#AxisOfEasy 371: Malicious Chrome Extensions Exploit Google’s New Security Model


Weekly Axis Of Easy #371


Last Week’s Quote, “You become uncancelable as long you don’t accept that you can be canceled,” was by Alex Hormozi.  No one got it.

This Week’s Quote: “If you don’t read the newspapers, you are uninformed, if you do, you are misinformed.” By ???

THE RULES: No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of October 7th, 2024, in which our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To listen to or watch this podcast edition, with commentary and insight from Joey Tweets and Len the Lengend, click here.


In this issue: 

  • Malicious Chrome Extensions Exploit Google’s New Security Model
  • Gamers Targeted by Fake Cheat Scripts Spreading Malware
  • States Sue TikTok Over Alleged Child Exploitation and Mental Health Risks
  • Nobel-Winning AI Pioneer Geoffrey Hinton Warns of Rapid AI Evolution Amid Industry Accolades
  • MoneyGram Hack Exposes Customer Data
  • The Wayback Machine Hacked

Elsewhere Online:

  • Researchers Find Major Security Holes in Industrial MMS Libraries
  • Discord Faces Bans in Russia, Turkey Over Content Issues
  • Tech Giant Faces Government Antitrust Challenge
  • North Korean Hackers Exploit Fake Job Interviews to Distribute Malware
  • Mandatory Standards and Reporting in Australia’s Cybersecurity Law


Malicious Chrome Extensions Exploit Google’s New Security Model

Despite Google’s Manifest V3 upgrade for Chrome extensions, malicious extensions are bypassing security measures. On September 20, Singapore-based SquareX researchers demonstrated at DefCon 32 how harmful extensions could steal data and redirect users to phishing sites, even from platforms like Google Meet and Zoom.

SquareX CEO Vivek Ramachandran emphasized that V3’s permissions model remains too broad. “Malicious actors can exploit minimal permissions to steal data,” he said.

Google introduced Manifest V3 in 2018 to enhance privacy and security but has faced criticism for insufficient controls. Ramachandran estimated that hundreds of malicious extensions based on Manifest V3 already exist on the Chrome Web Store. He urged Google to enforce stricter permissions and improve vetting processes.

Although Google has implemented security measures, including risk assessment tools and extension management capabilities, gaps remain. Ramachandran advised enterprises to audit their installed extensions and restrict unnecessary permissions.

“Extensions run like internal applications, but endpoint security tools lack visibility over them,” he warned, urging businesses to adopt better browser extension control.
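The audit Ramachandran recommends can be started from the extension manifests themselves, which declare the permissions and host patterns each extension holds. The script below is an added example written for this newsletter, not code from SquareX, Google or the article: it reads a set of manifests, flags any that is not Manifest V3, that asks for access to every site (`<all_urls>` and similar patterns, including via `content_scripts`), or that requests permissions with wide reach such as `webRequest`, `scripting`, `tabs` or `cookies`. The set of “high-risk” permissions is this example’s own judgement, not a Google-published ranking, and the sample manifests are constructed. The `audit_profile_dir` helper assumes Chrome’s usual on-disk layout (`<profile>/Extensions/<id>/<version>/manifest.json`); adjust the profile path for your platform.

```python
"""Audit Chrome extension manifests for broad permissions (added example)."""
import json
import sys
from pathlib import Path

# Permissions that reach well beyond a single site. This list is the
# example's own choice of what an enterprise reviewer should look at first.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "scripting", "cookies", "tabs",
    "debugger", "nativeMessaging", "clipboardRead", "history", "proxy",
    "declarativeNetRequest", "webNavigation", "management",
}

# Host patterns that match every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return a list of finding strings for one parsed manifest dict."""
    findings = []
    if manifest.get("manifest_version") != 3:
        findings.append("manifest_version is not 3 (legacy MV2 or unknown)")

    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into
    # permissions, so pull out anything that looks like a URL pattern.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    perms -= hosts
    # Content scripts get host access through their match patterns too.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))

    broad = hosts & BROAD_HOSTS
    if broad:
        findings.append(f"broad host access: {sorted(broad)}")
    risky = perms & HIGH_RISK_PERMISSIONS
    if risky:
        findings.append(f"high-risk permissions: {sorted(risky)}")
    if manifest.get("optional_permissions") or manifest.get("optional_host_permissions"):
        findings.append("declares optional permissions that can be granted after install")
    return findings


def audit_manifests(manifests):
    """manifests: dict of display name -> manifest dict.
    Returns a dict containing only the extensions that produced findings."""
    report = {}
    for name, manifest in manifests.items():
        findings = audit_manifest(manifest)
        if findings:
            report[name] = findings
    return report


def audit_profile_dir(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed Chrome
    layout) and audit every manifest found. Names that read __MSG_...__ are
    localisation placeholders; the extension id is kept alongside for lookup."""
    manifests = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
        ext_id = path.parent.parent.name
        manifests[f"{manifest.get('name', '?')} [{ext_id}]"] = manifest
    return audit_manifests(manifests)


# Constructed sample manifests: one over-privileged MV3 extension, one
# narrowly scoped MV3 extension, and one legacy MV2 extension.
SAMPLE_MANIFESTS = {
    "Meeting Notes Helper (constructed)": {
        "manifest_version": 3,
        "permissions": ["storage", "scripting", "tabs"],
        "host_permissions": ["<all_urls>"],
    },
    "Site Theme (constructed)": {
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"],
        "content_scripts": [{"matches": ["https://example.com/*"], "js": ["theme.js"]}],
    },
    "Old Toolbar (constructed)": {
        "manifest_version": 2,
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*"],
    },
}


if __name__ == "__main__":
    # With a profile path on the command line, audit real manifests;
    # otherwise run over the constructed samples.
    report = audit_profile_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_manifests(SAMPLE_MANIFESTS)
    for name, findings in report.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run without arguments to see the sample report (the narrowly scoped “Site Theme” produces no findings), or pass a Chrome profile directory to audit what is actually installed. A manifest audit is only a starting point: it shows what an extension may do, not what its code does, which is the visibility gap the article describes.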

Read: https://www.darkreading.com/cyber-risk/malicious-chrome-extensions-past-google-updated-security

 

Gamers Targeted by Fake Cheat Scripts Spreading Malware

Gamers seeking cheat scripts are being lured into downloading Lua-based malware through fake websites. This malware, detailed by Morphisec researcher Shmuel Uzan, affects users worldwide, delivering additional payloads and establishing persistence on infected systems.

Morphisec’s analysis found that the malware is distributed via obfuscated Lua scripts, which hide suspicious activity. Victims are tricked into downloading fake game cheat engines like Solara and Electron from booby-trapped GitHub repositories.

The ZIP archives served from these repositories contain malicious Lua scripts that communicate with command-and-control servers, downloading harmful payloads such as RedLine Stealer. “Infostealers are gaining prominence as stolen credentials are sold on the Dark Web,” Uzan noted.

The attack mirrors recent campaigns using GitHub to host malware, with the goal of stealing sensitive information from users. GitHub is working to enhance its security, stating that it is “looking into measures to better protect against this activity.”

This campaign is part of a broader trend, with malware also spread through Telegram and YouTube targeting crypto investors and gamers. Attackers profit by mining cryptocurrency and stealing credentials, creating a growing threat to unsuspecting users.

Read: https://thehackernews.com/2024/10/gamers-tricked-into-downloading-lua.html

 

States Sue TikTok Over Alleged Child Exploitation and Mental Health Risks

Over a dozen states and the District of Columbia have sued TikTok, claiming it’s intentionally addictive and harmful to children’s mental health. The lawsuits follow a March 2022 investigation led by a bipartisan group of attorneys general from states like New York and California. The core issue is TikTok’s algorithm, which drives the “For You” feed using endless scrolling, notifications, and beauty filters to keep users engaged, allegedly prioritizing ad revenue over well-being. Officials argue these features cause anxiety, depression, and body dysmorphia, particularly in young users.

District of Columbia Attorney General Brian Schwalb draws parallels to past cases against the tobacco and pharmaceutical industries, emphasizing TikTok’s profit motives. Beyond mental health concerns, TikTok is accused of running an unlicensed virtual economy through TikTok Coins, taking a 50% commission, and enabling teen exploitation via its LIVE streaming feature. Authorities assert that despite age restrictions, children bypass controls to access adult content. TikTok disputes these claims, emphasizing its cooperation with authorities over the past two years.

In parallel, 22 states filed an amicus brief urging Tennessee courts to force TikTok to release investigation documents. Texas also sued, alleging illegal data sales involving minors. TikTok’s U.S. future is uncertain as ByteDance faces a mid-January deadline to sell the platform.

Read: https://apnews.com/article/tiktok-lawsuit-youth-mental-health-2993f8e70d2e3d4eab9988df168fb948

 

Nobel-Winning AI Pioneer Geoffrey Hinton Warns of Rapid AI Evolution Amid Industry Accolades

Geoffrey Hinton and John Hopfield have been awarded the 2024 Nobel Prize in Physics for their pioneering work on artificial neural networks. The Royal Swedish Academy of Sciences honored their application of statistical physics to pattern recognition, which laid the foundation for transformative AI technologies like facial recognition and language translation. Hinton, previously splitting his time between Google and the University of Toronto, developed the “Boltzmann machine,” leveraging Ludwig Boltzmann’s equations for autonomous data processing—an essential precursor to modern generative AI models such as ChatGPT. Hopfield’s contributions, specifically his development of associative memories (“Hopfield networks”), revolutionized data storage and retrieval, directly influencing Hinton’s subsequent work.

Despite the accolades, Hinton has expressed concerns about AI’s accelerated development, which he once predicted would take 30-50 years but now sees as imminent. He criticized firms like OpenAI for prioritizing profit over safety, highlighting AI’s risks, such as job displacement and misinformation. This aligns with his earlier 2021 warnings on the societal impact of autonomous weapons and healthcare applications. Hinton’s departure from Google in 2023 allowed him to freely discuss these risks, which coincide with broader calls from tech leaders, including Elon Musk, to pause advanced AI development for safety assessments.

Read: https://www.cbc.ca/news/science/nobel-prize-physics-2024-1.7344607


MoneyGram Hack Exposes Customer Data

MoneyGram, a major U.S. money transfer company, confirmed that hackers stole customer information during a September 20 cyberattack. The breach caused a week-long outage, disrupting its website and app.

Stolen data includes personal details like names, phone numbers, and national identification numbers. Some customers also had Social Security numbers and transaction information exposed.

MoneyGram is investigating the breach’s full impact. Spokesperson Sydney Schoolfield stated the company is in the “early stages” of assessing affected customers.

The nature of the attack remains unclear, but MoneyGram has notified U.K. regulators as required by law. The company, serving over 50 million people annually, faces scrutiny over potential risks to customers.

“We’re working diligently to understand the scope of the breach,” MoneyGram said in its statement.

Read: https://techcrunch.com/2024/10/07/moneygram-says-hackers-stole-customers-personal-information-and-transaction-data/


The Wayback Machine Hacked

The hacker, not one for subtlety, even threw up a JavaScript alert on the site, cheekily announcing the breach and teasing that users will soon see themselves on Have I Been Pwned. The stolen database, weighing in at a hefty 6.4 GB, includes email addresses, bcrypt-hashed passwords, and other sensitive data. Guess it’s time for Internet Archive fans to fire up their password managers—again.

As if that wasn’t enough, the Archive has also been hit by a DDoS attack courtesy of the BlackMeta hacktivist group, because why not pile on when things are already bad? Founder Brewster Kahle has confirmed the breach and DDoS attacks, adding that they’re scrambling to scrub systems and beef up security. Meanwhile, users are left wondering if their beloved archival site has been running on duct tape and hope all this time.

Read: https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/



Elsewhere Online:

Researchers Find Major Security Holes in Industrial MMS Libraries
Read: https://thehackernews.com/2024/10/researchers-uncover-major-security.html

Discord Faces Bans in Russia, Turkey Over Content Issues
Read: https://www.zerohedge.com/markets/russia-turkey-block-discord-over-content-violations

Tech Giant Faces Government Antitrust Challenge
Read: https://www.theguardian.com/technology/2024/oct/09/google-us-government-attempt-break-up-business-court-filing

North Korean Hackers Exploit Fake Job Interviews to Distribute Malware
Read: https://thehackernews.com/2024/10/n-korean-hackers-use-fake-interviews-to.html

Mandatory Standards and Reporting in Australia’s Cybersecurity Law
Read: https://www.infosecurity-magazine.com/news/australia-introduces-cybersecurity/
