Law enforcement is warning about a wave of Web injection attacks on US online retailers that are successfully stealing credit-card information from online checkout pages.

Cyberattackers are targeting US online businesses by injecting malicious PHP code into e-commerce checkout pages and exfiltrating scraped data to a command-and-control (C2) server spoofed to look like a legitimate credit-card processor.

That's according to a flash alert from the FBI issued this week, which detailed one attack in particular that began in September 2020. Along with scraping credit-card data, the cybercriminals were modifying the business checkout page code to gain backdoor access to the business' system. The FBI provided indicators of compromise and recommended mitigations for similar e-tailers, including patching and ongoing monitoring of e-commerce environments. 

**Businesses Should Take Alert 'Seriously'**  
Cyvatar CISO Dave Cundiff explained in an emailed reaction to the alert that basic cybersecurity hygiene and monitoring would be enough to fend off this sort of attack. 

"Continually verifying and monitoring an organization's fundamental cybersecurity is a requirement these days," Cundiff said. "If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless." 

US businesses should take this alert seriously, according to Kunal Modasiya, senior director of product management at PerimeterX,.

"Given the risks of supply-chain attacks in general, it is important that businesses look beyond server-side security tools, such as static code analysis, external scanners, and the limitations of CSP to solutions," Modasiya says. 

Ron Bradley, vice president of Shared Assessments, meanwhile notes that organizations dealing with credit-card data, which he called "one of the crown jewels for fraudsters," should have technical controls like file integrity monitoring (FIM) in place.  

"If you're running a website, especially one which transacts funds, and if you don't have FIM implemented, I don't want to shop there," Bradley said. "Furthermore, you're going to get pummeled by bad actors because you don't have your house in order."

FBI: E-Tailers, Beware Web Injections for Scraping Credit-Card Data, Backdoors

New quantum encryption standards will stand up to spy-snooping, NSA cybersecurity director said.

As the National Institute of Standards and Technology (NIST) is busy developing — and gathering industry buy-in — for a new set of quantum encryption standards, the cybersecurity chief for the National Security Agency (NSA) has vowed it won't build in a backdoor for snooping.   

The NSA has a shabby track record when it comes to violating privacy and Fourth Amendment protections with its massive surveillance operations, but in an interview, NSA director of cybersecurity Rob Joyce said, "There are no backdoors" being designed for spies to bypass new quantum encryption standards. 

Although the reality of quantum computing is still years away, its potential to crack even the strongest encryption has the cybersecurity community on the hunt for protection against this future risk.  

The NSA is also helping NIST test its various quantum encryption algorithms, Joyce told Bloomberg News. 

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NSA Cyber Chief Vows 'No Backdoors' in Quantum Encryption Standards

The 360° Assessment & Certification from MRG-Effitas can offer guidance to SMBs looking for a simple, effective cybersecurity product. 
The post Why MRG-Effitas matters to SMBs appeared first on Malwarebytes Labs.

When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today.

But these tests can sometimes assume a level of end-user complexity—and funding and staffing—that the average SMB might lack. Without a full-time security team, or even a single full-time internal IT hire, an SMB could unwittingly purchase a cybersecurity product that, while effective, requires a level of expertise they simply do not have.

This is where one third-party research team, in particular, can help.

MRG-Effitas, which produces quarterly reports about cybersecurity products that publicly participate in evaluations, focuses its analyses on “real world” malware attacks and detection capabilities. Not only do the researchers test malware samples that are currently infecting endpoints across the world, but the researchers also stress the importance of simple, effective notifications that will help the average user respond to any detected cyberthreat.

“Simulating normal user behaviour means that we pay special attention to all alerts given by security applications,” wrote the researchers in their most recent quarterly report for their program, the “360° Assessment & Certification.”

The 360° Assessment & Certification combines several tests that are then grouped into four separate certifications. Based on how a cybersecurity product performed in certain tests, that product will either earn a certificate or not. This almost-binary representation of a product’s performance is simple and effective, and it can help to quickly inform an SMB about whether a certain product is right for their company.

At the core of the MRG-Effitas certification process—which tests how products respond to known exploits, ransomware, botnets, adware, and more—is the user.

“A pass is given only when alerts are straightforward, and clearly suggest that the malicious action should be blocked,” the report said. “With this in mind, it is very important to note that the best choice for an average user is to keep things as simple as possible and not to overwhelm them with cryptic pop-ups, alerts or questions.”

****Testing and certification****

The 360° Assessment & Certification by MRG-Effitas involves the following nine rounds of testing:

*   In the Wild/Full Spectrum Test
*   PUA/Adware Test
*   Exploit/Fileless Test
*   Real Botnet Test
*   Banking Simulator Test
*   Ransomware Simulator Test
*   False Positive Ransomware Test
*   False Positive Test
*   Performance Test

Each test has a specific purpose, from testing how cybersecurity products respond to an end-user visiting a malicious URL that delivers malware, to the detection of non-malicious but meddlesome applications such as adware, to even testing how a product responds to live ransomware samples observed in real world applications, and to simulated ransomware samples developed by MRG-Effitas. Importantly, MRG-Effitas also tests the performance load of each cybersecurity product, analyzing how much time it takes to perform certain tasks on devices that have the cybersecurity product installed.

While MRG-Effitas performs testing in the above nine categories, it only awards certificates in four categories: The 360° Assessment, the 360° Exploit Degree, the 360° Online Banking Degree, and the 360° Ransomware Degree.

For the 360° Assessment, MRG-Effitas assigns two levels of certification—Level 1 and Level 2—depending on how successfully a cybersecurity product detected the cyberthreats that were launched at it during testing. A vendor only receives Level 1 certification if it detected all threats on “first exposure or via behaviour protection,” the report said, and it passed the Real Botnet Test.

The malware load used during the 360° Assessment is significant. In the most recent round, it involved 360 “In The Wild” samples that included: “20 trojans, 54 backdoors, 50 financial malware samples, 53 ransomware, 49 spyware, 84 malicious documents, \[and\] 50 malicious script files.”

Just four products publicly received a Level 1 certification in the recent 360° Assessment: Malwarebytes Endpoint Protection, Bitdefender Endpoint Security, Microsoft Windows Defender, and Symantec Endpoint Protection.

A similar test deploys 50 financial malware samples against the detection and protection capabilities of the cybersecurity products, along with simulated banking malware. Five products publicly received the 360° Online Banking Certification: Malwarebytes Endpoint Protection, Avira Antivirus Pro, Bitdefender Endpoint Security, ESET Endpoint Security, and Symantec Endpoint Protection.

****Ransomware simulations****

In just the past decade, ransomware has evolved tremendously. Developers of the infamous family of malware have gone from asking for measly sums of money from individuals to creating entire business models in which they license out their ransomware tool to other threat actors. When those threat actors successfully hit a business—which they could have purchased access to from other threat actors—the original ransomware developers take a cut of whatever eventual payment is made. To make matters worse, threat actors have also begun deploying ransomware that not only encrypts a company’s files, but it also first exfiltrates any sensitive data, which the threat actors then use as a second point of leverage: Pay up or your data will be published for everyone to see.

The researchers at MRG-Effitas, recognizing this rapid pace of ransomware evolution, have, for years, tested cybersecurity products against ransomware samples developed in-house that could represent where ransomware development is headed in just months or years.

In the most recent 360° Assessment & Certification, MRG-Effitas deployed 53 ransomware samples against the cybersecurity products, and an additional four simulated ransomware samples. To achieve the 360° Ransomware Certification, a product must have protected a device from the 53 ransomware samples and 4 simulated ransomware simulated samples, and it must have passed the false positive ransomware test.

In the most recent round of testing, all nine publicly-evaluated cybersecurity products achieved ransomware certification.

****Performance****

Understanding whether a cybersecurity product works well is, obviously, important. But of similar importance to SMBs is understanding what impact a cybersecurity product will have on a suite of endpoints. Without large budgets that could allow for constantly refreshed, new devices to be purchased, SMBs should consider how much a cybersecurity product could slow down their organizations’ devices.

Thankfully, MRG-Effitas analyzes cybersecurity products based on their impact on performing simple operations, like downloading a file, opening a Microsoft Office program, or opening a website. The analysis also measures the time spent performing a security software update and the CPU usage during the update process.

Unlike the certificates offered by MRG-Effitas for other categories, there is no certificate or “pass/fail” result when testing performance. Instead, SMBs can look at the performance measurements for each product in the latest 360° Assessment & Certification.

****Less “interpretation,” quicker answers****

The simplicity of MRG-Effitas’ 360° Assessment & Certification gives SMBs a quick guide into what cybersecurity products could be the right fit for them. Without having to dive into countless interpretive reports from each cybersecurity vendor, SMBs can instead look at the most recent 360° Assessment & Certification and ask themselves: Which of these products received certification and which did not?

Knowing that MRG-Effitas hews its testing ideology to the user—only offering certifications for products that clearly notify and warn users about how to respond to a threat—SMBs can be sure that whatever tool they choose will, at the very least, be easy to use on their end.

Why MRG-Effitas matters to SMBs

By Deeba Ahmed
Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group,…
This is a post from HackRead.com Read the original post: Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Cobalt Mirage is an Irani threat group believed to be linked to the Iranian Cobalt Illusion threat group, whereas Cobalt Mirage’s activities have been reported as TunnelVision and Phosphorus.

SecureWorks® Counter Threat Unit™ (CTU) researchers are investigating an Irani threat group known as the Cobalt Mirage group. This group first surfaced in June 2020 and is linked to another Irani threat group Cobalt Illusion, also known as Charming Kitten, Phosphorus, APT35, and Newscaster.

The group primarily uses phishing campaigns to gain access to networks. Researchers suspect that the two groups are interconnected and might share access and tradecraft.

It is worth noting that previously, Charming Kitten was also accused of its involvement in some highly sophisticated social engineering attacks including bypassing Gmail and Yahoo’s 2FA (Two-Factor Authentication (2FA) in December 2018.

Furthermore, Charming Kitten was the talk of the town in March 2019 when Microsoft seized 99 websites used by Iranian hackers for large-scale phishing attacks. In July 2020, the same group exposed 40GB of videos exposing its entire modus operandi.

**Cobalt Mirage Attack Tactics**

Based on information obtained via incident response activities and public reporting, the researchers identified two clusters of Cobalt Mirage attacks, labeled Cluster A and Cluster B. 

According to researchers, threat actors used DiskCryptor and BitLocker in Cluster A for conducting ransomware attacks that are mainly profit-driven. On the other hand, Cluster B entails targeted intrusions to invade a network and collect intelligence. But sometimes, Cluster B attacks may also involve ransomware in selected cases.

COBALT MIRAGE’s attack vector (Image: SecureWorks)

**Primary Targets of Cobalt Mirage**

According to SecureWorks’s blog post published on May 12th, Cobalt Mirage’s victims are primarily organizations in the USA, Australia, Europe, and Israel. The group mainly uses file-encrypting ransomware to target its victims.

Some of its previous campaigns include the scan-and-exploit attack against Microsoft Exchange Servers and exploiting the ProxyShell vulnerabilities in March 2022 to access a US local government network.

The group also targeted a philanthropic organization in the USA in January 2022. Research reveals that the group has limited ability to capitalize on the access they gain to a network and use it for financial gains or intelligence data collection.

**How does Cobalt Mirage Attack its Victims?**

Research revealed that Cobalt Mirage scans internet-exposed servers to detect vulnerable servers and identify initial access routes. They often look for flaws in Microsoft Exchange servers and Fortinet appliances.

In 2021, SecureWorks’ blog post revealed that the threat group scanned ports 4443, 8443, and 10443 to find flaws in devices vulnerable to FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591).

In September 2021, they targeted the MS Exchange servers and deployed the Fast Reverse Proxy Client by exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to enable access to vulnerable devices.

Once they identify a loophole, they drop web shells and use them as a conduit for lateral movement across the network and launch the ransomware. They complete their attack with a rather unusual way of sending ransom notes, which they send to a local printer.

This note contains the email address and Telegram account details for victims to contact the attacker. However, researchers couldn’t identify how the encryption feature is triggered. The group uses publicly available encryption tools for launching ransomware attacks.

COBALT MIRAGE’s ransom note (Image: SecureWorks)

> “CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.”

**More Iranian Security News on Hackread.com**

1.  Iran-linked hackers hit Israeli, US and EU defense tech firm
2.  Irani and Chinese State Hackers Exploiting Log4j Vulnerability
3.  Watch as hackers disrupt Iran’s prison computers; leak live footage
4.  Exposed: 6 year old Iranian espionage campaign using Android backdoor
5.  Iranian APT group hits schools, universities in global spear phishing attacks

Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US

Calibre-Web before 0.6.18 allows user table SQL Injection.

**Security Policy****Reporting a Vulnerability**

Please report security issues to ozzie.fernandez.isaacs@googlemail.com

**Supported Versions**

To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release.

**History**

Fixed in

Description

CVE number

3rd July 2018

Guest access acts as a backdoor

V 0.6.7

Hardcoded secret key for sessions

CVE-2020-12627

V 0.6.13

Calibre-Web Metadata cross site scripting

CVE-2021-25964

V 0.6.13

Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo

V 0.6.13

JavaScript could get executed in the description field. Thanks to @ranjit-git and Hagai Wechsler (WhiteSource)

V 0.6.13

JavaScript could get executed in a custom column of type "comment" field

V 0.6.13

JavaScript could get executed after converting a book to another format with a title containing javascript code

V 0.6.13

JavaScript could get executed after converting a book to another format with a username containing javascript code

V 0.6.13

JavaScript could get executed in the description series, categories or publishers title

V 0.6.13

JavaScript could get executed in the shelf title

V 0.6.13

Login with the old session cookie after logout. Thanks to @ibarrionuevo

V 0.6.14

CSRF was possible. Thanks to @mik317 and Hagai Wechsler (WhiteSource)

CVE-2021-25965

V 0.6.14

Migrated some routes to POST-requests (CSRF protection). Thanks to @scara31

CVE-2021-4164

V 0.6.15

Fix for "javascript:" script links in identifier. Thanks to @scara31

CVE-2021-4170

V 0.6.15

Cross-Site Scripting vulnerability on uploaded cover file names. Thanks to @ibarrionuevo

V 0.6.15

Creating public shelfs is now denied if user is missing the edit public shelf right. Thanks to @ibarrionuevo

V 0.6.15

Changed error message in case of trying to delete a shelf unauthorized. Thanks to @ibarrionuevo

V 0.6.16

JavaScript could get executed on authors page. Thanks to @alicaz

CVE-2022-0352

V 0.6.16

Localhost can no longer be used to upload covers. Thanks to @scara31

CVE-2022-0339

V 0.6.16

Another case where public shelfs could be created without permission is prevented. Thanks to @nhiephon

CVE-2022-0273

V 0.6.16

It's prevented to get the name of a private shelfs. Thanks to @nhiephon

CVE-2022-0405

V 0.6.17

The SSRF Protection can no longer be bypassed via an HTTP redirect. Thanks to @416e6e61

CVE-2022-0767

V 0.6.17

The SSRF Protection can no longer be bypassed via 0.0.0.0 and it's ipv6 equivalent. Thanks to @r0hanSH

CVE-2022-0766

V 0.6.18

Possible SQL Injection is prevented in user table Thanks to Iman Sharafaldin (Forward Security)

CVE-2022-30765

V 0.6.18

The SSRF protection no longer can be bypassed by IPV6/IPV4 embedding. Thanks to @416e6e61

CVE-2022-0939

V 0.6.18

The SSRF protection no longer can be bypassed to connect to other servers in the local network. Thanks to @michaellrowley

CVE-2022-0990

**Statement regarding Log4j (CVE-2021-44228 and related)**

Calibre-web is not affected by bugs related to Log4j. Calibre-Web is a python program, therefore not using Java, and not using the Java logging feature log4j.

CVE-2022-30765: calibre-web/SECURITY.md at master · janeczku/calibre-web

Plus: New details of ICE’s dragnet surveillance in the US, Clearview AI agrees to limit sales of its faceprint database, and more.

A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever “cyber war crimes” charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russia’s military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit button—even if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards' creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSA’s director of cybersecurity, told Bloomberg this week, “There are no backdoors." The NSA has been implicated in schemes to backdoor encryption before, including in a situation in the early 2010s in which the US removed an NSA-developed algorithm as a federal standard over backdoor concerns.

An extensive investigation by Georgetown Law’s Center on Privacy & Technology reveals a more detailed picture than ever of US Immigration and Customs Enforcement agency surveillance capabilities and practices. According to the report, published this week, ICE began developing its surveillance infrastructure at the end of the George W. Bush administration, years before it was previously thought to have begun these efforts. And researchers found that ICE spent $2.8 billion on surveillance technology, including face recognition, between 2008 and 2021. ICE was already known for its aggressive and invasive surveillance tactics during the Donald Trump administration’s anti-immigration crackdowns, but the report also argues that ICE has “played a key role in the federal government’s larger push to amass as much information as possible” about people in the United States.

“Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency,” the report says. “By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.”

In a legal settlement this week, the face recognition and surveillance startup Clearview AI agreed to a set of restrictions on its business in the US, including that it won’t sell its faceprint database to businesses or individuals in the country. The company says it has more than 10 billion faceprints in its arsenal belonging to people around the world and collected through photos found online. The settlement comes after the American Civil Liberties Union accused Clearview of violating the Illinois Biometric Information Privacy Act. The agreement also stipulates that the company won’t be allowed to sell access to its database in Illinois for five years. “This settlement demonstrates that strong privacy laws can provide real protections against abuse,” Nathan Freed Wessler, a deputy director of the ACLU Speech, Privacy, and Technology Project said in a statement. Despite the privacy win, Clearview may continue to sell its services to federal law enforcement, including ICE, and police departments outside of Illinois.

Costa Rican president Rodrigo Chaves said on Sunday that the country was declaring a national emergency after the notorious Conti ransomware gang infected multiple government agencies with malware last week. Sunday was the first day of Chaves' presidency. Conti leaked some of a 672 GB trove of stolen data from multiple Costa Rican agencies. In April, the Costa Rican social security administration had announced that it was the victim of a Conti attack. “At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks," the agency tweeted at the time.

The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 6 and May 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for May 6 to May 13

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.
"Like many of these attacks, the email contained a

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.

Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.

"Like many of these attacks, the email contained a malicious attachment," Fortinet researcher Fred Gutierrez said. "However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs)."

APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to be active since at least 2014 and has a track record of striking telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.

Earlier this February, ESET tied the group to a long-running intelligence gather operation aimed at diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

The newly observed phishing message contains a weaponized Microsoft Excel document, opening which prompts a potential victim to enable macros, leading to the execution of a malicious Visual Basic Application (VBA) macro that drops the malware payload ("update.exe").

Furthermore, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every four hours.

A .NET-based binary, Saitama leverages the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while employing a "finite-state machine" approach to executing commands received from a C2 server.

"In the end, this basically means that this malware is receiving tasks inside a DNS response," Gutierrez explained. DNS tunneling, as it's called, makes it possible to encode the data of other programs or protocols in DNS queries and responses.

In the final stage, the results of the command execution are subsequently sent back to the C2 server, with the exfiltrated data built into a DNS request.

"With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers," Gutierrez said.

"Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence methods. Instead, it relies on the Excel macro to create persistence by way of a scheduled task."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Saitama backdoor Targeted Official from Jordan's Foreign Ministry

A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to firmware update. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-347 - Improper Verification of Cryptographic Signature

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers, through the upgrade.cgi API, the upgrade of its firmware. The upgrade process does not include any cryptographic signature that would guarantee that the content of the upgrade is legitimate. This would allow any attacker, able to perform the upgrade.cgi API, to insert backdoor and modify the firmware of the router. The same consequences are true for an attacker able to perform a man-in-the-middle attack, where the attacker would wait for a legitimate user to initiate a firmware update, then modify the firmware in-transit. The iburn binary, the one responsible for performing the actual firmware update, only calculates and checks a CRC32.

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-23 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-26510: TALOS-2022-1495 || Cisco Talos Intelligence Group

The European Commission on Wednesday proposed new regulation that would require tech companies to scan for child sexual abuse material (CSAM) and grooming behavior, raising worries that it could undermine end-to-end encryption (E2EE).
To that end, online service providers, including hosting services and communication apps, are expected to proactively scan their platforms for CSAM as well as

The European Commission on Wednesday proposed new regulation that would require tech companies to scan for child sexual abuse material (CSAM) and grooming behavior, raising worries that it could undermine end-to-end encryption (E2EE).

To that end, online service providers, including hosting services and communication apps, are expected to proactively scan their platforms for CSAM as well as report, remove and disable access to such illicit content.

While instant messaging services like WhatsApp already rely on hashed versions of known CSAM to automatically block new uploads of images or videos matching them, the new plan requires such platforms to identify and flag new instances of CSAM.

"Detection technologies must only be used for the purpose of detecting child sexual abuse," the regulator said. "Providers will have to deploy technologies that are the least privacy-intrusive in accordance with the state of the art in the industry, and that limit the error rate of false positives to the maximum extent possible."

A new EU Centre on Child Sexual Abuse, which will be independently established to enforce the measures, has been tasked with maintaining a database of digital "indicators" of child sexual abuse, in addition to processing and forwarding legitimate reports for law enforcement action.

In addition, the rules require app stores to ensure that children are refrained from downloading apps that "may expose them to a high risk of solicitation of children."

The controversial proposal to clamp down on sexual abuse material comes days after a draft version of the regulation leaked earlier this week, prompting Johns Hopkins University security researcher Matthew Green to state that "This is Apple all over again."

The tech giant, which last year announced plans to scan and detect CSAM on its devices, has since delayed the rollout to "take additional time over the coming months to collect input and make improvements."

Meta, likewise, has postponed its plans to support E2EE across all its messaging services, WhatsApp, Messenger, and Instagram, until sometime in 2023, stating that it's taking the time to "get this right."

A primary privacy and security concern arising out of scanning devices for illegal pictures of sexual abuse is that the technology could weaken privacy by creating backdoors to defeat E2EE protections and facilitate large-scale surveillance.

This would also necessitate persistent plain-text access to users' private messages, effectively rendering E2EE incompatible and eroding the security and confidentiality of the communications.

"The idea that all the hundreds of millions of people in the E.U. would have their intimate private communications, where they have a reasonable expectation that that is private, to instead be kind of indiscriminately and generally scanned 24/7 is unprecedented," Ella Jakubowska, a policy advisor at European Digital Rights (EDRi), told Politico.

But the privacy afforded by encryption is also proving to be a double-edged sword, with governments increasingly fighting back over worries that encrypted platforms are being misused by malicious actors for terrorism, cybercrime, and child abuse.

"Encryption is an important tool for the protection of cybersecurity and confidentiality of communications," the commission said. "At the same time, its use as a secure channel could be abused of by criminals to hide their actions, thereby impeding efforts to bring perpetrators of child sexual abuse to justice."

The development underscores Big Tech's ongoing struggles to balance privacy and security while also simultaneously addressing the need to assist law enforcement agencies in their quest for accessing criminal data.

"The new proposal is over-broad, not proportionate, and hurts everyone's privacy and safety," the Electronic Frontier Foundation (EFF) said. "The scanning requirements are subject to safeguards, but they aren't strong enough to prevent the privacy-intrusive actions that platforms will be required to undertake."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor