https://www.darkreading.com/threat-intelligence/watch-out-attackers-hiding-malware-browser-updates
Submission: On October 18 via api from TR — Scanned from DE
Threat Intelligence
3 MIN READ
News

WATCH OUT: ATTACKERS ARE HIDING MALWARE IN 'BROWSER UPDATES'

Updating your browser when prompted is a good practice; just make sure the notification comes from the vendor itself.

Nate Nelson, Contributing Writer, Dark Reading
October 17, 2023
Source: Tada Images via Shutterstock

Threat actors are using cybersecurity best practices against you, hiding malware inside fake browser updates. They do so by seeding legitimate but vulnerable websites with malicious JavaScript. When the page loads, the code presents users with convincing browser update notifications that mask dangerous payloads.

According to an Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.

"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, "other threat actors have absolutely piggybacked on it."

MALICIOUS CODE, HIDDEN IN HONEST WEBSITES

Though they may vary in the particulars, each of the four threat clusters tracked by Proofpoint follows largely the same script. First, the actors take advantage of a legitimate but vulnerable website, injecting their own malicious JavaScript code.

"It's generally very opportunistic. We have seen it across basically every industry: media, local sports associations — like kids' soccer groups — software companies, in some cases," Blackford says.

It might be an unpatched vulnerability or a WordPress misconfiguration that provides the opening, "but it doesn't always have to be the website itself. It can be any assets that are imported into the website — any type of styling template, media player, or pretty much any third-party code," he says.

When an end user loads the website, the attackers' script runs alongside the rest of the site's assets. Its job is to redirect traffic to an attacker-controlled domain.

THE FAKE BROWSER UPDATE LURE

From here, Blackford explains, "the Web inject is going to take some information about your system — you're coming from this geographic location, you're using this browser version. It can determine whether you're in some type of virtual environment or not. And if you pass all of the criteria, then it's going to reach out to that backend server and pull in the fake Update page."

The update lures are designed to look like they come from the browser's developers, with a clean look and relevant iconography. The following screenshots, courtesy of security researcher Jerome Segura, capture fake updates from TA569 and another cluster, "FakeSG," also known as "RogueRaticate."

[Screenshots: fake browser update lures from TA569 and FakeSG/RogueRaticate, courtesy of Jerome Segura; images not included in this extraction.]

If a user falls for the trap and clicks "Update," they download malware to their computer. If the attacker is TA569, for example, the user downloads its signature "SocGholish" initial-access malware. In the past, SocGholish has been used as a primer for ransomware, including WastedLocker, LockBit, Dridex, Hive, and more.

HOW TO AVOID FAKE BROWSER UPDATES

Employees and otherwise educated civilians are taught to avoid links and attachments in unrecognized emails or text messages. They might know to avoid a seedy-looking link, but what about a notification that appears to come from their browser?

To tell a real update from a fake one, Blackford urges users to pay attention to how their trusted websites and browsers typically behave, and to notice when something happens that doesn't fit the usual pattern.

"Nine times out of 10, I'll go to my kid's soccer league website and see: okay, we've got a match against some other school on Wednesday, and nothing happens. And then one time, all of a sudden, I'm redirected to a page that says I'm using an old version of Chrome, click this button to update. That difference in pattern should be the trigger," he says, while admitting that "it's not easy to spot. But that's also why bad guys continue to make money hand over fist."

In the end, users shouldn't be scared out of maintaining their cybersecurity hygiene. "Updating your browser is a good security practice," Blackford maintains, "and I strongly suggest that people do it."
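The same "difference in pattern" heuristic applies on the site-owner side: the injected loader described above shows up as a script source the page never used to have. The following is an added example, not code from Proofpoint or Dark Reading, of a small integrity check that records which hosts a page loads scripts from plus the hashes of its inline scripts, and then flags any deviation on a later crawl. The HTML snapshots and hostnames (`cdn.example-league.test`, `update-check.example.test`) are constructed for the demo; in practice the baseline would be taken from a known-clean deployment and the check run against the live page.

```python
"""Added example (not Proofpoint's or Dark Reading's code): baseline the
script sources of a page you administer and flag new external hosts or
new inline scripts, the footprint a JavaScript inject leaves behind.
Page contents and hostnames are constructed for the demo."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external <script src> hosts and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.hosts = set()      # netloc of every external script
        self.inline = []        # body text of every inline script
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative URLs are same-origin; record them under one label.
            host = urlparse(src).netloc.lower()
            self.hosts.add(host or "(relative)")
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def script_profile(html):
    """Return (set of external script hosts, set of inline script hashes)."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    hashes = {hashlib.sha256(b.encode()).hexdigest() for b in p.inline}
    return p.hosts, hashes


def check_against_baseline(html, baseline_hosts, baseline_hashes):
    """Report script hosts and inline scripts not present in the baseline."""
    hosts, hashes = script_profile(html)
    return {"new_hosts": sorted(hosts - baseline_hosts),
            "new_inline_scripts": sorted(hashes - baseline_hashes)}


# Constructed known-clean snapshot of a small club website.
BASELINE_HTML = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example-league.test/player.js"></script>
<script>window.siteReady = true;</script>
</head><body>Match schedule: Wednesday vs. the other school</body></html>"""

# Constructed later crawl: same page plus one extra external loader and
# one extra inline script that were not in the baseline.
SUSPECT_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//update-check.example.test/loader.js"></script>\n'
    '<script>console.log("constructed: inline script not in baseline");</script>\n'
    "</head>")


def demo():
    """Baseline the clean snapshot, then check the suspect crawl against it."""
    hosts, hashes = script_profile(BASELINE_HTML)
    return check_against_baseline(SUSPECT_HTML, hosts, hashes)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The check deliberately ignores the text of inline scripts and compares hashes only, so a legitimate edit to a first-party script shows up as one new hash to re-baseline, while an injected loader shows up as a new host. A protocol-relative source such as `//update-check.example.test/loader.js` still resolves to a hostname, which is why `urlparse` is used rather than a prefix check.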