Hackers Exploited Krpano Framework Flaw to Inject Spam Ads on 350+ Websites
Google Patches Chrome’s Fifth Zero-Day of the Year

An insufficient validation input flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack.
Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday.
The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents.”
Google credits Ashley Shen and Christian Resell of its Google Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also unveiled 10 other patches for various other Chrome issues.
Intents are a deep linking feature on the Android device within the Chrome browser that replaced URI schemes, which previously handled this process, according to an organization that offers various linking options for mobile applications.
“Instead of assigning window.location or an [website] to the URI scheme, in Chrome, developers need to use their intent string as defined in this document,” the organization explained on its website. Intent “adds complexity” but “automatically handles the case of the mobile app not being installed” within links.
Insufficient validation is associated with input validation, a frequently used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components, according to the Common Weakness Enumeration site.
“When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application,” the site explains. “This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.”
As is typical, Google did not disclose specific details of the bug until it is widely patched to avoid threat actors taking further advantage of it, a strategy that one security professional noted is a wise one.
“Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws,” observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable, in an email to Threatpost.
Holding back info is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project. These all could be affected if an exploit for a vulnerability is released, he noted.
“It is extremely valuable for defenders to have that buffer,” Narang added.
While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google did patch a critical bug tracked as CVE-2022-2852, a use-after-free issue in FedCM. FedCM, short for the Federated Credential Management API, provides a use-case-specific abstraction for federated identity flows on the web.
The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.
In July, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while in May it was a separate buffer overflow flaw tracked as CVE-2022-2294 and under active attack that got slapped with a patch.
In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8 tracked as CVE-2022-1096 and under active attack also spurred a hasty patch.
February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.
Space Pirates Targets Russian IT Firms With New LuckyStrike Agent Malware

The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a previously undocumented malware called LuckyStrike Agent.
The activity was detected in November 2024 by Solar, the cybersecurity arm of Russian state-owned telecom organization Rostelecom. It's tracking the activity under the name Erudite Mogwai.
The attacks are also characterized by the use of other tools like Deed RAT, also called ShadowPad Light, and a customized version of proxy utility named Stowaway, which has been previously used by other China-linked hacking groups.
"Erudite Mogwai is one of the active APT groups specializing in the theft of confidential information and espionage," Solar researchers noted. "Since at least 2017, the group has been attacking government agencies, IT departments of various organizations, as well as enterprises related to high-tech industries such as aerospace and electric power."
The threat actor was first publicly documented by Positive Technologies in 2022, detailing its . The group is believed to share tactical overlaps with another hacking group called Webworm. It's known to target organizations in Russia, Georgia, and Mongolia.
In one of the attacks targeting a government sector customer, Solar said it discovered the attacker deploying various tools to facilitate reconnaissance, while also dropping LuckyStrike Agent, a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2).
"The attackers gained access to the infrastructure by compromising a publicly accessible web service no later than March 2023, and then began looking for 'low-hanging fruit' in the infrastructure," Solar said. "Over the course of 19 months, the attackers slowly spread across the customer's systems until they reached the network segments connected to monitoring in November 2024."
Also noteworthy is the use of a modified version of Stowaway to retain only its proxy functionality, alongside using LZ4 as a compression algorithm, incorporating XXTEA as an encryption algorithm, and adding support for the QUIC transport protocol.
"Erudite Mogwai began their journey in modifying this utility by cutting down the functionality they didn't need," Solar said. "They continued with minor edits, such as renaming functions and changing the sizes of structures (probably to knock down existing detection signatures). At the moment, the version of Stowaway used by this group can be called a full-fledged fork."
Hackers Exploited Krpano Framework Flaw to Inject Spam Ads on 350+ Websites

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hundreds of websites with the goal of manipulating search results and fueling a spam ads campaign at scale.
Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said the campaign, dubbed 360XSS, affected over 350 websites, including government portals, [website] state government sites, American universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies.
"This wasn't just a spam operation," the researcher stated. "It was an industrial-scale abuse of trusted domains."
All these websites have one thing in common: A popular framework called Krpano that's used to embed 360° images and videos to facilitate interactive virtual tours and VR experiences.
Zaytsev mentioned he stumbled upon the campaign after coming across a pornography-related ad listed on Google Search but with a domain associated with Yale University ("[website][.]edu").
A notable aspect of these URLs is an XML parameter that's designed to redirect the site visitor to a second URL that belongs to another legitimate website, which is then used to execute a Base64-encoded payload via an XML document. The decoded payload, for its part, fetches the target URL ([website], the ad) from yet another legitimate site.
The XML parameter passed in the original URL served in the search results is part of a broader configuration setting named "passQueryParameters" that's used when embedding a Krpano panorama viewer into an HTML page. It's specifically designed to pass HTTP parameters from the URL to the viewer.
The security issue here is that if the option is enabled, it opens the door to a scenario where an attacker could use a specially crafted URL to execute a malicious script in a victim's web browser when the vulnerable site is visited.
Indeed, a reflected XSS flaw arising as a result of this behavior was disclosed in Krpano in late 2020 (CVE-2020-24901, CVSS score: [website]), indicating that the potential for abuse has been publicly known for over four years.
While an update introduced in version [website] restricted "passQueryParameters" to an allowlist in an attempt to prevent such XSS attacks from taking place, Zaytsev found that explicitly adding the XML parameter to the allowlist reintroduced the XSS risk.
"Since version [website], Krpano's default installation was not vulnerable," the researcher told The Hacker News via email. "However, configuring passQueryParameter in combination with the XML parameter allowed external XML configuration via the URL, leading to an XSS risk."
"The exploited versions I've come across were primarily older ones, predating version [website]"
The campaign, per Zaytsev, has leveraged this weakness to hijack over 350 sites to serve sketchy ads related to pornography, diet supplements, online casinos, and fake news sites. What's more, some of these pages have been weaponized to boost YouTube video views.
The campaign is noteworthy, not least because it abuses the trust and credibility of legitimate domains to show up prominently in search results, a technique called search engine optimization (SEO) poisoning, which, in turn, is accomplished by abusing the XSS flaw.
Following responsible disclosure, the latest release of Krpano eliminates support for external configuration via the XML parameter, thereby mitigating the risk of XSS attacks even when the setting is used.
"Improved embedpano() passQueryParameters security: data-urls and external URLs are generally not allowed as parameter values anymore and URLs for the XML parameter are limited to be within the current folder structure," [website] released this week.
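The restriction quoted above can also be applied on the defender's side to request URLs taken from access logs or a Search Console export, to find pages that were hit with an external XML configuration. This is an added example, not Krpano's own code: the function names, verdict labels and host names (tour.example.edu, other.example) are assumptions made for illustration.

```javascript
// Added example (not krpano code): classify the "xml" query parameter of a
// request to a page that embeds the viewer with passQueryParameters enabled.
// The categories follow the release note quoted above; the labels are our own.

function classifyXmlParam(pageUrl) {
  const page = new URL(pageUrl);

  // Conservative choice: match the parameter name case-insensitively.
  let value = null;
  for (const [name, v] of page.searchParams) {
    if (name.toLowerCase() === "xml") { value = v; break; }
  }
  if (value === null) return "absent";

  // Resolve the value the way a browser would, relative to the embedding page.
  // The WHATWG URL parser also normalises backslashes and dot segments.
  let target;
  try {
    target = new URL(value, page);
  } catch (err) {
    return "malformed";
  }

  if (target.protocol === "data:") return "data-url";
  if (target.origin !== page.origin) return "external-url";

  // Same origin: the file must stay inside the embedding page's folder.
  const folder = page.pathname.slice(0, page.pathname.lastIndexOf("/") + 1);
  if (!target.pathname.startsWith(folder)) return "outside-folder";
  return "local";
}

// Return only the requests whose xml parameter would be rejected.
function auditRequests(urls) {
  return urls
    .map((url) => ({ url, verdict: classifyXmlParam(url) }))
    .filter((r) => r.verdict !== "absent" && r.verdict !== "local");
}

// Constructed sample requests; the host names are placeholders.
const SAMPLE_REQUESTS = [
  "https://tour.example.edu/campus/index.html",
  "https://tour.example.edu/campus/index.html?xml=tour.xml",
  "https://tour.example.edu/campus/index.html?xml=https://other.example/cfg.xml",
  "https://tour.example.edu/campus/index.html?xml=//other.example/cfg.xml",
  "https://tour.example.edu/campus/index.html?XML=data:text/xml,%3Ckrpano%2F%3E",
  "https://tour.example.edu/campus/index.html?xml=../../shared/tour.xml",
];

for (const { url, verdict } of auditRequests(SAMPLE_REQUESTS)) {
  console.log(`${verdict.padEnd(15)} ${url}`);
}
```

Query values are decoded once before classification, so a log pipeline that stores URLs already decoded should re-encode them or pass the raw request line instead.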
It's currently not known who is behind the massive operation, although the abuse of an XSS flaw to serve just redirects, as opposed to carrying out more nefarious attacks like credential or cookie theft, raises the possibility of an ad firm with questionable practices that's serving these ads as a monetization strategy.
Users of Krpano are advised to update their installations to the latest version and set the "passQueryParameters" setting to false. Affected website owners are recommended to find and remove infected pages via Google Search Console.