Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a command injection vulnerability via the pingAddr and traceAddr parameters. This vulnerability is exploited via a crafted POST request.

Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
Advisory ID: ZSL-2022-5706  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 03.05.2022

**Summary**

HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1\*GE,3\*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications.

**Description**

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

**Vendor**

Tenda Technology Co.,Ltd. - https://www.tendacn.com

**Affected Version**

Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD\_HG6\_XPON\_TDE\_ISP

**Tested On**

Boa/0.93.15

**Vendor Status**

\[22.04.2022\] Vulnerability discovered.  
\[26.04.2022\] Vendor contacted.  
\[01.05.2022\] No response from the vendor.  
\[03.05.2022\] Public security advisory released.

**PoC**

tenda\_hg6\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://packetstormsecurity.com/files/166932/Tenda-HG6-3.3.0-Remote-Command-Injection.html  
\[2\] https://cxsecurity.com/issue/WLB-2022050009  
\[3\] https://exchange.xforce.ibmcloud.com/vulnerabilities/225715  
\[4\] https://sploitus.com/exploit?id=ZSL-2022-5706  
\[5\] https://www.exploit-db.com/exploits/50916  
\[6\] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30425  
\[7\] https://nvd.nist.gov/vuln/detail/CVE-2022-30425

**Changelog**

\[03.05.2022\] - Initial release  
\[09.05.2022\] - Added reference \[1\], \[2\], \[3\] and \[4\]  
\[13.05.2022\] - Added reference \[5\]  
\[29.05.2022\] - Added reference \[6\] and \[7\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

CVE-2022-30425: Zero Science Lab » Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

On May 27, 2022, researchers from Japan-based nao\_sec identified a malicious document in a commercial malware repository, dubbed "Follina," that revealed the document employed a novel technique to achieve code execution. \[Note: Read Dark Reading's earlier coverage on Follina.\] While referencing a remote object, similar to techniques like template injection, the document retrieves the following URL:

_hXXps://www.xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l.html!_

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the application "ms-msdt":

    

MSDT is a diagnostic tool included in Windows. As shown above, MSDT can be used to parse and execute code, such as PowerShell, and can be called through parsing a malicious resource. Abuse of MSDT isn't new, as the technique previously has been documented among known "living off the land" binary (LOLBins) abuse. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

**Impact**

At present, the impact of CVE-2022-30190 is largely notional given lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT's capability to launch items as links can be disabled via changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality, which centers on passing code to MSDT for execution. While Office represents an obvious mechanism to reach this application through delivery of a document via phishing or malicious link, any mechanism of launching MSDT will work to enable follow-on RCE such as a malicious LNK file or via the implementation of "wget" in Windows. The Office route presents just one of many potential avenues for exploitation, with other possibilities of MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.

**Orienting to Adversary Operations**

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or "kill chain." Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and what are necessary pre- and post-exploit actions to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

**Detection and Mitigation Possibilities**

1.  **Focus on patching and host-based responses.** The initial security community focus for MSDT abuse mitigation focused on patching (or the inability to do so) and host-based responses. As a host-focused exploitation mechanism, such an approach appears reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
2.  **Look for pre- and post-exploitation activity.** As noted in the previous section though, defenders should strive for detections and mitigations that can apply irrespective of specific exploits by looking at required adversary actions pre- and post-exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Likely future implementations will probably expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can be used for payloads beyond MSDT exploitation.
3.  **Identify potential C2 or lateral movement mechanisms**. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
4.  **Identify and classify network assets.** Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or "zero-day") vulnerability takes place. Understanding one's own network and its characteristics combined with sufficient visibility into network and host behaviors allows defenders to ask (and answer) questions concerning activities of interest to flag the necessary preconditions and follow-on actions adhering to vulnerability exploitation. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

**Conclusion**

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there's a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.

Fighting Follina: Application Vulnerabilities and Detection Possibilities

An analysis of leaked chats from the notorious Conti ransomware group earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices.
"Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals,"

An analysis of leaked chats from the notorious Conti ransomware group earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices.

"Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals," firmware and hardware security firm Eclypsium said in a report shared with The Hacker News.

"Such level of access would allow an adversary to cause irreparable damage to a system or to establish ongoing persistence that is virtually invisible to the operating system."

Specifically, this includes attacks aimed at embedded microcontrollers such as the Intel Management Engine (ME), a privileged component that's part of the company's processor chipsets and which can completely bypass the operating system.

The conversations among the Conti members, which leaked after the group pledged its support to Russia in the latter's invasion of Ukraine, have shed light on the syndicate's attempts to mine for vulnerabilities related to ME firmware and BIOS write protection.

This entailed finding undocumented commands and vulnerabilities in the ME interface, achieving code execution in the ME to access and rewrite the SPI flash memory, and dropping System Management Mode (SMM)-level implants, which could be leveraged to even modify the kernel.

The research ultimately manifested in the form of a proof-of-concept (PoC) code in June 2021 that can gain SMM code execution by gaining control over the ME after obtaining initial access to the host by means of traditional vectors like phishing, malware, or a supply chain compromise, the leaked chats show.

"By shifting focus to Intel ME as well as targeting devices in which the BIOS is write protected, attackers could easily find far more available target devices," the researchers said.

That's not all. Control over the firmware could also be exploited to gain long-term persistence, evade security solutions, and cause irreparable system damage, enabling the threat actor to mount destructive attacks as witnessed during the Russo-Ukrainian war.

"The Conti leaks exposed a strategic shift that moves firmware attacks even further away from the prying eyes of traditional security tools," the researchers said.

"The shift to ME firmware gives attackers a far larger pool of potential victims to attack, and a new avenue to reaching the most privileged code and execution modes available on modern systems."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks

Melissa Bischoping, security researcher with Tanium and Infosec Insiders columnist, urges firms to consider the upstream and downstream impact of "triple extortion" ransomware attacks.

Melissa Bischoping, security researcher with Tanium and Infosec Insiders columnist, urges firms to consider the upstream and downstream impact of “triple extortion” ransomware attacks.

AUTHOR: Melissa Bischoping is director, endpoint security research specialist at Tanium

When ransomware strikes, security teams and business leaders are immediately faced with a flurry of questions, including:

 _“Is the vulnerability patched?”_

_“Does my vendor/supplier/customer’s compromise affect me too?”_ 

_“What are the implications?”_ 

_“How can we prevent this going forward?”_

This scenario was top of mind for the American Dental Association and its 161,000+ members and associated businesses after it was attacked by the Black Basta ransomware group just last month. Initially, the ADA took multiple systems offline – a common step in incident response to reduce potential spread while investigations are underway. According to reports, the organization engaged third-party security services as well as law enforcement support and sent emails to members to keep them aware of the emerging situation.

Within hours, Black Basta began leaking stolen information which included details on financial forms as well as member data. This attack on the ADA is yet another indicator of an emerging trend among ransomware actors – creativity. Rather than the typical ransom request for data restoration that has become commonplace, criminals are increasingly expanding their radius.

****Creative Exploitation****

Ransomware actors are pursuing a concerning trend. They are now taking a multi-faceted approach beyond ransoming the primary victim, which should be a concern for the ADA and its members. Secondhand victims, including dental practices and insurance providers, could be potential targets based on the data obtained in the primary ransomware attack.

In May of 2021, Ireland’s public health system, the Health Service Executive, was victimized by a ransomware attack that had significant reverberations.” In the following days and weeks, multiple hospitals connected to the public health service experienced service outages and financial losses, in addition to facing increased risk to patient data safety and access to care.

These facts point to a concerning global trend that extends the negative impact of a ransomware attack.

It’s clear that threat actors want to maximize the opportunity for payout beyond the initial ransom and potential sale of valuable data. Now, they are using the stolen information and access they’ve gained through the initial exploit to target and extort the victim’s customers, be it individuals or companies. For downstream organizations, one of the first questions when a large organization is breached is, “Will this affect me?” While the primary victim conducts initial response and investigation efforts, potential subsequent victims should focus on prioritizing actions to keep up to date on threat intel and incident response findings, in addition to proactively addressing gaps within their environment.

****Targets & Techniques****

When a threat actor identifies additional extortion capabilities or credentials to breach another organization, they may choose to sell this information or leverage it for their own future initiatives. In addition to monitoring for breaches within a supply chain and corporate relationships, organizations should monitor for any data being sold on the Dark Web or released in data breach dumps. Services such as “HaveIBeenPwned” can help alert when your employee credentials are exposed in a breach.

Over the last several years, the rise of the once-niche Initial Access Broker market has incentivized the resale of compromised accounts and credentials. These black market vendors are not generally the ransomware operators themselves, but a third party who sells their access to a ransomware gang and thereby accelerates the pace of the ransomware gang’s operations. When a compromise takes place, the opportunity for “pay-for-decrypt” profits, as well as data or credential/access resale, leads to double- or triple-extortion ransomware.

*   **Single extortion**: Attackers encrypt data to extort payment in exchange for unlocking files (which is often unsuccessful). In the case of single extortion, strong backup practices are the best defense. However, criminals know backups are a common option to avoid payment and will attempt to corrupt backups. This underscores the need for offline backups and “out of band” incident communications, since any system connected during the incident, such as email, most likely can’t be trusted.
*   **Double-Extortion**: An attacker attempts the “pay-for-decryption scheme,” but also threatens to – or follows through with – selling sensitive data/intellectual property on the dark web. Even if pay-for-decryption is avoided, brand reputation can be damaged, and organizations can be subject to fines and penalties. Before data theft can be prevented, it must be understood where data lives. Implementing solutions that allow for near-real-time alerts when sensitive data is saved, transferred, or stored insecurely is the foundation for prevention.
*   **Triple-extortion**: This combination of single and double occurs when an attacker threatens to DDoS a corporate website or pursues specific customers and threatens to release stolen information unless payment is made. In 2020, this is exactly what occurred in Finland when more than faced requests for several hundred euros each under the threat of sensitive mental health data being released.

****Diligence & Awareness****

The most important takeaway from this ransomware evolution is that organizations with business connections to a breached organization, such as the ADA in this scenario, should be closely monitoring official update channels, identifying what (if any) of their own data may be at risk, and focus on threat-informed defensive measures.

The ADA attack and others like it underscore the importance of being aware of who a company does business with and ensuring that security events with possible downstream impact are being closely monitored.  This may include vendors, partners, customers, etc. In today’s interconnected business landscape, there must be a plan for responding to external incidents that may have intended or unintended fallout. This requires preparation, and an understanding of trends in threat actor tactics, techniques, and procedures (TTPs).

After an attack, educate staff on the risks of phishing and encourage them to report suspicious calls, texts, or e-mails immediately. Even when systems are not directly connected, attackers may use data found in the initial breach to develop social engineering campaigns making downstream companies a target.

Additional proactive measures include changing any reused passwords that may be associated with the ADA’s systems and verifying any information or communication received regarding the breach comes from a legitimate source at the ADA rather than compromised emails that may seem official but are fraudulent.

****Facing the Future****

With the evolution of the strategy and tactics used by ransomware actors, it is essential that organizations have a big-picture perspective for defense, detection, and response and recovery.

Early detection of an attacker’s presence and exfiltration attempts requires understanding “normal” behavior within the environment to establish a baseline to alert against any anomalies so they can be flagged and investigated further.

While this baseline approach seems simple, it can be very complex.  Achieving this holistic view of your environment requires real-time context and the ability to assess dynamic risk as new devices enter the network, employees on/off-board, and new vulnerabilities emerge. Recovery should go beyond “wipe and reimage” to include thorough checks that can identify residual signs of compromise and, wherever possible, clearly determine initial access points to avoid reintroducing the attack vector during recovery efforts.

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

**_Melissa Bischoping is Director, Endpoint Security Research Specialist at Tanium, a converged endpoint management platform company._**

Cybercriminals Expand Attack Radius and Ransomware Pain Points

Artificial intelligence technology can detect the latest wave of Trickbot ransomware and block the attack before it causes damage.

When malware strains disappear, it is often by choice of their creators and threat actors, rather than as a result of outside efforts to shut them down. The actions governments and organizations take to combat these threats directly have often proved short-term and limited in scope — a pattern that the resurrection of Trickbot last year unfortunately demonstrated.

An effort led by Microsoft and its partners to shut down Trickbot malware was conducted in the lead-up to the 2020 US election in an attempt to reduce the risk of election tampering. In the end, 94% of Trickbot's infrastructure was effectively eliminated, massively reducing its influence in late 2020.

Despite taking such substantial losses, however, Trickbot soon saw a resurrection of incredible proportions. Rather than dying off as some hoped it might, the strain grew back at such a rate that by June 2021 it had again become the most prevalent malware in the world.

One of the numerous businesses that Trickbot targeted that month was a European public administration organization. Unaware that one of its internal domain controllers had been compromised by Trickbot, the organization happened to begin a trial of Darktrace's artificial intelligence (AI)-driven cybersecurity technology, which shined a light on the malicious attack taking place within their network.

**AI Catches an Emerging Trickbot Ransomware Attack**

Darktrace employs AI-powered behavior-based detection, which can differentiate between benign and malicious activity within an organization. When the compromised domain controller began uploading DLL files to other devices, Darktrace's technology immediately detected the activity and suggested an appropriate response. However, it was configured in "human confirmation" mode — meaning it required a human operator to confirm the action.

As it waited for the human team to approve its actions, Darktrace continued to monitor the progression of the threat. It detected the compromised domain controller uploading Trickbot over SMB to almost 300 devices across the organization, and then utilizing Windows Management Instrumentation (WMI) to execute it.

Trickbot may be old and well-documented malware, but its modular nature makes it endlessly adaptable and therefore difficult for security tools to pin down. At this stage in the attack, traditional tools within the organization's network had still failed to spot the threat. When the nature of the attack changes with every new instance and modular configuration, intelligence-based security systems will always struggle to keep up.

The difficulty of relying on OSINT to address Trickbot was demonstrated in this attack when 160 of the 280 compromised devices were detected connecting to new C2 endpoints. Microsoft and its partners had specifically targeted C2 servers in 2020, but Trickbot's turnaround in the aftermath of that action showed how quickly new servers and endpoints can be established. In this case, OSINT did not associate any of the endpoints the 160 company devices connected to with malicious activity; however, Darktrace recognized the behavior as unusual nonetheless, and issued a high-severity threat notification to the organization.

For over a month, the attackers laid low. Darktrace then detected compromised devices scanning the network and downloading suspicious executable files — most likely Ryuk ransomware payloads. With several stages of the attack now months apart, it would have been hard for a human team to piece together its full scope.

**Targeted Action Before Encryption**

With AI constantly investigating threats across the entire digital environment, however, Darktrace pieced together this attack into a distinct lifecycle and presented it to the security team. It was at this stage that the organization took notice of the threat and turned Darktrace to "autonomous" mode, enabling the AI to take action.

While the automated tool can often stop ransomware attacks at the first signs of a compromise, it can engage at any stage of an attack. Thus, when it was activated at a very late stage by this organization, it still calculated a precise and effective response.

Several malicious actions were blocked by the AI, including SMB enumeration, network scanning, and suspicious outbound connections. Because it targeted these actions rather than the overall devices, the 280 compromised devices were able to continue with their normal business operations as the attack was brought to a halt.

Now that they could no longer complete command-and-control (C2) communications or move laterally, the attackers were unable to execute Ryuk and the attack came to an end. And not a moment too soon. If the attackers had been allowed to execute the ransomware, they likely would have exfiltrated and then encrypted data from across the company. Even if a ransom is paid, ransomware victims often incur numerous other costs, including network shutdowns and remediation, as well as PR fallout.

**Staying Ahead of Malware Trends**

It's clear that Trickbot is as strong and evasive as it ever was and that relying on rules or intelligence-based tools alone is no longer an option for organizations trying to avoid falling victim. Rather than waiting for companies and governments to launch offensives against the endlessly regenerating infrastructure of attackers, organizations should take matters into their own hands and bolster their own infrastructures with AI.

By recognizing how the business usually behaves, rather than worrying about identifying the attacker, Darktrace's AI can stop completely novel threats without rules or OSINT and won't be fooled by reconfigurations and rebrands. Protecting organizations against novel attacks in this way is the surefire way to start hitting Trickbot and other threat actors where it hurts.

Neutralizing Novel Trickbot Attacks With AI

There is no question that the level of threats facing today’s businesses continues to change on a daily basis. So what are the trends that CISOs need to be on the lookout for? For this episode of the Threatpost podcast, I am joined by Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, Fortinet’s […]

There is no question that the level of threats facing today’s businesses continues to change on a daily basis. So what are the trends that CISOs need to be on the lookout for?

For this episode of the Threatpost podcast, I am joined by Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, Fortinet’s FortiGuard Labs to discuss the threats facing CISOs along with more.

During the course of our discussion, we dive into:

*   What an attack on all fronts looks like
*   The current state of the threat landscape
*   New techniques being leveraged be adversaries
*   The automation of threats

We also lay out what CISOs need to consider when laying out and producing their threat action plan.

Being prepared for adversarial attacks

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.
This includes weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com, the former of which allowed its users to traffic hacked personal data and offered a searchable database

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire.

This includes weleakinfo\[.\]to, ipstress\[.\]in, and ovh-booter\[.\]com, the former of which allowed its users to traffic hacked personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches.

The database consisted of seven billion indexed records featuring names, email addresses, usernames, phone numbers, and passwords for online accounts that could be accessed through different subscription tiers.

The shutdown of weleakinfo\[.\]to comes more than two years after a related internet domain named weleakinfo\[.\]com was confiscated in January 2020, with law enforcement officials arresting 21 individuals in connection to the operation later that year. Last May, one of its operators was sentenced to two years in prison.

The other two domains — ipstress\[.\]in and ovh-booter\[.\]com — offered to conduct DDoS services for their clients. DDoS attacks are carried out by flooding a targeted web resource with junk traffic with the goal of rendering it inaccessible to legitimate users of the service.

The "comprehensive law enforcement action" involved the Federal Bureau of Investigation (FBI), the U.S. Attorney's Office for the District of Columbia, and the DoJ's Computer Crime and Intellectual Property Section in coordination with authorities from Belgium and the Netherlands.

"These seizures are prime examples of the ongoing actions the FBI and our international partners are undertaking to disrupt malicious cyber activity," said FBI Special Agent in Charge, Wayne A. Jacobs, said.

"Disrupting malicious DDoS operations and dismantling websites that facilitate the theft and sale of stolen personal information is a priority for the FBI."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services

New operational analytics and AI/ML platform drives contextual intelligence and prioritized actions to anticipate risky behaviors, disrupt threats and insure business resilience.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Netenrich, a leading security and operations analytics SaaS company, today announced that the company will showcase its new Resolution Intelligence platform® at the 2022 RSA Conference on June 6-9 at the Moscone Center in San Francisco. Netenrich will feature product demos and present platform details in the Google Cloud Security Booth #1943, South Expo Hall.

**Netenrich at RSA 2022  
**Netenrich invites security professionals and conference attendees to learn how they can optimize their security operations with analytics leveraging Google Chronicle. Managed service providers (MSSPs, MSPs, GSIs) benefit by plugging into the data analytics platform to quickly build innovative services and transform their business at service-provider scale.

Netenrich will share the latest advances in security operations, as well as the strategies and solutions security professionals need to secure their data against the most critical issues and behaviors. Visit booth #1943 during the times listed below:

*   Tuesday, June 7 from 10:00 AM – 12:00 PM PDT
*   Wednesday, June 8 from 4:00 PM – 6:00 PM PDT
*   Thursday, June 9 from 10:00 AM – 12:00 PM PDT

**Theater Presentation in booth**

*   Thursday, June 9 at 11:45 AM PDT

**Netenrich + Chronicle Happy Hour**

RSA attendees are invited to the Netenrich + Chronicle Happy Hour at the Monarch club on Wednesday, June 8, from 6 – 9 pm PDT. Come enjoy music, drinks, and live entertainment.

*   RSVP to secure your invite and bring your ID and RSA badge
*   **Monarch, 101 6th Street, San Francisco, CA 94114**

Follow Netenrich on Twitter , LinkedIn, and YouTube

SOURCE Netenrich

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Netenrich Debuts Resolution Intelligence Secure Digital Operations Platform at RSA 2022

In this Tech Talk, Darktrace's David Masson and Dark Reading's Terry Sweeney discuss the rise of destructive attacks against critical infrastructure.

For years government regulators and security experts have been sounding the alarm about attacks that could cripple critical infrastructure — the assets and systems that support the functioning of a modern society and economy — but it took the attack against Colonial Pipeline for people to really pay attention, says David Masson, director of enterprise security with Darktrace.

That ransomware attack showed people firsthand how a cyber threat actually stopped gas from coming out of the pump, says Masson in this Tech Talk conversation with Dark Reading's Terry Sweeney. It doesn't even matter that the attackers behind Colonial Pipeline likely did not intend that outcome.

Since then, several other critical infrastructure organizations have been hit by ransomware and other attacks. There is also a worrisome trend toward more destructive attacks, Masson said. As an example, he points to the Russians trying to take down the telecommunications network in Ukraine to disrupt communications within the country. When their attempts failed, the Russians shot missiles directly at the cell towers and destroyed them, Masson notes.

About 85% of critical national infrastructure is under private control in North America, Masson says, which makes regulating critical infrastructure a bit of a challenge. The shift to public-private partnership, where infrastructure operators share threat information and intelligence with government agencies, is essential to understand the scale of the threat, he says.

President Dwight D. Eisenhower famously said that plans are worthless, but planning is indispensable. That mindset should drive security preparations: Deploy technology that gives visibility into the network, train people to recognize attacks, and maintain good backups so you can rebuild the infrastructure when needed.

"Start practicing and get ready so you don't end up being a rabbit stuck in the headlights," Masson says.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Darktrace's David Masson on What Attacks on Critical Infrastructure Look Like

Contextual Intelligence derived with machine learning helps customers identify, assess and remediate threats from IoT devices on their networks, achieving full visibility and control.

**SANTA CLARA, Calif. – June 1, 2022 –** Netskope, the leader in Security Service Edge (SSE) and Zero Trust, today announced it has acquired WootCloud, an innovator in applying Zero Trust principles to IoT security. The acquisition brings to Netskope WootCloud’s award-winning HyperContext® Security Platform, which provides end-to-end visibility, context, and threat remediation for managed and unmanaged devices, and will extend Netskope’s acclaimed SSE and Zero Trust capabilities to protect enterprise IoT devices at scale.

The massive volume of Internet-connected devices continues to expand; by 2025, there will be 55.7 billion connected IoT devices (“things”), generating almost 80B zettabytes (ZB) of data\[1\]. WootCloud technology will enable Netskope customers to support both user- and device-centric policies with Zero Trust principles applied to govern access and interactions with critical data. As Gartner® notes, by 2026, 50% of organizations will prioritize advanced data security features for inspection of data at rest and in motion as a selection criterion for SSE, up from 15% in 2021\[2\].

Founded in 2016 in San Jose, Calif., WootCloud offers device discovery, classification, and control to help customers gain deep visibility and context into all devices on their networks (both managed and unmanaged) and provide a risk and threat assessment measurement for devices that can be leveraged within a broader IoT security strategy. WootCloud’s cloud-based platform is capable of collecting billions of daily measurements of device characteristics, and this telemetry data is further analyzed using proprietary AI/ML models for device classification, risk assessment, and threat detection.

WootCloud critical uses cases include:

*   **Device classification and visibility** to discover managed and unmanaged devices, classify and provide contextual information, and provide deep insights that “true-up” an asset inventory
*   **Device Risk,** dynamically ascertained bycontinuous real-time monitoring to detect malicious behavior, and exchange device attributes with security operations tools for remedial actions.
*   **Access control and segmentation** to offer dynamic asset grouping, automate network segmentation, and facilitate various actions using existing Network Access Control (NAC), firewalls, access points, and other technologies
*   **Cybersecurity asset management** to drive compliance with corporate policies and gain insights into license use, helping to optimize the total IT environment

“Securing a hybrid work environment includes the ability to establish adaptive zero trust across users, devices, networks, applications, and data— increasing confidence in policy enforcement everywhere,” said Sanjay Beri, CEO and co-founder of Netskope. “WootCloud’s innovative technology will further extend Netskope’s industry-leading SSE and Zero Trust capabilities, ensuring that critical data is protected from the network, to the cloud, to enterprise IoT devices.”

“Netskope is an unquestioned leader in Security Service Edge and Zero Trust, and it makes perfect sense to combine and extend our collective capabilities to protect enterprise IoT devices at scale,” said Amit Srivastav, CEO of WootCloud. “We are so proud of what we have achieved with WootCloud, and we are excited to join Netskope for this next stage of the growth journey.”

“WootCloud has been a fantastic partner to Dartmouth, designing and executing solutions to meet Dartmouth’s enterprise security needs,” said Mitchel Davis, Vice President and Chief Information Officer, Dartmouth College. “WootCloud’s decision to join Netskope will help the combined company continue to grow in a way that will prioritize scale while preserving the innovation that made WootCloud special. Netskope is a well-recognized security leader, and we are excited to continue this partnership.”

Zero Trust principles are critical to the implementation of Secure Access Service Edge (SASE), which converges critical security, networking, and business value requirements into one technology architecture. Gartner cites that, b​y 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020\[3\]. Properly implemented SSE, which describes the security stack needed to enable SASE architecture, fundamentally includes zero trust and transforms what enterprises can achieve for security at scale.

Financial terms of the acquisition are undisclosed. WootCloud CEO Amit Srivastav has joined Netskope as an Executive Advisor to the CEO, and all of the WootCloud engineering team, led by the original founding CEO Srinivas Akella, have joined Netskope’s engineering organization.

Visit Netskope.com for more on Netskope capabilities for SSE, IoT security and Zero Trust.

**About Netskope**

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data. The Netskope Intelligent Security Service Edge (SSE) platform is fast, easy to use, and secures people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

\[1\] IDC, “Future of Industry Ecosystems: Shared Data and Insights,” January 2021

\[2\] Gartner, “Critical Capabilities for Security Service Edge, John Watts, Craig Lawson, Charlie Winckless, Aaron McQuaid, 16 February 2022.

\[3\] Gartner 2021 Strategic Roadmap for SASE Convergence, Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa, March 25, 2021

Tag

#intel