Redline Stealer Exploits CVE-2022-1096 in Chromium Browsers to Target Millions of Users

Originally published at: Redline Stealer Exploits CVE-2022-1096 in Chromium Browsers to Target Millions of Users - CloudSEK

Category: Vulnerability Intelligence

Vulnerability Class: Access of Resource Using Incompatible Type

CVE ID: CVE-2022-1096

CVSS:3.0 Score: 9.1

Executive Summary

  • CloudSEK’s Threat Research Team has discovered a breach affecting ~0.5 million users due to an active zero-day vulnerability being exploited in the wild by the RedLine stealer malware.
  • The zero-day affects all Chromium-based browsers, including prominent browsers such as Chrome, Chromium, Microsoft Edge, Opera, Vivaldi, etc. Google released an emergency patch to fix this issue.
  • We have gathered from confidential sources that Redline stealer has stolen the information of millions of users by exploiting this vulnerability.
  • RedLine stealer logs, available on the dark web, contain information belonging to several prominent corporations’ infrastructure.
  • The threats posed by the logs being publicly available can be remediated and nullified by real-time dark web monitoring.

Analysis

RedLine stealer, an infamous information-harvesting malware, steals data of individuals and corporations by exploiting CVE-2022-1096.

CVE-2022-1096

  • The vulnerability is a type confusion bug in V8, the JavaScript and WebAssembly engine used by Chrome; a malicious actor can exploit it to execute arbitrary code on a vulnerable system.
  • The vulnerability has been assigned CVE-2022-1096 with a CVSS v3 score of 9.1.

RedLine Stealer Exploits CVE-2022-1096 to Breach Organizations and Individuals

  • Over the years, RedLine stealer, which is disseminated using various theme-based email or software lures, has employed increasingly sophisticated tactics to infiltrate devices.
  • RedLine steals PII (personally identifiable information) and passwords from devices that store their passwords and sensitive information in browsers that are vulnerable to this CVE.
  • This vulnerability has been exploited to target organizations such as Axis Bank, Jio, Cisco, Samsung, Zoom, etc., as well as individuals.
  • Currently, over 0.5 million records, breached by RedLine by exploiting this vulnerability, are on sale on dark web marketplaces.

Information from the Dark Web

CloudSEK has identified that RedLine stealer logs, available on dark web marketplaces and shops, contain data from prominent corporations’ infrastructure.

[Image: RedLine stealer in stealer logs marketplace offering access]

RedLine Stealer Log Analysis

Analysis of logs collected so far highlights the domains targeted by RedLine stealer before this zero-day exploit was discovered.

Affected Domain | Parent Organization
https://etc.axisbank.co.in/ETC/RetailRoadUserLogin | Axis Bank
https://omni.axisbank.co.in/axisretailbanking/ | Axis Bank
https://prepaidcards.axisbank.co.in/customer/html/UAMLogin.jsp | Axis Bank
https://retail.axisbank.co.in/wps/portal/rBanking/axisebanking/AxisRetailLogin/!ut/p/a1/04_Sj9CPykssy0xPLMnMz0vMAfGjzOKNAzxMjIwNjLwsQp0MDBw9PUOd3HwdDQwMjIEKIoEKDHAARwNC-sP1o_ArMYIqwGNFQW6EQaajoiIAVNL82A!!/dl5/d5/L2dBISEvZ0FBIS9nQSEh/ | Axis Bank
https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer | Axis Bank
https://jiomeetpro.jio.com/activate | Reliance Jio
https://signup.jio.com/ | Reliance Jio
https://trueconnect.jio.com/ | Reliance Jio
https://www.jio.com/Enterprise/Mobility/portal/jioLogin | Reliance Jio
https://www.jio.com/Jio/portal/jioLogin | Reliance Jio
https://www.jio.com/Jio/portal/activation.jspx | Reliance Jio
https://www.jio.com/JioWebApp/index.html | Reliance Jio
https://cll-auth.cisco.com/ | Cisco
https://cloudsso.cisco.com/as/authorization.oauth2 | Cisco
https://cloudsso.cisco.com/idp/prp.wsf | Cisco
https://cloudsso.cisco.com/sp/startSSO.ping | Cisco
https://emsp.cisco.com/ | Cisco
https://homesupport.cisco.com/en-us/register | Cisco
https://id.cisco.com/ | Cisco
https://id.cisco.com/signin/password-reset | Cisco
https://id.cisco.com/signin/register | Cisco
https://identity.cisco.com/ | Cisco
https://identity.cisco.com/api/tenants/global/v1/am/login-actions/authenticate | Cisco
https://identity.cisco.com/api/tenants/global/v1/am/protocol/openid-connect/auth | Cisco
https://identity.cisco.com/ui/tenants/global/v1.0/enrollment-ui | Cisco
https://identity.cisco.com/ui/tenants/global/v1.0/recovery-ui/update-password/ | Cisco
https://jobs.cisco.com/jobs/Register | Cisco
https://res.cisco.com/websafe/pswdValidate.action | Cisco
https://sso.cisco.com/ | Cisco
https://sso.cisco.com/autho/forms/CDClogin.htm | Cisco
https://account.samsung.com/mobile/account/signInOAuth2.do | Samsung
https://account.samsung.com/accounts/v1/546e6f8607485413fbf79bddf07f9e8c/signInGate | Samsung
https://account.samsung.com/accounts/v1/MBR/signInGate | Samsung
https://account.samsung.com/accounts/v1/odchb/changePassword | Samsung
https://account.samsung.com/accounts/tesseract/signInGate | Samsung
https://account.samsung.com/accounts/v1/CSWEB/signIn | Samsung
https://account.samsung.com/accounts/v1/SDAP/signInGate | Samsung
https://us.account.samsung.com/accounts/v1/FMM2/signInGate | Samsung
https://api.zoom.us/activate | Zoom
https://api.zoom.us/oauth2/login | Zoom
https://us02web.zoom.us/rec/share/SuAVLb_89kda9dz9iU781_hTHsbBQrpqRWeDONAltOTkOjO3FbT4uXWWsBZgnWA3.CJUZIpAvWcfmYHqL | Zoom
https://zoom.us/rec/play/h3dVroWtfVoSZMl43YEcTqpzQlFIf2V1BYUA7ndzTabF4q0pcQTuDLJb8MDwXb0GYSVWXD1i-foM0e7e.KMrkn1cwgjROq1rn | Zoom
http://web.vodafone.com.eg/ar/customizeyourgifts | Vodafone
https://auth.myvodafone.com.au/login | Vodafone
https://corp-sts-prod.vodafone.com/adfs/ls/ | Vodafone
https://eshop.vodafone.com.eg/ | Vodafone
https://offers.vodafone.com/ | Vodafone
https://online.vodafone.com.tr/oss/ | Vodafone
https://online.vodafone.com.tr/yanimda/ | Vodafone
https://ro.idp.vodafone.com/iam/oic/authorize | Vodafone
https://tsl.vodafone.com/vipssp/ | Vodafone
https://tsl.vodafone.com/vipssp/login | Vodafone
https://tv.vodafone.com.tr/canli-tv-izle | Vodafone
https://vodafone.com.fj/MyVodafoneLogin | Vodafone
https://web.vodafone.com.eg/ | Vodafone
https://web.vodafone.com.eg/ar/account | Vodafone
https://web.vodafone.com.eg/auth/realms/vf-realm/login-actions/authenticate | Vodafone
https://web.vodafone.com.eg/ar/customizeyourgifts | Vodafone
https://web.vodafone.com.eg/auth/realms/vf-realm/login-actions/reset-credentials | Vodafone
https://web.vodafone.com.eg/auth/realms/vf-realm/login-actions/registration | Vodafone
https://web.vodafone.com.eg/auth/realms/vf-realm/login-actions/reset-credentials | Vodafone
https://web.vodafone.com.eg/auth/realms/vf-realm/protocol/openid-connect/auth | Vodafone
https://web.vodafone.com.eg/en/recharge1 | Vodafone
https://www.myvodafone.com.au/selfservice/registration | Vodafone
https://www.ventajasvodafone.com/custom/pin.action | Vodafone
https://www.vodafone.com.eg/sso/login | Vodafone
https://www.vodafone.com.eg/userAcc/registerUser | Vodafone
https://www.vodafone.com.fj/myvodafone/login.cfm | Vodafone
https://www.vodafone.com.tr/evdeinternet/ | Vodafone
https://auth.myvodafone.com.au/login | Vodafone
http://cepmerkezi.vodafone.com.tr/priceplans/alt-n-2gb-tarifesi | Vodafone
http://www.vodafone.com.tr/Servisler/online-self-servis.php | Vodafone
https://etopup.vodafone.com.tr/ETOPUPGUI/ | Vodafone
https://hesabim.tv.vodafone.com.tr/Members/ResetPassword | Vodafone
https://offers.vodafone.com/es | Vodafone
https://online.vodafone.com.tr/oss/ | Vodafone
https://ro.idp.vodafone.com/ | Vodafone
https://ro.idp.vodafone.com/iam/oic/authorize | Vodafone
https://s2.guvenlidepo.vodafone.com.tr/ | Vodafone
https://tv.vodafone.com.tr/ | Vodafone
https://tv.vodafone.com.tr/detaylar/marsli/CB85926F-F225-4158-B5AE-C75631AF9578 | Vodafone
https://www.vodafone.com.tr/sso2/giris.php | Vodafone
https://www.vodafone.com.tr/telefonlar/login | Vodafone
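The table above is the kind of output a defender produces when triaging stealer logs: each credential record is attributed to a parent organization by its host, duplicates (several appear in the table itself) are collapsed, and only redacted account identifiers are kept for the alert. The script below is an added example, not CloudSEK's tooling. The `URL: … | USER: … | PASS: …` record layout and the sample lines are constructed for the example, and the watch-list maps registrable domains from the page's table to organizations; suffix matching on label boundaries is an assumption about how attribution should work, chosen so that a lookalike host such as `cisco.com.evil.example` is not attributed to Cisco.

```python
"""Attribute stealer-log credential records to organizations on a watch-list.

Added example; not part of the CloudSEK post. Record format and sample
log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Registrable domain -> parent organization (domains taken from the page's table).
WATCHLIST = {
    "axisbank.co.in": "Axis Bank", "axisbank.com": "Axis Bank",
    "jio.com": "Reliance Jio",
    "cisco.com": "Cisco",
    "samsung.com": "Samsung",
    "zoom.us": "Zoom",
    "vodafone.com": "Vodafone", "vodafone.com.eg": "Vodafone",
    "vodafone.com.au": "Vodafone", "myvodafone.com.au": "Vodafone",
    "vodafone.com.tr": "Vodafone", "vodafone.com.fj": "Vodafone",
    "ventajasvodafone.com": "Vodafone",
}

# Constructed record layout (assumption, not the real RedLine file format).
RECORD_RE = re.compile(
    r"^URL:\s*(?P<url>\S+)\s*\|\s*USER:\s*(?P<user>[^|]*?)\s*\|\s*PASS:\s*(?P<pw>.*)$"
)

# Constructed sample log: one duplicate, one lookalike host, one unrelated
# site and one malformed line, to exercise every branch of triage().
SAMPLE_LOG = """\
URL: https://id.cisco.com/ | USER: jdoe@example.com | PASS: hunter2
URL: https://sso.cisco.com/autho/forms/CDClogin.htm | USER: jdoe@example.com | PASS: hunter2
URL: https://id.cisco.com/ | USER: jdoe@example.com | PASS: hunter2
URL: https://retail.axisbank.co.in/wps/portal/rBanking/ | USER: 9100012345 | PASS: p@ss
URL: https://cisco.com.evil.example/login | USER: victim | PASS: x
URL: https://forum.example.net/login | USER: victim | PASS: x
this line is not a credential record
""".splitlines()


def parse_record(line):
    """Return (url, user) for a well-formed record, else None. The password is
    matched so the line validates, but never returned or stored."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return m.group("url"), m.group("user").strip()


def attribute(url):
    """Map a URL to an organization by walking up the host's label chain, so
    'id.cisco.com' matches 'cisco.com' but 'cisco.com.evil.example' does not."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".") if host else []
    for i in range(len(labels)):
        org = WATCHLIST.get(".".join(labels[i:]))
        if org is not None:
            return org
    return None


def redact(user):
    """Keep enough of the identifier to notify the owner, nothing more."""
    if "@" in user:
        local, _, domain = user.partition("@")
        return local[:2] + "***@" + domain
    return user[:2] + "***"


def triage(lines):
    """Summarize records per organization; drop exact duplicates, which are
    common when several stealer logs are merged into one dump."""
    seen = set()
    by_org = defaultdict(lambda: {"records": 0, "hosts": set(), "accounts": set()})
    unattributed = malformed = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            malformed += 1
            continue
        if rec in seen:
            continue
        seen.add(rec)
        url, user = rec
        org = attribute(url)
        if org is None:
            unattributed += 1
            continue
        entry = by_org[org]
        entry["records"] += 1
        entry["hosts"].add(urlsplit(url).hostname.lower())
        entry["accounts"].add(redact(user))
    return {
        "by_org": {org: {"records": e["records"], "hosts": sorted(e["hosts"]),
                         "accounts": sorted(e["accounts"])} for org, e in by_org.items()},
        "unattributed": unattributed,
        "malformed": malformed,
    }


if __name__ == "__main__":
    for org, entry in triage(SAMPLE_LOG)["by_org"].items():
        print(org, entry)
```

Run against a real dump, the per-organization summary (host list and redacted accounts) is what goes into the notification; the raw records, passwords included, stay in the evidence store.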

Impact & Mitigation

Impact

  • Attackers could use this exploit to gain unauthorized access and gain higher privileges to steal sensitive information.
  • This vulnerability could even lead to an RCE (Remote code execution) attack. The published credentials could enable other threat actors to gain access to the organization’s networks.
  • Certain accesses can lead to devastating attacks including but not limited to sophisticated ransomware campaigns.
  • Since password reuse is a common practice, threat actors could leverage the exposed credentials to gain access to other accounts of the users.

Mitigation

  • Reset the compromised user login credentials and implement a strong password policy for all user accounts.
  • Check for possible workarounds and patches while keeping the ports open.
  • Use MFA (multi-factor authentication) across logins.
  • Patch all vulnerable and exploitable endpoints.
  • Monitor for anomalies, in user accounts and systems, that could be indicators of possible takeovers.
  • Frequent monitoring of Dark Web and marketplaces can alert about any sensitive credentials being sold.
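"Patch all vulnerable and exploitable endpoints" in practice means comparing every Chromium-based browser build in the fleet against the build that carries the fix, and each vendor (Google, Microsoft, Opera, Vivaldi) ships that fix under its own version number. The script below is an added example, not from the post. The post gives no build numbers, so every fixed version and the sample inventory are placeholders to be replaced with the vendors' advisory values. It also shows why the comparison has to be numeric: compared as strings, "100.0.1234.5" sorts below "99.0.0.0" and a fully patched Chrome 100 would be reported as vulnerable.

```python
"""Audit browser builds against the build that contains the fix.

Added example; not part of the CloudSEK post. All version numbers below are
PLACEHOLDERS: substitute the fixed builds from each vendor's advisory.
"""

# Placeholder fixed builds per product (assumption; the post gives none).
FIXED_BUILDS = {
    "Google Chrome": "99.0.0.0",
    "Microsoft Edge": "99.0.0.0",
    "Opera": "99.0.0.0",
    "Vivaldi": "5.1.2567.0",
}

# Constructed inventory, as an asset-management export might provide it.
INVENTORY = {
    "Google Chrome": "100.0.1234.5",   # newer major version: patched
    "Microsoft Edge": "98.0.1108.0",   # below the fixed build: vulnerable
    "Opera": "99.0.0.0",               # exactly the fixed build: patched
    "Vivaldi": "5.1.2567",             # shorter string, same build: patched
    "Brave": "1.36.0",                 # no fixed build on file: flag it
}


def parse_version(s):
    """Split a dotted version into a tuple of ints; reject anything else."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, fixed):
    """Numeric, right-padded comparison so '99.0' equals '99.0.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


def is_patched_naive(installed, fixed):
    """The pitfall: lexical comparison, shown only to contrast with is_patched."""
    return installed >= fixed


def audit(inventory, fixed_builds):
    """Return (product, installed, reason) for every build needing action."""
    findings = []
    for product, installed in sorted(inventory.items()):
        fixed = fixed_builds.get(product)
        if fixed is None:
            findings.append((product, installed, "no fixed build on file, treat as vulnerable"))
        elif not is_patched(installed, fixed):
            findings.append((product, installed, f"below fixed build {fixed}"))
    return findings


if __name__ == "__main__":
    for product, installed, reason in audit(INVENTORY, FIXED_BUILDS):
        print(f"{product}: {installed} -> {reason}")
```

Browsers with no fixed build on file are reported rather than silently skipped, since an unknown product is the usual way an unpatched Chromium fork stays in a fleet.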
