If you do not use Chrome, let me remind you that this function is applied to synchronize data between different user’s devices, and stores copies of all user bookmarks, browsing history, passwords, as well as browser settings and browser extensions on Google cloud servers.

However, as it turned out, synchronization can be used to send commands to infected browsers, as well as steal data from infected systems, bypassing firewalls and other means of protection.

Zdrnya writes that in the course of the incident he studied, the attacker gained access to the victim’s computer, but was unable to steal the data, since it was inside the employee portal. Then the hacker downloaded a malicious Chrome extension to the victim’s machine and launched it through Developer Mode.

The extension masked itself as a security product from Forcepoint and contained malicious code that abused the synchronization function, allowing an attacker to control the infected browser. In this case, the extension was used to manipulate data in an internal web application that the victim had access to.

The malicious code found in the extension allowed an attacker to create a special text field to store token keys, which were then synchronized with Google cloud servers.

According to the researcher, any data can be stored in such a field: it could be information collected by a malicious extension about an infected browser (for example, usernames, passwords, cryptographic keys, etc.), or, on the contrary, commands that the extension must execute on the infected host.

Thus, a malicious extension can be used to “drain” data from corporate networks into the attacker’s Chrome, and bypassing local protection tools. After all, stolen content or commands are transmitted through the Chrome infrastructure, and the Google browser is usually allowed to work and transfer data without hindrance, that is, the hacker’s activity will not raise suspicion and will not be blocked in most corporate networks.

Instead, the researcher advises using corporate Chrome features and group policies to block or tightly control extensions that can be installed in the browser.

As I mentioned, recently Google Chrome fixed two 0-day vulnerability in two week, that was under attacks.

The post Researcher discovered that Chrome Sync function can be used to steal data appeared first on Gridinsoft Blog.

All this time, Cereals exploited only one vulnerability and attacked D-Link’s NAS and NVR, combining them into a botnet.

For many years, the botnet has eluded the attention of information security professionals, and now it has almost ceased to exist.

“The fact is that the vulnerable D-Link devices on which Cereals parasitized began to become obsolete and out of order, that is, they are becoming smaller and smaller. In addition, the ransomware Cr1ptT0r accelerated the decay of the botnet, which destroyed the competing malware on infected devices and removed the Cereals malware from many D-Link devices in the winter of 2019”, — say Forcepoint researchers.

Now, as the botnet and the vulnerable devices that it has exploited are disappearing, Forcepoint experts decided to publish a report on the activities of the malware, because they can no longer be afraid that the study will draw the attention of other criminals to vulnerable devices and provoke the emergence of new botnets.

Experts write that Cereals can be called a unique phenomenon, since the botnet used only one vulnerability throughout all eight years of its “life”.

This vulnerability was related to the SMS notification feature that was present in the D-Link NAS and NVR firmware. The bug allowed the creator of Cereals to send malicious HTTP requests to the embedded servers of vulnerable devices and execute commands with root privileges. In this way, the botnet operator infected the devices with its malware.

“The botnet was very advanced in its functionality. Therefore, if the attack succeeded, Cereals supported up to four active backdoors on the devices, tried to patch the attacked devices so that other attackers could not attack them, and distributed bots on 12 small subnets”, – say the researchers.

However, all these efforts, in fact, were a waste of time. Forcepoint analysts believe that Cereals was someone else’s hobby or a project created as a joke (it is assumed that the author of the malware is called Stefan and he lives in Germany).

The fact is that the botnet did not engage in DDoS attacks, did not try to attack any other devices other than the above, did not try to access user data stored on infected devices. Instead, all these years Cereals just methodically downloaded anime.

However, this is the cutest botnet I talked about on this blog – others are mostly not like that, for example, read an article about Hoaxcalls botnet, that attacks Grandstream devices.

The post For eight years, the Cereals botnet existed for only one purpose: it downloaded anime appeared first on Gridinsoft Blog.