600k Google Chrome users exposed

Jan 03 2025



Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s the only guaranteed protection against an #AmberAlert cyberstorm ⛈️⛈️⛈️

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳 

Congrats to Palo Alto, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Take that, ya DoSsers! 🙃

🚨🔥 High-Severity PAN-OS Vulnerability Alert! 🔥🚨

Palo Alto Networks has uncovered CVE-2024-3393, a DoS vulnerability (CVSS score: 8.7) impacting PAN-OS software. This bug could let attackers send malicious packets that reboot firewalls, potentially causing chaos! 🌐💥

What's Affected?

🛑 PAN-OS Versions: 10.X, 11.X, and Prisma Access on PAN-OS 10.2.8+ (or earlier than 11.2.3).

✅ Fixed in: PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and later.

What's Happening?

  • Malicious DNS packets can trigger firewall reboots.

  • Repeated attacks = maintenance mode lockdown.

  • Firewalls with DNS Security logging enabled are at risk.

What You Can Do! 🛡️

Patch ASAP using the latest updates for your PAN-OS version.

  • Disable DNS Security logging for unmanaged firewalls:

  • Go to: Objects > Security Profiles > Anti-Spyware > DNS Policies > DNS Security.

  • Prisma Access Users: Open a support case for quick action!

CISA Adds to KEV Catalog

This vulnerability is now on the CISA KEV list, with a deadline for Federal Civilian Agencies to patch by Jan 20, 2025.

🔧 Proactive measures = safer firewalls. Protect your networks now! 🖥️💪
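A quick fleet check for the fix, written for this newsletter item (not Palo Alto Networks code): it compares each firewall's PAN-OS version string against the fixed releases listed above, matching on release branch and treating the `-hN` hotfix suffix as part of the version. Branches with no fixed release named here are reported as unpatched; the inventory is a constructed sample.

```python
import re

# Fixed releases as listed in the advisory summary above, one per release branch.
# Any further branch-specific hotfixes are not on this page and are not modelled.
FIXED_VERSIONS = ["10.1.14-h8", "10.2.10-h12", "11.1.5", "11.2.3"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Turn '10.2.10-h12' into (10, 2, 10, 12); a release without a hotfix is hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_patched(version, fixed_versions=FIXED_VERSIONS):
    """True if `version` is at or above the fixed release of its own branch (major.minor).

    A branch with no fixed release listed (e.g. 10.0.x, 11.0.x) is treated as
    unpatched, because the page names no fix for it.
    """
    v = parse_version(version)
    for fixed in fixed_versions:
        f = parse_version(fixed)
        if f[:2] == v[:2]:  # same release branch
            return v >= f
    return False


def triage(inventory):
    """Return the subset of {hostname: version} that still needs the CVE-2024-3393 fix."""
    return {host: ver for host, ver in inventory.items() if not is_patched(ver)}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "fw-edge-1": "10.2.10-h12",
        "fw-edge-2": "10.2.10-h3",
        "fw-dc-1": "11.1.4",
        "fw-lab": "11.2.3",
    }
    print(triage(sample))  # {'fw-edge-2': '10.2.10-h3', 'fw-dc-1': '11.1.4'}
```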

Now, on to this week’s hottest cybersecurity news stories: 

  • 🙍🏻‍♂️ 600k Google Chrome users exposed to data theft via 16 extensions 🔌

  • 🔐 Default credentials expose 15,000+ Four-Faith routers to new exploit 👾

  • 🌶️ Don’t get burned by CAPSAICIN, a new strain targeting D-Link routers 📡

Hackers: There’s no place like Chrome 💀


🚨 Massive Chrome Extension Hack Hits 600,000+ Users! 🙍🏻‍♂️

Cybercriminals have compromised at least 16 popular Chrome browser extensions, putting over 600,000 users at risk of data theft and credential exposure.

💻 How It Happened:

Hackers targeted extension publishers with phishing emails disguised as messages from "Google Chrome Web Store Developer Support." Victims were tricked into granting permissions to a malicious app, allowing attackers to inject harmful code into legitimate extensions. The compromised versions stole cookies, access tokens, and other sensitive data.

🔥 The first known victim, Cyberhaven, saw its extension hijacked on December 24, enabling malicious code to communicate with an external server, download harmful files, and exfiltrate user information.

🎯 Who’s Affected?

This wasn’t an isolated attack! Researchers uncovered more impacted extensions, including:

🌟 AI tools like AI Assistant – ChatGPT and Bard AI Chat Extension

🔒 VPNs like VPNCity and Internxt VPN

🎥 Tools like VidHelper Video Downloader and Reader Mode

📜 Even Rewards Search Automator and Keyboard History Recorder

⚡ Why It’s Dangerous:

The malicious versions could:

  • Steal sensitive data, including Facebook Ads tokens 🧑‍💻

  • Spy on users and bypass protections 🕵️‍♂️

  • Remain active on devices even after being removed from the Chrome Web Store ⚙️

💡 What You Can Do:

1️⃣ Check your extensions and remove anything suspicious or unused.

2️⃣ Update regularly to secure versions.

3️⃣ Be cautious with unexpected emails—phishing is on the rise! 🚫✉️

🌐 Why It Matters:

Browser extensions often seem harmless, but they can have extensive permissions, making them prime targets for hackers. This attack campaign highlights the need for better visibility and stricter controls over third-party tools.

Stay safe, stay updated, and protect your online world! 💪✨

Get the complete picture of AI from an expert with nearly a decade of experience.

What You Need To Know About AI is an upcoming book exploring AI’s history, what modern AI can (and can’t) do, and what it means for you and the future.

Learn how it's being used in medicine, finance, and more. Get past the hype and understand how AI works in an accessible, but not dumbed-down way.

Password123 👍

🚨 New Exploit Targets Industrial Routers! 🌐

A high-severity flaw in select Four-Faith industrial routers (models F3x24 and F3x36) has been actively exploited in the wild, according to VulnCheck. This vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), poses a significant threat, especially if default credentials have not been updated.

💥 The Vulnerability:

The flaw allows attackers to perform OS command injection on vulnerable routers, but only if they manage to authenticate. Here’s the catch—many of these routers still use default credentials, making it easy for bad actors to bypass this restriction.

🛠️ How the Attack Works:

  • Endpoint Exploited: /apply.cgi

  • Weakness: The adj_time_year parameter in system time settings is vulnerable.

  • Payload: Attackers leverage this flaw to launch a reverse shell, giving them persistent remote access to the device.

📍 Origins of the Attack:

The latest exploitation attempt came from IP address 178.215.238[.]91, which has been linked to previous attacks on Four-Faith routers.

This IP has also been associated with the exploitation of CVE-2019-12168, another remote code execution flaw.

Reports from GreyNoise show similar attacks as recent as December 19, 2024.

🌍 Scope of the Threat:

Over 15,000 internet-facing devices are potentially at risk, according to data from Censys.

Evidence suggests these attacks may have started as early as November 2024.

Attackers appear to be spamming the entire internet at low rates, aiming to deliver a Mirai-like payload.

🔒 What You Can Do:

1️⃣ Change Default Credentials Now 🛡️—this simple step can block unauthorized access.

2️⃣ Limit Internet Exposure 🌐—restrict access to routers only to trusted networks.

3️⃣ Monitor for Unusual Activity 👀—keep an eye out for suspicious connections.

4️⃣ Await further updates: As of now, no official patch has been released.

📅 VulnCheck responsibly disclosed the flaw to Four-Faith on December 20, 2024, but there’s no word yet on a fix.

💬 Expert Insights:

Jacob Baines, VulnCheck: “The attacks aren’t widespread but are consistent, targeting the entire internet at low rates.”

🚨 Why It Matters:

Industrial routers are critical for IoT and operational systems, making vulnerabilities like CVE-2024-12856 a high-priority risk for businesses.

Stay vigilant and secure your devices to prevent falling victim to these attacks! 🛠️✨

Quick, pass the milk! 🥛👀😏

Cybersecurity researchers are ringing alarm bells over a surge in malicious campaigns targeting vulnerable D-Link routers, hijacking them into two distinct botnets:

  • FICORA (a variant of Mirai)

  • CAPSAICIN (a Kaiten/Tsunami derivative)

💥 What’s Happening?

These botnets exploit long-known vulnerabilities in D-Link routers’ HNAP (Home Network Administration Protocol) interface, enabling attackers to execute malicious commands. Vulnerabilities leveraged include:

📅 CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112—some dating back nearly a decade!

🌍 Scope of the Attacks:

FICORA: Attacks are widespread, targeting systems globally.

CAPSAICIN: Focused on East Asian regions, especially Japan and Taiwan, with peak activity on October 21–22, 2024.

🔧 How They Work:

FICORA Botnet:

1️⃣ Deploys a downloader script (multi) from IP 103.149.87[.]69.

2️⃣ Fetches malware for various Linux architectures via commands like wget, curl, and tftp.

3️⃣ Equipped with DDoS capabilities using UDP, TCP, and DNS protocols.

4️⃣ Performs brute-force attacks using a hard-coded username-password list.

CAPSAICIN Botnet:

1️⃣ Uses a downloader script (bins.sh) from IP 87.10.220[.]221.

2️⃣ Establishes a connection with its C2 server (192.110.247[.]46).

3️⃣ Sends OS info and victim "nickname" back to the C2.

4️⃣ Awaits further commands, including:

  • Execute shell commands 🖥️

  • Download files 📂

  • Launch DDoS attacks 🌐

💥 Notable DDoS methods:

  • BLACKNURSE: ICMP packet floods 🌀

  • HTTP Flooding 📶

  • DNS Amplification 🌎

🤖 A Battle for Control:

CAPSAICIN actively terminates other botnets’ processes to dominate compromised devices, ensuring it's the sole operator.

💡 Why It Matters:

Even though these vulnerabilities were disclosed and patched long ago, many devices remain unpatched and exposed. The attacks highlight the importance of regular device updates and robust monitoring.

🛡️ What Can You Do?

🔑 Update firmware immediately to patch known vulnerabilities.

🚫 Restrict external access to router management interfaces.

🔍 Monitor network traffic for unusual activity.

🧹 Change default credentials to thwart unauthorized access.

💬 Expert Take:

“Despite patches being available for nearly a decade, these attacks persist globally,” warns Vincent Li from Fortinet FortiGuard Labs. “Keeping devices updated and secure is not optional—it’s essential.”

⚠️ Don’t let your router become a botnet’s new recruit. Protect your network now! 🌐🛡️

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
