官网

新闻

行业信息

合作信息

链安博客

服务

制造业

核心基础设施

电信

医疗行业

解决方案

iris文章录入练习

变更日志

帮助中心

漏洞管理

产品使用书

问答最频繁的问题

<p div align="center">
<img src="https://www.bleepstatic.com/content/hl-images/2022/08/16/Realtek.jpg" width="700" height=""></img>

#
Exploit code has been released for a critical vulnerability affecting networking devices with Realtek’s RTL819x system on a chip (SoC), which are estimated to be in the millions.

The flaw is identified as CVE-2022-27255 and a remote attacker could exploit it to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.

# **No user interaction needed**

Researchers from cybersecurity company Faraday Security in Argentina discovered the vulnerability in Realtek’s SDK for the open-source eCos operating system and [disclosed the technical details](https://forum.defcon.org/node/241835) last week at the DEFCON hacker conference.

The four researchers ([Octavio Gianatiempo](https://twitter.com/ogianatiempo), [Octavio Galland](https://twitter.com/GallandOctavio), [Emilio Couto](https://twitter.com/ekio_jp), [Javier Aguinaga](https://twitter.com/pastaCLS)) credited with finding the vulnerability are computer science students at the University of Buenos Aires.

Their presentation covered the entire effort leading to finding the security issue, from picking a target to analyzing the firmware and exploiting the vulnerability, and automating the detection in other firmware images.

[CVE-2022-27255](https://nvd.nist.gov/vuln/detail/CVE-2022-27255) is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote attackers to execute code without authentication by using specially crafted SIP packets with malicious SDP data.

The vulnerability is a stack-based buffer overflow in the SIP ALG function that is responsible for rewrites SDP data. 

Realtek addressed the issue in March [noting](https://www.realtek.com/images/safe-report/Realtek_APRouter_SDK_Advisory-CVE-2022-27255.pdf) that it affects rtl819x-eCos-v0.x series and rtl819x-eCos-v1.x series and that it could be exploited through a WAN interface.

The four researchers from Faraday Security have developed proof-of-concept (PoC) [exploit code for CVE-2022-27255](https://github.com/infobyte/cve-2022-27255/tree/main/exploits_nexxt) that works on Nexxt Nebula 300 Plus routers.

They also shared a video showing that a remote attacker could compromise the device even if remote management features are turned off.

#
<iframe title="vimeo-player" src="https://player.vimeo.com/video/740134624?h=bb9daeb55e" width="640" height="360" frameborder="0" allowfullscreen></iframe>

#
The researchers note that CVE-2022-27255 is a zero-click vulnerability, meaning that exploitation is silent and requires no interaction from the user.

An attacker exploiting this vulnerability would only need the external IP address of the vulnerable device.

# **Few lines of defense**

Johannes Ullrich, Dean of Research at SANS says that a remote attacker could exploit the vulnerability for the following actions:

- crash the device
- execute arbitrary code
- establish backdoors for persistence
- reroute network traffic
- intercept network traffic

Ullrich warns that if an exploit for CVE-2022-27255 turns into a worm, it could spread over the internet in minutes.

Despite a patch being available since March, [Ullrich warns](https://isc.sans.edu/diary/Realtek+SDK+SIP+ALG+Vulnerability%3A+A+Big+Deal%2C+but+not+much+you+can+do+about+it.+CVE+2022-27255/28940) that the vulnerability affects "many (millions) of devices" and that a fix is unlikely to propagate to all devices.

This is because multiple vendors use the vulnerable Realtek SDK for equipment based on RTL819x SoCs and many of them have yet to release a firmware update.

It is unclear how many networking devices use RTL819x chips but the RTL819xD version of the SoC was present in products from more than 60 vendors. Among them ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, and Zyxel.

The researcher says that:

- Devices using firmware built around the Realtek eCOS SDK before March 2022 are vulnerable
- You are vulnerable even if you do not expose any admin interface functionality
- Attackers may use a single UDP packet to an arbitrary port to exploit the vulnerability
- This vulnerability will likely affect routers the most, but some IoT devices built around Realtek's SDK may also be affected

Ulrich created a [Snort rule here](https://isc.sans.edu/diary/Realtek+SDK+SIP+ALG+Vulnerability%3A+A+Big+Deal%2C+but+not+much+you+can+do+about+it.+CVE+2022-27255/28940) that can detect the PoC exploit. It looks for "INVITE" messages with the string "m=audio" and triggers when there are more than 128 bytes (size of the allocated buffer by the Realtek SDK) and if none of them is a carriage return.

It is important to note that not all products using RTL819x are vulnerable. Faraday Security researchers shared a list with products powered by Realtek's chip and believed to be vulnerable.

Zyxel NBG6615 is on the list because it runs on a vulnerable chip. However, it is not impacted by the vulnerability.

Zyxel reached out to BleepingComputer after publishing this article to explain that the firmware in the NBG6615 router does not initiate the ALG comment function, and, it is not affected by CVE-2022-27255.

Users should check if their networking equipment is vulnerable and install a firmware update from the vendor released after March, if available. Other than this, organizations could try to block unsolicited UDP requests.

Slides for the DEFCON presentation along with exploits, and a detection script for CVE-2022-27255 are [available in this GitHub repository](https://github.com/infobyte/cve-2022-27255).

**Update:** Zyxel contacted BleepingComputer after publishing this article to share that CVE-2022-27255 impacts none of its products and to clarify that while its NBG6615 runs on Realtek, the firmware does not use the vulnerable function.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/
</span>
</div>

Exploit out for critical Realtek flaw affecting many networking devices

<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgTYq7L4yC5sKASkr0YB-uhQNnYzskeSC_9nvtavmw5U4YiyKhrAG37aeIGDZOJN2YX7QrKdMq_9XtGZGaSoIryoR1A7S1T_7z5uSeO357TqBoEtrHfWLuNg1raAQJKlglrocj39WQFzZZHWYtjxaVvpCtQdv4dwWBQ_BZlsd_wa9qifyjicZbQL-bY/s728-e1000/plc-hacking.jpg" width="770" height=""></img>

#
Cybersecurity researchers have elaborated a novel attack technique that weaponizes programmable logic controllers  ([PLCs](https://en.wikipedia.org/wiki/Programmable_logic_controller)) to gain an initial foothold in engineering workstations and subsequently invade the operational technology (OT) networks.

Dubbed "**Evil PLC**" attack by industrial security firm Claroty, the issue impacts engineering workstation software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.

Programmable logic controllers are a crucial component of industrial devices that control manufacturing processes in critical infrastructure sectors. PLCs, besides orchestrating the automation tasks, are also configured to start and stop processes and generate alarms.

It's hence not surprising that the entrenched access provided by PLCs have made the machines a focus of sophisticated attacks for more than a decade, starting from [Stuxnet to PIPEDREAM](https://thehackernews.com/2022/04/us-warns-of-apt-hackers-targeting.html) (aka INCONTROLLER), with the goal of causing physical disruptions.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg/s1600/strike-728.png" width="880" height=""></img>

#
"These workstation applications are often a bridge between operational technology networks and corporate networks," Claroty [said](https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-predator-rather-than-prey). "An attacker who is able to compromise and exploit vulnerabilities in an engineering workstation could easily move onto the internal network, move laterally between systems, and gain further access to other PLCs and sensitive systems."

With the Evil PLC attack, the controller acts as a means to an end, permitting the threat actor to breach a workstation, access to all the other PLCs on the network, and even tamper with the controller logic.

Put differently, the idea is to "use the PLC as a pivot point to attack the engineers who program and diagnose it and gain deeper access to the OT network," the researchers said.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg7ZUVsQZjnhMqJ9OYJ-XdEgmWn_u02E_euQo_fvBGqNdgzCz4-RL7teKaI1Qm259FbvtiwCUKpl98QSWuIuCkZnej7M8VKeHepR8mynAtiOuTLOuwcp8KoE7ADWVDQlDrEWoe5z0dntXFD0IDsLdK0wRYi3JyMuR_2VjhaAB4SSZJf6xBoqZxmMH17/s728-e1000/plc.jpg" width="700" height=""></img>

#
The whole sequence plays out as follows: An opportunistic adversary deliberately induces a malfunction on an internet-exposed PLC, an action that prompts an unsuspecting engineer to connect to the infected PLC using the engineering workstation software as a troubleshooting tool.

In the next phase, the bad actor leverages the previously undiscovered flaws identified in the platforms to execute malicious code on the workstation when an upload operation is performed by the engineer to retrieve a working copy of the existing PLC logic.

"The fact that the PLC stores additional types of data that are used by the engineering software and not the PLC itself" creates a scenario wherein the unused data stored on the PLC can be modified to manipulate the engineering software, the researchers pointed out.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEglTybVbyQ3y6xCIxW9BIpqhgWBf_IhNgCo44HrgwUeYVi_GwvasznH93LLdkqJLwdp4DUkFkILg6m3WDgkue7MFxmbzFxmTBe7-pukEjyvUZ3j9yGyBcL2yUAZVFSQkjSric7YYfU8WgwHwYsS2-3wZ1zLQDAqgkoEpk5kZsbUuyh0UlV8nq7PplYEgQ/s1600/banners-crowdsec-728.png" width="880" height=""></img>

#
"In most cases, the vulnerabilities exist because the software fully trusted data coming from the PLC without performing extensive security checks."

In an alternative theoretical attack scenario, the Evil PLC method can also be used as honeypots to lure threat actors into connecting to a decoy PLC, leading to a compromise of the attacker's machine.

Claroty further called out the absence of security protections in the public-facing industrial control system ([ICS](https://en.wikipedia.org/wiki/Industrial_control_system)) devices, thereby making it easier for threat actors to alter their logic via rogue download procedures.

To mitigate such attacks, it's recommended to limit physical and network access to PLCs to authorized engineers and operators, enforce authentication mechanisms to validate the engineering station, monitor OT network traffic for anomalous activity, and apply patches in a timely fashion.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://thehackernews.com/2022/08/new-evil-plc-attack-weaponizes-plcs-to.htm</span>
 </div>

New Evil PLC Attack Weaponizes PLCs to Breach OT and Enterprise Networks

<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj1RcTVnHhouRdfoYLMyO6QeXdmZ2TH3TnY_67NioGcFmfJUC49dI1E0aDIxVKszQt7mkupMVC626d6spR7BGsrA3yzQpuRr4YwvLgksPS-Ea1xThw4eLhdqIcY-G2b1O46G7obzL8DK-0NUDIFyK5UbMyZDchGruV-WQVn62LT-i5tZLFB3Of2Qn_y/s728-e100/cisco-patch-update.jpg" width="700" height=""></img>

#
Cisco on Wednesday released patches to contain multiple flaws in its software that could be abused to leak sensitive information on susceptible appliances.

The issue, assigned the identifier [CVE-2022-20866](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz) (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

Successful exploitation of the flaw could allow an attacker to retrieve the RSA private key by means of a [Lenstra side-channel attack](https://www.redhat.com/en/blog/factoring-rsa-keys-tls-perfect-forward-secrecy)  against the targeted device.

"If an attacker obtains the RSA private key, they could use the key to impersonate a device that is running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic," Cisco warned in an advisory issued on August 10.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg/s1600/strike-728.png" width="880" height=""></img>

#
Cisco noted that the flaw impacts only Cisco ASA Software releases 9.16.1 and later and Cisco FTD Software releases 7.0.0 and later. Affected products are listed below -

- ASA 5506-X with FirePOWER Services
- ASA 5506H-X with FirePOWER Services
- ASA 5506W-X with FirePOWER Services
- ASA 5508-X with FirePOWER Services
- ASA 5516-X with FirePOWER Services
- Firepower 1000 Series Next-Generation Firewall
- Firepower 2100 Series Security Appliances
- Firepower 4100 Series Security Appliances
- Firepower 9300 Series Security Appliances, and
- Secure Firewall 3100

ASA software versions 9.16.3.19, 9.17.1.13, and 9.18.2, and FTD software releases 7.0.4, 7.1.0.2-2, and 7.2.0.1 have been released to address the security vulnerability.

Cisco credited Nadia Heninger and George Sullivan of the University of California San Diego and Jackson Sippe and Eric Wustrow of the University of Colorado Boulder for reporting the bug.

Also patched by Cisco is a client-side request smuggling flaw in the [Clientless SSL VPN](https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/webvpn-overview.html) (WebVPN) component of Cisco Adaptive Security Appliance (ASA) Software that could enable an unauthenticated, remote attacker to conduct browser-based attacks, such as cross-site scripting, against the victim.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEglTybVbyQ3y6xCIxW9BIpqhgWBf_IhNgCo44HrgwUeYVi_GwvasznH93LLdkqJLwdp4DUkFkILg6m3WDgkue7MFxmbzFxmTBe7-pukEjyvUZ3j9yGyBcL2yUAZVFSQkjSric7YYfU8WgwHwYsS2-3wZ1zLQDAqgkoEpk5kZsbUuyh0UlV8nq7PplYEgQ/s1600/banners-crowdsec-728.png" width="880" height=""></img>

#
The company said the weakness, [CVE-2022-20713](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-webvpn-LOeKsNmO)  (CVSS score: 4.3), impact Cisco devices running a release of Cisco ASA Software earlier than release 9.17(1) and have the Clientless SSL VPN feature turned on.

While there are no workarounds to remediate the flaw, affected users can disable the Clientless SSL VPN feature, although Cisco warns doing so "may negatively impact the functionality or performance" of the network.

The development comes as cybersecurity firm Rapid7  [disclosed](https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/) details of 10 bugs found in ASA, Adaptive Security Device Manager (ASDM), and FirePOWER Services Software for ASA, seven of which have since been addressed by Cisco.

These include [CVE-2022-20829](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-asdm-sig-NPKvwDjm) (CVSS score: 9.1),  [CVE-2022-20651](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asdm-logging-jnLOY422) (CVSS score: 5.5), [CVE-2021-1585](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asdm-rce-gqjShXW) (CVSS score: 7.5), [CVE-2022-20828](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG) (CVSS score: 6.5), and three other flaws that have not been assigned a CVE identifier.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://thehackernews.com/2022/08/cisco-patches-high-severity.html
</span>
</div>

Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions

**It cost a researcher only $25 worth of parts to create a tool that allows custom code to run on the satellite dishes.**

#
<p div align="center">
<img src="https://media.wired.com/photos/62f3003116995ea7b1a92d59/master/w_2560%2Cc_limit/Starlink-Hack-Security-GettyImages-1239230849.jpg" width="880" height=""></img>

*<font color=gray><p align="right">PHOTOGRAPH: NINA LYASHONOK/GETTY IMAGES</p></font>*

#
SINCE 2018, ELON Musk’s   [<u>Starlink</u>](https://www.wired.com/story/spacex-starlink-satellite-internet/) has [<u>launched</u>](https://www.wired.com/story/watch-spacex-launch-the-first-of-its-global-internet-satellites/) more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a [<u> vital source of connectivity during Russia’s war in Ukraine</u>](https://www.wired.com/story/starlink-ukraine-internet/) . Thousands more satellites are planned for launch as the  [<u>industry booms</u>](https://www.wired.co.uk/article/elon-musk-spacex-starlink-satellite-launch) . Now, like any emerging technology, those satellite components are being hacked.

Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink’s user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people’s homes and buildings. At the [ <u>Black Hat security conference</u>](https://www.wired.com/tag/black-hat/)  in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

#
<iframe class="IframeEmbedContent-gWTSqr fgqudb IframeEmbedContent" height="250" width="100%" sandbox="allow-scripts allow-same-origin" title="Embedded Frame" src="https://player.spokenlayer.net/v1-wired-security?__v=linear&amp;url=http://www.wired.com/story/starlink-internet-dish-hack" allow="autoplay *; encrypted-media *; clipboard-write"></iframe>

#
To access the satellite dish’s software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a [<u>modchip</u>](https://en.wikipedia.org/wiki/Modchip), uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a [<u>fault injection attack</u>](https://research.nccgroup.com/2021/07/07/an-introduction-to-fault-injection-part-1-3/)—temporarily shorting the system—to help bypass Starlink’s security protections. This “glitch” allows Wouters to get into previously locked parts of the Starlink system.

Wouters is now [<u>making his hacking tool open source on GitHub</u>](https://github.com/KULeuven-COSIC/Starlink-FI), including some of the details needed to launch the attack. “As an attacker, let’s say you wanted to attack the satellite itself,” Wouters explains, “You could try to build your own system that allows you to talk to the satellite, but that’s quite difficult. So if you want to attack the satellites, you would like to go through the user terminal as that likely makes your life easier.”

The researcher notified Starlink of the flaws last year and the company  [<u>paid Wouters through its bug bounty scheme for identifying the vulnerabilities</u>](https://bugcrowd.com/spacex/hall-of-fame). Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can’t be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says.

Starlink says it plans to release a “public update” following Wouters’ presentation at Black Hat this afternoon, but declined to share any details about that update with WIRED prior to publication.

Starlink’s internet system is made up of three major parts. First,  [<u>there are the satellites</u>](https://www.starlink.com/satellites) that move in low Earth orbit, around 340 miles above the surface, and beam down connections to the surface. The satellites communicate with two systems on Earth: gateways that send internet connections up to the satellites, and the Dishy McFlatface dishes people can buy. Wouters’ research focuses on these user terminals, which originally were [<u>round, but newer models are rectangular</u>
](https://www.theverge.com/2021/11/11/22776563/spacex-starlink-rectangular-dish-router-mounting-internet-satellites).

There have been [<u>multiple</u>](https://www.youtube.com/watch?v=QudtSo5tpLk)  [ <u>teardowns</u>](https://www.youtube.com/watch?v=iOmdQnIlnRo)of Starlink’s user terminals since the company started selling them. Engineers on YouTube have opened up their terminals, exposing their components and how they work. Others discuss the [<u>technical specs on Reddit</u>](https://www.reddit.com/r/StarlinkEngineering/). However, Wouters, who previously [<u>created hardware that can unlock a Tesla in 90 seconds</u>](https://www.wired.com/story/tesla-model-x-hack-bluetooth/), looked at the security of the terminal and its chips. “The user terminal was definitely designed by capable people,” Wouters says.

His attacks against the user terminal involved multiple stages and technical measures before he finally created the now open source circuit board that can be used to glitch the dish. Broadly, the attack using the custom circuit board works by bypassing signature verification security checks, which look to prove that the system is launching correctly and hasn’t been tampered with. “We’re using this to accurately time when to inject the glitch,” Wouters says.

Starting in May 2021, Wouters began testing the Starlink system, getting 268-Mbps download speeds and 49-Mbps upload speeds on his university building’s roof. Then it was time to open the device up. Using a combination of a “heat gun, prying tools, isopropyl alcohol, and a lot of patience,” he was able to remove the large metal cover from the dish and access its internal components.

#
<p div align="center">
<img src="https://media.wired.com/photos/62f3003016995ea7b1a92d58/master/w_1600,c_limit/Starlink-Hack-Tool-Security-GettyImages-1239230849.jpg" width="880" height=""></img>


*<font color=gray><p align="right">PHOTOGRAPH: LENNERT WOUTERS</p></font>*
#
Under the 59-cm diameter hood is a large PCB that houses a [<u>system-on-chip</u>](https://www.howtogeek.com/769198/what-is-a-system-on-a-chip-soc/), including a custom quad-core ARM Cortex-A53 processor, the architecture of which isn’t publicly documented, making it harder to hack. Among other items on the board are radio frequency equipment, [<u>power over ethernet systems</u>](https://intellinetnetwork.eu/pages/power-over-ethernet), and a GPS receiver. Opening up the dish allowed Wouters to [<u>understand how it boots up and download its firmware</u>](https://www.esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware/).

To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. The modchip requires soldering to the existing Starlink PCB and connecting it using a few wires. The modchip itself is made up of a  [<u>Raspberry Pi microcontroller</u>](https://www.raspberrypi.com/documentation/microcontrollers/rp2040.html), flash storage, electronic switches, and a voltage regulator. When creating the user terminal’s board, Starlink engineers printed “Made on Earth by humans” across it. Wouters’ modchip reads: “Glitched on Earth by humans.”

To get access to the dish’s software, Wouters used his custom system to bypass security protections by using the voltage fault injection attack. When the Starlink dish is turning on, it uses a series of different bootloader stages. Wouters’ attack runs the glitch against the first bootloader, known as the ROM bootloader, which is burned onto the system-on-chip and can’t be updated. The attack then deploys patched firmware on later bootloaders, which allows him to take control of the dish.

“From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification,” Wouters says. The glitch works against the signature verification process. “Normally you want to avoid shorts,” he says. “In this case we do it on purpose.”

Initially, Wouters attempted to glitch the chip at the end of its boot cycle—when the Linux operating system has fully loaded—but ultimately found it easier to cause the glitch at the start of the boot. This way was more reliable, Wouters says. To get the glitch to work, he says, he had to stop decoupling capacitors, which are used to smooth out the power supply, from operating. Essentially, the attack disables the decoupling capacitors, runs the glitch to bypass the security protections, and then enables the decoupling capacitors.

This process allows the researcher to run a patched version of Starlink’s firmware during the boot cycle and ultimately allows access to its underlying systems. In response to the research, Wouters says, Starlink offered him researcher-level access to the device’s software, although he says he declined as he had gone too deep with the work and wanted to build the modchip. (During testing, he hung the modified dish out of this research lab’s window and used a plastic bag as a makeshift waterproofing system.)

Starlink also issued a firmware update, Wouters says, that makes the attack harder, but not impossible, to execute. Anyone wanting to break into the dish in this way would have to put a lot of time and effort into doing so. While the attack isn’t as devastating as being able to take down satellite systems or connectivity, Wouters says it can be used to learn more about how the Starlink network operates.

“What I am working on now is communicating with the backend servers,” Wouters explains. Despite making the details of the modchip available for download on Github, Wouters does not have any plans to sell finished modchips, nor is he providing people with patched user terminal firmware or the exact details of the glitch he used.

As an increasing amount of satellites are launched—Amazon, OneWeb, Boeing, Telesat, and SpaceX are creating their own constellations—their security will come under greater scrutiny. In addition to providing homes with internet connections, the systems can also help to get ships online, and play a role in critical infrastructure. Malicious hackers have already shown that satellite internet systems are a target. As Russian troops invaded Ukraine, alleged Russian military hackers targeted the  [<u>Via-Sat satellite system</u>](https://www.wired.com/story/viasat-internet-hack-ukraine-russia/),  [<u>deploying wiper malware</u>](https://techcrunch.com/2022/03/31/viasat-cyberattack-russian-wiper/) that bricked people’s routers and knocked them offline. Around 30,000 internet connections in Europe were disrupted, including more than 5,000 wind turbines.

“I think it’s important to assess how secure these systems are because they are critical infrastructure,” Wouters says. “I don’t think it's very far-fetched that certain people would try to do this type of attack because it is quite easy to get access to a dish like this.”

Update 5 pm ET August 10, 2022: After Wouters’ conference talk, Starlink [ <u>published a six-page PDF explaining how it secures its systems</u>](https://api.starlink.com/public-files/StarlinkWelcomesSecurityResearchersBringOnTheBugs.pdf). “We find the attack to be technically impressive, and is the first attack of its kind that we are aware of in our system,” the paper says. “We expect attackers with invasive physical access to be able to take malicious actions on behalf of a single Starlink kit using its identity, so we rely on the design principle of ‘least privilege’ to constrain the effects in the broader system.”

Starlink reiterates that the attack needs physical access to a user terminal and emphasizes its secure boot system, which was compromised by the glitching process, is only impacted on that one device. Wider parts of the overall Starlink system are not impacted. “Normal Starlink users do not need to be worried about this attack affecting them, or take any action in response,” Starlink says.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.wired.com/story/starlink-internet-dish-hack/
</span>
 </div>


The Hacking of Starlink Terminals Has Begun

**A group of researchers from several universities and companies has disclosed a new Intel CPU attack method that could allow an attacker to obtain potentially sensitive information.**

The research was conducted by researchers from the Sapienza University of Rome, the Graz University of Technology, the CISPA Helmholtz Center for Information Security, and Amazon Web Services.

The attack method has been dubbed AEPIC Leak — spelled [ÆPIC Leak](https://aepicleak.com/) — and it’s related to the Advanced Programmable Interrupt Controller (APIC). This integrated CPU component is responsible for accepting, prioritizing, and dispatching interrupts to processors. When it’s in xAPIC mode, the APIC registers are accessed through a memory-mapped I/O (MMIO) page.

<p div align="center">
<img src="https://www.securityweek.com/sites/default/files/images/AEPIC_Leak.png" width="400" height=""></img>

In order to conduct an ÆPIC Leak attack, an attacker requires privileged access — administrator or root access — to the APIC MMIO. According to the researchers, ÆPIC Leak poses a significant risk to applications that rely on the Intel Software Guard Extensions (SGX) technology, which is designed to protect data from privileged attackers.

The researchers who identified this attack method have been involved in the discovery of several side-channel techniques affecting various processors, including the notorious Meltdown and Spectre attacks and their variants.

However, the researchers pointed out that unlike Meltdown and Spectre, which are transient execution attacks, AEPIC Leak exists due to an architectural bug, which leads to the disclosure of sensitive data without leveraging any side channel. They described it as “the first CPU bug able to architecturally disclose sensitive data.”

One of the researchers told SecurityWeek that since it does not rely on a side channel, the attack is extremely reliable.

“It is sufficient to load an enclave application in memory to be able to leak its contents. AEPIC Leaks can precisely target an application and fully dumps its memory in less than a second,” explained Pietro Borrello of the Sapienza University of Rome.

ÆPIC Leak, officially tracked as CVE-2022-21233, has been described as an uninitialized memory read issue that affects Intel CPUs.

Intel, which described it as a medium-severity issue related to improper isolation of shared resources, published an [advisory](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html) on Tuesday and provided a list of impacted products.

The researchers noted that users whose systems are powered by a recent Intel CPU are likely affected by the vulnerability, but those who don’t use SGX do not have to be concerned.

“We believe that ÆPIC Leak is only relevant to Intel SGX enclaves. ÆPIC Leak requires access to the physical APIC MMIO page that can be achieved only with high privileges. Traditional applications do not have to worry about ÆPIC Leak,” the experts said.

In addition, virtual machines are not affected either, as they do not have access to physical memory. Intel APICv has been checked by the researchers, who found that it’s not impacted.

Mitigations rolled out for recent side-channel attacks do not protect systems against ÆPIC Leak attacks. Instead, Intel is making available microcode updates and SGX SDK patches that address the vulnerability.

The researchers said the vulnerability has likely not been exploited in the wild, but noted that exploitation might not leave any traces in traditional log files.

A research paper detailing ÆPIC Leak is available, as well as a [dedicated website](https://aepicleak.com/) summarizing the findings. [Proof-of-concept (PoC) exploit code](https://github.com/IAIK/AEPIC) has also been released.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.securityweek.com/aepic-leak-architectural-bug-intel-cpus-exposes-protected-data
</span>
 </div>

ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data

<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEh8mtOt_hwkHz3oWxjcqCK3WCdbmSSIWYSrtWOT3K0zj23BvZ0r3csaTSeV8-F4sp8yMevd-cu7wfuGblWGMrFTn2qp3y_atIjLo8N8Guje0Y43uhTenF0W-Jy6rjGxB8zjb7Eevwsjdn2Uzo1ui9DeH6MvT0V8eOYI1aC7143ymBUfhLU3TRA5cPMj/s728-e1000/router-hacking.jpg" width="700" height=""></img>

#
As many as 29 different router models from DrayTek have been identified as affected by a new critical, unauthenticated remote code execution vulnerability that, if successfully exploited, could lead to full compromise of the devices and unauthorized access to the broader network.

"The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing," Trellix researcher Philippe Laulheret [said](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html). "A one-click attack can also be performed from within the LAN in the default device configuration."

Filed under CVE-2022-32548, the vulnerability has received the maximum severity rating of 10.0 on the CVSS scoring system, owing to its ability to completely allow an adversary to seize control of the routers.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg/s1600/strike-728.png" width="880" height=""></img>

#
At its core, the shortcoming is the result of a buffer overflow flaw in the web management interface ("/cgi-bin/wlogin.cgi"), which can be weaponized by a malicious actor by supplying specially crafted input.

"The consequence of this attack is a takeover of the so-called 'DrayOS' that implements the router functionalities," Laulheret said. "On devices that have an underlying Linux operating system (such as the Vigor 3910) it is then possible to pivot to the underlying operating system and establish a reliable foothold on the device and local network."

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjctP1q-MhBetQ4Om4aKP_SiAU3WbqDyrqtZsCxTNGNrK8Shm3MIPTYvjXVCqYWM8nbYBkV2yJZZXzC9a7DzQySCp-68Hrsm3wBGH2qhFoNiTF49GtUoBZk-b-2RCbx3DMa5B1FykCq_245OX8-RZAgVI6toqS0m_ouytRucam2POzNNqPOigwVLHEO/s728-e1000/shodan.jpg" width="700" height=""></img>

#
Over 200,000 devices from the Taiwanese manufacturer are said to have the vulnerable service currently exposed on the internet and would require no user interaction to be exploited. Many of the remaining 500,000 devices, even when not exposed externally, are susceptible to one-click attacks.

The breach of a network appliance such as Vigor 3910 could not only leave a network open to malicious actions such as credential and intellectual property theft, botnet activity, or a ransomware attack, but also cause a denial-of-service (DoS) condition.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEglTybVbyQ3y6xCIxW9BIpqhgWBf_IhNgCo44HrgwUeYVi_GwvasznH93LLdkqJLwdp4DUkFkILg6m3WDgkue7MFxmbzFxmTBe7-pukEjyvUZ3j9yGyBcL2yUAZVFSQkjSric7YYfU8WgwHwYsS2-3wZ1zLQDAqgkoEpk5kZsbUuyh0UlV8nq7PplYEgQ/s1600/banners-crowdsec-728.png" width="880" height=""></img>

#
The disclosure comes a little over a month after it emerged that routers from ASUS, Cisco, DrayTek, and NETGEAR are under assault from a new malware called [ZuoRAT](https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html)  targeting North American and European networks.

While there are no signs of exploitation of the vulnerability in the wild so far, it's recommended to apply the [firmware patches](https://www.draytek.com/support/latest-firmwares/)  as soon as possible to secure against potential threats.

"Edge devices, such as the Vigor 3910 router, live on the boundary between internal and external networks," Laulheret noted. "As such they are a prime target for cybercriminals and threat actors alike. Remotely breaching edge devices can lead to a full compromise of the businesses' internal network."

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://thehackernews.com/2022/08/critical-rce-bug-could-let-hackers.html
</span>
 </div>

Critical RCE Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers

<p div align="center">
<img src="https://www.bleepstatic.com/content/hl-images/2022/08/04/draytek-router-header.jpg" width="700" height=""></img>

#
Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers.

The vulnerability is tracked as CVE-2022-32548 and carries a maximum CVSS v3 severity score of 10.0, categorizing it as critical.

The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.

Hackers who exploit this vulnerability could potentially perform the following actions:

- complete device takeover,
- information access,
- laying the ground for stealthy man-in-the-middle attacks,
- changing DNS settings,
- using the routers as DDoS or cryptominer bots,
- or pivoting to devices connected to the breached network.

# **Widespread impact**

DrayTek Vigor devices became very popular during the pandemic by riding the "work from home" wave. They are excellent cost-efficient products for VPN access to small and medium-sized business networks.

A Shodan search returned over 700,000 online devices, most located in the UK, Vietnam, Netherlands, and Australia.

[Trellix](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html) decided to evaluate the security of one of DrayTek's flagship models due to its popularity and found that the web management interface suffers from a buffer overflow issue on the login page.

Using a specially crafted pair of credentials as base64 encoded strings in the login fields, one can trigger the flaw and take control of the device's OS.

#
<iframe width="834" height="469" src="https://www.youtube.com/embed/9ZVaj8ETCU8" title="Exploitation of a DrayTek Vigor 3910 (CVE-2022-32548)" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

#
The researchers found at least 200,000 of the detected routers to expose the vulnerable service on the internet and hence are readily exploitable without user interaction or any other special prerequisites.

Of the remaining 500,000, many are also believed to be exploitable using one-click attacks, but only via LAN, so the attack surface is smaller.

The vulnerable models are the following:

- Vigor3910
- Vigor1000B
- Vigor2962 Series
- Vigor2927 Series
- Vigor2927 LTE Series
- Vigor2915 Series
- Vigor2952 / 2952P
- Vigor3220 Series
- Vigor2926 Series
- Vigor2926 LTE Series
- Vigor2862 Series
- Vigor2862 LTE Series
- Vigor2620 LTE Series
- VigorLTE 200n
- Vigor2133 Series
- Vigor2762 Series
-Vigor167
- Vigor130
- VigorNIC 132
- Vigor165
- Vigor166
- Vigor2135 Series
- Vigor2765 Series
- Vigor2766 Series
- Vigor2832
- Vigor2865 Series
- Vigor2865 LTE Series
- Vigor2866 Series
- Vigor2866 LTE Series

DreyTek quickly released security updates for all models mentioned above, so navigate to the [vendor's firmware update center](https://www.draytek.com/support/latest-firmwares/) and locate the latest version for your model.

For information on performing the firmware update on your router, [check out this guide](https://draytek.co.uk/support/guides/kb-firmwareupgrade-webui) by DreyTek.

There have been no signs of CVE-2022-32548, but as [CISA reported recently](https://www.cisa.gov/uscert/ncas/alerts/aa22-158a), SOHO routers are always in the crosshair of state-sponsored APTs from China and elsewhere.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.bleepingcomputer.com/news/security/critical-rce-vulnerability-impacts-29-models-of-draytek-routers/
</span>
 </div>

Critical RCE vulnerability impacts 29 models of DrayTek routers

<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjun5eobsVZAz8kf9PH1Mlu6L4W0zIWsFkoLCfVFb29BqcMumYoF_hofLnOnaB2EwK5zg7hnR7TIGCLFwpE1uASy16eYkYPuoG-BBPennLlXRcPueiAsNAgAV0fPTA9-dDmVJ0don0t593eGP_Rn4u5SQmrnvzvtijnQziuInpSSWSMmU0XmLHL3rCR/s728-e100/cisco.jpeg" width="700" height=""></img>

#
Cisco on Wednesday rolled out patches to address  [eight security vulnerabilities](https://tools.cisco.com/security/center/publicationListing.x), three of which could be weaponized by an unauthenticated attacker to gain remote code execution (RCE) or cause a denial-of-service (DoS) condition on affected devices.

The most critical of the flaws impact Cisco Small Business RV160, RV260, RV340, and RV345 Series routers. Tracked as CVE-2022-20842 (CVSS score: 9.8), the weakness stems from an insufficient validation of user-supplied input to the web-based management interface of the appliances.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg/s1600/strike-728.png" width="880" height=""></img>

#
"An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device," Cisco [said](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR) in an advisory. "A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition."

A second shortcoming relates to a command injection vulnerability residing in the routers' web filter database update feature (CVE-2022-20827, CVSS score: 9.0), which could be exploited by an adversary to inject and execute arbitrary commands on the underlying operating system with root privileges.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjjGgW-S5pmDYrMQYMRl6RA5nsOg1xp9oWyhbZq9r3gYyijov2WP78FUDE0uknn9Sf5GpeNUkhHnPvn0F6Q-ohnxnZ6Y8Eb6zqWd6TkUhp8iqIVYwWHnlgsMLBcCYCQ27gqZPIrwgLHZ5lT36PTOnVP55ykxMYjhANDkbOGjjvcbGzo3PCre2OugY7j/s728-e1000/ROUTERS.jpg" width="700" height=""></img>

#
Cisco Business Routers
The third router-related flaw to be resolved (CVE-2022-20841, CVSS score: 8.0) is also a command injection bug in the [Open Plug-n-Play](https://developer.cisco.com/site/open-plug-n-play/discover/overview/) (PnP) module that could be abused by sending a malicious input to achieve code execution on the targeted Linux host.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEglTybVbyQ3y6xCIxW9BIpqhgWBf_IhNgCo44HrgwUeYVi_GwvasznH93LLdkqJLwdp4DUkFkILg6m3WDgkue7MFxmbzFxmTBe7-pukEjyvUZ3j9yGyBcL2yUAZVFSQkjSric7YYfU8WgwHwYsS2-3wZ1zLQDAqgkoEpk5kZsbUuyh0UlV8nq7PplYEgQ/s1600/banners-crowdsec-728.png" width="880" height=""></img>

#
"To exploit this vulnerability, an attacker must leverage a man-in-the-middle position or have an established foothold on a specific network device that is connected to the affected router," the networking equipment maker noted.

Also patched by Cisco are five medium security flaws affecting Webex Meetings, Identity Services Engine, Unified Communications Manager, and BroadWorks Application Delivery Platform.

The company offered no workarounds to remediate the issues, adding there is no evidence of these vulnerabilities being exploited in the wild. That said, customers are recommended to move quickly to apply the updates.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://thehackernews.com/2022/08/cisco-business-routers-found-vulnerable.html
</span>
 </div>

Cisco Business Routers Found Vulnerable to Critical Remote Hacking Flaws

<p div align="center">
<img src="https://www.bleepstatic.com/content/hl-images/2022/08/03/Cisco_headpic.jpg" width="700" height=""></img>

#
Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.

The two security flaws tracked as CVE-2022-20842 and CVE-2022-20827 were found in the web-based management interfaces and the web filter database update feature, and are both caused by insufficient input validation.

Successful exploitation of CVE-2022-20842 with crafted HTTP input could allow attackers "to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition," the company [explains](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-mult-vuln-CbVp4SUR).

CVE-2022-20827 exploits by submitting crafted input to the web filter database update feature can let threat actors "execute commands on the underlying operating system with root privileges."

The complete list of routers affected by these bugs includes Small Business RV160, RV260, RV340, and RV345 series VPN routers (CVE-2022-20842 only impacts the last two).

#
<style>
table {
margin:auto;
width: 100%;
}
</style>

| Affected by CVE-2022-20827	| Affected Releases	| First Fixed Release | 
|---|---|---|
| RV160 and RV260 Series Routers |	Earlier than 1.0.01.05	| Not vulnerable |
| RV160 and RV260 Series Routers	| 1.0.01.05	| 1.0.01.09 |
| RV340 and RV345 Series Routers	| Earlier than 1.0.03.26 |	Not vulnerable | 
| RV340 and RV345 Series Routers	| 1.0.03.26	| 1.0.03.28 |

| Affected by CVE-2022-20842	| Affected Releases	| First Fixed Release |
|---|---|---|
| RV340 and RV345 Series Routers	| 1.0.03.26 and earlier |	1.0.03.28 |

#
Both flaws are exploitable remotely without requiring authentication in attacks that don't require user interaction.

Cisco has released software updates to address both vulnerabilities and says there are no workarounds to remove the attack vectors.

# **No in-the-wild exploitation**

These security vulnerabilities were found by security researchers with the IoT Inspector Research Lab, the Chaitin Security Research Lab, and the CLP-team.

The company's Product Security Incident Response Team (PSIRT) said Cisco is unaware of active exploitation or publicly available exploits in the wild.

Today, Cisco has also patched a third, high severity bug (CVE-2022-20841) in the Open Plug and Play (PnP) module of RV160, RV260, RV340, and RV345 series routers.

If unpatched, this flaw can let attackers execute arbitrary commands on the underlying Linux operating system by sending malicious input to unpatched devices.

However, it also requires the threat actor to "leverage a man-in-the-middle position or have an established foothold on a specific network device that is connected to the affected router."

Last month, Cisco [addressed another set of severe security bugs](https://www.bleepingcomputer.com/news/security/cisco-fixes-bug-that-lets-attackers-execute-commands-as-root/) in the Cisco Nexus Dashboard data center management solution that let unauthenticated attackers execute commands and perform actions remotely with root or Administrator privileges.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/
</span>
 </div>


Cisco fixes critical remote code execution bug in VPN routers

<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjisjVm-TxNnQtpDK-EVc0bIVMuKhAHT0-lOzbyk8AzTGI2X3ClLDiis3YW_xug8FVltCcZNyJgcmcwY7O0A8EtNUVe_1Va84wQkKI9dovY_-iCoW-ze4rBWkrNW7cdRr97AjjBxb9mDTOc83x9fcrnFUo8jjZqlevps0ZU4-zwGR1SOHP6sCohVYz2/s728-e100/hack.jpg" width="700" height=""></img>

#
Details have been shared about a security vulnerability in Dahua's Open Network Video Interface Forum ([ONVIF](https://www.onvif.org/about/mission/)) standard implementation, which, when exploited, can lead to seizing control of IP cameras.

Tracked as CVE-2022-30563 (CVSS score: 7.4), the "vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera," Nozomi Networks [said](https://www.nozominetworks.com/blog/vulnerability-in-dahua-s-onvif-implementation-threatens-ip-camera-security/) in a Thursday report.

The issue, which was [addressed](https://www.dahuasecurity.com/support/cybersecurity/details/1017) in a patch released on June 28, 2022, [impacts](https://www.cisa.gov/uscert/ics/advisories/icsa-22-193-01) the following products -

- Dahua ASI7XXX: Versions prior to v1.000.0000009.0.R.220620
- Dahua IPC-HDBW2XXX: Versions prior to v2.820.0000000.48.R.220614
- Dahua IPC-HX2XXX: Versions prior to v2.820.0000000.48.R.220614

ONVIF governs the development and use of an open standard for how IP-based physical security products such as video surveillance cameras and access control systems can communicate with one another in a vendor-agnostic manner.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg/s1600/strike-728.png" width="880" height=""></img>

#
The bug identified by Nozomi Networks resides in what's called the "[WS-UsernameToken](https://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-UsernameTokenProfile-v1.1.1-os.html)" authentication mechanism implemented in certain IP cameras developed by Chinese firm Dahua, allowing attackers to compromise the cameras by replaying the credentials.

In other words, successful exploitation of the flaw could permit an adversary to covertly add a malicious administrator account and exploit it to obtain unrestricted access to an affected device with the highest privileges, including watching live camera feeds.

All a threat actor needs to mount this attack is to be able to capture one unencrypted ONVIF request authenticated with the WS-UsernameToken schema, which is then used to send a forged request with the same authentication data to trick the device into creating the admin account.

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhlS6G-QRZegDQhQvKYNUkGxN7asLeD2BmW3X0dVYiVBsQp4SH3_WFXkgjxkNwRbU9XATQtgyN5-t0fJA6iQAFoULAmlRKWeX5jU-jGjLwJYeE2yPaym8CdaGUlM0kxSev3DoK-L6dmgF9osrvVjiVhJ71Vuxp4dWlK0Rmf5jc1NiBEY8FbggYvNXs-/s728-e1000/admin.jpg" width="700" height=""></img>

#
This disclosure follows the discovery of similar flaws in [Reolink](https://www.nozominetworks.com/blog/new-reolink-p2p-vulnerabilities-show-iot-security-camera-risks/), [ThroughTek](https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html), [Annke](https://www.nozominetworks.com/blog/new-annke-vulnerability-shows-risks-of-iot-security-camera-systems/), and [Axis](https://www.nozominetworks.com/blog/new-axis-os-security-research-aided-by-transparent-design/) devices, underscoring the potential risks posed by IoT security camera systems given their deployment in critical infrastructure facilities.

"Threat actors, nation-state threat groups in particular, could be interested in hacking IP cameras to help gather intel on the equipment or production processes of the target company," the researchers said.

"This information could aid in reconnaissance conducted prior to launching a cyberattack. With more knowledge of the target environment, threat actors could craft custom attacks that can physically disrupt production processes in critical infrastructure."

#
<p div align="center">
<img src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEglTybVbyQ3y6xCIxW9BIpqhgWBf_IhNgCo44HrgwUeYVi_GwvasznH93LLdkqJLwdp4DUkFkILg6m3WDgkue7MFxmbzFxmTBe7-pukEjyvUZ3j9yGyBcL2yUAZVFSQkjSric7YYfU8WgwHwYsS2-3wZ1zLQDAqgkoEpk5kZsbUuyh0UlV8nq7PplYEgQ/s1600/banners-crowdsec-728.png" width="880" height=""></img>

#
In a related development, researchers from NCC Group [documented](https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/) 11 vulnerabilities impacting Nuki smart lock products that could be weaponized to gain arbitrary code execution and open doors or cause a denial-of-service (DoS) condition.

Also notable is an industrial control system (ICS) advisory [issued](https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-04) by the U.S. Cybersecurity and Infrastructure Security Agency this week, warning of two serious security flaws in [MOXA NPort 5110 servers](https://www.moxa.com/en/products/industrial-edge-connectivity/serial-device-servers/general-device-servers/nport-5100-series) running [firmware version 2.10](https://www.moxa.com/en/support/product-support/security-advisory/nport5110-series-vulnerabilities).

"Successful exploitation of these [vulnerabilities](https://www.icsrange.com/blog/two-moxa-zerodays) could allow an attacker to change memory values and/or cause the device to become unresponsive," the agency said.

#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://thehackernews.com/2022/07/dahua-ip-camera-vulnerability-could-let.html</span>
 </div>


Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices

<p div align="center">
<img src="https://www.bleepstatic.com/content/hl-images/2022/04/27/QNAP_headpic.jpg" width="700" height=""></img>

#
Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware.

The company is urging users to update their NAS devices to the latest firmware version and ensure they're not exposed to remote access over the Internet.

"QNAP recently detected a new DeadBolt ransomware campaign. According to victim reports so far, the campaign appears to target QNAP NAS devices running QTS 4.x," QNAP said today.

"We are thoroughly investigating the case and will provide further information as soon as possible."

This warning follows multiple three other alerts the company has issued since the beginning of 2022 [[1](https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-targeting-internet-exposed-nas-devices/), [2](https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/), [3](https://www.bleepingcomputer.com/news/security/qnap-alerts-nas-customers-of-new-deadbolt-ransomware-attacks/)], all advising users to keep their devices up to date and not expose them to Internet access.

# **Customers asked to update their devices**

The company "strongly" recommends that all users [immediately update the QTS or QuTS hero operating systems](https://www.qnap.com/en/security-advisory/QSA-22-19#:~:text=Support%20for%20assistance.-,Updating%20QTS%20or%20QuTS%20hero,-Log%20on%20to) on their NAS devices to the latest version.

As QNAP said, upgrading the firmware on a compromised device will allow the built-in Malware Remover app to automatically quarantine the DeadBolt ransom note known to hijack the login page.

QNAP also advises those who cannot locate the ransom note after upgrading the firmware to enter the DeadBolt decryption key to reach out to [QNAP Support](https://service.qnap.com/) for assistance.

However, before contacting QNAP's customer service, you should first try restoring the DeadBolt page using the steps detailed on [this support page](https://www.qnap.com/en/how-to/faq/article/how-do-i-restore-deadbolt-page-for-decrypting-the-files-if-i-have-the-correct-password).

Because QNAP devices are also being targeted with other ransomware strains, including [Qlocker](https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/) and [eCh0raix](https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/), all owners should keep their devices up to date to secure their data from future attacks.

# **DeadBolt ransomware**

As seen during [previous attacks](https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/) targeting QNAP NAS devices [in late January](https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/) and hitting thousands of victims, DeadBolt ransomware hijacks the device's login page to display a screen stating, "WARNING: Your files have been locked by DeadBolt."

Once launched on a compromised NAS device, DeadBolt uses AES128 to encrypt files, appending a .deadbolt extension to their names.

It also replaces the /home/httpd/index.html file so that victims will see the ransom note when accessing the encrypted device.

After the victims pay a 0.03 bitcoins ransom, the threat actors create a bitcoin transaction to the same bitcoin address containing the decryption key under the OP_RETURN output.
#
<p div align="center">
<img src="https://www.bleepstatic.com/images/news/u/1109292/2022/DeadBolt%20ransom%20note%20and%20instructions.jpg" width="700" height=""></img>

*<font color=gray><p align="right">DeadBolt ransom note (BleepingComputer)</p></font>*

#
Ransomware expert Michael Gillespie has created [a free Windows decryptor](http://www.emsisoft.com/ransomware-decryption-tools/deadbolt) that can help decrypt files without using the executable provided by DeadBolt.

However, QNAP owners hit by this ransomware will still need to pay the ransom to get a valid decryption key to recover their data.

DeadBolt ransomware has also hit [ASUSTOR NAS devices](https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/) in February, allegedly using a zero-day vulnerability.
#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.bleepingcomputer.com/news/security/qnap-thoroughly-investigating-new-deadbolt-ransomware-attacks/
</span>
 </div>

QNAP 'thoroughly investigating' new DeadBolt ransomware attacks

<p div align="center">
<img src="https://www.bleepstatic.com/content/hl-images/2022/03/31/Malware.jpg?rand=69093496" width="700" height=""></img>

Threat analysts have spotted a new variant of the BotenaGo botnet malware, and it’s the stealthiest seen so far, running undetected by any anti-virus engine.

BotenaGo is a relatively new malware written in Golang, Google’s open-source programming language.

The source code for the botnet has been publicly available for about half a year, since it was leaked in October 2021.

Since then, several variants have popped up, while the original [continued to be active](https://www.bleepingcomputer.com/news/security/botenago-botnet-targets-millions-of-iot-devices-with-33-exploits/) and adding exploits for targeting a pool of millions of IoT devices.

Researchers at [Nozomi Networks Labs](https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/) have recently discovered a new variant of BotenaGo that appears to have derived from the leaked source code.

The sample they analyzed targets Lilin security camera DVR devices, which prompted the researchers to name it the “Lillin scanner”.

# **A stealthy new version** 

The most notable characteristic of the Lillin BotenaGo variant is that it goes undetected by antivirus engines on the VirusTotal scanning platform.
# 
<p div align="center">
<img src="https://www.bleepstatic.com/images/news/u/1220909/Security/vt-detection.png" width="700" height=""></img>

*<font color=gray><p align="right">Lillin scanner variant completely evading detection(Nozomi)</p></font>*
# 
One of the reasons for this is that its authors have removed all of the exploits present in the original BotenaGo and focus only on targeting Lilin DVRs using a two-year-old critical remote code execution flaw.

Notably, this exploit is the same that the [Fodcha malware](https://www.bleepingcomputer.com/news/security/new-fodcha-ddos-botnet-targets-over-100-victims-every-day/) uses, another newly discovered botnet for launching distributed denial-of-service (DDoS) attacks that recorded an impressive growth.

As such, it appears that there is a substantial number of unpatched Lilin DVR devices out there to [make sense](https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/) for new botnet malware authors to target it exclusively.

# **Gateway to Mirai** 

Another difference between the Lillin scanner and the original BotenaGo is that the former relies on an external mass-scanning tool to form IP address lists of exploitable devices.

Next, the malware uses the function to infect all valid and accessible IP addresses via cleartext strings and then relieson a hardcoded list with11 credentials that are typically set up on poorly protected endpoints.

The Lilin-specific “root/icatch99” and “report/8Jg0SR8K50” are also included in this list. If there’s a match, the threat actors can execute arbitrary code remotely on the target.
# 
<p div align="center">
<img src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/authentication-attempt.png" width="700" height=""></img>

*<font color=gray><p align="right">An authentication attempt (Nozomi)</p></font>*
#
The exploit comes via a POST request with malicious code, submitted to dvr/cmd, aiming to modify the NTP configuration of the camera.

If this is successful, the new configuration will execute a wget command to downloads a file (wget.sh) from 136.144.41[.]169, and then runs it. If unsuccessful, the malware attempts to inject the command into cn/cmd instead.
#
<p div align="center">
<img src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/post.png" width="700" height=""></img>

*<font color=gray><p align="right">POST request with wget command (Nozomi)</p></font>*
#
The wget.sh file downloads Mirai payloads compiled for multiple architectures and executes them on the compromised device.

Some of these payloads were uploaded to VirusTotal as recently and March 2022, indicating that the testing period is fresh.

Nozomi researchers report that Mirai features some IP range exclusions to avoid infecting the U.S. Department of Defense (DoD), the U.S. Postal Service (USPS), General Electric (GE), Hewlett-Packard (HP), and others.
#
<p div align="center">
<img src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/IP-range-exlusions.png" width="700" height=""></img>

*<font color=gray><p align="right">IP range exclusions on the Mirai (Nozomi)</p></font>*
#
Mirai takes over to target a wider list of exploits and devices, so in this campaign, the Lilin DVR exploit serves as a gateway to a larger infection wave.

# **Not a massive threat** 

The Lillin scanner variant doesn’t appear to be a massive threat for IoTs due to its very specific targeting, even if the second-stage Mirai has more powerful potential.

Moreover, it can’t propagate on its own, as the scanning and infection functions are manually operated, so it’s more of a narrow-targeted threat, or perhaps still in experimental stage.

Still, it’s an interesting new botnet project that proves how easy it is for malware authors to build completely stealthy botnets out of known, documented code.

Finally, it’s another example of how less skilled cybercriminals can take advantage of leaked malware source code to set up their own operations.
#
<div style="padding: 10px 16px; background: #F9F9F9; color: #7A7A7A; word-break: break-all; font-weight: 400;">
<span style="margin-right: 5px">Article Address:</span>
<span>https://www.bleepingcomputer.com/news/security/new-stealthy-botenago-malware-variant-targets-dvr-devices</span>
 </div>


New stealthy BotenaGo malware variant targets DVR devices

About Us

公司荣耀

Milestones

 Who We Are

We Are A Professional Team 

Home

Product

Service

News

Support

Knowledge Base

Guides

Submit A Ticket

Engine

Cornerstone Of Core-Level Technology

Multi-Industry Involvement

Lian Security

Reactor Engine

Support ARM, MIPS, PPC Instruction Set 

Pseudo-code in more intuitive and user-friendly way

Built-in optimization of pseudo-code regeneration for embedded / IoT firmware

Optimized Disassemble and Decompiler for Embedded / IoT Reverse Engineering

Pattern is organized in CWE form 

Bug finding process happen in embedded customized Intermediate Representation (IR)

BinQL – Our proprietary bug query language in specifying pattern to accomplish targeted IR analysis

Pattern Specific Bug Finding Approach

Output firmware supply chain information

Multiple firmware supply chain cross validation

Supply Chain Analysis

Create appropriate test case to reach into the code block with respective CWE

Selective approach to focus on the targeted code

Performance optimized for embedded firmware architecture

Integrated Symbolic Execution

System emulated fuzzing

Partial emulated fuzzing

CWE Specific

Pattern Specific Fuzzing Approach

Customized and concatenated pattern

Analyze a mass quantity of firmware without human intervention 

Generate professional report 

Headless Automation

Product Introduction

FAQ and Help

Detect the shell type

Unshell in the cloud

Present the original content

Automated Unshell 

APK File Manager

Restore source code

Best source code reading and editing experience

Static Analysis

One click to start debugging

Debugging apk as debugging source code

Simple, stable and friendly

Debugging

Real-time updated vulnerability repository and risk detection engine

Accurate detection with dataflow tracking technology

Locate the specific row number of vulnerability

Cloud-based scanning

Managed-flash dumping via field bus

Unmanaged-flash dumping with ECC patching

Intuitive user interface 

Firmware Dumping

Enumerate hardware pinouts for debug port

Expandable pinout count for enumeration

Performance optimized to reduce the enumeration time

Debug Port Finding

Hybrid approach of debug port enumeration and debugger adaptation

Connection matrix in switching the correct debug port pinouts onto the debugger respectively