The layman guide to concepts that keep your online account secure – Part 1

In the past two decades, we have seen dramatic growth in what the internet can offer us: social media, on-demand video streaming, video conferencing and online shopping. All of these developments have enabled us to connect and communicate with anyone across the world, access content such as movies and TV series, and buy and ship anything we need or want across the world.

For us to access any of these online services, we need to create an account with the service provider. As part of account creation, we need to specify a username or email address and a password. Either during or after account creation, we might be asked to set up either 2-factor authentication (2FA) or multi-factor authentication (MFA), with the objective of keeping our online accounts more secure and resilient to malicious activities such as hacking.

But, have you ever wondered why you should be setting up or enabling 2FA or MFA?

In this multi-part series, we will explore the various concepts and the reasons behind them, using simple analogies to help you understand what is going on.

First up, let’s have a look at the most basic form of security: the use of username and password.

Securing your account using only a username and password

The use of a username and password is one of the most basic security tools we have to keep an account secure. It is a way for us to verify that someone is who they say they are.

Now, let us imagine that the accounts we create are apartment units and the online sites we use them on are apartment buildings. We do not need to care about where the apartment buildings are in the world, since we don’t really care where a website is hosted.

In order to keep the apartments secure and allow only the rightful tenants to enter, the building management hires multiple security guards to stand by the main entrance of each apartment. The security guard is like the login form we use to log in to any website. There is no security guard for the apartment building itself, just as anyone can access any website.

Whenever the tenant wants to enter their apartment, they provide some form of identification to the security guard. In this case, the tenant’s face is the equivalent of the username, and the password is the secret message that only the tenant and the security guard know. Not even the building management knows it.

Once the security guard has seen the tenant’s face and the tenant has whispered the secret message into the guard’s ear, the guard opens the door and lets the tenant in. If someone else tries to access the tenant’s apartment, the security guard won’t let the stranger in unless they look like the actual tenant and know the secret message.

The only advantage of implementing security like this is convenience.

However, this is not very secure.

Let’s say a stranger manages to 3D print a mask that looks exactly like the target tenant. They put the mask on and walk up to the security guard. Now, all the security guard needs before opening the door is the secret message.

This analogy is akin to what happens during a data breach. Whoever hacks the site and gains access to the database now has a partial idea of who we are. This means they could easily masquerade as any user to gain access to the account.

Making matters worse, many sites tend to implement some sort of password limitation, such as:

  1. An arbitrary maximum password length
  2. Restricted symbol or character use

Such limitations are akin to the security guard standing outside your apartment saying they can only remember a secret message of a certain length, or lacking the vocabulary to understand you.

It is not difficult to imagine what will happen.

Let’s say the security guard only knows basic English and the tenant decides to choose “apple” as the secret message. That means anyone else well-versed in English, or carrying a dictionary, will be able to trick the security guard into letting them in by wearing a lifelike 3D mask and going through every English word they can think of. This is akin to a dictionary attack.

What if the security guard were highly educated and had an extremely good memory? Then the tenant could share a complex secret message with the security guard. In this case, let’s use “I am a person and likes to eat an apple” to represent a very complex password.

With such a “complex” message, it is very difficult, if not impossible, to figure out the secret message no matter how good the stranger is. Not only does the stranger have to know which words are used, they also have to figure out where each word goes in the sequence.

And hopefully with this, you can understand why it is necessary to use a more complex password.
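To make the two points above concrete (a bare dictionary word is a dictionary-attack target, and an arbitrary maximum length or character restriction only weakens the secret), here is an added example of a server-side password policy that is not part of the original post. The word list, the 12-character minimum and the PBKDF2 iteration count are constructed assumptions; a real deployment would load a large breached-password list instead of the six words shown.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Constructed word list standing in for a real dictionary or breached-password list.
COMMON_WORDS = {"apple", "password", "123456", "qwerty", "letmein", "welcome"}

MIN_LENGTH = 12            # enforce a minimum only; there is deliberately no maximum
PBKDF2_ITERATIONS = 600_000


def _normalize(password: str) -> str:
    # NFKC so that the same passphrase typed on different keyboards compares equal.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Any length and any character (spaces, symbols, non-Latin scripts) is allowed,
    which avoids the guard-with-a-small-vocabulary problem described above."""
    problems = []
    normalized = _normalize(password)
    if len(normalized) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = normalized.lower()
    # A bare dictionary word, even with a trailing digit or "!" tacked on, is a
    # dictionary-attack target; a multi-word passphrase is not caught by this check.
    if lowered in COMMON_WORDS or lowered.rstrip("0123456789!") in COMMON_WORDS:
        problems.append("is a common dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The digest is fixed-size whatever the input length,
    so storage never needs a maximum password length."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    for candidate in ("apple", "apple1", "I am a person and likes to eat an apple"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The dictionary check rejects “apple” (and “apple1”) while accepting the long sentence from the text; the hashing step shows why a site has no technical reason to cap password length, since the stored value is always 32 bytes.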

But we should also remember that technology like this is only going to improve further in capability and performance. Figuring out complex passwords will take less time with each passing year.

This is why we need to introduce another layer (also known as a factor) of security. This is known as Two-Factor Authentication (2FA).

At the fundamental level, 2FA relies on exactly two factors to verify identity. One factor is “what we know”. The other factor is “what we own or possess”.

A good place where we see 2FA in action is when withdrawing money from an ATM. We provide a bank card (what we own) and a PIN (what we know) to the machine. Once the system has verified who we are, we are able to perform banking transactions.

You might have also come across the term Multi-factor Authentication(MFA). This refers to the use of several security mechanisms for a user to demonstrate their identity.

In the next section, let us first explore 2FA. There are many flavours of 2FA, and the easiest to implement is the SMS token, which is why it is commonly used by companies.

Further secure your account with SMS 2FA

Sites that use SMS 2FA will generally request that you provide your mobile number so that they can supply you with a one-time code that you can use on the site.

Let us go back to the apartment analogy to explore how SMS 2FA works and why it is the weakest of any 2FA implementation.

After a spate of break-ins, the building management decided to improve the security and safety of the apartments by installing key-based locks on every door and changing the locks every day. This is in addition to the security guards standing outside the apartments. You might be thinking that installing and changing the lock on every door every day is infeasible in reality, but that is not the point of this analogy.

In order for the apartments to receive a new set of keys and locks, the building management set up a Security Room in the basement. Tenants (new or existing) register themselves once at the front desk and collect a name tag to identify them. This enables each tenant to receive the key that unlocks their door every time they need to enter their apartment. Registering with the front desk is akin to users registering their mobile phone number with the site after they have created their account.

Whenever the tenant wishes to enter their apartment, they exchange the secret message with the security guard. The guard then contacts the front desk via walkie-talkie to have the key for the apartment dispatched.

The front desk coordinates the key requests before asking the Security Room for the keys to be delivered to the requesting tenants. The Security Room sends concierges with the correct key to meet the tenants, identifying them by their name tag. This represents the SMS message containing the one-time password being delivered to your phone.

The concierges then search the building for their tenant to hand the key over.

Generally, this handover happens without issue. The tenant receives their key just in time and can proceed to unlock their door. Back in reality, this means the account owner receives the SMS message on their phone and can enter the one-time password into the site to log in to their account.

However, it is possible for the SMS message to be lost due to network issues or, worse, routed to the wrong person due to a form of fraud called SIM swapping. In our analogy, the former is the equivalent of the concierge losing their way and exiting the building, while the latter is equivalent to someone who wears the same name tag as you, knows the secret message and wears a mask that looks like you. Tricking both the concierge and the security guard then becomes very easy.
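The site’s side of the SMS exchange described above (issue a one-time code, deliver it, accept it once before it lapses) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any particular provider; the five-minute lifetime, the five-attempt limit and the HMAC storage of the code are design choices assumed here, and the `now` parameter exists only so the expiry behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300    # a code that is not used within five minutes lapses
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is discarded


class OtpStore:
    """Server-side bookkeeping for SMS one-time codes, keyed by account.

    Only an HMAC of each code is stored, so a leaked table does not reveal live codes."""

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        self._pending: Dict[str, Tuple[bytes, float, int]] = {}

    def _tag(self, account: str, code: str) -> bytes:
        return hmac.new(self._secret, f"{account}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, account: str, now: Optional[float] = None) -> str:
        """Create a fresh code for the account and return it for delivery by SMS.
        Issuing a new code replaces any earlier outstanding one."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = (self._tag(account, code), now + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, account: str, code: str, now: Optional[float] = None) -> bool:
        """Accept the code at most once and only before it expires."""
        now = time.time() if now is None else now
        record = self._pending.get(account)
        if record is None:
            return False                      # nothing outstanding (never issued, or already used)
        tag, expires_at, attempts_left = record
        if now > expires_at:
            del self._pending[account]        # late or lost SMS: the code has lapsed, reissue
            return False
        if hmac.compare_digest(tag, self._tag(account, code)):
            del self._pending[account]        # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[account]        # stop online guessing of the six digits
        else:
            self._pending[account] = (tag, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    store = OtpStore(b"constructed-server-secret")
    code = store.issue("alice")
    print("code sent by SMS:", code)
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

Note what this model can and cannot do: a lost or late SMS is handled by expiry and reissue, and replay or brute-forcing of the six digits is cut off server-side, but nothing here can tell whether the phone that received the SMS is still the account owner’s. That is exactly the SIM-swapping weakness above, and the reason the next part of the series moves the second factor onto a device you hold.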

The security of your account can be improved further. In the next part of this series, we will look into using token generation via a device you own for 2FA.


More than one million WordPress sites attacked over the weekend of late May 2020

WordPress has, throughout its history, found itself in the news for its security vulnerabilities. The most recent vulnerability incident with WordPress involves a plugin called Page Builder by SiteOrigin.

Attackers mounted a campaign over the weekend of 29 – 31 May against more than one million WordPress sites in an attempt to download wp-config.php, a file critical to all WordPress installations. This file contains sensitive information such as database credentials and connection information, as well as the unique authentication keys and salts. Therefore, anyone with access to the file could gain access to the database where the site content and users are stored.

To download that file, the attackers targeted cross-site scripting (XSS) vulnerabilities found in older plugins or themes that allow files to be downloaded or exported.

The attacks came from more than 20,000 IP addresses, which the same threat actor had also used in a previous attack earlier in May 2020.

The earlier attack targeted a different set of XSS vulnerabilities with the intention of redirecting visitors to malvertising sites. These vulnerabilities were found in plugins that have mostly been patched, or that have been removed from the WordPress plugin repository. Below is the list of plugins and their respective vulnerabilities that were popular with the attackers.

  • Easy2Map plugin — Removed from WordPress plugin repository due to XSS vulnerability
  • Blog Designer — XSS vulnerability that was patched in 2019
  • WP GDPR Compliance — Options update vulnerability that was patched in late 2018
  • Total Donations — Removed from Envato Marketplace permanently. It had a critical options update vulnerability.
  • Newspaper theme — XSS vulnerability that was patched in 2016.

The good news is that WordPress site owners who use Wordfence are protected. According to Ram Gall at Wordfence, the Wordfence firewall blocked over 130 million attacks intended to harvest database credentials.

How do you know if you were attacked?

The attack should be logged. Look for any log entries that contain wp-config.php in the query string with an HTTP response code of 200.
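The check just described, run over access-log lines, as an added example that is not part of the original article or Wordfence’s tooling. It assumes the common Apache/nginx “combined” log format; the four sample lines are constructed, the plugin path in the first line is made up, and the IP addresses are documentation ranges rather than the campaign’s real sources (which the article does not list here).

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; the plugin path in the first line is hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2020:10:12:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2020:10:12:05 +0000] "GET /?export=..%2Fwp-config%2Ephp HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2020:10:13:44 +0000] "GET /index.php?download=../wp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.55 - - [30/May/2020:10:14:10 +0000] "GET /2020/05/hello-world/?utm_source=newsletter HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
"""


def wp_config_hit(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (ip, time, path) if the line is a successful (200) request whose query
    string names wp-config.php; None otherwise. Percent-encoding is decoded first so
    'wp-config%2Ephp' is not missed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if m.group("status") == "200" and "wp-config.php" in unquote(parts.query).lower():
        return m.group("ip"), m.group("time"), parts.path
    return None


def scan_log(lines: Iterable[str]) -> Dict[str, int]:
    """Count successful wp-config.php probes per source IP."""
    hits: Counter = Counter()
    for line in lines:
        hit = wp_config_hit(line)
        if hit:
            hits[hit[0]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in scan_log(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} successful wp-config.php download attempt(s)")
```

A 403 line like the third sample means the request was blocked and no file left the server, so it is not counted; a 200 against a plugin or theme endpoint that takes a file name in the query string is the signal that the credentials in wp-config.php should be treated as exposed and rotated as described below.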

Below are the top 10 IP addresses used for this attack campaign.


What should you do next?

WordPress sites running Wordfence are protected from the attack. Other users should change the database password and the unique authentication keys and salts immediately if they believe they are compromised.

The reason is simple.

WordPress servers that have been configured to allow remote database access could easily allow an attacker with the database credentials to add an administrative user, extract sensitive data or delete the site. Even if remote database access is not enabled, an attacker who knows the authentication keys and salts can more easily bypass other security mechanisms that protect your site.

And what if you are not comfortable making the changes mentioned above?

Then you should contact your host or service provider, since changing the database password without updating the wp-config.php file can temporarily take your site offline.

Last but not least, you should also update any plugins and themes. You may also want to consider replacing plugins or themes that are no longer maintained by their original developers.

This article uses material from Wordfence.

Bugs in WordPress page builder plugin leave 1 million sites vulnerable to full takeover

Are you using WordPress? If you are, and have installed SiteOrigin’s Page Builder plugin, your site could be vulnerable to full takeover by hackers.

To the uninitiated, Page Builder is a WordPress plugin created by SiteOrigin that is used to build websites with drag-and-drop functionality. It currently has a million active installations.

Researchers at Wordfence found two security bugs in the plugin that can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). These two bugs allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.

The bugs have been assigned a severity rating of 8.8 out of 10 by the researchers, but no CVEs have yet been assigned.

The details of the flaws

The two flaws can be used by attackers to redirect a site’s administrator, create a new administrative user account or inject a backdoor into a site. The details of the flaws can be found in the link provided above.

The first flaw affects the built-in live editor within the plugin.

For the plugin to show the modifications made in the live editor in real time, it registers the is_live_editor() function to check whether a user is in the live editor. If the user is in the live editor, the siteorigin_panels_live_editor parameter is set to “true” to record that a user is accessing the live editor. The plugin then attempts to include the live editor file, which renders all of the content. Finally, the “live-editor-preview.php” rendering file updates the page preview with the changes made in real time.

This is all fine, but the problem lies in the lack of nonce protection. A nonce is a method that could be used to verify that an attempt to render content in the live editor came from a legitimate source.

According to the researchers, some of the available WordPress widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious JavaScript into a rendered live page.

The second flaw is also a CSRF-to-XSS issue, and it lies in the action_builder_content function of the plugin.

The purpose of the function was to transmit submitted content as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created in the live editor. Although the function did have a user permission check, there was no nonce protection to verify the request source, resulting in a CSRF flaw.
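Both flaws come down to the same missing check: a capability test alone cannot tell a request the administrator meant to send from one their browser was tricked into sending by another site, which is what a nonce is for. The following is an added example, written in Python rather than PHP, that models the mechanism WordPress nonces use (an HMAC over a time tick, the action name and the user id, valid for the current and previous half of a window) and a hypothetical request handler with and without the check. It is a model, not WordPress’s or SiteOrigin’s code; the 24-hour window, the action name, the 16-character truncation and the user/request structures are assumptions, and `_wpnonce` is the conventional WordPress parameter name.

```python
import hashlib
import hmac
import math
import time
from typing import Dict, Optional

NONCE_LIFE = 24 * 60 * 60   # assumed 24-hour window, split into two halves


class NonceService:
    """Action-bound nonces: HMAC(secret, time-tick | action | user id).

    A nonce minted for one action and user is useless for another, and it lapses
    after the window, so a request forged from a third-party page cannot carry one."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    @staticmethod
    def _tick(now: float) -> int:
        return math.ceil(now / (NONCE_LIFE / 2))

    def _make(self, action: str, user_id: int, tick: int) -> str:
        msg = f"{tick}|{action}|{user_id}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]

    def create(self, action: str, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        return self._make(action, user_id, self._tick(now))

    def verify(self, nonce: str, action: str, user_id: int, now: Optional[float] = None) -> int:
        """2 if minted in the current half-window, 1 if in the previous one, 0 if invalid."""
        now = time.time() if now is None else now
        tick = self._tick(now)
        candidate = nonce.encode()
        if hmac.compare_digest(candidate, self._make(action, user_id, tick).encode()):
            return 2
        if hmac.compare_digest(candidate, self._make(action, user_id, tick - 1).encode()):
            return 1
        return 0


LIVE_EDITOR_ACTION = "live_editor_preview"   # hypothetical action name


def handle_live_editor(request: Dict[str, str], user: Dict, nonces: NonceService,
                       now: Optional[float] = None) -> int:
    """Hypothetical handler returning an HTTP status. The capability check alone is
    what the vulnerable plugin had; the nonce check is the part that was missing."""
    if not user.get("can_edit"):
        return 403
    if not nonces.verify(request.get("_wpnonce", ""), LIVE_EDITOR_ACTION, user["id"], now):
        return 403      # cross-site request: sent by the admin's browser, but carries no valid nonce
    return 200          # render the preview


if __name__ == "__main__":
    svc = NonceService(b"constructed-site-secret")
    admin = {"id": 1, "can_edit": True}
    good = {"_wpnonce": svc.create(LIVE_EDITOR_ACTION, admin["id"])}
    forged = {"content": "<script>...</script>"}   # what a CSRF page can send
    print("legitimate request:", handle_live_editor(good, admin, svc))
    print("forged request:", handle_live_editor(forged, admin, svc))
```

The forged request is rejected even though it arrives with the administrator’s session, because the attacker’s page cannot compute a nonce without the site secret; in WordPress terms this is what `wp_verify_nonce()` or `check_ajax_referer()` adds on top of the `current_user_can()` check the plugin already had.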

The researchers found that the “Text” widget could be used to inject malicious JavaScript because its content can be edited in “text” mode rather than “visual” mode. As a result, potentially malicious JavaScript could be sent unfiltered.

What should you do?

The flaws affect SiteOrigin’s Page Builder version 2.10.15 and below. In order to avoid full site takeover, admins should upgrade the plugin to version 2.10.16.

It should be noted that an attacker needs to trick a site administrator into performing an action, such as clicking on a link or an attachment, for the attack to succeed. Therefore, it is advisable not to click on any link or open any attachment that you are unsure of.

Official government COVID-19 apps come with security threats

COVID-19 is one of the worst public health crises faced by humanity since the 1918 flu pandemic.

Governments around the world launched their own mobile apps to help their citizens track symptoms and virus infections. However, security researchers at ZeroFOX Alpha Team uncovered various privacy concerns and security vulnerabilities, including backdoors, in these apps.

The Iranian government released an Android app called AC19 on the Iranian app store known as CafeBazaar. The app, released by the Ministry of Health, claimed that it can detect whether or not people are infected by the virus. It was meant to take advantage of the confusion and fear gripping many parts of Iran about COVID-19 to boost Tehran’s surveillance capabilities.

When Iranian users downloaded the app, they were prompted to verify their phone number, despite the fact that the government has access to all phone numbers through its control of the country’s cell providers. Once users provided their phone number, they were prompted to give the app permission to send precise location data to government servers.

In addition, there is a copycat app called CoronaApp, created by threat actors, that is available for direct download by Iranian citizens rather than via the Google Play Store. As a result, the app is not subject to the normal vetting process that might protect users from malicious intent. Moreover, many citizens in Iran cannot access the official Google Play store due to sanctions, so they are more likely to download unvetted apps.

Once installed, CoronaApp requests permission to access the user’s location, camera, internet data and system information, and to write to external storage. It is this particular combination of requested permissions that demonstrates the developer’s intent to access sensitive user information.

Separately, the Colombian government released a mobile app called CoronaApp-Colombia on the Google Play store in March 2020 to help people track potential COVID-19 symptoms. However, ZeroFOX researchers discovered that the app included vulnerabilities relating to how it communicates over HTTP, affecting the privacy of more than 100,000 users.

As of March 25, version 1.2.9 of the app communicated insecurely with the API server throughout the app workflow. Specifically, it used HTTP instead of HTTPS or another more secure protocol for server communications. By making these insecure server calls to relay users’ personal data, CoronaApp-Colombia could put sensitive user health and personal information at risk of being compromised.

But there is a shred of good news. The Colombian CERT fixed the vulnerabilities three days after ZeroFOX Alpha Team submitted the vulnerability, listed as CVE-2018-11504 on MITRE, to them on March 26.

Last but not least, the Italian government created region-specific apps for tracking coronavirus symptoms, as the country is one of the places hit worst by the COVID-19 pandemic.

As a result of the greater number of government-sanctioned apps, users are less certain of which COVID-19 mobile apps are legitimate.

Threat actors are taking advantage of this confusion, and of the inconsistency in app releases and availability, to launch malicious copycats that contain backdoors.

ZeroFOX Alpha Team found 12 Android application packages related to the attack campaign. 11 of these packages were found to use various methods of obfuscation.

The first app analysed by Alpha Team was discovered to use a signing certificate where the signer was “Raven” with a location in Baltimore, likely a reference to the Baltimore Ravens NFL team. Furthermore, every other app analysed by the team used the same signing certificate and issuer details.

The backdoor is activated when the Android app receives a BOOT_COMPLETED event as the device boots, or when the app is opened.

The researchers advised governments with COVID-19 related apps, or those thinking about releasing new ones, to ensure consistency in where the apps can be downloaded and in their appearance, to help avoid the spread of malicious doppelgängers. Exercising due diligence during the development process will help secure the app and avoid putting citizens at further privacy risk.

Are you using Zoom? Your personal data is being leaked and you could be vulnerable to being hacked

Zoom is dealing with one hot potato after another. It recently got out of a situation where its iOS app was found to be secretly sharing data with Facebook, by updating the iOS app.

Now, it is dealing with another problem due to how the software’s Company Directory feature works.

Zoom groups users who signed up using the same company email domain together to make searching for and calling colleagues easier. So when users sign up with their private email address to join Zoom, they have had thousands of strangers added to their contact list, as they were perceived to be working in the same organisation. With this, anyone can get insight into all subscribed users of that provider, including their full name, physical address, profile picture and status.

However, there is a little bit of good news. Users of standard email providers such as Gmail, Hotmail and Yahoo are not affected, as Zoom has blacklisted those domains. For other domains, the company officially requires users to submit a request for their non-standard domain to be blacklisted.

But that is not the end of bad news for the company.

It was also found that Zoom converts any URL into a hyperlink. This could be used maliciously: cybercriminals could send you a Universal Naming Convention (UNC) path instead of a web link.

UNC paths are typically used for networking and file sharing. An unsuspecting user could click on the link sent via Zoom, which makes Windows try to connect to the remote host using the Server Message Block (SMB) network file-sharing protocol. By default, Windows will send the user’s login name and their NTLM password hash to this host. The NTLM password hash could easily be cracked, putting your computer at risk of being hacked.

Billions of Wi-Fi devices are vulnerable to eavesdropping due to

At the RSA security conference, security researchers announced a Wi-Fi vulnerability that affects billions of devices. This vulnerability allows nearby attackers to decrypt sensitive data sent over the air.

Eset, the security company that discovered the vulnerability, named it Kr00k; it is tracked as CVE-2019-15126. Kr00k affects Wi-Fi chips made by Cypress Semiconductor and Broadcom. FullMAC WLAN chips from both companies are especially affected, according to Eset. These chips are used in billions of devices, including the following:

  • iPhones
  • iPad
  • Apple Macs
  • Amazon Echos
  • Amazon Kindles
  • Android devices
  • Raspberry Pi 3
  • Wi-Fi routers from Asus and Huawei

Most of the affected devices have patches available from their manufacturers, but it is not clear how many of them have installed the patches. Routers are the biggest concern because they often go unpatched indefinitely.

How does the vulnerability work?

When a wireless device disassociates from a wireless access point, unsent data frames are placed in a transmit buffer and then sent over the air. Kr00k exploits this weakness: if either the device or the wireless access point has the flaw, these data frames are encrypted with a key consisting of all zeroes instead of the session key negotiated earlier between the wireless device and the wireless access point. Using an all-zero key to encrypt data is equivalent to having no key.

The following diagram from ArsTechnica shows what happens when a device disassociates from a wireless access point if either one is vulnerable.

A disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable device or access point can easily trigger this vulnerability by sending disassociation frames, since these frames are not authenticated. From there, hackers could capture and decrypt the transmitted data. They could trigger multiple disassociations to improve their chances of obtaining useful data.

The following diagram from ArsTechnica shows how the attack would happen.

What are the devices affected?

Eset researchers identified a variety of mobile devices that are vulnerable, including:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

In addition, the following routers are also vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

The researchers also tested Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink and MediaTek, and did not find any evidence of them being vulnerable. However, since it was impossible to test all devices, it is possible that other devices using Cypress and Broadcom chips are affected.

For Apple, the vulnerabilities were patched in October 2019 as part of macOS Catalina 10.15.1, Security Update 2019-001 for macOS Mojave, Security Update 2019-006 for macOS High Sierra, iOS 13.2 and iPadOS 13.2. More information on the patches can be found here for macOS and here for iOS and iPadOS.

In a separate statement to ArsTechnica, Amazon also stated that the Amazon Echo and Kindle devices listed in the security research have received automatic security updates over the internet.

Emotet now hacks nearby Wi-Fi network to spread like a worm

Emotet has evolved multiple times since its initial discovery by security researchers in 2014. Recently, a sample of Emotet malware was found to have gained the ability to spread through insecure Wi-Fi networks near an infected device.

Once the malware gains access to a Wi-Fi network, it attempts to infect all the connected devices. It is a tactic that can dramatically escalate Emotet’s spread.

Researchers first observed the Wi-Fi spreading binary being delivered on 23 January 2020, but further analysis suggested that the executable has a timestamp of 16 April 2018, which hints that the behaviour has been running unnoticed for almost two years.

This Wi-Fi spreading capability further raises the threat level of the already-prevalent Emotet.

Before this discovery, the malware was found in November 2019 to have gained new obfuscation and anti-virus evasion capabilities, which enable Emotet to better escape detection. Meanwhile, its authors have also changed their social engineering tactics to keep in line with current events, sending out malicious emails that claimed to be Edward Snowden’s new memoir or that used Halloween-themed lures.

What is Emotet?

Emotet is malware that began life as a banking trojan in 2014. Its primary goal is to sneak into your computer in order to steal sensitive and private information.

It has gone through a few iterations. Early versions arrived as malicious JavaScript files. Subsequently, it evolved to use macro-enabled documents that retrieve the malware payload from command and control (C&C) servers run by the attackers.

Malware is mostly useless to attackers if it is detected early or when security researchers can analyse it to determine how it works. To prevent that, Emotet comes with a few tricks up its sleeve.

Most notably, it knows if it is running inside a virtual machine (VM) and will lie dormant when that happens. This is because cybersecurity researchers use VMs to observe malware within a safe and controlled space.

Emotet is also able to use its command and control (C&C) servers to receive updates, much like the operating system (OS) updates on your PC; this can happen seamlessly and without any outward signs. This way, attackers can install updated versions of the malware or deliver and install additional malware on the target. In addition, the C&C servers also serve as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

How does Emotet spread?

Emotet spreads itself primarily through spam emails (malspam). It goes through your contact list and sends itself to your friends, family, coworkers and clients. The emails look less like spam because they come from your hijacked account, which in turn makes the recipients feel safe and more likely to click on the bad URLs in the emails and download infected files.

To increase the likelihood that recipients click on the bad URLs or open the attachments, the emails may contain familiar branding or tempting language such as ‘Your invoice’ and ‘Payment Details’. In some cases, the content may be about an upcoming shipment from a well-known delivery company.

Furthermore, if a connected network is present, Emotet attempts to spread through it and gain access to other connected systems by brute forcing its way in with a list of common passwords.

For Emotet to spread via Wi-Fi, it first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe). Once the RAR file is extracted, worm.exe executes automatically.

The main purpose of worm.exe is to profile wireless networks. It goes through each Wi-Fi network to identify its SSID, signal strength, and encryption and authentication methods. After that, the malware begins to connect to each network by brute forcing the passwords.

Once the malware gains access to the network, it makes a request to its command and control (C2) server and establishes a connection to the Wi-Fi network. Next, it attempts to brute-force the passwords of all users on the newly infected network. If the brute force is successful and the malware gains access to a device, worm.exe installs service.exe onto that device.

Finally, once service.exe is installed on the infected device, it communicates back to the C2 server and then begins dropping the embedded Emotet executable. The whole spreading and infection process then repeats in an attempt to infect as many devices as possible.

How do you protect your devices from Emotet?

To prevent Emotet from using its Wi-Fi spreading capability to infect connected devices, it is recommended that wireless networks are secured using longer and more complex passwords.

Preventing infection by Emotet is only one part of the solution. Active monitoring of endpoints for newly installed services, and subsequent investigation of suspicious services or processes running from temporary folders and application data folders within user profiles, is equally important. This way, Emotet and its associated malware can be identified early and eliminated before they cause further damage to the rest of the systems.
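The two checks recommended in the paragraph above (a service that was not there before, and a service whose binary runs from a temp or user-profile folder) can be scripted against a snapshot of the Windows service list. This is an added example, not part of the original article or of any vendor’s tooling; the baseline and the service snapshot below are constructed, the `WinSvc32` and `UpdaterSvc` entries are invented stand-ins for the kind of service.exe installation the text describes, and the folder-name heuristic is an assumption a real deployment would tune to its own environment.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Set

# Folder names under which legitimate Windows services almost never live.
SUSPECT_DIRS = {"temp", "tmp", "appdata"}

# Constructed baseline: service names recorded on a known-clean host.
BASELINE_SERVICES = {"wuauserv", "Dnscache", "VendorAgent"}

# Constructed snapshot of the current service list (as read from the
# HKLM\SYSTEM\CurrentControlSet\Services ImagePath values or `sc qc`).
CURRENT_SERVICES = [
    {"name": "wuauserv",    "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"name": "Dnscache",    "image_path": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    {"name": "VendorAgent", "image_path": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"name": "WinSvc32",    "image_path": r'"C:\Users\bob\AppData\Roaming\WinSvc32\service.exe"'},
    {"name": "UpdaterSvc",  "image_path": r"C:\Windows\Temp\service.exe /install"},
    {"name": "NewTool",     "image_path": r'"C:\Program Files\NewTool\tool.exe"'},
]


def executable_from_image_path(image_path: str) -> str:
    """Strip arguments from a service ImagePath: a quoted path is taken up to the
    closing quote, an unquoted one up to and including '.exe' (heuristic)."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx != -1 else s.split(" ")[0]


def runs_from_user_or_temp_folder(image_path: str) -> bool:
    """True if any directory component of the executable path is a temp/AppData folder."""
    parts = {p.lower() for p in PureWindowsPath(executable_from_image_path(image_path)).parts}
    return bool(parts & SUSPECT_DIRS)


def review_services(services: List[Dict[str, str]], baseline: Set[str]) -> Dict[str, List[str]]:
    """Return {service name: reasons} for every service worth investigating."""
    findings: Dict[str, List[str]] = {}
    for svc in services:
        reasons = []
        if svc["name"] not in baseline:
            reasons.append("not in baseline (newly installed)")
        if runs_from_user_or_temp_folder(svc["image_path"]):
            reasons.append("binary runs from a temp or user-profile folder")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_services(CURRENT_SERVICES, BASELINE_SERVICES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A new service under Program Files (`NewTool` above) is only flagged as new and can be closed out quickly by checking the change record; a new service whose binary sits under AppData or Windows\Temp matches both conditions and is the case worth pulling the file and its C2 traffic for.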

Furthermore, computers and endpoints should be kept up to date with the latest software patches to eliminate as many vulnerabilities as possible. This prevents the other malware associated with Emotet infections, such as TrickBot, from exploiting those vulnerabilities.

Last but not least, it is important not to open suspicious attachments or click on suspicious links. This way, Emotet will not be able to gain an initial foothold in the system or network.

IoT and surveillance devices that use Xiongmai Tech firmware discovered to have zero-day backdoor mechanism

Russian security researcher Vladislav Yarmak discovered a backdoor mechanism integrated into DVR/NVR devices built on top of HiSilicon SoCs. He published a full-disclosure report on Habr, a Russian IT and computer science blog.

The backdoor mechanism is implemented using a mix of exploits that take advantage of bugs discovered years ago, some dating as early as March 2013.

HiSilicon, a Chinese fabless semiconductor company fully owned by Huawei, was inferred to be responsible for the backdoor mechanism. An earlier version of the HiSilicon firmware came with telnet access enabled, using a static root password that can be easily recovered from the firmware image.

In 2017, Istvan Toth did a comprehensive and detailed analysis of the firmware and discovered multiple vulnerabilities in the firmware and its built-in web server.

He also published a list of brands with the affected firmware on this GitHub page. From the list, there are hundreds of products across at least a dozen brands.

Subsequent versions of the firmware had telnet access and the debug port (9527/tcp) disabled by default. Another port, 9530/tcp, was opened instead to receive a special command that starts the telnet daemon and enables shell access with the same static password. This was intentionally baked into the firmware.

Huawei published an official media statement saying that it is not responsible for the discovered vulnerabilities. In addition, it said that it and its affiliates, including HiSilicon, have long committed that they will not and have not installed backdoors, nor will they allow their vendors to do the same.

It was later determined by other security researchers that only devices using Xiongmai firmware are affected by the vulnerabilities.

Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) is a Chinese technology company founded in 2009 that develops IoT and surveillance devices such as DVRs, NVRs and IP cameras.

Given that the vulnerabilities remain unpatched and the company is not responding to the disclosure, it is advised that devices using Xiongmai software be replaced. If replacing these devices is not possible, then it is best to restrict network access to them to trusted users only. The ports involved in this vulnerability are 23/tcp, 9530/tcp and 9527/tcp, and they should be blocked from external access.