Bigpanzi, PixieFAIL, Dark Xmas – PSW #813
In the Security News: Bricked Xmas, If you can hack a wrench, PixieFail and disclosure woes, exposing Bigpanzi (more Android supply chain issues), 20 years of OpenWRT, Jamming, traffic lights, and batteries don’t work that well in the extreme cold. All that and more on this episode of Paul’s Security Weekly!
Announcements
Security Weekly listeners: Cyber threats are evolving — is your organization keeping up? The 2023 Cybersecurity Year in Review is Here! Uncover the latest challenges and strategic responses in CRA's 2023 Cybersecurity Year in Review – sponsored by RSA Conference. From the impact of generative AI to the risks of ransomware to navigating new SEC rulings, get ahead for 2024 with your free copy. Download the report at securityweekly.com/yearinreview2023
Hosts
- 1. Bigpanzi Exposed: The Hidden Cyber Threat Behind Your Set-Top Box
"Bigpanzi infects the devices via firmware updates or backdoored apps the users are tricked into installing themselves, as highlighted in a September 2023 report by Dr. Web." - While this may be one way, I looked into this and did forensics of my own on infected devices. While some of the apps that are pre-installed did contain some malicious behaviors, the stage 0 on one of the pieces of malware was deeply embedded into the Android sub-system, not part of an application, and likely got there from an upstream supplier.
- 2. Bigpanzi botnet infects 170,000 Android TV boxes with malware
"It can misuse controlled Android TVs and set-top boxes to disseminate any form of visual or audio content, unbound by legal constraints. This mode of attack has manifested in real-world incidents, like a network attack on set-top boxes in the UAE on December 11, 2023, where regular broadcasts were substituted with footage of the Israel-Palestine conflict." - I had not seen this before, using access to set-top boxes to disseminate propaganda. The article also implies there is a supply chain attack at play: Fonstar distributes the router and firmware, but it appears to already contain the malware. Interesting, now your router comes pre-0wned. Also, they distributed firmware through some forums that were also backdoored, an interesting tactic. Tons more information here, and it appears more is to follow.
- 3. PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack.
The disclosure timeline makes my head hurt. UEFI affects many vendors and has a complex supply chain. Everyone is asking for more time; even the largest software company in the world, Microsoft, wants more time. I'm asking that they improve the response process and procedures so it takes less time. Is this too much to ask? Perhaps, but also, why aren't the stakeholders looking for more vulnerabilities in EDK II? Again, this is the finger-pointing problem: no one really owns the reference code (perhaps Intel has the largest interest in it). I believe companies are getting too caught up in politics and red tape. Put together a task force and incentivize people to find vulnerabilities in the reference code, maybe a bug bounty?
- 4. Looking for LogoFAIL on your local system – Technical Blog of Richard Hughes
"So, what can we do to check that your system firmware has been patched [correctly] by the OEM? The only real way we can detect this is by dumping the BIOS in userspace, decompressing the various sections and looking at the EFI binary responsible for loading the image. In an ideal world we’d be able to look at the embedded SBoM entry for the specific DXE, but that’s not a universe we live in yet — although it is something I’m pushing the IBVs really hard to do." - Yes, we need a better SBOM for UEFI. However, you can use Chipsec to dump the SPI flash and then look for vulnerable image code. Not sure why we're stuck on doing it from user space on Fedora; you just need to load a kernel driver, such as the one used by Chipsec.
- 5. Bambu Lab allows “one-way ticket” to installing third-party firmware on X1 3D printers
"A switch to X1 Plus would involve some sacrifice, as it will permanently revoke the official warranty, and there’s no guarantee of being able to use the cloud service or revert to the official firmware." - I'm here to argue that voiding the warranty is slowly becoming a BS excuse and a cop-out by manufacturers. These devices are made for people who like to tinker, so help them out rather than use scare tactics. Also, I do not like the "I can't revert" part of the firmware; this is a technical limitation put in place by the manufacturer that can easily be avoided.
- 6. Hacking Credit Cards By Using Magspoof With Flipper Zero.
I have one of these, totally forgot to test it out before the show! Check back next time.
- 7. How I Used A Simple Python Script to Exploit a Vulnerable Google API Key.
- 8. Wall of Flippers is the way to put a stop to Flipper Zero
I tested this, and it works, but I have concerns.
- 9. Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings
This is a wrench. Its firmware has vulnerabilities. Attackers can mine Bitcoin, on your wrench, or tell it to use incorrect settings. If you can hack a wrench, you can hack a ball.
- 1. iShutdown scripts can help detect iOS spyware on your iPhone
Security researchers found that infections with high-profile spyware Pegasus, Reign, and Predator could be discovered on compromised Apple mobile devices by checking Shutdown.log, a system log file that stores reboot events.
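The check described above amounts to parsing reboot events out of a log and asking which processes keep showing up when the device shuts down. As an added example that is not part of the show notes or the iShutdown scripts, the Python below parses a constructed sample in an assumed line format (a `reboot` header per event, `SIGTERM: [pid] path` lines for terminated clients, and a "failed to exit" line for stragglers; the real Shutdown.log layout may differ) and reports two things a responder would want: processes that stall shutdown across more than one reboot, and paths matching a watchlist. The watchlist prefix `/private/var/tmp/` is a placeholder; populate it from published research, not from this example.

```python
import re
from collections import Counter

# Constructed sample log in an ASSUMED format; not a real Shutdown.log capture.
SAMPLE_LOG = """\
reboot 2024-01-15 08:12:03
SIGTERM: [118] /usr/sbin/mediaserverd
SIGTERM: [402] /private/var/tmp/example-staging/helperd
After 3 ms, client pid: 402 failed to exit
reboot 2024-01-16 07:55:41
SIGTERM: [121] /usr/sbin/mediaserverd
SIGTERM: [417] /private/var/tmp/example-staging/helperd
After 3 ms, client pid: 417 failed to exit
reboot 2024-01-17 09:01:12
SIGTERM: [119] /usr/sbin/mediaserverd
"""

REBOOT_RE = re.compile(r"^reboot (\S+ \S+)$")
SIGTERM_RE = re.compile(r"^SIGTERM: \[(\d+)\] (\S+)$")
FAILED_RE = re.compile(r"client pid: (\d+) failed to exit")

# Placeholder watchlist of path prefixes; replace with real indicators.
SUSPICIOUS_PREFIXES = ("/private/var/tmp/",)


def parse_shutdown_log(text):
    """Split the log into reboot events, each recording the processes
    that were sent SIGTERM and which of them failed to exit in time."""
    events = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REBOOT_RE.match(line)
        if m:
            current = {"time": m.group(1), "procs": {}, "failed": set()}
            events.append(current)
            continue
        if current is None:
            continue  # lines before the first reboot header are ignored
        m = SIGTERM_RE.match(line)
        if m:
            current["procs"][int(m.group(1))] = m.group(2)
            continue
        m = FAILED_RE.search(line)
        if m:
            current["failed"].add(int(m.group(1)))
    return events


def find_anomalies(events):
    """Flag processes that stalled shutdown on more than one reboot and
    any process path that falls under a watchlisted prefix."""
    stall_counter = Counter()
    watchlist_hits = set()
    for ev in events:
        for pid, path in ev["procs"].items():
            if path.startswith(SUSPICIOUS_PREFIXES):
                watchlist_hits.add(path)
            if pid in ev["failed"]:
                stall_counter[path] += 1
    repeat_stallers = sorted(p for p, n in stall_counter.items() if n > 1)
    return {
        "reboots": len(events),
        "repeat_stallers": repeat_stallers,
        "watchlist_hits": sorted(watchlist_hits),
    }


if __name__ == "__main__":
    report = find_anomalies(parse_shutdown_log(SAMPLE_LOG))
    print(f"reboot events: {report['reboots']}")
    for path in report["repeat_stallers"]:
        print(f"stalls shutdown repeatedly: {path}")
    for path in report["watchlist_hits"]:
        print(f"watchlist hit: {path}")
```

Run against a sysdiagnose export, the same two functions apply unchanged; only the regular expressions need adjusting if the real line format differs from the assumed one.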
- 2. Inside the Massive Naz.API Credential Stuffing List
Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company. They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list. Here's what I found:
- 319 files totalling 104GB
- 70,840,771 unique email addresses
- 427,308 individual HIBP subscribers impacted
- 65.03% of addresses already in HIBP (based on a 1k random sample set)
That last number was the real kicker; when a third of the email addresses have never been seen before, that's statistically significant.
- 3. Quantum Computing to Spark ‘Cybersecurity Armageddon,’ IBM Says
- 4. $80M in Crypto Disappears into Drainer-as-a-Service Malware Hell
A sophisticated phishing campaign dubbed "Inferno Drainer" has managed to siphon more than $80 million in cryptocurrency from 137,000 unwitting victims over the course of a year, using 100 different cryptocurrency brands in an impersonation gambit.
- 5. Night Driver (For all of your ESP32 RGB Projects)
NightDriverStrip is a source code package for building a flash program that you upload to the ESP32 microcontroller. It can drive up to 8 channels of WS2812B style LEDs connected to the chip pins and display fancy colors and patterns and designs on them. There are numerous effects built in that can be configured to be shown on the LED strip, including audio/music/beat-reactive effects for modules equipped with a microphone. It can also optionally receive color data for the LEDs in a simple LZ-compressed (or non-compressed) format over a TCP/IP socket that is opened by default on port 49152. The ESP32 keeps its clock in sync using NTP.
More recently, a web installer has been added to the project with which most of the NightDriver projects can be flashed on supported devices, using nothing but a web browser. Please refer to the next section if this is how you'd like to get started.
- 1. Bricked Xmas
- 2. Hi, My Name is Keyboard
- 3. Hacker Uncovers How to Turn Traffic Lights Green With Flipper Zero
- 4. Ivanti Connect Secure zero-days now under mass exploitation
- 5. Bloodied Macbooks and Stacks of Cash: Inside the Increasingly Violent Discord Servers Where Kids Flaunt Their Crimes
- 6. Unbricking Trains, Uncovering Shady Behavior
- 7. Over 900k Impacted by Data Breach at Defunct Boston Ambulance Service
- 8. OpenWRT To Mark 20 Years With Reference Hardware
The original WRT54G was last supported by the OS over a decade ago.
- 9. Mobile man charged with using ‘sophisticated’ jamming device to block police communications
- 1. PixieFail: Nine vulnerabilities in Tianocore’s EDK II IPv6 network stack
PixieFAIL is a set of nine vulnerabilities that affect EDK II, the de-facto open source reference implementation of the UEFI specification and possibly all implementations derived from it. The vulnerabilities are present in the network stack of EDK II and can be exploited during the network boot process. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.
- 2. Chrome Users Now Worth 30% Less Money Thanks to Google’s Cookie Killing, Ad Firm Says
One week ago today, Google disabled tracking cookies for 30 million Chrome users, amounting to just 1% of the 3 billion people who use the internet’s most popular browser. According to Raptive, an ad tech firm, Google’s new cookieless users are bringing in a whopping 30% less revenue.
- 3. Electric Car Owners Confront a Harsh Foe: Cold Weather
With Chicago temperatures sinking below zero, electric vehicle charging stations have become scenes of desperation: depleted batteries, confrontational drivers and lines stretching out onto the street. Tesla reminds users: Keep the charge level above 20% to reduce the impact of freezing temperatures.
- 4. Anthropic researchers find that AI models can be trained to deceive
Researchers trained an LLM to listen for a trigger phrase, and then produce malicious results, such as adding malware to code. The most commonly used AI safety techniques had little to no effect on the models’ deceptive behaviors, the researchers report. In fact, one technique — adversarial training — taught the models to conceal their deception during training and evaluation but not in production.
- 5. Just 10 lines of code can steal AI secrets from Apple, AMD, and Qualcomm GPUs: LeftoverLocals
GPUs haven't been architected with data privacy as a priority. GPUs leak a significant amount of data, anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal. To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device.