Exclusive: German Police Raid OmniRAT Developer and Seize Digital Assets


The German police yesterday raided the house of the developer of OmniRAT and seized his laptop, computer and mobile phones probably as part of an investigation into a recent cyber attack, a source told The Hacker News.

OmniRAT made headlines in November 2015 when its developer launched it as a legitimate remote administration tool for IT experts and companies to manage their devices with explicit permissions.

Available for between $25 and $100, OmniRAT quickly became one of the most popular remote administration tools, allowing users to monitor Android, Windows, Linux, and Mac devices remotely and access all available information on them.

However, as with other remote administration tools such as DroidJack, DarkComet, AndroRAT, and njRAT, some customers of OmniRAT also used the tool for illicit purposes, especially because it was available at a far cheaper price than other RATs on the market.

In one such event earlier this year, a group of hackers attempted to target several industries by exploiting an old remote code execution vulnerability (CVE-2016-7262) in Microsoft Excel that eventually installed OmniRAT on targeted computers.

According to a security researcher who reported this incident in January, the attackers used a malformed Excel sheet disguised as a business profile of “Kuwait Petroleum Corporation (KPC)” to lure victims into opening the attachment.

Though Kuwait Petroleum Company was not itself targeted by the malware, another anonymous source told The Hacker News that almost two months ago, lawyers representing the oil company started emailing the domain registrar through which the official OmniRAT domain was registered, demanding that it disclose the identity of the domain owner and citing whois-related GDPR and ICANN rules.


The content on the official OmniRAT website has been unavailable for the last few days; it was probably taken down by the developer to prevent the domain registrar from disclosing his identity to the company.

The developer of OmniRAT reportedly resides in Germany, but his/her identity is still unknown to the public.

At this moment, it’s not clear if the raid by German police is linked to the efforts made by Kuwait Oil Company or involves some separate criminal case against him.

It’s also possible that the German police are after the list and identities of all the customers who purchased OmniRAT in the last four years, in order to crack down on cybercriminals abusing the tool.

In a similar operation in 2015, law enforcement agencies in several countries raided homes and arrested suspected users of DroidJack smartphone malware.

Though creating malware or hacking tools is illegal in Germany, as in many other countries, whether a tool counts as such also depends on how it has been advertised.

Like penetration testing tools, remote administration tools are a double-edged sword and can be used for both legal and illegal purposes.

In one case, it was reported that two years ago a group of hackers was using OmniRAT to spy on Islamic State (ISIS) members and supporters by distributing its Android version via the popular Telegram messaging app.

A disclaimer, as shared below, posted on the official OmniRAT website also said that the tool is not for hacking and that customers are themselves liable for any misuse.

“OmniRAT is created by German authors, and the servers are also located in Germany. Therefore the German law applies for us. OmniRAT is a remote administration tool (rat). It is not – as many believe – a trojan neither made for hacking; therefore, it is not illegal and does not violate the law. The usage, however, is only licit on devices you own or have permission for. This is also stated inside our terms of service. By purchasing and using OmniRAT, you obey the above.”

Although the OmniRAT developer did not seem to have directly encouraged his customers to use the tool for spying on anyone, late last year he posted a description and the new features of his tool on an infamous hacking forum, a website popular among newbies looking for hacking tools.

On the same hacking forum, in April this year, he announced the shutdown of OmniRAT, saying “unfortunately due to the pressure of the government and the cybercrime division OmniRAT has to be shut down. This will take immediate effect.”

However, since the tool does not rely on the OmniRAT server or share collected device data with it, users who already have access to the remote administration tool can continue using it for whatever purpose they want.

The Hacker News is keeping an eye on every possible development in this story and will update our readers as soon as we learn more about it.

Microsoft Adds 2FA-Protected “Personal Vault” Within OneDrive Cloud Storage


Microsoft has introduced a new password-protected folder within its OneDrive online file storage service that will allow you to keep your sensitive and important files protected and secured with an extra layer of authentication.

Dubbed Personal Vault, the new OneDrive folder can only be accessed with an additional step of identity verification, such as your fingerprint, face, PIN, or a two-factor authentication code sent to you via email or SMS.

The Personal Vault folder will appear next to other folders in the OneDrive app, like Documents and Pictures, but it will be locked and prompt you for an additional code each time you try to access it via the web, a PC, or a mobile device, thus keeping its contents more secure in the event that someone gains access to your account or your device.

Microsoft suggests this new protected area in OneDrive would be useful for storing more sensitive and personal files, for instance copies of passport, tax, car or home documents, identification cards, and financial information.

To instantly store your files in the Personal Vault folder, all you need to do is scan in your documents directly into your Personal Vault through the OneDrive app. You can even take pictures and shoot videos with OneDrive and send them straight to Personal Vault.

You can store as many files as you want in the Personal Vault folder, up to your overall OneDrive storage limit. Microsoft is also increasing OneDrive’s base storage plan from 50GB to 100GB at no additional cost.


Personal Vault, by default, includes all protections that OneDrive currently offers, including file encryption “at rest” in Microsoft’s cloud and in transit to a device, ransomware protection, mass file deletion and recovery, suspicious activity monitoring, virus scanning on download for known threats, and version history for all file types.

In addition, when the OneDrive app syncs your Personal Vault files to your computer, it directly stores those files to a BitLocker-encrypted area of your local hard drive on your Windows 10 computer, instead of any regular folder.

“For further protection on mobile devices, we recommend that you enable encryption on your iOS or Android device,” Microsoft says. “Together, these measures help keep your files protected even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it.”

What’s more? After a period of inactivity (3 minutes on mobile devices and 20 minutes on the web or local hard drive by default), the Personal Vault will automatically relock, and you’ll have to reauthenticate to gain access again.

Moreover, if you try to access OneDrive remotely through a web browser on an unfamiliar PC, the browser will not save your files within the Personal Vault in its cache.

Microsoft is making the OneDrive Personal Vault feature available to the web version of its OneDrive, Windows 10 PCs, as well as the iOS and Android mobile apps.

OneDrive Personal Vault is currently only rolling out in Australia, New Zealand, and Canada, though the company will make it available to all markets by the end of the year.

‘Legit Apps Turned into Spyware’ Targeting Android Users in Middle East


Cybersecurity researchers are warning about an ongoing Android malware campaign that has been active since 2016 and was first publicly reported in August 2018.

Dubbed “ViceLeaker” by researchers at Kaspersky, the campaign has recently been found targeting Israeli citizens and some other Middle Eastern countries with powerful surveillance malware designed to steal almost all accessible information, including call recordings, text messages, photos, videos, and location data—all without users’ knowledge.

Besides these traditional spying functionalities, the malware also has backdoor capabilities, including uploading, downloading and deleting files, recording surrounding audio, taking over the camera, and making calls or sending messages to specific numbers.

The malware used in these campaigns was named “Triout” in a report published by Bitdefender in 2018; it is essentially a malware framework that attackers use to turn legitimate applications into spyware by injecting an additional malicious payload into them.

In a new report published today, Kaspersky Lab revealed that attackers are actively using the Baksmali tool to disassemble and then reassemble the code of a legitimate app after injecting their malicious code in it—a technique commonly known as Smali injection.

“Based on our detection statistics, the main infection vector is the spread of Trojanized applications directly to victims via Telegram and WhatsApp messengers,” the researchers said.


Besides this, researchers also found that the code the malware uses to parse commands from the command-and-control server resembles modified versions of an open source XMPP/Jabber client for the Android platform called “Conversations.”

“In addition, we did not see traces of the Smali injection [in the modified Conversations app],” Kaspersky researchers explained, but “found traces of dx/dexmerge compilers, which means that, this time, the attackers just imported the original source code into an Android IDE (such as Android Studio, for instance) and compiled it with their own modifications.”

However, those modified versions of the Conversations app do not contain any malicious code, but appear to be used by the same group of attackers for some yet-undiscovered purpose.

“This brought to us the hypothesis that this might be the version used by the group behind ViceLeaker for internal communication or for other, unclear purposes. All the detection of this backdoored app were geolocated in Iran,” researchers said.

According to the researchers, the ViceLeaker attack campaign is still ongoing, and attackers could potentially distribute malicious repackaged versions of legitimate apps through third-party app stores, instant messengers, or attacker-controlled online webpages.

Since such apps masquerade as legitimate or popular apps, Android users are highly recommended to always download apps from trusted sources, like the Google Play Store, to avoid falling victim to this attack.

However, you should also not trust every app available on the Play Store, so always stick to verified developers to avoid installing malicious apps.

Account Takeover Vulnerability Found in Popular EA Games Origin Platform


A popular gaming platform used by hundreds of millions of people worldwide has been found vulnerable to multiple security flaws that could have allowed remote hackers to take over players’ accounts and steal sensitive data.

The vulnerabilities in question reside in the “Origin” digital distribution platform developed by Electronic Arts (EA)—the world’s second-largest gaming company with over 300 million users—that allows users to purchase and play some of the most popular video games including Battlefield, Apex Legends, Madden NFL, and FIFA.

The Origin platform also manages users’ EA Games account authentication and allows them to find friends, join games, and manage their profiles.

Discovered by researchers at Check Point and CyberInt, the vulnerabilities, when chained together, could have allowed attackers to hijack gamers’ EA accounts just by convincing them to open an official webpage on the EA Games website.

To perform this attack, as shown in the video demonstration, researchers took advantage of a long-known unpatched weakness in Microsoft’s Azure cloud service that allowed them to take over one of the EA subdomains, which had previously been registered with Azure to host one of Origin’s services.

As explained in a previous report, if the DNS CNAME record of a domain or subdomain points to the Azure cloud platform but the target has not been configured or linked to an active Azure account, any other Azure user can claim that target and thereby take over the subdomain.

“During Cyber Int’s research, though, [it] found that the ea-invite-reg.azurewebsites.net service was not in-use anymore within Azure cloud services; however, the unique subdomain eaplayinvite.ea.com still redirect to it using the CNAME configuration,” CheckPoint researchers said in a report published today.
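The dangling-CNAME condition described above is easy to check for from the defender's side. The following is an added example, not Check Point's or CyberInt's code: it walks a set of CNAME records, keeps those that point at Azure-hosted names, and flags the ones whose target no longer resolves (the zone data, the resolvable set, and the non-azurewebsites suffixes are constructed assumptions for illustration).

```python
"""Detect CNAME records that point at unclaimed Azure names (subdomain takeover risk)."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Suffixes commonly reached via CNAME. Only azurewebsites.net appears in the
# article; the other two are assumptions added to show the general pattern.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net")

# Constructed sample zone data: hostname -> CNAME target (None = no CNAME record).
SAMPLE_CNAMES: Dict[str, Optional[str]] = {
    "invite.example.com": "stale-app.azurewebsites.net",  # target deleted: dangling
    "shop.example.com": "live-shop.azurewebsites.net",    # target still claimed
    "www.example.com": None,                              # plain A record
    "cdn.example.com": "cdn.example-cdn.net",             # not an Azure target
}

# Constructed view of which names currently resolve (stands in for live DNS).
SAMPLE_RESOLVABLE = {"live-shop.azurewebsites.net", "cdn.example-cdn.net"}


def sample_resolves(name: str) -> bool:
    """Offline resolver used by the example and its checks."""
    return name in SAMPLE_RESOLVABLE


def live_resolves(name: str) -> bool:
    """Real resolver for use against a live zone: NXDOMAIN / no answer -> False."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(
    cnames: Dict[str, Optional[str]],
    resolves: Callable[[str], bool],
    suffixes: Tuple[str, ...] = TAKEOVER_PRONE_SUFFIXES,
) -> List[Tuple[str, str]]:
    """Return (hostname, target) pairs where the CNAME target is an Azure-style
    name that does not resolve, i.e. anyone with an Azure account could claim it."""
    findings = []
    for host, target in cnames.items():
        if not target:
            continue
        t = target.rstrip(".").lower()
        if not t.endswith(suffixes):
            continue
        if not resolves(t):
            findings.append((host, t))
    return sorted(findings)


if __name__ == "__main__":
    for host, target in find_dangling_cnames(SAMPLE_CNAMES, sample_resolves):
        print(f"DANGLING: {host} -> {target} (unclaimed, takeover possible)")
```

Pass `live_resolves` instead of `sample_resolves` to run the same check against real zone data; a finding means the record should be deleted or the target re-registered under your own account.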

In their proof-of-concept attack, researchers hijacked “eaplayinvite.ea.com” and hosted a script on it that exploited weaknesses in EA Games’ OAuth single sign-on (SSO) and TRUST mechanism.

The webpage eventually allowed the researchers to capture players’ secret SSO tokens just by convincing them to visit it in the same web browser where they already had an active session on the EA website, and to take over their accounts without requiring actual credentials.

“The TRUST mechanism exists between ea.com and origin.com domains and their subdomains. Successfully abusing the mechanism enabled our research team to manipulate the OAuth protocol implementation for full account takeover exploitation,” researchers explained.


In a worst-case scenario, CheckPoint researchers said an attacker could have exploited these flaws to cause potential damage like gaining access to players’ credit card information with the ability to fraudulently purchase in-game currency on behalf of the players.

CyberInt and Check Point immediately reported their findings to EA Games and helped the company fix the security loopholes to protect their gaming customers. The security firm went public with its findings today—almost three months after EA addressed the issues.

Two Florida Cities Paid $1.1 Million to Ransomware Hackers This Month


In the last two weeks, Florida has paid more than $1.1 million in bitcoin to cybercriminals to recover encrypted files from two separate ransomware attacks—one against Riviera Beach and the other against Lake City.

Lake City, a city in northern Florida, agreed on Monday to pay hackers 42 Bitcoin (equivalent to $573,300 at the current value) to unlock phone and email systems following a ransomware attack that crippled its computer systems for two weeks.

The ransomware attack, dubbed “Triple Threat” since it combines three different methods of attack to target network systems, infected Lake City systems on June 10 after an employee in city hall opened a malicious email.

Though the IT staff disconnected computers within just 10 minutes of the cyber attack starting, it was too late. The attack locked down the city workers’ email accounts and servers.

Since the police and fire departments operate on a different server, they were the only ones not impacted by the attack. While other Lake City networks are currently disabled, Public Safety services remain unaffected by this attack.

The unknown hackers contacted the city’s insurer and negotiated a ransom payment of 42 bitcoins, currently worth $573,300. Lake City officials voted on Monday to pay the ransom to regain access to their important files.

The ransom payment would be mostly covered by insurance, although $10,000 would be incurred by taxpayers.

“Our systems are shut down, but there is no evidence to indicate any sensitive data has been compromised. All customer service payment data, such as credit card data, is stored off-site by third-party vendors and would not have been accessed by an attack like this on our network,” said City Information Technology Director Brian Hawkins.

Lake City is the second city in Florida to be hit by a ransomware attack recently.

Riviera Beach, another city in Florida, became a victim of a ransomware attack on May 29 after a city employee clicked on a malicious link in an email, according to local media reports.

The ransomware attack crippled the city’s computer systems for at least three weeks after which the Riviera Beach City Council authorized the city’s insurer to pay a ransom of 65 Bitcoin ($897,650 at today’s value) to regain access to their locked systems.

Federal authorities and cybersecurity experts have always advised victims not to pay ransoms, since doing so encourages cybercriminals and there is no guarantee that files or computer systems will be completely restored.

Instead of paying hackers a ransom, organisations and companies should keep robust backups of their important files and data, and educate their employees to avoid falling victim to cyber attacks.

New Mac Malware Exploits GateKeeper Bypass Bug that Apple Left Unpatched


Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple’s macOS Gatekeeper security feature, details and a PoC for which were publicly disclosed late last month.

The Intego team last week discovered four samples of new macOS malware on VirusTotal that leverage the Gatekeeper bypass vulnerability to execute untrusted code on macOS without displaying any warning to users or asking for their explicit permission.

However, the newly discovered malware, dubbed OSX/Linker, has not been seen in the wild as of now and appears to be under development. Though the samples leverage the unpatched Gatekeeper bypass flaw, they do not download any malicious app from the attacker’s server.

According to Joshua Long from Intego, until last week, the “malware maker was merely conducting some detection testing reconnaissance.”

“One of the files was signed with an Apple Developer ID (as explained below), it is evident that the OSX/Linker disk images are the handiwork of the developers of the OSX/Surfbuyer adware,” Long said in a blog post.

However, since the malware sample links to a remote server from which it downloads the untrusted app, attackers could also distribute the same samples to real targets by merely replacing the sample app on their server with a malicious one.

macOS Gatekeeper Bypass Vulnerability

GateKeeper is a security feature built into Apple macOS that enforces code signing and verifies downloaded applications before allowing them to run, helping users protect their systems from malware and other malicious software.

That means that if you download an application from the Internet, Gatekeeper will only allow it to execute without any warnings if it has been signed with a valid Apple-issued certificate; otherwise it will prompt you to allow or deny the execution.

However, Gatekeeper has been designed to treat both external drives (USB or HDD) and network shares as “safe locations” from where users can run any application without involving GateKeeper’s checks and prompts.

Filippo Cavallarin, an independent security researcher, late last month publicly revealed a way to exploit this behavior by combining it with two other legitimate features of macOS operating system, which are:

ZIP archives can contain symbolic links pointing to an arbitrary location, including automount endpoints, and
the automount feature on macOS can automatically mount a network share from a remote server just by accessing it with a “special” path, i.e. one beginning with “/net/”.

“For example, ls /net/evil-attacker.com/sharedfolder/ will make the OS read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS,” Cavallarin explained in a blog post.

As shown in the video demonstration, Cavallarin created a ZIP file with a symbolic link to an attacker-controlled network share that macOS will automount.

Once a victim opens the ZIP archive and follows the link, they navigate to the attacker-controlled network share that Gatekeeper trusts, and can be tricked into running malicious executable files without any warning.
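The archive-side half of the technique above can be caught before a user ever opens the file. The following is an added example, not Cavallarin's or Intego's code: it inspects a ZIP's entries for Unix symlinks (the mode sits in the high 16 bits of `external_attr`, and a symlink entry's data is its target), and flags any link that points at a `/net/` automount path or otherwise outside the archive. The sample archive it builds, including the `files.example.invalid` host name, is constructed for the demonstration.

```python
"""Scan a ZIP archive for symlinks that reach outside it, especially macOS /net/ automounts."""
import io
import posixpath
import stat
import zipfile
from typing import List, Tuple


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # create_system 3 == Unix; the POSIX mode lives in the upper 16 bits of external_attr.
    return info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16)


def _escapes_archive(member: str, target: str) -> bool:
    """True if a relative link target, resolved from the member's directory,
    leaves the extraction root (normalised path begins with '..')."""
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(member), target))
    return resolved == ".." or resolved.startswith("../")


def scan_zip_symlinks(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (member name, link target, reason) for every risky symlink entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not _is_symlink(info):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith("/net/"):
                reason = "automount target under /net/: remote NFS share treated as trusted by Gatekeeper"
            elif target.startswith("/"):
                reason = "absolute target outside the archive"
            elif _escapes_archive(info.filename, target):
                reason = "relative target escapes the archive"
            else:
                continue  # link stays inside the archive: benign
            findings.append((info.filename, target, reason))
    return findings


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a Unix-style symlink entry; the entry body is the link target."""
    zi = zipfile.ZipInfo(name)
    zi.create_system = 3
    zi.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(zi, target)


def build_sample_zip() -> bytes:
    """Constructed sample: a regular file, a benign internal link, and a link to a
    /net/ automount path of the kind described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        _add_symlink(zf, "docs/latest.txt", "readme.txt")
        _add_symlink(zf, "Report", "/net/files.example.invalid/share/Report.app")
    return buf.getvalue()


if __name__ == "__main__":
    for member, target, reason in scan_zip_symlinks(build_sample_zip()):
        print(f"{member} -> {target}: {reason}")
```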

“The way Finder is designed (ex hide .app extensions, hide full path from title bar) makes this technique very effective and hard to spot,” the researcher says.

However, the newly discovered malware samples are not ZIP files, but disk image files (with .dmg), showing that “malware makers were experimenting to see whether Cavallarin’s vulnerability would work with disk images, too.”

Cavallarin responsibly reported his findings to Apple on February 22 but decided to go public late last month after the company failed to patch the issue within the 90-day disclosure deadline and started ignoring his emails.

Until Apple patches this issue, the researcher advised network administrators to block NFS communications with external IP addresses; for home users, it is always important not to open email attachments from an unknown, suspicious, or untrustworthy source.

PoC Released for Outlook Flaw that Microsoft Patched 6 Months After Discovery

As we reported two days ago, Microsoft this week released an updated version of its Outlook app for Android that patches a severe remote code execution vulnerability (CVE-2019-1105) that impacted over 100 million users.

However, at that time, very few details of the flaw were available in the advisory, which just revealed that the earlier versions of the email app contained a cross-site scripting (XSS) flaw that could allow attackers to run scripts in the context of the current user just by sending a specially crafted email to the victims.

Now, Bryan Appleby from F5 Networks, one of the security researchers who reported this issue independently to Microsoft, released more details and proof-of-concept for the Outlook vulnerability that he reported to the tech giant almost six months ago.

In a blog post published Friday, Appleby revealed that while exchanging some JavaScript code with his friends over an email, he accidentally discovered a cross-site scripting (XSS) issue that could allow an attacker to embed an iframe into the email.

In other words, the vulnerability resided in the way the email server parses HTML entities in email messages.

Though JavaScript running inside an iframe can only access the content within it, Appleby found that executing JavaScript code inside the injected iframe could allow the attacker to read app-related content in the context of the logged-in Outlook user, including their cookies, tokens and even some contents of their email inbox.

The vulnerability, Appleby said, allowed him to “steal data from the app—I could use it to read and extract the HTML.”

“This kind of vulnerability could be exploited by an attacker sending an email with JavaScript in it. The server escapes that JavaScript and does not see it because it’s within an iframe. When delivered, the mail client automatically undoes the escaping, and the JavaScript runs on the client device. Bingo – remote code execution,” Appleby explains.

“This code can do whatever the attacker desires, up to and including stealing information and/or sending data back out. An attacker can send you an email and just by you reading it, they could steal the contents of your inbox. Weaponized, this can turn into a very nasty piece of malware.”
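The escape-order mismatch Appleby describes (the server's filter not seeing markup that the client later decodes) can be modelled in a few lines. This is an added, simplified model, not Outlook's or Appleby's code: `server_filter` and the two client renderers are stand-ins for the real components, and the sample message is constructed. It shows the entity-encoded iframe passing the filter and re-appearing after the client decodes, and the fixed ordering in which the filter sees exactly what the client will render.

```python
"""Model of a sanitize-then-decode bug that lets an entity-encoded iframe survive filtering."""
import html
import re

# Tags the filter is meant to remove (only script and iframe, for the demonstration).
ACTIVE_TAG = re.compile(r"</?(script|iframe)\b[^>]*>", re.IGNORECASE)


def server_filter(body: str) -> str:
    """Vulnerable ordering: strip script/iframe tags from the raw body as received."""
    return ACTIVE_TAG.sub("", body)


def vulnerable_client_render(filtered: str) -> str:
    """Client decodes HTML entities *after* the server filter ran, re-creating any
    tags that were hidden behind &lt; and &gt;."""
    return html.unescape(filtered)


def fixed_server_filter(body: str) -> str:
    """Fixed ordering: decode first, so the filter sees the same markup the client will."""
    return ACTIVE_TAG.sub("", html.unescape(body))


def fixed_client_render(filtered: str) -> str:
    """Client renders exactly what the server produced and never re-decodes."""
    return filtered


def contains_active_content(rendered: str) -> bool:
    """Detection helper: does the rendered HTML still contain a script/iframe tag?"""
    return ACTIVE_TAG.search(rendered) is not None


# Constructed sample message: the iframe is entity-encoded, so a filter that runs
# before decoding sees only harmless text.
SAMPLE_EMAIL = (
    "<p>Quarterly numbers attached.</p>"
    "&lt;iframe srcdoc=&quot;&lt;script&gt;alert(1)&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;"
)


def demo() -> dict:
    """Run both pipelines over the sample and report whether active content survives."""
    vulnerable_out = vulnerable_client_render(server_filter(SAMPLE_EMAIL))
    fixed_out = fixed_client_render(fixed_server_filter(SAMPLE_EMAIL))
    return {
        "filter_saw_tag": contains_active_content(server_filter(SAMPLE_EMAIL)),
        "vulnerable_renders_tag": contains_active_content(vulnerable_out),
        "fixed_renders_tag": contains_active_content(fixed_out),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The durable property is the one in `fixed_client_render`: whatever the server emits is final, so there is no second decoding step for encoded markup to slip through.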

Appleby responsibly reported his findings to Microsoft on 10 December 2018, and the company confirmed the vulnerability on 26 March 2019 when he shared a universal PoC with the tech giant.

Microsoft patched the vulnerability and released a fix just 2 days ago, almost 6 months after the initial vulnerability disclosure. The company says it is currently not aware of any attacks in the wild related to this issue.

Besides Appleby, security researchers Sander Vanrapenbusch, Tom Wyckhuys, Eliraz Duek from CyberArk and Gaurav Kumar also reported the same issue to Microsoft separately in recent months.

Gaurav Kumar also shared a video with The Hacker News that demonstrates the vulnerability in action, as shown above.

Once again, if your Android device is not yet updated automatically, you are advised to update your Outlook app from Google Play Store manually.

OpenSSH Now Encrypts Secret Keys in Memory Against Side-Channel Attacks


In recent years, several groups of cybersecurity researchers have disclosed dozens of memory side-channel vulnerabilities in modern processors and DRAMs, like Rowhammer, RAMBleed, Spectre, and Meltdown.

Have you ever noticed they all had at least one thing in common?

That’s OpenSSH.

As a proof of concept, many researchers demonstrated their side-channel attacks against the OpenSSH application installed on a targeted computer, where an unprivileged attacker-owned process exploits memory read vulnerabilities to steal secret SSH private keys from restricted memory regions of the system.

That’s possible because OpenSSH has an agent that keeps a copy of your SSH key in the memory so that you don’t have to type your passphrase every time you want to connect to the same remote server.

However, modern operating systems by default store sensitive data, including encryption keys and passwords, in kernel memory, which cannot be accessed by unprivileged user-level processes.

But since these SSH keys live in RAM (and pass through CPU caches) in plaintext, the feature is susceptible to attacks that involve memory read vulnerabilities.

OpenSSH Now Stores Only Encrypted Keys in the Memory

Here’s good news — it’s not the case anymore.

The latest update from the OpenSSH developers resolves this issue by introducing a new security feature that encrypts private keys before storing them in system memory, protecting them against almost all types of side-channel attacks.

According to OpenSSH developer Damien Miller, a new patch to OpenSSH now “encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large “prekey” consisting of random data (currently 16KB).”

“Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely,” Miller explains.

“Implementation-wise, keys are encrypted ‘shielded’ when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialized.”

It should be noted that this patch just mitigates the threat and is not a permanent solution. Miller says OpenSSH will remove this protection against side-channel attacks in a few years when computer architecture becomes less unsafe.
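A toy model of the shielding scheme Miller describes makes the bit-error argument concrete. This is an added example, not OpenSSH's code: it keeps the 16 KB random prekey and the hash-derived symmetric key, but uses SHAKE-256 as the keystream generator in place of OpenSSH's AES-CTR so that it needs no third-party library; the private-key bytes and the error rates are constructed.

```python
"""Toy key shielding: a large random prekey, a key derived from it, and the
all-or-nothing effect of bit errors in an attacker's recovered prekey."""
import hashlib
import os
import random
from typing import Tuple

PREKEY_BYTES = 16 * 1024  # "relatively large 'prekey' ... (currently 16KB)"


def derive_key(prekey: bytes) -> bytes:
    """Symmetric key derived from the whole prekey; any changed bit changes the key."""
    return hashlib.sha512(prekey).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR (assumption for this model): an XOF-driven keystream.
    return hashlib.shake_256(key).digest(length)


def shield(private_key: bytes) -> Tuple[bytes, bytes]:
    """Return (prekey, shielded_key); only these two are kept in memory at rest."""
    prekey = os.urandom(PREKEY_BYTES)
    ks = _keystream(derive_key(prekey), len(private_key))
    return prekey, bytes(a ^ b for a, b in zip(private_key, ks))


def unshield(prekey: bytes, shielded_key: bytes) -> bytes:
    """Transparent unshielding at use time (signing, serialisation)."""
    ks = _keystream(derive_key(prekey), len(shielded_key))
    return bytes(a ^ b for a, b in zip(shielded_key, ks))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip exactly one bit; models a single read error in the recovered prekey."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def corrupt(data: bytes, bit_error_rate: float, rng: random.Random) -> bytes:
    """Model an attacker's memory read of the prekey at a given per-bit error rate."""
    out = bytearray(data)
    for i in range(len(out)):
        for b in range(8):
            if rng.random() < bit_error_rate:
                out[i] ^= 1 << b
    return bytes(out)


def attacker_recovers(prekey: bytes, shielded_key: bytes, private_key: bytes,
                      bit_error_rate: float, seed: int = 1) -> bool:
    """Did a leaked prekey with this error rate decrypt to the real private key?"""
    leaked = corrupt(prekey, bit_error_rate, random.Random(seed))
    return unshield(leaked, shielded_key) == private_key


if __name__ == "__main__":
    pk = b"constructed-private-key-bytes-for-demo"
    prekey, ct = shield(pk)
    print("unshield ok:", unshield(prekey, ct) == pk)
    for rate in (0.0, 1e-5, 1e-3):
        print(f"bit error rate {rate:g}: recovered={attacker_recovers(prekey, ct, pk, rate)}")
```

With 131,072 prekey bits even a per-bit error rate of 10^-5 leaves roughly one expected error, and a single wrong bit yields an unrelated key; the attacker must read the whole prekey essentially perfectly.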

Security Flaw in Pre-Installed Dell Support Software Affects Millions of Computers

Dell’s SupportAssist utility that comes pre-installed on millions of Dell laptops and PCs contains a security vulnerability that could allow malicious software or rogue logged-in users to escalate their privileges to administrator-level and access sensitive information.

Discovered by security researchers at SafeBreach Labs, the vulnerability, identified as CVE-2019-12280, is a privilege-escalation issue and affects Dell’s SupportAssist application for business PCs (version 2.0) and home PCs (version 3.2.1 and all prior versions).

Dell SupportAssist, formerly known as Dell System Detect, checks the health of your system’s hardware and software and alerts customers to problems so they can take appropriate action to resolve them. To do so, it runs on your computer with SYSTEM-level permissions.

With these high-level privileges, the utility interacts with the Dell Support website, automatically detects the Service Tag or Express Service Code of your Dell product, scans the existing device drivers and installs missing or available driver updates, and performs hardware diagnostic tests.

However, researchers at SafeBreach Labs discovered that the software insecurely loads .dll files from user-controlled folders when run, leaving a spot for malware and rogue logged-in users to corrupt existing DLLs or replace them with malicious ones.


Therefore, when SupportAssist loads those tainted DLLs, malicious code gets injected into the program and executed within the context of an administrator, thus easily allowing the attacker to gain complete control of a targeted system.

“According to Dell’s website, SupportAssist is pre-installed on most of Dell devices running Windows. This means that as long as the software is not patched, the vulnerability affects millions of Dell PC users,” the researchers say.

What’s worrisome? Researchers believe that Dell is not the only company whose PCs are impacted by this particular security issue.

Since Dell SupportAssist is written and maintained by Nevada-based diagnostics and customer support firm PC-Doctor, other PC makers that bundle the same diagnostic and troubleshooting tools into their own computers with different names may also be vulnerable.

“After SafeBreach Labs sent the details to Dell, we discovered that this vulnerability affects additional OEMs which use a rebranded version of the PC-Doctor Toolbox for Windows software components,” the researchers say.

Also, according to the PC-Doctor website, PC makers have “pre-installed over 100 million copies of PC-Doctor for Windows on computer systems worldwide,” which means the flaw also affects other OEMs that rely on PC-Doctor for specialized troubleshooting tools.

Since Dell’s SupportAssist software uses a driver signed by PC-Doctor to access low-level memory and hardware, the researchers demonstrated the vulnerability by reading the content of an arbitrary physical memory address as a proof of concept.

SafeBreach Labs reported the vulnerability to Dell on 29th April 2019; the company then reported the issue to PC-Doctor and on 28th May released fixes provided by PC-Doctor for the affected SupportAssist versions.

Dell Business and home PC users are recommended to update their software to Dell SupportAssist for Business PCs version 2.0.1 and Dell SupportAssist for Home PCs version 3.2.2 respectively.

This is not the first time Dell SupportAssist has been found affected by a severe security vulnerability.

In April this year, Dell also addressed a critical remote code execution vulnerability in the utility that would have allowed remote attackers to download and install malware from a remote server on affected Dell computers and take full control over them.

Firefox 67.0.4 Released — Mozilla Patches Second 0-Day Flaw This Week


Okay, folks, it’s time to update your Firefox web browser once again—yes, for the second time this week.

After patching a critical actively-exploited vulnerability in Firefox 67.0.3 earlier this week, Mozilla is now warning millions of its users about a second zero-day vulnerability that attackers have been found exploiting in the wild.

The newly patched issue (CVE-2019-11708) is a “sandbox escape” vulnerability, which if chained together with the previously patched “type confusion” bug (CVE-2019-11707), allows a remote attacker to execute arbitrary code on victims’ computers just by convincing them into visiting a malicious website.

Browser sandboxing is a security mechanism that keeps third-party processes isolated and confined to the browser, preventing them from damaging other sensitive parts of a computer’s operating system.

“Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process,” the advisory explains.

Firefox 0-Days Found Exploited in the Wild

Mozilla had already been aware of the first issue since April, when a Google Project Zero researcher reported it to the company, but it learned about the second issue and the in-the-wild attacks only last week, when attackers started exploiting both flaws together to target employees of the Coinbase platform and users of other cryptocurrency firms.

Just yesterday, macOS security expert Patrick Wardle also published a report revealing that a separate campaign against cryptocurrency users is using the same Firefox 0-days to install macOS malware on targeted computers.

At this moment it’s not clear whether the attackers independently discovered the first vulnerability around the time it was reported to Mozilla, or obtained the confidential bug-report information some other way.

Install Firefox Patches to Prevent Cyber Attacks

Anyway, the company has now released Firefox version 67.0.4 and Firefox ESR 60.7.2, which address both issues and prevent attackers from remotely taking control of your systems.

Though Firefox installs the latest available updates automatically, users are still advised to ensure they are running Firefox 67.0.4 or later.

Besides this, just like the patch for the previous issue, it is also expected that the Tor Project will once again release a new version of its privacy browser very soon to patch the second bug as well.

Important Update (21/06/2019) ➤ The Tor Project on Friday also released a second update this week (Tor Browser 8.5.3) for its privacy web browser, patching the second vulnerability that Firefox patched yesterday.