An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

**SUMMARY**

An authentication bypass vulnerability exists in the get\_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386\_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Asus RT-AX82U 3.0.0.4.386\_49674-ge182230

**PRODUCT URLS**

RT-AX82U - https://www.asus.com/us/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AX82U/

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-324 - Use of a Key Past its Expiration Date

**DETAILS**

The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like basically every other router, it is configurable via a HTTP server running on the local network. However, it can also be configured to support remote administration and monitoring in a more IOT style.

In order to enable remote management and monitoring of our Asus Router, so that it behaves just like any other IoT device, there are a couple of settings changes that need to be made. First we must enable WAN access for the HTTPS server (or else nothing could manage the router), and then we must generate an access code to link our device with either Amazon Alexa or IFTTT. These options can all be found internally at http://router.asus.com/Advanced_Smart_Home_Alexa.asp.

As a high level overview, upon receiving this code, the remote website will connect to your router at the get_IFTTTtoken.cgi web page and provide a shortToken HTTP query parameter. Assuming this token is received within 2 minutes of the aforementioned access code being generated, and also assuming this token matches what’s in the router’s nvram, the router will respond back with an ifttt_token that grants full administrative capabilities to the device, just like the normal token used after logging into the device via the HTTP server.

    0002863c  int32_t do_get_IFTTTToken_cgi(int32_t arg1, FILE* arg2)
    00028660      char* r0 = get_UA_Type(inpstr: &user_agent)                 // [1]
    00028668      char* r0_2
    00028668      if (r0 != 4)   // asusrouter-Windows-IFTTT-1.0
    000286b0          r0_2 = get_UA_Type(inpstr: &user_agent)
    
    // [...]
    000286cc      void var_30
    000286cc      memset(&var_30, 0, 0x20)
    000286d8      char* r0_4 = check_if_queryitem_exists("shortToken")        // [2]
    000286e0      if (r0_4 == 0)
    000286e4          r0_4 = &nullptr
    
    000286ec      int32_t r0_5 = gen_IFTTTtoken(token: r0_4, outbuf: &var_30) // [3]
    
    00028700      fputs(str: &(*"\tif (disk_num == %d) {\n")[0x15], fp: arg2)
    00028708      fflush(fp: arg2)
    0002871c      fprintf(stream: arg2, format: ""ifttt_token":"%s",\n", &var_30) // [4]
    00028724      fflush(fp: arg2)
    00028738      fprintf(stream: arg2, format: ""error_status":"%d"\n", r0_5)
    00028740      fflush(fp: arg2)
    00028750      fputs(str: &data_81196, fp: arg2)
    00028760      return fflush(fp: arg2)
    

At \[1\], the function pulls out the “User-Agent” header of our HTTP GET request and checks to see if it starts with “asusrouter”. It also checks if the text after the second dash is either “IFTTT” or “Alexa”. In either of those cases, it returns 4 or 5, and we’re allowed to proceed in the code path. At \[2\], the function pulls out the shortToken query parameter from our HTTP GET request and passes that into the gen_IFTTTtoken function at \[3\]. Assuming there is a match, gen_IFTTTtoken will output the ifttt_token authentication buffer to var_30, which is then sent back to the HTTP sender at \[4\]. Looking at gen_IFTTTtoken:

    0007b5c8  int32_t gen_IFTTTtoken(char* token, uint8_t* outbuf)
    
    0007b5d4      int32_t r0 = uptime()
    0007b5fc      memset(&ifttt_token_copy, 0, 0x20)
    0007b614      int32_t r0_8
    0007b614      int32_t arg3
    0007b614      int32_t arg4
    0007b614      if (r0 - nvram_get_int("ifttt_timestamp") s> 120)       // [5]
    0007b6ec          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b710              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] short token timeout\n", "gen_IFTTTtoken", 0x3ff, token, outbuf, arg3, arg4)
    0007b714          r0_8 = 1
    0007b630      else if (nvram_get_and_cmp("ifttt_stoken", token) == 0) // [6]
    0007b72c          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b760              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] short token is not the same: endp…", "gen_IFTTTtoken", 0x402, token, p2_nvram_get(item: "ifttt_stoken"), arg3, arg4)
    0007b764          r0_8 = 2
    0007b64c      else if (get_UA_Type(inpstr: &user_agent) != 4)
    0007b77c          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b7a0              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] user_agent not from IFTTT/ALEXA\n", "gen_IFTTTtoken", 0x405, token, outbuf, arg3, 0xf1430)
    0007b7a4          r0_8 = 3
    0007b668      else
    0007b668          int32_t r2
    0007b668          uint8_t* r3
    0007b668          r2, r3 = nvram_set("skill_act_code", p2_nvram_get(item: "skill_act_code_t"))
    0007b674          generate_asus_token(dst: &ifttt_token_copy, len: 0x20, r2, readsrc: r3)     // [7]
    0007b684          strlcpy(dst: outbuf, src: &ifttt_token_copy, len: 0x20)
    0007b694          nvram_set("ifttt_token", &ifttt_token_copy)
    0007b698          nvram_commit()
    0007b6ac          if (isFileExist("/tmp/IFTTT_ALEXA") s> 0)
    0007b6d0              Debug2File("/tmp/IFTTT_ALEXA.log", "[%s:(%d)][HTTPD] get IFTTT long token success\n", "gen_IFTTTtoken", 0x408, token, outbuf, arg3, 0xf1430)
    0007b6d4          r0_8 = 0
    0007b7ac      return r0_8
    

Right at the beginning there is a check \[5\] to see if the uptime of the device is more than two minutes after the ifttt_stoken has been generated. Assuming we are within that timeframe, the ifttt_stoken nvram item is grabbed and compared with our shortToken at \[6\]. If there’s a match, we end up hitting the code branch around \[7\], where the device generates a new ifttt_token and copies it to the output buffer on the next line of code. As a reminder, this token grants the same admin access as the normal HTTP login token.

While nothing really seems out of place at the moment, let’s take a look over at the code which actually generates the ifttt_stoken:

    00074210  uint8_t* do_ifttt_token_generation(uint8_t* output)
    // [...]
    000742c0      char ifttt_token[0x80]
    000742c0      memset(&ifttt_token, 0, 0x80)
    000742d0      char timestamp[0x80]
    000742d0      memset(&timestamp, 0, 0x80)
    000742e0      char rbinstr[0x8]
    000742e0      rbinstr[0].d = 0
    000742e8      int32_t* randbinstrptr = &rbinstr
    000742f4      rbinstr[4].d = 0
    00074308      srand(x: time(timer: nullptr))
    0007431c      // takes the remainder...
    00074324      int_to_binstr(inp: __aeabi_idivmod(rand(), 0xff), cpydst: randbinstrptr, len: 7)              // [8]
    // [...]
    00074608      snprintf(s: &ifttt_token, maxlen: 0x80, format: &percent_o, binary_str_to_int(randbinstrptr)) // [9]
    0007461c      nvram_set("ifttt_stoken", &ifttt_token)
    00074638      snprintf(s: &timestamp, maxlen: 0x80, format: &percentld, uptime())                           // [10]
    00074648      nvram_set("ifttt_timestamp", &timestamp)
    00074658      strlcpy(dst: output, src: &skill_act_code, len: 0x48)
    0007465c      nvram_commit()
    0007466c      return output
    

With the unimportant code cut out, we are left with a somewhat clear view of the generation process. At \[8\] a random number is generated that is then moded against 0xFF. This number is then transformed into a binary string of length 8 (e.g. ‘00101011’). A lot further down at \[9\], this randbinstrptr is converted back to an integer and fed into a call to snprintf(&ifttt_token, 0x80, "%o", ...), which generates the octal version of our original number. With this in mind, we can clearly see that the keyspace for the ifttt_stoken is only 255 possibilities, which makes brute forcing the ifttt_stoken a trivial matter. While normally this would not be a problem, since the ifttt_stoken can only be used for two minutes after generation, we can see a flaw in this scheme if we take a look at the ifttt_timestamp’s creation. At \[10\] we can clearly see that it is the uptime() of the device in seconds (which is taken from sysinfo()). If we recall the actual check from before:

    0007b5d4      int32_t r0 = uptime()
    // [...]
    0007b614      if (r0 - nvram_get_int("ifttt_timestamp") s> 120)
    // [...]
    0007b630      else if (nvram_get_and_cmp("ifttt_stoken", token) == 0)
    

We can see that the current uptime is used against the uptime of the generated token. Unfortunately for the device, uptime starts from when the device was booted, so if the device ever restarts or reboots for any reason, the ifttt_stoken suddenly becomes valid again since the current uptime will most likely be less than the uptime() call at the point of ifttt_stoken generation. Neither the ifttt_timestamp or the ifttt_stoken are ever cleared from nvram, even if the Amazon Alexa and IFTTT setting are disabled, and so the device will remain vulnerable from the moment of first generation of the configuration.

**TIMELINE**

2022-08-01 - Initial Vendor Contact  
2022-08-09 - Vendor Disclosure  
2022-11-16 - Vendor Patch Release  
2023-01-10 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2022-35401: TALOS-2022-1586 || Cisco Talos Intelligence Group

Did you miss our livestream focused on the APT section in the Cisco Talos Year in Review report? Join host Mitch Neff and special guests Jacob Finn, Asheer Malhotra, and Vitor Ventura as they discuss Talos' findings and experiences tracking APTs in 2022.

Tuesday, January 10, 2023 15:01

Did you miss our livestream focused on the APT section in the Cisco Talos Year in Review report? Join host Mitch Neff and special guests Jacob Finn, Asheer Malhotra, and Vitor Ventura as they discuss Talos' findings and experiences tracking APTs in 2022.  This livestream sheds light into the topic of APT TTPs, the geopolitical factors that influence the macro-environment and defensive guidance to improve security posture.

Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: APTs Livestream Replay

Vice Society is boasting that it compromised the San Francisco transportation system, while BART maintains operations and mounts an investigation.

The San Francisco Bay Area Rapid Transit System (BART) was listed this week by ransomware group Vice Society as being among its latest victims.

Brett Callow, threat analyst with Emsisoft, flagged the Vice Society BART brag on Jan. 6. However, BART's spokesperson Alicia Trost told Dark Reading there haven't been any service disruptions as a result of a cyberattack and that an investigation is ongoing.

"We are investigating the data that has been posted," Trost told Dark Reading by email. "To be clear, no BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond."

Vice Society was also behind a recent spate of school breaches in the US and beyond, most recently releasing the personal information stolen from a group of 14 schools in the UK.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

San Fran's BART Investigates Vice Society Data Breach Claims

Microsoft released its monthly security update on Tuesday, disclosing 101 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 89 are classified as “Important”, no vulnerability classified as “Moderate.”

Tuesday, January 10, 2023 14:01

Microsoft released its monthly security update on Tuesday, disclosing 98 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 87 are classified as “Important”, no vulnerability classified as “Moderate.”

According to Microsoft all “Critical“ vulnerability are either less likely or unlikely to be exploited, except of the security bypass vulnerability CVE-2023-21743 on Microsoft SharePoint Server machines. This vulnerability has a low complexity and can be easily triggered by an attacker. In a network-based attack, an unauthenticated user could make an anonymous connection to the targeted SharePoint server.

Two of the “Critical“ vulnerabilities, which Microsoft considers to be “less likely” to be exploited due to their complexity are CVE-2023-21535 and CVE-2023-21548. These are remote code execution (RCE) vulnerability in the Windows Secure Socket Tunneling Protocol (SSTP) which allow an unauthenticated attacker to send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server and run unauthorized commands on the compromised system.

There are also five “Critical“ Remote Code Execution Vulnerability which affect the Windows Layer 2 Tunneling Protocol (L2TP). Successful exploitation could allow an unauthenticated attacker to execute code on RAS servers. These five vulnerabilities are CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556 and CVE-2023-21679.

The last “Critical“ vulnerability which we want to mention is CVE-2023-21730. It is a Remote Code Execution Vulnerability in the Windows Cryptographic Services. Microsoft did not released many details about the vulnerability, except that it is triggered from the network and of low complexity.

Developers are also at risk due to CVE-2023-21779 a Remote Code Execution vulnerability in Visual Studio Code flagged as “Important“. The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.

Talos would also like to highlight 6 “Important“ vulnerabilities that Microsoft considers “more likely” to be exploited and can be used for privilege elevation.

*   CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability 
*   CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability 
*   CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability 
*   CVE-2023-21725 Microsoft Windows Defender Elevation of Privilege Vulnerability
*   CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability
*   CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

There are more vulnerabilities marked as “Important“ in the Microsoft advisory. This includes Microsoft Office and 3D Builder applications, a Microsoft ODBC Driver and others. A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61060-61065. For Snort 3, the following rules are also available to protect against these vulnerabilities: 300358-300360.

Microsoft Patch Tuesday for January 2023  — Snort rules and prominent vulnerabilities

In this blog post, Cisco Talos Incident Response (Talos IR) presents some of the key benefits of remote IR support and offers a list of recommendations for working on a remote incident.

Tuesday, January 10, 2023 12:01

_**Authors:** Gergana Karadzhova, Joe Schumacher, Pawel Bosek_

In this blog post, Cisco Talos Incident Response (Talos IR) presents some of the key benefits of remote IR support and offers a list of recommendations for working on a remote incident.

Some organizations see added value in having incident responders on site during an emergency. While this approach may offer certain benefits in terms of coordination, in Talos IR’s experience, the physical presence of a team on site is not crucial for the success of the overall IR. Cybersecurity threats are by definition intangible and bringing people physically together does not automatically facilitate an investigation. The traces of the malicious actors involved in a ransomware case, for example, are in the cyberspace made up by an organization’s network and the Internet, which means that, with sufficient connectivity, a remote responder team can work on the case from anywhere.

As a remote-first, follow-the-sun global team, Talos IR has extensive experience in creating a healthy, effective, and collaborative environment for customers and responders regardless of the stressful nature of IR activities. Trust needs to be built over time and proactive IR services offer the means to do this preemptively, ensuring that when an emergency happens, the responders will be able to gain appropriate access in a timely manner. Specific recommendations on how to strategically use proactive services in building this relationship are outlined in section “Adopting a ‘trust but verify’ approach.”

**Analyzing the advantages of remote IR support**

Criteria 

Remote 

On-Site 

Start of engagement 

15 minutes to four hours 

24 hours in transit 

Personnel utilization and treatment 

“Follow the sun” model, ensuring that team members rest in between shifts and lower the risk of burnout 

Usually limited to daytime. 

Risk of overstretching the team if working around the clock for multiple days 

Scalability  

Limited only by the IR team’s size  

1 – 2 people depending on the size of retainer 

Knowledge transfer between IR team and internal teams 

Primarily written  

Primarily verbal  

Efficiency  

Overall shorter period of time to start; easier to ramp up; better personnel utilization and care; transparent and lower cost 

Overall longer time to start; harder to ramp up; limited daily period of work; additional costs due to travel and accommodation 

Remote incident response offers the following key advantages in comparison to on-site support:

*   **Faster initial response –** The average industry service-level agreement for having on-site support is 24 hours in transit. Depending on the exact time when the incident was reported, the transportation options to the location, and the immediate availability of the consultants going on site, it can take anywhere between eight to 24 hours to reach the customer premises. This is significantly longer than the time needed to kick off a remote response, which in Talos IR’s experience is less than two hours.
*   **Easier to scale the response team –** IR is a team sport. Customers usually mainly interact with a few dedicated team members of the IR team, such as an Incident Commander and a few lead consultants. In the background, however, there are additional technology specialists, project managers and threat intelligence analysts working on the case. It is much easier to involve additional personnel in a remotely managed incident than to order people on site.
*   **More resource efficient –** The three most valuable resources in an incident are time, budget, and human power. In terms of human power, consider an incident which has been active for 48+ hours and is still ongoing. In such cases, having a remote team consisting of members in different time zones can ensure that work on the incident follows the sun without burning the team out. When it comes to cost management, remote incident support tends to provide great transparency of activities performed by the team, due to the centralized flow of communication and information exchange. Additional cost efficiency is generated by the fact that technical personnel do not need to set up their workplace in a new environment with emergency conditions and thus suffer a dip in productivity.

**Preparing for remote incident response**

From inception, Talos IR has been handling our emergency IR while fully remote as the norm, even predating the COVID-19 pandemic, due to the 24x7 nature of our service and global team distribution. Webex organically allows Talos IR to quickly and securely support our customers anywhere in the world. During the pandemic, we supported Cisco customers without any service interruption and created additional virtual infrastructure to ensure that all Talos IR proactive services could be securely delivered. This being said, if we do encounter a special case which might necessitate on-site presence of the response team, we discuss with the customer if it would augment the overall IR effort.

Remote IR comes with its own set of challenges. Talos IR recommends discussing your approach to the points listed below _before_ an actual emergency, as addressing shortcomings might require lead time and resources.

*   **Provisioning Access** – Having a process to get the remote IR team access to on-premises and remote consoles will accelerate the ability to investigate the incident. This process should include accounts related to, but not necessarily limited to, Virtual Private Network (VPN), Active Directory (AD), Endpoint Detection and Response (EDR), Multi-Factor Authentication (MFA), and other security controls.
*   **Regulatory & Compliance Requirements** – Data collection and sharing are often subject to country-specific laws, especially in the case of critical infrastructure and personally identifiable information (PII). Technical teams should work with the Legal Department and the Data Privacy and Governance Office to verify the exact legislation that is applicable to the different data sources that might be part of an incident. Any known limitations regarding remote collection of evidence and analysis of the data should be documented in the Incident Response Plan.
*   **Communication Cadence** – Having multiple means of communication and a set status update meeting will help ensure that everyone is kept on the same page. Communication is critical to get right during an incident but does not have to be in-person to be efficient or effective. People tend to be hyper-connected during IR, so bringing structure and predictability to the information flow benefits everyone.
*   **Gathering Evidence** – Remote evidence collection might not be possible in all incidents, but with some planning can be a viable alternative to traveling to a location or shipping an asset. You will want to ensure that there are technical representatives on-site who can assist the IR team with collecting forensic and triage data from in-scope assets.
*   **Sharing Evidence** – A reliable, high-speed network connection is essential for downloading and uploading large files to remote server(s). You will most likely be downloading the requested evidence from endpoints (e.g., workstations and servers) within your internal network and then uploading this data to a remote server for the incident responders to analyze.
*   **Scaling the Response** – Typically, an incident starts with one or two events across a large, networked environment and expands in scope as more indicators of compromise are discovered. Having the ability to contact people across the team as the incident evolves and to connect them to the investigation remotely will reduce the overall time to act and contribute to a more efficient incident response. When planning who and how you might need to engage during a possible incident, it is critical to consider your internal team along with the partners, contractors, and service providers that will be assisting with the incident response remotely.

Internal teams that will be involved in the implementation of the above preparation activities should familiarize themselves with the agreed approach as part of their preparation for IR and whenever possible, test the theoretical plan in the practice. It is highly recommended to document all relevant procedures and processes within the internal Incident Response Plan and Incident Response Playbooks, as this makes distribution and knowledge management easier in the long run.

**Adopting a “trust but verify” approach**

In the world of security there is the phrase “trust but verify,” and this mentality should be present when it comes to your IR service provider. Many companies have their first contact with the IR team during an emergency, which is one of the worst times for building trust and getting to know each other. A much better way to become familiar with your incident responders is to work with them on **proactive services**. These services by definition are non-emergency and offer more time for addressing the remote support considerations listed above through tabletop exercises, development of plans and playbooks, and threat hunts. In addition to improving your overall resiliency to cyber threats, proactive services will allow you to see what tools are typically leveraged by the IR team and what methodology they use for threat hunting. The engagements provide an opportunity for the responders and your internal teams to build trust and a better understanding of each other’s craft. An investment in the human element of virtual collaboration pays off during subsequent remote IR cases, as both sides feel more comfortable working together and can be more efficient in the execution of emergency response actions.

In most businesses, a level of remoteness was present long before the COVID-19 pandemic. Many organizations operate remotely or in different locations, whether that is multiple offices, data centers, or the homes of their employees. The increase of remote work in the last few years has led to optimization and normalization of virtual collaboration, the latter becoming an integral part of modern business operations. In a similar way, IR has grown increasingly independent of physical location as long as secure connectivity is possible. There will always be the need to physically travel to a location for response in some special cases, but that will not be the norm.

The expanded use of cloud services, the increase in remoteness in company operations, and the shortage of cybersecurity talent all speak in favor of an IR delivery model with remote-first support and members distributed around the globe. This trend emphasizes the importance of accountability and trustworthiness in each and every interaction with the IR team, whether physically or virtually. Talos IR recognizes this and is committed to delivering high-quality and efficient engagements during all emergency and proactive retainer projects.

Increasing trust, commitment, and predictability during a remote incident response

Lilith >_> of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered three vulnerabilities in Asus router software.
The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via

Tuesday, January 10, 2023 11:01

_Lilith >\_> of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered three vulnerabilities in Asus router software.

The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via an HTTP server running on the local network. However, it can also be configured to support remote administration and monitoring in more of an IOT style.

Talos has identified TALOS-2022-1586 (CVE-2022-35401), an authentication bypass vulnerability that can lead to full administrative privileges. An attacker would need to send a series of HTTP requests to exploit this vulnerability.

TALOS-2022-1590 (CVE-2022-38105) is an information disclosure vulnerability in the opcode of the router’s configuration service that can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

TALOS-2022-1592 (CVE-2022-38393) is a denial of service vulnerability, also in the opcode of the configuration service. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Cisco Talos worked with Asus to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Asus RT-AX82U 3.0.0.4.386\_49674-ge182230. Talos tested and confirmed this version of Asus could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60394 and 60473. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered

New Add-On Empowers SOCs and MSPs to Automate & Orchestrate Incident Response for Microsoft 365.

**SAN FRANCISCO****,** **Jan. 10, 2023** **/PRNewswire/ --** Vade, the global leader in threat detection and response with 1.4 billion mailboxes protected, today announced the availability of Threat Intel & Investigation. An add-on for Vade's flagship product, Vade for M365, Threat Intel & Investigation provides the integrations, intel, and tools for SOCs and MSPs to investigate and respond to email-borne threats transiting through networks.

According to a 2021 report, breaches caused by phishing emails take an average of 213 days to be identified and another 80 days to be contained. This lag time gives cybercriminals the runway they need to conduct additional attacks on an organization, causing even more damage than the initial attack.

"Email is the #1 vector for cyberattacks," said Adrien Gendre, Chief Technology & Product Officer and cofounder at Vade. "Unfortunately, SOCs and MSPs don't always have visibility into how or when an email threat infiltrated their organization or how far it has spread throughout the network. The speed at which today's cybercriminals are working means that organizations cannot afford to lose precious time on incident response."

Vade for M365 is an AI-based email security solution for Microsoft 365 that catches the advanced phishing, spear phishing and malware threats that bypass Microsoft's native security. The Threat Intel & Investigation add-on for Vade for M365 features five core capabilities designed to empower SOCs and MSPs to automate investigations, orchestrate responses and move swiftly and with precision to live threats:

*   **File Inspector:** Deconstructs files and attachments directly in the Vade for M365 interface—without exposing administrators to risk. File Inspector reveals critical details about files and attachments, providing admins with the data required to make faster decisions, cross-check threats across networks and accelerate incident response across affected endpoints and users.
*   **Log Export:** Injects live email and event logs into any security management system, a powerful two-way integration powered by the Vade for M365 API. Connect Vade's email threat intelligence into your organizations' SIEM or SOAR to trigger automation playbooks and enhance your disaster recovery program.
*   **Reported emails:** Automates collection of user-reported emails and clusters similar, unreported emails in one dashboard, speeding user-based incident response and eliminating time-consuming, manual investigations. Receive alerts when users report emails via Outlook and quickly triage and remediate reported emails, similar emails, and forwarded emails with one click.
*   **Download emails/attachments:** Provides access to raw email intelligence for objective evaluation by threat analysts, saving precious time and resources that are typically wasted on searching for and analyzing raw email data.
*   **Add-on for Splunk:** Integrates Vade for M365 with Splunk without the need for custom software development. Combine Vade's threat intelligence with Splunk's SIEM and SOAR capabilities to have better visibility into the threat landscape and actionable insights with which to orchestrate rapid responses.

Vade partners and customers are already experiencing the benefits of Threat Intel & investigation, including Huntington Technology, a US-based MSP offering comprehensive managed services and managed security services:

"One of my helpdesk technicians excitedly came into my office last week. He asked if I had seen the new 'Reported emails' function within Vade," said William Bluford, Vice President, Huntington Technology. "He explained that we can now see which emails are reported as malicious. Not only can we see those emails, but we can see how many users are affected, and we can then remediate and remove those emails from all user mailboxes. This saves time for my helpdesk team and keeps our clients protected."

"Our customers have made clear that they need better visibility into their cybersecurity landscape," Gendre said. "They're challenged to monitor and manage threats from an array of end points, and IT is overburdened by too many complex tools. Threat Intel & Investigation was designed to give our customers the tools they need to thoroughly investigate threats, cross check those threats across their networks, and develop incident response processes—without the burden of complexity."

Threat Intel & Investigation on brings all these capabilities to Vade for M365. Vade's latest innovation will reduce incident response time, eliminate the need for additional security investments, and free up critical IT resources. Threat Intel & Investigation is available today in Vade for M365. To learn more, visit Threat Intel & Investigation.

**About Vade**

Vade is a global cybersecurity company specializing in the development of threat detection and response technology with artificial intelligence. Vade's products and solutions protect consumers, businesses, and organizations from email-borne cyberattacks, including malware/ransomware, spear phishing/business email compromise, and phishing.

Founded in 2009, Vade protects more than 1.4 billion corporate and consumer mailboxes and serves the ISP, SMB, and MSP markets with award-winning products and solutions that help increase cybersecurity and maximize IT efficiency.

To learn more, please visit www.vadesecure.com and follow us on Twitter @vadesecure or LinkedIn https://www.linkedin.com/company/vade-secure/.

SOURCE Vade

Vade Releases Advanced Threat Intel & Investigation Capabilities

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent...

Tuesday, January 10, 2023 09:01

State-sponsored or state-aligned advanced persistent threats (APTs) adapted to the changing geopolitical landscape in 2022. Cisco Talos observed several offensive cyber campaigns linked to several groups stemming from Russia, Iran, China, North Korea, and countries in the Indian subcontinent. These groups engaged in a variety of malicious activities, including espionage, intellectual property theft, and deploying destructive malware. Major trends observed include:

*   Delivering new, custom malware and updated variants of previously known malware.
*   Exploiting publicly known vulnerabilities, such as Log4j utilities.
*   Updating tooling and behavior patterns to evade discovery.
*   Increasing APT activity in our Cisco Talos Incident Response (CTIR) engagements, including the Iran state-sponsored MuddyWater group and several China affiliated APTs.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

APT Topic Summary Report: Cisco Talos Year in Review 2022

In a new survey from Clever, 3 out of 4 school districts say they will increase their spending on security and privacy in the next two to three years; 1 in 4 teachers report that cybersecurity training is missing in their district.

**SAN FRANCISCO****,** **Jan. 5, 2023** **/PRNewswire/ --** Clever, the platform used by more than 70% of U.S. K-12 schools to simplify and secure digital learning, today announced a new survey of school administrators and teachers revealing that the two groups perceive security vulnerabilities differently as the district edtech stack increases. According to the data, three out of four districts say they will increase their spending on security and privacy in the next two to three years. While more than half of administrators (63%) and teachers (53%) believe that their district is prepared to take on digital security challenges, one in four teachers report that cybersecurity training is missing altogether in their district.

Last year, over 90% of educators said they will continue to use at least some of the digital tools they adopted during the pandemic, as schools increasingly embrace devices and digital platforms to enable individualized instruction and student support. But with the expanded access to technology comes greater responsibility on schools and their edtech partners to protect the information these tools may collect. In 2021, nearly a million students were impacted by 67 ransomware attacks against schools, with a cost of over $3.5 billion in downtime.  

To help district and school leaders navigate new edtech practices in this era of increased usage, Clever surveyed almost 4,000 teachers and administrators. The data suggest that educators and administrators perceive the risks in schools differently: only 11% of teachers said a cybersecurity incident would be very likely, but one in four administrators say their district already experienced a hack, phishing incident, data breach, or other cyber attack in the past year.

"Creating a safe digital learning environment requires that everyone -- administrators, educators, students -- play a role," said Mohit Gupta, who oversees security products at Clever. "Cybersecurity is a team sport, and the differences highlighted in the survey offer us a path forward to address vulnerabilities in our schools. While the groups differ on where the risks exist, they agree on what can be done: more training for educators, the use of security tools, and increased specialized staff."

Among additional key findings from Clever's Cybersecure 2023 report:

*   **Teachers and administrators see devices as the greatest tech vulnerability in their district.** Teachers (34%) and administrators (34.3%) alike believe that devices are the most vulnerable part of their technology infrastructure. However, administrators are more aware of potential risks elsewhere as well: they're five times more concerned about vulnerabilities from administrative platforms like a learning management system or student information system, and nearly three times more concerned about vulnerabilities from applications used for curriculum and instruction.
*   **When it comes to identifying risks around human usage of technology, administrators think teachers are the most likely source of security vulnerability, but teachers think students are.** Teachers, responsible for their own safe use of technology and appropriate use by their students, see students (67%) as the biggest risk for a security incident, followed by teachers (27%). In contrast, two-thirds of administrators believe that teachers pose the highest vulnerability threat, and only 19% believe it to be students. Administrators were also three times more likely than teachers to say administrators are a vulnerability.
*   **Teachers and administrators agree on what can be done to improve digital security.** Both groups believe the three most important activities to support security are: 1) more educator training; 2) more or better technology solutions; and 3) more staff focused on technology. Two-thirds of teachers indicated they would want to learn more about topics related to data privacy and security.
*   **Yet, one in four teachers say cybersecurity training is missing altogether in their district.** While the majority of administrators and educators report that privacy and security training happens in their district, a surprising 26% of teachers say they never receive training on privacy or security – representing a big opportunity for districts to shore up their practices.
*   **Increasing challenges means increased spending.** 65% say their spending on digital security will increase over the next two to three years; another 12% say it will increase significantly, and a majority say that federal stimulus dollars are helping support their efforts.

The survey, administered throughout October 2022 using Clever's user database, asked more than 800 US-based school administrators and more than 3,000 US-based educators. To see the full findings and methodology, click here.

**About Clever**

Clever is on a mission to unlock new ways to learn for all students. More than 70% of U.S. K-12 schools now use Clever to simplify access and improve engagement with digital learning. With our free platform for schools and a network of leading application providers, we're committed to advancing educational equity. Clever, a Kahoot! company, has offices in San Francisco, CA and Durham, NC but you can visit us at clever.com anytime.

SOURCE Clever

New Survey: One In Four Schools Were Victims Of Cyber Attacks In the Last Year; Administrators To Increase Spending On Privacy and Security

Happy New Year and welcoem to this week's edition of the Threat Source newsletter. 
We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our

Thursday, January 5, 2023 14:01

Happy New Year and welcome to this week's edition of the Threat Source newsletter.

We can’t tell if it’s the fog from Lurene’s deadly eggnog or dare we say pure rest and relaxation but we’re still digging out of our inboxes, trying to remember logins, and circle back on all the things we prolonged into 2023. With that we’re keeping this week’s newsletter light as we all ease back into the flow of things.

**The one big thing**

Last month Talos released our Year in Review report, a comprehensive report covering Talos’ work for the 2022 year. The initial report launched December 14th with an additional Ukraine Topic Summary Report on the same day. To discuss the initial report and Ukraine section Talos held a livestream with key contributors to the report, which can be viewed here.

**Why do I care?**

We expect this data-driven story will shed some light on Cisco’s (and the security community’s) most notable successes and remaining challenges. Through the upcoming weeks, we will be highlighting different aspects of this story, including our efforts in Ukraine, the disastrous Log4j vulnerabilities, adversarial use of offensive frameworks and software native to the victim’s machine, shifts in the ransomware landscape, the ever-present threat of commodity loaders/trojans, as well as an overview of some of the advanced persistent threats (APTs) we are most concerned with. Throughout the story, one key theme is clear: _adversaries are adapting to shifts in the geopolitical landscape, actions from law enforcement, and the efforts of defenders. Defenders will need to track and address these shifts in behavior to remain resilient._

**So now what?**

While yes, we’ve moved into another new year the Talos 2022 Year in Review is the gift that keeps on giving. If you’ve yet to read the report, you can catch the cliff notes version in our four part livestream series covering the full report and corresponding topics. Join us January 10th at 12pm ET for our next livestream 2022 Year in Review: APTs on our Talos LinkedIn or Twitter page.

**Top security headlines of the week**

The not-so-bad-guys? The LockBit ransomware group apologies for attacking the Hospital for Sick Children (SickKids) after one of its members violated their rules by attacking a healthcare organization. In their apology, LockBit stated the member is blocked and no longer in their affiliate program and offered a free decryptor for the hospital to recover impacted files. (Bleeping Computer)

Meta was fined over $4 million for breaching the EU’s General Data Protection Regulation (GDPR) personal data laws on Facebook and Instagram according to Ireland’s Data Protection Commission. In a statement the commission stated Meta breached “it’s obligations in relation to transparency” and “for its processing of personal data for the purpose of behavioral advertising”. (SecurityWeek)

All was not calm over the holidays as PyTorch has recently identified a malicious dependency under the same name as the framework’s ‘torchtriton’ library. PyTorch admins are urging users who recently installed PyTorch-nightly to uninstall the framework with the counterfeit ‘torchtriton’ dependency. (SC Media)

**Can’t get enough Talos?**

2022 Year in Review Report

Beers with Talos

Talos Takes

Ukraine Topic Summary

2022 Year in Review: Ukraine livestream on demand

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5: 26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725

MD5: d47fa115154927113b05bd3c8a308201

Typical Filename: excel.exe

Claimed Product: N/A

Detection Name: W32.00AB15B194-95.SBX.TG

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:   93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product:  
Internet Explorer

Detection Name: W32.File.MalParent

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa

MD5:  df11b3105df8d7c70e7b501e210e3cc3

Typical Filename: DOC001.exe

Claimed Product: n/a

Detection Name: Win.Worm.Coinminer::1201

Tag

#cisco