
Microsoft has disclosed a series of vulnerabilities in Netgear routers which could lead to data leaks and full system compromise.
On June 30, Jonathan Bar Or, a member of Microsoft’s 365 Defender Research Team, revealed the vulnerabilities, which were patched prior to public disclosure. Bar Or said that the trio of bugs impacted DGN-2200v1 series routers — running firmware prior to v1.0.0.60 — which “opened the gates for attackers to roam untethered through an entire organization.”
Microsoft’s security team discovered the vulnerabilities after noting strange behavior in the router’s management port. While communication was protected with TLS encryption, it was still flagged as an anomaly when machine learning models were applied. Upon further investigation of the router firmware, the security researchers found three HTTPd authentication flaws.
The first allowed the team access to any page on a device — including those that should require authentication, such as router management pages — by appending GET variables in requests within substrings, allowing a full authentication bypass.
The second security flaw permitted side-channel attacks, and this was found in how the router verified users via HTTP headers. If exploited, attackers could extract stored credentials.
Finally, the third vulnerability utilized the prior authentication bypass bug to extract the router’s configuration restore file which was encrypted using a constant key, “NtgrBak,” allowing remote attackers to decrypt and extract stored secrets.
Netgear was made aware of the security issues privately through the Microsoft Security Vulnerability Research (MSVR) program. The firmware vulnerabilities have been patched by Netgear, which issued a security advisory in December detailing the security flaws. The bugs have been assigned as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365 and have been issued CVSS severity scores of between 7.1 and 9.4, rating them critical.
Netgear recommends that customers install the latest firmware available for their routers by visiting Netgear Support, typing their model number into the search box, and downloading the newest firmware version. Alternatively, updates can be accessed via Netgear apps.
“The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating system layer,” Microsoft says. “As these types of attacks become more common, users must look to secure even the single-purpose software that run their hardware — like routers.”

Software AG, one of the largest software companies in the world, suffered a ransomware attack over the last weekend, and the company has not yet fully recovered from the incident.
A ransomware gang going by the name of “Clop” breached the company’s internal network on Saturday, October 3, encrypted files, and asked for more than $20 million to provide the decryption key.
Earlier today, after negotiations failed, the Clop gang published screenshots of the company’s data on a website the hackers operate on the dark web (a so-called leak site).
The screenshots show employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.
Software AG disclosed the incident on Monday when it revealed it was facing disruptions on its internal network “due to [a] malware attack.”
The company said that services to customers, including its cloud-based services, remained unaffected and that it was not aware “of any customer information being accessed by the malware attack.” This statement was recanted in a press release two days later, when Software AG admitted to finding evidence of data theft.
The message about the attack remained on its official website homepage all week, including today.
Software AG did not return phone calls today for additional details or comments about the incident.
A copy of the ransomware binary used against Software AG was discovered earlier this week by security researcher MalwareHunterTeam. The $20+ million ransom demand is one of the largest ransom demands ever requested in a ransomware attack.
The ID provided in this ransom note allows security researchers to view the online chats between the Clop gang and Software AG on a web portal managed by the ransomware group. At the time of writing, there is no evidence the German company paid the ransom demand.
Software AG is Germany’s second-largest company with more than 10,000 enterprise customers across 70 countries. Some of the company’s most recognizable customers include Fujitsu, Telefonica, Vodafone, DHL, and Airbus.
Its product line includes business infrastructure software such as database systems, enterprise service bus (ESB) frameworks, software architecture (SOA), and business process management systems (BPMS).

Shares of cloud-based security provider FireEye shot up almost 10% in late trading Thursday evening after the company announced that private equity firm Blackstone Group is making a $400 million investment in the company and taking a board seat.
FireEye announced in a separate press release that it will buy four-year-old security startup Respond Software of Mountain View, Calif., for $186 million in cash and stock.
New York-based Blackstone, one of the most powerful private equity firms in the world, with a market cap of $67 billion or so, is teaming up with venture capital firm ClearSky Power & Technology Partners, based in Juno Beach, Florida, to buy $400 million worth of convertible stock in FireEye.
The duo will purchase “shares of a newly designated 4.5% Series A Convertible Preferred Stock of FireEye,” said FireEye, “with a purchase price of $1,000 per share.”
The Series A Preferred will be convertible into shares of FireEye’s common stock at a conversion price of $18.00 per share, the company said.
A senior managing director at Blackstone, Viral Patel, will take a seat on FireEye’s board, the company said.
Said Patel, “Blackstone and FireEye have a shared vision of the unique role FireEye can play in addressing the increasingly sophisticated cyber security challenges their customers face.” “We are excited to partner with the company’s board and management to accelerate execution on their vision.”
Also: FireEye Q3 results beat expectations, raises year view, shares jump 6%
Proceeds of the convertible offering will be put toward the purchase of Respond, the company said, as well as “increased investment to accelerate the growth of the company’s cloud, platform and managed services portfolio,” it said.
Respond makes software in the class known as “eXtended Detection and Response,” or XDR.
As FireEye describes it, the software “accelerates cyber investigation and response by automating the correlation of multi-sourced attack evidence using cloud-based data science models that ingest data from a comprehensive set of security technologies.”
FireEye said the “will become a key part of the Mandiant Advantage platform, bringing vendor-agnostic XDR and investigation capabilities that integrates with any customer environment.”
Tonight’s announcement follows an upbeat earnings report by FireEye three weeks ago, in which the company beat Wall Street’s quarterly revenue and profit expectations, and raised its year forecast above expectations as well.
FireEye management is hosting a conference call with analysts this evening at 5 pm to discuss the deal, and you can catch it on the company’s investor relations Web site.
Shares of Mandiant are up almost 10% in late trading at $15.65.

Vulnerabilities in the GPRS Tunnelling Protocol (GTP) will continue to impact mobile operators even as they migrate to 5G infrastructure. In reports published last week and in December 2019, cyber-security firms Positive Technologies and A10 Networks detailed a series of vulnerabilities in this legacy mobile protocol. These include: Disclosure of subscriber […]




