New Firefox privacy feature strips URLs of tracking parameters

Numerous companies, including Facebook, Marketo, Olytics, and HubSpot, utilize custom URL query parameters to track clicks on links.

For example, Facebook appends a fbclid query parameter to outbound links to track clicks, with an example of one of these URLs shown below.

https://www.example.com/?fbclid=IwAR4HesRZLT-fxhhh3nZ7WKsOpaiFzsg4nH0K4WLRHw1h467GdRjaLilWbLs

With the release of Firefox 102, Mozilla has added the new ‘Query Parameter Stripping’ feature that automatically strips various query parameters used for tracking from URLs when you open them, whether that be by clicking on a link or simply pasting the URL into the address bar.

Once enabled, Mozilla Firefox will now strip the following tracking parameters from URLs when you click on links or paste a URL into the address bar:

  • Olytics: oly_enc_id=, oly_anon_id=
  • Drip: __s=
  • Vero: vero_id=
  • HubSpot: _hsenc=
  • Marketo: mkt_tok=
  • Facebook: fbclid=, mc_eid=
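
The stripping behaviour described above can be reproduced outside the browser, for example to sanitise links before logging or sharing them. The following is an added example, not Firefox's code and not taken from the article; the function name is hypothetical, and exact, case-sensitive matching on http/https URLs only is an assumption.

```javascript
// Added example: parameter names are the ones listed in the article.
// Exact, case-sensitive name matching is an assumption of this sketch.
const TRACKING_PARAMS = new Set([
  "oly_enc_id", "oly_anon_id", // Olytics
  "__s",                       // Drip
  "vero_id",                   // Vero
  "_hsenc",                    // HubSpot
  "mkt_tok",                   // Marketo
  "fbclid", "mc_eid",          // Facebook (as grouped in the article)
]);

// Hypothetical helper: returns the cleaned URL and the names that were removed.
function stripTrackingParams(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { url: input, removed: [] }; // not an absolute URL: leave untouched
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { url: input, removed: [] }; // only web navigations are in scope
  }
  const removed = [];
  // Copy the keys first: deleting while iterating searchParams skips entries.
  for (const key of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(key) && !removed.includes(key)) removed.push(key);
  }
  // Return the original string when nothing matched, so the query is not
  // re-serialised (which could change its percent-encoding).
  if (removed.length === 0) return { url: input, removed };
  // delete() drops every occurrence of the name, including repeats.
  for (const key of removed) url.searchParams.delete(key);
  return { url: url.toString(), removed };
}

// Constructed sample inputs
console.log(stripTrackingParams(
  "https://www.example.com/?fbclid=IwAR4HesRZLT-fxhhh3nZ7WKsOpaiFzsg4nH0K4WLRHw1h467GdRjaLilWbLs"));
console.log(stripTrackingParams(
  "https://shop.example/item?id=42&mkt_tok=abc&_hsenc=def&ref=home#reviews"));
```

Parameters that merely contain a listed name (such as my_fbclid) are kept, and the fragment and all other query parameters pass through unchanged.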

[…]

To enable Query Parameter Stripping, go into the Firefox Settings, click on Privacy & Security, and then change ‘Enhanced Tracking Protection’ to ‘Strict.’

Mozilla Firefox’s Enhanced Tracking Protection set to Strict
Source: BleepingComputer

However, these tracking parameters will not be stripped in Private Mode even with Strict mode enabled.

To also enable the feature in Private Mode, enter about:config in the address bar, search for strip, and set the ‘privacy.query_stripping.enabled.pbmode’ option to true, as shown below.

Enable privacy.query_stripping.enabled.pbmode setting
Source: BleepingComputer

It should be noted that setting Enhanced Tracking Protection to Strict could cause issues when using particular sites.

If you enable this feature and find that sites are not working correctly, just set it back to Standard (disables this feature) or the Custom setting, which will require some tweaking.

Source: New Firefox privacy feature strips URLs of tracking parameters

A wide range of routers are under attack by new, unusually sophisticated malware

[…] researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, infecting routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

[…]

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai Internet of Things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

[…]

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker’s infrastructure.

This graphic illustrates the steps involved.

The threat actors also disguised the landing page of a control server to look like this:

Black Lotus Labs

The researchers wrote:

Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.

 

The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018.

[…]

Source: A wide range of routers are under attack by new, unusually sophisticated malware | Ars Technica