Links individual vulnerabilities to those known to have been used in ransomware operations, helping vulnerability management teams prevent potential cyber extortion events with VulnDB.

**NEW YORK, NY – November 9, 2022** **—** Flashpoint, the globally trusted leader in risk intelligence, announced today an industry-first ransomware prediction model that allows vulnerability management teams to improve remediation efforts and prevent cyber extortion events with VulnDB, the most comprehensive vulnerability database available on the market.

According to the U.S. Treasury Department, financial institutions filed $1.2B in ransomware-related costs in 2021, nearly double the amount reported by banks in 2020. In order to help organizations proactively prevent a ransomware attack, Flashpoint’s latest capability enables vulnerability management teams to identify the likelihood that a particular vulnerability could be used in a future ransomware attack.

“The risk of falling victim to a ransomware attack can be radically reduced with the right intelligence,” says Flashpoint General Manager Jake Kouns. “Our ransomware prediction algorithm, coupled with our vulnerability intelligence, is a must-have for security teams that want to remediate vulnerabilities that could help them get in front of a potentially destructive ransomware attack.”

VulnDB covers over 300,000 known vulnerabilities found in end-user software and third-party libraries and dependencies, including over 96,000 vulnerabilities missed by CVE and NVD. For each of those vulnerabilities, including newly disclosed issues, Flashpoint’s ransomware prediction model determines a Ransomware Likelihood rating that’s derived from a combination of factors, including exploit availability, attack type, impact, disclosure patterns, and other characteristics captured by VulnDB. This intelligence is critical to vulnerability management teams who often lack the resources and context they need to efficiently prioritize and patch tens of thousands of vulnerabilities disclosed every year.

To learn more about Flashpoint’s ransomware prediction model and VulnDB, reach out for a free trial.

****About Flashpoint****

Trusted by governments, commercial enterprises, and educational institutions worldwide, Flashpoint helps organizations protect their most critical assets, infrastructure, and stakeholders from security risks such as cyber threats, ransomware, fraud, physical threats, and more. Leading security practitioners—including physical and corporate security, cyber threat intelligence (CTI), vulnerability management, and vendor risk management teams—rely on the Flashpoint Intelligence Platform, comprising open source (OSINT) and closed intelligence, to proactively identify and mitigate risk and stay ahead of the evolving threat landscape. Learn more at flashpoint.io.

Flashpoint Releases Ransomware Prediction Model for Vulnerabilities

By Habiba Rashid
The new campaign highlights the fact that downloading cracked software is bad news.
This is a post from HackRead.com Read the original post: YouTube Tutorial Videos Spreading Vidar and Raccoon Malware

A recent trend picked up by threat actors includes creating **malware and phishing websites** for mass infection. But how do they carry out this? These campaigns are actually being run on YouTube, an all-favorite video streaming website. 

The target audience for these videos are people looking for step-by-step tutorials for downloading cracked versions of popular paid softwares. The video tutorials fool the watchers into installing information stealer malware from the link that is provided in the video description under the guise of helping them crack their desired software. 

Videos used in the malware campaign (Image: Cyble)

But what is an info stealer? It is malicious software that seeks to steal private data from a promised device including passwords, cookies, autofill information from browsers, and cryptocurrency wallet information. 

Info-stealing campaigns have been seen in the past as well where **Pennywise** and **Redline stealer malware** were used. What’s common in these campaigns is that the threat actor hosts the malicious files on a free file hosting platform and thus successfully tricks the user into downloading the files containing malware from a seemingly legitimate website. 

In the case of the YouTube video lure, the threat actor has created phishing pages that mimic legitimate websites which are widely known for providing services to users for downloading various softwares, games, and other tools. 

In the examples of the four campaigns identified by Cyble Research & Intelligence Labs (CRIL) in their report, Vidar stealer malware and RecordBreaker stealer stand out. The researchers have called it a “massive YouTube campaign.”

**Vidar stealer** was first observed in December 2018 and is a variant of the Arkei infostealer. Threat actors can reportedly purchase Vidar in online forums for $250 and it can be used to steal credit cards, usernames, passwords, and files as well as take screenshots of the user’s desktop.

The malware can also steal wallets for cryptocurrencies such as Bitcoin and Ethereum. Vidar also targets two-factor authentication (2FA), an additional security layer for user accounts. 

RecordBreaker stealer also known as the **Raccoon malware** has been offered as malware-as-a-service on various cybercrime forums since the beginning of 2019. The Raccoon Stealer group, however, was disbanded in March 2022 as a result of the death of one of its senior developers in the Ukraine-Russia war.

Raccoon Stealer post on March 25th, 2022 on a Russian hacker forum

But soon after, in June 2022, a new version of the Raccoon stealer surfaced and was identified in the wild by the researchers at Sekoia. Despite being initially named “Recordbreaker”, the malware was soon found to be a revived version of Raccoon stealer. The developer of this malware (**MaaS**) is very active on underground forums, regularly updating the malware and posting about the new feature builds on the forum. 

There is a long list of softwares, games, ROBLOX scripts, cheats, and plugins targeted by the threat actors to deliver stealers and it can be found on Cyble’s blog post **here**.

As we witness an increase in social media scams as of late, we recommend our readers undertake the following practices to keep themselves and their devices safe:

*   Update your passwords after certain periods of time.
*   Use strong passwords for all accounts and enforce 2FA wherever possible.
*   Monitor the beacon on the network level to block data exfiltration by malware or TA.
*   Keep your devices secure by using a reputed antivirus and internet security software package.
*   Never open any untrusted links and email attachments until you have made sure they are authentic. 
*   Do NOT download pirated software from unverified sites. Always double-check that the website you are using is legitimate.

1.  **New YTStealer Malware is Hijacking YouTube Channels**
2.  **YouTube deletes 2 million channels and 51 million videos over scams**
3.  **Google details cookie stealer malware campaign targeting YouTubers**
4.  **OnionPoison – Fake Tor Browser Installer Spreads Malware Via YouTube**
5.  **YouTube scammers impersonated Elon Musk, SpaceX; stole $150k in BTC**

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

YouTube Tutorial Videos Spreading Vidar and Raccoon Malware

Risk-based vulnerability management solutions foster the convergence of risk management and vulnerability management. Andrew Braunberg explains what’s driving the emergence of RBVM.

A change is underway in the vulnerability management market. Traditional vulnerability management solutions are giving way or morphing into a new segment, called risk-based vulnerability management, or RBVM.

Addressing the scale of the vulnerability problem has been a growing concern, as first-generation vulnerability management tools have increasingly overwhelmed users with endless lists of vulnerable assets.

This version of alert fatigue led vendors to examine how a risk-based approach might inform better vulnerability prioritization and response. Instead of trying to figure out how to patch everything faster, RBVM vendors tackle the scale problem by calculating what to patch and what to ignore.

RBVM addresses more than just the scaling problem, however. For example, while legacy internal scanners remain important tools, many of today’s digital assets operate beyond the view of these tools. Similarly, the Common Vulnerability Scoring System (CVSS) is still of value but is now just one of many data points to consider when assessing and prioritizing risk. Modern RBVM solutions leverage what has worked traditionally, while introducing new capabilities, including advanced analytics, as needed, to advance the discipline.

**The Heart of RBVM**

The goal of better understanding and assessing risk is at the heart of RBVM solutions. Not surprisingly, these products are chiefly marketed as providing prioritized risk rankings for vulnerabilities, with the goal of identifying the risk posed by each and determining the next best action.

A related benefit of this risk-based approach is a recognition of which actions can be delayed or ignored altogether. For example, software vulnerabilities can be categorized based on the risk they pose to the organization; those deemed low risk can be put off and addressed as time allows, enabling security and IT operations teams to focus efforts on high-risk vulnerabilities. RBVM solutions, therefore, address both effectiveness and efficiency.

RBVM solutions are designed to leverage existing IT infrastructure. For example, IT service management (ITSM) deployments have become much more prevalent in the last decade and often support patch management features. For RBVM solutions, this means that integration with these existing legacy solutions is often more important than providing an end-to-end vulnerability management solution.

Hence, Omdia believes the most impactful RBVM solutions will not only foster convergence of risk management and vulnerability management but also easily complement and enhance both new and existing enterprise vulnerability management programs.

RBVM is part of a broader rethinking of cybersecurity that emphasizes a more proactive approach to the problems practitioners face. The goal with RBVM is to avoid breaches by eliminating high-risk vulnerabilities, and continuously reducing an organization’s attack surface.

While to be sure, legacy vulnerability management aimed to be proactive as well, RBVM attempts to be both more efficient and effective. RBVM is a topic that enterprises will hear much more about in the months to come.

_Note: Omdia Security Operations Intelligence Service subscribers may read Andrew Braunberg’s full report here: Fundamentals of Risk-Based Vulnerability Management._

Understanding the Rise of Risk-Based Vulnerability Management

A cross-site scripting (XSS) vulnerability in the /panel/fields/add component of Intelliants Subrion CMS version 4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field default value text field.

**Subrion CMS is vulnerable to Cross-Site Scripting (XSS)**

Moderate severity GitHub Reviewed Published Nov 9, 2022 • Updated Nov 9, 2022

GHSA-3wmg-28v9-8hf6: Subrion CMS is vulnerable to Cross-Site Scripting (XSS)

A cross-site scripting (XSS) vulnerability in the CMS Field Add page of Intelliants Subrion CMS in version 4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tooltip text field.

GHSA-jrvr-gmqv-hgrh: Subrion CMS is vulnerable to Cross-Site Scripting (XSS)

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.

**SUMMARY**

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

**CWE**

CWE-284 - Improper Access Control

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The patches introduced for TALOS-2022-1472 and TALOS-2022-1474 were not effective.

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-25932: TALOS-2022-1523 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

One of the ports the httpd protocol listens to is 4444. This port seems to have different purposes. In some APIs it offers more functionalities, in others it is used to managed the APIs in headless mode. But in some APIs, that port is used to trigger some debug code that could perform certain actions outside the scope of the API.

The upload.cgi API will execute mainly two functions: upload.cgi_input that will parse the POST request, and upload.cgi_output that will use the parsed input to perform the actual API request and return the output, if required. The upload.cgi_input function:

    void upload.cgi_input(char* cgi_func_name,uint CONTENT_LENGTH,char *BOUNDARY)
    
    {
      [...]
    
      if ((post == 0) || (BOUNDARY == (char *)0x0)) {
        syslog(4,"not POST or no boundary for multipart upload!");
      }
      else {
        boundary_len = strlen(BOUNDARY);
        if ((int)CONTENT_LENGTH < 0x400000) {
          syslog(7,"wi_upload: %s",cgi_func_name);
          if (gl_server_port != 4444) {                                                                     [1]
            webcgi_init(0,cgi_func_name);                                                                   [2]
          }
        [...]
    }
    

The two main variables that are going to be parsed, and later used in the upload.cgi_output, are type and filename. The upload.cgi_input function is also responsible for creating a temporary file with the content of the provided one. The file /tmp/<provided_filename> is opened and filled with the provided content. The filename variable goes through different checks in order to prevent path traversal vulnerabilities.

Later, in upload.cgi_output, based on the type variable provided, different actions could be performed. Eventually the temporary file created will be removed. The upload.cgi_output function:

    void upload.cgi_output(void)
    
    {
    
      [...]
      type = (char *)webcgi_get("type");
      filename = (char *)webcgi_get("filename");
      [...]
    }
    

The httpd webserver parses some request variables, like the ones specified in the URL. In upload.cgi_input, at [1], it is checked if the request was for the httpd webserver that listens at port 4444. If this is is the case, the already-parsed variables are not removed. This can inject arbitrary values in type and filename variables, bypassing the checks performed in upload.cgi_input. Then the upload.cgi_output will use the parsed variables, without knowing that those were the ones specified in the URL and not parsed by upload.cgi_input. This problem can lead to a delete arbitrary file vulnerability, exploiting the cleanup procedure, due to the upload.cgi_output removing the “temporary” file /tmp/<provided_filename>. Where <provided_filename>, if specified in the URL, is an arbitrary value specified in the filename parameter.

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-29888: TALOS-2022-1522 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2022, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.45
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
    Router>
    

The Router console contains a command, called support, that is not listed among the available functionalities. This is probably a leftover debug code. This command allows to enable or disable the inhand command, leading to enable advisory TALOS-2022-1477 again.

**Exploit Proof of Concept**

The command allows to enable the inhand command in the router console, specifying enable as argument:

    Router> inhand
    Router> support
    0*wsuppP�)w
    ================================================
    Arguments:
    enable
    disable
    Router> support enable
    Router> inhand
    input password:
    

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-28689: TALOS-2022-1521 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the console verify functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the console verify functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2022, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.45
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
    Router>
    

The Router console contains a command, called verify, that is not listed among the available functionalities. This is probably a leftover debug code. This command allows to enable or disable the firmware signature verification, leading to enabling advisory TALOS-2022-1495 again.

**Exploit Proof of Concept**

The command allows to disable the firmware signature verification, specifying disable as argument:

    Router> verify
    0*wveriP�)w
    ================================================
    Arguments:
      enable
      disable
    Router> verify disable
    

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-26023: TALOS-2022-1520 || Cisco Talos Intelligence Group

An out-of-bounds write vulnerability exists in the PICT parsing pctwread_14841 functionality of Accusoft ImageGear 20.0. A specially-crafted malformed file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

Tag

#intel