Asus DSL-N14U-B1 1.1.2.3_805 allows remote attackers to cause a Denial of Service (DoS) via a TCP SYN scan using nmap.

layout

title

date

comments

categories

post

Persistent crash of services after TCP SYN scan

2021-01-22

true

vulnerability

**Affected products**

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

        DSL-N14U_B1 V.1.1.2.3_805
        
    

**Overview**

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3\_805 device. Remote attacker to cause a denial of service (crash) by performing a SYN scan using a tool such as nmap. Sending these packets causes a persistent outage of the jetdirect (9100/tcp), LPD (515/tcp) and sos (3838/udp) services.

**POC**

**This PoC can crash services.**

##Stage 1: Enumeration

##Stage 2: Upload test

We enter the router via ssh to understand through the proc file system what's going on.

As shown in the figure, we can see some active services and their port in hexadecimal format. Those that interest us are basically jetdirect LPD (i.e. 238C and 0203 in hex)

##Stage 3: Showdown

We run nmap by inserting an additional script with a moderate degree of intrusion.

The script retrieves or sets the "ready message" on devices that support the Printer Job Language.

sudo nmap -sV --script pjl-ready-message

Once this is done, we immediately notice differences in the proc file system.

As a counter check, we show the status of services before and after running nmap via netstat -tulen (busybox doesn't support -p, which is why we work on the proc file system inside the router).

In the latest two figures we show proc file system effects in a comprehensive way 

If we had an eye previously, we have seen well, not just two ocurrencies related to printing services crashed... an additional service disappeared: sos service (3838 / tcp) - Scito Object Server

The situation will persist as long as the modem router is active. The services will be active again only with a physical intervention (reboot)

CVE-2021-3254: kaisersource.github.io/2021-01-22-dsl-n14u.md at main · kaisersource/kaisersource.github.io

Plus: Russia rerouted internet in occupied Ukraine, Grindr sold its users' location data to ad networks, and more.

If the war in Ukraine and Russia's still-unfolding atrocities there didn't offer enough fodder for doomscrolling, this week supplied a new dose of domestic crisis: A leaked Supreme Court draft decision that would overturn _Roe v. Wade_, demolishing a ruling that has served as a cornerstone of reproductive rights for nearly five decades. And this crisis, too, will play out in the digital realm as much as the physical and legal ones.

WIRED's Lily Hay Newman responded to the news with a guide to protecting your privacy if you're seeking an abortion in a near-future world in which _Roe_ has in fact been overturned. As right-wing pundits demand the Supreme Court leaker's prosecution, meanwhile, we analyzed the laws concerning leaks of unclassified government information like a draft court ruling and found that there's no clear statute criminalizing that sort of information sharing. And law professor Amy Gajda walked us through the history of Supreme Court information leaks, which stretches back hundreds of years.

As Russia's war in Ukraine grinds on, we looked at how small, consumer-grade drones are offering a defensive tool to Ukrainians that they're exploiting as in no other war in history. And further abroad in India, a battle is taking shape between VPN firms and the Indian government, which is demanding they hand over users' data. Meanwhile, the country's new “super app,” Tata Neu, has sparked user privacy concerns.

And there's more. As we do every week, we’ve rounded up all the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

If _Roe_'s precedent ceases to protect people seeking abortions across the United States, the question of who can digitally surveil those seeking abortions and abortion providers—and how to evade that surveillance—will become a civil liberties battle of the highest urgency. This week, Motherboard's Joseph Cox fired the opening salvos of that battle with a series of stories about data brokers who offer to sell location data that include individuals' visits to abortion clinics and Planned Parenthood offices, an egregious form of surveillance capitalism with immediate human consequences. Anti-abortion protest groups have already used abortion clinic data to target ads at women inside the clinics, and the same data could soon be used to identify women who seek out-of-state abortions in violation of local laws.

Cox pointed to two companies, SafeGraph and Placer.ai, both of which sold location data of those apparently visiting abortion clinics. Placer.ai has gone so far as to offer "heat maps" of where abortion clinic visitors live to anyone who creates a free account on its site. Cox's reporting had quick results: SafeGraph, which was banned from the Google Play store in June, responded to Motherboard's story by committing to stop selling the abortion-related location data. One of its investors, Are Traasdahl, says he's selling his stake in the company and donating the money to Planned Parenthood.

Your move, Placer.ai.

While we're shaming firms that leak or sell their users' location data, Grindr has long represented a uniquely dangerous combination: a company that courts at-risk users, and then egregiously fails to protect their privacy. This week, _The Wall Street Journal_ revealed that Grindr users' location data was sold for years—beginning in 2017 until at least two years ago—via ad networks, potentially exposing the movements, work locations, and home addresses of millions of gay men. The revelation follows years of Grindr data abuses and inattention to privacy and security, such as allowing anyone to pinpoint users with a triangulation technique, and even turning a blind eye as one man's life was ruined by spoofed Grindr accounts.

In 2022 a Russian military occupation doesn't merely mean physical devastation from shelling, unspeakable war crimes, and mass deportations of Ukrainian civilians to Russian hinterlands. In the Russian-occupied region of Kherson in southern Ukraine, it now means that Ukrainians have been disconnected from the global internet and rerouted through Russia's tightly controlled, surveilled, and censored “Runet.” The move, confirmed Monday by the internet monitoring firm Netblocks, represents a grim advancement of the “splinternet” notion of repressive regimes increasingly walling off their own regional slice of the internet to exert greater control over their populations. Russia now appears to be experimenting with extending its internet repression to the victims of its unprovoked military conquests in a bid to better control and influence digital information there too.

Last month, _The New Yorker_ published an in-depth investigation of how the Israeli hacking firm NSO Group's highly sophisticated smartphone spyware known as Pegasus was used to target members of Spain's Catalan independence movement. Now, Spain's government may be getting a taste of its own medicine: Both the prime minister, Pedro Sánchez, and the country's defense minister, Margarita Robles, have said that their phones, too, were hacked with Pegasus in May and June of 2021. Spain's criminal court is investigating the hacking, which was revealed by security researchers at Citizen Lab. While the Spanish government has claimed that the hacking must have been carried out by a foreign culprit, the Catalan targets of Pegasus have long pointed the finger—for their own targeting at least—at Spain's National Intelligence Center.

The US Treasury announced Friday that it's issuing sanctions against Blender.io, a “mixing” service that's used to obscure the origins and destinations of cryptocurrency. Mixers, including Bitcoin Fog and Helix, have been criminally prosecuted by the US Department of Justice for helping to obscure the criminal origins of cryptocurrency. But the sanctions against Blender.io represent the first time that the Treasury has taken measures to financially ostracize a mixer, making it a crime for any American to transact with the service. In this case, Blender is accused of helping to launder $20.5 million of the $620 million worth of cryptocurrency that North Korea's Lazarus hackers allegedly stole from the cryptocurrency firm Ronin Networks in March. That hack alone suggests that North Korean thieves have already topped the estimated $400 million in crypto—largely in the Ethereum currency—that they stole last year.

Data Brokers Track Abortion Clinic Visits for Anyone to Buy

The country has ordered companies operating VPNs to collect user data and hand it over to officials—but they’re refusing to do so.

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data—and maintain it for five years or more—under a new national directive. VPN providers have two months to accede to the rules and start collecting data.

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark’s legal department, says the VPN provider couldn’t currently comply with India’s logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. “We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” he says. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” says spokesperson Matt Fossen. “Our team is investigating the new directive and exploring the best course of action,” says Laura Tyrylyte, head of public relations at Nord Security, which develops Nord VPN. “We may remove our servers from India if no other options are left.”

The hardball response from VPN providers shows how much is at stake. India has rapidly shifted away from a free and open democracy and launched crackdowns on non-governmental organizations, journalists, and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that media freedom is under attack in the country, with a number of law and policy changes threatening the rights of minority citizens in the country. India dropped eight places in Reporters Without Borders’ Press Freedom Index in the past year and now sits 150th out of 180 countries worldwide. Authorities are alleged to have targeted journalists, stoking nationalist division and encouraging harassment of reporters who are critical of Indian prime minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who VPN-using journalists are contacting and why.

Officials in India have claimed that the new rules for VPN providers aren't part of a data grab aimed at further stymying press freedoms, but rather an attempt to better police cybercrime. India has been hit by a number of significant data breaches in recent years and was the third-most affected country worldwide in 2021. “Data breaches have become so common in India that they no longer make front page news as they used to,” says Mishi Choudhary, a technology lawyer and founder of the Software Freedom Law Center, a technology legal support services provider in India. In May 2021, the names, email addresses, locations, and phone numbers of more than 1 million customers of Domino’s Pizza were stolen and posted online; in the same year, the personal information of 110 million users of digital payment platform MobiKwik ended up on the dark web. Now, as the major incidents pile up, Indian officials are going after VPNs in an apparent attempt to reign in the cybercrime surge.

“CERT-In is duty-bound to respond to any cybersecurity incidents,” says Srinivas Kodali, a researcher focusing on digitalization in India from the Free Software Movement of India—though he disputes its efficacy in doing so. Having this information on hand should, in theory, allow CERT-In to investigate any incidents more speedily after the fact. But many don’t believe that’s the full story. “CERT-In doesn’t really have a clean past, and they’ve never really protected citizens’ privacy,” Kodali claims. “According to the rules, they are going to only demand these logs when they actually need them for part of an investigation. But in India, you never know how they will be abused.”

Such concerns of overreach are not unfounded. According to data published in April 2022 by Access Now, an advocacy group lobbying for internet freedoms, India was responsible for 106 of the 182 documented internet shutdowns in 2021. It was the fourth successive year the country held the unenviable title of the internet shutdown capital of the world. At the same time, India’s government has allegedly misled parliament about its use and deployment of the Israeli-produced spyware Pegasus against 160 politicians, lawyers, and activists within the country.

That ‘collect data first, ask questions later’ approach to law enforcement has others worried, too. “This is a blunderbuss way of remembering all data and keeping tabs on your users,” says Anupam Chander, professor of law at Georgetown University in Washington, DC. “That way, if \[India\] needs it for law enforcement, intelligence purposes, or other purposes, they can grab it later.” And the VPN data grab could, potentially, collect information on millions of Indians who rely on the technology. One in five Indians used a VPN in 2021, according to data gathered by service provider Atlas VPN—up from just 3 percent in 2020. The increased usage echoes a broader rise in the use of VPNs in countries such as Venezuela, Costa Rica, and Cambodia, which saw similar increases. It also shows how people in India are seeking out VPNs for information security purposes, as well as to avoid geoblocking of popular websites.

There’s another reason everyday Indians are pursuing VPNs: the rollout of a controversial nationwide identification database. The ID system known as Aadhaar—which first launched in 2009 and has evolved since then—assigns citizens a 12-digit identity code based on their biometric and demographic information. Its proponents say that Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. Its opponents say Aadhaar’s ubiquity and required use—you can’t open a bank account, get an ambulance, or pay your taxes without one—is an attempt to shoehorn a surveillance state into existence under the auspices of making things easier for citizens. Choudhary worries that the new rules for VPN providers are part of a broader “mission creep” to control what is said and by whom across India. “This is not just bureaucracy,” Choudhary says. “It seems that the government of India is using every opportunity to make access to the internet much more controlled, as well as monitored.” CERT-In did not respond to a request for comment.

And India is not alone. “South Asian governments are basically competing with each other in this operational Olympics around violating the digital rights of their citizens,” says Pakistani lawyer and internet activist Nighat Dad. Pakistan’s government attempted to introduce a law in October 2021 that gave it the right to monitor and censor any content posted on social media in the country. Pakistan has previously blocked access to Facebook, Twitter, YouTube, WhatsApp, and Telegram “to maintain public order.” Dad is scared. “Not only in Pakistan but in India, there are marginalized communities who are at risk. This is a scary situation.” Similar concerns have been raised in Indonesia, where digital platforms have to register with the communications ministry and agree to provide access to their systems and data on request. So too in Bangladesh, where internet freedom has reached an “all-time low,” according to Freedom House, as the governing party uses laws to crack down on political dissent through social media.

VPNs that are developed within—or operate in—India will have to choose whether to accede to CERT-In’s request or withdraw their support from the country. Kodali says providers may adopt a halfway-house solution, barring new users from paying for VPNs with an Indian bank account, which would theoretically make it impossible for Indians to sign up while in practice quietly permitting them to find a workaround. But what starts in India likely won’t end there. “This does have global implications,” says Chander, who believes India is learning a lesson from China, with its stringent internet crackdowns. There’s a worry other, more liberal governments will follow the Indian-Chinese model, too. Attacks on end-to-end encryption are commonplace in the UK, while the US joined India, the UK, Japan, Australia, and New Zealand in signing an international statement asking for backdoor access that would subvert encryption standards. “I think it’s important that governments justify these actions,” says Chander, “and explain how they don’t threaten civil liberties.”

VPN Providers Threaten to Quit India Over New Data Law

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me. 
In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter that’s going to be a little different, but bear with me. 

In honor of the NFL Draft starting this evening — an event that Cisco is helping to secure — I thought it’d be appropriate to look at building a cybersecurity team from the ground up. As an avid NFL fan (go Browns!) I’m always thinking about what I would do if I was a general manager in a draft room. This year, if I was building a football team, I’d be steering clear of Aidan Hutchinson and Travon Walker early on and trying to trade back and take receivers like Chris Olave or Garrett Wilson. 

But cybersecurity is also a team sport. You need a layered model to ensure your organization stays safe from everyday vulnerabilities, state-sponsored actors and everything in between. To build that team, we need to go through seven rounds of selections to build out the ultimate roster of security tools and skills that everyone needs to keep their organization secure (obviously, some of these are a bit tongue-in-cheek, if you want honest to goodness security advice, reach out to Cisco Talos Incident Response today). Email me at threatsource@cisco.com with what — or who — you would select in the first round of your Cybersecurity Draft. 

**Round 1: Multi-factor authentication **

MFA is a guy you want in the trenches with you every day on the security playing field. They’re going to protect your most important players from attacking bad guys looking to take advantage of holes in your protection. If we’re building a team from the ground up, we need to make sure we have the basics covered, and if your team doesn’t have MFA at this point, you’re going to be searching for an authentication method in the offseason free agency, and who wants to sign passwords to a three-year contract? 

**Round 2: An Incident Response plan **

Incident Response Plans weren’t recruited highly in security high school, but they rose up through the ranks over the past few years to become a Wi-Feisman Trophy winner in 2021. An Incident Response plan is there for you when you fall behind on the scoreboard and need to make ground up quickly against attackers. A strong IR plan will give this team a base from which they can react to any attack quickly and try and minimize the damage, hopefully setting us up for a comeback in the fourth quarter. If you’re also looking to draft an IR plan of your own, might I suggest reaching out to Talos Incident Response, who can work to build one from the ground up? 

**Round 3: User training **

A lot of people are concerned that when he was in college, User Training went relatively unnoticed for being “boring.” But there are ways to spice things up on the field, and I think as a manager, I can truly unlock Training’s potential. If our users are properly informed about the risks out there in an entertaining and educational way, we can hopefully lean on MFA in the trenches to work as it's supposed to. 

**Round 4: Endpoint detection **

Endpoint detection is projected to go earlier than this in the 2022 Cybersecurity Draft, but I personally think people have kind of forgotten about EDR recently and it could slide into the later rounds, which is where I’ll grab them up. EDR will set up in secondary on defense and monitor for any attacker movements on the offensive side of the field, letting the rest of the team know about any unusual activities, users or connections.  

**Round 5: Vulnerability management program **

A vulnerability, asset and patching management program like Kenna Security will round out our starting defense. Here’s a guy who can muck up the middle of the field and make it harder for attackers to break through the line and further toward your network’s endzone. By deploying software like this, this team will make sure major holes are patched up right away before the opposing team’s leader can even see them on the field, and best of all, we can automate the process so we don’t need to focus as much as hands-on coaching with this position group. 

**Round 6: Penetration testing **

Round 6 seems late, but with this front office, we can find greatness anywhere. Penetration testing is going to be this team’s Tom Brady coming from Round 6. We’ll grab a few pentesters to place on the perimeter and look in at the team to find any vulnerabilities in our team before our opponents can. That way when we head into a week of practice, we know what needs to be fixed right away before we are out against our opponents, and they can take advantage. (Plus, this pretty much guarantees we can use red in our uniforms and get something close to the awesome throwback Falcons gear.) 

**Round 7: Physical backups **

Physical backup drives are the kickers of cybersecurity — you hate it when you have to rely on them in the final seconds, but when they work out, they can still be a lifesaver. By keeping physical backups of our team’s data and gameplans, we’re protected in a worst-case scenario and can recover quickly in crunch time rather than hoping we can pay the opponents to give us the ball back. Cloud backups would work just as well in this case, but we like that physical drives have put in years of work to get to this point.  

**Other newsy nuggets **

New research indicates the use of the NSO Group’s Pegasus spyware continues to spread, even to democratic nations. The Spanish government recently deployed the tool against individuals in Catalan, an area looking to separate from Spain. Spyware continues to be a growing concern across the globe, with evidence indicating that Pegasus is being used in at least 45 countries, according to new reporting in the New Yorker, and similar tools are in use by law enforcement agencies in the U.S. and Europe, areas where governments have pledged to crack down on spyware. (The New Yorker, CNET) 

Western governments doubled down on warnings that Russian state-sponsored actors could target critical infrastructure with cyber attacks in the coming weeks, as the country’s invasion of Ukraine drags on. A new alert from cybersecurity agencies in the U.S., Canada, Australia and other countries warns the attacks could come as a Russian response to international sanctions, adding that “other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive.” (CISA, Reuters) 

The Emotet botnet could be testing new techniques in preparation for a large-scale campaign in the coming months. Security researchers recently spotted the threat actor emailing targets OneDrive URLs that hosted ZIP files containing malicious Microsoft Excel files that installed Emotet onto the targeted machine. This would represent the biggest comeback from Emotet since a law enforcement effort in January 2021 disrupted the botnet. Talos has previously seen signs that the botnet and the actor behind it was not likely to go away even after the takedown efforts. (Cybersecurity Dive, ZDNet, Talos) 

**Can’t get enough Talos? **

*   Talos Researcher Spotlight: Liz Waddell, CTIR practice lead
*   Threat Roundup (April 15 – 22)
*   Talos Takes Ep. #93: Kenna 101 — Best patching and mitigation strategies
*   Quarterly Report: Incident Response trends in Q1 2022

**Upcoming events where you can find Talos ****BSides Charm (April 30 - May 1, 2022)  
Towson, Maryland ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****DEF CON 2022 (Aug. 11 - 14, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645   **MD5:** 2c8ea737a232fd03ab80db672d50a17a   **Typical Filename:** LwssPlayer.scr     
**Claimed Product:** 梦想之巅幻灯播放器     
**Detection Name:** Auto.125E12.241442.in02   

**SHA 256:** 792bc2254ce371be35fcba29b88a228d0c6e892f9a525c330bcbc4862b9765d0  **MD5:** b46b60327c12290e13b86e75d53114ae  **Typical Filename:** NAPA\_HQ\_SetW10config.exe  **Claimed Product:** N/A  **Detection Name:** W32.File.MalParent 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 1a234656f81e870cdeb0e648a6b305a41452c405cca21124de26b54f79d55ad0     
**MD5:** 10f1561457242973e0fed724eec92f8c   **Typical Filename:** ntuser.vbe   
**Claimed Product:** N/A     
**Detection Name:** Auto.1A234656F8.211848.in07.Talos

Threat Source newsletter (April 28, 2022) — The 2022 Cybersecurity Mock Draft

In ControlUp Real-Time Agent before 8.6, an unquoted path can result in privilege escalation. An attacker would require write permissions to the root level of the OS drive (C:\) to exploit this.

**Vulnerability ID:** CVE-2022-27905  
**Severity:** Medium  
**Update Release Date:** February 17, 2022  
**Fix version:** Version >= 8.6 for both Hybrid Cloud and COP (On-Premises)

**What was the problem?**

A local privilege escalation may be possible due to an insecure call to the CreateProcessAsUserA (Unquoted path) WinAPI function while the ControlUp Real-Time Agent is running.  
The prerequisites for exploiting this vulnerability are very uncommon and include write access to C:\\ by a low-privilege user and the ability to restart the cuAgent service.

We use cookies to ensure that we give you the best experience on our website. by continuing to use this site you agree to our Cookie policy. Got it

CVE-2022-27905: Security Advisory - State Farm

The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service.
"These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," the State Department's Rewards for Justice Program

![Russian Military Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjcRGGpPVaSDP71Dqct6SGyWKwT1f5xd_i_T8j1cghxa5v7NLZnn4E8A6uL7dqwiyK8K2r0O8n9u48uPJNi7-2EIgm2VMth6ufE_i7U9RSUD_kcxSJsyBaPItNzBbsAFYp_VdpevfgJuLoexMH9m2B42teEO9wZf4QSZISaPt-QHNJndbS7_GJLqzsc/s728-e1000/hackers.jpg "Russian Military Hackers")

The U.S. government on Tuesday announced up to $10 million in rewards for information on six hackers associated with the Russian military intelligence service.

"These individuals participated in malicious cyber activities on behalf of the Russian government against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act," the State Department's Rewards for Justice Program said.

All the six Russian officers are members of an advanced persistent threat group called Sandworm (aka Voodoo Bear or Iron Viking), which is known to be operating since at least 2008 with a specific focus on targeting entities in Ukraine with the goal of establishing an illicit, long-term presence in order to mine highly sensitive data.

![CyberSecurity](https://thehackernews.com/images/-SmHk9U6ikBk/YVHUUpxrNfI/AAAAAAAA4ac/xluSCU7878ErhlmIN9mj9pKf9fr3LTBwACLcBGAsYHQ/s300-e100/rewind-3-300.png)

The hacker, who are officers of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), are as follows -

*   Artem Valeryevich Ochichenko, who has been linked to technical reconnaissance and spear-phishing campaigns to gain unauthorized access to IT networks of critical infrastructure facilities worldwide

*   Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko, who are said to have developed components of the NotPetya and Olympic Destroyer malware used by the Russian government on June 27, 2017 to infect computer systems, and

*   Anatoliy Sergeyevich Kovalev, who is accused of developing spear-phishing techniques and messages used by the Russian government to breach computer systems of critical infrastructure facilities

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

On October 15, 2020, the U.S. Justice Department indicted the aforementioned officers for carrying out destructive malware attacks with an aim to disrupt and destabilize other nations and cause monetary losses, charging them with conspiracy to commit wire fraud and aggravated identity theft.

![Russian Military Hackers](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwJTJ3kg8QUmfZtLWxkNxXZvalCjAEm7T_GZUk5bojaT0q3EO896JySTwXDYsAgG0lRMiuS33bDhE-nqnEdSQPn5MUsW5Ekh5BtwTRfvwP4DOuXyc0vD84IxvI_pPQEk8_CDr_pPYBnL1mm1LOL7ckP9C8FGR3XbRxo_nIzZEyvaVaYWFy-b4VaElN/s728-e1000/million.jpg "Russian Military Hackers")

As part of the initiative, the Rewards of Justice has set up a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad\[.\]onion" that can be used to submit tips about these threat actors anonymously, or alternatively share the information via Signal, Telegram, or WhatsApp.

The Sandworm collective was most recently attributed to a now-neutralized sophisticated botnet malware dubbed Cyclops Blink that ensnared internet-connected firewall devices and routers from WatchGuard and ASUS.

Other recent hacking activities associated with the group include the deployment of an upgraded version of the Industroyer malware against high-voltage electrical substations in Ukraine amidst the ongoing invasion.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Offers $10 Million Bounty for Information on 6 Russian Military Hackers

The ongoing war in Ukraine means that defenses are only as good and as strong as those with whom we partner.

Disinformation campaigns, distributed denial-of-service attacks, wiper malware, Internet blackouts, and bot armies are just a few of the various digital attacks that Russia has aimed at Ukraine. In late February, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning US firms to prepare their defenses to defend against these kinds of attacks. As of now, at least four different kinds of wiper malware — destructive disk-wiping malware — have been released during the conflict.

For those who are still wondering where is the cyberwar in the Russian invasion, it's already here and it's imperative for organizations across the globe to be prepared. However, in a tightly integrated global economy, these preparations must not occur in isolation but, rather, must encompass an organization's partners — and their partners' partners and so forth. Collective resilience captures this notion of strengthening the defenses across an organization's entire supply chain ecosystem by pursuing strength in unity, but viewed through a realistic lens, that self-preservation requires strengthening and lifting up the weakest links within highly interdependent systems. When it comes to the growing uncertainty and instability stemming from the Russian invasion, there has been a sharp swing toward collective resilience to proactively offset and mitigate the ongoing Russian malicious cyber activity.

Russian malware has a history of making organizations across the globe collateral damage, even if they are not the intended target. In 2017, a destructive supply chain attack propagated across the globe in a matter of hours. Maersk, Merck, and FedEx were just a few of the global victims, as the cyberattack disrupted ports, hindered vaccine distribution by the Centers for Disease Control and Prevention, and crippled manufacturing sales. This history, coupled with Russia's ongoing deployment of a range of malicious cyber activity during the fog of war, elevates the risk and potential for collateral damage across the globe due to cyberattacks. CISA's Shields Up campaign attests to the growing risk to organizations stemming from the Russian invasion.

**Third-Party Risks  
**However, Shields Up should not just apply to an organization's own systems but to its partners as well. Third-party risks remain a core attack vector targeting the weakest link within an organization's supply chain. More than 2,000 US-based firms had suppliers in Ukraine and Russia prior to the invasion; a number which exponentially increases to hundreds of thousands of suppliers when integrating their second- and third-tier suppliers. Even if these suppliers are not the intended targeted, they may become collateral damage in the war.

An organization's digital supply chain similarly must be part of this extended defense. Just as NotPetya exploited the digital supply chain, the US and UK have warned that the Russian-linked Cyclops Blink botnet is targeting ASUS, a Taiwanese electronics company. Coupled with the Lapsus$ Group's ongoing attacks, supply chain attacks remain on the rise and are a core component of Russia's strategy of preparatory installation and reconnaissance. The Cyclops Blink campaign has been active since at least 2019, illustrating Russia's ongoing efforts to embed and prepare for future exploitation. FBI Director Christopher Wray explained how cyberattacks do not occur instantaneously, but rather, "There's activity that leads up to it. ... There's developing access to those systems. So, there's a whole range of preparatory work, which is what we've been seeing." This access increasingly occurs through the digital supply chain.

**Collective Resilience  
**Furthermore, the growing list of approximately 400 sanctioned Russian companies introduces an additional cyber and supply chain risk for organizations. For instance, the March 24 US Department of Treasury sanction targets almost 50 Russian defense-industrial base organizations, including Joint Stock Company Russian Helicopters. This company alone has hundreds of tier-1 and tier-2 suppliers and is in the supply chain of many technology and aerospace and defense companies as it accounts for 10% of the global helicopter market. Many in the aerospace and defense sector rely on the same suppliers, exacerbating the potential for a single sanctioned company to propagate risk throughout the industry. 

These companies are not only at risk of noncompliance fines but need to consider the degree to which the hundreds of restricted companies have access to their data or networks. More sanctions are also likely, including secondary sanctions that target third-party relationships — a step that would yet again stress the necessity of collective resilience across an organization's entire supply chain.

Some are adhering to CISA's warnings and strengthening their own defenses, while others still debate the absence of malicious cyber activity in the Russian invasion. While fortunately there has yet to be the major attacks many feared, Russia continues "to undermine, coerce, and destabilize," according to Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. As we've seen in the past, these destabilization efforts are unlikely to remain contained to Ukraine. Organizations should seek a collective resilience approach in preparation for the growing geopolitical instability across the globe. Defenses are only as good and as strong as those with whom we partner.

Strength in Unity: Why It's Especially Important to Strengthen Your Supply Chain Now

jbd2_journal_wait_updates in fs/jbd2/transaction.c in the Linux kernel before 5.17.1 has a use-after-free caused by a transaction_t race condition.

CVE-2022-28796

ASUS RT-AC86U’s LPD service has insufficient filtering for special characters in the user request, which allows an unauthenticated LAN attacker to perform command injection attack, execute arbitrary commands and disrupt or terminate service.

:::

*   勒索軟體防護專區
*   遠距辦公資安專區
*   回首頁
*   網站導覽
*   訂閱電子報
*   English

****

*   資安通報
*   Wannacry
*   駭客
*   勒索
*   手機

*   新聞公告News
    *   公告事項
    *   資安新聞
    *   資安活動
    *   電子報
*   資安服務Services
    *   資安通報
        *   一般資安通報
    *   資安聯盟
        *   資安聯盟簡介
        *   規章及會員申請暨異動申請
    *   台灣漏洞揭露平台 (TVN)
        *   TVN (Taiwan Vulnerability Note) 漏洞公告
        *   漏洞揭露政策
        *   漏洞通報
    *   惡意檔案檢測服務 (Virus Check)
    *   網路釣魚通報 (Phishing Check)
        *   網路釣魚通報
        *   釣魚網站列表
*   資安宣導Advocacy
    *   勒索軟體威脅防護專區
    *   遠距辦公資安專區
    *   企業資安事件應變處理指南
    *   威脅分析報告
    *   資安小知識
    *   資訊安全宣導
    *   資安宣導影音
    *   公開文件
*   相關網站Links
    *   國內資安組織
    *   國際資安組織
    *   網路資源
*   關於我們About us
    *   中心簡介
    *   活動紀事
        *   歷年年會活動網站
        *   活動花絮
    *   PGP KEY
    *   聯絡我們
    *   合作夥伴

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202202007

CVE ID

CVE-2022-25597

CVSS

8.8 (High)  
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

ASUS RT-AC86U firmware v3.0.0.4.386.45956

問題描述

ASUS RT-AC86U的LPD服務未對使用者發送的請求進行特殊字元的過濾，區域網路內的攻擊者不須權限，即可利用該漏洞進行部分Command Injection攻擊，執行系統任意指令，並導致阻斷系統與終止服務。

解決方法

Update ASUS RT-AC86U firmware version to 3.0.0.4\_386\_46092

漏洞通報者

TianHe

公開日期

2022-03-07

CVE-2022-25597: ASUS RT-AC86U - Command Injection

A use-after-free flaw was found in the Linux kernel’s Bluetooth subsystem in the way user calls connect to the socket and disconnect simultaneously due to a race condition. This flaw allows a user to crash the system or escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Tag

#asus