With speculative execution attacks remaining a stubbornly persistent vulnerability ailing modern processors, new research has highlighted an "industry failure" to adopting mitigations released by AMD and Intel, posing a firmware supply chain threat.
Dubbed FirmwareBleed by Binarly, the information leaking assaults stem from the continued exposure of microarchitectural attack surfaces on the part

With speculative execution attacks remaining a stubbornly persistent vulnerability ailing modern processors, new research has highlighted an "industry failure" to adopting mitigations released by AMD and Intel, posing a firmware supply chain threat.

Dubbed **FirmwareBleed** by Binarly, the information leaking assaults stem from the continued exposure of microarchitectural attack surfaces on the part of enterprise vendors either as a result of not correctly incorporating the fixes or only using them partially.

"The impact of such attacks is focused on disclosing the content from privileged memory (including protected by virtualization technologies) to obtain sensitive data from processes running on the same processor (CPU)," the firmware protection firm said in a report shared with The Hacker News.

"Cloud environments can have a greater impact when a physical server can be shared by multiple users or legal entities."

In recent years, implementations of speculative execution, an optimization technique that predicts the outcome and target of branch instructions in a program's execution pipeline, have been deemed susceptible to Spectre\-like attacks on processor architectures, potentially enabling a threat actor to leak cryptographic keys and other secrets.

This works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to an unprivileged application and then extracting the data after the operation is undone following a misprediction.

A key countermeasure to prevent the harmful effects of speculative execution is a software defense known as retpoline (aka "Return Trampoline"), which was introduced in 2018.

Although recent findings such as Retbleed have conclusively shown that retpoline by itself is insufficient against stopping such attacks in certain scenarios, the latest analysis shows a lack of consistency in even applying these mitigations in the first place.

Specifically, it takes aim at a best practice called Return Stack Buffer (RSB) stuffing introduced by Intel to avoid underflows when using retpoline. RSBs are address predictors for return (aka RET) instructions.

"Certain processors may use branch predictors other than the Return Stack Buffer (RSB) when the RSB underflows," Intel notes in its documentation. "This might impact software using the retpoline mitigation strategy on such processors."

"On processors with different empty RSB behavior, \[System Management Mode\] code should stuff the RSB with CALL instructions before returning from SMM to avoid interfering with non-SMM usage of the retpoline technique."

Intel is also recommending RSB stuffing as a mechanism to thwart buffer underflow attacks like Retbleed, alternatively urging vendors to "set \[Indirect Branch Restricted Speculation\] before RET instructions at risk of underflow due to deep call stacks."

The Binarly research, however, has identified as many as 32 firmware from HP, 59 from Dell, and 248 from Lenovo as having not included the RSB stuffing patches, underscoring a "failure in the firmware supply chain."

What's more, the deep code analysis has unearthed instances wherein mitigation was present in the firmware, but contained implementation mistakes that spawned security issues of its own, even in updates released in 2022 and for devices featuring the recent generation of hardware.

"Firmware supply chain ecosystems are quite complex and often contain repeatable failures when it comes to applying new industry-wide mitigations or fixing reference code vulnerabilities," the researchers said. "Even if a mitigation is present in the firmware, it doesn't mean it is applied correctly without creating security holes."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Study Finds Most Enterprise Vendors Failing to Mitigate Speculative Execution Attacks

For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route malicious traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. The proxy service says its network is made up entirely of users who voluntarily install the proxy software. But new research shows 911 has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.

The 911 service as it exists today.

For the past seven years, an online service known as **911** has sold access to hundreds of thousands of **Microsoft Windows** computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.

911\[.\]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

The current prices for 911’s proxies.

Researchers at the **University of Sherbrooke** in Canada recently published an analysis of 911, and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.

“The 911\[.\]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that \[use\] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”

A depiction of the Proxygate service. Image: University of Sherbrooke.

The researchers concluded that 911 is supported by a “mid scale botnet-like infrastructure that operates in several networks, such as corporate, government and critical infrastructure.” The Canadian team said they found many of the 911 nodes available for rent were situated within several major US-based universities and colleges, critical infrastructures such as clean water, defense contractors, law enforcement and government networks.

Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the 911.re user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

911 did not respond to multiple requests for comment on this research. A person who responded to an instant message sent to the address listed on its homepage said they could only discuss technical issues with the software.

The 911 user interface, as it existed when the service first launched in 2016.

**THE INTERNET NEVER FORGETS**

A review of the clues left behind by 911’s early days on the Internet paint a more complete picture of this long-running proxy network. The domain names used by 911 over the years have a few common elements in their original WHOIS registration records, including the address **ustraffic@qq.com** and a **Yunhe Wang** from Beijing.

That ustraffic email is tied to a small number of interesting domains, including **browsingguard\[.\]com**, **cleantraffic\[.\]net**, **execlean\[.\]net**, **proxygate\[.\]net**, and **flashupdate\[.\]net**.

A cached copy of flashupdate\[.\]net available at the Wayback Machine shows that in 2016 this domain was used for the “**ExE Bucks**” affiliate program, a pay-per-install business which catered to people already running large collections of hacked computers or compromised websites. Affiliates were paid a set amount for each installation of the software, with higher commissions for installs in more desirable nations, particularly Europe, Canada and the United States.

“We load only one software — it’s a Socks5 proxy program,” read the message to ExE Bucks affiliates. The website said affiliates were free to spread the proxy software by any means available (i.e. “all promotion methods allowed”). The website’s copyright suggests the ExE Bucks affiliate program dates back to 2012.

A cached copy of flashupdate\[.\]net circa 2016, which shows it was the home of a pay-per-install affiliate program that incentivized the silent installation of its software. “FUD” in the ad above refers to software and download links that are “Fully UnDetectable” as suspicious or malicious by all antivirus software.

Another domain tied to the ustraffic@qq.com email in 2016 was **ExeClean\[.\]net**, a service that advertised to cybercriminals seeking to obfuscate their malicious software so that it goes undetected by all or at least most of the major antivirus products on the market.

“Our technology ensures the maximum security from reverse engineering and antivirus detections,” ExEClean promised.

The Exe Clean service made malware look like goodware to antivirus products.

Yet another domain connected to the ustraffic email is **p2pshare\[.\]net**, which advertised “free unlimited internet file-sharing platform” for those who agreed to install their software.

p2pshare.net, which bundled 911 proxy with an application that promised access to free unlimited internet file-sharing.

Still more domains associated with ustraffic@qq.com suggest 911’s proxy has been disguised as security updates for video player plugins, including flashplayerupdate\[.\]xyz, mediaplayerupdate\[.\]xyz, and videoplayerupdate\[.\]xyz.

The earliest version of the 911 website available from the Wayback Machine is from 2016. A sister service called **proxygate\[.\]ne**t launched roughly a year prior to 911 as a “free” public test of the budding new residential proxy service. “Basically using clients to route for everyone,” was how Proxygate described itself in 2016.

For more than a year after its founding, the 911 website was written entirely in Simplified Chinese. The service has only ever accepted payment via virtual currencies such as **Bitcoin** and **Monero**, as well as **Alipay** and **China UnionPay**, both payment platforms based in China.

Initially, the terms and conditions of 911’s “End User License Agreement (EULA) named a company called **Wugaa Enterprises LLC**, which was registered in California in 2016. Records from the California Secretary of State office show that in November 2016, Wugaa Enterprises said it was in the Internet advertising business, and had named as its CEO as one **Nicolae Aurelian Mazgarean** of Brasov, Romania.

A search of European VAT numbers shows the same Brasov, RO address tied to an enterprise called **PPC Leads SRL** (in the context of affiliate-based marketing, “PPC” generally refers to the term “pay-per-click”).

911’s EULA would later change its company name and address in 2017, to **International Media Ltd**. in the British Virgin Islands. That is the same information currently displayed on the 911 website.

The EULA attached to 911 software downloaded from **browsingguard\[.\]com** (tied to the same ustraffic@qq email that registered 911) references a company called **Gold Click Limited**. According to the UK Companies House, Gold Click Limited was registered in 2016 to a 34-year-old **Yunhe Wang** from Beijing City. Many of the WHOIS records for the above mentioned domains also include the name Yunhe Wang, or some variation thereof.

**FORUM ACTIVITY?**

911 has remained one of the most popular services among denizens of the cybercrime underground for years, becoming almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose credit card they’re about to charge at some website, or whose bank account they’re about to empty.

Given the frequency with which 911 has been praised by cybercrooks on the top forums, it was odd to find the proprietors of 911 do not appear to have created any official support account for the service on any of several dozen forums reviewed by this author going back a decade. However there are two cybercriminal identities on the forums that have responded to individual 911 help requests, and who promoted the sale of 911 accounts via their handles.

Both of these identities were active on the crime forum **fl.l33t\[.\]su** between 2016 and 2019. The user “**Transfer**” advertised and sold access to 911 from 2016 to 2018, amid many sales threads where they advertised expensive electronics and other consumer goods that were bought online with stolen credit cards.

In a 2017 discussion on **fl.l33t\[.\]su**, the user who picked the handle “**527865713**” could be seen answering private messages in response to help inquiries seeking someone at 911. That identity is tied to an individual who for years advertised the ability to receive and relay large wire transfers from China.

One ad from this user in 2016 offered a “China wire service” focusing on Western Union payments, where “all transfers are accepted in China.” The service charged 20 percent of all “scam wires,” unauthorized wire transfers resulting from bank account takeovers or scams like CEO impersonation schemes.

**911 TODAY**

In August 2021, 911’s biggest competitor — a 15-year-old proxy network built on malware-compromised PCs called **VIP72** — abruptly closed up shop. Almost overnight, an overwhelming number of former VIP72 customers began shifting their proxy activities to 911.

The login page for VIP72, until recently 911’s largest competitor.

That’s according to **Riley Kilmer**, co-founder of Spur.us — a security company that monitors anonymity services. Kilmer said 911 also gained an influx of new customers after the Jan. 2022 closure of LuxSocks, another malware-based proxy network.

“911’s user base skyrocketed after VIP72 and then LuxSocks went away,” Kilmer said. “And it’s not hard to see why. 911 and VIP72 are both Windows-based apps that operate in a similar way, where you buy private access to IPs.”

Kilmer said 911 is interesting because it appears to be based in China, while nearly all of the other major proxy networks are Russian-backed or Russian-based.

“They have two basic methods to get new IPs,” Kilmer said. “The free VPN apps, and the other is trojanized torrents. They’ll re-upload Photoshop and stuff like that so that it’s backdoored with the 911 proxy. They claim the proxy is bundled with legitimate software and that users all agree to their Terms of Service, meanwhile they can hide behind the claim that it was some affiliate who installed the software, not them.”

Kilmer said at last count, 911 had nearly 200,000 proxy nodes for sale, spanning more than 200 countries: The largest geographic concentration is the United States, where more than 42,000 proxies are currently for rent by the service.

**PARTING THOUGHTS**

Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

I’ve largely avoided wading into the fray about which VPN services are best, but there are so many shady and just plain bad ones out there that I’d be remiss if I didn’t mention one VPN provider whose business practices and transparency of operation consistently distinguish them from the rest. If maintaining your privacy and anonymity are primary concerns for you as a VPN user, check out Mullvad.net.

Let me make clear that KrebsOnSecurity does not have any financial or business ties to this company (for the avoidance of doubt, this post doesn’t even link to them). I mention it only because I’ve long been impressed with their candor and openness, and because Mullvad goes out of its way to discourage customers from sharing personal or financial data.

To that end, Mullvad will even accept mailed payments of cash to fund accounts, quite a rarity these days. More importantly, the service doesn’t ask users to share phone numbers, email addresses or any other personal information. Nor does it require customers to create passwords: Each subscription can be activated just by entering a Mullvad account number (woe to those who lose their account number).

I wish more companies would observe this remarkably economical security practice, which boils down to the mantra, “You don’t have to protect what you don’t collect.”

A Deep Dive Into the Residential Proxy Service ‘911’

AI's potential for automating security has promise, but there are miles to go in establishing decision-making boundaries.

Would you let a child drive a car? I imagine that most people would think that is reckless and dangerous. However, what if the car were affixed to guardrails that limited its movement so that it can only move within certain bounds inside an amusement park?  

Allowing the current generation of artificial intelligence (AI) technologies to make decisions and take actions on our behalf is like having a 5-year-old take a car out for a joyride, but without the appropriate guardrails to prevent a terrible accident or an incident with potentially irreversible consequences.

Security professionals are often led to believe that AI, machine learning, and automation will revolutionize our security practices and allow us to automate security, perhaps even achieve a state of "autonomic security." But what does that really mean and what unintended consequences might we encounter? What guardrails should we consider that are commensurate with the "age" of AI?

To understand what we are getting ourselves into and the appropriate guardrails for security use cases, let us consider the following three questions.

*   How do AI/ML, decision-making, and automation relate to one another?
*   How mature are our AI/ML and automated decision-making capabilities?
*   How mature do they need to be for security?

To answer each of these questions, we can examine a combination of three frameworks: the OODA loop, DARPA's Three Waves of AI, and Classical Education.

**OODA Loop  
**The OODA loop stands for Observe, Orient, Decide, Act, but let's use a slightly modified version:

*   Sensing
*   Sense-making
*   Decision-making
*   Acting

Within this framework, AI/ML (sense-making) is distinct from automation (acting) and connected by a decision-making function. Autonomic means involuntary or unconscious. In the context of this framework, autonomic could mean either skipping sense-making and decision-making (e.g., involuntary stimulus-response reflexes) or skipping just decision-making (e.g., unconscious breathing). In either case, something that is autonomic skips decision-making.

**DARPA's Three Waves of AI  
**DARPA's framework defines the advancement of AI through several waves (describe, categorize, and explain). The first wave takes handcrafted knowledge of experts and codifies it into software to provide deterministic outcomes. The second wave involves statistical learning systems, enabling pattern recognition and self-driving cars. This wave produces results that are statistically impressive but also individually unreliable.

For the errant results, these systems have minimal reasoning capabilities and thus they cannot explain why it produces incorrect results from its sense-making. At DARPA's third wave, AI is able to provide explanatory models that enable us to understand how and why any sense-making mistakes are made. This understanding helps increase our trust in its sense-making capabilities.

According to DARPA, we haven't reached this third wave yet. Current ML capabilities can give us answers that are often correct, but they're not mature enough to tell us how or why they arrived at their answers when they're incorrect. Mistakes in security systems leveraging AI can have consequential outcomes, so root cause analysis is critically important to understand the reason behind these failures. However, we do not get any explanation of the "how" and "why" with results produced by the second wave.

**Classical Education  
**Our third framework is the Classical Education Trivium, which describes three learning stages in child development. At the elementary school stage, children focus on memorizing facts and learning about structures and rules. At the dialectic stage in middle school, they focus on connecting related topics and explaining how and why. Finally, in the rhetoric stage of high school, students integrate subjects, reason logically, and persuade others.

If we expect children to be able to explain how and why at middle school (somewhere around the ages of 10 to 13), that suggests that the current generation of AI, which lacks the ability to explain, isn't past the elementary stage! It has the cognitive maturity of a child that is less than 10 years old (and some suggest significantly younger.)  

With autonomic security, we're skipping decision-making. But if we were to have the current generation of AI do the decision-making for us, we must recognize that we're dealing with a system that has the decision-making capacity of an immature child. Are we ready to let these systems make decisions on our behalf without proper guardrails?

**Need for Guardrails  
**The march toward automated and autonomic security will undoubtedly continue. However, with some guardrails, we can minimize the carnage that would otherwise ensue. Here are points for consideration:

*   **Sensor diversity**: Ensure sensor sources are trustworthy and reliable, based on multiple sources of truth.
*   **Bounded conditions**: Ensure decisions are highly deterministic and narrowly scoped.
*   **Established thresholds**: Know when the negative repercussions of action might exceed the costs of inaction when something goes wrong.
*   **Algorithmic integrity**: Ensure that the entire process and all assumptions are well-documented and understood by the operators.
*   **Brakes and reverse gear**: Have a kill switch ready if it goes beyond the scope and make the action immediately reversible.
*   **Authorities and accountabilities**: Have pre-established authorities for taking action and accountabilities for outcomes.

Allowing a child to drive a car without proper guardrails would be irresponsible. Let's make sure that we have well thought-out guardrails for AI-driven security before we let our immature machines take the wheel.

Building Guardrails for Autonomic Security

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.

French security researcher Maxime Ingrao of cybersecurity firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages,. according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Ingrao said he discovered eight applications on the site spreading Autolycos since June 2021 that had racked up several million downloads. The cybercriminals behind Autolycos are using Facebook pages and running ads on Facebook and Instagram to promote the malware, he said.

“For example, there were 74 ad campaigns for Razer Keyboard & Theme malware,” Ingrao tweeted in one of a series of follow-up posts describing how the malware works.

****Joker Rides Again****

Ingrao compared the malware to Joker, a spyware discovered in 2019 that also secretly subscribed people to premium services and stole SMS messages, among other nefarious activities.

Indeed, upon further examination, researchers from Malwarebytes believe the malware is a new variant of Joker–what Malwarebytes refers to as “Android/Trojan.Spy.Joker–Malwarebytes intelligence researcher Pieter Artnz said in a post published a day after Ingrao’s revelation.

Joker was the first major malware families hat specialized in in fleeceware, according to Malwarebytes. The trojan would hide in the advertisement frameworks utilized by the malicious apps propagating it; these frameworks aggregate and serve in-app ads.

After the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background, such as stealing SMSes and contact lists as well as performing ad fraud and signing people up for subscriptions without their knowledge.

****Difference in Execution****

One difference between the original Joker and Autolycos, however, was pointed out by Ingrao.”No webview like #Joker but only http requests,” he tweeted.

“It retrieves a JSON (Java Script Object Notation) on the C2 address: 68.183.219.190/pER/y,” Ingrao said of Autolycos in a tweet. “It then executes the URLs, for some steps it executes the URLs on a remote browser and returns the result to include it in the requests.”

Malwarebytes’ Artnz also explained this difference further in his post. While Joker used webviews—or a piece of Web content, such as “a tiny part of the app screen, a whole page, or anything in between”—to do its dirty week, Autolycos avoids this by executing URLs on a remote browser and then including the result in HTTP requests, he wrote.

This helps Autolycos evade detection even more adeptly than the original Joker, according to Malwarebytes’ Artnz said. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on,” he wrote.

****Lag Time in Discovery and App Removal****

The eight apps in which Ingrao discovered Autolycos are:

*   Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
*   Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
*   Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
*   Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
*   Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
*   Coco Camera v1.1 (com.toomore.cool.camera) –  1,000 downloads
*   Funny Camera by KellyTech –  500,000 downloads
*   Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads.

While Ingrao discovered the offending apps in July 2021 and reported them to Google quickly, he told BleepingComputer that the company took six months to remove six of the apps. Moreover, Google only finally removed the last two on July 13, according to Malwarebytes.

Artnz was critical of the lag time between discovery and removal, though he did not speculate as to the reason why, noting only that “the small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store.”

“It’s possible \[the malicious apps\] would still be available if the researcher hadn’t gone public because he said he got tired of waiting,” Artnz wrote.

Google did not immediately respond to request for comment on Monday. Indeed, the company has a storied history of struggling to keep malicious apps—in particular fleeceware-\-off its mobile app store for the Android platform.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

Google Boots Multiple Malware-laced Android Apps from Marketplace

An issue was discovered in Infiray IRAY-A8Z3 1.0.957. There is a blank root password for TELNET by default.

The IRAY A8Z3 thermal camera for industrial application, manufactured by Infiray/IRay Technologies is affected by multiple vulnerabilities. These are a direct consequence of insecure coding practices, insecure configuration and outdated software components within the embedded firmware. Multiple attack vectors were found that will result in remote code execution (RCE). The vendor did not reply anymore to our communication attempts, hence it is unclear whether patches are available.

**Vendor description**

_"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops and manufactures infrared FPA detectors, thermal imaging modules, and other products, with completely independent intellectual property rights. We are committed to providing global customers with professional thermal imaging products and solutions. The main products include IRFPA detectors, thermal imaging cores, and terminal products for application."_ 

Source: http://www.infiray.com/about.html

**Business recommendation**

The vendor was unresponsive during the disclosure process. Hence it is unclear whether patches are available. Customers are urged to approach their vendor contact and request security reviews and updates. 

SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. 

**Vulnerability overview/description****1) Hardcoded Web Credentials (CVE-2022-31210) **

The binary file "/usr/local/sbin/webproject/set\_param.cgi" contains hardcoded credentials to the web application. As these accounts cannot be deactivated or change their passwords, they are considered to be backdoor accounts. 

**2) Authenticated Remote Code Execution (CVE-2022-31208) **

The webserver contains an endpoint that can execute arbitrary commands by manipulating the "cmd\_string" URL parameter. The user can login using one of the backdoor accounts from issue 1. 

**3) Potential Buffer Overflow (CVE-2022-31209) **

The firmware contains a potential buffer overflow by calling strcpy() without checking the string length beforehand. 

**4) Telnet Root Shell without Password (CVE-2022-31211) **

The camera offers a shell through a telnet connection. The root user does not require a password per default. Thus, anyone on the local network can execute arbitrary commands as root on the camera. 

**5) Multiple Outdated Software Components **

Multiple outdated software components containing vulnerabilities were found by the IoT Inspector (ONEKEY) firmware analysis platform.  

**Proof of concept****1) Hardcoded Web Credentials (CVE-2022-31210) **

The following cgi program will be executed during the login process: 

    http ://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge&set_cmd=loading&length=35&name=<user>&password=<password>&access=0&0.3543773172371312 

The following de-compilation shows the code flow with the hardcoded passwords: 

    [ PoC removed ] 

The authentication works by comparing the URL supplied username with the string **"\[removed\]".** Afterwards it will compare the password parameter to **"\[removed\]"** as well. If both string parameters match, a message will be removed from the messaging queue. Otherwise the function will just return. The same comparison holds for the admin account. 

Furthermore, string comparisons are made without checking the case. Hence, drastically improving the chances of brute-force attacks. 

**2) Authenticated Remote Code Execution (CVE-2022-31208) **

The web application offers an option to view the device log. Opening following URL while logged in as admin (e.g. with hardcoded password from section 1) will trigger the request: 

    http ://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd\_string" parameter, arbitrary commands can be executed with the rights of the webserver (www-data). The de-compiled code can be seen in following snippet: 

    [ PoC removed ] 

The "cmd\_string" parameter is directly passed into popen() and hence executed. 

**3) Potential Buffer-Overflow (CVE-2022-31209) **

The firmware contains a potential buffer overflow vulnerability: 

    [ PoC removed ] 

A pointer to the "next\_url" parameter is supplied. A buffer of 64 bytes is allocated and the parameter value copied to it without checking the string length. Hence, a "next\_url" parameter with more than 64 bytes could be supplied in order to overflow the buffer. Please note that this vulnerability is only based on firmware analysis and thus was not tested in a live scenario. 

**4) Telnet Root Shell without Password (CVE-2022-31211) **

The camera has a telnetd server running on port 23 per default. The root password is empty. If the telnet port is exposed to the internet, an attacker could easily connect to the device and gain root access. The telnet server cannot be deactivated and the root password cannot be changed through the web interface. 

**5) Multiple Outdated Software Components **

IoT Inspector (ONEKEY) recognized multiple outdated software components with known vulnerabilities:

    BusyBox 1.25.0:                                  6 CVEs 
    curl 7.54.0:                                    13 CVEs 
    Dnsmasq 2.76:                                    9 CVEs 
    lighttpd 1.4.41:                                 2 CVEs 
    Linux Kernel 3.10.104:                        1004 CVEs 
    hostapd 2.5:                                    22 CVEs 
    wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs 

**Vulnerable / tested versions**

The following product/firmware version has been tested: 

*   Infiray IRAY-A8Z3 V1.0.957 

It has to be assumed that further products or firmware versions are affected as well. 

**Vendor contact timeline**

CVE-2022-31211: Multiple Vulnerabilities in Infiray IRAY-A8Z3 thermal camera

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Amazon Handed Ring Videos to Cops Without Warrants

By Deeba Ahmed
The Vault 7 leak included trojans, viruses, malware, zero-day exploits, malware remote control systems, and related documents dating…
This is a post from HackRead.com Read the original post: CIA Whistleblower Found Guilty of Leaking Vault 7 Documents to WikiLeaks

A Manhattan federal court jury has convicted Joshua Schulte for leaking Vault 7 related sensitive documents and other classified US intelligence malware tools. As reported by Hackread.com in May 2018, the ex-CIA software engineer was detained at the Metropolitan Detention Center until the trial.

Joshua A. Schulte

**Trial Details**

Schulte defended himself during the trial. However, the jury found him guilty on 8 espionage charges and an additional obstruction charge. The jury deliberated for three days before announcing the verdict.

Schulte may get up to 80 years sentence. As per a statement from US Attorney Damian Williams, Joshua Schulte was convicted for one of the most “damaging” and “brazen” espionage acts in the history of the US.

Furthermore, Williams stated that Schulte’s actions had a “devastating effect” on US intelligence by offering “critical intelligence” to anti-US actors.

**The Infamous Vault 7 Leaks**

The 33-year-old Joshua is a former software engineer/programmer convicted for leaking sensitive documents, several top-secret hacking tools, and exploits dubbed Vault 7. It is worth noting that the Vault 7 leak included trojans, viruses, malware, zero-day exploits, malware remote control systems, and related documents dating from 2013 to 2016.

The documents, as seen by Hackread.com, also exposed how the CIA targets unsuspected individuals and businesses by exploiting vulnerabilities in a targeted system. The list of CIA’s targets, according to the Vault 7 leak, included the following:

*   iPhones (report)
*   Notepads (report)
*   Smart TVs (report)
*   Mac devices (report)
*   Video players (report)
*   Linux devices (report)
*   Web browsers (report)
*   Air-gapped PCs (report)
*   Security cameras (report)
*   Android smartphones (report)
*   Windows-based computers (report)
*   Microphones and Webcams (report)
*   Trucks and other Internet-connected devices (report)

According to WikiLeaks, these documents exposed “the entire hacking capacity of the CIA.”

The documents and tools in discussion were published by WikiLeaks on their website under the handle of Vault 7 on on 7 March 2017. These documents contained a trove of 8,000 documents and 943 attachments showing how the CIA developed tools to hack their targets and turn them into spying devices.

Schulte was arrested on 24 August 2017 and charged with unauthorized disclosure of confidential information and stealing classified material in June 2018. He is also facing separate charges over alleged possession of child pornography.

In conclusion, although Schulte has been convicted, the Vault 7 leaks shed light on the CIA’s extensive and invasive surveillance capabilities which concern all Americans and people/businesses around the world.

CIA Whistleblower Found Guilty of Leaking Vault 7 Documents to WikiLeaks

Joshua Schulte has been convicted for his role in the Vault 7 Wikileaks data dump that exposed invasive US cyber intelligence tactics.

Joshua Schulte, a former CIA programmer, has been found guilty by a jury in a Manhattan, NY court for stealing the trove of classified data on US cyber espionage that was exposed in the Vault 7 Wikileaks data dump.

Schulte, 33, was convicted of stealing and revealing secrets, including details about how the CIA used malware to compromise mobile phones and smart devices to spy on targets. The verdict was reported by Courthouse News Service, which said that in addition to the conviction on nine counts of stealing classified documents, Schulte has unrelated charges pending for child pornography. Altogether, he faces up to 80 years in prison.

A 2020 trial for Schulte ended with a deadlocked jury and a mistrial. Schulte opted to represent himself in the most recent proceedings, according to Courthouse News.

Schulte was first named as a suspect in the Vault 7 Wikileaks release in 2018. The cache of cyber spy secrets including zero-day vulnerabilities in Android, iOS, and Windows, along with known bugs in routers, smart TVs, and smart vehicles that were allegedly being exploited for spycraft by the CIA.

In a 2017 statement released along with the Vault 7 files, Wikileaks had bragged, "This extraordinary collection ... gives the entire hacking capacity of the CIA."

Federal prosecutors who charged Schulte agreed.

US Attorney Damian Williams said in reaction to the verdict that it was "one of the most brazen and damaging acts of espionage in American history."

Prosecutors described Schulte as a disgruntled employee motivated by petty revenge against the CIA. "Schulte was aware that the collateral damage of his retribution could pose an extraordinary threat to this nation if made public, rendering them essentially useless, having a devastating effect on our intelligence community by providing critical intelligence to those who wish to do us harm," Williams said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ex-CIA Programmer Found Guilty of Stealing Vault 7 Data, Giving It to Wikileaks

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

Microsoft researchers have linked an emerging ransomware threat that already has compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since last year.

A group tracked by researchers from Microsoft Threat Intelligence Center (MSTIC) as DEV-0530 but that calls itself H0lyGh0st has been developing and using ransomware in attacks since June 2021.

The group has successfully compromised small-to-mid-sized businesses—including manufacturing organizations, banks, schools, and event and meeting planning companies—in multiple countries starting as early as September, researchers from MTIC and Microsoft Digital Security Unit (MDSU) said in a blog post published Thursday.

H0lyGh0st’s standard modus operandi is to use a namesake ransomware to encrypt all files on the target device using the file extension .h0lyenc, then send the victim a sample of the files as proof. The group interacts with victims on a _.onion_ site that it maintains and on which it provides a contact form for victims to get in touch, researchers said.

_\[**FREE On-demand Event**: **Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office.** **WATCH HERE**.\]_

The group typically demands payment in Bitcoin in exchange for restoring access to the files. On its website, H0lyGh0st claims that it won’t sell or publish victim data if they pay, researchers said. However, it uses double extortion to pressure targets to pay, threatening to publish stolen data on social media or send it to the victims’ customers if they don’t meet ransom demands.

****Introducing H0lyGh0st****

H0lyGh0st’s ransomware campaigns are financially motivated, with researchers observing text linked to a ransom note that they intercepted in which attackers claim they aim to “close the gap between the rich and poor,” researchers said.

“They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they said.

DEV-0530 also has connections with another North Korean-based group tracked as PLUTONIUM, also known as DarkSeoul or Andariel, according to MSTIC, with researchers observing communications between the two groups. H0lyGh0st also has been seen using tools created exclusively by PLUTONIUM, they said.

****A Tale of Two Families****

Since it began using ransomware in June 2021 and until May 2022, H0lyGh0st has employed two custom-developed malware families–SiennaPurple and SiennaBlue, researchers said. MSTIC identified four variants linked to these families: BTLC\_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.

BTLC\_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in the open-source Go programming language, researchers said. All of the variants are compiled into .exe to target Windows systems, they said.

BLTC\_C.exe is a portable ransomware developed by the group that was first seen in June 2021. However, it may have been an early version of the group’s development efforts, as it doesn’t have many features compared to all malware variants in the SiennaBlue family, researchers said.

Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as SiennaBlue variants, they said.

Though new Go functions have been added to the various variants over time, all the ransomware in the SiennaBlue family share the same core Go functions, researchers observed. These features include various encryption options, string obfuscation, public key management, and support for the internet and intranet, researchers said.

****Most Recent Variant****

The latest ransomware variant to be used by the group is BTLC.exe, which researchers have seen in the wild since April of this year, they said.

BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device, researchers said.

The malware also includes a persistence mechanism in which it creates or deletes a scheduled task called _lockertask_ that can launch the ransomware. Once the malware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive, they said.

**_FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE._**

Emerging H0lyGh0st Ransomware Tied to North Korea

Researchers who helped thwart the Russian nation-state group's recent attack on Ukraine's power supply will disclose at Black Hat USA what they found while reverse-engineering the powerful Industroyer2 malware used by the powerful hacking team.

The infamous Sandworm threat group operating out of Russia's military GRU unit has no qualms about taunting researchers when it finds it is being watched. Just ask Robert Lipovsky and his fellow researchers at ESET, who got the message loud and clear when they dissected one of Sandworm's newer malware variants earlier this year: The Sandworm attackers disguised the loader for one of its data-wiping variants as the IDAPro reverse-engineering tool — the very same tool the researchers had used to analyze the attackers' malware.

Lipovsky, principal threat intelligence researcher at ESET, knew it was no coincidence. Sandworm most likely was brazenly — and sarcastically — making a point that the group knew ESET was on its trail. "There's no reason to use IDAPro" in an attack on an engineering substation because that's not a tool that would be used on that system, he explains. "It's fairly clear the attackers are fully aware we are onto them and blocking their threats. They are maybe trolling us, I would say."

That wasn't the only message Sandworm seemed to be sending. The group also dropped a Trojan-ridden version of ESET's security software in its targeting of Ukrainian networks. "They were sending a message that they were aware we are doing our job protecting the users in Ukraine," Lipovsky says.

Lipovsky was part of the ESET team that — along with Ukraine's computer emergency response team (CERT-UA) and Microsoft — in April blocked a cyberattack by Sandworm on an energy company in Ukraine using a new version of its game-changing Industroyer malware weapon, Industroyer2. Had it not been thwarted in time, the attack would have knocked several high-voltage substations from part of the nation's electric grid.

Industroyer2 is a more custom version of the first iteration (Industroyer) that Sandworm unleashed in December 2016, temporarily knocking out power in parts of Kyiv, the capital of Ukraine. The Industroyer2 attack attempt in April also came with destructive disk-wiping tools designed to destroy engineering workstations running Windows, Linux, and Solaris, in an attempt to thwart recovery operations when the attackers' planned power blackout hit. Industroyer was the first known malware able to shut out the lights, and it can communicate with ICS hardware in electrical substations — circuit breakers and protective relays, for instance — via popular industrial network protocols.

Even after the high-profile foiling of the Industroyer2 attack attempt on Ukraine in April, Sandworm continues to relentlessly hammer at Ukraine's cyber defenses. "It didn't end with Industroyer2. It continues today," says Lipovsky, who with ESET senior malware researcher Anton Cherepanov will share their insiders' view of Sandworm and dissect the group's Industroyer2 malware at Black Hat USA in Las Vegas next month. 

"There are more wipers today … and new execution chains being used," he says.

Most of the current attack attempts by Sandworm against Ukraine's infrastructure now carry disk-wiping weapons. "We've seen disruption activity \[attempts\] at an increased rates since February," he says, when Russia first invaded Ukraine. Intel-gathering via cyber-espionage attacks also has been active, he adds, noting that while Sandworm is the most prominent Russian threat actor targeting Ukraine, it's not the only one.

**Industroyer2 up Close**

In their Black Hat talk, Lipovsky and Cherepanov plan to reveal more technical details about Sandworm that haven't yet been made public, as well as share recommendations for utilities to defend against the nation-state group's attacks.

Lipovsky and his team describe Industroyer2 as a simpler, more streamlined version of the first version. Unlike the first Industroyer, Industroyer2 speaks just one OT protocol, IEC 104. The original version used four different industrial protocols. It's likely more efficient and focused that way: "\[IEC 104 is\] one of most common \[OT\] protocols and a regional thing" in Europe, he notes.

The disk-wiping capabilities with Industroyer2 eclipse that of the first version. "The first one was a framework with multiple components, and it was also calling additional modules that were there for wiping," he says. Industroyer2 is more "self-contained" and offers wipers as separate executables, he says, malware weapons that have been discovered in other recent cyber incidents. 

CaddyWiper is the main disk wiper used with Industroyer2. Sandworm pointed CaddyWiper at a Ukrainian bank 24 hours before Russia invaded Ukraine in February, at a government agency in early April, and on some Windows workstations at the targeted Ukrainian energy firm. Sandworm also set destructive malware programs ORCSHRED, SOLOSHRED, and AWFULSHRED on Linux and Solaris workstations there. And, as a final touch, Sandworm had scheduled CaddyWiper to execute on April 8 as a way to erase all evidence of Industroyer2, but it was blocked.

Interestingly, Sandworm does not typically wipe domain controllers, so as not to disrupt its own foothold in the victim's network. "They wipe regular workstations to disrupt a target's operations, but they want to keep their presence once they've infiltrated an environment," Lipovsky says.

Even with all that ESET and other researchers now know about Industroyer2, there is still no full picture of the initial attack vector in the Industroyer2 attack on the Ukrainian energy firm. CERT-UA said the attack appeared to be in two stages, the first one likely in February of this year and the other in April, when the goal was to disconnect the electrical substations and sabotage the power operations on April 8.

**Defense Against Industroyer, Sandworm**

While Industroyer2 has been trained on Ukraine, its emergence has shaken the OT industry.  "Industroyer was a wake-up call for the whole ICS community. This is a serious threat," Lipovsky says.

The playbook for protecting an OT network from Industroyer and related attacks isn't much different than others. "It's what we've always been saying: Have visibility into the environment; have EDR, XDR tools; multiple layers of security in the stack; and access controls," Lipovsky says.

In their talk at Black Hat Lipovsky and Cherepanov also will share EDR rules, configuration suggestions to stop lateral movement, and rules for Snort and YARA tools

They also plan to reiterate that engineering workstations in OT networks have become major targets, so they have to be part of the security equation. "A lot of SCADA software and monitoring is happening on regular workstations that run Windows or Linux. These machines should have the appropriate security measures and solutions that are multilayered," including running EDR or XDR tools, he says.

Tag

#intel