Five practical steps to up-level attack surface management programs and gain greater visibility and risk mitigation around the extended ecosystem.

Modern IT environments are purposefully designed to be dynamic, evolving organically through things such as cloud computing, Internet of Things (IoT) devices, and, for many organizations, through mergers and acquisitions and supply chain business relationships. While enabling greater business efficiency and effectiveness, often infrastructure and data are added ad hoc without looping in the IT team or adhering to organizational security policies. The result is unmanaged or unknown infrastructure within the technology ecosystem, which introduces hidden risk.

Most security teams will acknowledge a lack of visibility in this dynamic environment. Whether it's credentialed access or missing agents, it's common to have a gap in visibility. However, unknown unknowns present an even more significant visibility challenge in most organizations.

**What Is an Unknown-Unknown Asset?**

Let's start by defining what we mean by unknown unknowns, or assets of which the security and IT teams have no awareness. Unknown unknowns can be introduced in a multitude of ways. For example, well-meaning developers with the ability to provision cloud resources on a personal credit card can spin up new database instances.

Consider capable contractors who can spin up their own infrastructure but forget to limit access to the code on GitHub. Or the business partners (third- and Nth-party suppliers) that are not accounted for in the extended enterprise ecosystem. Mergers are another common way that "unknown unknowns" are introduced — when the often outdated list of IT infrastructure doesn't meet the current reality of the infrastructure state.

With supply chain compromise on the rise and increasing organizational sprawl, how can organizations manage and mitigate risk from unknown unknowns?

**Closing Attack Surface Visibility Gaps**

To solve for unknown unknowns, security teams need to establish mechanisms and processes to maintain an up-to-date inventory of all _known_ assets associated with their organization and the vulnerabilities that can be used by threat actors as entry points into the network. The more known about the organization, the more information to perform active and continuous search for unknowns, and even fewer unknown unknowns.

Below are five practical steps to closing visibility gaps:

1.  **Enumerate and continuously monitor the asset inventory:** Create a process and workflow for continuous asset discovery that delivers a comprehensive inventory. Assets include internal and external resources, cloud resources, employees, and the supply chain. Externally accessible assets are often targeted by threat actors for initial access (MITRE T1190) by exploiting known vulnerabilities. In situations where a zero-day is disclosed, the security team can leverage the inventory to answer these questions: "Do we have that technology in our ecosystem and, if so, where?" and "Are we running the vulnerable version of the technology?"
2.  **Determine ownership of assets:** Attribution plays a big role in providing relevant information to the security team. Receiving a list of assets that may or may not be owned by your organization will slow down the team as they triage false positives (out-of-scope assets). At the onset of asset discovery efforts, the inventory should be audited to determine what is directly managed vs. shared security model (where the management of the asset is outsourced to a provider – such as a cloud service or SaaS provider). Management becomes easier over time as a security team establishes the baseline understanding of asset ownership.
3.  **Enrich assets with intelligence to identify and prioritize critical and high-severity issues**: The faster vulnerabilities are identified, the faster the security team can respond. Indicators of compromise (IoCs) and Dark Web monitoring can inform a security team of malicious activity involving the brand or an asset. Analysis based on incident response and adversary research can help defenders respond and prioritize appropriately based on how a vulnerability is being leveraged and the impact of exploitation. Recommended sources include NIST National Vulnerability Database (NVD), CISA's Known Exploited Vulnerability catalog, and intelligence feeds from the private sector.
4.  **Remediate and harden at scale****:** Prioritizing remediation and hardening efforts on the entry points that present the most risk to the organization is crucial to mitigation strategies. Critical and high-severity security findings should be investigated and remediated immediately. Over the medium and long term, the security team needs to be aware of and monitor for lower severity vulnerabilities that are often overlooked but can be used in tandem with easier-to-exploit vulnerabilities. Assign responsibility to the lower-priority items and set expectations for quarterly reporting on progress.
5.  **Regularly review assets for unknown unknowns — and integrate your findings into steps 1–4**: Information is only valuable if it's used. As more data is collected about an organization's attack surface, the information needs to be distributed to the appropriate teams within the organization and incorporated into the operational workflows across the security operations center (SOC) or intelligence organization. For example, the SOC team can leverage the latest information about potentially compromised devices to take specific threat-hunting actions and then implement mitigation strategies.

Managing and mitigating risk from known threats is challenging enough for already over-stretched security teams. By following the steps above, organizations can uplevel their attack surface management programs and gain greater visibility into potential risk within their extended ecosystem as well.

**About the Author**

    

Jonathan Cran is head of engineering, Mandiant Advantage Attack Surface Management, at Mandiant and was the founder and CEO of Intrigue prior to its acquisition by Mandiant in 2021. An experienced entrepreneur and builder, he's passionate about delivering high-quality outcomes and data-driven solutions, particularly when they require significant technical leadership. He is constantly striving to understand customers' challenges and deliver elegant solutions. His background includes hands-on experience as a security practitioner and leadership roles at companies such as Kenna Security, Bugcrowd, and Rapid7.

Managing and Mitigating Risk From Unknown Unknowns

KmsdBot takes advantage of SSH connections with weak login credentials to mine currency and deplete network resources, as it gains a foothold on enterprise systems.

A just-discovered evasive malware takes advantage of a key Internet-facing protocol to gain entry onto enterprise systems to mine cryptocurrency, launch distributed denial-of-service (DDoS) attacks, and gain a foothold on corporate networks, researchers have found.  

Dubbed KmsdBot by researchers at Akamai Security Research, the botnet infects systems via a Secure Shell Protocol (SSH) connection with weak login credentials, according to a report published Thursday. SSH is a remote administration protocol that allows users to access, control, and modify their remote servers over the Internet.

The botnet poses the most risk for enterprises that have deployed cloud infrastructure, or corporate networks that are exposed to the Internet, says Larry Cashdollar, principal security intelligence response engineer at Akamai.

“Once this malware is running on your system, it essentially has a toehold into your network," he tells Dark Reading. "It has functionality to update and spread itself, so it's possible it can burrow itself deeper into your network and surrounding systems.”

The researchers observed KmsdBot — which is written in Golang as an evasive measure — targeting an "erratic" range of victims, including gaming and technology companies as well as luxury car manufacturers, Cashdollar wrote in a Nov. 10 report. Golang is a programming language that's attractive to threat actors because it's difficult for researchers to reverse engineer.

Moreover, once it infects a system, the botnet does not maintain persistence, allowing it further to evade detection. "It’s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang," Cashdollar wrote.

**Attack on Gaming Company**

The researchers detected KmsdBot when it dangled an unusually open honeypot in the hopes of luring attackers. The first victim of the new malware they observed was an Akamai client — a gaming company called FiveM that allows people to host custom private servers for Grand Theft Auto online, they said.

In the attack, threat actors opened a user datagram protocol (UDP) socket and built a packet using a FiveM session token. UDP is a communication protocol used across the Internet for time-sensitive transmissions, such as video playback or DNS look-ups.

"This will cause the server to believe a user is starting a new session and waste additional resources besides network bandwidth," Cashdollar wrote.

The researchers also observed a range of other attacks by the bot that were less specifically targeted, they said. They included generic Layer 4 TCP/UDP packets with random data as a payload, or Layer 7 HTTP consisting of GET and POST requests to either the root path or a specified path set in the attack command, he said.

And while the bot does have cryptomining capability, researchers did not observe this particular aspect of its functionality — only the DDoS activity, Cashdollar added.

In general, KmsdBot has a wide attack surface, supporting multiple architectures including Winx86, Arm64, mips64, and x86\_64, researchers said. It uses TCP to communicate with its command-and-control infrastructure.

**Avoiding and Mitigating Bot Attacks**

Despite the danger it poses to enterprises, they can avoid falling victim to the botnet by using common network security best practices that they really should be implementing anyway, Cashdollar says.

"The best way to prevent getting infected is to either use key-based authentication and disable password logins, or make sure you're using strong passwords," he tells Dark Reading.

Indeed, password compromise — whether it's by using stolen credentials or cracking a company's weak protections — remains one of the top ways threat actors access enterprise systems.

Beyond strong passwords, security experts recommend multifactor authentication, as well as more advanced solutions to solve this persistent issue. However, it's advice that remains unheeded by users in many corporate settings, leaving networks exposed to threats such as KmsdBot. 

Other easy steps organizations can take to protect themselves, according to Cashdollar, include keeping deployed applications up to date with the latest security patches, as well as checking in on them from time to time to ensure they remain secure.

Evasive KmsdBot Cryptominer/DDoS Bot Targets Gaming, Enterprises

Security researchers see updated tactics and tools—and a tempo change—in the cyberattacks Russia’s GRU military intelligence agency is inflicting on Ukraine.

Since Russia launched its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.

At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.

That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It's allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.

"Strategically, the GRU needs to balance disruptive events and espionage," Roncone told WIRED ahead of her and Wolfram's CyberwarCon talk. "They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they've started 'living on the edge' of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying."

In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU's focus on hacking edge devices enabled its new tempo and tactics.

In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization's firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network's machines—and then maintained access through the firewall that allowed them to launch _another_ wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization's routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.

Separately, Microsoft’s Threat Intelligence Center, known as MSTIC, revealed today yet another example of the GRU launching repeated cyberattacks on the same Ukrainian targets. According to MSTIC, the hacker group it calls Iridium, more widely known as the GRU hacking unit Sandworm, was responsible for Prestige ransomware attacks that hit transportation and logistics targets in Ukraine and Poland from March to October of this year. MSTIC notes that many of the victims of that ransomware had earlier been hit with the wiper tool HermeticWiper just before Russia’s February invasion—another piece of data-destroying malware linked to the GRU.

The GRU, Roncone and Wolfram point out, have certainly targeted "edge" devices before this new phase of the agency cyberwar in Ukraine. In 2018, the agency's hackers infected more than half a million routers worldwide with malware known as VPNFilter, and they similarly attempted to create a botnet of hacked firewall devices that was discovered just ahead of Russia's Ukraine invasion in February.

But the Mandiant analysts argue that only now are they seeing that hacking of edge devices used to accelerate the agency's pace of operations and to achieve persistence inside networks that lets the GRU pull off repeated intrusions against the same victims. That's meant that instead of having to choose between stealthy cyberespionage and disruptive cyberattacks that destroy the very systems they're spying on, the agency has been able to "have their cake and eat it too," as Roncone puts it.

Ukraine's own cybersecurity agency, known as the State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has quickened its pace of cyber-operations since the start of the war in February, according to Viktor Zhora, a senior SSSCIP official. He confirms that the GRU, in particular, has come to favor targeting edge devices while other Russian intelligence agencies, such as the FSB, continue to use phishing emails as a common tactic. But he argues that the examples of repeated wiping of the same organization in quick succession, or a wiping attack followed by an espionage operation against the same target, remain relatively rare.

Instead, Zhora contends that the GRU's switch to a faster operating rhythm shows how the agency's hackers are racing—struggling, even—to keep up with the speed of physical war.

“Operating in a covert mode over the last eight years, having unlimited financial resources, widely available human resources, gave them a lot of opportunities. They used that time to test, to probe and develop new technologies. Now, they’ve needed to increase the density of their attacks, and they require much more resources," says Zhora. "They still try to carry out their expected role, to be Russia's most active and destructive agency. But with sanctions, with the intellectual flow out of Russia, with difficulties in human resources and infrastructure, their operational limits are significantly greater. But we can see in the tactics they use that they're still seeking new opportunities for intelligence and wiping options."

At times, Roncone and Wolfram say, GRU hackers do seem to be struggling to keep up with the new pace they've set. In one case, they saw the hackers backdoor an email server but set up their command-and-control server incorrectly, so that they failed to control it. In another case, they sent the wrong commands to a wiper tool, so that it failed to wipe the systems it had infected. "It's just the tempo and probably a bit of human error and burnout that leads to these sort of 'oopsies,'" says Roncone.

Another shift in the GRU's hacking to "quick and dirty" methods can be seen in the specific wiper malware that it uses, according to Roncone and Wolfram. Since May, Mandiant has observed GRU hackers deploying the relatively simple, targeted wiper malware known as CaddyWiper in nine different operations targeting Ukrainian organizations—five attacks in May and June, then another four last month.

The decision to make that small, straightforward wiper code its sabotage payload of choice represents a stark contrast with years past. In 2017 and 2018, the GRU group Sandworm unleashed complex destructive worms inside of target networks that took months to hone and deploy: automated, self-replicating, multi-featured code such as the Olympic Destroyer malware designed to cripple the Pyeongchang Winter Olympics and the NotPetya malware that hit Ukrainian networks and spread worldwide, causing an unprecedented $10 billion in damage.

In the early days of Russia's invasion, for reasons that aren't quite clear, Kremlin hackers targeting Ukraine appear to have used a grab bag of at least half a dozen wiping tools of varying quality inside of victim networks, such as HermeticWiper, WhisperGate, and AcidRain. But in more recent months, the GRU appears to have deployed mainly CaddyWiper, again and again, Mandiant found, though in modified forms, changed just enough to evade detection. (Ukraine's SSSCIP, for its part, declined to confirm whether it has seen the same nine CaddyWiper attacks Mandiant had tracked.

"It's like they've said, ‘We're not gonna build out a fancy multifaceted wiper like NotPetya that can worm on its own. What we need is just something that's really lightweight and easily modifiable and easily deployable,'" says Roncone. "So they're using this not-that-great, does-the-job wiper, which seems like part of shifting their entire tactical strategy to accommodate these fast-paced operations." And while those quick-and-dirty methods may not be as flashy or as innovative as the GRU cyberattacks of the past, they can nonetheless inflict serious digital chaos in a country that needs every resource it has to fend off Russia's invaders.

_Update 12:10 pm EST 11-10-22: Added MSTIC's attribution of the Prestige ransomware attacks on Ukraine and Poland to the GRU's Sandworm group._

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless

Links individual vulnerabilities to those known to have been used in ransomware operations, helping vulnerability management teams prevent potential cyber extortion events with VulnDB.

**NEW YORK, NY – November 9, 2022** **—** Flashpoint, the globally trusted leader in risk intelligence, announced today an industry-first ransomware prediction model that allows vulnerability management teams to improve remediation efforts and prevent cyber extortion events with VulnDB, the most comprehensive vulnerability database available on the market.

According to the U.S. Treasury Department, financial institutions filed $1.2B in ransomware-related costs in 2021, nearly double the amount reported by banks in 2020. In order to help organizations proactively prevent a ransomware attack, Flashpoint’s latest capability enables vulnerability management teams to identify the likelihood that a particular vulnerability could be used in a future ransomware attack.

“The risk of falling victim to a ransomware attack can be radically reduced with the right intelligence,” says Flashpoint General Manager Jake Kouns. “Our ransomware prediction algorithm, coupled with our vulnerability intelligence, is a must-have for security teams that want to remediate vulnerabilities that could help them get in front of a potentially destructive ransomware attack.”

VulnDB covers over 300,000 known vulnerabilities found in end-user software and third-party libraries and dependencies, including over 96,000 vulnerabilities missed by CVE and NVD. For each of those vulnerabilities, including newly disclosed issues, Flashpoint’s ransomware prediction model determines a Ransomware Likelihood rating that’s derived from a combination of factors, including exploit availability, attack type, impact, disclosure patterns, and other characteristics captured by VulnDB. This intelligence is critical to vulnerability management teams who often lack the resources and context they need to efficiently prioritize and patch tens of thousands of vulnerabilities disclosed every year.

To learn more about Flashpoint’s ransomware prediction model and VulnDB, reach out for a free trial.

****About Flashpoint****

Trusted by governments, commercial enterprises, and educational institutions worldwide, Flashpoint helps organizations protect their most critical assets, infrastructure, and stakeholders from security risks such as cyber threats, ransomware, fraud, physical threats, and more. Leading security practitioners—including physical and corporate security, cyber threat intelligence (CTI), vulnerability management, and vendor risk management teams—rely on the Flashpoint Intelligence Platform, comprising open source (OSINT) and closed intelligence, to proactively identify and mitigate risk and stay ahead of the evolving threat landscape. Learn more at flashpoint.io.

Flashpoint Releases Ransomware Prediction Model for Vulnerabilities

By Habiba Rashid
The new campaign highlights the fact that downloading cracked software is bad news.
This is a post from HackRead.com Read the original post: YouTube Tutorial Videos Spreading Vidar and Raccoon Malware

A recent trend picked up by threat actors includes creating **malware and phishing websites** for mass infection. But how do they carry out this? These campaigns are actually being run on YouTube, an all-favorite video streaming website. 

The target audience for these videos are people looking for step-by-step tutorials for downloading cracked versions of popular paid softwares. The video tutorials fool the watchers into installing information stealer malware from the link that is provided in the video description under the guise of helping them crack their desired software. 

Videos used in the malware campaign (Image: Cyble)

But what is an info stealer? It is malicious software that seeks to steal private data from a promised device including passwords, cookies, autofill information from browsers, and cryptocurrency wallet information. 

Info-stealing campaigns have been seen in the past as well where **Pennywise** and **Redline stealer malware** were used. What’s common in these campaigns is that the threat actor hosts the malicious files on a free file hosting platform and thus successfully tricks the user into downloading the files containing malware from a seemingly legitimate website. 

In the case of the YouTube video lure, the threat actor has created phishing pages that mimic legitimate websites which are widely known for providing services to users for downloading various softwares, games, and other tools. 

In the examples of the four campaigns identified by Cyble Research & Intelligence Labs (CRIL) in their report, Vidar stealer malware and RecordBreaker stealer stand out. The researchers have called it a “massive YouTube campaign.”

**Vidar stealer** was first observed in December 2018 and is a variant of the Arkei infostealer. Threat actors can reportedly purchase Vidar in online forums for $250 and it can be used to steal credit cards, usernames, passwords, and files as well as take screenshots of the user’s desktop.

The malware can also steal wallets for cryptocurrencies such as Bitcoin and Ethereum. Vidar also targets two-factor authentication (2FA), an additional security layer for user accounts. 

RecordBreaker stealer also known as the **Raccoon malware** has been offered as malware-as-a-service on various cybercrime forums since the beginning of 2019. The Raccoon Stealer group, however, was disbanded in March 2022 as a result of the death of one of its senior developers in the Ukraine-Russia war.

Raccoon Stealer post on March 25th, 2022 on a Russian hacker forum

But soon after, in June 2022, a new version of the Raccoon stealer surfaced and was identified in the wild by the researchers at Sekoia. Despite being initially named “Recordbreaker”, the malware was soon found to be a revived version of Raccoon stealer. The developer of this malware (**MaaS**) is very active on underground forums, regularly updating the malware and posting about the new feature builds on the forum. 

There is a long list of softwares, games, ROBLOX scripts, cheats, and plugins targeted by the threat actors to deliver stealers and it can be found on Cyble’s blog post **here**.

As we witness an increase in social media scams as of late, we recommend our readers undertake the following practices to keep themselves and their devices safe:

*   Update your passwords after certain periods of time.
*   Use strong passwords for all accounts and enforce 2FA wherever possible.
*   Monitor the beacon on the network level to block data exfiltration by malware or TA.
*   Keep your devices secure by using a reputed antivirus and internet security software package.
*   Never open any untrusted links and email attachments until you have made sure they are authentic. 
*   Do NOT download pirated software from unverified sites. Always double-check that the website you are using is legitimate.

1.  **New YTStealer Malware is Hijacking YouTube Channels**
2.  **YouTube deletes 2 million channels and 51 million videos over scams**
3.  **Google details cookie stealer malware campaign targeting YouTubers**
4.  **OnionPoison – Fake Tor Browser Installer Spreads Malware Via YouTube**
5.  **YouTube scammers impersonated Elon Musk, SpaceX; stole $150k in BTC**

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

YouTube Tutorial Videos Spreading Vidar and Raccoon Malware

Risk-based vulnerability management solutions foster the convergence of risk management and vulnerability management. Andrew Braunberg explains what’s driving the emergence of RBVM.

A change is underway in the vulnerability management market. Traditional vulnerability management solutions are giving way or morphing into a new segment, called risk-based vulnerability management, or RBVM.

Addressing the scale of the vulnerability problem has been a growing concern, as first-generation vulnerability management tools have increasingly overwhelmed users with endless lists of vulnerable assets.

This version of alert fatigue led vendors to examine how a risk-based approach might inform better vulnerability prioritization and response. Instead of trying to figure out how to patch everything faster, RBVM vendors tackle the scale problem by calculating what to patch and what to ignore.

RBVM addresses more than just the scaling problem, however. For example, while legacy internal scanners remain important tools, many of today’s digital assets operate beyond the view of these tools. Similarly, the Common Vulnerability Scoring System (CVSS) is still of value but is now just one of many data points to consider when assessing and prioritizing risk. Modern RBVM solutions leverage what has worked traditionally, while introducing new capabilities, including advanced analytics, as needed, to advance the discipline.

**The Heart of RBVM**

The goal of better understanding and assessing risk is at the heart of RBVM solutions. Not surprisingly, these products are chiefly marketed as providing prioritized risk rankings for vulnerabilities, with the goal of identifying the risk posed by each and determining the next best action.

A related benefit of this risk-based approach is a recognition of which actions can be delayed or ignored altogether. For example, software vulnerabilities can be categorized based on the risk they pose to the organization; those deemed low risk can be put off and addressed as time allows, enabling security and IT operations teams to focus efforts on high-risk vulnerabilities. RBVM solutions, therefore, address both effectiveness and efficiency.

RBVM solutions are designed to leverage existing IT infrastructure. For example, IT service management (ITSM) deployments have become much more prevalent in the last decade and often support patch management features. For RBVM solutions, this means that integration with these existing legacy solutions is often more important than providing an end-to-end vulnerability management solution.

Hence, Omdia believes the most impactful RBVM solutions will not only foster convergence of risk management and vulnerability management but also easily complement and enhance both new and existing enterprise vulnerability management programs.

RBVM is part of a broader rethinking of cybersecurity that emphasizes a more proactive approach to the problems practitioners face. The goal with RBVM is to avoid breaches by eliminating high-risk vulnerabilities, and continuously reducing an organization’s attack surface.

While to be sure, legacy vulnerability management aimed to be proactive as well, RBVM attempts to be both more efficient and effective. RBVM is a topic that enterprises will hear much more about in the months to come.

_Note: Omdia Security Operations Intelligence Service subscribers may read Andrew Braunberg’s full report here: Fundamentals of Risk-Based Vulnerability Management._

Understanding the Rise of Risk-Based Vulnerability Management

A cross-site scripting (XSS) vulnerability in the /panel/fields/add component of Intelliants Subrion CMS version 4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field default value text field.

**Subrion CMS is vulnerable to Cross-Site Scripting (XSS)**

Moderate severity GitHub Reviewed Published Nov 9, 2022 • Updated Nov 9, 2022

GHSA-3wmg-28v9-8hf6: Subrion CMS is vulnerable to Cross-Site Scripting (XSS)

A cross-site scripting (XSS) vulnerability in the CMS Field Add page of Intelliants Subrion CMS in version 4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tooltip text field.

GHSA-jrvr-gmqv-hgrh: Subrion CMS is vulnerable to Cross-Site Scripting (XSS)

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.

**SUMMARY**

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

**CWE**

CWE-284 - Improper Access Control

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The patches introduced for TALOS-2022-1472 and TALOS-2022-1474 were not effective.

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-25932: TALOS-2022-1523 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

One of the ports the httpd protocol listens to is 4444. This port seems to have different purposes. In some APIs it offers more functionalities, in others it is used to managed the APIs in headless mode. But in some APIs, that port is used to trigger some debug code that could perform certain actions outside the scope of the API.

The upload.cgi API will execute mainly two functions: upload.cgi_input that will parse the POST request, and upload.cgi_output that will use the parsed input to perform the actual API request and return the output, if required. The upload.cgi_input function:

    void upload.cgi_input(char* cgi_func_name,uint CONTENT_LENGTH,char *BOUNDARY)
    
    {
      [...]
    
      if ((post == 0) || (BOUNDARY == (char *)0x0)) {
        syslog(4,"not POST or no boundary for multipart upload!");
      }
      else {
        boundary_len = strlen(BOUNDARY);
        if ((int)CONTENT_LENGTH < 0x400000) {
          syslog(7,"wi_upload: %s",cgi_func_name);
          if (gl_server_port != 4444) {                                                                     [1]
            webcgi_init(0,cgi_func_name);                                                                   [2]
          }
        [...]
    }
    

The two main variables that are going to be parsed, and later used in the upload.cgi_output, are type and filename. The upload.cgi_input function is also responsible for creating a temporary file with the content of the provided one. The file /tmp/<provided_filename> is opened and filled with the provided content. The filename variable goes through different checks in order to prevent path traversal vulnerabilities.

Later, in upload.cgi_output, based on the type variable provided, different actions could be performed. Eventually the temporary file created will be removed. The upload.cgi_output function:

    void upload.cgi_output(void)
    
    {
    
      [...]
      type = (char *)webcgi_get("type");
      filename = (char *)webcgi_get("filename");
      [...]
    }
    

The httpd webserver parses some request variables, like the ones specified in the URL. In upload.cgi_input, at [1], it is checked if the request was for the httpd webserver that listens at port 4444. If this is is the case, the already-parsed variables are not removed. This can inject arbitrary values in type and filename variables, bypassing the checks performed in upload.cgi_input. Then the upload.cgi_output will use the parsed variables, without knowing that those were the ones specified in the URL and not parsed by upload.cgi_input. This problem can lead to a delete arbitrary file vulnerability, exploiting the cleanup procedure, due to the upload.cgi_output removing the “temporary” file /tmp/<provided_filename>. Where <provided_filename>, if specified in the URL, is an arbitrary value specified in the filename parameter.

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#intel