Posts

Vulnerability: Google Chrome Browser – CVE-2018-6148: Incorrect handling of CSP header

On May 23rd, 2018, a security researcher reported a vulnerability in Chrome for desktop (versions prior to 67.0.3396.79) that caused the browser to mishandle the Content Security Policy (CSP) header. CSP lets website developers declare, in a response header, which origins the browser may load scripts, frames and other content from; it is a second layer of defense that limits the damage of an injection bug the site itself has not fixed. Because the policy is enforced by the browser, a bug in Chrome's handling of the header can silently weaken or disable that protection, exposing users of affected sites to cross-site scripting, clickjacking (CSP's frame-ancestors directive is what lets a site forbid being framed) and other code-injection attacks the policy was meant to block.

Google released Chrome 67.0.3396.79 to the stable channel on June 5, fixing the vulnerability. Google has assigned CVE-2018-6148 to the bug but, as is usual for Chrome, is restricting access to the bug details until the majority of users have updated, to shorten the window in which attackers could derive an exploit from them.
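A browser bug is one way a site's CSP can stop protecting its users; a permissive policy does the same without any bug. The following JavaScript is an added example, not code from Chrome, Google or the original post: it parses a Content-Security-Policy header value the way a browser does (directives split on ';', the first occurrence of a repeated directive wins, fetch directives fall back to default-src) and flags settings that leave a site open to the attack classes named above. The two sample policies are constructed for this example and the 'nonce-r4nd0m' value is a placeholder.

```javascript
// Added example, not code from Chrome or the original post: a minimal
// Content-Security-Policy header parser and auditor. Runs in Node.js or a
// browser console.

// Parse a CSP header value into a Map of directive name -> source list.
// Directives are separated by ';' and tokens by whitespace; if a directive
// is repeated, browsers keep the first occurrence and ignore the rest.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (policy.has(name)) continue;
    policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Effective source list for a fetch directive: the directive itself if set,
// otherwise default-src, otherwise null (meaning "unrestricted").
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Audit a policy for weaknesses relevant to XSS, clickjacking and injection.
// Returns an array of finding strings; an empty array means nothing flagged.
function auditCsp(headerValue) {
  const policy = parseCsp(headerValue);
  const findings = [];

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('script-src: no script-src or default-src, scripts are unrestricted');
  } else {
    const src = scripts.map((s) => s.toLowerCase());
    const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // With a nonce or hash present, browsers ignore 'unsafe-inline' (CSP level 2+),
    // so it is only a finding when neither is present.
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src: 'unsafe-inline' without nonce/hash lets injected inline scripts run");
    }
    if (src.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' permits eval()-style code injection");
    }
    if (src.some((s) => s === '*' || s === 'https:' || s === 'http:')) {
      findings.push('script-src: wildcard scheme/host allows scripts from any origin');
    }
  }

  if (!policy.has('frame-ancestors')) {
    findings.push('frame-ancestors: missing, the page can be framed (clickjacking)');
  }
  if (effectiveSources(policy, 'object-src') === null) {
    findings.push("object-src: missing, plugin content is unrestricted; add object-src 'none'");
  }
  return findings;
}

// Constructed sample policies (not from any real site). The nonce is a placeholder.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; " +
  "frame-ancestors 'none'; base-uri 'self'";

for (const [label, policy] of [['weak', WEAK_POLICY], ['hardened', HARDENED_POLICY]]) {
  const findings = auditCsp(policy);
  console.log(`${label}: ${findings.length === 0 ? 'no findings' : findings.join('\n  ')}`);
}
```

The weak policy above produces three findings (inline scripts allowed, scripts from any HTTPS origin allowed, framing allowed); the hardened one produces none. Run it against the header your own site returns, for example the value shown in the browser's network inspector, to see which of the protections a browser bug like this one would be removing.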

Proficio Threat Intelligence Recommendations:

  • Update Chrome to the latest version
  • Keep browsers and other applications current with security patches, and enable automatic updates where the environment allows it

Patch Release Page – Click Here
General Info – Click Here

Method: Roaming Mantis Malware

Kaspersky Lab has detailed Android malware, dubbed Roaming Mantis, mainly targeting Chinese and Korean users. The malware is designed to steal the two-factor authentication codes for Google accounts that are delivered via SMS/MMS.

Kaspersky Lab has documented a number of interesting technical details. For example, the samples analyzed did not hard-code a command-and-control address; instead they retrieved it from strings placed on pages hosted on legitimate sites such as sohu.com and baidu.com, so the C2 lookup blends in with ordinary web traffic. Kaspersky also believes the initial infection vector was compromised routers in Asia: the attackers changed the routers' DNS settings so that Android devices on those networks were redirected (DNS hijacking) to attacker-controlled sites that served the malicious app. The malware does contain a component that appears to target English-speaking users, but the HTML within it is written in broken English. After further analysis, most researchers have attributed the malware to cybercriminals focused on Chinese and Korean targets.

Proficio Threat Intelligence Recommendations:

  • Do not allow “rooted” Android devices onto corporate networks (rooted devices were targeted in this campaign)
  • The routers compromised in this campaign let the attackers perform DNS hijacking. Security operations should monitor corporate routers for unauthorized configuration changes, in particular changed DNS server settings, and for other signs of compromise
  • SOCs (security operations centers) often detect infected BYOD mobile devices on guest or corporate wireless networks. Corporate IT should decide in advance what action, if any, is taken when such detections occur
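The DNS-hijacking step described above can be caught from the router side. The following JavaScript (Node.js) is an added example, not from the original post or from Kaspersky's research: it audits the resolvers a router hands out to DHCP clients against an approved corporate list and raises an alert for any offer that includes an unapproved resolver, rating a public address higher because a hijacked router typically points clients at an attacker-controlled resolver on the internet. The log format, the dns= field, the approved resolver addresses and the sample lines are all constructed for this example and do not come from a real device.

```javascript
// Added example, not part of the original post or Kaspersky's research:
// flag DHCP offers that hand out DNS resolvers outside an approved set.
// The router log format below is constructed for this example.

// Approved corporate resolvers (assumed values for this example).
const APPROVED_RESOLVERS = new Set(['10.20.0.53', '10.20.0.54']);

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// True if the address lies in RFC 1918 private space (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  const inRange = (base, bits) => (n >>> (32 - bits)) === (ipv4ToInt(base) >>> (32 - bits));
  return inRange('10.0.0.0', 8) || inRange('172.16.0.0', 12) || inRange('192.168.0.0', 16);
}

// Constructed router syslog lines. The "dns=" field stands in for a router
// that logs the DNS servers (DHCP option 6) it offers to each client.
const SAMPLE_LOG = [
  'Jun 05 09:12:01 edge-rtr dhcpd: DHCPOFFER on 10.20.30.41 to aa:bb:cc:dd:ee:01 via eth1 dns=10.20.0.53,10.20.0.54',
  'Jun 05 09:14:22 guest-rtr dhcpd: DHCPOFFER on 192.168.50.12 to aa:bb:cc:dd:ee:03 via wlan0 dns=203.0.113.77,10.20.0.53',
  'Jun 05 09:15:03 guest-rtr dhcpd: DHCPOFFER on 192.168.50.13 to aa:bb:cc:dd:ee:04 via wlan0 dns=192.168.50.1',
  'Jun 05 09:16:40 edge-rtr sshd: Accepted password for admin from 198.51.100.9 port 50122',
].join('\n');

// timestamp, router, client IP, client MAC, comma-separated resolver list
const OFFER_RE = /^(\S+ \d+ [\d:]+) (\S+) \S+ DHCPOFFER on (\S+) to (\S+) .*?dns=(\S+)/;

// Return one alert per DHCPOFFER whose resolver list contains an unapproved address.
function auditDhcpOffers(logText, approved) {
  const alerts = [];
  for (const line of logText.split('\n')) {
    const m = OFFER_RE.exec(line);
    if (!m) continue; // not a DHCPOFFER line
    const [, ts, router, client, mac, dnsField] = m;
    const rogue = dnsField.split(',').filter((ip) => !approved.has(ip));
    if (rogue.length === 0) continue;
    alerts.push({
      ts, router, client, mac, rogue,
      // A public, unapproved resolver is the classic hijack signature; a private
      // one may be a misconfigured or compromised gateway acting as resolver.
      severity: rogue.some((ip) => !isPrivateIPv4(ip)) ? 'high' : 'medium',
    });
  }
  return alerts;
}

for (const a of auditDhcpOffers(SAMPLE_LOG, APPROVED_RESOLVERS)) {
  console.log(`[${a.severity}] ${a.ts} ${a.router} offered ${a.rogue.join(',')} to ${a.client} (${a.mac})`);
}
```

On the constructed log the check raises a high-severity alert for the offer pointing a guest client at 203.0.113.77 and a medium one for the offer that names the gateway itself as resolver; the SSH line is ignored. The same comparison can be run against a periodic export of each router's DHCP and DNS configuration, which is where a Roaming Mantis-style change would first appear.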

General Information – Click Here