Next week will be our final installment of our 2022 Year in Review report coverage. We’ll be publishing a final topic summary on Ransomware and Commodity Loaders and follow up these reports with a livestream on LinkedIn and Twitter with report and subject matter experts.

Thursday, February 2, 2023 15:02

Welcome to this week’s edition of the Threat Source newsletter.

If you haven’t noticed yet we’ve had a few guest writers on this newsletter over the last few months. Alas my time covering the newsletter has ended and I leave you with one final edition. Have no fear, William Largent will be rounding out the guest appearances next week and your long-time host Jon Munshaw will be back at the helm. Thanks for sticking with us this long and if you’re newly subscribed welcome!

**The one big thing**

Next week will be our final installment of our 2022 Year in Review report coverage. We’ll be publishing a final topic summary on Ransomware and Commodity Loaders and follow up these reports with a livestream on LinkedIn and Twitter with report and subject matter experts.

**Why do I care?**

We published our full 2022 Year in Review early December. If you haven’t read  it yet we highly suggest your download your copy here or check out our previous  livestreams. Through these reports and videos we’ve broken down the threat  landscape and trends Talos observed over 2022. What’s that saying, history    repeats itself? Take a minute to look back and prepare for what lies ahead in 2023.

**So now what?**

Mark your calendar for our fourth and final livestream on Tuesday February 7th at 12 PM EST. Read the report, browse the topic summaries, or watch our livestreams on demand. Looking for extra credit? Read through Talos’ Head of Outreach Nick Biasini’s future predictions of State Sponsored attacks in 2023.

**Top security headlines of the week**

Coming back from the dead yet again a new Lazaurs campaign has been found to exploit unpatched Zimbra devices targeting medical research and energy industries along with their supply chain partners in attempts to gather intelligence. Through unpatched devices the threat actors are gaining network access and escalation privileges. (SC Media)

Google’s official mobile virtual network operator (MVNO), Google Fi, was in headlines due to a customer data breach via T-Mobile. Using technology to switch between cellular provides Google Fi provides constant coverage for customers through T-Mobile and US cellular. It’s reported the breach happened in November 2022 but wasn’t discovered until early January 2023. Customers have been notified but many questions remain, like are users still vulnerable? (TechCrunch)

Surprising quite literally no one, ChatGPT sets a record for the fastest-growing user base in history. Reaching an estimated 100 million active monthly users in December just two months after launch (yet every time I try to get it to write this newsletter it says the app is at capacity…). Whether you’re a user, a skeptic, or simply don’t care ChatGPT has stirred up a lot of attention lately, we’ll all just have to keep an eye on the evolution of ChatGPT. (Ars Techinca)

**Can't get enough Talos?**

·  State Sponsored Attacks in 2023 and Beyond

·  Quarterly Report: Incident Response Trends in Q4 2022

· CTIR On Air: Reviewing Q4's top threats livestream

· Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022

·  2022 Year in Review: Threat Landscape Livestream

**Upcoming events where you can find Talos**

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherland

WiCyS (March 16-18, 2023)

Denver,CO

RSA (April 24-27, 2023)

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product:  n/a

Detection Name: Simple\_Custom\_Detection

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5:  d47fa115154927113b05bd3c8a308201

Typical Filename: msaccess.exe

Claimed Product: n/a

Detection Name: rojan.GenericKD

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

Typical Filename: aact.exe

Claimed Product: n/a

Detection Name: W32.File.MalParent

SHA 256:  125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645

MD5: 2c8ea737a232fd03ab80db672d50a17a

Typical Filename: LwssPlayer

Claimed Product:  梦想之巅幻灯播放器

Detection Name: Auto.125E12.241442.in02

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Feb. 2, 2023): I bid you all adieu

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A denial of service vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.8.645. A specially-crafted PE file can lead to killing target process. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

ESTsoft Alyac 2.5.8.645

**PRODUCT URLS**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 SCORE**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**DETAILS**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

When coen.aym receives a path to the file to scan, it figures out what type of file it is and selects appropriate scanning strategy.

In the case of the crashing file, it scans using DefaultScanStrategy.

While scanning, it calls utility function esc::engine::FileTool::GetTextSectionRange(...) which like the name, tries to locate the .text section inside the scanning PE file.

It internally calls sub_1800809b0 which checks magic value MZ and locates NT header by referencing e_lfanew field in the DOS header.

    1800809ce  b84d5a0000         mov     eax, 'MZ'
    1800809d3  4c894150           mov     qword [rcx+0x50], r8
    1800809d7  48895108           mov     qword [rcx+0x8], rdx
    1800809db  663902             cmp     word [rdx], ax
    1800809de  0f8503010000       jne     0x180080ae7
    
    1800809e4  4863423c           movsxd  rax, dword [rdx+0x3c] ; e_lfanew
    1800809e8  493bc0             cmp     rax, r8    ; check with file size
    1800809eb  0f87f6000000       ja      0x180080ae7
    
    1800809f1  488d0c10           lea     rcx, [rax+rdx]        ; oob
    1800809f5  48894b10           mov     qword [rbx+0x10], rcx
    1800809f9  813950450000       cmp     dword [rcx], 'PE'
    

However, it incorrectly only checks whether e_lfanew is larger than the file size. Providing value which is same as the file size to e_lfanew will pass the check but the file will not be large enough to store NT header.

Therefore it will try to read memory out of bounds when trying to validate NT headers, crashing the malware scanning process.

**Crash Information**

    1:016> ub
    coen!Coen_Clean+0x6ca47:
    00007ff8`f9f709d7 48895108        mov     qword ptr [rcx+8],rdx
    00007ff8`f9f709db 663902          cmp     word ptr [rdx],ax
    00007ff8`f9f709de 0f8503010000    jne     coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709e4 4863423c        movsxd  rax,dword ptr [rdx+3Ch]
    00007ff8`f9f709e8 493bc0          cmp     rax,r8
    00007ff8`f9f709eb 0f87f6000000    ja      coen!Coen_Clean+0x6cb57 (00007ff8`f9f70ae7)
    00007ff8`f9f709f1 488d0c10        lea     rcx,[rax+rdx]
    00007ff8`f9f709f5 48894b10        mov     qword ptr [rbx+10h],rcx
    1:016> r
    rax=0000000000001000 rbx=0000004babdfdf60 rcx=000001f8c9c51000
    rdx=000001f8c9c50000 rsi=00007ff8fa266bb8 rdi=0000004babdfe1b0
    rip=00007ff8f9f709f9 rsp=0000004babdfdef0 rbp=0000004babdfe020
    r8=0000000000001000  r9=0000000000001000 r10=00007ff8fa2606c0
    r11=000001f894f3ab20 r12=0000000000000000 r13=00007ff8fa306e68
    r14=0000000000001000 r15=000001f8c9c50000
    iopl=0         nv up ei pl zr na po nc
    cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    coen!Coen_Clean+0x6ca69:
    00007ff8`f9f709f9 813950450000    cmp     dword ptr [rcx],4550h ds:000001f8`c9c51000=????????
    1:016> k
    Child-SP          RetAddr               Call Site
    0000004b`abdfdef0 00007ff8`f9f2fa5c     coen!Coen_Clean+0x6ca69
    0000004b`abdfdf20 00007ff8`f9f6a577     coen!Coen_Clean+0x2bacc
    0000004b`abdfe0f0 00007ff8`f9f69e96     coen!Coen_Clean+0x665e7
    0000004b`abdfe3b0 00007ff8`f9f538c4     coen!Coen_Clean+0x65f06
    0000004b`abdfe550 00007ff8`f9f09192     coen!Coen_Clean+0x4f934
    0000004b`abdfe7f0 00007ff8`f9ef5f45     coen!Coen_Clean+0x5202
    0000004b`abdfe970 00007ff8`f9f03c24     coen+0x5f45
    0000004b`abdfead0 00000001`8006f6c1     coen!Coen_ScanSharedMemory+0xc4
    0000004b`abdfeb40 00000001`800563a3     ecm!GetModuleConfigValue+0x8771
    0000004b`abdfebf0 00000001`8008bf2e     ecm+0x563a3
    0000004b`abdfedc0 00000001`800666b0     ecm!GetModuleConfigValue+0x24fde
    0000004b`abdfeea0 00007ff7`d046de9e     ecm!ScanFile+0x40
    0000004b`abdfeee0 00007ff7`d04707d0     AYCon+0x2de9e
    0000004b`abdfefc0 00007ff9`3f1c6c0c     AYCon+0x307d0
    0000004b`abdffab0 00007ff9`40c854e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    0000004b`abdffae0 00007ff9`41cc485b     KERNEL32!BaseThreadInitThunk+0x10
    0000004b`abdffb10 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**TIMELINE**

2022-12-13 - Vendor Disclosure  
2023-02-01 - Vendor Patch Release  
2023-02-02 - Public Release

Discovered by Jaewon Min of Cisco Talos.

CVE-2022-43665: TALOS-2022-1682 || Cisco Talos Intelligence Group

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.
That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple.
Targets of the malicious operation included a healthcare research organization

Healthcare / Cyber Attack

A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems.

That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident **No Pineapple**.

Targets of the malicious operation included a healthcare research organization in India, the chemical engineering department of a leading research university, as well as a manufacturer of technology used in the energy, research, defense, and healthcare sectors, suggesting an attempt to breach the supply chain.

Roughly 100GB of data is estimated to have been exported by the hacking crew following the compromise of an unnamed customer, with the digital break-in likely taking place in the third quarter of 2022.

"The threat actor gained access to the network by exploiting a vulnerable Zimbra mail server at the end of August," WithSecure said in a detailed technical report shared with The Hacker News.

The security flaws used for initial access are CVE-2022-27925 and CVE-2022-37042, both of which could be abused to gain remote code execution on the underlying server.

This step was succeeded by the installation of web shells and the exploitation of local privilege escalation vulnerability in the Zimbra server (i.e., Pwnkit aka CVE-2021-4034), thereby enabling the threat actor to harvest sensitive mailbox data.

Subsequently, in October 2022, the adversary is said to have carried out lateral movement, reconnaissance, and ultimately deployed backdoors such as Dtrack and an updated version of GREASE.

GREASE, which has been attributed as the handiwork of another North Korea-affiliated threat cluster called Kimsuky, comes with capabilities to create new administrator accounts with remote desktop protocol (RDP) privileges while also skirting firewall rules.

Dtrack, on the other hand, has been employed in cyber assaults aimed at a variety of industry verticals, and also in financially motivated attacks involving the use of Maui ransomware.

"At the beginning of November, Cobalt Strike \[command-and-control\] beacons were detected from an internal server to two threat actor IP addresses," researchers Sami Ruohonen and Stephen Robinson pointed out, adding the data exfiltration occurred from November 5, 2022, through November 11, 2022.

Also used in the intrusion were tools like Plink and 3Proxy to create a proxy on the victim system, echoing previous findings from Cisco Talos about Lazarus Group's attacks targeting energy providers.

North Korea-backed hacking groups have had a busy 2022, conducting both espionage-driven and cryptocurrency heists that align with the regime's strategic priorities.

Most recently, the BlueNoroff cluster, also known by the names APT38, Copernicium, Stardust Chollima, and Copernicium, and Stardust Chollima, and TA444, was connected to wide-ranging credential harvesting attacks aimed at education, financial, government, and healthcare sectors.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign

Two security holes — one particularly gnarly — could allow hackers the freedom to do as they wish with the popular edge equipment.

A security vulnerability has been found in Cisco gear used in data centers, large enterprises, industrial factories, power plants, manufacturing centers, and smart city power grids that could allow cyberattackers unfettered access to these devices and broader networks.

In a report published on Feb. 1, researchers from Trellix revealed the bug, one of two vulnerabilities discovered that affect the following Cisco networking devices:

*   Cisco ISR 4431 routers
*   800 Series Industrial ISRs
*   CGR1000 Compute Modules
*   IC3000 Industrial Compute Gateways
*   IOS XE-based devices configured with IOx
*   IR510 WPAN Industrial Routers
*   Cisco Catalyst Access points

One bug — CSCwc67015 — was spotted in yet-to-be-released code. It could have allowed hackers to remotely execute their own code, and potentially overwrite most of the files on the device.

The second, arguably nastier, bug — CVE-2023-20076 — found in production equipment, is a command-injection flaw that could open the door to unauthorized root-level access and remote code execution (RCE). This would have entailed not just total control over a device's operating system but also persistence through any upgrades or reboots, despite Cisco's guardrails against such a scenario.

Given that Cisco networking equipment is used worldwide in data centers, enterprises, and government organizations, and it's the most common footprint at industrial sites, the impact of the flaws could be notable, according to Trellix.

“In the world of routers, switches, and networking, Cisco is the current king of the market," Sam Quinn, senior security researcher with the Trellix Advanced Research Center, tells Dark Reading. "We would say that thousands of businesses could potentially be impacted.”

**Inside the Latest Cisco Security Bugs**

The two vulnerabilities are a byproduct of a shift in the nature of routing technologies, according to Trellix. Network administrators today have the ability to deploy application containers or even entire virtual machines on these miniature-server-routers. With this greater complexity comes both greater functionality, and a wider attack surface.

"Modern routers now function like high-powered servers," the authors of the report explained, "with many Ethernet ports running not only routing software but, in some cases, even multiple containers."

Both CSCwc67015 and CVE-2023-20076 arise from the router's advanced application hosting environment.

CSCwc67015 reflects how, in the hosting environment, "a maliciously packed application could bypass a vital security check while uncompressing the uploaded application." The check attempted to secure the system against a 15-year-old path traversal vulnerability in a Python module that Trellix itself had identified last September, CVE-2007-4559. With a "moderate" CVSS v3 score of 5.5, it allowed malicious actors to overwrite arbitrary files.

Meanwhile, the bug tracked as CVE-2023-20076 similarly takes advantage of the ability to deploy application containers and virtual machines to Cisco routers. In this case, it has to do with how admins pass commands to run their applications.

"The 'DHCP Client ID' option within the Interface Settings was not correctly being sanitized," the researchers discovered, which allowed them root-level access to the device, connoting "the ability to inject any OS command of our choosing."

A hacker who abused this power "could have a significant impact on the device's functionality and the overall security of the network," Quinn explains, including "modifying or disabling security features, exfiltrating data, disrupting network traffic, spreading malware, and running rogue processes."

The bad news doesn’t end there, though. The authors of the report highlighted how "Cisco heavily prioritizes security in a way that attempts to prevent an attack from remaining a problem through reboots and system resets." However, in a proof-of-concept video, they demonstrated how exploitation of the command-injection bug could lead to completely unfettered access, allowing a malicious container to persist through device reboots or firmware upgrades. This leaves only two possible solutions for removal: a full-on factory reset or manually identifying and removing the malicious code.

**Cisco Industrial Gear: Potential Supply Chain Risk**

If there's a silver lining to these bugs, it's that exploiting either would require admin-level access over a relevant Cisco device. A hurdle, granted, but hackers obtain administrative privileges all the time from their victims, through regular social engineering and escalation. The researchers also noted how, often, users don't bother to change the default username and password, leaving no protection whatsoever for this most sensitive account.

One must also consider the supply chain risk. The authors highlighted how many organizations purchase networking devices from third-party sellers, or use third-party service providers for their device configuration and network design. A malicious vendor could utilize a vulnerability like CVE-2023-20076 to do some very easy, subtle, and powerful tampering.

The sheer degree of access this hole provides "could allow for backdoors to be installed and hidden, making the tampering entirely transparent for the end user," the authors explained. Of course, the overwhelming majority of third-party service providers are perfectly honest businesses. But those businesses may themselves be compromised, making it a moot point.

In concluding their report, the Trellix researchers urged organizations to check for any abnormal containers installed on relevant Cisco devices, and recommended that organizations that don't run containers disable the IOx container framework entirely. Most important of all, they emphasized, was that "organizations with affected devices should update to the latest firmware immediately."

To protect themselves, users should apply the patch as soon as possible.

Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover

An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

FreshTomato 2022.5  
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020  
AdvancedTomato commit 67273b0

**PRODUCT URLS**

FreshTomato - https://www.freshtomato.org/ QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

FreshTomato is an open source firmware based on linux. The firmware offers several features for Broadcom-based routers.

The FreshTomato’s httpd component offers several APIs. One is called logs/view.cgi and is used to query/view the log files.

One of the functions responsible for performing this API is wo_viewlog:

    void wo_viewlog(char *url)
    {
        char *p;
        char *c;
        char s[128];
        char t[128];
        int n;
        char lfn[256];
    
        if (!logok())
            return;
    
        get_logfilename(lfn);
        if ((p = webcgi_get("find")) != NULL) {                                                             [1]
                send_header(200, NULL, mime_plain, 0);
                if (strlen(p) > 64)
                    return;
    
                c = t;
                while (*p) {
                        switch (*p) {
                        case '<':
                        case '>':
                        case '|':
                        case '"':
                        case '\\':
                            *c++ = '\\';
                            *c++ = *p;
                            break;
                        default:
                            if (isprint(*p))
                                *c++ = *p;
                            break;
                        }
                        ++p;
                }
                *c = 0;
                snprintf(s, sizeof(s), "grep -ih \"%s\" $(ls -1rv %s %s.*)", t, lfn, lfn);                  [2]
                web_pipecmd(s, WOF_NONE);                                                                   [3]
                return;
        }
    
        if ((p = webcgi_get("which")) == NULL)
            return;
    
        if (strcmp(p, "all") == 0)
            n = MAX_LOG_LINES;
        else if ((n = atoi(p)) <= 0)
            return;
    
        send_header(200, NULL, mime_plain, 0);
        snprintf(s, sizeof(s), "cat $(ls -1rv %s %s.*) | tail -n %d", lfn, lfn, n);
        web_pipecmd(s, WOF_NONE);
    }
    

This function will fetch, at [1], the find parameter. If it exists, eventually, the instruction at [2] will be executed. This instruction will compose the string grep -ih \"<parsed find parameter>\" $(ls -1rv <logfilename> <logfilename>.*), which will be used at [3] for the web_pipecmd function that will call the popen function and print out the results.

Because no real sanitization is performed against the find parameter, this function is vulnerable to a command injection vulnerability and can lead to arbitrary command execution.

**TIMELINE**

2022-10-19 - Vendor Disclosure

2022-11-08 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-42484: TALOS-2022-1641 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

FreshTomato 2022.5  
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020  
AdvancedTomato commit 67273b0

**PRODUCT URLS**

FreshTomato - https://www.freshtomato.org/ QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

FreshTomato is an open source firmware based on linux. The firmware offers several features for Broadcom-based routers.

The FreshTomato’s httpd component offers a simple template language to call an API during the loading of the HTML page. This process is performed through asp api. The asp api normally is not directly callable, but a FreshTomato’s API called update.cgi will allow it.

Following is one of the functions responsible for performing the update.cgi API:

    static void wo_update(char *url)
    {
        const aspapi_t *api;
        const char *name;
        int argc;
        char *argv[16];
        char s[32];
    
        if ((name = webcgi_get("exec")) != NULL) {
            for (api = aspapi; api->name; ++api) {
                if (strcmp(api->name, name) == 0) {
                    for (argc = 0; argc < 16; ++argc) {
                        snprintf(s, sizeof(s), "arg%d", argc);
                        if ((argv[argc] = (char *)webcgi_get(s)) == NULL) break;
                    }
                    api->exec(argc, argv);
                    break;
                }
            }
        }
    }
    

The wo_update function will take an exec parameter, used to specify which asp api to call, and a variable number of parameters based on the asp api to be called. We are going to focus on the notice asp api. The function responsible for performing the notice action is called asp_notice:

    void asp_notice(int argc, char **argv)
    {
        char s[64];
        char buf[2048];
    
        if (argc != 1)
            return;
    
        snprintf(s, sizeof(s), "/var/notice/%s", argv[0]);                                                  [1]
        if (f_read_string(s, buf, sizeof(buf)) <= 0)                                                        [2]
            return;
    
        web_putj(buf);
    }
    

The function takes one argument. This function will take the argument passed (effectively a filename) and use it at [1] to compose the string /var/notice/<argument passed>. The composed string is used, at [2], as argument of the f_read_string function, which will open the file and read its contents. Eventually, if the file exist, the asp_notice function will print out its contents.

The problem is that from wo_update up to the instruction at [2] no sanitization of the filename parameter is performed. If the /var/notice folder does exist, it would be possible to perform a path traversal to read any file in the file system.

**TIMELINE**

2022-10-19 - Vendor Disclosure

2022-11-08 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38451: TALOS-2022-1642 || Cisco Talos Intelligence Group

Organizations care about data privacy, but their priorities appear to be different from what their customers think are important.

Privacy is critical for business, according to 95% of security professionals surveyed in the sixth edition of Cisco's Data Privacy Benchmark Study. The survey of more than 4,700 security professionals from 26 geographies included more than 3,100 respondents who were familiar with the data privacy program at their organizations. Also, 94% of respondents said customer would not buy from them if they thought the data was not properly protected.

Another interesting thing to note: 96% say they have an ethical obligation to treat data properly.

However, there is a disconnect between what consumers say is necessary to gain their trust on how their information is used, and what organizations think they need to do to gain that trust. Consumers say transparency is the top priority to gain their trust (39%), followed by not selling personal information (21%), and compliance with privacy laws (20%). Among organizations, the priority order varied. From the business perspective, compliance with existing regulations (30%) was the number one priority for building customer trust, followed by transparency about how the data is being used (26%), and not selling personal information (21%).

"Certainly organizations need to comply with privacy laws," Cisco writes in the report. "But when it comes to earning and building trust, compliance is not enough. Consumers consider legal compliance to be a 'given,' with transparency more of a differentiator."

This disconnect is also present in regards to data and artificial intelligence. While consumers are "generally supportive" of AI, automated decision-making is still an area of concern, according to the report. Around three-quarter of consumers (76%) in the survey say providing opportunities for them to opt out of AI-based applications would help make them "much more" or "more" comfortable with AI. Consumers would also like to see organizations institute an AI ethics management program (75%), explain how the application is making decisions (74%), and involve a human in the decision-making process (75%) according to the survey findings.

Organizations, in contrast, are not prioritizing opt-outs, with just 21% saying they give customers the opportunity to opt out of AI use and 22% thinking it would be an effective step to take. The top priority for organizations was to ensure a human is involved in the decision-making (63%) and to explain how the applications works (60%). Over half of the organizations consider explaining how the application works (58%), ensuring human involvement in decision-making (55%), and adopting AI ethics principles as an effective way to gain customer trust.

The majority of respondents (92%) believe their organization needs to do more to reassure customers about the ways their data would be used with AI. Letting the user opt-out would be a highly effective way.

Enterprises Need to Do More to Assure Consumers About Privacy

We're back with another year in review focused episode. This time I'm be joined by threat researcher Caitlin Huey. We discuss the general threat landscape in 2022 including dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

Friday, January 27, 2023 16:01

We're back with another year in review focused episode. This time the focus will be the threat landscape generally and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape.  We'll spend time discussing dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

All episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes 126: Year in Review - Threat Landscape Edition

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.

Friday, January 27, 2023 12:01

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.  

Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: Threat Landscape Livestream Replay

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

Thursday, January 26, 2023 18:01

Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching …  and maybe numbness in my legs? Yes, I am getting old but I’m also just tired - not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices and for the last time GET OFF MY LAWN.

**The one big thing**

Cisco Talos IR posted their Incident Response Trends in Q4 2022. Ransomware continued to be a top threat Talos IR responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, Talos IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

**Why do I care?**

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

**So now what?**

In all of Talos IR’s ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top security headlines of the week**

CISA and the NSA released a joint advisory on January 25th detailing the use of legitimate remote monitoring and management software (RMM) for nefarious purposes. The joint advisory detailed attacks and warned the cybersecurity community about the malicious use of commercial RMM software, offering mitigations and indicators of compromise to watch out for.

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q4-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

Tag

#cisco