
Stop Wasting Clicks: Supercharge Your Browser With This New Chrome Extension

17 December 2025 at 03:18

Why This Extension Exists

Most of us repeat the same actions every single day in the browser: opening the same sites, saving posts, copying links, and jumping between tools. This extension was built to remove those boring steps so you can stay focused on the actual work instead of the browser gymnastics.​

By turning your “everyday flow” into one‑click actions, the extension saves time on every session and makes browsing feel much smoother.

What the Extension Helps You Do

Chrome extensions are small apps that live inside your browser and can add extra buttons, menus, or automations to the pages you already use. This one attaches to your toolbar and works directly on the current tab, so you do not need to switch apps or copy‑paste between windows.​

Describe here in your own words, with bullet points, what your extension does, for example:

  • Save or “post” the current page to your favorite place (database, Notion, social, etc.) in one click
  • Capture important data from the page (title, URL, selected text) automatically
  • Organize the pages you visit into collections or categories

How to Install It in Seconds

Installing from the Chrome Web Store is the safest and easiest way to get new extensions. The store is Google’s official marketplace, and Chrome shows you exactly which permissions every extension needs before you confirm.​

To install:

  1. Open the extension page: https://chromewebstore.google.com/detail/ogchdkjjhoelgehjnpgdlfchbkdcfloo.
  2. Click Add to Chrome on the top right.
  3. In the popup, review the permissions, then click Add extension to confirm.

After that, the icon will appear near your address bar; pin it so it is always visible from the puzzle icon menu.

Using It in Your Daily Workflow

Once installed, clicking the icon activates the extension on the page you are currently viewing. Depending on your features, you can trigger actions like saving the page, posting content somewhere, or processing the current tab with a single click.​

To make the post more attractive, add:

  • A short real example: “I used to copy links to X every day. Now it’s a single click.”
  • One or two screenshots with captions showing the popup or result. Screenshots make technical tutorials much easier to follow.​

You Stay in Control

Chrome gives you full control over every extension you install through the extensions page. At any time, you can open chrome://extensions/ to disable, limit, or remove the extension completely.​

From that page you can also adjust whether it runs on all sites or only when you click it, letting you tune the balance between convenience and privacy.​

Call to Action

If you are tired of repeating the same browser actions over and over, try installing the extension and using it for a week to see how much time you save. Add your honest feedback as a review on the Chrome Web Store so the next update can be even better.


Stop Wasting Clicks: Supercharge Your Browser With This New Chrome Extension was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Test Like a Pro: How Window Resizer Makes Responsive Design Effortless

17 December 2025 at 03:18

The Problem Every Web Developer Faces

If you build websites, you know the drill: manually dragging your browser window smaller, then bigger, then smaller again, trying to see how your design looks on a phone, tablet, and desktop. It’s tedious, imprecise, and wastes time you could spend actually coding or designing.​

Window Resizer solves this by letting you resize your browser to exact dimensions with one click, making responsive design testing instant and accurate.​

What Window Resizer Does

Window Resizer is a Chrome extension built specifically for web designers and developers who need to test their layouts across different screen resolutions. Instead of manually resizing your browser and guessing dimensions, the extension provides preset resolution options and custom size controls directly from your toolbar.​

Key features include:

  • Resize browser windows to emulate phones, tablets, laptops, and desktop screens
  • Fully customizable resolution list where you can add, delete, or reorder presets
  • Set exact width, height, and window position values
  • Apply dimensions to the entire window or just the viewport area
  • Support for multiple window control to test different layouts simultaneously

Why This Matters for Your Workflow

Testing responsive design manually is error-prone because you never know the exact pixel dimensions when you drag a window. Window Resizer gives you precision, letting you test at common breakpoints like 320px, 768px, 1024px, and 1920px instantly.​

This is especially valuable when you’re debugging CSS media queries or checking how your layout adapts to different viewport sizes, because you can switch between resolutions in seconds and immediately see the changes.​

How to Install Window Resizer

Getting the extension installed takes less than a minute through the official Chrome Web Store.​

Steps to install:

  1. Visit the extension page: https://chromewebstore.google.com/detail/clpflmgfapbjmlbajbkgadjjlbgaidgb
  2. Click Add to Chrome in the top-right corner
  3. Confirm the installation by clicking Add extension in the popup
  4. The Window Resizer icon will appear in your toolbar, ready to use

After installation, you can immediately start resizing your current browser window by clicking the icon and selecting from the preset options.​​

Using It for Real Development Work

Once installed, open any website you’re working on and click the Window Resizer icon in your toolbar. A popup appears with preset layouts showing different screen sizes, and clicking any option instantly resizes your browser to those exact dimensions.​

You can also customize your own presets by going to the settings and adding specific dimensions you test frequently, such as your site’s custom breakpoints. The extension remembers these settings, so your workflow becomes faster every time you use it.​​

For designers working on documentation or taking screenshots, Window Resizer ensures every capture has consistent dimensions, making your visuals look more professional.​

Privacy and Performance

Window Resizer is open-source software that does not collect any user information, ensuring your browsing and development work remains private. The extension only activates when you click it, meaning it doesn’t consume resources or slow down your browser when idle.​

Get Started Today

If you design or develop websites and you’re still manually resizing browser windows, install Window Resizer and experience how much faster testing becomes when you have pixel-perfect control. Try it on your current project and add your most-used screen sizes to the preset list for instant access.

Download link: https://chromewebstore.google.com/detail/clpflmgfapbjmlbajbkgadjjlbgaidgb


Test Like a Pro: How Window Resizer Makes Responsive Design Effortless was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.


Network Forensics: Analyzing a Server Compromise (CVE-2022-25237)

24 October 2025 at 10:34

Welcome back, aspiring forensic and incident response investigators.

Today we are going to learn more about a branch of digital forensics that focuses on networks, which is Network Forensics. This field often contains a wealth of valuable evidence. Even though skilled attackers may evade endpoint controls, active network captures are harder to hide. Many of the attacker’s actions generate traffic that is recorded. Intrusion detection and prevention systems (IDS/IPS) can also surface malicious activity quickly, although not every organization deploys them. In this exercise you will see what can be extracted from IDS/IPS logs and a packet capture during a network forensic analysis.

The incident we will investigate today involved a credential-stuffing attempt followed by exploitation of CVE-2022-25237. The attacker abused an API to run commands and establish persistence. Below are the details and later a timeline of the attack.

Intro

Our subject is a fast-growing startup that uses a business management platform. Documentation for that platform is limited, and the startup administrators have not followed strong security practices. For this exercise we act as the security team. Our objective is to confirm the compromise using network packet captures (PCAP) and exported security logs.

We obtained an archive containing the artifacts needed for the investigation. It includes a .pcap network traffic file and a .json file with security events. Wireshark will be our primary analysis tool.

network artifacts for the analysis

Analysis

Defining Key IP Addresses

The company suspects its management platform was breached. To identify which platform and which hosts are involved, we start with the pcap file. In Wireshark, view the TCP endpoints from the Statistics menu and sort by packet count to see which IP addresses dominate the capture.

endpoints in wireshark with higher reception

This quickly highlights the IP address 172.31.6.44 as a major recipient of traffic. The traffic to that host uses ports 37022, 8080, 61254, 61255, and 22. Common service associations for these ports are: 8080 for HTTP, 22 for SSH, and 37022 as an arbitrary TCP data port that the environment is using.

When you identify heavy talkers in a capture, export their connection lists and timestamps immediately. That gives you a focused subset to work from and preserves the context of later findings.

Analyzing HTTP Traffic

The port usage suggests the management platform is web-based. Filter HTTP traffic in Wireshark with http.request to inspect client requests. The first notable entry is a GET request whose URL and headers match Bonitasoft’s platform, showing the company uses Bonitasoft for business management.

http traffic that look like brute force

Below that GET request you can see a series of authentication attempts (POST requests) originating from 156.146.62.213. The login attempts include usernames that reveal the attacker has done corporate OSINT and enumerated staff names.

The credentials used for the attack are not generic wordlist guesses. Instead, the attacker tries a focused set of credentials. That behavior is consistent with credential stuffing: the attacker uses previously leaked username/password pairs (often from other breaches) and tries them against this service, typically automated and sometimes distributed via a botnet to blend with normal traffic.

credential stuffing spotted

A credential-stuffing event alone does not prove a successful compromise. The next step is to check whether any of the login attempts produced a successful authentication. Before doing that, we review the IDS/IPS alerts.

Finding the CVE

To inspect the JSON alert file in a shell environment, format it with jq and then see what’s inside. Here is how you can make the json output easier to read:

bash$ > cat alerts.json | jq .

reading alert log file

The full output is too large to read through, so we narrow it down to indicators such as CVE identifiers:

bash$ > cat alerts.json | jq . | grep -i cve

grepping cves in the alert log file

Security tools often map detected signatures to known CVE identifiers. In our case, alert data and correlation with the observed HTTP requests point to repeated attempts to exploit CVE-2022-25237, a vulnerability affecting Bonita Web 2021.2. The exploit abuses insufficient validation in the RestAPIAuthorizationFilter (or related i18n translation logic). By appending crafted data to a URL, an attacker can reach privileged API endpoints, potentially enabling remote code execution or privilege escalation.

cve 2022-25237 information
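
A structured alternative to grepping the alert file, as an added example that is not part of the original article: it walks every string in each alert record, normalises CVE identifiers written with either hyphens or underscores, and counts how many records mention each one. The record layout and field names are constructed assumptions, and CVE-0000-0000 is a placeholder.

```python
import json
import re
from collections import Counter

CVE_RE = re.compile(r"CVE[-_](\d{4})[-_](\d{4,})", re.IGNORECASE)

# Constructed records. Field names are assumptions, so the search walks every
# string value instead of relying on a schema. CVE-0000-0000 is a placeholder.
SAMPLE = "\n".join([
    '{"src": "203.0.113.7", "alert": {"msg": "constructed sig (CVE-2022-25237)"}}',
    '{"src": "203.0.113.7", "alert": {"msg": "constructed sig 2", "meta": {"cve": ["CVE_2022_25237"]}}}',
    '{"src": "198.51.100.9", "alert": {"msg": "constructed scan sig"}}',
    '{"src": "198.51.100.9", "alert": {"msg": "cve-0000-0000 and CVE-2022-25237"}}',
])

def load_records(text):
    """Accept either one JSON document (object or array) or JSON lines."""
    try:
        doc = json.loads(text)
        return doc if isinstance(doc, list) else [doc]
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]

def strings_in(node):
    """Yield every string key and value nested anywhere inside a record."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from strings_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from strings_in(item)

def cves_in(record):
    """Normalised set of CVE ids mentioned anywhere in one record."""
    return {f"CVE-{y}-{n}" for s in strings_in(record) for y, n in CVE_RE.findall(s)}

def tally_cves(text):
    """Count records per CVE id; a record counts once per id it mentions."""
    counts = Counter()
    for record in load_records(text):
        counts.update(cves_in(record))
    return counts

if __name__ == "__main__":
    for cve, n in tally_cves(SAMPLE).most_common():
        print(cve, n)
```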

Now we verify whether exploitation actually succeeded.

Exploitation

To find successful authentications, filter responses with:

http.response.code >= 200 and http.response.code < 300 and ip.addr == 172.31.6.44

filtering http responses with successful authentication

Among the successful responses, HTTP 204 entries stand out because they are less common than HTTP 200. If we follow the HTTP stream for a 204 response, the request stream shows valid credentials followed immediately by a 204 response and cookie assignment. That means the attacker successfully logged in. This is the point where the attacker moves from probing to interacting with privileged endpoints.

finding a successful authentication
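
The triage logic from the last two sections, as an added example that is not part of the original article: it labels each source IP by the shape of its login attempts and lists the accounts that received a 2xx login response from a flagged source. The rows, the 401 failure status and the thresholds are constructed assumptions; only the 204-on-success behaviour comes from the capture discussed above.

```python
from collections import defaultdict

# Constructed sample of login POSTs as (src_ip, username, password, status).
# In practice these rows would be exported from the HTTP streams in the pcap.
ATTEMPTS = [
    ("203.0.113.7", "a.lee", "Summer2021!", 401),
    ("203.0.113.7", "b.khan", "qwerty77", 401),
    ("203.0.113.7", "c.ortiz", "dragon#9", 401),
    ("203.0.113.7", "d.novak", "letmein42", 204),
    ("203.0.113.7", "d.novak", "letmein42", 204),
    ("198.51.100.9", "admin", "123456", 401),
    ("198.51.100.9", "admin", "password", 401),
    ("198.51.100.9", "admin", "admin123", 401),
    ("198.51.100.9", "admin", "welcome1", 401),
    ("192.0.2.50", "e.stone", "correct-horse", 204),
]

def classify_sources(attempts, min_pairs=3, max_pairs_per_user=1.5):
    """Label each source IP by the shape of its login attempts."""
    pairs = defaultdict(set)  # src -> distinct (username, password) pairs
    for src, user, password, _status in attempts:
        pairs[src].add((user, password))
    verdicts = {}
    for src, seen in pairs.items():
        users = {user for user, _ in seen}
        if len(seen) < min_pairs:
            verdicts[src] = "normal"
        elif len(seen) / len(users) <= max_pairs_per_user:
            # Many accounts, about one password each: replayed leaked pairs.
            verdicts[src] = "credential-stuffing"
        else:
            # Few accounts, many passwords each: password guessing.
            verdicts[src] = "brute-force"
    return verdicts

def compromised_accounts(attempts, verdicts):
    """Accounts that got a 2xx login response from a flagged source."""
    hits = set()
    for src, user, _password, status in attempts:
        if verdicts.get(src, "normal") != "normal" and 200 <= status < 300:
            hits.add((src, user))
    return sorted(hits)

if __name__ == "__main__":
    verdicts = classify_sources(ATTEMPTS)
    print(verdicts)
    print(compromised_accounts(ATTEMPTS, verdicts))
```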

After authenticating, the attacker targets the API to exploit the vulnerability. In the traffic we can see an upload of rce_api_extension.zip, which enables remote code execution. Later this zip file will be deleted to remove unnecessary traces.

finding the api abuse after the authentication
attacker uploaded a zip file to abuse the api

Following the upload, we can observe commands executed on the server. The attacker reads /etc/passwd and runs whoami. In the output we see access to sensitive system information.

reading the passwd file
the attacker assessing his privileges

During a forensic investigation you should extract the uploaded files from the capture or request the original file from the source system (if available). Analyzing the uploaded code is essential to understand the artifact of compromise and to find indicators of lateral movement or backdoors.

Persistence

After initial control, attackers typically establish persistence. In this incident, all attacker activity is over HTTP, so we follow subsequent HTTP requests to find persistence mechanisms.

the attacker establishes persistence with pastes.io

The attacker downloads a script hosted on a paste service (pastes.io), named bx6gcr0et8, which then retrieves another snippet hffgra4unv, appending its output to /home/ubuntu/.ssh/authorized_keys when executed. The attacker restarts SSH to apply the new key.

reading the bash script used to establish persistence

A few lines below we can see that the first script was executed via bash, completing the persistence setup.

the persistence script is executed

Appending keys to authorized_keys allows SSH access for the attacker’s key pair and doesn’t require a password. It’s a stealthy persistence technique that avoids adding new files that antivirus might flag. In this case the attacker relied on built-in Linux mechanisms rather than installing malware.

When you find modifications to authorized_keys, pull the exact key material from the capture and compare it with known attacker keys or with subsequent SSH connection fingerprints. That helps attribute later logins to this initial persistence action.

MITRE SSH Authorized Keys information
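
One way to do the key comparison recommended above, as an added example that is not part of the original article: it parses authorized_keys lines, skips malformed entries, and computes the SHA256 fingerprint in the form that ssh-keygen -l and sshd login records print, so appended key material can be matched against later SSH logins. The key blob, comments and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed ed25519 public key blob (32 fixed bytes, not a real key).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample file\n"
    'command="/bin/true",no-pty ssh-ed25519 '
    + base64.b64encode(SAMPLE_BLOB).decode() + " sample@example\n"
    "ssh-rsa not*base64 broken@example\n"
)

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint: unpadded base64 of the SHA-256 of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) for each well-formed key line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Skip an optional leading options field by locating the key type.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # corrupted or truncated key material
        # The blob carries its own length-prefixed type; it must match the line.
        (n,) = struct.unpack(">I", blob[:4]) if len(blob) >= 4 else (0,)
        if blob[4:4 + n].decode("ascii", "replace") != fields[idx]:
            continue
        yield fields[idx], fingerprint(blob), " ".join(fields[idx + 2:])

def match_known(text: str, known_fingerprints: set):
    """Return parsed keys whose fingerprint appears in the known set."""
    return [k for k in parse_authorized_keys(text) if k[1] in known_fingerprints]

if __name__ == "__main__":
    for key in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(*key)
```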

Post-Exploitation

Further examination of the pcap shows the server reaching out to Ubuntu repositories to download a .deb package that contains Nmap. 

attacker downloads a deb file with nmap

Shortly after SSH access is obtained, we see traffic from a second IP address, 95.181.232.30, connecting over port 22. Correlating timestamps shows the command to download the .deb package was issued from that SSH session. Once Nmap is present, the attacker performs a port scan of 34.207.150.13.

attacker performs nmap scan

This sequence, adding an SSH key and then using SSH to install reconnaissance tools and scan other hosts, fits a common post-exploitation pattern. Hackers establish persistent access, stage tools, and then enumerate the network for lateral movement opportunities.

During forensic investigations, save the sequence of timestamps that link file downloads, package installation, and scanning activity. Those correlations are important for incident timelines and for identifying which sessions performed which actions.

Timeline

At the start, the attacker attempted credential stuffing against the management server. Successful login occurred with the credentials seb.broom / g0vernm3nt. After authentication, the attacker exploited CVE-2022-25237 in Bonita Web 2021.2 to reach privileged API endpoints and uploaded rce_api_extension.zip. They then executed commands such as whoami and cat /etc/passwd to confirm privileges and enumerate users.

The attacker removed rce_api_extension.zip from the web server to reduce obvious traces. Using pastes.io from IP 138.199.59.221, the attacker executed a bash script that appended data to /home/ubuntu/.ssh/authorized_keys, enabling SSH persistence (MITRE ATT&CK: SSH Authorized Keys, T1098.004). Shortly after persistence was established, an SSH connection from 95.181.232.30 issued commands to download a .deb package containing Nmap. The attacker used Nmap to scan 34.207.150.13 and then terminated the SSH session.

Conclusion

During our network forensics exercise we saw how packet captures and IDS/IPS logs can reveal the flow of a compromise, from credential stuffing, through exploitation of a web-application vulnerability, to command execution and persistence via SSH keys. We practiced using Wireshark to trace HTTP streams, observed credential stuffing in action, and followed the attacker’s persistence mechanism.

Although our class focused on analysis, in real incidents you should always preserve originals and record every artifact with exact timestamps. Create cryptographic hashes of artifacts, maintain a chain of custody, and work only on copies. These steps protect the integrity of evidence and are essential if the incident leads to legal action.

For those of you interested in deepening your digital forensics skills, we will be running a practical SCADA forensics course soon, in November. This intensive, hands-on course teaches forensic techniques specific to Industrial Control Systems and SCADA environments, showing you how to collect and preserve evidence from PLCs, RTUs, HMIs and engineering workstations, reconstruct attack chains, and identify indicators of compromise in OT networks. It focuses on real-world labs and breach simulations. Practical OT/SCADA skills are rare and highly valued, so completing a course like this is definitely going to make your CV stand out.

We also offer digital forensics services for organizations and individuals. Contact us to discuss your case and which services suit your needs.

Learn more: https://hackersarise.thinkific.com/courses/scada-forensics

The post Network Forensics: Analyzing a Server Compromise (CVE-2022-25237) first appeared on Hackers Arise.
