The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.

 “While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.” 

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. 

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. 

“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability," says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. "For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”

Researchers have also seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns," says Sherrod DeGrippo, Proofpoint's vice president of threat research.

With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. 

“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch

Deja-Vu data from this year's DBIR report feels like  we are stuck in the movie 'Groundhog Day.'

Deja-Vu data from this year’s DBIR report feels like we are stuck in the movie ‘Groundhog Day.’

Ransomware and social engineering continue to dominate challenges facing cybersecurity professionals, according to Verizon’s 15th annual Data Breach Investigations Report (DBIR).

In general, the results of DBIR merely confirm well-established trends, such as the growing threats of ransomware – up 13% this year – and the inescapability of the “human element”, which was tied to 82% of all breaches.

DBIR data is based on 23,896 reported security incidents, including 5,212 verified breaches.

**Ransomware is Still Rising**

The number of ransomware incidents increased this year by nearly 13%, which the analysts noted is “an increase as large as the last five years combined.” Ransomware now plays a role in one out of every four breaches.

Though the prevalence of ransomware has been rising, the nature of these attacks have remained surprisingly consistent. Verizon first wrote about ransomware in their 2013 report, where they explained how:

_When targeting companies, typically SMBs, the criminals access victim networks via Microsoft’s Remote Desktop Protocol (RDP) either via unpatched vulnerabilities or weak passwords._ – DBIR 2013.

Nine years later, the most common vector for ransomware attackers is still desktop sharing software – used in around 40% of attacks. The overwhelming majority of those instances involve stolen credentials.

“Had we known that what was true nine years ago would still be true today,” the researchers concluded, “we could have saved some time by just copying and pasting some text.”

**Hackers are Targeting Us**

There are all kinds of technical mechanisms by which attackers can obtain initial access into a target organization. But they usually don’t need to try all that. The much simpler solution, usually, is to just trick people.

According to Verizon, 82% of this year’s data breaches involved the “human element” – “the Use of stolen credentials, Phishing, Misuse, or simply an Error.”

Phishing, as expected, is still the hackers’ go-to. Well over 60% of this year’s breaches began that way. Phishers are still using all the same tricks, like pretexting – inventing a story to convince targets to divulge sensitive information – leading to business email compromise (27% of all attacks).

That doesn’t necessarily mean that targets are still so unaware, so naive as to click on any wayward link or smooth-talking email. “Only 2.9% of employees may actually click on phishing emails,” the researchers noted. It’s just that 2.9% is “more than enough for criminals to continue to use it” as a method for intrusion.

**It’s the Same Old Story**

Whenever human error arises in cybersecurity discourse, someone’s bound to mention training. But, as the authors of DBIR noted, “Most training takes twice as long to complete than was expected, with 10% taking three times as long.” Additionally, “while getting training is easy, proving it’s working is a bit harder.”

It may just be that the cyber threat landscape is in a holding pattern, as it has been for some time now. Every year, it seems, we’re facing the same kinds of attacks, and offering variations of the same solutions that haven’t entirely worked before. John Gunn, CEO of Token, summed it up best in an email to Threatpost:

“The most important research by and for the cybersecurity industry is out, and it feels like the movie Groundhog Day. We are waking up to the same results year after year since the first report in 2008,” Gunn wrote.

Old Hacks Die Hard: Ransomware, Social Engineering Top Verizon DBIR Threats – Again

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.
In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.

In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created and that it notified affected organizations.

"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "moderate confidence."

The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.

Targets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what's a case of a supply chain attack.

In a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances (CVE-2018-13379), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.

Attack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 using malicious tools dubbed CreepyDrive and CreepyBox with its victims.

"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.

This is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason disclosed an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.

Additionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called MuddyWater (aka Mercury), which has been characterized by the U.S. Cyber Command as a "subordinate element" within MOIS.

The victim overlaps lend credence to earlier reports that MuddyWater is a "conglomerate" of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).

To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies

In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows download of arbitrary file types and Directory Traversal, leading to Remote Code Execution. This occurs because it is possible to plant executables in the startup folder (DLL planting could also occur).

Real Player 'external::Import()' Arbitrary file download, Directory Traversal Vulnerabilities leads to Remote Code Execution

video demo: https://youtu.be/CONlijEgDLc

Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:

The 'external' object and it exposes several custom methods and properties.

The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait until reboot (true when file is planted in 'startup' folder).

The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share. The directory 'appdata' must be placed in the share´s root.

Also a DOS condition in 'external.PreloadURL()' helps so that the files are not deleted by Real Player

The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)

tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309

CVE-2022-32270: GitHub - Edubr2020/RP_Import_RCE

A pair of phishing campaigns against users of WhatsApp and Telegram's Telegraph expose them to extortion, credential harvesting, and even account takeover.

Within just a few days of each other, researchers sounded the alarm about phishing campaigns against two popular, global messaging platforms, Telegraph and WhatsApp.

Lat week, Rahul Sasi, founder and CEO of CloudSEK, posted a warning on LinkedIn that WhatsApp accounts were being targeted by phishing attacks trying to trick users into placing a call to the number "\*\*67\*< 10 digit number > or \*405\* <10 digit number >". Just a few minutes later, the device would log out of WhatsApp and the attacker would have full control of the account, Sasi added.

Turns out, dialing those digits forwards a victim's calls to a number controlled by the threat actors.

"Now in the backend, the attacker triggers the WhatsApp registration process for your number and chooses the option to send OTP via phone call," Sasi wrote. "Since your phone is engaged — the OTP will go to the attacker's phone, and it's game over for you."

**Telegraph Phishing Attacks**

Likewise, recent phishing attacks on users of Telegram's privacy-focused blogging platform, Telegraph, have spiked recently. Cyberattackers are looking to harvest Microsoft 365 credentials and run cryptocurrency scams, according to analysis from Inky.

Telegraph allows users to set up webpages without registration, and Telegram deletes sent messages after they are read, helping attackers to carry out their scams anonymously. As such, the researchers said Telegram is quickly replacing the underground web as the platform of choice for cybercriminals.

"Although many such sites are available, Telegraph is more attractive than most because of its unusually libertarian heritage; its founders openly propound a 'live and let die' philosophy, catnip to phishers," Inky researcher Roger Kay wrote about the Telegraph phishing scam findings.

Phishers Having a Field Day on WhatsApp, Telegraph

Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

COOKEVILLE, TENN. (PRWEB) JUNE 02, 2022

As cyberthreats continue to expand and progress worldwide, the need for qualified cybersecurity professionals is increasing with experts predicting there will be 3.5 million cybersecurity jobs open by 2025, a 350% increase over eight years. Microsoft Philanthropies is expanding its cybersecurity skills for jobs campaign to 23 countries and partnering with Women in CyberSecurity (WiCyS) to build a cybersecurity workforce that is not just larger but also more diverse.

The expansion will include: Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Germany, India, Ireland, Israel, Italy, Japan, Korea, Mexico, New Zealand, Norway, Poland, Romania, South Africa, Sweden, Switzerland, and the United Kingdom.

The countries were chosen because of an elevated cyberthreat risk, gap in the workforce and lack of diversity. One of the traditionally excluded populations Microsoft wants to provide opportunities for are women, who are significantly underrepresented. In the countries where Microsoft expanded its cybersecurity skilling campaign, only 17% of the cybersecurity workforce are female. Microsoft is working to understand the skills gap, offering free training, helping train more teachers, and providing more support to diverse and underserved job seekers, which is where WiCyS will help.

WiCyS is working to expand its student chapters in the 23 countries by promoting the retention and advancement of women in cybersecurity. WiCyS has over 5,700 members worldwide, including several in those countries Microsoft is trying to engage. WiCyS also has over 160 student chapters, largely in the U.S.

WiCyS student chapters receive funding, access to resources and conferences as well as networking opportunities for both students and faculty advisors. The group of women, men, allies, and advocates meets monthly to participate in CTFs, hackathons, engage in cyber trivia, and learn new technical skillsets. Other events include hosting resume workshops, mock interviews, career development panels, speed networking events and more.

“Thanks to this collaboration, WiCyS seeks to expand our global cyber sisterhood far and wide,” said Lynn Dohm, WiCyS executive director. “While WiCyS works to ensure equity in the gender imbalanced cybersecurity workforce, the student chapter initiative creates a community on campuses so that women are retained in their field of study, grow their network, and have a reliable gateway for future advancement opportunities.”

For more information on the Microsoft Philanthropies Global Student Chapter Initiative, visit http://www.wicys.org/initiatives/wicys-global-student-chapter-initiative-made-possible-by-microsoft-philanthropies/

**About WiCyS:**  
Women in CyberSecurity (WiCyS) is a nonprofit organization with international reach dedicated to the recruitment, retention and advancement of women in cybersecurity. Founded by Dr. Ambareen Siraj from Tennessee Tech University through a National Science Foundation grant in 2013, WiCyS offers opportunities, trainings, events, and resources for its members. Strategic partners include Tier 1: Amazon Web Services, Bloomberg, Carnegie Mellon University – Software Engineering Institute, Cisco, Fortinet, Google, Intel, Lockheed Martin, Meta, Microsoft, Optum, Sandia National Laboratories, SentinelOne. Tier 2: Abbvie, JPMorgan Chase & Co., Linkedin, McKesson, Navy Federal Credit Union, Nike, Wayfair, Workday. To partner, visit https://www.wicys.org/support/strategic-partnerships/.

Microsoft Philanthropies Collaborates With WiCyS to Help Close the Cybersecurity Skills Gap

Percona XtraBackup 2.4.20 unintentionally writes the command line to any resulting backup file output. This may include sensitive arguments passed at run time. In addition, when --history is passed at run time, this command line is also written to the PERCONA_SCHEMA.xtrabackup_history table. NOTE: this issue exists because of an incomplete fix for CVE-2020-10997.

Date

April 26, 2022

Percona XtraBackup for MySQL Databases enables MySQL backups without blocking user queries. Percona XtraBackup is ideal for companies with large data sets and mission-critical applications that cannot tolerate long periods of downtime. Offered free as an open source solution, Percona XtraBackup drives down backup costs while providing unique features for MySQL backups.

Percona XtraBackup 2.4 does not support making backups of databases created in _MySQL 8.0_, _Percona Server for MySQL 8.0_, or _Percona XtraDB Cluster 8.0_. Use Percona XtraBackup 8.0 to make backups for these versions.

*   Release Highlights
    
*   New Features
    
*   Bugs Fixed
    
*   Useful Links
    

**Release Highlights¶**

The xbcloud binary adds support for the Microsoft Azure Cloud Storage using the REST API.

**New Features¶**

*   PXB-1883: Implements support for Microsoft Azure Cloud Storage in the xbcloud binary. (Thanks to Ivan Groenewold for reporting this issue)
    

**Bugs Fixed¶**

*   PXB-2608: Upgraded the Vault API to V2 (Thanks to Benedito Marques Magalhaes for reporting this issue)
    
*   PXB-2649: Fix for compilation issues on GCC-10.
    
*   PXB-2648: CURL prior to 7.38.0 version doesn’t use CURLE\_HTTP2 and throws an error 'CURLE_HTTP2' is not a member of 'CURLcode'. Added CURLE\_OBSOLETE16 as a connectivity error code. In CURL versions after 7.38.0, CURLE\_OBSOLETE16 is translated to CURLE\_HTTP2.
    
*   PXB-2711: Fix for libgcrypt initialization warnings in xtrabackup.
    
*   PXB-2722: Fix for when via command line, a password, passed using the -p option, was written into the backup tool\_command in xtrabackup\_info.
    

**Useful Links¶**

*   The Percona XtraBackup installation instructions
    
*   The Percona XtraBackup downloads
    
*   The Percona XtraBackup GitHub location
    
*   To contribute to the documentation, review the Documentation Contribution Guide

CVE-2022-26944: Percona XtraBackup 2.4.25 — Percona XtraBackup 2.4 Documentation

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVE-2022-1982: Security Updates

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

An access control issue in ICT Protege GX/WX 2.08 allows attackers to leak SHA1 password hashes of other users.

Title: ICT Protege GX/WX 2.08 Client-Side SHA1 Password Hash Disclosure  
Advisory ID: ZSL-2022-5700  
Type: Local/Remote  
Impact: Security Bypass, Exposure of Sensitive Information  
Risk: (3/5)  
Release Date: 21.03.2022

**Summary**

Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system.

**Description**

The application is vulnerable to improper access control that allows an authenticated operator to disclose SHA1 password hashes (client-side) of other users/operators.

**Vendor**

Integrated Control Technology Ltd. - https://www.ict.co

**Affected Version**

GX: Ver: 2.08.1002 K1B3  
Lib: 04.00.217  
Int: 2.3.235.J013  
OS: 2.0.20  
WX: Ver: 4.00 284 H062  
App: 02.08.766  
Lib: 04.00.169  
Int: 02.2.208

**Tested On**

Microsoft-WinCE/6.00

**Vendor Status**

\[08.02.2022\] Vulnerability discovered.  
\[08.02.2022\] Vendor contacted.  
\[08.02.2022\] Vendor responds asking if we are Certified Protégé Installers.  
\[08.02.2022\] Replied to the vendor.  
\[16.02.2022\] Vendor's technical support are online for Certified Protégé Installers only.  
\[16.02.2022\] Further explanation provided to the vendor.  
\[18.02.2022\] Vendor suggests to contact the incumbent security system installer and work with them to get our ticket logged.  
\[21.03.2022\] Public security advisory released.

**PoC**

protege\_hash.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.exploit-db.com/exploits/50836  
\[2\] https://packetstormsecurity.com/files/166391/  
\[3\] https://exchange.xforce.ibmcloud.com/vulnerabilities/222336  
\[4\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29731  
\[5\] https://nvd.nist.gov/vuln/detail/CVE-2022-29731

**Changelog**

\[21.03.2022\] - Initial release  
\[25.03.2022\] - Added reference \[1\], \[2\] and \[3\]  
\[29.05.2022\] - Added reference \[4\] and \[5\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#microsoft