A denial of service vulnerability exists in the libxm_av.so DemuxCmdInBuffer functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted set of network packets can lead to a device reboot. An attacker can send packets to trigger this vulnerability.

**Summary**

A denial of service vulnerability exists in the libxm\_av.so DemuxCmdInBuffer functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted set of network packets can lead to a device reboot. An attacker can send packets to trigger this vulnerability.

**Tested Versions**

Anker Eufy Homebase 2 2.1.8.5h

**Product URLs**

Eufy Homebase 2 - https://us.eufylife.com/products/t88411d1

**CVSSv3 Score**

7.4 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**Details**

The Eufy Homebase 2 is the video storage and networking gateway that enables the functionality of the Eufy Smarthome ecosystem. All Eufy devices connect back to this device, and this device connects out to the cloud, while also providing assorted services to enhance other Eufy Smarthome devices.

Among the home_security binary’s responsibilities, communications with the cloud and with smarthome devices is the most important. While the binary itself is somewhat opaque with regards to the actual implementation of this, a good chunk of the network functionality is within an imported libxm_av.so library. This library normally creates five different network servers, as so:

      tcp
        32392 - UDPRecvClient path
        32293 - WifiComSend_Pth            
        32295 - WifiComRecv_Pth            
        32290 - DspComSvr_Path - recv   ** not seen **
        32292 - DspComSvr_Path - send   ** not seen **
    
      udp
        32380 - UDPComCreate => UdpRecvSvr_pth 
        32392 - UdpSndSvr                      
    

While the code paths of some of these seem to converge or complement each other, these servers are all related to communications between the Homebase 2 and the smarthome devices. For today’s writeup we take a brief look into the WifiComRecv_Pth on TCP port 32295. Just like all the other ports, this codepath uses the getpeermac() function for defacto authentication, in that a network connection’s IP address must have an arp table entry on the br0 interface to be allowed to talk to any of these ports. Assuming that one has a vulnerabilty to bypass this check (see TALOS-2022-1479, libxm\_av.so getpeermac() authentication bypass vulnerability), or if one has compromised one of the smarthome devices that are resident on the br0 192.168.32.0/24 network, then one can essentially talk to the Eufy Homebase like any other device that has been paired. So what can one do with this?

Looking at the WifiComRecv_Pth, let’s take a look at what the message structure looks like:

    struct WifiComPkt{
        uint32_t magic; //[1]
        uint32_t opcode;
        uint32_t datalen; // [2]
        uint8_t data[]// [3]
    }
    

The packet must start with the magic bytes "\x55\x55\x00\xff" at \[1\]. We have an opcode as expected, and then there’s a datasize at \[2\] which determines the length of the array at \[3\]. All pretty standard. So let’s now examine the code handling these messages:

    void*  WifiComRecv_client_pth(struct mall_20* malloced_arg) { 
        //[...]
        0002d068      while (true)
        0002d068          if (g_XM_RUNNING != 0)  // [4]
        0002d14c              int32_t recv_ret
        0002d14c              uint32_t bytes_demuxed
        0002d14c              char* rbufptr
        0002d14c              do
        0002d088                  recv_ret = recv(sockfd: mall20.fd, buf: &buffer[pWriteOffset], len: 0x400 - pWriteOffset, flags: 0x40) // [5]
        0002d094                  if (recv_ret s> 0)
        0002d0a0                      pWriteOffset = pWriteOffset + recv_ret
        0002d0b4                      bytes_demuxed = DemuxCmdInBuffer(buffer: &buffer[pReadOffset], inpsize: pWriteOffset - pReadOffset, mall_20: &mall20) // [6]
    }
    

The server runs for as long as the g_XM_RUNNING global is switched on at \[4\] and constantly reads packets into a size 0x400 buffer on the stack at \[5\], which is subsequently parsed inside the DemuxCmdInBuffer function at \[6\].

    0002cd04  void* DemuxCmdInBuffer(char* buffer, uint32_t inpsize, struct mall_20* mall_20)
    0002cd6c      uint8_t* var_3c
    // [...]
    0002cde8      int32_t size_m4 = inpsize - 4
    0002cdf4      uint32_t bytes_left = 0
    0002cdf0      if (size_m4 s> 0)
    0002ce00          int32_t size_mc = inpsize - 0xc
    0002ce04          uint32_t bytesread = 0
    0002ce24          do
    0002ce2c              struct WifiPkt* wifipkt = &buffer[bytesread]
    0002ce38              while (wifipkt->magic == 0xff005555)                   // [7]
    0002ce54                  if (bytesread + 0xb s>= inpsize) 
    0002cefc                      return inpsize - bytesread
    0002ce74                  bytes_left = inpsize - bytesread
    0002ce70                  if (bytesread + wifipkt->size + 0xb s>= inpsize)   // [8]
    0002cefc                      return bytes_left
    0002ce7c                  XM_LOG(fname: "Xm_WifiComServer.c", line: 0x8a2, 2, 0, fmtstr: "cmd offset:%d\n", values: bytesread)
    0002ce94                  int32_t wificmd_ret = WifiCommandRespProc(wifipkt: wifipkt, mall_20: mall_20)  // [9]
    

After iterating through our data packet until finding the 0xff005555 magic bytes at \[7\], we finally get to our vulnerability: a lack of checking of the Wifipkt->size field inside the DemuxCmdInBuffer function, which allows us to cause an integer overflow at \[8\]. Unfortunately for attacker purposes, this WifiPkt->datalen field does not actually do that much inside WifiCommandRespProc \[9\] besides being checked and also potentially used as the length in an fwrite call. The best we can really get out of this vulnerability is setting the datalen large enough such that an out-of-bounds read occurs after advancing its read pointer by WifiPkt->datalen+0xb. This results in an unmapped read and a binary crash. If the home_security process crashes enough times within a given period, a device reboot will also occur, resulting in a denial of service.

**Crash Information**

    [ 5886.888000] do_page_fault() #2: sending SIGSEGV to home_security(23710) for invalid read access from
    [ 5886.888000] 282e7aa4 (pc == 778c4e30, ra == 778c4e9c)
    
    <(^.^)>#info reg
              zero       at       v0       v1       a0       a1       a2       a3
     R0   00000000 1100ff00 487f5f11 00000001 00000001 00000001 00000000 00000001
                t0       t1       t2       t3       t4       t5       t6       t7
     R8   00000000 fffffffe 00000000 00000000 9b64c2b0 8758a11c 00000000 00000007
                s0       s1       s2       s3       s4       s5       s6       s7
     R16  b780a0ff 33e09af7 7c5ff9f8 00000010 0000000c ff005555 7700a4d1 7700b920
                t8       t9       k0       k1       gp       sp       s8       ra
     R24  00000000 773d36ec 00000000 00000000 77026560 7c5ff960 7c5ff9d8 76ff6e9c
                sr       lo       hi      bad    cause       pc
          0100ff13 067e836c 001154dc 33e09af7 00800010 76ff6e30
               fsr      fir
          00000000 00000000
    
    <(^.^)>#x/10i $pc-0x10
       0x76d3ae20 <WifiComRecv_client_pth+504>:     li      a1,2280
       0x76d3ae24 <WifiComRecv_client_pth+508>:     li      a2,2
       0x76d3ae28 <WifiComRecv_client_pth+512>:     jalr    t9
       0x76d3ae2c <WifiComRecv_client_pth+516>:     move    a3,zero
    => 0x76d3ae30 <WifiComRecv_client_pth+520>:     lw      gp,32(sp)
       0x76d3ae34 <WifiComRecv_client_pth+524>:     move    s4,s2
       0x76d3ae38 <WifiComRecv_client_pth+528>:     move    s0,s2
       0x76d3ae3c <WifiComRecv_client_pth+532>:     move    s1,zero
       0x76d3ae40 <WifiComRecv_client_pth+536>:     lw      t9,-31148(gp)
    

**Vendor Response**

Fixed version 3.1.8.7 and 3.1.8.7h is in grayscale on Homebase2

**Timeline**

2022-03-11 - Vendor disclosure  
2022-04-15 - Vendor patched  
2022-05-05 - Public disclosure

Discovered by Lilith &gt;\_&gt; of Cisco Talos.

CVE-2022-26073: TALOS-2022-1480 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the libxm_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted DHCP packet can lead to authentication bypass. An attacker can DHCP poison to trigger this vulnerability.

**Summary**

An authentication bypass vulnerability exists in the libxm\_av.so getpeermac() functionality of Anker Eufy Homebase 2 2.1.8.5h. A specially-crafted DHCP packet can lead to authentication bypass. An attacker can DHCP poison to trigger this vulnerability.

**Tested Versions**

Anker Eufy Homebase 2 2.1.8.5h

**Product URLs**

Eufy Homebase 2 - https://us.eufylife.com/products/t88411d1

**CVSSv3 Score**

7.1 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

**CWE**

CWE-290 - Authentication Bypass by Spoofing

**Details**

The Eufy Homebase 2 is the video storage and networking gateway that enables the functionality of the Eufy Smarthome ecosystem. All Eufy devices connect back to this device, and this device connects out to the cloud, while also providing assorted services to enhance other Eufy Smarthome devices.

Among the home_security binary’s responsibilities, communications with the cloud and with smarthome devices is the most important. While the binary itself is somewhat opaque with regards to the actual implementation of this, a good chunk of the network functionality is within an imported libxm_av.so library. This library normally creates five different network servers, as so:

      tcp
        32392 - UDPRecvClient path
        32293 - WifiComSend_Pth            
        32295 - WifiComRecv_Pth            
        32290 - DspComSvr_Path - recv   ** not seen **
        32292 - DspComSvr_Path - send   ** not seen **
    
      udp
        32380 - UDPComCreate => UdpRecvSvr_pth 
        32392 - UdpSndSvr                      
    

While the code paths of some of these seem to converge or complement each other, these servers are all related to communications between the Homebase 2 and the smarthome devices. These communications occur over a seperate network than that of the Homebase’s normal ethernet connection, as it broadcasts a WiFi Hotspot with a hidden SSID that all the smarthome devices can connect to. This WiFi hotspot corresponds to the br0 interface in the Homebase:

    8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue 
        link/ether 8c:85:80:AA:BB:CC brd ff:ff:ff:ff:ff:ff
        inet 192.168.32.2/24 brd 192.168.32.255 scope global br0
           valid_lft forever preferred_lft forever
        inet6 fe80::8e85:80ff:feaa:bbcc/64 scope link 
           valid_lft forever preferred_lft forever
    

When a device is paired to the Homebase, it is statically assigned an IP address in the range of 192.168.32.5 to 192.168.32.21, but if one manually connects to this WiFi AP, a DHCP IP address is assigned starting from 192.168.32.100. While this might seem irrelevant, there are indeed hardcoded checks within these servers to see whether a connected client falls within the 192.168.32.5-192.168.32.21 IP address range, which could determine if a device is authorized to use an opcode or not. There also exist comparisons to the MAC addresses of paired devices, as another authentication method. But for today’s vulnerability, we examine the somewhat related getpeermac() function, which is used to check whether or not a client to any of the above mentioned TCP/UDP ports is allowed to send traffic:

    int32_t getpeermac(int32_t fd, char* sprintf_out){
    
        int32_t addrlne = 0x10
        struct arpreq arp
        memset(addr: &arp, chr: 0, size: 0x44)
        
        struct sockaddr addr
        addr.sin_family.d = 0
        addr.inet_addr = 0
        addr.pad[0].d = 0
        addr.pad[4].d = 0
        
        int32_t peerret = getpeername(fd, &addr, &addrlne) // [1]
        uint32_t $a1_1 = 0xdd
        char* fmtstr
        int32_t $v0
        if (peerret s< 0)
            fmtstr = "getpeermac: getpeername err\n"
        else
            arp.arp_dev[0].d = 'br0'
            arp.arp_pa.sin_family.d = addr.sin_family.d
            arp.arp_pa.inet_addr = addr.inet_addr // [2]
            arp.arp_pa.pad[0].d = addr.pad[0].d
            arp.arp_pa.pad[4].d = addr.pad[4].d
            arp.arp_pa.sin_family = 2
            arp.arp_ha.sin_family = 0
            iret = ioctl(fd, 0x8954, &arp)        // [3]
            if (iret s< 0)
                fmtstr = "getpeermac: ioctrl err\n"
                $a1_1 = 0xe7
        int32_t ret
        if (peerret s< 0 || (peerret s>= 0 && iret s< 0))
            uint8_t* var_7c
            XM_LOG(fname: "PrivateAPI.c", size: $a1_1, 5, 0, fmtstr: fmtstr, values: var_7c)
            ret = 0xfffff447
        if (peerret s>= 0 && $v0 s>= 0)
            sprintf(sprintf_out, 0x3d1d0, zx.d(arp.arp_ha.sin_port.b), [...]  {"%02X:%02X:%02X:%02X:%02X:%02X"} // [4]
            ret = 0
        return ret
    }
    

To summarize, at \[1\], the function gets the client socket IP address of our connection, placing it into addr. At \[2\], this addr’s data is put into the arpreq struct. At \[3\], the 0x8954 ioctl is done, which asks the kernel if there are any arp table entries on the br0 interface that have an IP address corresponding to our client socket. Assuming this all passes, a MAC address string is populated into the sprintf_out parameter pointer at \[4\], and 0x0 is returned by this function. If getpeermac does not return 0x0, the connection is immediately terminated, resulting in an authentication mechanism that is determined by the connection’s interface. To put more plainly, if we try sending traffic to any of these ports over the Homebase’s ethernet connection, the connection is blocked. Only paired smarthome devices are allowed to talk to these servers.

There is however an oversight in this implementation, namely that the Homebase’s eth0 connection is DHCP. Thus, if an attacker is on the same subnet as the Homebase and can DHCP poison the Homebase, the 192.168.32.0/24 range can be placed on both the eth0 interface and the br0 interface. If the attacker subsequently assigns themselves an IP address that matches any device on the br0 interface, then the call to getpeermac() will actually succeed. Again looking at the important parts of getpeermac():

        int32_t peerret = getpeername(fd, &addr, &addrlne) 
    

If our IP address legitimately is 192.168.32.5 for instance, the same IP address as a smarthome device on br0, then getpeername will populate addr with 192.168.32.5 (0xc0a82005).

       iret = ioctl(fd, 0x8954, &arp)       
    

Since we’re looking up 192.168.32.5: Assuming there is an actual device with this IP address, the ioctl will return successfully with the MAC address of the device on br0, allowing us to talk to these ports. But there is one more step to take in this setup. If we put the 192.168.32.0/24 network on the eth0 interface, we actually won’t see any return traffic due to routing priority. To solve this issue, we can simply poison instead with 192.168.32.0/25 or any other smaller subnet that lets us share an IP address with a device on the br0 interface. Since smaller subnets by default take priority to larger subnets in routing tables, we can force the Homebase to send traffic to us instead of the Smarthome devices on br0, regardless of the static arp table entries that get configured for paired devices.

**Vendor Response**

Fixed version 3.1.8.7 and 3.1.8.7h is in grayscale on Homebase2

**Timeline**

2022-03-11 - Vendor disclosure  
2022-04-15 - Vendor patched  
2022-05-05 - Public disclosure

Discovered by Lilith &gt;\_&gt; of Cisco Talos.

CVE-2022-25989: TALOS-2022-1479 || Cisco Talos Intelligence Group

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Emotet made headlines last week for being “back” after a major international law enforcement takedown last year. But I’m here to argue that Emotet never left, and honestly, I’m not sure it ever...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

As Nick Biasini and I covered in a December episode of Talos Takes, these takedowns are always incredibly helpful and a show of strength among the international community. But it doesn’t mean they’re a final nail in the coffin.  

Nick pointed out to me in that Talos Takes that there weren’t any arrests associated with the takedown, so the operators were always still out there ready to come back. And we started seeing Emotet send spam again as soon as nine-ish months after the takedown announcement.  

“In this particular case, we saw a botnet disruption, more than anything else,” Nick said. 

So it really shouldn’t be a surprise to anyone that Emotet is re-loading again. It’s known to go on months-long breaks, usually picking up around major holidays or international events like Black Friday and Cyber Monday. 

I admittedly don’t know enough about the ins and outs of taking down a botnet to say if something like this could ever be permanent or if there ever really is a way to truly end it for good. But if Emotet goes quiet for another few months and then magically pops up again in September, no one should be surprised. 

Take Silk Road, an infamous dark website for drug trade, needed three international takedown efforts over two years to truly shut down the site and stop any predecessors from popping up, even after its initial founder was arrested. 

As all these threats have shown us, as defenders, we can never let our guard down that a threat is ever truly gone no matter how impressive a press release sounds.  

**The one big thing **

Our researchers recently studied a trove of leaked chat logs between the Conti and Hive ransomware operators and their victims. From them, we learned more about how the groups choose their victims, how a triple-extortion attempt usually goes down and more about the inner workings of these actors. In our latest research paper, we run through these findings and provide a look into these chats so other security researchers and potential targets can be more prepared to fight these groups and spot their weaknesses.  

> **Why do I care? **
> 
> The chats we studied are completely new from the Conti leaks from earlier this year, so we continue to learn more about this group as time goes on. For starters, victims should take away from this research that if the plan is to pay the ransom, never take the actor’s first offer, they almost always reduce their asking price over time. We now know more about these groups’ negotiating tactics, which can be helpful for anyone who may be a future target or victim of these groups.  
> 
> **So now what? **Pretty much the same as always if the goal is to never be hit with one of these ransomware attacks. This is a reminder to all organizations to implement a strong patch management system and keep all systems up to date. Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary. 

**Other newsy nuggets **

For many years, Russia was viewed as off-limits for cyber attacks over the risk of potential retaliation. But after the country’s invasion of Russia, the floodgates have opened to hactivists and volunteers who are hitting the country’s networks at an unprecedented rate. Even some ransomware groups have gotten in on the action. Even early in the invasion, Russia suffered a major setback because actors in Belarus disrupted the country’s railway system that was still relying on Windows XP, slowing down Russia’s supply lines and potentially staving off an invasion of Kyiv, the country’s capital. (Washington Post, Wired, ComputerWorld) 

Users can now opt-out of having their personal information appear in Google search results. The search engine recently loosened its policies on this opt-out. Previously, users had to show a threat of doxxing or other harm that could come to them should something like their phone number, address or email show up when you searched their name. Now, the company says people can ask for their information to be removed even if there is no clear risk. This is not a catch-all step to protecting your identity online, but it’s a solid start for anyone looking to be more privacy-conscious. (NPR, CNET) 

A Chinese state-sponsored actor has been snooping on more than 30 major companies’ networks for more than two years to steal intellectual property. Security researchers say the APT41 threat actor used what they dubbed "Operation Cuckoo Bees” to steal trillions of dollars' worth of everything from engineering blueprints to experimental diabetes treatments and solar panel designs. As of this week, the campaign is still ongoing. (SC Magazine, CBS News) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #94: Everything you need to know about the BlackCat ransomware group
*   Vulnerability Spotlight: Two vulnerabilities in Accusoft ImageGear could lead to DoS, arbitrary free
*   Threat Roundup for April 22 - April 29

**Upcoming events where you can find Talos ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1    **MD5:** 3e10a74a7613d1cae4b9749d7ec93515**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A    **Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426    
**MD5:** a841c3d335907ba5ec4c2e070be1df53  **Typical Filename:** chip 1-click installer.exe    
**Claimed Product:** chip 1-click installer     
**Detection Name:** Win.Trojan.Generic::ptp.cam  

**SHA 256:** 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97   **MD5:** 258e7698054fc8eaf934c7e03fc96e9e   **Typical Filename:** samsungfrp2021.exe     
**Claimed Product:** N/A   **Detection Name:** W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34

Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives

The country has ordered companies operating VPNs to collect user data and hand it over to officials—but they’re refusing to do so.

VPN companies are squaring up for a fight with the Indian government over new rules designed to change how they operate in the country. On April 28, officials announced that virtual private network companies will be required to collect swathes of customer data—and maintain it for five years or more—under a new national directive. VPN providers have two months to accede to the rules and start collecting data.

The justification from the country’s Computer Emergency Response Team (CERT-In) is that it needs to be able to investigate potential cybercrime. But that doesn’t wash with VPN providers, some of whom have said they may ignore the demands. “This latest move by the Indian government to require VPN companies to hand over user personal data represents a worrying attempt to infringe on the digital rights of its citizens,” says Harold Li, vice president of ExpressVPN. He adds that the company would never log user information or activity and that it will adjust its “operations and infrastructure to preserve this principle if and when necessary.”

Other VPN providers are also considering their options. Gytis Malinauskas, head of Surfshark’s legal department, says the VPN provider couldn’t currently comply with India’s logging requirements because it uses RAM-only servers, which automatically overwrite user-related data. “We are still investigating the new regulation and its implications for us, but the overall aim is to continue providing no-logs services to all of our users,” he says. ProtonVPN is similarly concerned, calling the move an erosion of civil liberties. “ProtonVPN is monitoring the situation, but ultimately we remain committed to our no-logs policy and preserving our users’ privacy,” says spokesperson Matt Fossen. “Our team is investigating the new directive and exploring the best course of action,” says Laura Tyrylyte, head of public relations at Nord Security, which develops Nord VPN. “We may remove our servers from India if no other options are left.”

The hardball response from VPN providers shows how much is at stake. India has rapidly shifted away from a free and open democracy and launched crackdowns on non-governmental organizations, journalists, and activists, many of whom use VPNs to communicate. Human Rights Watch recently warned that media freedom is under attack in the country, with a number of law and policy changes threatening the rights of minority citizens in the country. India dropped eight places in Reporters Without Borders’ Press Freedom Index in the past year and now sits 150th out of 180 countries worldwide. Authorities are alleged to have targeted journalists, stoking nationalist division and encouraging harassment of reporters who are critical of Indian prime minister Narendra Modi. By collecting and storing data on all VPN users in India, authorities may find it easier to see who VPN-using journalists are contacting and why.

Officials in India have claimed that the new rules for VPN providers aren't part of a data grab aimed at further stymying press freedoms, but rather an attempt to better police cybercrime. India has been hit by a number of significant data breaches in recent years and was the third-most affected country worldwide in 2021. “Data breaches have become so common in India that they no longer make front page news as they used to,” says Mishi Choudhary, a technology lawyer and founder of the Software Freedom Law Center, a technology legal support services provider in India. In May 2021, the names, email addresses, locations, and phone numbers of more than 1 million customers of Domino’s Pizza were stolen and posted online; in the same year, the personal information of 110 million users of digital payment platform MobiKwik ended up on the dark web. Now, as the major incidents pile up, Indian officials are going after VPNs in an apparent attempt to reign in the cybercrime surge.

“CERT-In is duty-bound to respond to any cybersecurity incidents,” says Srinivas Kodali, a researcher focusing on digitalization in India from the Free Software Movement of India—though he disputes its efficacy in doing so. Having this information on hand should, in theory, allow CERT-In to investigate any incidents more speedily after the fact. But many don’t believe that’s the full story. “CERT-In doesn’t really have a clean past, and they’ve never really protected citizens’ privacy,” Kodali claims. “According to the rules, they are going to only demand these logs when they actually need them for part of an investigation. But in India, you never know how they will be abused.”

Such concerns of overreach are not unfounded. According to data published in April 2022 by Access Now, an advocacy group lobbying for internet freedoms, India was responsible for 106 of the 182 documented internet shutdowns in 2021. It was the fourth successive year the country held the unenviable title of the internet shutdown capital of the world. At the same time, India’s government has allegedly misled parliament about its use and deployment of the Israeli-produced spyware Pegasus against 160 politicians, lawyers, and activists within the country.

That ‘collect data first, ask questions later’ approach to law enforcement has others worried, too. “This is a blunderbuss way of remembering all data and keeping tabs on your users,” says Anupam Chander, professor of law at Georgetown University in Washington, DC. “That way, if \[India\] needs it for law enforcement, intelligence purposes, or other purposes, they can grab it later.” And the VPN data grab could, potentially, collect information on millions of Indians who rely on the technology. One in five Indians used a VPN in 2021, according to data gathered by service provider Atlas VPN—up from just 3 percent in 2020. The increased usage echoes a broader rise in the use of VPNs in countries such as Venezuela, Costa Rica, and Cambodia, which saw similar increases. It also shows how people in India are seeking out VPNs for information security purposes, as well as to avoid geoblocking of popular websites.

There’s another reason everyday Indians are pursuing VPNs: the rollout of a controversial nationwide identification database. The ID system known as Aadhaar—which first launched in 2009 and has evolved since then—assigns citizens a 12-digit identity code based on their biometric and demographic information. Its proponents say that Aadhaar is part of a plan to digitize the Indian economy and make it easier to access government services. Its opponents say Aadhaar’s ubiquity and required use—you can’t open a bank account, get an ambulance, or pay your taxes without one—is an attempt to shoehorn a surveillance state into existence under the auspices of making things easier for citizens. Choudhary worries that the new rules for VPN providers are part of a broader “mission creep” to control what is said and by whom across India. “This is not just bureaucracy,” Choudhary says. “It seems that the government of India is using every opportunity to make access to the internet much more controlled, as well as monitored.” CERT-In did not respond to a request for comment.

And India is not alone. “South Asian governments are basically competing with each other in this operational Olympics around violating the digital rights of their citizens,” says Pakistani lawyer and internet activist Nighat Dad. Pakistan’s government attempted to introduce a law in October 2021 that gave it the right to monitor and censor any content posted on social media in the country. Pakistan has previously blocked access to Facebook, Twitter, YouTube, WhatsApp, and Telegram “to maintain public order.” Dad is scared. “Not only in Pakistan but in India, there are marginalized communities who are at risk. This is a scary situation.” Similar concerns have been raised in Indonesia, where digital platforms have to register with the communications ministry and agree to provide access to their systems and data on request. So too in Bangladesh, where internet freedom has reached an “all-time low,” according to Freedom House, as the governing party uses laws to crack down on political dissent through social media.

VPNs that are developed within—or operate in—India will have to choose whether to accede to CERT-In’s request or withdraw their support from the country. Kodali says providers may adopt a halfway-house solution, barring new users from paying for VPNs with an Indian bank account, which would theoretically make it impossible for Indians to sign up while in practice quietly permitting them to find a workaround. But what starts in India likely won’t end there. “This does have global implications,” says Chander, who believes India is learning a lesson from China, with its stringent internet crackdowns. There’s a worry other, more liberal governments will follow the Indian-Chinese model, too. Attacks on end-to-end encryption are commonplace in the UK, while the US joined India, the UK, Japan, Australia, and New Zealand in signing an international statement asking for backdoor access that would subvert encryption standards. “I think it’s important that governments justify these actions,” says Chander, “and explain how they don’t threaten civil liberties.”

VPN Providers Threaten to Quit India Over New Data Law

Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.

Cybercriminals are ramping up their attacks on the Docker Engine — the software foundation of the container infrastructure used by many cloud-native companies. Researchers flagged a pair of cyber campaigns this week that showcase the increasing risk, including a compromise aimed at launching denial-of-service (DoS)) attacks on Russian targets.

On May 5, researchers at cloud-management platform Uptycs said that attackers compromised the firm's honeypot, a Docker server configured to allow connections through the remote Docker API. The attacks resulted in the cybercriminals installing cryptomining software and creating a reverse shell, which would have allowed them to explore the server in real time.

The company has detected 10 to 20 attempts to compromise the honeypot server every day, suggesting that attackers have increased their interest in Docker-based infrastructure, says Amit Malik, director of threat research at Uptycs.

"We configured one of our machines as a honeypot, and within three hours, we saw it compromised, so we had to shut it down and rebuild it," Malik says. "The infection point is very rapid."

The attacks on Uptycs' Docker-based infrastructure are not unique. The incidents are happening to other companies as well.

**Unwitting Hosts to Hostile DoS Activity Against Russia  
**Honeypots maintained by cybersecurity services firm CrowdStrike experienced similar attacks through the Docker remote API, generally assigned to port 2375 or 2376, according to an analysis of an attack posted on May 4. 

CrowdStrike researchers revealed that attackers compromised its honeypots through the open Docker API and then installed two malicious container images that were used to to attack Russian and Belarusian sites.

The target lists include the websites of the Russian and Belarusian governments, military, media, and retail sectors, as well as Russian mining, manufacturing, chemical, and technology sectors, according to CrowdStrike.

Both DoS-enabling containers are hosted on Docker Hub. One of the images has been downloaded more than 100,000 times; the second has been downloaded 50,000. CrowdStrike researchers noted that the portion of these downloads that originated from compromised machines is unknown.

The use of compromised infrastructure has far-reaching consequences for organizations that may unwittingly be participating in hostile activity against Russian government, military, and civilian targets, the firm warned. Any investigation into the attack by Russian intelligence will likely point back to the victim's server, says Adam Meyers, vice president of intelligence at CrowdStrike.

"It is a little different when they are using your infrastructure to attack a third party," he says. "If \[Russia or Belarus\] starts looking at these attacks, they might say, 'Oh, they are DoSing us, so we will DoS them.'"  

**Security Needs to Focus on Docker Threats**  
While Docker is well known in the development and DevOps communities, security professionals may not be as aware of the potential for insecure configurations or vulnerabilities to undermine enterprise security, Meyers says. 

The attack surface is concerning: In December, security startup Prevasio found that 51% of the 4 million images they scanned on Docker Hub included packages that had a critical security vulnerability. On the misconfiguration front, while exposing the remote Docker API is not a common configuration — currently Shodan counts 803 assets exposing port 2375 — the relatively frequent scanning of the port means that any misconfiguration would be exploited quickly.

"It is a relatively new technology, and with any new technology there is a security curve that goes with that," Meyers says. "There is a general lack of awareness around the threat, and that is the thing that we are trying to raise the flag with here. You need to take Docker security seriously."

**More Visibility Needed into Docker  
**To understand their level of risk, businesses should ensure that they can adequately monitor the attack surface area of assets such as Docker, Kubernetes servers, and DevOps-related infrastructure, says Siddharth Sharma, a researcher at Uptycs.

"Most of these attacks go unnoticed because people might not have a comprehensive security solution monitoring their Docker infrastructure," he says. "So the attacker will not be detected as often, unless something goes wrong. But often the types of \[payloads\] they install are not obvious."

Last year, Docker changed the licensing terms of Docker Desktop, moving to a subscription model and arguing that the shift will help the company support more security features and audits. The move came two years after the company split, dividing into Docker — focused on development with Docker Hub and Docker Desktop — and the enterprise infrastructure components of Docker Enterprise, which was sold to Mirantis.

Docker Under Siege: Cybercriminals Compromise Honeypots to Ramp Up Attacks

As the gaming sector booms, game publishers and gaming networks have been heavily targeted with distributed denial-of-service (DDoS) attacks in the last year.

For the past two years, the constraints of the COVID-19 pandemic have spawned an unprecedented surge in the online gaming industry, which is emerging as a major platform for entertainment, social interaction, and competition. By 2024, this media category could surpass $200 billion in revenue, making it one of the fastest-growing industry segments in the world, with an estimated 2 billion unique gamers worldwide.

As online gaming booms and gains a higher profile, game publishers and gaming networks are attracting unwelcome attention: a growing wave of cyberattacks that carry major costs. According to our recent threat research, gaming was one of the industries most heavily targeted by distributed denial-of-service (DDoS) attackers in 2021.

**DDoS Attacks in Gaming on the Rise  
**As it would be for any major business, data loss is a high priority for gaming companies whose servers are tempting targets for thieves seeking access to high-value databases that hold payment information, player statistics, intellectual property, and more. More recently, DDoS attacks intended to disrupt game play and bring massively multiplayer online (MMO) games to their knees have been more commonplace. Here, data is not at risk. Instead, DDoS is preventing legitimate players from accessing games, leading to user frustration, revenue loss, and reputational risk. Impact is not limited to the game itself, but also impacts businesses that rely on the game such as e-sports professionals and Twitch streamers.

**DDoS Halts Squidcraft Games Tournament  
**A recent major security incident underscores the point. In January, Twitch Rivals hosted a six-day Squid Game-themed competition — a Minecraft tournament called Squidcraft Games for Spanish-speaking gamers. About 150 contestants, including some of the platform's most famous Spanish-speaking creators (including Ibai, Rubius, and Auronplay), competed for a $100,000 purse in front of a record-setting 2 million viewers.

But what really grabbed the headlines wasn't just the high-profile competition — it was the intensive (and peculiarly timed) DDoS attacks that eventually shut down Internet access in Andorra, the small principality located between France and Spain in the Pyrenees mountains where some tournament participants live. On the fourth day of the tournament, Jan. 22, 2022, a DDoS attack reaching 100 Gbps in several short bursts impacted the Andorran competitors.

**Additional Fallout  
**News reports indicate this attack, the work of an unknown DDoS-for-hire service, knocked out about a dozen Andorran players from the competition (including E1Rubis, Biyin, TheGregfg, TaeSchnee, VioletaG, Aroyitt, 8cho, TinenQa, and Auron), and paved the way for OllieGamerz to take the top spot and $100,000. It doesn't take a lot of imagination to see how a DDoS attack — one of the simplest, cheapest, and most effective attacks — can be timed to gain a decisive advantage on high-stakes competitors and disrupt matches in a win-at-all-costs culture.

**Multifaceted Threats to Gaming's Unique Architecture  
**Online games typically employ a distinct architecture to optimally serve their customers. When a player wants to join an online game, they must first enter a "lobby" where they wait for other players to join. When enough players have gathered in the lobby, the game starts — only then can these users play the game. As a result of this architecture and their multiplayer design, online games are vulnerable to DDoS attacks through multiple dimensions: the game server itself, the game lobby, and, for some peer-to-peer multiplayer games, the individual player.

The real-time nature of gaming presents major issues because it emphasizes team scalability, which can create challenges when addressing security concerns. Of course, gaming platforms are highly sensitive to performance and outage issues. Their passionate users are vocal about outages of any kind at any time. Failing to meet user expectations can doom the reputation of a game.

The other element in play here is that the gaming sector covers a huge variety of companies, from international giants to smaller firms that address niche markets. Each eventually encounters the same issues (e.g., keeping customer data and intellectual property secure and ensuring high availability and performance). However, smaller firms may find it harder to get the right skills in place.

With the increasing shift to online gaming and the growth of e-sports, gaming companies must redouble their efforts to protect themselves and their users from cyberattacks. This means developing a good security strategy that covers all the bases. This includes design and architecture, coding and deployment, up to the hosting of the online service. These proactive measures can prevent attacks from affecting the gaming experience and protect the gamers while building trust in the integrity of their platforms and the competitions they host.

Why Security Matters Even More in Online Gaming

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Source code and Bitcoin transactions point to the malware, which emerged in March 2020, being the work of APT38, researchers at Trellix said.

Cryptocurrency thief Lazarus Group appears to be widening its scope into using ransomware as a way to rip off financial institutions and other targets in the Asia-Pacific (APAC) region, researchers have found.

Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.

Researchers at cybersecurity firm Trellix has been tracking attacks on financial institutions from what they believe is North Korea’s cyber army—which typically generate from Lazarus Group—for the last few years. The group is perhaps best known for its deftness at ripping off the crypto-currency market through money-laundering schemes to raise money for the North Korean government.However, Lazarus also appears to have been playing the ransomware game for at least a year, Trellix revealed in a blog post this week. Researchers found that Bitcoin transactions and connections to code from ransomware previously used by the group make it likely that VHD, which emerged in March 2020, is the work of APT38, they said.

****Financial Attacks Raise Suspicion****

A significant precursor to linking Lazarus to VHD was an attempt by threat actors in February 2016 to transfer nearly US$1 billion through the SWIFT system towards recipients at other banks, according to the post by Trellix researcher Christian Beek.

“The investigation, performed by several U.S. agencies, led to a North Korean actor, dubbed ‘Hidden Cobra,'” he wrote. “Ever since then, the group has been active, compromising numerous victims.”

Hidden Cobra, active since 2014, is believed to be the work of Lazarus Group. In 2017, the FBI warned that the group was targeting U.S. businesses with malware- and botnet-related attacks.

“Over time we have observed several methods North Korea has used to gain money,” Beek wrote “Although not as frequently observed as other groups, there have also been attempts made to step into the world of ransomware.”

Trellix has followed North Korean-linked actors’ attacks on financial institutions—such as global banks, blockchain providers and users from South Korea–over the last few years. Tactics used included spear-phishing emails as well as the use of fake mobile applications and companies, researchers noted.

“Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income,” Beek wrote.

****Code Links****

Knowing that ransomware has emerged a part of the toolkit of the North Korean cyber army, Trellix researchers peered under the hood of the VHD code to find similarities that they believed pointed to reuse from previous ransomware, Beek wrote.

“Using those \[code\] blocks as a starting point, a hunt was started from March 2020 onwards to discover related families,” he wrote.

Researchers identified code from four ransomware families known to be used by North Korean threat actors—BGEAF, PXJ, ZZZZ and CHiCHi–in the code of VHD.

While the Tflower and ChiChi families share only generic-function code with VHD, “the ZZZZ ransomware is almost an exact clone of the Beaf ransomware family,” which has been linked to North Korea, Beek wrote.

“Another observation is that the four letters of the ransomware ‘BEAF’ … are exactly the same first four bytes of the handshake of APT38’s tool known as Beefeater,” he added.

The use of the MATA framework in VHD—which has been used to spread the Tflower ransomware family—also links the VHD to Lazarus, as MATA has previously been linked to North Korea, researchers said.

****Following the Money****

Researchers then investigated the various ransomware families they’d linked to North Korea, which all seemed to target specific entities in APAC regions, to try to find financial overlap between then.

They extracted the Bitcoin  wallet addresses and started tracing and monitoring the transactions, though they did not find overlap in the wallets themselves, Beek wrote.

“We did find, however, that the paid ransom amounts were relatively small,” he wrote, linking a pattern between the ransomware families attributed to North Korean actors.

For example, a transaction of 2.2 Bitcoin in mid-2020 was worth around $US20,00 and was transferred multiple times through December 2020, researchers found. At that time, a transaction took place on a Bitcoin exchange to either cash out–as the value had roughly doubled–or exchange for a different and less traceable cryptocurrency, they said.

“We suspect the ransomware families … are part of more organized attacks,” Beek wrote. “Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to \[North Korean\] hackers with high confidence.”

VHD Ransomware Linked to North Korea’s Lazarus Group

A sample of the new REvil ransomware was found in the wild, signaling that, yes, REvil has indeed come back.
The post It’s business as usual for REvil ransomware appeared first on Malwarebytes Labs.

After the FBS arrested 14 of its members in January, and a subsequent lull in action, the REvil ransomware gang appears to be back. We say “appears” because it’s still unclear whether the group’s operations have indeed restarted.

To the trained eye, REvil’s movements seem out of sorts. When REvil’s old Tor infrastructure came back to life in April, it was modified to redirect visitors to URLs owned by a new ransomware group. The sites the nodes point to looked nothing like REvil’s. And its data leak blog is prepopulated with new ransomware victims and old REvil victims.

“And they are recruiting,” added Malwarebytes Threat Intelligence Analyst Marcelo Rivero.

**REvil ransomware: a brief look back**

When the REvil ransomware gang began its operations in 2019, it started strong. REvil, also known as Sodinokibi or Sodin, was _the_ new RaaS (ransomware as a service) of the criminal underground, filling the hole GandCrab left behind.

Like any “big-game hunting” operator, REvil only targets high-earning organizations. The logic behind this is that such targets are presumed to pay up, even a high ransom. They presumed correct.

2021 was the ransomware gang’s last year of activity. REvil attacked JBS, one of America’s largest meat and poultry processors, in June. JBS underwent recovery proceedings immediately after the attack, unlike other ransomware victims. It was revealed months after that the company paid REvil to the tune of $11M (£7.8M).

In July, REvil attacked Kaseya, the company behind Kaseya VSA, a popular remote monitoring and management software. The ransomware gang asked for a whopping $70M ransom, but the company didn’t pay. Instead, it used a decryption key “from a third party” to decrypt all its encrypted files.

Many suspected that something was up. Kaseya could not give any more details, as it was bound by an NDA (non-disclosure agreement), but the ransomware gang claimed that the decryptor was leaked by one of its operators.

**Is REvil really back?**

A ransomware sample is needed to dispel speculations on whether REvil has re-emerged or not. Sure enough, cybersecurity researcher Jakub Kroustek (@JakubKroustek) discovered one recently.

Multiple security researchers who looked into the sample said they noticed a few changes to the code based on old REvil ransomware code. The most notable changes in the encryptor are the version, the new accs configuration option, and the campaign and affiliate identifiers.

In an interview with BleepingComputer, Advanced Intel CEO Vitali Kremez said he believes this option “is used to prevent encryption on other devices that do not contain the specified accounts and Windows domains, allowing for highly targeted attacks.”

When asked about his thoughts, Rivero said, “I think this REvil sample is just a test file because it doesn’t encrypt.”

On top of this, the sample also adds a random extension name to affected files and creates a ransom note—both as text and HTML files—identical to old REvil’s. The web version of the ransom note links users back to new paid Tor sites and the new data leak blog.

The new REvil ransomware note.

Malwarebytes detects this new REvil sample as Sodinokibi.Ransom.Encrypt.DDS.

**What should previous victims do now?**

When REvil’s servers disappeared on an early Tuesday morning in July 2021, current victims of the ransomware gang were left stumped, not knowing what to do next. They were stuck in mid-negotiations, fearing they might never hear from the gang again, leaving their essential files encrypted forever.

With REvil back and the new operators apparently inheriting former victims of the old ransomware gang, what does this mean for victims?

It’s almost a year since REvil’s infrastructure went dark, and victim companies may have already moved on or sought help from law enforcement. Either way, REvil might one day come knocking at their digital doors to pick up where it left off.

It’s business as usual for REvil ransomware

Bookeen Notea Firmware BK_R_1.0.5_20210608 is affected by a directory traversal vulnerability that allows an attacker to obtain sensitive information.

**Comme sur le papier**

La saisie au stylet WACOM rapide et sensible à la pression permet de dessiner avec une grande précision. Initialement **mise au point pour les tablettes graphiques professionnelles,** cette technologie ne nécessite ni fil, ni batterie et autorise une écriture souple et précise. L’affichage instantané sur la surface texturée de l’écran à encre électronique Eink offre une expérience d'écriture identique à celle que l'on a sur papier.

*   **Saisie au stylet**
    
    Technologie Wacom avec 4096 niveaux de pression.
    
*   **Effet papier**
    
    Ecran Eink (16 niveaux de gris) lisible en plein soleil avec une résolution 1404\*1872 de 227dpi
    
*   **Grand écran**
    
    Surface d'affichage de 10,3 pouces (26cm) de diagonale équivalent au format A5
    
*   **Eclairage pour usage de nuit**
    
    Luminosité programmable avec option de réglage de la lumière bleue.
    

**Une saisie ultra-précise pour professionnels**

Initialement mise au point pour les graphistes professionnels, la technologie Wacom autorise une saisie très précise sans interférence avec l'appui de la paume sur l'écran. La Notéa est ainsi compatible avec tous les stylets Wacom et peut gérer jusqu'à 4096 niveaux de pression.

**Un nouvel outil dans votre espace de travail**

La Notéa ajoute des fonctions numériques à votre bloc-notes. Le reconnaissance d'écriture, l'annotation de livres et documents, le partage par email ou sur grand écran.

*   **Transcription des notes**
    
    Conversion automatique des notes manuscrites en texte par MyScript© (33 langues)
    
*   **Annotation de documents**
    
    Prise de notes directement sur documents PDF et EPUB
    
*   **Partage par email**
    
    Envoi et réception directs des notes et documents depuis le bloc-notes numérique.
    
*   **Affichage sur grand écran**
    
    Partage d'écran et diffusion sur téléviseur via Miracast
    

**L'expertise de l'écriture numérique**

La Notéa intègre Myscript©, le plus puissant moteur de reconnaissance d'écriture manuscrite. Les notes qu'elles soient écrites en cursives, en majuscules ou en scriptes, sont converties en quelques secondes vers un fichier Txt ou PDF. Ne laissez plus votre contenu manuscrit à l'écart de votre quotidien dans le monde numérique.

**Autonome et mobile**

Avec son poids plume, prenez votre Notéa partout avec vous. Sa batterie de haute capacité (4000 mAh) vous offrira une autonomie d'une semaine sans recharge. La Notéa possède 32Go de stockage interne et peut également se synchroniser avec différents services de Cloud.

*   **1 semaine d'autonomie**
    
    Batterie Lithium Polymer 4000mAh
    
*   **Mémoire**
    
    32 Go de stockage interne et accès aux différentes services de stockage dans le cloud via les apps.
    
*   **Transfert et partage**
    
    Connexion sans-fil Wifi : IEEE 802.11 b/g/n et Bluetooth : BT 4.2 & BLE.
    
*   **USB-C**
    
    Connecteur USB pour recharge, casque audio, connexion PC
    

**Une tablette à part entière**

La Notéa® peut être considérée comme une tablette tactile Android à part entière proposant un accès à un store d'applications. La Notéa est équipée de deux haut-parleurs et d’un micro.

*   **Interface au doigt**
    
    Ecran tactile capacitif sans interférence avec le stylet
    
*   **Audio**
    
    Haut-parleurs ou écouteurs par USB-C ou Bluetooth pour les applications audio
    
*   **Enregistrement**
    
    Microphone intégré pour les apps nécessitant un enregistrement audio et/ou une prise de son
    
*   **Store d'applications**
    
    Compatible avec le système Android 8.. Accès au Playstore pour télécharger des Apps.
    

*   **Mine texturée**
    
    La mine du stylet spécialement conçue pour procurer un touché très proche de celui de l'écriture sur papier.
    
*   **Gomme**
    
    Bouton latéral qui permet au stylet de basculer en mode gomme et d'effacer par trait ou par zone.
    
*   **Ctrl-z**
    
    Rien n'est irréversible sur la Notéa, bouton latéral d'annulation et de reprise des derniers traits réalisés au stylet.
    
*   **Bluetooth**
    
    Appairage Bluetooth avec la Notéa permettant la personnalisation et l'utilisation de trois boutons latéraux. Fonction Bluetooth rechargeable par USB.
    

**Spécifications techniques**

**Dimensions**

Modèle : CYBN10F

Fonction : Bloc-Notes numérique

Dimensions : 191,1 x 232,5 x 8,0 mm

Poids : 460 g

**Logiciel**

Système d'exploitation : Android 8.1

Play Store : Installable

**Ecran**

Taille : 10,3'' (26cm)

Résolution (Pixels) : 1404\*1872

DPI : 227

Niveaux de gris : 16

Ecran capacitif : oui

Wacom (EMR) : Oui

Front Light (FL) : Oui

Filtre lumière bleue : Oui

**Electronique**

CPU : 1.8 GHz Quad-Core

RAM : 2 Go

Stockage : 32 Go

USB 2.0 : Type C

LED de charge : Blanc

Écouteurs : Type C

Micro : Oui

Haut-parleur : Stéréo

Wi-Fi : IEEE 802.11 b/g/n

Bluetooth : BT 4.2

Bluetooth BLE : Oui

Accéléromètre : Oui

Effet Hall : Oui (Couverture intelligente)

Power button : Power on/off

**Batterie et autonomie**

Type : Lithium-Ion Polymer

Capacité : 3,7 V/4000 mAh

Consommation en veille : 2,0 mA

Durée en veille : 60 jours

**Stylet**

Wacom (EMR) : Oui (4096 niveux de pression)

Bluetooth : 3 boutons : mise en veille, haut, bas

Micro-USB : Recharge batterie pour fonction Bluetooth

**Inscription à la Newsletter**

CVE-2021-45783: Bookeen, la lecture numérique

Operation CuckooBees uncovered the state-sponsored group's sophisticated new tactics in a years-long campaign that hit more than 30 tech and manufacturing companies.

China's Winnti cyberthreat group has been quietly stealing immense stores of intellectual property and other sensitive data from manufacturing and technology companies in North America and Asia for years.

That's according to researchers from Cybereason, who estimate that the group has so far stolen hundreds of gigabytes of data from more than 30 global organizations since the cyber-espionage campaign began. Trade secrets are a big part of that, they said, including blueprints, formulas, diagrams, proprietary manufacturing documents, and other business-sensitive information.

In addition, the attackers have harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units that they could leverage in future attacks, Cybereason says in reports summarizing its investigation this week.

The security vendor said it has shared its findings with the FBI, which back in 2019 had warned of China-based cyberthreat groups engaged in the massive theft of intellectual property from US firms to support the country's "Made in China 2025" modernization initiative.

"Global manufacturers are targets of Chinese state-sponsored threat groups," says Assaf Dahan, senior director and head of threat research at Cybereason. "Our research highlights the importance of protecting Internet-facing assets, early detection of scanning activity and exploitation attempts, the ability to detect web shell activity, persistence, reconnaissance attempts by legitimate Windows tools, credential dumping, and lateral movement attempts."

Darren Williams, CEO, and founder at BlackFog, says the campaign that Cybereason observed highlights a recent trend involving data theft by cybergangs operating out of China. He says that new research that BlackFog recently conducted found that 20% of all ransomware attacks exfiltrate data to China. There's also been a dramatic rise in attacks targeting the technology, manufacturing, and government sectors, he says

“We think its related to the increasing pressure from multiple nations on the manufacturing industry generally and the shift in reliance from Chinese manufacturing," he says. "Then when you look at trade wars China has with countries like Australia, there is a general market shift happening. We think these attacks are in response and even retaliation for many of these moves.”

**Winnti Stung by CuckooBees**  
Winnti (aka APT41, Wicked Panda, or Barium) is a threat group that has been active since at least 2010. The group is believed to be working on behalf of, or with the support of, the Chinese government. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies. The group has been linked to attacks in 2010 on scores of US firms (including Google and Yahoo). And in 2020, the US government indicted five members of the threat group, although the action did little to stop its activities.

Researchers from Cybereason stumbled upon the threat group's latest campaign when investigating a 2021 intrusion at a $5 billion global manufacturing company with operations in Asia, North America, and Europe, Dahan says, and has been gathering evidence on the activity since then.

The researchers dubbed the investigation "Operation CuckooBees," because cuckoo bees are very evasive, and the Winnti group is one of the most elusive hacking groups, Dahan explains.

"Operation CuckooBees was a 12-month investigation focused on Winnti Group's global espionage campaign against defense, aerospace, energy, biotech, and pharmaceutical manufacturers," Dahan says.

**New Tools, Rare Abuse of Windows CLFS Mechanism**  
Cybereason's investigation also revealed fresh aspects of the group's technical approach, including the development of new malware tools — or new versions of its old malware — and sophisticated new techniques for payload delivery and evasion.

The new tools include one called DeployLog, made for deploying the threat group's namesake Winnti kernel-level rootkit. New versions of tools it has used in the past include an initial payload called Spyder Loader; a privilege-escalation tool called PrivateLog; and a tool called StashLog for storing payloads in a hard-to-crack Windows function.

One notable aspect of Winnti group's new campaign, according to Cybereason, is the threat actor's use of a Windows high-performance logging feature called Common Log File System (CLFS) to hide malicious payloads.

"The CLFS mechanism is rather obscure and is still undocumented by Microsoft," Dahan notes. "The attackers used the CLFS mechanism to hide their payloads in a place most security products or practitioners wouldn’t look for." He adds that the ability to abuse the mechanism points to the level of sophistication and resources that the threat actors have at their disposal.

"It requires a lot of effort to reverse-engineer this mechanism to abuse it for nefarious purposes," he says.

Dahan says Cybereason has not observed any other threat group abuse the CLFS mechanism to stash payloads in the same manner.

**The Evolving Winnti Attack Chain**  
In its latest campaign, Winnti group threat actors targeted vulnerable Internet-facing servers as a vector for gaining an initial foothold on a target network. In some instances, the attackers gained initial entry on systems by exploiting known vulnerabilities in enterprise resource planning (ERP) platforms.

"To the best of our knowledge, the vulnerabilities that were exploited in the observed attacks have fixes that were issued by the vendor," Dahan says.

Once in, Cybereason observed the attackers adopting what it described as a "house-of-cards" approach to deploying its malicious payloads, where each component of the attack chain depended on the previous one and the other components to function properly. This made it difficult to analyze each malware component in the attack chain separately.

"If for some reason, one component is missing or gets detected – the entire thing would fall apart," Dahan says.

The approach also added another layer of protection and stealth because each of the components in the attack chain is not entirely malicious on its own, and so would be unlikely to be flagged as malicious by security products, Dahan says. To become malicious, the components in the attack chain must be assembled in a certain order.

"The ‘house of cards’ approach makes it difficult for security researchers to analyze the payload and the flow of the attack," he explains. "You really have to see the entire attack and collect all the payloads and know how to run them in the exact order in which they were designed to run."

Tag

#intel