Cyber Security News of the week — 21.03.2022|25.03.2022

Mar 25, 2022

Browser-in-The-Browser Attack — A New Phishing Strategy

Most services like Google, Microsoft, and more, use the popup window feature to display login pages. Since such windows open separately, the most reliable way to check their authenticity is to observe the URL.

The above is what the researcher exploited as he crafted legit-looking windows via basic HTML/CSS.

As stated in his post, “Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it's basically indistinguishable… JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc. And of course you can make the window appear in a visually appealing manner through animations available in libraries such as JQuery.”

With JavaScript enabled, even hovering over the links would not help to check the URL’s legitimacy. Once the fake window is set up, it would be trivial for the attacker to lure the victim into submitting login credentials. It currently remains unclear how lucrative this strategy appears to criminals, and how they intend to exploit it in real-world attacks.


Cloudflare Launches “Friendly Bots” For Swift Bot Verification

Cloudflare Rolls Out Friendly Bots

Briefly, Cloudflare conducts manual verification for bots submitted by users. Also, the service requires other information to go with its bot validation methods. The latter comes into play when the other methods fail the purpose.

The process is tedious, and so, often reserved for larger bots. Thus, it becomes difficult for small-scale bots to pass the verification in time. Why? “Our system relies on a cache of verified traffic, ensuring that certain IPs or other data have widely shown good behavior on the Internet.” Cloudflare has now launched “Friendly Bots” for those bots that lie between “good” and “bad”.

Working And Benefits

Describing how it works, Cloudflare explained that users can submit the required bot details via the dashboard. Thus, it will facilitate secure and scalable bot validation.

Cloudflare Radar To Show “Verified Bots”

Apart from the above-described update, Cloudflare has also announced that it will display a list of “Verified Bots” with Cloudflare Radar. The list will show real-time updates.


Facestealer Spyware Fooled 100K+ Users On Google Play Store

Once again, a security threat has appeared to remind Android users to avoid downloading apps from unknown developers. Researchers caught a malicious app distributing «Facestealer» spyware on the Google Play Store that successfully targeted thousands of Android users.

Facestealer Spyware Appeared On Play Store

Elaborating the details in a recent blog post, researchers from Pradeo stated how the Facestealer spyware targeted Android users globally. In brief, the malware appeared on the Google Play Store as a fake photo-editing app.

The app exhibited the functionalities of legit photo-editing apps to trick users. Investigating the app further made the researchers trace the app’s link to a Russian domain previously connected to similar malicious apps.

Google Removed The Malicious App

At the time of discovery, the malicious app had attracted over 100,000 downloads on the Play Store. That means the spyware successfully targeted a considerable number of Android users.

Following Pradeo’s report, Google removed the malware from the Play Store. Nonetheless, the threat won’t be over unless users of this app remove it from their devices. Also, out of caution, users must reset their Facebook account credentials to prevent further abuse of their profiles.


DeadBolt Ransomware Resurfaces to Hit QNAP Again

DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that began in mid-March and signals a new targeting of the Taiwan-based network-attached storage devices by the fledgling threat, researchers said. Researchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear ramp up slowly starting March 16, with a total of 373 infections that day. The new wave of attacks ostensibly follows the same pattern as January’s wave, but the majority of the victims are running the QNAP QTS Linux kernel version 5.10.60, Ellzey said. That said, «at this time, Censys cannot state whether this is a new attack targeting different versions of the QTS operating system, or if it’s the original exploit targeting unpatched QNAP devices,» he acknowledged.

The attackers are asking for 0.03 Bitcoin for a decryption key, which is about $1,223 at today’s exchange rate. QNAP is not the only company in the crosshairs of DeadBolt, which first came to researchers’ attention due to the January attacks. In mid-February, Reddit users began reporting that the ransomware was targeting ASUSTOR ADM devices, according to Censys.

Attack Detection

Censys researchers picked up on the latest wave of QNAP attacks due to the unique way the current DeadBolt ransomware variant communicates with victims, according to the post. «Instead of encrypting the entire device, which effectively takes the device offline, the ransomware only targets specific backup directories for encryption, and vandalizes the web-administration interface with an informational message explaining how to remove the infection,» Ellzey wrote.


Stay Focused. Stay Vigilant.

Cyber Security News Team — Cyber Security Community of SLIIT