Search This Blog

Showing posts with label Vulnerability and Exploits. Show all posts

Hackers spy on Corporate networks via emails and FTP


Chinese security firm Qihoo 360 reported that since December 2019, a miscreants group has been hacking into DrayTek enterprise routers to record and spy on FTP ( File Transfer Protocol) and email traffic inside the corporate network.


Netlab the network security division of Qihoo published a report saying, they detected two different groups, each one exploiting a zero-day vulnerability in DrayTek Vigor-
  • Attack Group A - using load-balancing routers and 
  • Attack Group B - using VPN gateways. 

Qihoo did warn DrayTek about their zero-day vulnerability but the message was sent to the incorrect receiver and could not reach DrayTek. 

Although the company did learn about the zero-days but only after group B attacks in January and released the patches on February 10. The attacked models are discontinued routers, still, DrayTek released their patches as soon as they could. 

Qihoo reported the attacked models - DrayTek Vigor 2960, 3900, and 300B and said only 10,000 of these (active number) are running the vulnerable firmware version. 

 The Attack Groups

  • Attack Group A -
Amongst the two groups, Attack group A is quite ahead and advanced. 

It exploited a vulnerability in the RSA-encrypted login mechanism of DrayTek routers to insert malicious code in the username login fields through which the hackers could control the router. 

Now, the hackers could have used this access to launch DDos attacks or more but they used it as a spy device to record traffic coming over FTP and emails.

The recorded scripts were then uploaded to a remote server every Monday, Wednesday, and Friday at 00:00.Zdnet reports they recorded the data to access the login credentials of FTP and corporate email accounts. 

  •  Attack Group B -
Qihoo named the second group of hackers as "Attack Group B". The second group used a different zero-day vulnerability, first disclosed by Skull Army blog in a 26 Jan post. The bad actors read it from the blog and began exploiting it in mere two days.

Zdnet reports, "Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the "rtick" process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown".

Google rewards 100,000$ as bug bounty prize!


Google has awarded 100,000 dollars prize to a Dutch researcher Wouter ter Maat for the Google Cloud Platform (GCP), for vulnerabilities found in the Google Cloud Shell.


Wouter ter Maat received 100 thousand dollars, Google's very first annual Cloud Platform bug-bounty prize by finding a clever container escape and search for bugs.

Google also announced, that then it will be increasing the payouts for annual Google Cloud Platform prizes in its Vulnerability Reward Programme (VRP). It will offer prizes to the top six vulnerability reports in GCP products submitted in 2020 with a cash prize of up to 313,337 dollars. The first place would win 313,337 dollars and the sixth place will end up with a thousand dollars. In order to be eligible, the bug hunters will have to submit a public write-up with the word limit of 31,337 words.

 The Bug-

Google Cloud Shell is an interactive shell environment for Google Cloud Platform. It is a Linux with a browser-based front, that allows administrators to use various resources in the Google Cloud Platform.

Ter Maat noticed several issues in the cloud shell, the way it interacts with resources and authentication problems.

 “When the Cloud Shell instance is done starting a terminal window is presented to the user,” ter Maat wrote in his write-up published in December. “Noteworthy is the fact that the gcloud client is already authenticated. If an attacker is able to compromise your Cloud Shell, it can access all your GCP resources.”

The researcher could connect to resources after launching the Cloud Shell, and as very few processes were running he was able to enter a container, escape it and access the full host by examining the file system. “I noticed that there were two Docker UNIX sockets available,” explained ter Maat. “One in ‘/run/docker.sock’, which is the default path for our Docker client running inside the Cloud Shell (Docker inside Docker); the second one in ‘/google/host/var/run/docker.sock.'”

 "This second socket was revealed to be a host-based Docker socket, as indicated by its pathname. Anyone who can communicate with a host-based Docker socket can easily escape the container and gain root access on the host at the same time,” the researcher noted, adding that he could do that by just writing a quick script.

“After running it you will find that all containers inside the pod will automatically reboot. Now all containers run in privileged mode,” said ter Maat.

Researchers say, if malicious actors gain control of privileged containers, the possibilities for abuse are seemingly endless. They can view software and exploit their vulnerabilities, codes can be re-written, coin miners can be executed and effectively hidden and much more.

Government based hacking groups are attacking Microsoft Exchange Servers


Various government-backed hacking groups and APTs are targeting and exploiting a vulnerability in Microsoft Exchange email servers. The vulnerability was patched last month February 2020.


Volexity, a UK cyber security firm was the first to discover these exploitation attempts on Friday. But neither did they share the names of the hacking groups nor did they comment further on the matter. It is rumoured that the hacking groups are "the big players" but nothing has been confirmed yet. The vulnerability is identified as CVE-2020-0688.

Microsoft released fixes for this on Feb 11 and asked system admins to install the fixes as soon as possible to ward of attacks. After the release of the patch, things remained calm only to escalate after two weeks when Zero-Day Initiative reported the bug to Microsoft and published a detailed report on the vulnerability and how it worked. Security researchers used this report to craft proof-of-concept exploits to test their own servers and create detection rules.

And as soon as all this info became public, hackers started playing attention and when all this information was easily available they took advantage of the vulnerability.

"On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers they could target at a later date. First scans of this type were detected by threat intel firm Bad Packets." reports Zdnet.

Volexity said, these scans turned into actual attacks.

APTs - "advanced persistent threats," were the first to exploit this bug to attack. APTs are state sponsored hacking groups. Security Researchers say, this vulnerability could become quite popular among ransomware attackers.

It is not easy to exploit CVE-2020-0688 vulnerability. Only expert hackers can abuse this bug as they need the credentials for an email account on the Exchange server- but it will not stop ransom gangs and APTs as these are well versed in phishing mail campaigns and gain credentials through the same.

Companies and organizations which have had previous phishing and malware attacks, are adviced to update their Exchange email servers with the bug fix as soon as possible.

Windows 10 Users Beware! TrickBots' Prevalence And Conveyance Escalates in Devices



Reports mention that recently attackers were found exploiting the latest version of the “Remote Desktop ActiveX” which was developed for Windows 10.

Sources say that similar to what many others are doing, the exploitation could cause the automatic execution of the “OSTAP” JavaScript downloaded on the ta
rget’s systems.

Per analyses of researchers, the ActiveX is employed to automatically execute a mal macro right after the target enables a document. The majority of the documents contained images to encourage people to enable the content.

Per reports, the catch was that the image contained a hidden ActiveX control below it; the OSTAP downloader was disguised in white text to make it seemingly invisible to eyes and readable for machines.

Trickbot attackers misuse people’s tendencies of not updating their software with the latest updates to protect the systems.

Trickbots happen to be among the most advanced versions of the malware structures. The number is increasing and so is the threat to systems with Windows 10. Not of late, researchers dug out more documents that execute the OSTAP JavaScript downloader.

It was also found out that the groups of tricksters that were exploiting the ActiveX control were not the only ones. Other groups were also into misusing them along with a few others.

According to sources, the victim documents had the following nomenclature-“i<7-9 arbitrary="" digits="">.doc”. Almost every document had in it an image that would convince the enablers to open it. What the opener wouldn’t know is that below the image is a hidden ActiveX control. The OSTAP JavaScript downloader would be disguised as white text which only the machines could read.

Per sources, the analysis of the ActiveX code exposed the use of the “MsRdpClient10NotSafeForScripting” class. The script is crafted in a way that the server field is left empty to cause an error which would aid the attackers further on.

According to researchers, the technique that kicks the ‘macro’ on is, “_OnDisconnected”. This will execute the main function, first. It doesn’t get executed instantly for it takes time to resolve the DNS to an empty string only to return an error.

The OSTAP’s execution would depend on the “error number matches” exactly to “disconnectReasonDNSLookupFailed”. The OSTAP wscript directive is relative to the error number computation.

The execution of the wscript would work with its very content. This trick is quite an old one in the book. Microsoft’s BAT would ignore the ‘comments’, along with the content and everything that comes with the syntax, while the execution’s happening.

Once the JavaScript is edited per the attackers’ needs, the obfuscation scheme gets repeated. Updating systems doesn’t work every time but it’s a pre-requisite anyway.

A defense mechanism is paramount in cases of OSTAP and the likes of it. With the technology that’s prospering with every passing minute, so is the number of attack mechanisms and attackers. Hence keep systems updates and a tight security structure in place.


Reserve Bank of India Experiences a Technical Glitch; NEFT and RTGS Go Down for Half a Day!


Electronic money transfer is something that has changed the way people used to transact. It has offered a way more convenient method that goes along the lines of modernity and the need of recent times.

The most widely used and popular mediums of transferring money between bank accounts in India are NEFT and RTGS. While NEFT has neither minimum nor maximum limits, RTGS is designed for heavier sums of money with 2 lac being the minimum amount and 10 lac being the maximum per day.

Per reports, National Electronic Funds Transfer (NEFT) and Real-Time Gross Settlement (RTGS) were disrupted for more than half a day. The signs of this started to show from Monday midnight.

Sources mention that this happened because of a technical glitch in the systems of the Reserve Bank of India. Nevertheless, NEFT and RTGS have been reinstated after inactivity of 12 hours.

Several reports reveal that the main issue allegedly was grappled by the Indian Financial Technology and Allied Services (IFTAS), which is an RBI affiliated branch when the “disaster recovery site” was being moved from locale A to B.

Sources impart that the NEFT transactions have as of now been brought back. The “end-of-day” RTGS transactions of the previous day are being worked on to get them to reach completion but the “start-of-day” for RTGS hasn’t ensued yet. Still, the restoration of RTGS is expected soon.

The setup for NEFT was established and supported by the Institute for Development and Research in Banking Technology. People will now be able to use this medium for online transferring of funds and money 24x7. Meaning that holidays or weekends would never come in the way of money transfers and funds would be transferred any day and at any time at all.

NEFT and RTGS are the most commonly used routes for online transfer of funds.

The former medium facilitates a provision for limitless one-to-one transfer of money from and to individuals and corporates with an account in any bank branch in the country. The latter, however, has the aforementioned limits and is a continuous and real-time settlements of fund transfers.

Hackers Attack IOTA's Trinity Wallet, Company Shuts Down the Network


The hackers attacked the IOTA's cryptocurrency wallet and stole all the funds. The theft happened by exploiting a vulnerability in the IOTA's networks. Attack took place on 12th February 2020, and the company informed about the incident via its official account on twitter. The tweet said that the IOTA is presently investing an attack on its trinity wallet. IOTA has advised its users not to share or use the Trinity Wallet on their desktop until the case has been solved. According to the news, the IOTA is currently working with cybersecurity experts and law agencies to go to the roots of the problem that has caused the cryptocurrency theft.


The company, on its official website, announced that because of the theft of funds, it has shut down its 'Coordinator' node for a while to protect the users. The Coordinator works as a final checkpoint for safety assurance of the transactions that take place on IOTA's network. According to the company, the decision to shut down the Coordinator node is to protect any further fraudulent transactions that might take place on IOTA's network. IOTA says that the hackers chose to attack the high profile accounts first, and then moved on to smaller accounts, and so on until the transactions were stopped by the coordinator.

“The attack pattern analysis showed that the halt of the coordinator interrupted the attacker’s attempts to liquidate funds on exchanges,” said the IOTA's official website. “The stolen funds have been purposely and repeatedly merged and split to obfuscate the investigation, and with the current token exchange rate as well as exchanges’ KYC limits in mind. We received additional feedback from more exchanges (not all yet), confirming that none of the identified transactions has been received or liquidated.”

As of now, IOTA's network system is still not active, and the company is still investigating the issue. Cybersecurity experts and members of the IOTA say that the hackers found a vulnerability in the Trinity wallet and were thus able to launch the attack. IOTA hasn't announced anything about the amount stolen but the experts believe it to be around $1 Million IOTA coins or more.

120 Million Medical Records Leaked! Global Medical Report Sheds More Light.


Along with cyber-security within your phones and other devices, you must make sure the hospital you go to has enough cyber-protection as well!

The obnoxiousness of cyber-criminals is escalating by the hour. As if stealing data of organizations and loosely selling largely famous tech giants’ data online wasn’t enough, hackers have now thrown on the internet personal medical details of more than 120 million Indian patients, per sources.

With the leakage of these personal medical records, they have also been made available online for cyber-cons to exploit.

In a recent “Global Report” on “Medical Data Leak” it was acutely mentioned that in the enormous number of records that got leaked, the affected patients’ X-rays, MRIs and images of CT scans were the major components.

According to sources, the first such report was published by a German cyber-security firm in October 2019. According to the actions taken by several countries’ governments as a response to the publishing of the first report, the succeeding report segregated countries into the categories of “good”, “bad” and “ugly”.

It may or may not come as a shock to many, but India was a “proud winner” of the second position in the “Ugly” category right after the United States of America.


As stated by the succeeding report, the state of Maharashtra is positioned right at the top if we consider the number of “data troves” (308, 451 troves) that are available online providing access to more than 69 million images.

Per sources, the second position is Karnataka with 182, 865 data troves providing access to more than 13 million images!

Researchers found out that the number of data troves that are available online has risen exponentially especially speaking in terms of India.

What exactly induced the leakage isn’t as widely known as all that but the first report clearly insinuated that the leak was in a way prompted by the servers of the “Picture Archiving and Communications Systems (PACS)” as the leaked information is mostly stored there.

The problem possibly was that the servers aren’t as secure as they should be and are connected to the public internet network which makes them easily susceptible.

This leakage is really disconcerting because you can’t simply get hold of who those patients are. They could be ANYONE, ranging from common men to big shots!
Apart from that, these medical records could pose threats like extortion, identity theft, and the list is unending.

Mobile Banking Malware On The Rise, 50% Hike In Attacks! WhatsApp a Dependable Medium?


According to studies, with an increase of 50% malware attacks have known no bounds in the past year. Most common of all happen to be malware that steals users’ financial data and bank funds.

The banking malware is on the rise in India. According to several sources, over 35% of organizations and institutions in India have been affected by such attacks in 2019 alone.

Among the most common types of malware that India often faces, that steal photographs and contact details from the phone, Adware is a big name as it generates ads on your phone to make money for some other party.

Another variant that isn’t all that trendy in India is a malware that kicks off surveillance on the target’s phone, tracks its GPS location and snips their personal data. What’s more, they could even control your microphone and other mobile phone operations.

What makes banking malware scary is its ability to steal data while the target’s on their phone making payments. Unaware of any malicious activity, the user would have let some cyber-con know all their bank credentials.

WhatsApp is becoming an accessory in the procedures of banking malware. Despite the hefty encryption that’s done on the chat app, hackers keep finding creative ways to exploit even the most minute of vulnerabilities.

In a recent zero-vulnerability case, the malware which was on the video-file message got transmitted as it is onto the receiver’s device.

To make sure that you don’t get malware installed on your device via WhatsApp, keep cleaning all the data and do not open any doubtful files and links.

Phishing attacks are among other common tactics of hackers to attack users and their devices. Suspicious emails, if opened could help the hackers kick off malware in the mailbox and then the attack goes in a way that takes the target to a website and asks them to fill in their personal information.

Downloading apps from third-party stores and straight from the internet is a strict no! Do not open any suspicious files and treat each link and file with equal distrust. If you’re not sure who the sender is, do not consider the file at all, be it on text message or on email.

Connecting to unauthorized or unknown Wi-Fi networks could also pose security issues. With the tag of free networks to lure you in, “man-in-the-middle” attacks could easily be launched.

Mobile phone security is as paramount as the security of your house or any other electronic device. There has got to be a set of security measures in place to work if anything goes south.

Can you find a bug in Xbox Live? Microsoft will pay you, if you do!

Think you're an expert at Xbox? Think you can find a bug in Xbox Live? Well, Microsoft might pay you some bucks.

Microsoft has launched an official bug bounty hunt for the Xbox Live network in order to improve the program and services. The bug hunters will be paid up to 20,000 dollars but the payment will depend on the severity of the security issue and the minimum amount will start from 500 dollars.



Microsoft in their bug bounty program is looking for serious security and other vulnerability issues like accessing unauthorized codes and not connection problems. The bounty program covers a wide range of vulnerabilities but with strict restrictions, for example, they will not cover issues such as DDoS issues and URL Redirects and disqualify anyone who tries to phish or social engineer Xbox users and engineers and moves within (laterally inside) Xbox network while searching for bugs.

Usually, security researchers are the ones who gain most from bug bounty programs but Microsoft has announced that anyone can submit bug issues regardless of their background.

 Program manager at the Microsoft Security Response Center (MSRC), Chloé Brown, said in the blog post announcing the bug bounty program, that submissions will need to give proof of concept (POC). “The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”


This is not Microsoft's first bounty program, they have earlier launched similar programs for Microsoft Edge browser, their “Windows Insider” preview builds, Office 365 and many others with rewards up to 15,000 dollars. But their biggest one remains for serious vulnerabilities found in the company's Azure cloud computing service where security researchers can earn up to 300,000 dollars for a super-specific bug.

Pavel Durov again warned about the danger of using WhatsApp


Pavel Durov claims that the hacking of the iPhone of Jeff Bezos, the richest man in the world, occurred due to vulnerabilities in WhatsApp. Facebook which owns the messenger insists that the leak is related to the Apple device itself.

The reason for the leak of personal photos and correspondence of the founder of Amazon and the richest man in the world, Jeff Bezos, is a vulnerability in the encryption system of WhatsApp, not problems with Apple gadgets. Telegram founder Pavel Durov wrote about this in his Telegram channel.

This is how he reacted to an interview with Vice President of Facebook's Global Policy Department Nick Clegg, who said that Bezos confidential data leak was due to the iPhone. "We are confident that end-to-end encryption technology cannot be hacked," he said.

Durov recalled that a few months ago he talked about the vulnerabilities of WhatsApp, which, in his opinion, eventually led to the hacking of Bezos smartphone. At the same time, Facebook then assured that there is no evidence that attackers used this vulnerability. According to the founder of Telegram, the backdoor in WhatsApp allowed access to personal messages and photos of the richest man in the world.

Durov explained that the vulnerability used during the hacking of Bezos phone existed not only on iOS, but also on smartphones with Android and Windows. In addition, it is not available in other messengers.

Durov also accused WhatsApp management of using the phrase "end-to-end encryption" as a "magic spell" that automatically makes correspondence secure. He pointed out that the technology itself does not guarantee complete privacy. For example, WhatsApp developers may intentionally leave vulnerabilities in the app at the request of security forces from different countries. As a result, WhatsApp has no problems with the authorities, and Telegram is banned in some countries like Russia and Iran.

Vulnerability found in Cisco Webex Meeting Suit- Lets unauthorized attackers join private meetings


Cisco Webex Meetings Suite, a platform that offers its customers to organize online meetings and seminars anytime anywhere, has revealed a security vulnerability that allows an unauthorized attacker to enter a password-protected meeting without the password.


The Vulnerability -
The vulnerability allows the attacker to join a meeting if they have the meeting ID or meeting URL from the mobile device browser. Then the browser will launch the meeting on Webex mobile application, and then the unauthenticated user can join the password-protected meeting without the said browser. “The unauthorized attendee will be visible in the attendee list of the meeting as a mobile attendee,” reads the Cisco blog post.

This makes it quite easy to track the unauthorized individual as they will be visible as a mobile attendee. This Cisco Webex vulnerability has received a score of 7.2 out of 10 (can be tracked as CVE-2020-3142). Cisco Product Security Incident Response Team (PSIRT) said that they have not yet faced an attacker exploiting the vulnerability. Versions with the vulnerability - The vulnerability is seen in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online versions earlier than 39.11.5 and 40.1.3. Though Cisco says that the Webex meeting server is unaffected with the vulnerability.

After discovering the vulnerability, Cisco has now released a new version fixing the vulnerability in versions 39.11.5 and later 40.1.3 for Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites. “The fix applies to Cisco Webex Meetings Suite sites and Cisco Webex Meetings sites only. Customers are not required to update the Cisco Webex Meetings mobile application or the Cisco Webex Meetings desktop application.”

Cisco recently fixed 11 more bugs in Cisco Data Center Network Manager when the faults let hackers RCE, SQL Injection, and Authentication Bypass Attacks. Cisco is expected to fix the bug soon. The users are advised to stay careful of any suspicious activity and report to the company immediately if they found any malicious activity on the platform.

Internet Explorer Targeted by North Korean Hackers: How to Stay Safe?



In a recent cybersecurity issue, some hackers from North Korea are attacking Internet Explorer by exploiting a vulnerability, which is said to be a zero-day flaw. The company Microsoft has not yet spoken on the issue and is still silent. 



Users should immediately stop using Internet Explorer for a while to stay safe from the hackers, suggest cybersecurity experts. If the users still prefer to use Microsoft software, they can download the latest Edge Browser by Microsoft. The Edge browser is safe from the attack as well as offers a better user experience while browsing than Internet Explorer. Other secured browsers include Google Chrome and Mozilla Firefox.

But if the users still want to use the traditional software, cybersecurity experts at Tom's Guide suggest downloading a limited time user account that is safe for any software modification.

Microsoft has scheduled to release its next security patch, not until the 11th of February, therefore, its a long wait before the latest update is issued.

Microsoft reveals the Flaw-

In an online advisory published on 17th January, Microsoft explained the vulnerability, saying the flaw allows the hacker to corrupt the memory and perform arbitrary coding. If achieved successfully, the hacker has full access to the system, the same as the genuine user.

"Let us imagine a scenario where the hacker hosts a website on the web, which is specially made to exploit the vulnerability via Internet Explorer, in this case, the hacker can lure the user to visit the website by sending him emails," says Microsoft.

Once the hacker has access to the admin user rights, the user system is hacked and the hacker has command over the system. He can modify the programs, install or delete any existing software or worse, delete important data.

The hackers are likely to be from North Korea-

One should not ignore this vulnerability because it has ties to hackers from North Korea. The attack on Internet Explorer seems to be similar to the one that affected the Mozilla firefox. Researchers at Qihoo 360 discovered the attack and accused Darkhotel, a group of hackers from North Korea, for carrying out this activity.

PayPal Fixes 'High-Severity' Password Security Vulnerability


Researcher Alex Birsan, while examining PayPal's main authentication flow– discovered a critical security flaw that hackers could have exploited to access passwords and email addresses of users. He responsibly reported the vulnerability to PayPal on November 18, 2019, via the HackerOne bug bounty platform and received a bug bounty over $15,000 for the issue which was acknowledged by HackerOne after 18 days of its submission and later patched by the company on 11th December 2019. 

The aforementioned bug affected one of the primary and most visited pages amongst all of PayPal's, which is its 'login form' as mentioned by Birsan in the public disclosure of the flaw. 

As Birsan was exploring the main authentication flaw at PayPal, his attention got directed to a javascript file that seemingly contained a cross-site request forgery (CSRF) token along with a session ID. "providing any kind of session data inside a valid javascript file," the expert told in his blog post, "usually allows it to be retrieved by attackers." 

"In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file." 

While giving their confirmation, PayPal put forth that sensitive, unique tokens were leaked in a JS file employed by the Recaptcha implementation. Sometimes users find themselves in situations where they have to go through a captcha quiz after authentication and according to the inference drawn by PayPal, "the exposed tokens were used in the post request to solve the captcha challenge." The captcha quiz comes into play after multiple failed login attempts, that is normal until you come to terms with the fact that " “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validate captcha is initiated.” Although, in order to successfully obtain the credentials, the hacker would be required to find a way of making targeted users visit an infected website prior to logging into their PayPal account. 

While assuring its users, PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”

Cisco faces criticism after a hacker finds 120+ bugs in its product



A triad of severe vulnerabilities in Cisco DCNM (Data Center Network Manager) stock allows hackers to remotely sidestep the verification and invade into companies’ servers, the reason being a few safety failures that include hard-coded creds.

The 3 vulnerabilities were in the huge 120 vulnerabilities list in the stock discovered by the hacker Steven Seeley, who currently works for Source Incite. It was Steven who informed the company about the issue through a glitch hunt program called Zero Day Initiative, by Trend Micro. 

In an interview with Computer Business Review, he Australian cybersecurity specialist/hacker said that "the group of 3 vulnerabilities are the most dangerous among the 120 vulnerabilities, and if the hackers get a hand of it, they can exploit it using execution as root through remote code. It is as simple as that."

Simon further says that by exploiting these vulnerabilities, the hacker could easily gain access to almost anything like personal information, credentials, and passwords.
"I was rejected by the company Cisco after 8 interviews," said Simon on Twitter.

In response to the situation, Cisco has urged its users to update their systems and software, as to stay safe from the bugs. Earlier this week the company said, "we have repaired the vulnerabilities in and users are requested to immediately update the software."

Unfortunately, the readers of Computer Business Review are well aware that not all the products were built to be the same when it comes to patch management, the issue being that most of the critical bugs are neglected by the company.

In a conversation with Computer Business Review, Simon said that he will release the source codes this coming week. He mentioned that the vulnerabilities were very minor to exploit, but it did consume mind-boggling research to find the bugs in the starting phase. "The research consumed a whole month along with reviewing the code origin and debugging the run-time."

Cisco says the trio of the vulnerabilities is not dependent on each other. A single vulnerability itself is capable of the exploit, let alone the trio. Cisco has released the latest security patch on its website. The users who have still not updated it can install it from the 'download center' on the website.

TP-Link Routers Vulnerable Again; Voids Passwords! Patching Highly Suggested!



A “zero-day vulnerability” was recently discovered in the “TP-Link Archer C5v4 routers” with the firmware version 3.16.0 0.9.1 v600c and of the build 180124 Rel.28919n.

This vulnerability could affect devices both at corporate levels as well as domestic level. The attacker could take control of the routers configuration by way of “telnet on the local area network” and it could connect to the File Transfer Protocol (FTP) via the LAN or WAN (wide area network).

The attackers could gain complete access of all the admin licenses and privileges. Enabling guest wi-fi, and acting an entry point happen to be a few other demerits of the vulnerable router.

Previously as per reports there was a “password overflow issue”. When a string shorter than the estimated length is typed then the estimated length is sent as the password, altering the actual password whereas if too long then the password gets void.

The vulnerability allegedly depends on the type of request that is sent through for requesting access to the device. Either it is safe or is vulnerable. The safe requests for HTML content there are two aspects that need to be taken into account.

One of them being the “TokenID” and the other being “the JSESSIONID”. Per reports the common Gateway Interface though, is only based on the referrer’s HTTP headers if it matches the IP address or the domain related to it then the main service of the routers thinks it to be valid and if the referrer is removed it responds as “Forbidden”.

The automated attacks that were dissipated via the botnet malware, “Mirai” were caused by weak passwords that allowed access to the FTP server and even provided console access.


Reportedly, the function “strncmp” is used to validate the referrer header with the string “tplinkwifi.net”. It apparently also validates for the IP address. This is definitely hence a disconcerting vulnerability which could be easily exploited.

The shorter strings when sent corrupt the password stopping the users from logging in but luckily it would stop the attacker too. FTP, Telnet and other services are mostly affected by this.

A longer string length made it entirely void and the value became empty. This made Telnet and FTP accessible simply by using “admin” as a password which is the default.

The same configuration of FTP is also allowed on the WAN. The router also reportedly happens to be vulnerable to the CGI attack which is pretty injurious to privacy.

So far there isn’t a way to set a new password, but even if there were the next vulnerable LAN/WAN/CGI request would void that password as well. Per reports, another aftermath of this vulnerability is that the RSA encryption key would crash.

This vulnerability is extremely disconcerting when the “Internet of Things” IoT security is considered at large. Millions of businesses and homes could be affected by any exploit or vulnerability these routers disperse.

What could be done right off the bat is, creating stronger passwords, applying two-factor authentication, changing all the default passwords and at last applying mitigating controls to all the devices in use.

Patching is HIGHLY ADVISED. TP-Link has provided patches for the TP-Link Archer C5 v5 and other versions.

"Smart Spies"- Amazon Alexa and Google Home's Voice Assistant Were Vulnerable to a Security Flaw


Alexa and Google Home smart speakers have been vulnerable to a security threat that made eavesdropping, voice phishing and using people's voice cues to deduce passwords possible for hackers. The hack also allowed hackers to befool users in handing out their private data without any knowledge of the same being happening.

In October, security researchers who discovered "Smart Spies" hack and new ways in which Alexa and Google Home smart speakers can be exploited, are now warning about the need to formulate new and effective methods to guard against the eavesdropping hack, reports Threatpost. Notably, no major steps were been taken to ensure protection against these hacks.

SRLabs, a Berlin-based hacking research company, told about the discovery of the vulnerability being made by them earlier this year, they went on reporting it to the concerned organizations, Amazon and Google. Furthermore, in an attempt to demonstrate the exploitation of the flaw, the firm shared a series of videos on Sunday.

As per the reports by CNN Business, Amazon and Google told that the vulnerabilities have been taken care of and likewise the issues have been fixed.

The company "quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified," a spokesperson from Amazon told CNN Business.

Addressing the issue, SRLabs states in a blog post, "Alexa and Google Home are powerful, and often useful, listening devices in private environments. The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood."

Experts recommended users to be more mindful of the potentially malignant voice apps that can infect smart speakers, "Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone."

"To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “�. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely." The blog reads. 

Public Cloud Infrastructures suffering from Security Loopholes and Vulnerabilities, researchers say


Igal Gofman, XM head of security research, and Yaron Shani, XM senior security researcher, in their research, found a new attack vector in cloud providers API ( application programming interface), that gives miscreants a window to access secured cloud data. Public Cloud Infrastructure, has added a new invisible management layer, that complicates the procedure creating security challenges, that requires better understanding. Often organizations fail to understand this management layer and hence lag in securing it, inviting attacks.

Working with public cloud infrastructure without the right understanding of risks and security challenges may lead to fatal consequences with customer risks, as was the case in Capital One breach."Current security practices and controls are not sufficient to mitigate the risk posed by a misunderstanding of the public cloud", said the researchers.

 Findings in the research

Researchers found that public cloud providers' APIs' accessibility over the internet opens a window for adversaries to exploit and gain access to confidential data on the cloud. And current security systems and practices are not equipped to beat the risk posed by misconfiguration of the cloud.

People who are in charge of managing cloud resources can easily gain access to APIs' using software kits and command-line tools as they are part of the development and IT team. "Once those account credentials are compromised, gaining access to high-value resources is trivial," the researchers say. Cloud APIs' can be accessed through the internet, with the correct API key, for example, the Command line interface tool, which saves the user's credentials which can be accessed by the cloud provider.

Attackers don't need a very sophisticated approach to sneak in cloud API, "In practice, the sophistication required to develop such tools is not high, because basically all the information is publicly available and well-documented by most cloud providers, meaning they document each security feature in great detail and it can serve both the defenders and the adversaries," Gofman and Shani say. And once, their credentials are compromised using cloud providers tools, it's easy for the black hats to rob you blind.

In order to protect themselves, organizations and companies should follow the best practice guidelines from the cloud provider. Large organizations should constantly and periodically monitor permissions and risk factors. Analyzing attack paths can decrease the risk factors, suggest the researchers.