Hackerzhome


Cybersecurity news all over the world

HACKERZHOME NEWS

January 13, 2023

Friday

'Address Poisoning' cryptocurrency scam: a fresh alert from MetaMask

Cryptocurrency wallet service MetaMask is warning of a new scam, known as “Address Poisoning”, that tricks users into sending funds to a scammer instead of the intended recipient.

Cryptocurrency transfers made with MetaMask are recorded in the wallet’s transaction history.

Clicking a transaction displays an abbreviated form of the counterparty’s address along with further details, such as the token and the amount sent or received.

To pull off the fraud, the threat actor monitors fresh transactions on the blockchain.

After choosing a target, they use a vanity address generator to build an address that closely resembles, if not nearly matches, the one used in the target’s most recent transaction.

It should be noted that it can take less than a minute to generate an address that matches the prefix or suffix of a destination address; matching both, however, takes much longer.

The threat actor then sends a token transaction worth $0 or a tiny amount of cryptocurrency from this lookalike address to the target’s address, so that the lookalike appears in the target’s transaction history, where it can later be copied by mistake in place of the real one.

MetaMask also advises saving the known, legitimate addresses of people or services you frequently transact with in the built-in Address Book, found under “Settings > Contacts”.

Displaying full addresses instead of the abbreviated form would, however, cause problems for user interface design, because Ethereum addresses are relatively long (66 characters).
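The scam works because two different addresses can share the same abbreviated form. As an added illustration (not MetaMask’s code), the following Python check compares addresses in a transaction history against a saved address book and flags any that are not an exact match but share the prefix and/or suffix shown in an abbreviated display. The addresses are constructed samples; the prefix/suffix lengths are assumptions about how many characters a wallet shows.

```python
import re

# Plain hex form: 0x followed by 40 hex digits (EIP-55 case is ignored here).
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate the shape of an address and lower-case it for comparison."""
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a hex address: {addr!r}")
    return addr.lower()


def abbreviate(addr: str, prefix_len: int = 4, suffix_len: int = 4) -> str:
    """Model the shortened form a wallet UI shows, e.g. 0x1a2b...9a0b (lengths assumed)."""
    a = normalize(addr)
    return f"0x{a[2:2 + prefix_len]}...{a[-suffix_len:]}"


def is_in_address_book(trusted, addr: str) -> bool:
    """Exact match only: an abbreviated resemblance is never good enough to send to."""
    return normalize(addr) in {normalize(t) for t in trusted}


def find_lookalikes(trusted, observed, prefix_len: int = 4, suffix_len: int = 4):
    """Flag observed addresses that mimic a trusted one at the visible ends but differ in full."""
    trusted_set = {normalize(t) for t in trusted}
    hits = []
    for raw in observed:
        addr = normalize(raw)
        if addr in trusted_set:
            continue  # genuinely known address, nothing to flag
        for t in trusted_set:
            same_prefix = addr[2:2 + prefix_len] == t[2:2 + prefix_len]
            same_suffix = addr[-suffix_len:] == t[-suffix_len:]
            if same_prefix or same_suffix:
                hits.append({
                    "observed": raw,
                    "mimics": t,
                    "prefix_match": same_prefix,
                    "suffix_match": same_suffix,
                    # True when the UI abbreviation would be indistinguishable
                    "same_abbreviation": same_prefix and same_suffix,
                })
    return hits


# Constructed sample data: one saved contact, one poisoned lookalike, one unrelated address.
TRUSTED = ["0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"]
POISON = "0x1a2bdeadbeefdeadbeefdeadbeefdeadbeef9a0b"
OTHER = "0x" + "ab" * 20

if __name__ == "__main__":
    for hit in find_lookalikes(TRUSTED, [TRUSTED[0], POISON, OTHER]):
        print(f"WARNING: {abbreviate(hit['observed'])} looks like saved contact "
              f"{abbreviate(hit['mimics'])} but is a different address")
```

The important design choice is that the send-time check (`is_in_address_book`) requires an exact match, while the lookalike scan is only a warning: a wallet that pastes from history rather than from the address book is exactly what the scam relies on.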


Microsoft: OWASSRF weakness allows Cuba ransomware to infiltrate Exchange servers

Microsoft says that Cuba ransomware operators are breaking into Microsoft Exchange servers that have not yet been patched against a serious server-side request forgery (SSRF) flaw that is also used in Play ransomware attacks.

Cloud provider Rackspace recently confirmed that Play ransomware used a zero-day exploit chain dubbed OWASSRF, which targets this flaw (CVE-2022-41080), to infiltrate unpatched Microsoft Exchange servers on its network and bypass the ProxyNotShell URL rewrite mitigations.

Microsoft says the Play ransomware gang has been exploiting this vulnerability since late November 2022 and urges customers to prioritize patching CVE-2022-41080 to prevent such attacks.

While Microsoft has informed some customers that ransomware gangs have been exploiting the Exchange SSRF vulnerability since it was patched on November 8th, its advisory has not yet been updated to state that the flaw is being exploited in the wild.


Chromium Browser Security Flaw Detailed by Experts Risking Confidential Data

Details have emerged about a now-patched vulnerability in Google Chrome and Chromium-based browsers that, if exploited, could have allowed the theft of files containing sensitive data.

Google described the medium-severity flaw (CVE-2022-3656) as insufficient data validation in the File System and shipped fixes for it in versions 107 and 108, released in October and November 2022.

The vulnerability, dubbed SymStealer, is essentially a symbolic link (symlink) following bug, a class of flaw in which an attacker uses symlinks to circumvent a program’s file system restrictions and access files they should not be able to reach.

In the attack chain, the symlink is uploaded back to the website, for example when a crypto wallet service asks users to upload their recovery keys, and the vulnerability could then be exploited to read the real file containing the key phrase by traversing the symbolic link.

An Imperva proof-of-concept (PoC) uses CSS trickery to resize the file input element so that the page looks more legitimate, effectively enabling the theft regardless of where the folder is dropped on the page.
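Symlink following is a general file-handling bug, not something specific to browsers. As an added example (not Imperva’s PoC and not Chromium code), the Python below builds a constructed scenario in a temporary directory: a “recovery phrase” file outside an upload folder and a symlink inside the folder pointing at it. A naive reader that simply opens the uploaded name returns the secret; a hardened reader refuses symlinks and any path that resolves outside the upload root, which is the kind of validation the fix for this class of bug has to perform.

```python
import os
import tempfile
from pathlib import Path


def naive_read(upload_root: str, name: str) -> bytes:
    """Unsafe pattern: open whatever the uploaded name points to, following symlinks."""
    return Path(upload_root, name).read_bytes()


def safe_read(upload_root: str, name: str) -> bytes:
    """Hardened pattern: reject symlinks and anything resolving outside the upload root."""
    root = Path(upload_root).resolve()
    candidate = root / name
    # Check the link itself before resolving, so the target is never consulted.
    if candidate.is_symlink():
        raise PermissionError(f"refusing to follow symlink: {candidate}")
    resolved = candidate.resolve()
    # Also catches '../' traversal in the supplied name.
    if root not in resolved.parents:
        raise PermissionError(f"path escapes upload root: {resolved}")
    return resolved.read_bytes()


def demo() -> dict:
    """Constructed scenario: secret outside the upload dir, symlink to it inside the upload dir."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp, "wallet", "recovery.txt")
        secret.parent.mkdir()
        secret.write_bytes(b"constructed recovery phrase")  # sample data, not a real key

        uploads = Path(tmp, "uploads")
        uploads.mkdir()
        os.symlink(secret, uploads / "recovery.txt")  # the 'uploaded' symlink
        (uploads / "ok.txt").write_bytes(b"harmless")   # a genuine upload

        result = {"naive": naive_read(str(uploads), "recovery.txt")}
        try:
            safe_read(str(uploads), "recovery.txt")
            result["safe"] = "read"
        except PermissionError:
            result["safe"] = "blocked"
        # Legitimate files in the upload root are still readable through the safe path.
        result["legit"] = safe_read(str(uploads), "ok.txt")
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The order of checks matters: `is_symlink()` is evaluated on the entry itself (an lstat), before `resolve()` ever touches the link target, so the secret file is never opened by the hardened path.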

NEWS 3

On Amazon, an Android TV box came with malware already installed

A Canadian system administrator found that the firmware of an Amazon-purchased Android TV box came pre-loaded with sophisticated, persistent spyware.

Daniel Milisic found the malware and wrote a script and instructions to help users neutralize the payload and stop its contact with the C2 (command and control) server.

The product in question is the AllWinner T616-powered T95 Android TV box, which is widely sold on Amazon, AliExpress, and other major e-commerce sites.

It is unknown whether only this particular device was affected or whether the malicious component is present in all products of this brand or model.

To clean their device and remove any malware present, T95 users are advised to take these two easy steps:
1. Restart the device into recovery mode, or choose “Factory Reset” from the settings menu.
2. After rebooting, connect over ADB (via USB or Wi-Fi/Ethernet) and run the script.

To verify that the malware has been neutralized, run “adb logcat | grep Corejava” and check that the chmod command failed.

A RAT malware campaign uses polyglot files to try to avoid detection

The operators of the StrRAT and Ratty remote access trojans (RATs) are running a new campaign that uses polyglot MSI/JAR and CAB/JAR files to evade detection by security software.

Deep Instinct, which discovered the campaign, says the threat actors have had a fair amount of success evading anti-virus engines, which is noteworthy given how long the two RATs have existed and how well known they are.

Polyglot files combine two or more file formats so that they can be correctly parsed and launched by several different applications.

Although Microsoft tried to address the issue with a signature-based detection mechanism, that check can be bypassed, so polyglot files are still used maliciously.

Threat actors can simply merge the two formats into a single file because JAR files are archives identified by a record at the end of the file, whereas MSI files are identified by a “magic header” at the beginning.

Thanks to this dual format, the same file can be executed by the Java runtime as a JAR and by Windows as an MSI.
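Because the two formats are identified at opposite ends of the file, a scanner that only looks at the magic header will see an MSI (or CAB) and never notice the archive. As an added example (not Deep Instinct’s tooling), the Python below checks both ends: the well-known OLE Compound File header that MSI files carry (or the “MSCF” CAB header) at the start, and a structurally valid ZIP end-of-central-directory record at the end, which is how Java locates a JAR. The sample file is constructed in memory from a magic header, padding and a tiny JAR-style ZIP; the header is only a marker, not a parseable MSI body.

```python
import io
import struct
import zipfile
from typing import Optional

# Header signatures (well-known values): MSI files are OLE Compound File Binary
# containers; CAB files begin with "MSCF".
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CAB_MAGIC = b"MSCF"
# ZIP/JAR end-of-central-directory (EOCD) signature; up to 65535 comment bytes may follow.
EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22


def head_format(data: bytes) -> Optional[str]:
    """Identify the format a header-only scanner would report."""
    if data.startswith(CFB_MAGIC):
        return "msi"
    if data.startswith(CAB_MAGIC):
        return "cab"
    return None


def has_zip_trailer(data: bytes) -> bool:
    """True if a consistent EOCD record closes the file, i.e. a JAR/ZIP reader would accept it."""
    tail = data[-(EOCD_LEN + 65535):]
    pos = tail.rfind(EOCD_SIG)
    if pos < 0 or len(tail) - pos < EOCD_LEN:
        return False
    comment_len = struct.unpack_from("<H", tail, pos + 20)[0]
    # The record plus its comment must end exactly at end-of-file.
    return pos + EOCD_LEN + comment_len == len(tail)


def classify(data: bytes) -> dict:
    """Report what each end of the file claims to be and whether both claims hold at once."""
    head = head_format(data)
    jar = has_zip_trailer(data)
    return {"head": head, "jar_trailer": jar, "polyglot": head is not None and jar}


def jar_entries(data: bytes) -> list:
    """List archive members; zipfile tolerates prepended data, as the Java runtime does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_polyglot(prefix: bytes) -> bytes:
    """Constructed sample: a magic header, padding, then a minimal JAR-style ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return prefix + b"\x00" * 64 + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot(CFB_MAGIC)
    print(classify(sample))          # header says MSI, trailer says JAR -> polyglot
    print(jar_entries(sample))       # the archive is still fully readable
```

A header-only check and a trailer-only check each return a plausible answer on their own; the detection signal is the disagreement between them, which is why `classify` reports both before deciding.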
