INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Supply Chain Compromise or False Positive: The Intriguing Case of efile.com [updated - confirmed malicious code]
Last Updated: 2023-04-03 19:08:14 UTC
by Johannes Ullrich (Version: 1)
[Added an update at the end with more details regarding the "update.exe" file. I think it is safe to say at this point, that efile.com has been compromised.]
Last week, related to the 3CX compromise, I mentioned how difficult it can be to determine if an overall trusted resource is compromised. This weekend, our reader Drew sent us a note that there is some talk about efile.com being possibly compromised. Users are reporting a popup that offers a file "update.exe." This in itself is, of course, highly suspicious. But I was not able to reproduce the issue. Drew also linked to an any.run analysis showing the behavior.
The update.exe was apparently uploaded to Virustotal. As I checked earlier today, only two engines flagged the file: Crowdstrike and Cynet. I just redid the analysis and did not get any additional positives. The file appears to have been uploaded on March 17th, and the creation time is March 17th as well. A post on Reddit also observed the behavior on March 17th.
Let's take a closer look at efile.com. The site uses common modern technologies: Bootstrap, jQuery, and Google Analytics . Nothing too special about this. But things get a bit more interesting looking at the sources downloaded by the browser.
Read the complete entry: https://isc.sans.edu/diary/Supply+Chain+Compromise+or+False+Positive+The+Intriguing+Case+of+efilecom+updated+confirmed+malicious+code/29708/
Analyzing the efile.com Malware "efail"
Last Updated: 2023-04-04 13:28:51 UTC
by Johannes Ullrich (Version: 1)
Yesterday, I wrote about efile.com serving malicious ake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.
Depending on the browser, you may have received one of two binaries. "update.exe" or "installer.exe." These binaries are quite different. I will focus on "update.exe" for two reasons: It was used for Chrome users, which is the vast majority compared to the other option, Firefox. Secondly, "update.exe" is written in Python, making it much easier to analyze.
Read the complete entry: https://isc.sans.edu/diary/Analyzing+the+efilecom+Malware+efail/29712/
Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains
Last Updated: 2023-03-31 12:57:26 UTC
by Jan Kopriva (Version: 1)
In my last Diary, I shortly mentioned the need for correctly set Content Security Policy and/or the obsolete X-Frame-Options HTTP security headers (not just) in order to prevent phishing pages, which overlay a fake login prompt over a legitimate website, from functioning correctly. Or, to be more specific, to prevent them from dynamically loading a legitimate page in an iframe under the fake login prompt, since this makes such phishing websites look much less like a legitimate login page and thus much less effective.
Discussion of the aforementioned headers has led me to a question of how common use of these headers is and how they are commonly set. Which is what we will take a short look at today.
Although data about general trends in the use of these headers may be found online, I wanted to go a little bit more in-depth. I have therefore written a short Python script, which would go through the current Tranco list of one million most popular domains and gather data about which HTTP security-related headers were used on each one (provided the domains pointed to a HTTP server).
In total, the script gathered data about 21 different headers (e.g., X-XSS-Protection, Strict-Transport-Security, Cross-Origin-Resource-Policy, etc.) and their specific settings. Since results for the other headers might be interesting as well, I might write another diary discussing those once I’ve had more time to go over the data. For now, however, let us take a look at how common the use of the two headers which may be used to set restrictions for embedding a websites in an iframe or other object is. Specifically, we will look at the use of X-Frame-Options header and the use of CSP policies containing the frame-ancestors directive (since CSP doesn’t block the behavior we are interested in – the so called “framing attacks” – without this directive in place, we will only focus on CSP headers in which the directive is present).
Read the complete entry: https://isc.sans.edu/diary/Use+of+XFrameOptions+and+CSP+frameancestors+security+headers+on+1+million+most+popular+domains/29698/