Security

Google calls for halting use of WHOIS for TLS domain verifications

WHOWAS —

WHOIS data is unreliable. So why is it used in TLS certificate applications?

Certificate authorities and browser makers are planning to end the use of WHOIS data for verifying domain ownership, following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.

TLS certificates are the cryptographic credentials that underpin HTTPS connections, a critical component of online communications that verifies a server belongs to a trusted entity and encrypts all traffic passing between it and an end user. These credentials are issued by any one of hundreds of CAs (certificate authorities) to domain owners. The rules for how certificates are issued and the process for verifying the rightful owner of a domain are left to the CA/Browser Forum. One “base requirement rule” allows CAs to send an email to an address listed in the WHOIS record for the domain being applied for. When the receiver clicks an enclosed link, the certificate is automatically approved.

Non-trivial dependencies

Researchers from security firm watchTowr recently demonstrated how threat actors could abuse the rule to obtain fraudulently issued certificates for domains they didn’t own. The security failure resulted from a lack of uniform rules for determining the validity of sites claiming to provide official WHOIS records.

Specifically, watchTowr researchers were able to receive a verification link for any domain ending in .mobi, including ones they didn’t own. The researchers did this by deploying a fake WHOIS server and populating it with fake records. Creation of the fake server was possible because dotmobiregistry.net—the previous domain hosting the WHOIS server for .mobi domains—was allowed to expire after the server was relocated to a new domain. watchTowr researchers registered the domain, set up the imposter WHOIS server, and found that CAs continued to rely on it to verify ownership of .mobi domains.

The research didn’t escape the notice of the CA/Browser Forum (CAB Forum). On Monday, a member representing Google proposed ending the reliance on WHOIS data for domain ownership verification “in light of recent events where research from watchTowr Labs demonstrated how threat actors could exploit WHOIS to obtain fraudulently issued TLS certificates.”

The formal proposal calls for reliance on WHOIS data to “sunset” in early November. It establishes specifically that “CAs MUST NOT rely on WHOIS to identify Domain Contacts” and that “Effective November 1, 2024, validations using this [email verification] method MUST NOT rely on WHOIS to identify Domain Contact information.”

Since Monday’s submission, more than 50 follow-up comments have been posted. Many of the responses expressed support for the proposed change. Others have questioned the need for a change as proposed, given that the security failure watchTowr uncovered is known to affect only a single top-level domain.

An Amazon representative, meanwhile, noted that the company had already made a unilateral change under which AWS Certificate Manager will fully transition away from reliance on WHOIS records. The representative told CAB Forum members that Google’s proposed deadline of November 1 may be too stringent.

“We got feedback from customers that for some this is a non-trivial dependency to remove,” the Amazon representative wrote. “It’s not uncommon for companies to have built automation on top of email validation. Based on the information we got I recommend a date of April 30, 2025.”

CA Digicert endorsed Amazon’s proposal to extend the deadline. Digicert went on to propose that instead of using WHOIS records, CAs use the WHOIS successor known as the Registration Data Access Protocol.
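As an added illustration (not code from the article, the CAB Forum ballot, or any CA), this is the domain-contact lookup a CA would perform over RDAP rather than WHOIS: parse an RFC 9083-style domain response, keep only entities in domain-contact roles, and refuse a response whose ldhName does not match the domain under validation. The JSON is constructed sample data, and the role policy and helper names are assumptions for this example.

```python
import json
from typing import Dict, List

# Constructed RDAP domain response in the RFC 9083 shape; not real registry data.
# A CA would fetch this from the registry's RDAP base URL, which is published in
# IANA's RDAP bootstrap file (https://data.iana.org/rdap/dns.json) rather than
# learned from an ad hoc WHOIS referral such as the expired dotmobiregistry.net.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.mobi",
    "status": ["active"],
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "Example Registrar"],
                ["email", {}, "text", "abuse@registrar.example"],
            ]],
        },
        {
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                ["email", {}, "text", "owner@example.mobi"],
            ]],
        },
        {
            "objectClassName": "entity",
            "roles": ["administrative", "technical"],
            "vcardArray": ["vcard", [
                ["version", {}, "text", "4.0"],
                ["email", {}, "text", "admin@example.mobi"],
            ]],
        },
    ],
})

# Roles treated as the domain's own contacts (assumed policy for this example;
# registrar and abuse contacts are deliberately excluded).
DOMAIN_CONTACT_ROLES = frozenset({"registrant", "administrative", "technical"})


def vcard_emails(vcard_array) -> List[str]:
    """Pull every 'email' property out of a jCard (RFC 7095) array."""
    if not vcard_array or vcard_array[0] != "vcard":
        return []
    return [prop[3] for prop in vcard_array[1]
            if len(prop) == 4 and prop[0] == "email" and isinstance(prop[3], str)]


def domain_contacts(rdap_json: str, requested_domain: str) -> Dict[str, List[str]]:
    """Map each domain-contact role to the e-mail addresses RDAP lists for it.

    Raises ValueError if the response is not a domain object for the domain
    actually being validated, so a stray or spoofed answer cannot be mistaken
    for the right record.
    """
    obj = json.loads(rdap_json)
    if obj.get("objectClassName") != "domain":
        raise ValueError("not an RDAP domain object")
    if obj.get("ldhName", "").lower().rstrip(".") != requested_domain.lower().rstrip("."):
        raise ValueError("RDAP response is for a different domain")

    contacts: Dict[str, List[str]] = {}
    for entity in obj.get("entities", []):
        roles = DOMAIN_CONTACT_ROLES.intersection(entity.get("roles", []))
        if not roles:
            continue
        for email in vcard_emails(entity.get("vcardArray")):
            for role in sorted(roles):
                contacts.setdefault(role, []).append(email)
    return contacts


if __name__ == "__main__":
    print(domain_contacts(SAMPLE_RDAP, "example.mobi"))
```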

The proposed changes are formally in the discussion phase of deliberations. It’s unclear when formal voting on the change will begin.

Ever wonder how crooks get the credentials to unlock stolen phones?

BUSTED —

iServer provided a simple service for phishing credentials to unlock phones.

A coalition of law-enforcement agencies said it shut down a service that facilitated the unlocking of more than 1.2 million stolen or lost mobile phones so they could be used by someone other than their rightful owner.

The service was part of iServer, a phishing-as-a-service platform that has been operating since 2018. The Argentina-based iServer sold access to a platform that offered a host of phishing-related services through email, texts, and voice calls. One of the specialized services offered was designed to help people in possession of large numbers of stolen or lost mobile devices to obtain the credentials needed to bypass protections such as the lost mode for iPhones, which prevents a lost or stolen device from being used without entering its passcode.

iServer's phishing-as-a-service model.

Group-IB

Catering to low-skilled thieves

An international operation coordinated by Europol’s European Cybercrime Center said it arrested the Argentinian national who was behind iServer and identified more than 2,000 “unlockers” who had enrolled in the phishing platform over the years. Investigators ultimately found that the criminal network had been used to unlock more than 1.2 million mobile phones. Officials said they also identified 483,000 phone owners who had received messages phishing for credentials for their lost or stolen devices.

According to Group-IB, the security firm that discovered the phone-unlocking racket and reported it to authorities, iServer provided a web interface that allowed low-skilled unlockers to phish the rightful device owners for the device passcodes, user credentials from cloud-based mobile platforms, and other personal information.

Group-IB wrote:

During its investigations into iServer’s criminal activities, Group-IB specialists also uncovered the structure and roles of criminal syndicates operating with the platform: the platform’s owner/developer sells access to “unlockers,” who in their turn provide phone unlocking services to other criminals with locked stolen devices. The phishing attacks are specifically designed to gather data that grants access to physical mobile devices, enabling criminals to acquire users’ credentials and local device passwords to unlock devices or unlink them from their owners. iServer automates the creation and delivery of phishing pages that imitate popular cloud-based mobile platforms, featuring several unique implementations that enhance its effectiveness as a cybercrime tool.

Unlockers obtain the necessary information for unlocking the mobile phones, such as IMEI, language, owner details, and contact information, often accessed through lost mode or via cloud-based mobile platforms. They utilize phishing domains provided by iServer or create their own to set up a phishing attack. After selecting an attack scenario, iServer creates a phishing page and sends an SMS with a malicious link to the victim.

An example phishing message sent.

When successful, iServer customers would receive the credentials through the web interface. The customers could then unlock a phone to disable the lost mode so the device could be used by someone new.

Ultimately, criminals received the stolen and validated credentials through the iServer web interface, enabling them to unlock a phone, turn off “Lost mode” and untie it from the owner’s account.

To better camouflage the ruse, iServer often disguised phishing pages as belonging to cloud-based services.

Phishing message asking for passcode.

Group-IB

Phishing message masquerades as a cloud-based service with a map once passcode is entered.

Group-IB

Besides the arrest, authorities also seized the iserver.com domain.

The iServer site as it appeared before the takedown.

Group-IB

The iServer website after the takedown.

Group-IB

The takedown and arrests occurred from September 10–17 in Spain, Argentina, Chile, Colombia, Ecuador, and Peru. Authorities in those countries began investigating the phishing service in 2022.

Life imitates xkcd comic as Florida gang beats crypto password from retiree

intruders —

Group staged home invasions to steal cryptocurrency.

Sometimes this is all you need.

Aurich Lawson | Getty Images

Remy Ra St. Felix spent April 11, 2023, on a quiet street in a rented BMW X5, staking out the 76-year-old couple that he planned to rob the next day.

He had recently made the 11-hour drive up I-95 from southern Florida, where he lived, to Durham, North Carolina. It was a long way, but as with so many jobs, occasional travel was the cost of doing business. That was true especially when your business was robbing people of their cryptocurrency by breaking into their homes and threatening to cut off their balls and rape their wives.

St. Felix, a young man of just 25, had tried this line of work closer to home at first, but it hadn’t gone well. A September 2022 home invasion in Homestead, Florida, was supposed to bring St. Felix and his crew piles of crypto. All they had to do was stick a gun to some poor schlub’s head and force him to log in to his online exchange and then transfer the money to accounts controlled by the thieves. A simple plan—which worked fine until it turned out that the victim’s crypto accounts had far less money in them than planned.

Rather than waste the opportunity, St. Felix improvised. Court records showed that he tied the victim’s hands, shoved him into a vehicle, and drove away. Inside the car, the kidnappers filmed themselves beating the victim, who was visibly bleeding from the mouth and face. A gun was placed to the victim’s neck, and he was forced to record a plea for friends and family to send cryptocurrency to secure the man’s release. Five such videos were recorded in the car. The abducted man was eventually found by police 120 miles from his home.

A messy operation.

So St. Felix and his crew began to look out of state for new jobs. They robbed someone in Little Elm, Texas, of $150,000 and two Rolex watches, but their attention was eventually drawn to a tidy home on Wells Street in far-off Durham. The homeowner there was believed to be a significant crypto investor. (The crew had hacked into his email account to confirm this.)

After his day of surveillance on April 11, St. Felix and his partner, Elmer Castro, drove to a local Walmart and purchased their work uniforms: sunglasses, a clipboard, reflective vests, and khaki pants. Back at their hotel, St. Felix snapped a photo of himself in this getup, which looked close enough to a construction worker for his purposes.

The next morning at 7:30 am, St. Felix and Castro rolled up to the Wells Street home once more. Instead of surveilling it from down the block, they knocked on the door. The husband answered. The men told him some story involving necessary pipe inspections. They wandered around the home for a few minutes, then knocked on the front door again.

But this time, when the wife answered, St. Felix and Castro were wearing ski masks and sunglasses—and they had handguns. They pushed their way inside. The woman screamed, and her husband came in from the kitchen to see them all fighting. The intruders punched the husband in the face and zip-tied the hands and feet of both homeowners.

Castro dragged the wife by her legs down the hallway and into the bathroom. He stood guard over her, wielding his distinctive pink revolver.

In the meantime, St. Felix had marched the husband at gunpoint into a loft office at the back of the home. There, the threats came quickly—St. Felix would cut off the man’s toes, he said, or his genitals. He would shoot him. He would rape his wife. The only way out was to cooperate, and that meant helping St. Felix log in to the man’s Coinbase account.

St. Felix, holding a black handgun and wearing a Bass Pro Shop baseball cap, waited for the shocked husband’s agreement. When he got it, he cut the man’s zip-ties and set him in front of the home office iMac.

The husband logged in to the computer, and St. Felix took over and downloaded the remote-control software AnyDesk. He then opened up a Telegram audio call to the real brains of the operation.

The actual robbery was about to begin.

Massive China-state IoT botnet went undetected for four years—until now

OVER 260,000 PWNED —

75% of infected devices were located in homes and offices in North America and Europe.

The FBI has dismantled a massive network of compromised devices that Chinese state-sponsored hackers have used for four years to mount attacks on government agencies, telecoms, defense contractors, and other targets in the US and Taiwan.

The botnet was made up primarily of small office and home office routers, surveillance cameras, network-attached storage, and other Internet-connected devices located all over the world. Over the past four years, US officials said, 260,000 such devices have cycled through the sophisticated network, which is organized in three tiers that allow the botnet to operate with efficiency and precision. At its peak in June 2023, Raptor Train, as the botnet is named, consisted of more than 60,000 commandeered devices, according to researchers from Black Lotus Labs, making it the largest China state botnet discovered to date.

Burning down the house

Raptor Train is the second China state-operated botnet US authorities have taken down this year. In January, law enforcement officials covertly issued commands to disinfect Internet of Things devices that hackers backed by the Chinese government had taken over without the device owners’ knowledge. The Chinese hackers, part of a group tracked as Volt Typhoon, used the botnet for more than a year as a platform to deliver exploits that burrowed deep into the networks of targets of interest. Because the attacks appear to originate from IP addresses with good reputations, they are subjected to less scrutiny from network security defenses, making the bots an ideal delivery proxy. Russia-state hackers have also been caught assembling large IoT botnets for the same purposes.

An advisory jointly issued Wednesday by the FBI, the Cyber National Mission Force, and the National Security Agency said that China-based company Integrity Technology Group controlled and managed Raptor Train. The company has ties to the People’s Republic of China, officials said. The company, they said, has also used the state-controlled China Unicom Beijing Province Network IP addresses to control and manage the botnet. Researchers and law enforcement track the China-state group that worked with Integrity Technology as Flax Typhoon. More than half of the infected Raptor Train devices were located in North America and another 25 percent in Europe.

Raptor Train concentration by continent.

IC3.gov

Raptor Train concentration by country.

IC3.gov

“Flax Typhoon was targeting critical infrastructure across the US and overseas, everyone from corporations and media organizations to universities and government agencies,” FBI Director Christopher Wray said Wednesday at the Aspen Cyber Summit. “Like Volt Typhoon, they used Internet-connected devices, this time hundreds of thousands of them, to create a botnet that helped them compromise systems and exfiltrate confidential data.” He added: “Flax Typhoon’s actions caused real harm to its victims who had to devote precious time to clean up the mess.”

14 dead as Hezbollah walkie-talkies explode in second, deadlier attack

Day 2 —

People aren’t sure what devices will detonate next.

Wireless communication devices have exploded again today across Lebanon in a second attack even deadlier than yesterday’s explosion of thousands of Hezbollah pagers. According to Lebanon’s Ministry of Health, the new attack has killed at least 14 more people and injured more than 450.

Today’s attack targeted two-way radios (“walkie-talkies”) issued to Hezbollah members. The radios exploded in the middle of the day, with at least one going off during a funeral for people killed in yesterday’s pager attacks. A New York Times report on that funeral described the moment:

When the blast went off, a brief, eerie stillness descended on the crowd. Mourners looked at one another in disbelief. The religious chants being broadcast over a loudspeaker abruptly stopped.

Then panic set in. People started scrambling in the streets, hiding in the lobbies of nearby buildings, and shouting at one another, “Turn off your phone! Take out the battery!” Soon a voice on the loudspeaker at the funeral urged everyone to do the same…

One woman, Um Ibrahim, stopped a reporter in the middle of the confusion and begged to use the reporter’s cellphone to call her children. The woman dialed a number with her hands shaking, then screamed into the phone, “Turn off your phones now!”

The story appears to capture the current mood in Lebanon, where no one seems quite sure what will explode next. While today’s attack against walkie-talkies is well-attested, various unconfirmed reports suggest that people fear an explosion from just about anything with a battery.

At the time of publication, The Associated Press was leading its coverage of the attack with the line, “Walkie-talkies and solar equipment exploded in Beirut and multiple parts of Lebanon on Wednesday.” It later added that “a girl was hurt in the south when a solar energy system blew up, the state news agency reported.” Whether this actually happened, or if it was in any way connected with the attacks, remains unclear.

The Jerusalem Post rounded up a slew of rumors making the rounds in the region, some far less plausible than others:

Unofficial reports claimed that iPhones, video cameras, IC-V82 radios, and other devices also detonated.

According to unconfirmed reports, Hezbollah has told its operatives to distance itself from communication devices.

Unofficial reports also claimed that Hezbollah told its members to dispose of devices containing a lithium battery or that are connected to the internet.

Additional unconfirmed reports claimed that lithium batteries for solar energy storage had detonated and that some houses were on fire.

Yesterday, multiple news outlets reported that the pager attacks had been caused by explosives built into the devices, likely as part of an Israeli supply chain attack.

Today, similar reporting suggests the same kind of attack was used against the two-way radios. Axios cited two of its own sources who confirmed that the “walkie-talkies were booby-trapped in advance by Israeli intelligence services and then delivered to Hezbollah as part of the militia’s emergency communications system,” adding that “the decision to conduct the second attack was also driven by the assessment that Hezbollah’s investigation into the pager explosions would likely expose the security breach in the walkie-talkies.”

8 dead, 2,700 injured after simultaneous pager explosions in Lebanon

Pagers —

Lithium-ion batteries or supply chain attack may be to blame.

An ambulance arrives at the site after wireless communication devices known as pagers exploded in Sidon, Lebanon, on September 17, 2024.

A massive wave of pager explosions across Lebanon and Syria around 3:30 pm local time today has killed at least eight people and injured more than 2,700, according to local officials. Many of the injured appear to be Hezbollah members, although a young girl is said to be among the dead.

New York Times reporters captured the chaos of the striking scene in two anecdotes:

Ahmad Ayoud, a butcher from the Basta neighborhood in Beirut, said he was in his shop when he heard explosions. Then he saw a man in his 20s fall off a motorbike. He appeared to be bleeding. “We all thought he got wounded from random shooting,” Ayoud said. “Then a few minutes later we started hearing of other cases. All were carrying pagers.”

Residents of Beirut’s southern suburbs, where many of the explosions took place, reported seeing smoke coming from people’s pockets followed by a blast like a firework. Mohammed Awada, 52, was driving alongside one of the victims. “My son went crazy and started to scream when he saw the man’s hand flying away from him,” he said.

Video from the region already shows a device exploding in a supermarket checkout line, and pictures show numerous young men lying on the ground with large, bloody wounds on their upper legs and thighs.

The shocking—and novel—attack appears to have relied on a wave of recently imported Hezbollah pagers, according to reporting in The Wall Street Journal. (The group has already warned its members to avoid using cell phones due to both tracking and assassination concerns.)

According to the WSJ, a Hezbollah official speculated that “malware may have caused the devices to explode. The official said some people felt the pagers heat up and disposed of them before they burst.”

The pagers in question allegedly have lithium-ion batteries, which sometimes explode after generating significant heat. The coordinated nature of the attack suggests that some kind of firmware hack or supply chain attack may have given an adversary the ability to trigger a pager explosion at the time of its choosing.

Hezbollah officials are already privately blaming Israel, which has not taken responsibility but has previously carried out surprising electronic strikes on its enemies, including the Stuxnet malware that damaged Iran’s nuclear program.

The Associated Press noted that even Iran’s ambassador to Lebanon was injured in the widespread attack.

Update, 12:55pm ET: The Times adds a small detail: “The devices were programmed to beep for several seconds before exploding, according to the officials, who spoke on the condition of anonymity because of the sensitivity of the matter.”

Several of the explosions were captured on video, and in them, the devices appear to “explode” more in the manner of a small grenade (a bang and a puff of smoke) than a lithium-ion battery (which may explode but is often followed by continuing smoke and fire), despite some of the early speculation by Hezbollah officials. This is a breaking story, and the cause of the explosions still remains unclear.

Update, 1:05pm ET: The WSJ quotes regional security analyst Michael Horowitz as suggesting the attack was likely caused by either 1) malware triggering the batteries to overheat/explode or 2) an actual explosive charge inserted in the devices at some point in the supply chain and then detonated remotely.

“Either way, this is a very sophisticated attack,” Horowitz told the WSJ. “Particularly if this is a physical breach, as this would mean Israel has access to the producer of those devices. This may be part of the message being sent here.”

Update, 1:20pm ET: Reuters notes that Israel has claimed to foil a Hezbollah assassination plot that would have used remotely detonated explosives.

Earlier on Tuesday, Israel’s domestic security agency said it had foiled a plot by Lebanese militant group Hezbollah to assassinate a former senior defence official in the coming days.

The Shin Bet agency, which did not name the official, said in a statement it had seized an explosive device attached to a remote detonation system, using a mobile phone and a camera that Hezbollah had planned to operate from Lebanon.

Update, 2:00pm ET: In today’s US State Department briefing, which you can watch here, spokesperson Matthew Miller was asked about the pager attacks. “The US was not involved in it,” he said. “The US was not aware of this incident in advance.” He said the US government is currently gathering more information on what happened.

Update, 3:30pm ET: A former British Army expert speculates about the cause of the explosions, telling the BBC that “the devices would have likely been packed with between 10 to 20 grams each of military-grade high explosive, hidden inside a fake electronic component. This, said the expert, would have been armed by a signal, something called an alphanumeric text message. Once armed, the next person to use the device would have triggered the explosive.”

1.3 million Android-based TV boxes backdoored; researchers still don’t know how

CAUSE UNKNOWN —

Infection corrals devices running AOSP-based firmware into a botnet.

Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.

Security firm Doctor Web reported Thursday that malware named Android.Vo1d has backdoored the Android-based boxes by putting malicious components in their system storage area, where they can be updated with additional malware at any time by command-and-control servers. Google representatives said the infected devices are running operating systems based on the Android Open Source Project, a version overseen by Google but distinct from Android TV, a proprietary version restricted to licensed device makers.

Dozens of variants

Although Doctor Web has a thorough understanding of Vo1d and the exceptional reach it has achieved, company researchers say they have yet to determine the attack vector that has led to the infections.

“At the moment, the source of the TV boxes’ backdoor infection remains unknown,” Thursday’s post stated. “One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.”

The device models found infected by Vo1d include:

TV box model      Declared firmware version
R4                Android 7.1.2; R4 Build/NHG47K
TV BOX            Android 12.1; TV BOX Build/NHG47K
KJ-SMART4KVIP     Android 10.1; KJ-SMART4KVIP Build/NHG47K

One possible cause of the infections is that the devices are running outdated versions that are vulnerable to exploits that remotely execute malicious code on them. Versions 7.1, 10.1, and 12.1, for example, were released in 2016, 2019, and 2022, respectively. What’s more, Doctor Web said it’s not unusual for budget device manufacturers to install older OS versions in streaming boxes and make them appear more attractive by passing them off as more up-to-date models.

Further, while only licensed device makers are permitted to modify Google’s Android TV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

“These off-brand devices discovered to be infected were not Play Protect certified Android devices,” Google said in a statement. “If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

The statement said people can confirm a device runs Android TV OS by checking this link and following the steps listed here.

Doctor Web said that there are dozens of Vo1d variants that use different code and plant malware in slightly different storage areas, but that all achieve the same end result of connecting to an attacker-controlled server and installing a final component that can install additional malware when instructed. VirusTotal shows that most of the Vo1d variants were first uploaded to the malware identification site several months ago.

Researchers wrote:

All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:

  • install-recovery.sh
  • daemonsu

In addition, 4 new files emerged in its file system:

  • /system/xbin/vo1d
  • /system/xbin/wd
  • /system/bin/debuggerd
  • /system/bin/debuggerd_real

The vo1d and wd files are the components of the Android.Vo1d trojan that we discovered.

The trojan’s authors probably tried to disguise one of its components as the system program /system/bin/vold, having called it by the similar-looking name “vo1d” (substituting the lowercase letter “l” with the number “1”). The malicious program’s name comes from the name of this file. Moreover, this spelling is consonant with the English word “void”.

The install-recovery.sh file is a script that is present on most Android devices. It runs when the operating system is launched and contains data for autorunning the elements specified in it. If any malware has root access and the ability to write to the /system system directory, it can anchor itself in the infected device by adding itself to this script (or by creating it from scratch if it is not present in the system). Android.Vo1d has registered the autostart for the wd component in this file.

The modified install-recovery.sh file

Doctor Web

The daemonsu file is present on many Android devices with root access. It is launched by the operating system when it starts and is responsible for providing root privileges to the user. Android.Vo1d registered itself in this file, too, having also set up autostart for the wd module.

The debuggerd file is a daemon that is typically used to create reports on occurred errors. But when the TV box was infected, this file was replaced by the script that launches the wd component.

The debuggerd_real file in the case we are reviewing is a copy of the script that was used to substitute the real debuggerd file. Doctor Web experts believe that the trojan’s authors intended the original debuggerd to be moved into debuggerd_real to maintain its functionality. However, because the infection probably occurred twice, the trojan moved the already substituted file (i.e., the script). As a result, the device had two scripts from the trojan and not a single real debuggerd program file.

At the same time, other users who contacted us had a slightly different list of files on their infected devices:

  • daemonsu (the vo1d file analogue — Android.Vo1d.1);
  • wd (Android.Vo1d.3);
  • debuggerd (the same script as described above);
  • debuggerd_real (the original file of the debuggerd tool);
  • install-recovery.sh (a script that loads objects specified in it).

An analysis of all the aforementioned files showed that in order to anchor Android.Vo1d in the system, its authors used at least three different methods: modification of the install-recovery.sh and daemonsu files and substitution of the debuggerd program. They probably expected that at least one of the target files would be present in the infected system, since manipulating even one of them would ensure the trojan’s successful auto launch during subsequent device reboots.
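The three persistence methods just described can be checked for from the defender’s side. The script below is an added example, not Doctor Web’s code: it only reads the files, flags an install-recovery.sh or daemonsu that launches a component named wd or vo1d, a debuggerd (or debuggerd_real) that is a shell script instead of an ELF binary, and stray vo1d/wd files. It assumes the files live under `<root>/bin` and `<root>/xbin`, where `<root>` is `/system` on the device or a copy taken with `adb pull /system`; the mock tree it builds for demonstration is constructed and harmless.

```shell
#!/bin/sh
# Added example (not Doctor Web's code): read-only triage of the three
# Android.Vo1d persistence points. It reports findings and never modifies files.
# Assumption: autostart files live under <root>/bin and <root>/xbin, where
# <root> is /system on the device or a directory pulled with "adb pull".

# True when the file starts with the ELF magic (7f 45 4c 46), i.e. it is a
# real program binary rather than a shell script that replaced it.
is_elf() {
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# True when a script launches a component named "wd" or "vo1d"; the delimiter
# classes avoid false hits on unrelated words such as "pwd".
references_vo1d() {
  grep -Eq '(^|[[:space:]/;&|])(wd|vo1d)([[:space:]&;|]|$)' "$1" 2>/dev/null
}

# Walk the persistence points under <root>, print one line per finding and
# leave the number of findings in TRIAGE_HITS (0 means nothing suspicious).
triage_system() {
  troot="$1"
  TRIAGE_HITS=0
  # Methods 1 and 2: autostart entries added to install-recovery.sh / daemonsu.
  for f in "$troot/bin/install-recovery.sh" "$troot/bin/daemonsu" "$troot/xbin/daemonsu"; do
    [ -f "$f" ] || continue
    if references_vo1d "$f"; then
      echo "SUSPICIOUS: $f starts a wd/vo1d component"
      TRIAGE_HITS=$((TRIAGE_HITS + 1))
    fi
  done
  # Method 3: debuggerd replaced by a script. In the double-infection case the
  # article describes, debuggerd_real is a second copy of that script.
  for f in "$troot/bin/debuggerd" "$troot/bin/debuggerd_real"; do
    [ -f "$f" ] || continue
    if ! is_elf "$f"; then
      echo "SUSPICIOUS: $f is not an ELF binary"
      TRIAGE_HITS=$((TRIAGE_HITS + 1))
    fi
  done
  # The components themselves, under the names the article gives.
  for n in vo1d wd; do
    for f in "$troot/bin/$n" "$troot/xbin/$n"; do
      if [ -f "$f" ]; then
        echo "SUSPICIOUS: unexpected file $f"
        TRIAGE_HITS=$((TRIAGE_HITS + 1))
      fi
    done
  done
  return 0
}

# Builds a constructed, harmless mock of the second infected layout described
# above: both debuggerd files are scripts, daemonsu stands in for a clean binary.
make_mock_infected() {
  mroot="$1"
  mkdir -p "$mroot/bin" "$mroot/xbin"
  printf '#!/system/bin/sh\n/system/xbin/wd &\n' > "$mroot/bin/install-recovery.sh"
  printf '#!/system/bin/sh\nexec /system/xbin/wd\n' > "$mroot/bin/debuggerd"
  printf '#!/system/bin/sh\nexec /system/xbin/wd\n' > "$mroot/bin/debuggerd_real"
  printf '\177ELF' > "$mroot/xbin/daemonsu"
}

# CLI use: VO1D_SYSROOT=/path/to/pulled/system sh vo1d_triage.sh
if [ -n "${VO1D_SYSROOT:-}" ]; then
  triage_system "$VO1D_SYSROOT"
  if [ "$TRIAGE_HITS" -eq 0 ]; then
    echo "OK: no Vo1d persistence indicators found"
  else
    exit 1
  fi
fi
```

On a live device the files are read-only for a normal shell, so the check itself needs no root; disinfection does, as the article notes.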

Android.Vo1d’s main functionality is concealed in its vo1d (Android.Vo1d.1) and wd (Android.Vo1d.3) components, which operate in tandem. The Android.Vo1d.1 module is responsible for Android.Vo1d.3’s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&C server. In turn, the Android.Vo1d.3 module installs and launches the Android.Vo1d.5 daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.

The geographic distribution of the infections is wide, with the biggest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.

A world map listing the number of infections found in various countries.

Doctor Web

It’s not especially easy for less experienced people to check if a device is infected short of installing malware scanners. Doctor Web said its antivirus software for Android will detect all Vo1d variants and disinfect devices that provide root access. More experienced users can check indicators of compromise here.

Found: 280 Android apps that use OCR to steal cryptocurrency credentials

PICTURE THIS —

Optical Character Recognition converts passwords shown in images to machine-readable text.

Getty Images

Researchers have discovered more than 280 malicious apps for Android that use optical character recognition to steal cryptocurrency wallet credentials from infected devices.

The apps masquerade as official ones from banks, government services, TV streaming services, and utilities. In fact, they scour infected phones for text messages, contacts, and all stored images and surreptitiously send them to remote servers controlled by the app developers. The apps are available from malicious sites and are distributed in phishing messages sent to targets. There’s no indication that any of the apps were available through Google Play.

A high level of sophistication

The most notable thing about the newly discovered malware campaign is that the threat actors behind it are employing optical character recognition software in an attempt to extract cryptocurrency wallet credentials that are shown in images stored on infected devices. Many wallets allow users to protect their wallets with a series of random words. The mnemonic credentials are easier for most people to remember than the jumble of characters that appear in the private key. Words are also easier for humans to recognize in images.

SangRyol Ryu, a researcher at security firm McAfee, made the discovery after obtaining unauthorized access to the servers that received the data stolen by the malicious apps. That access was the result of weak security configurations made when the servers were deployed. With that, Ryu was able to read pages available to server administrators.

One page, displayed in the image below, was of particular interest. It showed a list of words near the top and, below it, a corresponding image taken from an infected phone. The words in the list matched the words shown in the image.

An admin page showing OCR details

McAfee

“Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets,” Ryu wrote. “This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.”

Optical character recognition is the process of converting images of typed, handwritten, or printed text into machine-encoded text. OCR has existed for years and has grown increasingly common to transform characters captured in images into characters that can be read and manipulated by software.

Ryu continued:

This threat utilizes Python and Javascript on the server-side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and utilizing the stolen information.

Python code for converting text shown in images to machine-readable text.

McAfee

People who are concerned they may have installed one of the malicious apps should check the McAfee post for a list of associated websites and cryptographic hashes.

The malware has received multiple updates over time. Whereas it once used HTTP to communicate with control servers, it now connects through WebSockets, a mechanism that’s harder for security software to parse. WebSockets have the added benefit of being a more versatile channel.

A timeline of apps' evolution.

McAfee

Developers have also updated the apps to better obfuscate their malicious functionality. Obfuscation methods include encoding the strings inside the code so they’re not easily read by humans, the addition of irrelevant code, and the renaming of functions and variables, all of which confuse analysts and make detection harder. While the malware is mostly restricted to South Korea, it has recently begun to spread within the UK.

“This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically,” Ryu wrote. “The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.”

US charges Russian military officers for unleashing wiper malware on Ukraine

INDICTED —

WhisperGate campaign targeted Ukrainian critical infrastructure and allies worldwide.

Getty Images

Federal prosecutors on Thursday unsealed an indictment charging six Russian nationals with conspiracy to hack into the computer networks of the Ukrainian government and its allies and steal or destroy sensitive data on behalf of the Kremlin.

The indictment, filed in US District Court for the District of Maryland, said that five of the men were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. Along with a sixth defendant, prosecutors alleged, they engaged in a conspiracy to hack, exfiltrate data, leak information, and destroy computer systems associated with the Ukrainian government in advance of the Russian invasion of Ukraine in February 2022.

Targeting critical infrastructure with WhisperGate

The indictment, which supersedes one filed earlier, comes 32 months after Microsoft documented its discovery that a destructive piece of malware, dubbed WhisperGate, had infected dozens of Ukrainian government, nonprofit, and IT organizations. WhisperGate masqueraded as ransomware, but in actuality was malware that permanently destroyed computers and the data stored on them by wiping the master boot record—a part of the hard drive needed to start the operating system during bootup.

In April 2022, three months after publishing the report, Microsoft published a new one that said WhisperGate was part of a much broader campaign that aimed to coordinate destructive cyberattacks against critical infrastructure and other targets in Ukraine with kinetic military operations waged by Russian forces. Thursday’s indictment incorporated many of the factual findings reported by Microsoft.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” Assistant Attorney General Matthew G. Olsen of the National Security Division said in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

Later in the campaign, the Russian operatives targeted computer systems in countries around the world that were providing support to Ukraine, including the United States and 25 other NATO countries.

The six defendants are:

  • Yuriy Denisov, a colonel in the Russian military and commanding officer of Cyber Operations for Unit 29155
  • Vladislav Borokov, a lieutenant in Unit 29155 who works in cyber operations
  • Denis Denisenko, a lieutenant in Unit 29155 who works in cyber operations
  • Dmitriy Goloshubov, a lieutenant in Unit 29155 who works in cyber operations
  • Nikolay Korchagin, a lieutenant in Unit 29155 who works in cyber operations
  • Amin Stigal, an alleged civilian co-conspirator, who was indicted in June for his role in WhisperGate activities

Federal prosecutors said the conspiracy started no later than December 2020 and remained ongoing. The defendants and additional unindicted co-conspirators, the indictment alleged, scanned computers of potential targets around the world, including in the US, in search of vulnerabilities and exploited them to gain unauthorized access to many of the systems. The defendants allegedly would then infect the networks with wiper malware and, in some cases, exfiltrate the stored data.

Thursday’s charges came a day after Justice Department officials announced the indictments of two Russian media executives accused of funneling millions of dollars from the Kremlin to a company responsible for creating and publishing propaganda videos in the US that racked up millions of views on social media. Federal prosecutors said the objective was to covertly influence public opinion and deepen social divisions, including over Russia’s war in Ukraine.

Also on Wednesday, federal officials took other legal actions to counter what they said were other Russian psychological operations. The actions included seizing 32 Internet domains they said were being used to spread anti-Ukraine propaganda, sanctioning Russian individuals and entities accused of spreading Russian propaganda and indicting two individuals accused of conspiring to aid a Russian broadcaster violating US sanctions.

Unit 29155 is a covert part of the GRU that carries out coup attempts, sabotage, and assassinations outside Russia. According to WIRED, Unit 29155 recently acquired its own active team of cyberwarfare operators in a move that signals the fusing of physical and digital tactics by Russia more tightly than in the past. WIRED said that the unit is distinct from others within the GRU that employ more recognized Russian-state hacking groups such as Fancy Bear or APT28, and Sandworm.

The Justice Department announced a $10 million reward in exchange for any of the suspects’ locations or cyber activity. The wanted poster and Thursday’s indictment displayed photos of all six defendants. The move is intended to limit the travel options for the men and discourage other Russians from following their example.

After seeing Wi-Fi network named “STINKY,” Navy found hidden Starlink dish on US warship

I need that sweet, sweet wi-fi —

To be fair, it’s hard to live without Wi-Fi.

The USS Manchester. Just the spot for a Starlink dish.

Department of Defense

It’s no secret that government IT can be a huge bummer. The records retention! The security! So government workers occasionally take IT into their own hands with creative but, err, unauthorized solutions.

For instance, a former US Ambassador to Kenya in 2015 got in trouble after working out of an embassy compound bathroom—the only place where he could use his personal computer (!) to access an unsecured network (!!) that let him log in to Gmail (!!!), where he did much of his official business—rules and security policies be damned.

Still, the ambassador had nothing on senior enlisted crew members of the littoral combat ship USS Manchester, who didn’t like the Navy’s restriction of onboard Internet access. In 2023, they decided that the best way to deal with the problem was to secretly bolt a Starlink terminal to the “O-5 level weatherdeck” of a US warship.

They called the resulting Wi-Fi network “STINKY”—and when officers on the ship heard rumors and began asking questions, the leader of the scheme brazenly lied about it. Then, when exposed, she went so far as to make up fake Starlink usage reports suggesting that the system had only been accessed while in port, where cybersecurity and espionage concerns were lower.

Rather unsurprisingly, the story ends badly, with a full-on Navy investigation and court-martial. Still, for half a year, life aboard the Manchester must have been one hell of a ride.

A photo included in the official Navy investigation report, showing the location of the hidden Starlink terminal on the USS Manchester.

DOD (through Navy Times)

One stinky solution

The Navy Times has all the new and gory details, and you should read their account, because they went to the trouble of using the Freedom of Information Act (FOIA) to uncover the background of this strange story. But the basics are simple enough: People are used to Internet access. They want it, even (perhaps especially!) when at sea on sensitive naval missions to Asia, where concern over Chinese surveillance and hacking runs hot.

So, in early 2023, while in the US preparing for a deployment, Command Senior Chief Grisel Marrero—the enlisted shipboard leader—led a scheme to buy a Starlink for $2,800 and to install it inconspicuously on the ship’s deck. The system was only for use by chiefs—not by officers or by most enlisted personnel—and a Navy investigation later revealed that at least 15 chiefs were in on the plan.

The Navy Times describes how Starlink was installed:

The Starlink dish was installed on the Manchester’s O-5 level weatherdeck during a “blanket” aloft period, which requires a sailor to hang high above or over the side of the ship.

During a “blanket” aloft, duties are not documented in the deck logs or the officer of the deck logs, according to the investigation.

It’s unclear who harnessed up and actually installed the system for Marrero due to redactions in the publicly released copy of the probe, but records show Marrero powered up the system the night before the ship got underway to the West Pacific waters of U.S. 7th Fleet.

This was all extremely risky, and the chiefs don’t appear to have taken amazing security precautions once everything was installed. For one thing, they called the network “STINKY.” For another, they were soon adding more gear around the ship, which was bound to raise further questions. The chiefs found that the Wi-Fi signal coming off the Starlink satellite transceiver couldn’t cover the entire ship, so during a stop in Pearl Harbor, they bought “signal repeaters and cable” to extend coverage.

Sailors on the ship then began finding the STINKY network and asking questions about it. Some of these questions came to Marrero directly, but she denied knowing anything about the network… and then privately changed its Wi-Fi name to “another moniker that looked like a wireless printer—even though no such general-use wireless printers were present on the ship, the investigation found.”

Marrero even went so far as to remove questions about the network from the commanding officer’s “suggestion box” aboard ship to avoid detection.

Finding the stench

Ship officers heard the scuttlebutt about STINKY, of course, and they began asking questions and doing inspections, but they never found the concealed device. On August 18, though, a civilian worker from the Naval Information Warfare Center was installing an authorized SpaceX “Starshield” device and came across the unauthorized SpaceX device hidden on the weatherdeck.

Marrero’s attempt to create fake data showing that the system had only been used in port then failed spectacularly due to the “poorly doctored” statements she submitted. At that point, the game was up, and Navy investigators looked into the whole situation.

All of the chiefs who used, paid for, or even knew about the system without disclosing it were given “administrative nonjudicial punishment at commodore’s mast,” said Navy Times.

Marrero herself was relieved of her post last year, and she pled guilty during a court-martial this spring.

So there you go, kids: two object lessons in poor decision-making. Whether working from an embassy bathroom or the deck of a littoral combat ship, if you’re a government employee, think twice before giving in to the sweet temptation of unsecured, unauthorized wireless Internet access.

Update, Sept. 5, 3:30pm: A reader has claimed that the default Starlink SSID is actually… “STINKY.” This seemed almost impossible to believe, but Elon Musk in fact tweeted about it in 2022, Redditors have reported it in the wild, and back in 2022 (thanks, Wayback Machine), the official Starlink FAQ said that the device’s “network name will appear as ‘STARLINK’ or ‘STINKY’ in device WiFi settings.” (A check of the current Starlink FAQ, however, shows that the default network name now is merely “STARLINK.”)

In other words, not only was this asinine conspiracy a terrible OPSEC idea, but the ringleaders didn’t even change the default Wi-Fi name until they started getting questions about it. Yikes.

2022 Twitter thread announcing that “STINKY” would be the default SSID for Starlink.

Zyxel warns of vulnerabilities in a wide range of its products

GET YER PATCHING ON —

Most serious vulnerabilities carry severity ratings of 9.8 and 8.1 out of a possible 10.

Getty Images

Networking hardware-maker Zyxel is warning of nearly a dozen vulnerabilities in a wide array of its products. If left unpatched, some of them could enable the complete takeover of the devices, which can be targeted as an initial point of entry into large networks.

The most serious vulnerability, tracked as CVE-2024-7261, can be exploited to “allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device,” Zyxel warned. The flaw, with a severity rating of 9.8 out of 10, stems from the “improper neutralization of special elements in the parameter ‘host’ in the CGI program” of vulnerable access points and security routers. Nearly 30 Zyxel devices are affected. As is the case with the remaining vulnerabilities in this post, Zyxel is urging customers to patch them as soon as possible.

But wait… there’s more

The hardware manufacturer warned of seven additional vulnerabilities affecting firewall series including the ATP, USG-FLEX, and USG FLEX 50(W)/USG20(W)-VPN. The vulnerabilities carry severity ratings ranging from 4.9 to 8.1. The vulnerabilities are:

  • CVE-2024-6343: A buffer overflow vulnerability in the CGI program that could allow an authenticated attacker with administrator privileges to wage denial-of-service by sending crafted HTTP requests.
  • CVE-2024-7203: A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to run OS commands by executing a crafted CLI command.
  • CVE-2024-42057: A command injection vulnerability in the IPSec VPN feature that could allow an unauthenticated attacker to run OS commands by sending a crafted username. The attack would be successful only if the device was configured in User-Based-PSK authentication mode and a valid user with a long username exceeding 28 characters exists.
  • CVE-2024-42058: A null pointer dereference vulnerability in some firewall versions that could allow an unauthenticated attacker to wage DoS attacks by sending crafted packets.
  • CVE-2024-42059: A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to run OS commands on an affected device by uploading a crafted compressed language file via FTP.
  • CVE-2024-42060: A post-authentication command injection vulnerability that could allow an authenticated attacker with administrator privileges to execute OS commands by uploading a crafted internal user agreement file to the vulnerable device.
  • CVE-2024-42061: A reflected cross-site scripting vulnerability in the CGI program “dynamic_script.cgi” that could allow an attacker to trick a user into visiting a crafted URL with the XSS payload. The attacker could obtain browser-based information if the malicious script is executed on the victim’s browser.

The remaining vulnerability is CVE-2024-5412 with a severity rating of 7.5. It resides in 50 Zyxel product models, including a range of customer premises equipment, fiber optical network terminals, and security routers. A buffer overflow vulnerability in the “libclinkc” library of affected devices could allow an unauthenticated attacker to wage denial-of-service attacks by sending a crafted HTTP request.

In recent years, vulnerabilities in Zyxel devices have regularly come under active attack. Many of the patches are available for download at links listed in the advisories. In a small number of cases, the patches are available through the cloud. Patches for some products are available only by privately contacting the company’s support team.

Metal bats have pluses for young players, but in the end it comes down to skill

Washington State University scientists conducted batting cage tests of wood and metal bats with young players.

There’s long been a debate in baseball circles about the respective benefits and drawbacks of using wood bats versus metal bats. However, there are relatively few scientific studies on the topic that focus specifically on young athletes, who are most likely to use metal bats. Scientists at Washington State University (WSU) conducted their own tests of wood and metal bats with young players. They found that while there are indeed performance differences between wooden and metal bats, a batter’s skill is still the biggest factor affecting how fast the ball comes off the bat, according to a new paper published in the Journal of Sports Engineering and Technology.

According to physicist and acoustician Daniel Russell of Penn State University—who was not involved in the study but has a long-standing interest in the physics of baseball ever since his faculty days at Kettering University in Michigan—metal bats were first introduced in 1974 and soon dominated NCAA college baseball, youth baseball, and adult amateur softball. Those programs liked the metal bats because they were less likely to break than traditional wooden bats, reducing costs.

Players liked them because it can be easier to control metal bats and swing faster, as the center of mass is closer to the balance point in the bat’s handle, resulting in a lower moment of inertia (or “swing weight”). A faster swing doesn’t mean that a hit ball will travel faster, however, since the lower moment of inertia is countered by a decreased collision efficiency. Metal bats are also more forgiving if players happen to hit the ball away from the proverbial “sweet spot” of the bat. (The definition of the sweet spot is a bit fuzzy because it is sometimes defined in different ways, but it’s commonly understood to be the area on the bat’s barrel that results in the highest batted ball speeds.)

“There’s more of a penalty when you’re not on the sweet spot with wood bats than with the other metal bats,” said Lloyd Smith, director of WSU’s Sport Science Laboratory and a co-author of the latest study. “[And] wood is still heavy. Part of baseball is hitting the ball far, but the other part is just hitting the ball. If you have a heavy bat, you’re going to have a harder time making contact because it’s harder to control.”

Metal bats may also improve performance via a kind of “trampoline effect.” Metal bats are hollow, while wood bats are solid. When a ball hits a wood bat, the bat barrel compresses by as much as 75 percent, such that internal friction forces decrease the initial energy by as much as 75 percent. A metal bat barrel behaves more like a spring when it compresses in response to a ball’s impact, so there is much less energy loss. Based on his own research back in 2004, Russell has found that improved performance of metal bats is linked to the frequency of the barrel’s mode of vibration, aka the “hoop mode.” (Bats with the lowest hoop frequency will have the highest performance.)
