harmful code through a Chrome extension and employ this method to attack various sites, including WhatsApp’s web version. The attackers enter and exploit the targeted websites through legitimate channels to deploy Predasus, enabling them to steal users’ confidential and financial data. Predasus engages in several malicious activities, such as obtaining sensitive information like login details, financial data, and personal information.

Predasus attack steps (image). Source: IBM Security Intelligence

Predasus Infection Chain

Browser extensions can infect your device in various ways. They may exploit browser or operating system vulnerabilities, or rely on social engineering to trick users into downloading them. The scenario is classic: a user opens an email attachment, such as a PDF, Word, or Excel file. The attachment contains malware that stealthily infects the user’s computer and is deployed automatically once downloaded. The malware then connects to the first command and control (C&C) server and downloads several files, which are written to a folder named “extension_chrome” in the %APPDATA% folder. It terminates any process associated with Google Chrome and creates malicious .LNK files in several locations, replacing legitimate ones. In addition, the extension requests the following permissions:

  • “tabs”: Allows the extension to access and modify browser tabs and their content.
  • “background”: Allows the extension to run in the background, even when the extension’s popup window is closed.
  • “storage”: Allows the extension to store and retrieve data from the browser’s local storage.
  • “alarms”: Allows the extension to schedule tasks or reminders at specific times.
  • “cookies”: Allows the extension to access and modify cookies for any website the user visits.
  • “idle”: Allows the extension to detect when the user’s system is idle (i.e., not being actively used).
  • “webRequest”: Allows the extension to monitor, block, or modify network requests made by the browser.
  • “webRequestBlocking”: Allows the extension to block network requests made by the browser.
  • “system.display”: Allows the extension to detect and adjust display settings on the user’s system.
  • “http://*/*”: Allows the extension to access any HTTP website.
  • “https://*/*”: Allows the extension to access any HTTPS website.
  • “browsingData”: Allows the extension to clear the user’s browsing data (such as history and cache) for specific websites.

Some of these permissions pose a risk because they allow an extension to access or modify sensitive user data.
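The risk of a permission set like the one above comes less from any single entry than from the combinations: broad host access together with “webRequest”/“webRequestBlocking” lets an extension observe and rewrite traffic to every site, and together with “cookies” it can read session cookies for every site. The following script is an added example, not code from the article or from IBM; it audits an extension’s manifest.json against that logic. The manifest it parses is constructed for illustration from the permission list above (the “background” entry is kept as the article lists it, although real manifests declare background scripts separately), and the severity labels are this example’s own judgement.

```python
import json

# Constructed sample manifest modelled on the permission list reported for
# Predasus. Illustration only, not the malware's actual file.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Sample extension",
    "version": "1.0",
    "permissions": [
        "tabs", "background", "storage", "alarms", "cookies", "idle",
        "webRequest", "webRequestBlocking", "system.display",
        "http://*/*", "https://*/*", "browsingData",
    ],
})

# Severity assignments are a judgement made for this example.
HIGH_RISK = {
    "cookies": "read and modify cookies for any site the extension can reach",
    "webRequest": "observe every request the browser makes",
    "webRequestBlocking": "block or rewrite requests synchronously",
    "tabs": "read tab URLs and titles and script pages",
    "browsingData": "wipe history and cache, which can hide evidence",
}
MEDIUM_RISK = {
    "storage": "persist stolen data or configuration locally",
    "alarms": "schedule periodic tasks such as beaconing",
    "idle": "learn when the user is away from the machine",
    "system.display": "fingerprint or change display settings",
}


def is_broad_host_pattern(pattern):
    """True for match patterns that cover every HTTP/HTTPS origin."""
    return pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def audit_manifest(manifest_text):
    """Parse a manifest.json string and return findings, risky combinations
    and a numeric score (3 per high finding, 1 per medium finding)."""
    manifest = json.loads(manifest_text)
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    perms = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))

    findings = []
    for perm in perms:
        if perm in HIGH_RISK:
            findings.append(("high", perm, HIGH_RISK[perm]))
        elif perm in MEDIUM_RISK:
            findings.append(("medium", perm, MEDIUM_RISK[perm]))
        elif is_broad_host_pattern(perm):
            findings.append(("high", perm, "host access to every site"))

    broad_hosts = [p for p in perms if is_broad_host_pattern(p)]
    combinations = []
    if broad_hosts and "webRequest" in perms and "webRequestBlocking" in perms:
        combinations.append("can intercept and rewrite traffic to any site")
    if broad_hosts and "cookies" in perms:
        combinations.append("can read session cookies for any site")

    score = sum(3 if severity == "high" else 1 for severity, _, _ in findings)
    return {"findings": findings, "combinations": combinations, "score": score}


def format_report(result):
    """Render an audit result as plain text, one line per finding."""
    lines = [f"risk score: {result['score']}"]
    for severity, perm, why in result["findings"]:
        lines.append(f"  [{severity:6}] {perm}: {why}")
    for combo in result["combinations"]:
        lines.append(f"  [combo ] {combo}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_manifest(SAMPLE_MANIFEST)))
```

To audit a real extension, point `audit_manifest` at the contents of its manifest.json from the browser’s extension directory; a high score with both combinations present is exactly the profile the article describes.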

What data is at risk?

According to IBM Security Lab, Predasus has been seen in many malicious activities, including modifying browser behavior and stealing sensitive data such as login credentials, financial information, and personal data. In addition, this attack targets WhatsApp Web. Since WhatsApp is popular in countries such as Brazil, Mexico, and India, attackers can collect plenty of potentially valuable information. Using a phishing payment site, the scammers steal payment information from the victim under the guise of paying for a subscription. The phishing site also asks for the confirmation code that the victim received via text message, and in this way the fraudsters gain access to the victim’s bank account. Ultimately, the attackers sell the obtained data on the Darknet.

Safety Tips

To avoid unpleasant consequences, you must practice cyber hygiene and watch what you install. Hackers always seek new ways of spreading malware, and your attentiveness can effectively repel their attempts.

  • Be careful with the emails you receive. This advice is repeated again and again, as hackers keep using spoofed emails to spread malware. A strange subject, an unknown sender, typos: all such things should raise suspicion.
  • Only download extensions you’re sure about. Even using the Chrome Web Store as a source does not mean you’re safe. Hackers have their ways of uploading malicious plugins even to this marketplace, let alone third-party sources.
  • Use two-factor authentication, and regularly update your browser and extensions to stay safe.
  • Use effective anti-malware software. When it comes to protecting against malware attacks from different vectors, it is quite easy to miss something at some point. To avoid problems, a backup protection option is essential. GridinSoft Anti-Malware can offer you great protection, both reactive and proactive.

The increase in harmful Chrome extensions is concerning and emphasizes the importance of being cautious while browsing the web. There are concerns that this malware campaign may spread to North America and Europe.


Chrome Extension ViperSoftX Steals Passwords and Cryptocurrency
https://gridinsoft.com/blogs/chrome-extension-venomsoftx/
Thu, 24 Nov 2022 18:14:40 +0000
A Windows malware strain designed to steal cryptocurrency and clipboard contents installs a malicious VenomSoftX Chrome extension on users’ machines. The extension works like a RAT (Remote Access Trojan), stealing victims’ data and cryptocurrency.

Let me remind you that we also reported that a Malicious Ledger Live extension for Chrome steals Ledger wallet data, and that 295 Chrome extensions injected ads into search results.

The existence of ViperSoftX malware has been known to security experts since 2020; Cerberus and Fortinet, for example, have already reported on it. Now the malware has been studied in detail by Avast experts, who report that it has changed noticeably since then.

The company report says that since the beginning of 2022, Avast has detected and stopped 93,000 ViperSoftX attack attempts against its customers, mainly affecting users from the United States, Italy, Brazil and India. At the same time, it is known that the main distribution channel for malware is torrent files of game cracks and activators for various software.

After examining the wallet addresses that are hard-coded in the ViperSoftX and VenomSoftX samples, the experts found that as of November 8, 2022, the attackers “earned” about $130,000. Moreover, the stolen cryptocurrency was obtained solely by redirecting cryptocurrency transactions on hacked devices, that is, this amount does not include profit from other activities of hackers.

Chrome extension VenomSoftX

The new variants of ViperSoftX do not differ much from those studied earlier, that is, they can steal data from cryptocurrency wallets, execute arbitrary commands, download payloads from the control server, and so on. The main difference between the new versions of ViperSoftX is the installation of an additional malicious VenomSoftX extension in the victim’s browsers (Chrome, Brave, Edge, Opera).

To hide from the victim, the extension masquerades as Google Sheets 2.1, allegedly created by Google, or as something called Update Manager.


Although VenomSoftX largely duplicates the functionality of ViperSoftX (both malware target the cryptocurrency assets of victims), the extension itself carries out the theft differently, which increases the chances of attackers to succeed.

“VenomSoftX basically steals crypto by intercepting API requests for several very popular crypto exchanges that victims visit or have an account on,” the experts explain.

In particular, the targets of VenomSoftX are Blockchain.com, Binance, Coinbase, Gate.io and Kucoin, and the extension monitors the user’s clipboard and replaces any addresses of cryptocurrency wallets (as Carabank Group did, for example) that get there, with the addresses of attackers.


In addition, the extension can change the HTML code on sites to detect the address of the user’s cryptocurrency wallet, while manipulating elements in the background and redirecting payments to attackers.

To determine the victim’s assets, the VenomSoftX extension intercepts all API requests to the aforementioned cryptocurrency services, and then sets the maximum available transaction amount, stealing all available funds.

Moreover, in the case of Blockchain.info, the extension will try to steal the password entered on the site.

“The module focuses on www.blockchain.com and tries to intercept https://blockchain.info/wallet. It also changes the getter of the password input field in order to steal the entered passwords. After sending the request to the API endpoint, the wallet address is extracted from the request, associated with the password, and sent to the faucet as base64-encoded JSON via MQTT,” explains Avast.

The researchers say it’s easy to detect such fake Google Sheets: the real Google Sheets are usually installed in Chrome as an app (chrome://apps/) and not as an extension, which is fairly easy to check on said page. If the extension is present in the browser, you should remove it as soon as possible, clear the data, and probably change the passwords.

“This Site Can’t Provide a Secure Connection”: How to Fix
https://gridinsoft.com/blogs/this-site-cant-provide-a-secure-connection-fix-guide/
Wed, 16 Nov 2022 16:19:39 +0000
Every active Internet user has encountered error messages at least once, especially security-related ones. For example, the “This site can’t provide a secure connection” notification can be alarming. However, more often than not, this problem is caused by your web browser and is relatively easy to fix. In this article, we’ll look at the root causes of this error message and tell you how to troubleshoot it.

What the error “This Site Can’t Provide a Secure Connection” means

First, let’s find out what a “secure connection” is. It is a connection to a website that uses the secure Hypertext Transfer Protocol (HTTPS) rather than plain HTTP. Browsers usually mark secure websites with a lock icon at the beginning of the address bar, confirming that the connection is secure. A secure connection means that all data packets your device exchanges with the server are encrypted, so a third party is not able to see the contents. HTTPS offers significant security advantages over HTTP but imposes strict requirements for compliance. One of these is a valid SSL certificate. Thus, the “This site can’t provide a secure connection” error tells us there is a problem with the SSL certificate: the site claims to support HTTPS but either does not provide a certificate or provides an invalid one. If the browser can’t verify the certificate, it won’t load the site and will display this error message instead.

Security check padlock icon
If you see this lock, it means the website is safe

Causes of the “This Site Can’t Provide a Secure Connection” error

If you see a site security warning, it does not necessarily mean the site is unsafe. Although that is not impossible, more often than not the cause is less dangerous. The problem can be divided into problems with the web browser or system configuration and issues with the site itself. You can check this by opening the problem page in several browsers. If the error appears in one browser but the page loads fine in another, the problem is probably in the browser (usually its cache). If the error appears in all browsers, the problem is either with your computer or with the site. Listed below are the most common causes of this error message:

  • Incorrect time and date settings on your device. If your laptop has the wrong date and time settings, this can cause problems with SSL certificate validation. Your PC may think the certificate has already expired or, more comically, has not been issued yet.
  • Outdated SSL caches in your browser. This is one of the most common causes. Because web browsers store SSL certificates in a cache, they don’t need to check the certificate every time you visit a site, which speeds up browsing. However, if the SSL certificate changes but the browser still loads an older version from the cache, it can cause this error.
  • Invalid or expired SSL certificate. Certificates must be renewed periodically. You will see this error if the website’s SSL certificate has expired.
  • Faulty browser extensions. An incorrectly working browser extension can also cause problems with certificate validation. Often it’s a simple error caused by poor design, though sometimes the extension can be malicious.
  • Overzealous antivirus. Incorrectly configured antivirus software can sometimes produce this message erroneously. This may be due to an encryption error.
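The first and third causes above (a wrong system clock versus a genuinely expired certificate) look identical from the browser’s point of view, because the browser can only compare the certificate’s validity window with the clock it has. The script below is an added example, not part of the original article; it uses the date strings in the dict shape that Python’s `ssl.SSLSocket.getpeercert()` returns and classifies the certificate against two clocks, the local system clock and a trusted reference clock, so that a disagreement points at clock skew rather than at the certificate. The sample certificate dict and its dates are constructed for illustration. The `fetch_peer_cert` helper is the only part that touches the network and is not needed for the offline check.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The dates are chosen for illustration and are not from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def classify_validity(cert, now_epoch):
    """Return 'valid', 'expired' or 'not_yet_valid' for the certificate
    when judged at the given Unix time (seconds, UTC)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        return "not_yet_valid"
    if now_epoch > not_after:
        return "expired"
    return "valid"


def diagnose(cert, system_clock_epoch, reference_clock_epoch):
    """Judge the certificate with the local clock and with a trusted
    reference clock (for example one taken from an NTP-synced host).
    Returns (verdict_by_system_clock, likely_cause):
      'clock_skew'        the two clocks disagree, fix the system time
      'certificate_state' both clocks agree, the certificate itself is
                          the issue (or there is none, if verdict is 'valid')
    """
    local_verdict = classify_validity(cert, system_clock_epoch)
    reference_verdict = classify_validity(cert, reference_clock_epoch)
    if local_verdict != reference_verdict:
        return local_verdict, "clock_skew"
    return local_verdict, "certificate_state"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Network helper (not used offline): fetch a server's certificate with
    normal verification. If verification fails, return the verifier's
    message instead of a cert dict so the caller can tell the two apart."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"verify_error": exc.verify_message}


if __name__ == "__main__":
    # A machine whose clock is stuck in 2023 looking at a 2024 certificate:
    # the local verdict is 'not_yet_valid' while the reference clock says 'valid'.
    print(diagnose(SAMPLE_CERT, system_clock_epoch=1700000000, reference_clock_epoch=1720000000))
```

In practice you would pass `time.time()` as the system clock and a timestamp obtained from a trusted source as the reference; if `diagnose` reports `clock_skew`, correcting the date and time is the fix, and if it reports `certificate_state` with `expired`, only the site operator can resolve it.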

Fix the “This Site Can’t Provide a Secure Connection” error

Fortunately for the user, solving the problem does not require any serious effort. In certain cases, however, you will have to live with the error until the other party deals with its outdated certificate. Below we look at how to eliminate the secure connection error.

Set the correct date and time

A certificate’s validity period matters, and the browser checks both its issue date and its expiration date against your system clock. An incorrect date or time zone can therefore lead to a secure connection error in the Chrome browser. Ensure that the time on your system is synchronized with your current time zone. In most cases, this simple solution is effective.

Clear Chrome’s browsing data

If the problem persists after setting the date and time, try clearing Chrome’s cache and cookies. To do this, press Ctrl + Shift + Delete, select the time range “All time”, and click “Clear data”.

Clear browsing data

Check recently installed extensions

Recently installed extensions and ad blockers can interfere with how sites display in Chrome. First, try removing these extensions and then reloading the web page. To remove extensions from Chrome, follow these steps:

First, open the Chrome browser and type chrome://extensions in the address bar.

Extensions check

This will take you to the extensions page, where you can click on the “Remove” button next to your recently installed extensions.

Remove extensions

You can do the same step to disable ad blockers.

Check your antivirus and firewall settings

Sometimes the connection error in Chrome occurs because of overly aggressive or incorrect settings in the antivirus and firewall installed on your PC. Most modern antivirus programs scan websites for malicious elements and other security threats. They also check the SSL/TLS versions the website uses, and if the website uses an outdated version of SSL, the antivirus will block it. In this case, you can solve the problem by temporarily disabling the antivirus. However, that would not be safe.

Clear SSL state

If the above methods don’t help, try to clear the SSL status. To do this, perform the following steps:

  • Open the Start menu.
  • Search for and open Internet Properties.
  • Select the Content tab.
  • Click Clear SSL State.

Clear SSL

Disable the QUIC protocol

QUIC (Quick UDP Internet Connections) provides a connection equivalent to TLS/SSL to Google’s servers. QUIC is enabled by default in Chrome. To disable it, copy chrome://flags/#enable-quic, paste it into the address bar, and press Enter. At the top of the page, the Experimental QUIC protocol flag is set to Default. Set it to Disabled and restart Chrome.

Disable QUIC protocol

Enable TLS and SSL support

TLS and SSL are old protocols that are disabled in most browsers and operating systems. Since most websites use much more secure and faster protocols, Chrome did not let you visit this site and warned you that it was not secure. However, you can enable TLS/SSL protocol support:

  • Open the Control Panel and find Internet Options.
  • Click the Advanced tab.
  • Scroll down, select TLS 1.0, TLS 1.1, TLS 1.2, SSL 3.0, and SSL 2.0, and click “OK”.

Security protocol settings

Restart your computer and try to visit the web page.

Chrome 0-day Vulnerability Used to Attack Candiru Malware
https://gridinsoft.com/blogs/0-day-vulnerability-in-chrome/
Mon, 25 Jul 2022 09:24:34 +0000
Avast has discovered that DevilsTongue spyware, created by Israeli company Candiru, exploited a 0-day vulnerability in Google Chrome to spy on journalists and others in the Middle East.

The vulnerability in question is the CVE-2022-2294 bug, which was fixed by Google and Apple engineers earlier this month.

Let me remind you that we also wrote that SpookJS Attack Allows to Bypass Site Isolation In Google Chrome.

The vulnerability in question is a heap buffer overflow in the WebRTC component and was first reported by information security expert Jan Vojtěsek from the Avast Threat Intelligence team. Even then, it was known that the bug was being exploited in real attacks, but no details were disclosed.

As Avast experts now say, the vulnerability was discovered after investigating a spyware attack on one of the company’s customers. According to experts, Candiru started using CVE-2022-2294 back in March 2022, attacking users in Lebanon, Turkey, Yemen and Palestine.

The spyware operators used the watering hole tactic that is standard for such campaigns. The term refers to attacks built by analogy with predators that hunt at a watering hole, waiting for prey that has come to drink. In practice it means that attackers inject malicious code into legitimate sites, where it waits for victims.

In this case, by compromising a site, the hackers expected it to be visited by their targets using a browser vulnerable to CVE-2022-2294. In one case, the website of an unnamed Lebanese news agency was hacked and injected with JavaScript that enabled XSS attacks and redirected the victim to a server hosting the exploits.

0-day vulnerability in Chrome

The attack was particularly nasty in that it did not require any interaction with the victim (such as clicking on a link or downloading something). To compromise, it was enough to simply open a malicious site in Google Chrome or another Chromium-based browser (including Edge, as well as Safari, since the vulnerability was related to WebRTC).

To make sure they attack only the right people, the hackers created victim profiles by collecting a lot of data, including information about the victim’s system language, time zone, screen size, device type, browser plugins, device memory, cookies, and more.

It is also noted that in the case of the Lebanese attacks, the 0-day not only allowed the attackers to execute shellcode inside the rendering process, but was also chained with some kind of sandbox escape vulnerability that Avast was unable to recover for analysis.

Once the DevilsTongue malware had finally infiltrated the victim’s system, it tried to elevate privileges by installing a Windows driver containing another unpatched vulnerability. Thus, the total number of 0-day bugs involved in this campaign was at least three.

Once the driver was installed, DevilsTongue used the security hole to gain access to the kernel, the most sensitive part of any OS. Researchers call this attack method BYOVD (“bring your own vulnerable driver”). It allows malware to bypass OS protections, since most drivers automatically have access to the OS kernel.

“We don’t know exactly what the attackers may have been after, but attackers often target journalists to spy on them and the material they are working on, or to get to their sources, as well as to collect compromising evidence and confidential data that they shared with press,” Avast experts say.

Let me remind you that the DevilsEye spyware, which was developed by the Israeli company Candiru and then sold to governments of different countries, was described in detail by Microsoft specialists last year. Even then, it was known that politicians, human rights defenders, activists, journalists, scientists, embassies and political dissidents in various countries around the world were suffering from attacks with this malware.
