The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

After months of meticulous planning, investigators finally move in to catch AlphaBay’s mastermind red-handed. Then the case takes a tragic turn.

The Hunt for the Dark Web’s Biggest Kingpin, Part 5: Takedown

A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.

Corellium, a cybersecurity startup that sells phone-virtualization software for catching security bugs, offered or sold its tools to controversial government spyware and hacking-tool makers in Israel, the United Arab Emirates, and Russia, and to a cybersecurity firm with potential ties to the Chinese government, according to a leaked document reviewed by WIRED that contains internal company communications.

The 507-page document, apparently prepared by Apple with the goal of using it in the company’s 2019 copyright lawsuit against Corellium, shows that the security firm, whose software lets users perform security analysis using virtual versions of Apple’s iOS and Google’s Android, has dealt with companies that have a track record of selling their tools to repressive regimes and countries with poor human rights records.

According to the leaked document, Corellium in 2019 offered a trial of its product to NSO Group, whose customers have for years been caught using its Pegasus spyware against dissidents, journalists, and human rights defenders. Similarly, Corellium’s sales staff offered to provide a quote to purchase its software to DarkMatter, a now-shuttered cybersecurity company with ties with the UAE government that hired several former US intelligence members who reportedly helped it spy on human rights activists and journalists. 

In correspondence with WIRED, Corellium says NSO Group and Dark Matter had access to “a limited time/limited functionality trial version of Corellium's software” and that both were later denied requests to purchase the full version following its vetting process. 

For years Corellium has painted itself as a crucial defender against software bugs on Android and iOS. But the leaked document shows that Corellium worked with several companies that use bugs and exploits to hack into cell phones, as opposed to helping Google and Apple patch vulnerabilities.

The document includes emails between Corellium staff and customers or potential customers, including NSO Group and DarkMatter. The document is not public and is being reported on for the first time here. 

“As one of our early beta requesters, we’re delighted to extend you and your team at NSO Group an exclusive invitation to try Corellium, the world’s first and only mobile device virtualization platform. We think you’ll really enjoy the advanced mobile security research tools we have to offer,” reads a March 26, 2019, email between Correllium’s support staff and an NSO Group employee. “Your free trial will last until April 9. Trial accounts are limited, but if you need more time, or if you prefer to start your trial at a different time, just let us know.”

In the case of DarkMatter, the document includes an email exchange between a company employee and a Corellium sales email address. The emails are not dated, but they apparently reference a 2019 training on how to use the platform that Corellium offered potential customers at the cybersecurity conference Black Hat.

“I was a trainer at Blackhat last year where you guys had provided us access to the portal for a few days and I was very impressed with the amount of features it had,” the DarkMatter employee wrote. “We are interested in purchasing it. Can you guys provide us a quote for all the available options that you have?”

“We’re so glad to hear that you enjoyed using Corellium at Blackhat, and we actually have DarkMatter on our list of teams to reach out to regarding availability,” an unnamed Corellium employee responded. “We’d be more than happy to provide you a quote with all the options checked.”

Also in 2019, according to the document, Corellium sold its software to Paragon, a little-known company that has since been reported to be a provider of government surveillance technology. Corellium also licensed its software to a company called Pwnzen Infotech, whose founders were part of Pangu Team, a well-known Chinese group of elite iOS and iPhone hackers. A Pwnzen sales representative told Reuters in 2019, when Pwnzen was already a Corellium customer, that the company helped hack the phone of a person suspected of “subverting the government” in China. 

“There are a number of ties between Pwnzen and the People’s Republic of China’s government that are cause for concern,” says Dakota Cary, a consultant at Krebs Stamos Group who has written several reports about cybersecurity in China. “Bolstering Pwnzen’s hacking capabilities likely occurred at the detriment to US security interests,” he added, explaining that the company’s improved capabilities could have provided the Chinese government with better tools to hack targets inside and outside of the country, including the US.

Also, as of today, Corellium counts Russian iPhone hacking company Elcomsoft as a customer. And in 2019, Corellium sold to Elcomsoft’s Israeli competitor Cellebrite, a firm that helps law enforcement unlock iPhones and access the data stored within. Cellebrite has reportedly sold its phone-hacking products to countries such as China, Saudi Arabia, and Bahrain, among others. 

Corellium did not dispute the legitimacy of the document, but it also did not respond to a series of questions about its contents. Instead, Corellium CEO Amanda Gorton shared a draft of a blog post in which the company says it offered trials to NSO Group and DarkMatter but denied that the two companies became customers. 

“We’ve had opportunities to profit from these bad actors and have chosen not to,” the blog post reads. It further explains that Corellium restricts sales of its cloud product to “fewer than sixty countries” and has a “block list” of organizations.

Corellium didn’t specify the 60 countries, nor did it answer specific questions about Paragon, Pwnzen, Cellebrite, or Elcomsoft. The company wrote in the blog post that as the sales process goes on, the vetting gets “more intensive.” According to the blog post, that means Corellium asks about the customer’s use case, consults with “trusted contacts in the security community, including contacts at various US government agencies,” and looks at the potential customer’s online presence and investigates its “ownership, corporate structure, and employees.”

Apple did not respond to a request for comment, nor did NSO Group, Cellebrite, or Pwnzen. XiaBo Chen, who identifies as the founder of Pwnzen on LinkedIn, did not respond to multiple requests for comment. After the controversy surrounding DarkMatter’s role in targeting activists and journalists, the company reportedly rebranded to Digital14 in 2019, then to CPX in 2021. Digital14 and CPX did not respond to requests for comment.

Idan Nurick, the CEO and cofounder at Paragon, says that “as a matter of principle, Paragon maintains the confidentiality of its clients, as well as technology providers, and the company does not disclose any information pertaining to these entities.”

Vladimir Katalov, the CEO, cofounder, and co-owner of Elcomsoft, confirmed that his company is a Corellium customer. 

‘Puzzling’ Claims

The leaked document, prepared in 2021, according to an included timeline, mirrors Apple’s arguments against Corellium, which it accused of violating its copyright and the Digital Millennium Copyright Act by re-creating a virtual version of iOS. While Apple has never publicly presented the evidence that’s contained in the document against Corellium, the tech giant accused Corellium in its lawsuit of helping researchers develop zero-day exploits and spyware for governments around the world, hinting that this was one of the main reasons it didn’t approve of Corellium’s practices, apart from alleged copyright infringement.

“Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement,” Apple said in the complaint. “Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Corellium has forcefully defended itself against Apple’s claims, saying it sells to “well-known and well-respected financial institutions, government agencies, and security researchers” who use their product for legitimate purposes.

In December 2020, when he dismissed Apple’s copyright infringement claims, US District Judge Rodney Smith, of the Southern District of Florida, sided with Corellium, writing in the order on the parties’ motions for summary judgment that “Apple’s position is puzzling, if not disingenuous.”

“As for Apple’s contention that Corellium sells its product indiscriminately, that statement is belied by the evidence in the record that the company has a vetting process in place (even if not perfect) and, in the past, has exercised its discretion to withhold the Corellium Product from those it suspects may use the product for nefarious purposes,” the judge wrote. “Having reviewed the evidence, the Court does not find a lack of good faith and fair dealing.”

The case took an unexpected turn in August 2021, when Apple and Corellium settled out of court. (The terms of the deal were confidential.) Then, days later, the tech giant filed an appeal, keeping its case against Corellium alive.

Bad Reputations

Even in 2019, NSO Group and DarkMatter had poor reputations in the world of cybersecurity. At the time, there had already been several examples of abuse of NSO Group’s Pegasus spyware, particularly against journalists in Mexico. Ronald Deibert, the director of the Citizen Lab, a digital rights watchdog housed at the University of Toronto's Munk School that has investigated companies like NSO Group for years, said in March 2019 that there was a “mountain of evidence that NSO Group’s surveillance technology is being abused by its clients, and the company is either unwilling or unable to perform the type of due diligence to prevent that from happening.” 

Both Apple and Microsoft have called NSO Group “21st-century mercenaries.”

Gorton has publicly denied selling Corellium’s products to DarkMatter and NSO Group and said Corellium does not sell to companies in the Middle East.

“We have definitely rejected customers who have approached us. I’m sure you can imagine DarkMatter, NSO Group have all reached out and we just politely declined, we don’t sell to that region,” she said during a November 2021 interview with the _Decipher_ podcast. 

In the interview, she sold her company’s mission as positive and uncontroversial, saying that Corellium can be used to help researchers find bugs and report them to companies like Apple, something that companies like NSO Group, DarkMatter, Paragon, Pwnzen, Cellebrite, and Elcomsoft don’t do. Gorton added that hunting for security bugs is “kind of exactly what we wanted to see the platform used for.”

In the past, other Corellium executives and founders have repeatedly downplayed the possibility that bad actors could use its software. When asked whether he was worried that Corellium customers could use the product to find bugs and develop exploits that would then be used by governments, David Wang, one of the company’s cofounders, told _Forbes_ in 2018 that the company would be “selective in who we choose to do business with.” 

Wang did not respond to WIRED’s request for comment. 

In the podcast interview, Gorton has also fielded questions about how Corellium vets its customers to avoid selling to bad actors and that the company takes this process “very seriously,” selling only in the Asia-Pacific, European Union, and North America regions, and researching companies they don’t recognize. “We err on the side of caution,” she said.

The leaked document includes a 2021 email from Steve Dyer, the vice president of sales and business development at Corellium, to Gorton. In the email, Dyer explains the process for vetting “current and future cloud customers” as they submit requests for trials online. Part of the process, Dyer wrote, is to check that the companies are not from countries sanctioned by the US government, such as North Korea, Sudan, Syria, and Russia. (While Elcomsoft is headquartered in Russia, the company is not sanctioned by the US government.) 

“China has been added to the list for auto-denied trials,” Dyer wrote. 

Last year, the US government added NSO Group to a federal blocklist, preventing any US companies and individuals from doing business with the spyware company. In correspondence with WIRED, Corellium said it voluntarily refused to sell its software to NSO Group “more than two years before the United States Department of Commerce placed NSO Group on its Entity List.”

Nevertheless, Corellium’s engagement with these controversial companies may change the cybersecurity community’s view that Apple’s lawsuit is a case of an entitled tech giant going after a scrappy startup with an innovative product that it doesn’t like. 

John Scott-Railton, a senior researcher at the Citizen Lab, says the Corellium sales department’s outreach to NSO Group and DarkMatter is “a potentially cynical act” given the nature of those companies. “At that point, Corellium and everyone else knew exactly who NSO Group was and what they would do with that kind of technology and the people that would inevitably be harmed,” Scott-Railton says. “It raises questions about their ethics, their judgment, or both.”

Zach Edwards, an independent privacy and security researcher, says that “sensitive technology cannot be haphazardly sold to any company, in any country in the world.”

“While Corellium is a reverse-engineering tool that doesn't intrinsically create risks through its sale, the core purpose of the tool is to reverse malware,” Edwards says. “And if you sell the product to malware developers in countries averse to Western interests, we should assume that this tool will be used to improve malware.”

A person who tried Corellium in the past, who asked to remain anonymous because they were not allowed to speak to the press, says that “given what’s happening in the world today, you shouldn’t be dealing with Russian companies,” such as Elcomsoft. 

Elcomsoft’s CEO Katalov says that “the decision to work with a company based in Russia is a personal choice.”

“Please rest assured that we still strive to provide the best software and services, and trying to keep good relationships with our customers all over the world,” he adds. “We will just keep doing our job, making the world a safer place and battling the crime.”

Adrian Sanabria, a cybersecurity veteran, says that it’s not surprising that “groups interested in creating iOS exploits would be using a platform designed for iOS security research.” 

“For me, the core takeaway is that Apple created the need for platforms like Corellium by not providing the tools, access, and transparency the market needs and desires,” he says.

Danger Zones

Some of the organizations and companies linked to Corellium in the document come from countries seen as controversial by most people in the cybersecurity community in the West, including Alex Stamos, who acted as an expert witness for Corellium in the lawsuit against Apple.  

“I personally don’t believe it would be ethical to sell exploits to Saudi Arabia,” Stamos, the director of Stanford University’s Internet Observatory, said during testimony he provided in the lawsuit between Apple and Corellium, which is quoted in the document.  

Stamos also expressed doubts about selling products to the United Arab Emirates, whose government had a close relationship with DarkMatter. “The UAE has been shown to use malware and exploits to spy on journalists and suppress local dissent,” Stamos said. 

In response to the document’s revelations, Stamos says he doesn’t think “it's appropriate for Apple to use copyright law to try to stop security research, and I don't think it's responsible for Corellium to offer their product to companies known to create malicious software for authoritarian states.”

The document also includes the logos of alleged Corellium customers and companies linked to it. As well as the companies previously mentioned, the document includes the logo of Azimuth, a provider of advanced hacking tools to the intelligence and law enforcement agencies of the so-called Five Eyes. Other logos include the Centre for Strategic Infocomm Technologies of Singapore, or CSIT, as well as the logo of an academic institution in Saudi Arabia called the Center of Excellence in Information Assurance (COEIA), housed at the King Saud University. 

CSIT executives did not respond to a request for comment. Other than the logo of the COEIA, the document also shows a 2019 email titled “invitation to Corellium” sent to the organization. The COEIA did not respond to a request for comment.

The legal battle between Apple and Corellium is ongoing. Late last month, the two companies appeared at a hearing before the Eleventh Circuit of the US Court of Appeals in Florida. Apple’s lawyer, Melissa Sherry, argued that Corellium’s product is just a slightly tweaked version of iOS that’s not transformative enough not to be fair use. Corellium attorney Kevin Russell said the product helps users “shed light on the functionality of the Apple operating system” and is, therefore, fair use.

“I don't think there's a genuine dispute that the purpose of the product is to explore the unprotected functionality of the system's software,” he said. “What people do with that knowledge is the subject of another statute.”

A Leak Details Apple's Secret Dirt on Corellium, a Trusted Security Startup

"SandStrike," the latest example of espionage-aimed Android malware, relies on elaborate social media efforts and back-end infrastructure.

Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn't mean attackers aren't constantly trying to deploy other sophisticated mobile malware as well.

The latest example is "SandStrike," a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran's Baha'i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

**Elaborate Social Media Lures**

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group's notorious Pegasus spyware along with emerging problems like Hermit.

**Mobile Malware on the Rise**

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint released earlier this year highlighted a 500% increase in mobile malware delivery attempts in Europe in the first quarter of this year. The increase followed a sharp decline in attack volumes toward the end of 2021.

The email security vendor found that many of the new malware tools are capable of a lot more than just credential stealing: "Recent detections have involved malware capable of recording telephone and non-telephone audio and video, tracking location and destroying or wiping content and data."

Google and Apple's official mobile app stores continue to be a popular mobile malware delivery vector. But threat actors are also increasingly using SMS-based phishing campaigns and social engineering scams of the sort seen in the SandStrike campaign to get users to install malware on their mobile devices.

Proofpoint also found that attackers are targeting Android devices far more heavily than iOS devices. One big reason is that iOS doesn't allow users to install an app via an unofficial third-party app store or to download it directly to the device, like Android does, Proofpoint said.

**Different Types of Mobile Malware in Circulation**

Proofpoint identified the most significant mobile malware threats as FluBot, TeaBot, TangleBot, MoqHao, and BRATA. The different capabilities integrated into these malware tools include data and credential theft, stealing funds from online accounts, and general spying and surveillance. One of these threats — FluBot — has been largely quiet since the disruption of its infrastructure in a coordinated law enforcement action in June.

Proofpoint found that mobile malware is not confined to a specific region or language. "Instead, threat actors adapt their campaigns to a variety of languages, regions and devices," the company warned.

Meanwhile, Kaspersky said it blocked some 5.5 million malware, adware, and riskware attacks targeted at mobile devices in Q2 2022. More than 25% of these attacks involved adware, making it the most common mobile threat at the moment. But other notable threats included mobile banking Trojans, mobile ransomware tools, spyware link SandStrike, and malware downloaders. Kaspersky found that creators of some malicious mobile apps have increasingly targeted users from multiple countries at once.

The mobile malware trend poses a growing threat to enterprise organizations, especially those that allow unmanaged and personally owned devices in the workplace. Last year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a checklist of actions that organizations can take to address these threats. Its recommendations include the need for organizations to implement security-focused mobile device management; to ensure that only trusted devices are allowed access to applications and data; to use strong authentication; to disable access to third-party app stores; and to ensure that users use only curated app stores.

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware

drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 and 6.x before 6.0.1 allows a user-space client to corrupt the monitor's internal memory.

commit fbd56ddcecab5a3623a89c8e941fdbcc55b41045 Author: Greg Kroah-Hartman Date: Wed Oct 12 09:39:05 2022 +0200 Linux 6.0.1 Link: https://lore.kernel.org/r/20221010070330.159911806@linuxfoundation.org Tested-by: Luna Jernberg Tested-by: Fenil Jain Tested-by: Linux Kernel Functional Testing Tested-by: Justin M. Forbes Tested-by: Florian Fainelli Tested-by: Ronald Warsow Tested-by: Shuah Khan Tested-by: Zan Aziz Tested-by: Slade Watkins Tested-by: Guenter Roeck Tested-by: Rudi Heitbaum Tested-by: Bagas Sanjaya Tested-by: Jon Hunter Tested-by: Sudip Mukherjee Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit 3c6b036fe5c8ed8b6c4cbdc03605929882907ef0 Author: Tetsuo Handa Date: Fri Sep 2 20:23:48 2022 +0900 Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}\_timer works commit deee93d13d385103205879a8a0915036ecd83261 upstream. syzbot is reporting attempt to schedule hdev->cmd\_work work from system\_wq WQ into hdev->workqueue WQ which is under draining operation \[1\], for commit c8efcc2589464ac7 ("workqueue: allow chained queueing during destruction") does not allow such operation. The check introduced by commit 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") was incomplete. Use hdev->workqueue WQ when queuing hdev->{cmd,ncmd}\_timer works because hci\_{cmd,ncmd}\_timeout() calls queue\_work(hdev->workqueue). Also, protect the queuing operation with RCU read lock in order to avoid calling queue\_delayed\_work() after cancel\_delayed\_work() completed. Link: https://syzkaller.appspot.com/bug?extid=243b7d89777f90f7613b \[1\] Reported-by: syzbot Signed-off-by: Tetsuo Handa Fixes: 877afadad2dce8aa ("Bluetooth: When HCI work queue is drained, only queue chained work") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Greg Kroah-Hartman commit 390ba6a7755d6db79e8000d5501096c24f3b8bfd Author: Jules Irenge Date: Wed Sep 7 16:24:20 2022 +0100 bpf: Fix resetting logic for unreferenced kptrs commit 9fad7fe5b29803584c7f17a2abe6c2936fec6828 upstream. Sparse reported a warning at bpf\_map\_free\_kptrs() "warning: Using plain integer as NULL pointer" During the process of fixing this warning, it was discovered that the current code erroneously writes to the pointer variable instead of deferencing and writing to the actual kptr. Hence, Sparse tool accidentally helped to uncover this problem. Fix this by doing WRITE\_ONCE(\*p, 0) instead of WRITE\_ONCE(p, 0). Note that the effect of this bug is that unreferenced kptrs will not be cleared during check\_and\_free\_fields. It is not a problem if the clearing is not done during map\_free stage, as there is nothing to free for them. Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr") Signed-off-by: Jules Irenge Link: https://lore.kernel.org/r/Yxi3pJaK6UDjVJSy@playground Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 448faed285b9a0dc4101ffb6a256aa261fcd0979 Author: Daniel Golle Date: Fri Sep 30 01:56:53 2022 +0100 net: ethernet: mtk\_eth\_soc: fix state in \_\_mtk\_foe\_entry\_clear commit ae3ed15da5889263de372ff9df2e83e16acca4cb upstream. Setting ib1 state to MTK\_FOE\_STATE\_UNBIND in \_\_mtk\_foe\_entry\_clear routine as done by commit 0e80707d94e4c8 ("net: ethernet: mtk\_eth\_soc: fix typo in \_\_mtk\_foe\_entry\_clear") breaks flow offloading, at least on older MTK\_NETSYS\_V1 SoCs, OpenWrt users have confirmed the bug on MT7622 and MT7621 systems. Felix Fietkau suggested to use MTK\_FOE\_STATE\_INVALID instead which works well on both, MTK\_NETSYS\_V1 and MTK\_NETSYS\_V2. Tested on MT7622 (Linksys E8450) and MT7986 (BananaPi BPI-R3). Suggested-by: Felix Fietkau Fixes: 0e80707d94e4c8 ("net: ethernet: mtk\_eth\_soc: fix typo in \_\_mtk\_foe\_entry\_clear") Fixes: 33fc42de33278b ("net: ethernet: mtk\_eth\_soc: support creating mac address based offload entries") Signed-off-by: Daniel Golle Link: https://lore.kernel.org/r/YzY+1Yg0FBXcnrtc@makrotopia.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 50fe01fa7640bc216bb1a47754a1f799c20eff8e Author: Kumar Kartikeya Dwivedi Date: Wed Sep 21 16:35:50 2022 +0200 bpf: Gate dynptr API behind CAP\_BPF commit 8addbfc7b308d591f8a5f2f6bb24d08d9d79dfbb upstream. This has been enabled for unprivileged programs for only one kernel release, hence the expected annoyances due to this move are low. Users using ringbuf can stick to non-dynptr APIs. The actual use cases dynptr is meant to serve may not make sense in unprivileged BPF programs. Hence, gate these helpers behind CAP\_BPF and limit use to privileged BPF programs. Fixes: 263ae152e962 ("bpf: Add bpf\_dynptr\_from\_mem for local dynptrs") Fixes: bc34dee65a65 ("bpf: Dynptr support for ring buffers") Fixes: 13bbbfbea759 ("bpf: Add bpf\_dynptr\_read and bpf\_dynptr\_write") Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20220921143550.30247-1-memxor@gmail.com Acked-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 64517c21fd0f28b40a75d0d3121276b31399278e Author: Palmer Dabbelt Date: Tue Sep 20 13:45:18 2022 -0700 RISC-V: Print SSTC in canonical order commit 61a41d16ad20657f93613229a8b17766c51dc849 upstream. This got out of order during a merge conflict, fix it by putting the entries in the correct order. Fixes: 7ab52f75a9cf ("RISC-V: Add Sstc extension support") Signed-off-by: Palmer Dabbelt Reviewed-by: Conor Dooley Reviewed-by: Heiko Stuebner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220920204518.10988-1-palmer@rivosinc.com/ Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit d3b5e30e87b52404765b25d9ee156a85c3d8caf6 Author: Mario Limonciello Date: Tue Aug 2 23:25:00 2022 -0500 gpiolib: acpi: Add a quirk for Asus UM325UAZ commit 0ea76c401f9245ac209f1b1ce03a7e1fb9de36e5 upstream. Asus UM325UAZ has GPIO 18 programmed as both an interrupt and a wake source, but confirmed with internal team on this design this pin is floating and shouldn't have been programmed. This causes lots of spurious IRQs on the system and horrendous battery life. Add a quirk to ignore attempts to program this pin on this system. Reported-by: Pavel Krc Link: https://bugzilla.kernel.org/show\_bug.cgi?id=216208 Reviewed-by: Hans de Goede Signed-off-by: Mario Limonciello Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 359e1b7a7f79738e00a59f367dbe0d3a819d1754 Author: Mario Limonciello Date: Tue Aug 2 23:24:59 2022 -0500 gpiolib: acpi: Add support to ignore programming an interrupt commit 6b6af7bd5718f4e45a9b930533aec1158387d552 upstream. gpiolib-acpi already had support for ignoring a pin for wakeup, but if an OEM configures a floating pin as an interrupt source then stopping it from being a wakeup won't do much good to stop the interrupt storm. Add support for a module parameter and quirk infrastructure to ignore interrupts as well. Signed-off-by: Mario Limonciello Reviewed-by: Hans de Goede Reviewed-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 94e14d5193c5692faa589b733e9a360154d4696b Author: Johan Hovold Date: Tue Sep 13 16:53:12 2022 +0200 USB: serial: ftdi\_sio: fix 300 bps rate for SIO commit 7bd7ad3c310cd6766f170927381eea0aa6f46c69 upstream. The 300 bps rate of SIO devices has been mapped to 9600 bps since 2003... Let's fix the regression. Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 08e2c70e549b77f5f3af9c76da00779d5756f997 Author: Tadeusz Struk Date: Mon Sep 19 14:59:57 2022 -0700 usb: mon: make mmapped memory read only commit a659daf63d16aa883be42f3f34ff84235c302198 upstream. Syzbot found an issue in usbmon module, where the user space client can corrupt the monitor's internal memory, causing the usbmon module to crash the kernel with segfault, UAF, etc. The reproducer mmaps the /dev/usbmon memory to user space, and overwrites it with arbitrary data, which causes all kinds of issues. Return an -EPERM error from mon\_bin\_mmap() if the flag VM\_WRTIE is set. Also clear VM\_MAYWRITE to make it impossible to change it to writable later. Cc: "Dmitry Vyukov" Cc: stable Fixes: 6f23ee1fefdc ("USB: add binary API to usbmon") Suggested-by: PaX Team # for the VM\_MAYRITE portion Link: https://syzkaller.appspot.com/bug?id=2eb1f35d6525fa4a74d75b4244971e5b1411c95a Reported-by: syzbot+23f57c5ae902429285d7@syzkaller.appspotmail.com Signed-off-by: Tadeusz Struk Link: https://lore.kernel.org/r/20220919215957.205681-1-tadeusz.struk@linaro.org Signed-off-by: Greg Kroah-Hartman commit 3a93bbb581f85367b3227a685aa24a051230229c Author: Aleksa Savic Date: Wed Sep 14 13:43:27 2022 +0200 hwmon: (aquacomputer\_d5next) Fix Quadro fan speed offsets commit b7f3e9650f12d1e06b94a0257bcb90279f691bf5 upstream. The offsets for setting speeds of fans connected to Quadro are off by one. Set them to their correct values. The offsets as shown point to registers for setting the fan control mode, which will be explored in future patches, but slipped in here. When setting fan speeds, the resulting values were overlapping, which made the fans still run in my initial testing. Fixes: cdbe34da01e3 ("hwmon: (aquacomputer\_d5next) Add support for Aquacomputer Quadro fan controller") Signed-off-by: Aleksa Savic Link: https://lore.kernel.org/r/20220914114327.6941-1-savicaleksa83@gmail.com Cc: stable@vger.kenrel.org Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 4ec318d06084a807df8eb212e321120236915fd6 Author: Shuah Khan Date: Thu Sep 1 15:23:19 2022 -0600 docs: update mediator information in CoC docs commit 8bfdfa0d6b929ede7b6189e0e546ceb6a124d05d upstream. Update mediator information in the CoC interpretation document. Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20220901212319.56644-1-skhan@linuxfoundation.org Cc: stable@vger.kernel.org Signed-off-by: Jonathan Corbet Signed-off-by: Greg Kroah-Hartman commit 49a49d65e21085c088d2a96e583282d59769926b Author: Kees Cook Date: Thu Sep 29 22:57:43 2022 -0700 hardening: Remove Clang's enable flag for -ftrivial-auto-var-init=zero commit 607e57c6c62c00965ae276902c166834ce73014a upstream. Now that Clang's -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang option is no longer required, remove it from the command line. Clang 16 and later will warn when it is used, which will cause Kconfig to think it can't use -ftrivial-auto-var-init=zero at all. Check for whether it is required and only use it when so. Cc: Nathan Chancellor Cc: Masahiro Yamada Cc: Nick Desaulniers Cc: linux-kbuild@vger.kernel.org Cc: llvm@lists.linux.dev Cc: stable@vger.kernel.org Fixes: f02003c860d9 ("hardening: Avoid harmless Clang option under CONFIG\_INIT\_STACK\_ALL\_ZERO") Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit a3c72efe3d6143b0964642435d8d8bf42e4fbf75 Author: Sami Tolvanen Date: Fri Sep 30 20:33:10 2022 +0000 Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 commit 2120635108b35ecad9c59c8b44f6cbdf4f98214e upstream. We enable -Wcast-function-type globally in the kernel to warn about mismatching types in function pointer casts. Compilers currently warn only about ABI incompability with this flag, but Clang 16 will enable a stricter version of the check by default that checks for an exact type match. This will be very noisy in the kernel, so disable -Wcast-function-type-strict without W=1 until the new warnings have been addressed. Cc: stable@vger.kernel.org Link: https://reviews.llvm.org/D134831 Link: https://github.com/ClangBuiltLinux/linux/issues/1724 Suggested-by: Nathan Chancellor Signed-off-by: Sami Tolvanen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220930203310.4010564-1-samitolvanen@google.com Signed-off-by: Greg Kroah-Hartman commit df3d15181e00f1e63d778c29d252a25e04f6b046 Author: Bart Van Assche Date: Tue Aug 30 13:58:42 2022 -0700 sparc: Unbreak the build commit 17006e86a7641fa3c50324cfb602f0e74dac8527 upstream. Fix the following build errors: arch/sparc/mm/srmmu.c: In function ‘smp\_flush\_page\_for\_dma’: arch/sparc/mm/srmmu.c:1639:13: error: cast between incompatible function types from ‘void (\*)(long unsigned int)’ to ‘void (\*)(long unsigned int, long unsigned int, long unsigned int, long unsigned int, long unsigned int)’ \[-Werror=cast-function-type\] 1639 | xc1((smpfunc\_t) local\_ops->page\_for\_dma, page); | ^ arch/sparc/mm/srmmu.c: In function ‘smp\_flush\_cache\_mm’: arch/sparc/mm/srmmu.c:1662:29: error: cast between incompatible function types from ‘void (\*)(struct mm\_struct \*)’ to ‘void (\*)(long unsigned int, long unsigned int, long unsigned int, long unsigned int, long unsigned int)’ \[-Werror=cast-function-type\] 1662 | xc1((smpfunc\_t) local\_ops->cache\_mm, (unsigned long) mm); | \[ ... \] Compile-tested only. Fixes: 552a23a0e5d0 ("Makefile: Enable -Wcast-function-type") Cc: stable@vger.kernel.org Signed-off-by: Bart Van Assche Tested-by: Andreas Larsson Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220830205854.1918026-1-bvanassche@acm.org Signed-off-by: Greg Kroah-Hartman commit 79bc9ee841abf982affb75c8417abe9091e64304 Author: Al Viro Date: Mon Oct 3 20:26:08 2022 -0400 fix coredump breakage commit 4f526fef91b24197d489ff86789744c67f475bb4 upstream. Let me count the ways in which I'd screwed up: \* when emitting a page, handling of gaps in coredump should happen before fetching the current file position. \* fix for a problem that occurs on rather uncommon setups (and hadn't been observed in the wild) had been sent very late in the cycle. \* ... with badly insufficient testing, introducing an easily reproducible breakage. Without giving it time to soak in -next. Fucked-up-by: Al Viro Reported-by: "J. R. Okajima" Tested-by: "J. R. Okajima" Fixes: 06bbaa6dc53c "\[coredump\] don't use \_\_kernel\_write() on kmap\_local\_page()" Cc: stable@kernel.org # v6.0-only Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 2a96b532098284ecf8e4849b8b9e5fc7a28bdee9 Author: Dongliang Mu Date: Tue Aug 16 12:08:58 2022 +0800 fs: fix UAF/GPF bug in nilfs\_mdt\_destroy commit 2e488f13755ffbb60f307e991b27024716a33b29 upstream. In alloc\_inode, inode\_init\_always() could return -ENOMEM if security\_inode\_alloc() fails, which causes inode->i\_private uninitialized. Then nilfs\_is\_metadata\_file\_inode() returns true and nilfs\_free\_inode() wrongly calls nilfs\_mdt\_destroy(), which frees the uninitialized inode->i\_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security\_inode\_alloc just prior to this\_cpu\_inc(nr\_inodes) Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck Reported-by: Hao Sun Reported-by: Jiacheng Xu Reviewed-by: Christian Brauner (Microsoft) Signed-off-by: Dongliang Mu Cc: Al Viro Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit a53f14b0a934de4c0ee6935c7ee224e979460a7b Author: Jalal Mostafa Date: Wed Sep 21 13:57:01 2022 +0000 xsk: Inherit need\_wakeup flag for shared sockets commit 60240bc26114543fcbfcd8a28466e67e77b20388 upstream. The flag for need\_wakeup is not set for xsks with \`XDP\_SHARED\_UMEM\` flag and of different queue ids and/or devices. They should inherit the flag from the first socket buffer pool since no flags can be specified once \`XDP\_SHARED\_UMEM\` is specified. Fixes: b5aea28dca134 ("xsk: Add shared umem support between queue ids") Signed-off-by: Jalal Mostafa Signed-off-by: Daniel Borkmann Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/20220921135701.10199-1-jalal.a.mostapha@gmail.com Signed-off-by: Greg Kroah-Hartman

CVE-2022-43750

Observable discrepancies in the login process allow an attacker to guess legitimate user names registered in the BMC. This issue affects: Lanner Inc IAC-AST2500A standard firmware version 1.10.0.

Over the past year, Nozomi Networks Labs has conducted research on the security of Baseboard Management Controllers (BMCs), with a special focus on OT and IoT devices. In part one of this blog series, we reveal thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X (AMI’s MegaRAC SP-X standard codebase is not affected by those specific issues). By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host. During our research, we uncovered other vulnerabilities whose patching is still in progress and thus cannot be disclosed as of yet; those will be covered in a follow-up blog post. 

Our discussion starts with an introduction to BMCs and an illustration of the vulnerabilities discovered. We will then provide an example of how an attacker can abuse these issues to ultimately compromise the device, and conclude with remediations that asset owners can implement. 

Nozomi Networks Labs reveals vulnerabilities in BMC firmware affecting OT/IoT devices. 

**Baseboard Management Controllers (BMC) 101**

A Baseboard Management Controller (BMC) is a supplementary System-on-Chip designed for remote monitoring and management of a computer. Due to this dedicated network interface and tight coupling with critical hardware components (e.g. motherboard chipset), BMCs can perform fully remote low-level system operations, such as keyboard-and-mouse interaction straight from the bootstrap, system power control, BIOS firmware reflash, etc. 

In the past, BMCs were only found in IT server motherboards, whereas vendors are now broadening the scope of BMCs to operational technology (OT) and internet of things (IoT) sectors. One such vendor is Lanner Inc., a Taiwanese brand specializing in embedded applications. Notably, during our research, we analyzed Lanner IAC-AST2500A, an expansion card that enables BMC functionalities on Lanner appliances. IAC-AST2500A’s firmware is based on the American Megatrends (AMI) MegaRAC SP-X solution, a popular BMC firmware also utilized by brands such as Asus, Dell, Gigabyte, HP, Lenovo, or nVidia. 

Among the available network services, the expansion card features a web application through which users can fully control the managed host as well as the BMC itself. Figure 1 depicts a screenshot of the interface. 

**Figure 1.** Screenshot of the web interface of the Lanner IAC-AST2500A 

**Vulnerabilities Found **

By analyzing the web interface of the IAC-AST2500A, we found thirteen vulnerabilities, as listed below: 

*   **CVE-2021-26727**: spx\_restservice SubNet\_handler\_func Multiple Command Injections and Stack-Based Buffer Overflows, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26728**: spx\_restservice KillDupUsr\_func Command Injection and Stack-Based Buffer Overflow, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26729**: spx\_restservice Login\_handler\_func Command Injection and Multiple Stack-Based Buffer Overflows, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26730**: spx\_restservice Login\_handler\_func Subfunction Stack-Based Buffer Overflow, **CVSS v3.1 10** (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26731**: spx\_restservice modifyUserb\_func Command Injection and Multiple Stack-Based Buffer Overflows, **CVSS v3.1 9.1** (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) 
*   **CVE-2021-26732**: spx\_restservice First\_network\_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) 
*   **CVE-2021-26733**: spx\_restservice FirstReset\_handler\_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) 
*   **CVE-2021-44776**: spx\_restservice SubNet\_handler\_func Broken Access Control, CVSS v3.1 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) 
*   **CVE-2021-44467**: spx\_restservice KillDupUsr\_func Broken Access Control, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) 
*   **CVE-2021-44769**: TLS Certificate Generation Function Improper Input Validation, CVSS v3.1 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) 
*   **CVE-2021-46279**: Session Fixation and Insufficient Session Expiration, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) 
*   **CVE-2021-45925**: Username Enumeration, CVSS v3.1 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 
*   **CVE-2021-4228**: Hard-coded TLS Certificate, CVSS v3.1 5.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L) 

These vulnerabilities affect version 1.10.0 of the standard firmware of Lanner IAC-AST2500, except for CVE-2021-4228 which was found on version 1.00.0. 

**Attack Chain Example: CVE-2021-44467 and CVE-2021-26728 **

CVE-2021-44467 and CVE-2021-26728 describe a possible attack chain whereby an unauthenticated attacker can achieve Remote Code Execution (RCE) with root privileges on the BMC. During the login process, the web application asks through a confirmation dialog if the user wants to terminate any other active session on the logged-in account (Figure 2). 

**Figure 2.** Termination of other active sessions on a logged-in account 

This functionality is implemented via an authenticated POST request to “/api/KillDupUsr”, which is ultimately handled by the “KillDupUsr\_func” function of “spx\_restservice”. This function begins as in Figure 3. 

Figure 3 CVE 2021 44467

Although the POST request contains a QSESSIONID cookie, the function does not perform any verification checks on the user session. This flaw enables unauthenticated attackers to arbitrarily terminate active sessions of other users, causing a Denial-of-Service (DoS) condition (CVE-2021-44467). Further issues can be observed by proceeding with the analysis (Figure 4). 

**Figure 4.** CVE-2021-26728 in KillDupUsr\_func 

At line 41, “strcat” is called to copy the content of “v9”, which contains the value of the externally controllable HTTP parameter “username”, into “dest”, a fixed-size buffer. No checks are done on the length of “v9” before executing the instruction, leading to a stack-based buffer overflow. 

At line 46, a “safe\_system” is called with “dest” as argument. Despite the name, it turned out to be possible to inject arbitrary OS commands in the string (for instance, a subshell command) that were executed by the device, leading to a command injection (CVE-2021-26728). When also considering that all processes run with root privileges on the device, the combined weaknesses enable an unauthenticated attacker to completely compromise both the BMC and the managed host. 

**Remediations  **

After sharing all vulnerabilities with Lanner via a responsible disclosure process, the vendor developed updated BMC firmware versions for the IAC-AST2500A that resolve all issues described in this blog. The correct patched version strictly depends on the appliance in use; thus, we urge Lanner customers to contact technical support to receive the appropriate package. 

If asset owners are unable to patch their appliances, we advise enforcing firewall or network access control rules to restrict the network reachability of the web interface to trusted personnel only, or to actively monitor the network traffic via intrusion detection systems. 

**Summary  **

BMCs represent an attractive way to conveniently monitor and manage computer systems without requiring physical access, in the IT as well as in the OT/IoT domain. Nevertheless, their usability comes at the expense of a broader attack surface, and that may lead to an increase of the overall risk if they are not adequately protected. In this blog, we have presented the first results of our analysis of BMCs in OT and IoT devices and discussed thirteen vulnerabilities, five of which are rated as critical. 

During our assessment, we uncovered further vulnerabilities, that are still in the process of being fixed and will be disclosed at a later date. We recommend that our readers regularly monitor our Nozomi Networks Labs page for the release of the follow-up blogpost, which will describe the remaining issues.

**Related Links:**

*   Vulnerability Details: CVE-2021-26727 
*   Vulnerability Details: CVE-2021-26728 
*   Vulnerability Details: CVE-2021-26729 
*   Vulnerability Details: CVE-2021-26730 
*   Vulnerability Details: CVE-2021-26731 
*   Vulnerability Details: CVE-2021-26732 
*   Vulnerability Details: CVE-2021-26733 
*   Vulnerability Details: CVE-2021-44776 
*   Vulnerability Details: CVE-2021-44467 
*   Vulnerability Details: CVE-2021-44769 
*   Vulnerability Details: CVE-2021-46279 
*   Vulnerability Details: CVE-2021-45925 
*   Vulnerability Details: CVE-2021-4228

CVE-2021-45925: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1

SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk.
"The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection

SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called **WarHawk**.

"The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone check in order to ensure a victorious campaign," Zscaler ThreatLabz said.

The threat group, also called APT-C-17, Rattlesnake, and Razor Tiger, is suspected to be an Indian state-sponsored group, although a report from Kaspersky earlier this May acknowledged previous indicators that led to the attribution have since disappeared, making it challenging it to link the threat cluster to a specific nation.

More than 1,000 attacks are said to have been launched by the group since April 2020, an indication of SideWinder's newfound aggression since it commenced operations a decade ago in 2012.

The intrusions have been significant not only with regard to their frequency but also in their persistence, even as the group takes advantage of a massive arsenal of obfuscated and newly-developed components.

In June 2022, the threat actor was found leveraging an AntiBot script that's designed to filter their victims to check the client browser environment, specifically the IP address, to ensure the targets are located in Pakistan.

The September campaign spotted by Zscaler entails the use of a weaponized ISO file hosted on NEPRA's website to activate a killchain that leads to the deployment of the WarHawk malware, with the artifact also acting as a decoy to hide the malicious activity by displaying a legitimate advisory issued by the Cabinet Division of Pakistan on July 27, 2022.

WarHawk, for its part, masquerades as legitimate apps such as ASUS Update Setup and Realtek HD Audio Manager to lure unsuspecting victims into execution, resulting the exfiltration of system metadata to a hard-coded remote server, while also receiving additional payloads from the URL.

This includes a command execution module that's responsible for the execution of system commands on the infected machine received from the command-and-control server, a file manager module that recursively enumerates files present in different drives, and an upload module that transmits files of interest to the server.

Also deployed as a second-stage payload using the aforementioned command execution module is a Cobalt Strike Loader, which validates the host's time zone to confirm it matches the Pakistan Standard Time (PKT), failing which the process is terminated.

Following the anti-anThe loader injects shellcode into a notepad.exe process using a technique called KernelCallbackTable process injection, with the malware author lifting source code from a technical write-up published in April 2022 by a researcher who goes by the online alias Capt. Meelo.

The shellcode then decrypts and loads Beacon, the default malware payload used by Cobalt Strike to establish a connection to its command-and-control server.

Per the cybersecurity company, the attack campaign's connections to the SideWinder APT stem from the reuse of network infrastructure that has been identified as used by the group in prior espionage-focused activities against Pakistan.

"The SideWinder APT Group is continuously evolving their tactics and adding new malware to their arsenal in order to carry out successful espionage attack campaigns against their targets," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan

Asus RT-N12E 2.0.0.39 is affected by an incorrect access control vulnerability. Through system.asp / start_apply.htm, an attacker can change the administrator password without any authentication.

Wireless-N300 Router

*   300 Mbps high speed
*   Plug-n-surf CD free installation
*   External 5dBi antenna for better coverage  
    (\*Antenna type will differ according to local regulations and requirement in each country)  
    
*   Power saving: consumes less power during stand by mode
*   Support EZ WPS connection

Awards

"The Asus RT-AX88U is the best choice for a higher end router. It features next generation Wi-Fi 6 (802.11ax) technology, and an impressive eight Gigabit Ethernet ports, which even supports link aggregation. Backing this up is the usual excellent AsusWRT interface, which allows granular control of every imaginable setting. "

"One of the fastest routers we've tested, the Asus ROG Rapture GT-AC5300 offers lots of gamer-friendly features, copious I/O ports, and a slick management console that lets you optimize your network for lag-free gaming."

"The Asus RT-AC86U is a fast AC2900 dual band router that's equipped with the latest networking technology and is loaded with gamer optimization and network protection features."

Today, they’re well known not just for superior wireless performance, but also as one of the few brands that continue to push the latest in standards, security, advanced user customisation and building a robust networking ecosystem through AiMesh functionality to enable compatible ASUS routers to work together in a single SSID.

ASUS’ popularity is most likely due to their focus on powerful hardware with cutting edge networking features across their Wi-Fi 6 range from the flagship ROG Rapture GT-AX11000 to the RT-AX86U.

See all

Media reviews

See all

**Consistently Praised for Networking Excellence!**

**Readers’ Choice, 6 Years Running! (2012-2017)**  
“No brand is more likely to be recommended than ASUS. The company receives excellent marks for their ease of setup and reliability.”– PC Magazine \>>Learn more.

**Recommended Excellence Award for Best Router Brand,** PC Pro Technology Excellence Awards 2016.

ASUS RT-N12E supports 802.11 b/g/n and has 300 Mbps high speed. With CD free easy installation and stable data transmission, RT-N12E is the basic solution for wireless internet setup. It also contents Green WLAN technology so it consumes less power during stand by mode.

**Step1:**

**Step2:**

**Step3:**

Power up the router and launch the browser

Enter the information provided by your ISP

Start surfing!

**Plug-n-Surf Installation**

3-steps is all you need to set up the router. You don't need a CD for installation.

**Save The Planet And Your Pocket**

Compared with generic Wireless-N routers, ASUS ECO-WiFi CPU reduces 72%\* of energy consumption and utility cost.

\* The result given was of an internal testing methods comparing typical router, with standby, normal and heavy traffic. Testing criteria: \[Standby mode\] Only WAN ports are connected. \[Normal traffic\] 1 wired connected PC and 1 wirelessly connected laptop for P2P download. \[Heavy traffic\] 4 wired connected PCs and 2 wirelessly connected laptops for P2P download. Utility cost is calculated based on 2011 US household avg. electricity price, all taxes included.

**Extended Network Coverage**

The RT-N12E features a 5dBi high-gain antenna that boosts the wireless signal, thereby extending coverage range.

\*Antenna type will differ according to local regulations and requirement in each country.

**Network Map-Manual Free Management**

1.  Have a quick overview of the whole network and WAN/LAN status
2.  Manage your network in minutes
3.  Try our EZ UI software

**WPS Function& WPA/WPA2 Encryption**

WEP encryption is not enough for Wi-Fi connection nowadays, and intruders may be able to access your network.Using the WPS function with WPA/WPA2 encryption improves protection for your home networks and private resources.

**Keep Up to Date!**

Remember to always keep your device’s firmware up to date so you can benefit from the very latest service and security enhancements — and get exciting new features! Learn more about updating new firmware.

\*This product does not support universal repeater mode. If needed, please find RT-N10U, RT-N12, RT-N13U, or RT-N15U.

\* ASUS received the highest numerical score among wireless routers in the J.D. Power 2015 Wireless Router Satisfaction Report, based on 2,716 responses from 8 companies measuring satisfaction with wireless routers surveyed November-December 2015. Your experiences may vary. Visit jdpower.com

CVE-2020-23648: RT-N12E｜WiFi Routers｜ASUS Global

Categories: News
Categories: Ransomware
Tags: Dutch

Tags:  law enforcement

Tags:  DeadBolt

Tags:  ransomware

Tags:  decryption keys

Tags:  responders.nu

With the idea provided by an incident response company, Dutch police used a clever trick to get 150 DeadBolt ransomware decryption keys for free.



(Read more...)




The post DeadBolt ransomware gang tricked into giving victims free decryption keys appeared first on Malwarebytes Labs.

Posted: October 19, 2022 by

Dutch police and other law enforcement agencies have managed to trick the DeadBolt ransomware operators into releasing 150 decryption keys for free. 

The method of obtaining decryption keys was found by a Dutch incident response company called Responders.NU, who shared the method with the police. The basis for the trick iss that it was possible to cancel an unconfirmed Bitcoin transaction before payment went through through, but **after** the decryption key was released.

Because of the large amount of Bitcoin transactions taking place at one time, it can take a while for payment to actually go through. That gave police enough time to block the transactions from going through before the payment actually took place. By then they'd already received the decryption key and could pass it on to the victims. They managed to repeat the process around 150 times before the ransomware gang pulled the plug on their system that gave out the decryption keys.

**Deadbolt**

DeadBolt is a ransomware that specializes in encrypting online network attached storage (NAS) devices. Owners of QNAP  (Quality Network Appliance Provider) devices have recently been the target of this ransomware operator. QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced, update with firmware containing the latest security updates to protect against the attackers' DeadBolt ransomware, which annoyed part of its userbase.

More recently, QNAP detected that cybercriminals known as DeadBolt were exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that were directly connected to the internet. This DeadBolt campaign also targeted Asustor users. According to the police there are around 20,000 affected devices worldwide. Each of them received instructions to pay 0.05 Bitcoin (around $1000 at the time of writing) to get a decryption key for their files.

**Decryption keys**

The police wanted to emphasize that it is always important to file a complaint about cybercrime, even though the chances of apprehending the cybercriminals may seem slim. So they started by helping victims, from 13 countries, who had filed a complaint with their local police.

Most of the victims who they helped should have received instructions on how to access their personal decryption key by now.

If you have not been notified by the police but you still want to check if you are one of the lucky ones, you can follow the instructions on the site deadbolt.responders.nu and find out if your decryption key is available.

**Mitigation**

It is important to file a complaint if you are a victim of a cybercrime. Not only does it give law enforcement agencies a better understanding of what's going on and how widespread a campaign is, it also provides them with information that may help them apprehend the criminals or recover your data or money.

To avoid falling victim to the DeadBolt ransomware, the obvious advice is to not connect your NAS directly to the internet, but we understand that that ruins the whole purpose of a NAS for some users.

Make sure that the firmware of your device and all the software running on it is up to date. These criminals will not only find new vulnerabilities, but also use old ones that have not yet been patched.

To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

**RELATED ARTICLES**

DeadBolt ransomware gang tricked into giving victims free decryption keys

Red Hat Security Advisory 2022-7020-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:7020-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7020  
Issue date:        2022-10-18  
CVE Names:         CVE-2022-40674  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* expat: a use-after-free in the doContent function in xmlparse.c  
(CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.3.0-7.el9_0.src.rpm

aarch64:  
firefox-102.3.0-7.el9_0.aarch64.rpm  
firefox-debuginfo-102.3.0-7.el9_0.aarch64.rpm  
firefox-debugsource-102.3.0-7.el9_0.aarch64.rpm

ppc64le:  
firefox-102.3.0-7.el9_0.ppc64le.rpm  
firefox-debuginfo-102.3.0-7.el9_0.ppc64le.rpm  
firefox-debugsource-102.3.0-7.el9_0.ppc64le.rpm

s390x:  
firefox-102.3.0-7.el9_0.s390x.rpm  
firefox-debuginfo-102.3.0-7.el9_0.s390x.rpm  
firefox-debugsource-102.3.0-7.el9_0.s390x.rpm

x86_64:  
firefox-102.3.0-7.el9_0.x86_64.rpm  
firefox-debuginfo-102.3.0-7.el9_0.x86_64.rpm  
firefox-debugsource-102.3.0-7.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY08TOtzjgjWX9erEAQhbrQ//eGfpfVEIx6Srj3T7RZqukl589ujYYn6v  
mBvHuTG8Id6QrbJv5Rz+eE4guLQhrWmYPD2T0+6W7hoxMqn2rcODlyxhPH4ch3KN  
tmMkctfMps2l4uyrDwPl+r+120pTBNt0c/lQXgQMj7TFDjjttN/70YNIlUPw5iqN  
i0crNIvxb9AhotwYBS7dasUsCayfeLdZTR+7Ss8IMApBjzDBKFKz6c2Blb2GlSob  
CRdDCYZE+e6SHZ4iAFyzP4VKV2MB+ZPCzNxMXziNTcOBBx60yeVegjzv5hOIyEEi  
JhEGrJhCqaisBZAxgVKxRHugYcunWoemiVrSA9Wai6csGp0PiOE1HnFje1mCx5r1  
AuVmi07pwQf76cyh5Smu4IknlPosEyVtUlD4cxmr+vo0ScBqqqIPpuxa7QEG/cKV  
qCrQy0FgI8WvJ3X1deElT1XKFw9t2Hlr7K1QnZ+o9tBO8Ldc8wEGjDlCD9FWuARC  
09K4bvy1ZgLbIpXDr3v2oWLo4dzFmziqp/2Gvtnf+2FW/oKM41YBFLmICtFeOmoe  
uR9Ov0hmGz3GbXN8sXZgxFZ7tDYP/qhL7ho+QBY0JgYHkVG7ehlfeC4D+fWgOwPw  
o1zblZTxUUjRoWkCtLZoDj9I8XsRnQFmuM6EE4sCLgyT/qa+u8NkrkgEFmmzvfqT  
IZQb2vgCZ6g=ReFl  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#asus