Pierluigi Paganini@Security Affairs - 12d
Security vulnerabilities have been discovered in Xerox VersaLink C7025 multifunction printers (MFPs) that could allow attackers to capture authentication credentials. The flaws, discovered by Rapid7 researcher Deral Heiland, enable malicious actors to intercept Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) authentication data through pass-back attacks. The vulnerabilities, tracked as CVE-2024-12510 and CVE-2024-12511, threaten organizations that rely on these devices for printing, scanning, and document management.
Xerox has released firmware updates addressing these issues, urging customers to install patches immediately. Rapid7 recommends additional safeguards: restrict admin access to MFPs, disable unnecessary services like FTP, and implement network segmentation to isolate printers from critical AD infrastructure. The vulnerabilities underscore the risks of treating IoT devices as perimeter appliances rather than core network assets.
References:
- gbhackers.com: Critical security vulnerability in Xerox Versalink C7025 MFPs enables attackers to intercept authentication data through pass-back attacks against LDAP and SMB/FTP services.
- securityaffairs.com: Xerox VersaLink C7025 Multifunction printer flaws may expose Windows Active Directory credentials to attackers
- The Hacker News: Xerox printers have multiple vulnerabilities that could enable attackers to gain access to authentication credentials from LDAP and SMB services, potentially affecting enterprise networks.
- gbhackers.com: Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB
- Talkback Resources: Xerox Versalink Printer Vulnerabilities Enable Lateral Movement [exp] [net]
- www.scworld.com: Authentication credential compromise likely with Xerox VersaLink printer flaws
- securityonline.info: Xerox Versalink Printers Vulnerable to Pass-Back Attacks, Credentials at Risk
- Talkback Resources: New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials [exp] [net]
- securityboulevard.com: Flaws in Xerox VersaLink MFPs Spotlight Printer Security Concerns
- heise online English: Xerox Versalink: Multifunction printers reveal access data. Vulnerabilities have been discovered in Xerox Versalink multifunction printers that could allow attackers to steal access data.
- Security Boulevard: Flaws in Xerox VersaLink MFPs Spotlight Printer Security Concerns
- Talkback Resources: Xerox Versalink Printer Vulnerabilities Enable Lateral Movement
- Talkback Resources: Xerox Printer Vulnerabilities Enable Credential Capture
Bill Toulas@BleepingComputer - 79d
The BADBOX malware campaign has compromised over 30,000 Android devices in Germany, including digital photo frames, media players and possibly smartphones. The malware is pre-installed on the devices, exploiting outdated Android versions. The German Federal Office for Information Security (BSI) has taken action to disrupt the communications between infected devices and command-and-control servers. This campaign highlights the risks associated with insecure supply chains and pre-installed malware on IoT devices, and emphasizes the need for rigorous security checks and device updates to prevent similar incidents.
References:
- BleepingComputer: Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country.
- Cybernews: German authorities blocked 30,000 Android devices with pre-installed malware from connecting to BadBox botnet servers.
- therecord.media: Germany cuts hacker access to 30,000 devices infected with BadBox malware
- www.bleepingcomputer.com: Germany sinkholes BadBox malware pre-loaded on Android devices
- securityaffairs.com: German agency BSI sinkholed a botnet of 30,000 devices infected with BadBox
- CyberInsider: BSI Disrupts “BadBox” Malware Pre-Loaded on 30,000 Devices
- www.bsi.bund.de: BSI (Germany): (German Language) The Federal Office for Information Security (BSI) sinkholed internet traffic originating from Germany and going to the command and control servers of the BADBOX malware group (which originates from China).
- PCMag: In a disturbing find, a government agency in Germany has discovered that as many as 30,000 Android devices in the country contained preinstalled malware.
- www.pcmag.com: 30,000 Android devices found preinstalled with malware in Germany
- socradar.io: BadBox Malware Compromises 30,000 Devices in Germany. The German Federal Office for Information Security (BSI) has taken decisive action to stop the BadBox malware campaign, which affected over 30,000 Android IoT devices.
- The Hacker News: Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country.
- www.cysecurity.news: Germany Warns of Pre-Installed Malware on 30,000 Devices
@cyberscoop.com - 62d
A critical vulnerability, tracked as CVE-2024-12856, has been discovered in Four-Faith routers, specifically models F3x24 and F3x36, that enables remote code execution. The flaw resides in the `/apply.cgi` endpoint, where manipulation of the `adj_time_year` parameter allows attackers to inject commands and gain unauthorized access. The vulnerability is post-authentication, but attackers satisfy that requirement with the routers' default credentials and then open reverse shells back to their own systems. Over 15,000 devices are estimated to be at high risk because of default credential use and internet exposure.
Exploitation of this vulnerability poses a serious threat, potentially leading to malware installation, data theft, and significant network disruption. Observed attack attempts have been linked to a Mirai malware variant, suggesting a targeted campaign. Users of affected Four-Faith routers are urged to take immediate action by updating to the latest firmware and enforcing strong password policies. VulnCheck has also published a Suricata rule that helps identify devices already affected.
References:
- ciso2ciso.com: Threat actors attempt to exploit a flaw in Four-Faith routers – Source: securityaffairs.com
- Cyber Security News: Four-Faith Routers Hacked: Remote Access Vulnerability Exploited
- gbhackers.com: GBHackers article on Four-Faith industrial routers vulnerability exploited in the wild to gain remote access.
- www.bleepingcomputer.com: Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers.
- BleepingComputer: Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers.
- ciso2ciso.com: Critical Flaw Exposes Four-Faith Routers to Remote Exploitation – Source:hackread.com
- cyberscoop.com: Thousands of industrial routers vulnerable to command injection flaw
- cyberpress.org: Four-Faith Routers Hacked: Remote Access Vulnerability Exploited
- Threats | CyberScoop: Thousands of industrial routers vulnerable to command injection flaw
@www.whitehouse.gov - 53d
The White House has officially launched the Cyber Trust Mark program, a new initiative aimed at enhancing the cybersecurity of consumer devices. This labeling scheme, similar to the Energy Star label, will inform consumers that household products, such as smart appliances and home security cameras, meet specific government-vetted cybersecurity standards. The program, developed in coordination with the National Institute of Standards and Technology (NIST) and the Federal Communications Commission (FCC), seeks to give consumers more confidence in the security of the connected devices they bring into their homes. The program aims to address growing concerns about cyber vulnerabilities in the Internet of Things (IoT).
The Cyber Trust Mark program has seen the selection of UL Solutions as the lead administrator and a further ten firms as deputy administrators. Major retailers like Amazon and Best Buy have pledged to assist in educating consumers about the label and where to locate it on devices. The mark itself features a shield symbol and will appear in various colors depending on the product design. Officials anticipate that labeled products will be available on store shelves by 2025, thus encouraging manufacturers to prioritize cybersecurity in their product development and empowering consumers to make more informed purchasing choices.
References:
- malware.news: White House unveils Cyber Trust Mark program for consumer devices
- www.nextgov.com: White House unveils cyber trust mark program for consumer devices
- www.theverge.com: US Cyber Trust Mark launches as the Energy Star of smart home security
- www.whitehouse.gov: White House Launches “U.S. Cyber Trust Mark”, Providing American Consumers an Easy Label to See if Connected Devices are Cybersecure
- www.nbcnews.com: U.S. to roll out 'Cyber Trust Mark' label on secure devices starting this year
- oodaloop.com: FCC Launches ‘Cyber Trust Mark’ for IoT Devices to Certify Security Compliance
- www.bleepingcomputer.com: US govt launches cybersecurity safety label for smart devices
- Patrick C Miller: US government set to launch its Cyber Trust Mark cybersecurity labeling program for internet-connected devices in 2025
- The New Oil: US government set to launch its Cyber Trust Mark labeling program for internet-connected devices in 2025
- techcrunch.com: US government set to launch its Cyber Trust Mark cybersecurity labeling program for internet-connected devices in 2025
- OODAloop: FCC Launches ‘Cyber Trust Mark’ for IoT Devices to Certify Security Compliance