Gentoo Linux Security Advisory 202209-10 - A vulnerability has been discovered in Logcheck's ebuilds which could allow for root privilege escalation. Versions less than or equal to 1.3.23 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Logcheck: Root privilege escalation  
     Date: September 25, 2022  
     Bugs: #630752  
       ID: 202209-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Logcheck's ebuilds which could  
allow for root privilege escalation.

Background  
==========

Logcheck mails anomalies in the system logfiles to the administrator.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/logcheck         <= 1.3.23                 Vulnerable!

Description  
===========

The pkg_postinst phase of the Logcheck ebuilds recursively chown the  
/etc/logcheck and /var/lib/logcheck directories. If the logcheck adds  
hardlinks to other files in these directories, the chown call will  
follow the link and transfer ownership of any file to the logcheck user.

Impact  
======

A local attacker with access to the logcheck user could escalate to root  
privileges.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for Logcheck. We recommend that users  
remove it:

  # emerge --ask --depclean "app-admin/logcheck"

References  
==========

[ 1 ] CVE-2017-20148  
      https://nvd.nist.gov/vuln/detail/CVE-2017-20148

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-10

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-10

Gentoo Linux Security Advisory 202209-9 - Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution. Versions less than 4.2.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Smarty: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #830980, #845180, #870100  
       ID: 202209-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Smarty, the worst of which  
could result in remote code execution

Background  
==========

Smarty is a template engine for PHP. The "template security" feature of  
Smarty is designed to help reduce the risk of a system compromise when  
you have untrusted parties editing templates.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-php/smarty             < 4.2.1                      >= 4.2.1

Description  
===========

Multiple vulnerabilities have been discovered in Smarty. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Smarty users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-php/smarty-4.2.1"

References  
==========

[ 1 ] CVE-2018-25047  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25047  
[ 2 ] CVE-2021-21408  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21408  
[ 3 ] CVE-2021-29454  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29454  
[ 4 ] CVE-2022-29221  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29221

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-09

Gentoo Linux Security Advisory 202209-8 - Multiple vulnerabilities have been discovered in Smokeping, the worst of which could result in root privilege escalation. Versions less than or equal to 2.7.3-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Smokeping: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #631140, #602562  
       ID: 202209-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Smokeping, the worst of  
which could result in root privilege escalation.

Background  
==========

Smokeping is a powerful latency measurement tool

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  net-analyzer/smokeping     <= 2.7.3-r1               Vulnerable!

Description  
===========

Multiple vulnerabilities have been discovered in Smokeping. Please  
review the CVE identifiers referenced below for details.

Impact  
======

A local attacker which gains access to the smokeping user could gain  
root privileges.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

Gentoo has discontinued support for Smokeping. We recommend that users  
remove it:

  # emerge --ask --depclean "net-analyzer/smokeping"

References  
==========

[ 1 ] CVE-2017-20147  
      https://nvd.nist.gov/vuln/detail/CVE-2017-20147

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-08

Categories: Podcast
This week on Lock and Code, we speak with Kurtis Minder, CEO of GroupSense, about how a company decides to bring in a ransomware negotiator when it's hit with the destructive malware. 



(Read more...)




The post Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20 appeared first on Malwarebytes Labs.

Ransomware can send any company into crisis. 

Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization's clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children's school lunches needed to be reworked because the payment system had been wiped out. 

These threats are not new. If anything, the potential damage and fallout of a ransomware attack is more publicly known than ever before, which might explain why a new form of ransomware response has emerged in the past year—the ransomware negotiator.

Increasingly, companies are seeking the help of ransomware negotiators to handle their response to a ransomware attack. The negotiator, or negotiators, can work closely with a company's executives, security staff, legal department, and press handlers to accurately and firmly represent the company's needs during a ransomware attack. Does the company refuse to pay the ransom because of policy? The ransomware negotiator can help communicate that. Is the company open to paying, but not the full amount demanded? The negotiator can help there, too. What if the company wants to delay the attackers, hoping to gain some much-needed time to rebuild systems? The negotiator will help there, too. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kurtis Minder, CEO of the cyber reconnaissance company GroupSense about the intricate work of ransomware negotiation. Minder himself has helped clients with ransomware negotiation and his company has worked to formalize ransomware negotiation training. In his experience, Minder has also learned that the current debate over whether companies _should_ pay the ransom has too few options. For a lot of small and medium-sized businesses, the question isn't an ideological one, but an existential one: Pay the ransom or go out of business.   

> "What you don't hear about is the thousands and thousands of small businesses in middle America, main street America—they get hit... they're either going to pay a ransom or they're going to go out of business."

Tune in today to listen to Minder discuss how a company decides to engage a ransomware negotiator, what a ransomware negotiator's experience and background consist of, and what the actual work of ransomware negotiation involves.

Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20

It won’t solve all of your privacy problems, but a virtual private network can make you a less tempting target for hackers.

A virtual private network (VPN) is like a protective tunnel you can use to pass through a public network, protecting your data from outside eyes. Whether you're worried about hiding your browsing activity from your internet service provider so it doesn't sell your data to advertisers, or you want to stay safe on a public Wi-Fi hot spot to keep nearby digital snoops from capturing your passwords, a VPN can help protect you.

However, while a VPN will keep you safe at your local coffee shop, it comes with a cost. Using a VPN means your VPN provider will know everything about your browsing habits. This makes VPN providers a target for hackers. Be sure you even need one before you read on.

Picking the right VPN service is serious business. Most VPN providers say they keep no logs of their users' activity, but this is rarely verified. You're stuck taking companies at their word. For this reason, we've limited our testing to VPN providers that have been independently audited by security firms and have published the results.

To help you sort out when and why you might want a VPN, as well as why you might not, be sure to read through our complete guide to VPNs below. If you're sure you want to use a VPN, here are our top picks among commercial VPN providers.

_Updated September 2022: We've included some updated speed test results, included some new features from Surfshark, and noted our experiences paying for Mullvad with bitcoin._

_Special offer for Gear readers: Get a_ _**1-year subscription to**_ **WIRED** _**for $5 ($25 off)**__. This includes unlimited access to_ WIRED._com and our print magazine (if you'd like). Subscriptions help fund the work we do every day._

> If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more.

Best for Most People

**Surfshark VPN**

Surfshark wouldn't be my top pick if my life depended on my VPN, but for most of us that's not the case. If you just want a way to get around some geographical restrictions on content (aka access Netflix) and protect your traffic while using an open Wi-Fi hot spot, Surfshark is a good choice. It's secure, and it provides a great value for the money if you pay for two years up front.

Surfshark offers a kill switch that automatically stops your traffic if your VPN connection fails, and it supports multihop VPN connects, which means your traffic goes from your machine to a VPN server to another VPN server, and then to the destination server. This provides an extra layer of protection should the VPN itself be compromised, though there is a corresponding speed hit when using a multihop connection. The company also recently added support for manual Wireguard configuration. Most people will be fine sticking with Surfshark's apps, but if you're trying to connect your entire network to Surfshark directly through a router, the manual configuration will be welcome news.

In my testing over the years, Surfshark has consistently had some of the best speeds of any VPN I've used. Yes, it is slower than not using a VPN, but I have never had any problem streaming HD content through Surfshark. It's fast enough that in most cases you won't notice any speed degradation at all.

Surfshark is based in the British Virgin Islands, which, although technically a territory of Great Britain, is generally considered a safe haven and has no data-retention laws. What I don't like is that Surfshark is legally untested. The company has a zero-log policy, and you can (and should) opt out of the diagnostic crash reports in the app. Still, you're taking Surfshark at its word when it says it won't keep logs of your internet activity. Encouragingly, the company's browser extensions have undergone an independent security audit that didn't turn up any significant problems. 

Surfshark recently merged with NordVPN. So far we have not noticed any changes for its customers, but we will be keeping an eye on it going forward.

**Surfshark costs $2.50 per month if you buy two years up front, $4 per month if you buy one year up front.**

Best for Advanced Users

**Mullvad VPN**

Mullvad is based in Sweden and first came to my attention because of its early support for WireGuard, a faster protocol for tunneling VPN traffic.

Another thing I like is Mullvad's system for accepting cash payments. If you prefer to remain totally anonymous, you can generate a random account number, write that number down on a slip of paper, and mail it, along with cash, to Sweden. In theory, no one will be able to connect you to that account. (The truly paranoid will don a tinfoil hat, wear gloves, print from a public printer, and mail from a remote mailbox.) I have not tested the cash option, but I did recently extend my Mullvad subscription using bitcoin and it worked without a hitch.

Part of what I like about Mullvad is its down-to-earth approach that doesn't overhype with its marketing and helps users take additional steps to protect their privacy. For example, the company has an entire page showing you how to disable WebRTC in your web browser. As long as WebRTC is enabled (and it is by default in most browsers), websites can view your actual IP address even when you use a VPN.

Mullvad offers apps for every major platform, as well as routers. The applications are all open source, and you can check the code yourself on GitHub. The service has been independently audited as well. Advanced users can download configuration files and use them directly with OpenVPN or Wireguard.

In my testing, speeds were very good. I never encountered a situation where I couldn't get a fast connection. Over the years Mullvad has become the VPN I rely on day-to-day.

**Mullvad VPN costs 5 euros (around $6) per month, cash or charge.**

Best for VPN Newcomers

**TunnelBear VPN**

Choosing a VPN can be overwhelming. If you're tired of security mumbo jumbo and lock icons, TunnelBear might be the VPN for you. Its cute bear animations help demystify what VPNs do, how they work, and what they can offer you. Sometimes the easiest way to make technology more approachable is to put a friendly face on it.

Don't worry though, TunnelBear isn't all cute bear animations. It has the same security features as other VPN providers, like a no-logging policy and a clear privacy policy, and it's been independently audited.

In my testing, speeds with TunnelBear were competitive with the other options listed here. One of my favorite parts of TunnelBear is the free trial option, which makes it easy to test-drive it and see what your speeds are like without committing. TunnelBear has fewer geographic server locations than some of our other options, but unless you're traveling abroad or need to get around a specific geo-restriction, that shouldn't matter for most users.

**TunnelBear costs $3.33 per month if you buy one year up front****.**

Best for Circumventing Geographic Restrictions

**NordVPN**

NordVPN is one of the most popular VPNs around, thanks to a wide selection of servers and reasonable prices. It's also one of the most reliable ways I've found to circumvent location-based restrictions. I used it extensively while living in Mexico to get around Netflix's geographic restrictions. That said, this is a cat-and-mouse game; Netflix is always updating its server ban list, so NordVPN might not work in the future.

NordVPN is based out of Panama, which is not part of the Five Eyes, Nine Eyes, or 14 Eyes jurisdictions. That doesn't mean your government can't spy on you, but it does at least mean it will have to put in some extra legwork to do it (yes, that's about where we are these days). NordVPN has been audited a number of times, most recently in June of last year, when third-party auditor VerSprite found nothing amiss. As noted above, NordVPN and Surfshark recently announced a merger. Both will continue to operate as separate entities, but they are now a single company.

NordVPN also recently added a new service dubbed Threat Protection, which will block web-based trackers, phishing attempts, some ads, and malicious websites. I have not tested it extensively, and I personally rely on browser-based plug-ins to block threats like this. But if you're looking for an all-in-one solution, this might work.

I've never had an issue with speed using NordVPN, and the user interface of its apps is dead simple. Just click the country you want to use and the app will take care of connecting and configuring everything for you. If you want manual control, you can connect by using NordVPN's configuration files.

**NordVPN costs $5 per month if you buy one year up front. It also has frequent sales on a two-year deal that works out to about $3 a month.**

Best for High-Risk Use Cases

**Tor**

If you're in a situation where personal security is of the utmost importance, do not rely on a VPN. Use Tor (ideally through Tails) instead.

Using the Tor network accomplishes some of the same things as a VPN, but it's a little bit different. Tor provides anonymity, meaning no one can figure out who you are, but not necessarily privacy. People still might be able to see what you're doing, they just won't know it's you doing it. (VPNs provide privacy because no one can see what you're doing while you're going out of a VPN tunnel, but you don't have anonymity because the VPN provider knows who you are.)

Tor is simple to set up. All you need to do is download the Tor browser, and it will connect you to the web. Once you're connected to the Tor network, you can browse the web as you normally would. Except everything will be slower. When using Tor, your request for a website hops around the Tor network, bouncing between servers, before emerging and connecting to the actual site you want to visit. This makes Tor slow, sometimes incredibly slow, but that's necessary to protect your anonymity. And yes, you can combine a VPN with Tor, though that's somewhat beyond the scope of this guide.

How We Picked

VPN providers like to claim they keep no logs, which means they know nothing about what you do using their services. There are a variety of reasons to be skeptical about this claim, namely because they have to have a user ID of some kind tied to a payment method, which means the potential exists to link your credit card number (and thus your identity) to your browsing activity.

For that reason, I mainly limited my testing to providers that have been subpoenaed for user data in the US or Europe and failed to produce the logs or have at least undergone a third-party security audit. While these criteria can't guarantee the providers aren't saving log data, this method of selection gives us a starting point for filtering through the hundreds of VPN providers. Unfortunately other factors also come into play, VPNs that once made our list—Like ExpressVPN—are sometimes sold to less reputable companies. In cases like ExpressVPN I chose to remove it mainly because I have no way to know if it remains trustworthy or not.

Using these criteria, I narrowed the field to the most popular, reputable VPN providers and began testing them over a variety of networks (4G, cable, FiOS, and plenty of painfully slow coffee shop networks) over the past nine months. I tested network speed and ease of use (how you connect), and I also considered available payment methods, how often connections dropped, and any slowdowns I encountered.

Why You Might Not Need a VPN

It's important to understand not just what a VPN can do, but also what it can't do. As noted above, VPNs act like a protective tunnel. A VPN shields you from people trying to snoop on your traffic while it's in transit between your computer and the website you're browsing or the service you're using.

Public networks that anyone can join—even if they have to use a password to connect—are easy hunting grounds for attackers who want to see your network data. If your data is being sent unencrypted—like if the website you're connecting to doesn't use the secure HTTPS method—the amount of information an attacker can gather from you can be disastrous. Web browsers make it easy to tell when your connection is secure. Just look for a green lock icon at the top of your screen next to the web address. These days, most websites connect using HTTPS, so you're probably fine. But if that green lock icon isn't there, as it sometimes isn't on school, library, and small business websites, anyone can view whatever data you're sending. Unless you're using a VPN, which hides all of your activity, even on unencrypted websites.

Just connecting to a VPN isn't enough. Be sure to check out our guide to using a VPN to make sure you have everything set up correctly.

A VPN also changes your IP address, which adds an additional layer of protection. By giving you a different IP address, a VPN can make it appear as though you're in a different physical location. So even if you're sitting in California, the website you're accessing will think you're in Canada, Hungary, Uruguay, or Thailand. Unfortunately, this method of obscuring your location is not airtight. Technology built into web browsers that's known as WebRTC can leak your true IP address even when you're using a VPN. If this is a concern, disable WebRTC in your browser before connecting to a VPN. Mullvad has instructions on how to disable WebRTC in most browsers.

It's debatable how much masking your IP address really helps protect your privacy in the first place. Your IP address is only one of many, many bits of data websites collect about you. If privacy is your concern, you're better off using web browsers (and extensions) that offer additional tools to protect your privacy. Mozilla Firefox has several of these tools available. Or if you want to get serious about it, use the ultra-private Tor browser as noted above.

To add to the confusion around VPNs, providers—even some I've recommended here, unfortunately—often engage in misleading marketing. Nearly every VPN service website I visited had some kind of red banner claiming I was “not protected,” even when I was using a VPN at the time. The problem is that I wasn't using _their_ VPN. More honest VPN providers, like Mullvad, tell you what's actually happening: “You're not protected _by Mullvad_.” Kudos to Mullvad for not using fear to sell subscriptions.

Either way, the important thing to remember is that using a VPN does not make you anonymous. While VPNs may not be able to do much to protect your privacy, they are an essential tool when it comes to protecting you from snoops trying to gather your unencrypted data sent over insecure networks.

The Best VPNs to Protect Yourself Online

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities.
Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.

"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis.

TA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox.

The group's exploitation of the Follina flaw was previously highlighted by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested \[tactics, techniques, and procedures," the cybersecurity firm said.

"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor

ieGeek IG20 hipcam RealServer V1.0 is vulnerable to Incorrect Access Control. The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.

*   ieGeek IG20 Issues/Vulnerabilities
    *   UID Weakness CWE-340
    *   Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284
*   Default P2P Camera feed activated and sent to a server in plaintext CWE-284
    *   Access to files stored on the camera CWE-284
*   Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287
*   JavaScript injection (DOM-based) CWE-79
*   HTTP Response Header Injection/Splitting CWE-644
*   Device NMAP scan
*   The Listing On Amazon
*   Update 01 Sep 2022 – Product Still Listed On Amazon
*   Update: 01 Sep 2022
*   Consumer Recommendations
*   Q&A
    *   Are ieGeek cameras secure?
    *   What are the real risks of ieGeek cameras?
*   Cheap CCTV Invites Outside Threats Into Your Home\[4\]
*   References
    *   Please login to bookmark
    *   Don’t miss:

**_Amazon’s “highly rated” ieGeek brand continues to present a number of security vulnerabilities._**

On the 19th of Aug 2022 I set out to purchase a CCTV Camera from Amazon, I read over the reviews of the ieGeek IG20, and it seemed great, the value too. For just £29.99 I’d get myself a great looking CCTV Camera, packed full of features. It has night vision, Smartphone access, Motion Detection, Plug & Play, It’s waterproof and it can connect via WiFi or Ethernet. Great, I was sold. However, I failed to do any research on the brand specifically.

The camera arrived the following day, and later that day I got around to setting it up. I first noticed that on the back of the camera, there was a sticker with a UID printed, along with a Factory default Username & Password combination, consisting of admin/admin.

**UID Weakness CWE-340**

The UID appears to be predictable.The UID in our case, will look like this: **_AAFF-123456-ABCDE_** – depending on the make and model.

*   **UID p1**: _Same 4 letters at the start._
*   **UID p2:** _6 numbers at random in the middle._
*   **UID p3**: _5 random letters at the end._

Evidently, having just this basic knowledge of the UID and using the default credentials, the camera feed could be accessed using the software provided by ieGeek from their website by testing each UID value. This can leave a number of IP cameras vulnerable to unauthorised viewing with the privacy of users at risk.

Below are some more vulnerable prefixes running the same crappy firmware.

AAAA

AABB

AACC

AAES

AIPC

AAFF

BBBB

CAM

CAMERA

CCCC

DDDD

DEAA

EEEE

ELSA

ELSO

ESCM

ESN

ESS

EUA

EYE

FCARE

FDTAA

FFFF

FOUS

GCAM

GCMN

GGGG

GKW

HHHH

HRXJ

HSL

HVC

HWAA

HZD

HZDA

HZDB

HZDC

HZDN

HZDX

HZDY

HZDZ

IIII

ISRP

JWEV

MCI

MDI

MEIA

MMMM

MSE

MSI

MTE

NIP

NNNN

NTP

OBJ

PHP

PISR

POLI

PPCN

PPPP

PTP

QSHV

ROSS

SECRUI

SPCN

SSAA

SSSS

SURE

SXH

TTTT

UUUU

VIEW

VSTA

VSTB

VSTC

VSTD

VSTF

WCAM

WGKJ

WHI

WNR

WNS

WNV

WWWW

WXH

WXO

XCPTP

XHA

XLT

XWL

ZLD

ZZZZ

AVA

**Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284**

By default, one can easily access the camera’s stream externally or internally depending on your router/network configuration, with our without means of Authentication.

*   **Zero Authentication:** rtsp://+IP+/11
*   **Default Auth:** rtsp://admin:\[email protected\]+IP+/11

_**Replace +IP+ with your local or external IP**_.

Here is a screenshot of the Default RTSP settings, requiring Zero authentication.

**Default P2P Camera feed activated and sent to a server in plaintext CWE-284**

The cloud function of the camera uses the P2P protocol to send and make requests back to a server based in China in plaintext. It was found that all connections back to this were made in plaintext regardless of protocol, this includes the viewing of the camera’s stream and control. HTTPS was not found to be implemented anywhere on the camera.

**Access to files stored on the camera CWE-284**

The following directories can be viewed using the default login:

*   http://+IP+/tmpfs
*   http://+IP+/js
*   http://+IP+/lib
*   http://+IP+/log
*   http://+IP+/resources
*   http://+IP+/sd
*   http://+IP+/swfs

The number of links discovered showed that the SD card, log files and website front-end code were accessible from the web interface. This includes any footage that has been recorded by the device and stored on the external SD card.

I decided to check out shodan.io and searched for “hipcam realserver”. Shodan is a Google like database of Connected Devices, if you like. It produced 93,312 results of addresses that had port 554 exposed to the internet. As I browsed these I also discovered a number of addresses that also had Port 80 exposed, hosting the same ‘IP Camera’ front page with login. With what I have discovered it is possible for each of these devices to be accessed via default credentials, or if the admin credentials are changed, Using VLC player, I could potentially connect to each of these camera streams without the need to authenticate.

**Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287**

When the camera is booted up, a web server is spawned and requires a login to gain access. Default credentials were then used to gain access and there was no setup to force change of the default password in place. Burpsuite caught this login process; the session was found to be using HTTP Basic Authentication to handle the username and password. The Base64 translates to admin:admin.

**JavaScript injection (DOM-based) CWE-79**

Data is read from **document.cookie** and passed to **eval()**

    
    var strCookie=document.cookie;
    var arrCookie=strCookie.split('; ');
    var arr=arrCookie[i].split('=');
    return unescape(arr[1]);
    var cooktype=getcookie('cookmun');
    var string = eval("'cgi-bin/hi3510/param.cgi?cmd=setimageattr&-image_type="+cooktype+"&-default=on'");

Using various different methods of escaping. Stored XSS was also prevalent in many places within the admin panel that used user input. Example: FTP Upload settings.

**HTTP Response Header Injection/Splitting CWE-644**

The web application is also evidently vulnerable to HTTP response header injection, see PoC below. This also led me to discover i was able to break out of the response.

Your options for exploitation vary depending on the type of response you’re injected into and also where in the response you’re placed!

Here we’ve added a “malicious cookie” which will be set in the browser. As mentioned earlier i was also able to break into the body, or out of the headers through double CRLFs (%0d%0a%0d%0a) **_see below_**.

When user input is insecurely inserted into the headers of server responses, HTTP Header Injection vulnerabilities are created. They are based on the theory that an attacker can make the server generate a response that contains carriage-return and line-feed characters (or, respectively, %0D and %0A in their URI encoded forms), within the server response header, and/or that the attacker may be able to add specially created headers. Attacks like response splitting, session fixation, cross-site scripting, and malicious redirection are all possible using header injection.

Often, the injection of headers is not the main attack; rather, it is merely a method for accessing or exploiting another flaw. For instance, if a hacker is able to inject a payload through HTTP header injection, they may target a website that is susceptible to cross-site scripting in the Referer header or in a cookie value etc.

**Device NMAP scan**

    Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-28 00:42 BST
    Nmap scan report for 192.168.1.116
    Host is up (0.0088s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http Hipcam RealServer/V1.0
    554/tcp  open  rtsp
    1935/tcp open  rtmp Real-Time Messaging Protocol
    8080/tcp open  http-proxy ONVIFservice
    MAC X (Shenzhentong BO Weitechnology) SHENZHEN TONG BO WEI TECHNOLOGY Co.,LTD
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
    OS details: Linux 2.6.32 - 3.10
    Network Distance: 1 hop
     

Anyway, I decided enough is enough with this trash device and unplugged it from my network, packaged it back up and arranged a return with Amazon.

**The Listing On Amazon**

At the time of writing, the listing is still available, however, I reached out to Amazon and made them fully aware of everything, including my intention to publish this article, and they advised me that the product listing would be “temporarily” removed today, **28th Aug 2022**, pending further Investigation.  
The listing can be seen here **_\[if still available\]_**

It has to be worth noting, that there was an investigation by Which.co.uk see reference \[3\] in July 2021, that details a line of similar flaws, consequently, Amazon removed the said ieGeek branded camera from sale on its website. The which? investigation revealed another device from the same manufacturer can be easily hacked by cybercriminals.

> The £40 camera, which was labelled Amazon’s Choice, had more than 8,500 reviews (as of June 22 2021), including 68% giving the full five stars.
> 
> If you own the ieGeek Security Outdoor Camera 1080p, you should change its default password immediately, or better still, stop using it.
> 
> https://www.which.co.uk/news/article/iegeek-security-camera-removed-from-sale-following-which-investigation-ajW4t0g7bnGj

So the question remains, why do Amazon allow Manufacturers to list products irrelevant of the manufacturer having been Flagged, and Delisted in the past? A better system needs to be in place. Yes, I understand there can be a new line of products/models but surely amazon should be seen to be doing more to prevent devices like this from appearing on their website. The privacy and security of their customers should be paramount.

**Update 01 Sep 2022 – Product Still Listed On Amazon**

We’ve noted that the product is still available to purchase on Amazon, despite us being told that it would be removed, pending an investigation. We figured we’d add a screenshot, just for clarity.

Here is the screenshot of a mail I received from the Amazon Representative on the 28th of August, this email states the item “may be temporarily unavailable”, which contradicts what she told me on the telephone. This email arrived in my mailbox very shortly after I had a call with the same lady, Roxy.

**Update: 01 Sep 2022**

We’ve been made aware of another article from Which.co.uk, this second article was published in late 2021, after the earlier-mentioned article. Their second write-up clearly paints a very different picture, one could easily say it’s misleading given what has been uncovered in this report. It has to be worth mentioning that my ieGeek device, and probably many many others, was still running the same vulnerability-ridden firmware that Which.co.uk spoke out against in their first write-up, as has been verified by the team here at risec and elsewhere. There was no obvious offer of any firmware upgrade, at least to my knowledge. Anyway, see some quotes from the second write-up below.

> **Millions of CamHi wireless cameras made more secure after hacking risk**
> 
> Following a change by HiChip, all CamHi app devices when installed now must have their default password changed by the user.
> 
> HiChip has agreed to enforce a strong password policy, particularly blocking generic terms such as ‘password’ and ‘admin’.
> 
> For CamHi devices that are already set up in people’s homes, the app will remind them to change the default password and warn them if what they have chosen is weak
> 
> **_MISLEADING_**: https://www.which.co.uk/news/article/millions-of-camhi-wireless-cameras-made-more-secure-after-hacking-risk-aezzW2u2ELsl

**_We have reached out to Which.co.uk and have yet to receive any notable response._**

**Consumer Recommendations**

If you value your privacy, and security as much as we do, please remove the device from service. It is simply unfit for purpose. If you bought it from Amazon, go and arrange a return as this device is in clear breach of their merchant conditions.

Research each device thoroughly before buying, and check it’s security reputation.

_**Be Aware**_**_:_** _Endless numbers of IP cameras of other Brands also use the Hipcam RealServer service; I am unable to check the configuration of these devices specifically, but one would be led to believe they are all implemented similarly. Sadly, there doesn’t seem to be a method to warn anyone utilising these IP Cameras that they are exposed._

On a final note, take amazon’s reviews with a pinch of salt, and always do your homework. Next time your about to purchase a connected device, IoT(Internet-of-Things), do a quick google query, something like, “vulnerable BRAND” or “exploit BRAND”

**Q&A****Are ieGeek cameras secure?**

According to our research, and many others, ieGeek cameras are not secure. The devices they seem to be pushing out in 2022 are vulnerable in a number of ways as detailed in this article. Fundamentally, they lack proper encryption, and, are shipped to consumers riddled with security holes. One can only ask themselves, is it intentional? _**tldr; Given the research of the team here at RiSec, and research conducted elsewhere, we can categorically say ieGeek’s cameras are not secure in 2022.**_

**What are the real risks of ieGeek cameras?**

By using these devices that lack proper safety and security standards, your private data is at serious risk of being exposed, **a bad actor may able to gain complete control of the cameras**. This fundamentally opens up your entire network to further attack, making it much easier for a bad actor to reach an end goal.

Cheap CCTV cameras tend to be vulnerable to at least one of the following types of hacking:

1.  They have a weak default password and username setting, which can be easily discoverable. If the user doesn’t change those settings, it’s very easy for hackers to find their way into your camera control system, in every case, there is no prompt in the Admin panel when logging in, advising you to chase any password.
2.  They don’t encrypt your data so that your home router password input is un-encrypted and accessible to any cyber attacker, or themselves.., same applies with any SMTP email info provided, along with any FTP info provided to the device. By using the home router password, they can gain access to other devices on your home network, can monitor your Internet history and any stored data on connected devices.
3.  They let external users gain root access to the device itself, allowing hackers to take control, launch attacks from your device, and exfiltrate data.

**Cheap CCTV Invites Outside Threats Into Your Home\[4\]**

> There are three main security issues you need to look for when buying your CCTV camera. Popular wireless security camera brands that are sold on online marketplaces like Amazon, but also eBay share common security flaws.
> 
> As a rule of thumb, brands that are not well-known outside of the online market should be avoided at all cost. Affordable CCTV solutions from Shenzhen-based factories in China sometimes fail to meet wireless safety standards.
> 
> Brands that have been tested for vulnerability and that you should avoid are the following; ieGeek, Sricam, SV3C, and Vstarcam. All come with a friendly price tag, but they are quick to join the list of CCTV cameras that put your privacy and security at risk.
> 
> Tested by a professional security lab, Context Information Security, “cheap CCTV cameras show that they fail to prioritise customers’ security even those that are bestsellers in online marketplaces”
> 
> \[4\]

Update: **_21/09/2022_** – After some back-and-forth correspondence with the vendor, **_ieGeek_**, they have disputed that the ieGeek IG20 is an insecure device, despite our evidence to the contrary, they also cited an invalid misleading Which.co.uk\[5\] post as seen above.

**CVE Approved:** **_CVE-2022-38970_**\[6\]

**_Got some crazy story? thoughts on this article? We’d love to hear from you below!_**

_Coming up next, I will be covering a Chinese “Mini-PC” that was shipped to me loaded with Malware._

Ciao, for now.

**_References_**

Amazon product listing\[1\]

IG20 ieGeek store page\[2\]

Which investigation ieGeek\[3\]

Cheap CCTV Sold With Known Vulnerabilities\[4\]

Which.co.uk Misleading\[5\]

**_CVE-2022-38970_**\[6\]

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

_Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today_.

**_Remember,_** _CyberSecurity Starts With You!_

*   Globally, **30,000 websites** are hacked daily.
*   **64% of companies** worldwide have experienced at least one form of a cyber attack.
*   There were **20M breached records** in March 2021.
*   In 2020, ransomware cases grew by **150%**.
*   Email is responsible for around **94% of all malware**.
*   **Every 39 seconds,** there is a new attack somewhere on the web.
*   An average of **around 24,000 malicious mobile apps** are blocked daily on the internet.

Bookmark

**Please login to bookmark**

No account yet? Register

*   About
*   Latest Posts

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK.

I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...

I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.

I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Share the word, let's increase Cybersecurity Awareness as we know it

CVE-2022-38970: ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20

UN countries are preparing to pick a new head of the International Telecommunications Union. Who wins could shape the open web's future.

This week in Romania, a US State Department candidate is facing a Russian challenger in an election for the leadership of one of the most important international technology bodies in the world.

Who wins could determine whether the internet remains a relatively decentralized and open platform—or begins to centralize into the hands of nation-states and state-run companies that may want great control over what their citizens see and do online. Yet, with just days to go before the vote, the race for secretary-general of the International Telecommunications Union (ITU) has garnered painfully little attention.

It’s a two-person race: On one side is the American, Doreen Bogdan-Martin, a former Commerce Department expert on telecommunications who joined the ITU in the 1990s. She’s squaring off against Rashid Ismailov, the former deputy minister for Russia’s telecommunications ministry.

According to their election platforms, Bogdan-Martin and Ismailov signal the same core objective: connecting every person in the world to the internet and cellphone service by 2030. The two candidates, however, represent fundamentally different visions for the future of the internet. Bodgan-Martin’s campaign has focused on her track record of navigating the complex machinery of the United Nations body. Ismailov, meanwhile, has promised a “humanization” of telecommunications infrastructure—and has invoked his candidacy as a way to reject American “dominance” online.

If the wrong candidate wins, says Göran Marby, head of Internet Corporation for Assigned Names and Numbers (Icann), the stakes couldn’t be higher: “People around the world might not be able to connect to one single interoperable internet.”

Today, the ITU technically sits under the auspices of the United Nations. But it predates the world’s major deliberative body by about 80 years.

Originally established to do things like standardize the Morse code alphabet and codify the standard distress call, the ITU is today responsible for creating standards and interoperability between an array of services and technologies and expanding access to modern communications platforms.

Maintaining interoperability is an unsung but critical job. The ITU needs to ensure that all countries can agree on allocating space on the radio frequency spectrum, and it assigns orbital slots to various communication satellites, amongst other tasks. For example, the ITU is the reason a Japanese cellphone can still work in Dakar, and vice versa.

Unlike other UN bodies, the ITU is not merely the purview of nation-states: Its members include 190 nation-states, as well as 900 corporations, research bodies, and NGOs. (Only nations can vote in leadership elections, however.) For the past eight years, the organization has been led by Secretary-General Zhao Houlin, who had been rising in the ranks of the sprawling ITU bureaucracy since he left the Chinese telecommunications ministry in 1986.

Kristen Cordell, an adjunct fellow at the Center for Strategic and International Studies (CSIS), has called the ITU “the most important UN agency you have never heard of.” Decisions made at the international body, she argued, “have a tremendous impact on the everyday lives of Americans.”

Authoritarian states like China, Cordell wrote, “have increased their interest and activism in the ITU, leading to concerns that their outsized influence in standards setting may lead to the bifurcation of the internet.” Houlin’s time at the helm of the organization, according to Cordell, has been marked by “highly favorable comments and decisions in support of Chinese companies.” Those companies have, in turn, ramped up their involvement in the ITU. Huawei alone has submitted some 2,000 new standards proposals to the organization, according to Cordell.

In 2019, Houlin signed a memorandum of understanding between the ITU and the Export-Import Bank of China to expand internet access through the Global South under China’s signature Belt and Road Initiative. The initiative has been criticized as a form of neocolonialism: hooking up countries, particularly in Africa, to high-interest loans that leave them beholden to Chinese investment.

Proposals from Chinese state enterprises and from Beijing itself suggest, in their words, a “New IP” and are purportedly a response to a lack of innovation in how data is processed at the lowest levels of the internet. China has suggested that tagging data packets by their intended purpose could improve data routing and reduce latency. Beijing, in ITU proposals, offers altruistic examples, like prioritizing streaming data associated with virtual surgeries.

Critics, however, say the issues diagnosed by China are already being addressed and that such a proposal would likely worsen these fundamental problems, not improve them. The Internet Society, a US-based nonprofit that promotes internet openness, derided the proposal as one likely to make those identified problems worse and said it ignores progress in making the patchwork of different systems and operators play well with each other. “Creating overlapping work is duplicative and costly. In the end, it does not enhance interoperability,” wrote Internet Society analysts Hascall Sharp and Olaf Kolkman.

Many see an ulterior motive. This new balkanized internet “would lack free and open standards and be primed for manipulation by autocrats that seek to limit civil liberties and human rights,” Cordell argues.

“The internet, at its lowest level, should be data-agnostic,” says Mallory Knodel, chief technology officer at the Center for Democracy & Technology. There is “less information control if the data is agnostic,” she says.

“New IP would centralize control over the network into the hands of telecoms operators, all of which are either state-run or state-controlled in China,” reads a 2020 report from Oxford Information Labs, prepared for NATO and obtained by _Infosecurity Magazine_. “So, internet infrastructure would become an arm of the Chinese state.”

Members of the ITU have largely shot down these proposals for New IP. But that doesn’t mean China is giving up.

Fiona Alexander, a cofounder of Salt Point Strategies who is also part of the American delegation to the ITU, points out that there is a “sleight of hand” going on with some of the authoritarian regimes as they advance proposals like New IP—most recently, China has rebranded that proposal to the innocuous-sounding “IPV6+.”

China has acknowledged that increased central control is, in its view, an upside of these proposals. “States have the right to make ICT-related \[information and communications technology\] public policies consistent with national circumstances to manage their own ICT affairs and protect their citizens’ legitimate interests in cyberspace,” reads a set of 2019 submissions written by Beijing.

This kind of work is, traditionally, not the purview of the ITU. Nongovernmental groups, like Icann and the Internet Engineering Task Force (IETF), tend to be more directly responsible for managing the actual protocols that govern the internet.

The Russian candidate to replace him, Ismailov, is no stranger to China’s international policy: He spent three years as a regional vice president at Huawei. From there, Ismailov rose through the ranks of the Russian Ministry of Telecom and Mass Communications before joining Nokia and later Russian telecommunications firm PJSC VimpelCom.

Beijing and Moscow have made no secret of the fact that they’re on the same page at the ITU.

A 2021 pact between Beijing and Moscow committed both countries to flexing their muscle when it comes to international technology governance, with an eye to “preserving the sovereign right of States to regulate the national segment of the Internet.”

“Russia and China emphasize the need to enhance the role of the International Telecommunication Union and strengthen the representation of the two countries in its governing bodies,” the agreement concludes.

Ismailov has been transparent that his view of the organization stands in stark contrast to that of his American competitor.

“Americans are, perhaps, allergic to everyone who has anything to do with Huawei,” Ismailov said in his official, 30-minute campaign video. “I don’t understand why this has happened.” He added that the “demonization” of the Chinese company was done, in his view, “out of fear of competition.”

While Ismailov said he would “strive to avoid this politicization” of the organization, he also pledged to defend Russia against consequences levied for its war in Ukraine.

“I want to make sure that the organization focuses more on its actual objectives—frequencies standardization, etc,” he said, through a translator, in his campaign video. “Of course this won’t be totally possible because technology is now an integral part of our everyday life, including geopolitics. We are seeing this with the sanctions that are being imposed. Russia is being pressured in all international organizations—some want to strip it of its voting rights, others want to expel Russia.”

In a press conference in May, Ukraine’s head of the State Special Communications Service, Yurii Shchyhol, said his country had moved to sanction Russia at the ITU as a denouncement of its invasion of Ukraine—what Ismailov euphemistically refers to as a “special military operation.”

If she wins, Bodgan-Martin will be the first woman to lead the ITU—she will also be the first American to lead the organization since 1965. While the State Department says Bodgan-Martin’s candidacy is a matter of having “the right candidate at the right time,” her bid for the job is no accident.

Houlin’s first candidacy for the secretary-general position, in 2014, went unopposed. In 2017, the Trump administration unveiled its National Security Strategy: a hodgepodge of tactics to counter China’s rising influence in the world. In it, the White House identified the protection of a free and open internet as a top priority and set “active engagement in key organizations” as necessary measures, mentioning the ITU by name.

Yet at the 2018 ITU Plenipotentiary Conference, Houlin again ran unopposed—his re-election bid was supported by 176 of the 178 countries present.

Ahead of the vote on September 29, at this year’s conference in Bucharest, the United States seems to be taking the race seriously. Members from the American delegation, as well as a senior official at the State Department who spoke on the condition of anonymity, said Bodgan-Martin has been campaigning intensely. A litany of photos posted to Twitter, and a surprisingly active hashtag, show her meeting with technical and civil society groups around the world.

In February, the United States appointed Ambassador Erica Barks-Ruggles as their representative responsible for the ITU conference—with marching orders to get Bogdan-Martin elected. She appeared before a House foreign affairs subcommittee late last year to underscore the fact that the United States’ focus on the ITU election, amongst others, meant “countering the efforts of countries such as the People’s Republic of China and Russia to reshape and undermine international law, institutions, and standards.” President Joe Biden has also released a statement endorsing Bogdan-Martin.

“What we’re really hearing from countries around the world,” the official says, is that connecting the roughly 3 billion people on the planet with no access to the internet is a top priority—closing the so-called digital divide. “We learned during Covid the stark digital divide that’s out there, and they want it closed as soon as possible,” the official said.

On that, they said, Bogdan-Martin “is focused like a laser.”

Ismailov, meanwhile, is trying to turn the race into a referendum on America.

“You can clearly see the two camps humankind is divided into: developing countries and the West,” he says in his campaign video. He set up the United States, and the West more broadly, as a monopolistic entity with respect to the internet.

“They encouraged extremist resources on their platforms at the same time they eradicated anyone who goes against their agenda,” Ismailov adds, citing Donald Trump’s Twitter ban as a prime example. In the friendly interview, Ismailov was asked about Russian media, such as RT, being taken offline in the United States and Europe. Ismailov likened it to “cancel culture.”

Ismailov drew a stark comparison: The Soviet Union’s development of nuclear weapons, followed by China, “offset everyone’s ambitions and made the perception of risk very tangible.” There had not been the same nuclear arms race in the telecommunications space, he says.

It’s a message that could just work, but the Americans are paying it no mind. “He’s focusing on a very negative vision, moaning about things,” the official says of Ismailov. “Let him do that.”

The State Department official spoke on background, and the department declined to make Bogdan-Martin available for an interview. A request to the Russian mission in Geneva, where the ITU is located, went unanswered.

While there was some quiet optimism about Bodgan-Martin’s chances, none of the experts and delegates to the ITU who spoke with WIRED were willing to predict her victory. Even though Russia has lost a number of major votes at the UN in recent months, the race for secretary-general is—unlike many other votes at the international body—a secret ballot, leaving room for horse-trading.

Some of Russia’s appeal is macro: The Beijing and Russia compact is undoubtedly attractive to less democratic countries that want to be free to regulate and restrict the internet as they see fit. Ismailov might also be attractive for other reasons. Earlier this year, Russian satellite operator Intersputnik announced that the country would be sponsoring a 200-seat cafeteria at the ITU’s new Geneva headquarters.

The top-tier race isn’t the only one that matters, however. At their annual meeting later this month, the ITU members will also select a number of senior functionaries, elect the make-up of regulatory boards, and choose a new council. All of those races have the potential to determine the way the ITU approaches these core questions over the next four years.

The secretary-general race will, however, signal what direction the organization is headed. Göran Marby, CEO of Icann—a core administrator of the technical infrastructure of the internet—would not officially endorse Bodgan-Martin, but he told the organization’s annual meeting last week that voting for Ismailov would mean “people around the world might not be able to connect to one single interoperable internet.”

Marby said he was remaining neutral, but added: “We vividly oppose one of the platforms, that the Russian potential secretary-general stands for.”

In an email statement, a spokesperson for Marby told WIRED that Ismailov’s candidacy threatens to further centralize control within the ITU, taking those authorities away from stakeholder groups like Icann.

“Technically, this is not possible,” they wrote. “The internet operates based on a system of voluntary standards, best practices, cooperation, and trust.” This cooperative model, they added, “is a model that works. The internet has operated without fail for nearly 40 years.”

While reiterating their neutrality in the race, the spokesperson added that “if the functions of Icann were moved to the ITU, the risk of internet fragmentation would be very real, and the interoperability of the internet would be jeopardized.”

This Vote Could Change the Course of Internet History

The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach.
"Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec

The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach.

"Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec said in a new report.

BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka FIN7, Carbanak, or Carbon Spider) and is said to be a rebranded successor of DarkSide and BlackMatter, both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline.

The threat actor, like other notorious ransomware groups, is known to run a ransomware-as-a-service (RaaS) operation, which involves its core developers enlisting the help of affiliates to carry out the attacks in exchange for a cut of the illicit proceeds.

ALPHV is also one of the first ransomware strains to be programmed in Rust, a trend that has since been adopted by other families such as Hive and Luna in recent months to develop and distribute cross-platform malware.

The evolution of the group's tactics, tools, and procedures (TTPs) comes more than three months after the cybercrime gang was discovered exploiting unpatched Microsoft Exchange servers as a conduit to deploy ransomware.

Subsequent updates to its toolset have incorporated new encryption functionalities that enable the malware to reboot compromised Windows machines in safe mode to bypass security protections.

"In a July 2022 update the team added indexing of stolen data -- meaning its data leaks websites can be searched by keyword, file type, and more," the researchers said.

The latest refinements concern Exmatter, a data exfiltration tool used by BlackCat in its ransomware attacks. Besides harvesting files only with a specific set of extensions, the revamped version generates a report of all processed files and even corrupts the files.

Also deployed in the attack is an info-stealing malware called Eamfo that's designed to siphon credentials stored in the Veeam backup software and facilitate privilege escalation and lateral movement.

The findings are yet another indication that ransomware groups are adept at continually adapting and refining their operations to remain effective as long as possible.

"Its continuous development also underlines the focus of the group on data theft and extortion, and the importance of this element of attacks to ransomware actors now," the researchers said.

BlackCat has also been recently observed using the Emotet malware as an initial infection vector, not to mention witnessing an influx of new members from the now-defunct Conti ransomware group following the latter's withdrawal from the threat landscape this year.

The sunsetting of Conti has also been accompanied by the emergence of a new ransomware family dubbed Monti, a "doppelganger" group which has been found purposefully and brazenly impersonating the Conti team's TTPs and its tools.

News of BlackCat adding a revamped slate of tools to its attacks arrives as a developer associated with the LockBit 3.0 (aka LockBit Black) file-encrypting malware allegedly leaked the builder used to create bespoke versions, prompting concerns that it could lead to more widespread abuse by other less skilled actors.

It's not just LockBit. Over the past two years, Babuk and Conti ransomware groups have suffered similar breaches, effectively lowering the barrier for entry and enabling malicious actors to quickly launch their own attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal

Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.

Academy Lms is a marketplace script for online learning. Here students and teachers are combined together for sharing knowledge through a structured course-based system. Teachers or instructors can create an unlimited number of courses, video lessons and documents according to their expertise and students can enroll in these courses and make themselves skilled anytime and from anywhere.  
So start selling your courses by installing ACADEMY and make your online business today.  

**Quick start guide for course instructor/admin**

*   Read all our provided documentation carefully before using the software
*   Install the application following “Installation and Update” guide carefully
*   Login as site administrator to organize your system
*   At first update your System Settings and Payment Settings from Settings option of the left sidebar menu. Also, make sure to provide a valid YouTube API key and a valid Vimeo API key on System Settings.
*   If you have updated the Settings successfully, you can go to Categories option from the same left sidebar menu and create Categories.
*   After creating Category, you can create Sub-categories under a specific Category. For creating Sub-categories you can go to the Categories page, select a specific category, click on the Action dropdown menu and select Manage Sub-categories. It will take you to the Sub-categories page. Now you can simply click on “+Add Sub Category” button and fill all the required fields to create a Sub-category.
*   Now its time to create some Courses. Since a course will contain all the video lessons you have to create it carefully. Move to Courses option from the left menu, You will get a “ Add Course Form” after clicking on “+Add Course” button. Fill all the fields carefully
*   Every Course should have at least one Section. Because at the end you will have to add a lesson under a specific section of a specific course. So, now you will have to create at least one section. Move to the Courses page, select a specific course, click on the action dropdown menu and select Manage Section. After clicking on Manage Section you will get the list of Section which is empty now. You have to create one by clicking the “+Add Section” button
*   As you have created a Course and a section or multiple sections, now you will be able to create a lesson. Now, let’s move to the Course page again, select a specific course, click on the Action dropdown button, select Manage Lesson. It will also show the list of lessons that you’ve created. To add new you can just click on “+Add Lesson” button

**Quick start guide for course students**

*   Since the application has been already installed. Student can access the website by simply hitting the application URL
*   Home page will appear every time a student hits the URL. From the home page, a student can search for a specific course, get all the top courses, top ten latest courses, get category based courses. A student can sign up if he/she is not registered yet. If a student is already registered he/she can log in. Student can add courses on their Shopping Carts or add them on their Wishlists
*   Students can see the course details by simply clicking on a course thumbnail. The course details page contains all the essentials information about a course like, Title, Description, Outcomes, The prerequisites of the course, Lesson list Instructor details, and the rating and reviews. User can see a course overview here
*   If Student want to buy the course they must add those courses on their cart
*   After adding a course on Shopping cart if a student wants to see their cart items, they can to go to the Shopping Cart page by clicking on Go To Cart button, which appears on hovering over the cart icon of the header
*   Student can remove courses if they want from the shopping cart page
*   On the right side of the shopping cart page is the total price of the cart items. Under that is the Checkout button. If student want to check out they can simply click on the Checkout button and pay for those courses
*   After a successful checking out student can see their courses on the My Courses menu. The student will get the My Courses button by hovering over their profile image from the header
*   My Courses page will show all the courses which are purchased by that student. Student can play the lessons by clicking on the thumbnail from the My Courses page

**Update Log**

**Version 5.9.1 – 16 August, 2022**

\- Home page newly designed
- Footer newly designed
- Sign up URL enhanced to improve SEO
- The uploaded images are optimized automatically
- Footer link issue fix
- Auto logout issue fix

**Version 5.9 – 3 July, 2022**

\- Pagination added to the search result page
- Pagination added to the course filter page
- Search result optimised from in dept course data
- Quiz result issue fixed and experience improved

**Version 5.8 – 26 May, 2022**

\- New! limitation on account access from multiple devices
- Admin can set how many account can be accessed by a single student account
- Create any number of new pages for your course website
- Video uploading progress bar shown during lesson creation
- Quiz question type added: true-false, fill in the blanks, multiple choice, single choice
- Instructor now can view student's quiz results
- Quizzes now have timer to complete within a certain time period
- Login session time period extended
- Issue fix for blog category link access
- Smtp crypto settings now added

**Version 5.7 – 18 April, 2022**

\- Drip content feature introduced
- Student has to complete previous lesson to access the next one
- Showing learning progress in course playing page
- Publicly course access permission settings (allow/deny) from admin panel
- Message read and unread status showed in messaging page between student and instructor
- Certificate addon update: drag & drop builder
- Certificate addon update: background image changing capability
- Certificate addon update: QR code shown for certificate validation

**Version 5.6 – 17 February, 2022**

\- Api updated for student and instructor mobile app
- Show email with name when admin enroll a student
- Delete enrolment history when a course is deleted
- Blog keywords for course website SEO performance enhance
- Minor bug fixed

**Version 5.5 – 19 January, 2022**

\- Blog module introduced
- Admin & instructor can write blog posts
- 'Buy' button added in course page
- Instructor skills added
- New page for forget password
- Newly designed user interface for student account panel
- Document type lessons now have preview option
- Coupon code discount feature enhanced
- Razorpay payment gateway option for instructor payout
- Store quiz result of students
- Api updated for mobile apps
- Source code optimised and performance upgraded

**Version 5.4 – 2 November, 2021**

\- Updated with bootstrap 5
- Completely newly designed frontend website layout

**Version 5.3 – 16 September, 2021**

\- Student can continue learning from last time viewed lesson (watch history preserved)
- When purchasing a course without login, redirected to that course after login.
- The video source URL has been hidden for HTML5 video URL and Video file.
- Added language select option to instructor panel.

**Version 5.2 – 30 August, 2021**

\- New lesson type: text format
- Facebook login for students added
- Admin permission for quick action menu fixed
- Refund policy option settings added

**Version 5.1 – 4 August, 2021**

\- New lesson type: google drive
- Razorpay payment gateway comes as standard
- Free lesson preview

**Version 5.0 – 1 June, 2021**

\- Adding new admins
- Admin role permission setting
- Multi instructor in single course
- Coupon code
- Course compare feature
- Application performance improvement
- Organised Admin navigation menu
- Organised applications assets
- Documentation updated

**Version 4.7 – 8 May, 2021**

\- Responsive issue solved on the course playing page.
- Bug fixed on social sharing content.
- A new API has been added for the Instructor mobile app.

**Version 4.6 – 23 March, 2021**

\- Sub category selection fixed for mobile device screens.
- Minor bug fixes
- Performance improvement

**Version 4.5 – 9 February, 2021**

\- Ability to filter courses according to parent categories.
- Security check on installing addons.
- Course preloaded on homepage. 
- Fixed a minor bug on course completion.

**Version 4.4 – 22 December, 2020**

\- Google recaptcha introduced for enhanced account security
- Dashboard shortcut for : Add student, Enrol student, Add course, Add lesson
- Mobile API updated
- Layout updated in course detail page for mobile device responsiveness.

**Version 4.3 – 20 October, 2020**

\- Browser cache issue on image uploading has been solved.
- Ratings and reviews are now showing perfectly on mobile device.
- Server storage has been optimised by removing the previous video file while updating video type lessons.
- Stripe payment API is working fine in Academy mobile app.
- Top courses are now accessible from mobile devices.
- Latest courses are now accessible from mobile device.
- Info banner is now aligned perfectly in mobile device.

**Version 4.2 – 15 September, 2020**

\- Sending verification code instead of link on user verification email. Since sometimes mail with a link considered as suspicious.
- Keeping stripe session id and transaction id on stripe payment.        
- Enhanced the security of stripe payment.
- Total lesson count is now working fine in all dashboard.   
- Minor bug fixes and performance improvement.

**Version 4.1 – 19 August, 2020**

\- All payment gateways are included in mobile app.
- Students can purchase course inside mobile app using all available payment gateways and addons.
- Rating review posting by student random issue fix
- Version update procedure updated

**Version 4.0.1 – 6 July, 2020**

\- Stripe payment gateway updated for course purchase
- Api updated for mobile application
- Minor bug fixes

**Version 4.0 – 17 June, 2020**

\- New instructor workflow introduced
- Admin can add new instructor from admin panel
- User needs to apply to be an instructor if the admin keeps it enabled
- New dashboard and menu for instructor panel
- New sales report page for instructor
- New payout report page for instructor
- New instructor payout processing system
- The instructor now have the opportunity to request a withdrawal request
- Language switcher from frontend website
- New lesson creation layout and very user-friendly workflow
- A separate form for each type of lessons and it can be switched instantly
- Video upload option in lesson creation form with possible upload size info
- Toaster notification translation issue fixed
- Student page title issue fixed
- Lesson deletion issue while course deletion is fixed
- Multi-language helper updated
- Courses can be added to wishlist from course detail page
- User is shown an alert before removing a course from wishlist
- Outgoing email text enhanced for being marked as spam by Gmail

**Version 3.6 – 23 April, 2020**

\- Iframe embed code feature added.
- Now you can add google slide, slideshare slides and any embeddable external content.

**Version 3.5 – 8 April, 2020**

\- Minor bug fixes.

**Version 3.4 – 20 March, 2020**

\- Android API added to purchase a course from inside the student's mobile app.

**Version 3.3 – 10 March, 2020**

\- Checkout page updated

**Version 3.2.1 – 1 March, 2020**

\- Academy lms site slow speed performance fixed

**Version 3.2 – 19 February, 2020**

\- Payment system upgraded and designed from scratch
- Disabled payment gateways are now hidden from student course purchase page
- Some minor bug fixes in course, lesson management in the admin panel

**Version 3.1 – 15 January, 2020**

\- EU cookie note added with cookie policy acceptance
- Course purchase notification to instructor, admin, student
- Disabled payment method is now inactive in course purchasing cart
- Instructor list is shown in the admin panel
- API updated for mobile app course purchasing
- Enroll history report updated to current month by default
- Addon system introduced
- New addon manager for addon installation, activation or deactivation
- Certificate addon released. Buy here: https://codecanyon.net/item/x/25515213
- Documentation updated

**Version 3.0 – 12 October, 2019**

\- Android app API published
- Separate video lesson configuration for mobile app added
- Lesson player CSS fixed
- Footer text made dynamic from admin panel
- Course curriculum layout issue fixed
- Course duration value fixed
- Course title short layout enhanced

**Version 2.4 – 17 September, 2019**

\- User interface updated

**version 2.3 – 12 August, 2019**

\- Course progress feature added for students
- Students can mark / unmark a lesson as complete
- My course page shows completion percentage of every purchased course
- Video lessons can be resumed from last time watched ( applicable for .mp4 videos )

**version 2.2 – 10 July, 2019**

\- Course playing page new layout introduced. Designed and coded from scratch.
- Theme installation option added.
- Theme chooser, activation and deactivation option added.

**version 2.1 – 16 June, 2019**

\- stripe payment gateway api updated
- admin now have option to enable or disable email verification
- course purchasing cart page crash issue fixed

**version 2.0 – 10 June, 2019**

\- quiz module introduced
- MCQ question manager for course quiz
- quiz sorting option added
- new course manager layout
- course filter for admin to sort out easily
- courses and section now grouped in a single page
- brand new admin panel layout
- admin now have monthly income graph chart
- new instructor dedicated panel introduced
- category manager updated
- new course filter page added in frontend website
- courses can be filtered by category, price, level, language, rating
- filter course with list view and grid view
- all user login page unified in a single form
- new website launched for academy : http://www.academy-lms.com

**version 1.3 – March, 2019**

\* Free course enrolment opportunity
\* Confirmation email on student account register
\* Custom smtp settings for site admin
\* Stopped playing course preview on background
\* Shopping cart view updated
\* Minor bugs fixes

**version 1.2 – January, 2019**

\* Lesson file type added : text, pdf, doc, own server video
\* Description field for all course lessons
\* Video player updated and enhanced 
\* Added course title/summary to course playing page
\* Course activation notification updated.
\* Site title issue fixed
\* Seo settings for course pages
\* Added currency settings

**version 1.1 – November, 2018**  
\[ backend \]

\* Status Wise course creating.
\* Show number of courses by status on Dashboard as well as on Admin navigation menu.
\* Made managing sub-category more comprehensive on the category page.
\* Added icon picker on Category and subcategory add and edit form
\* Added an instructor filter on course table.
\* Separated Active and Pending courses status wise inside the course page.
\* Admin now has an option of “View Course on Frontend” inside course page.
\* Admin now can make a course Active as well as Pending.
\* Made Course overview URL optional while creating a course.
\* Made Course thumbnail optional while creating a course.
\* Made generating Lesson’s video duration more understandable. 
\* Added an optional Payment information field for Student. While creating and editing student. It is required for Instructors only.
\* Added Enrol a Student option. Now admin can enrol a student manually from the backend.
\* A new navigation menu “Report" has been added. 
\* Admin now can see all the revenue he got after a successful course purchasing.
\* Admin now can see all the revenue an Instructor got after a successful course purchasing.
\* Admin now can pay instructors.
\* Made Updater module functional for future updates.
\* Added two different Logo Uploader. One for backend another for Frontend.
\* Added Favicon uploader.
\* Added Instructor settings inside Settings option.
\* Fixed the “Action” Button breaking on small devices.
\* Dynamic footer text.

\[ frontend \]

\* Showing all the courses by course status. That means only Active courses are now being shown.
\* Fixed the login modal’s title.
\* Wish listed courses are now can be removed from the wish list page.
\* Already Purchased Button now redirects to My Courses page.
\* Fixed the issue of courses with no course overview URL or course thumbnail.
\* Instructor can see his course’s curriculums from the Course details page.
\* Respective instructor details of every course is showing on course details page.
\* Fixed the escape HTML tags issue on instructor Biography.
\* Added Instructor menu on the frontend navigation.
\* Creating course from the frontend.
\* Separated Active, Pending and Drafted course on instructor dashboard.
\* Instructor can see his created course details and respected course’s lessons from the frontend.
\* Instructor can make a published course to Draft course.
\* Instructor can create, update and delete sections from the frontend.
\* Serialize sections from the frontend.
\* Can Add, Update or Delete lessons from the frontend.
\* Instructor’s Payment report on the frontend.
\* Payment settings. Which is mandatory for being an Instructor.

**version 1.0 – October, 2018**

\- first version released

**Requirements**

*   Apache web server for running php
*   PHP version 7
*   Mysql database access, purchase code during installation
*   Php curl should be enabled
*   One purchase code is legal for using one domain only

**Contact support**

Send us a ticket for presale questions and getting after sales developer support via zendesk.  
http://support.creativeitem.com

Tag

#mac