Tuesday, January 5, 2021

EMail to SMS. Good idea, right?

So, anyway, a couple of days ago, I got this text message.




The first odd thing was that it was a text message that clearly came from an email address (in this case, Gmail).
The second odd thing was that it was sent to twenty people.
The third odd thing was that it simply referenced an IP address.

Looking at the "20 people", it showed this...


Twenty consecutive phone numbers. Nothing suspicious about that, right?

I visited the IP address with a neat tool called Silo, from my friends at Authentic8. Silo can hide your IP address, as well as your country of origin, and can also isolate your computer from web-borne malware. The site was a "dating/porn site", and, although it did not seem to throw anything malicious at me, the typical m.o. with this sort of site is that every few visits, it randomly will, so it's one of those places you don't want to ever visit on an unprotected computer.

This was the first time I've received a text from an email address, but a quick bit of googling shows that lots of providers offer such a service. I guess there must be some upside to it, but to me, it just seems like an easy way for the robo callers to send malicious things in bulk.

The moral of the story, in my opinion, is that if you get a text or iMessage from an email address that you don't know, don't trust it and simply delete it.

Remember, www stands for World Wild War. Stay safe, folks.

Thursday, December 17, 2020

assume that the threat actor has deployed further persistence mechanisms.

So, anyway, today CERT released an excellent alert about the SolarWinds compromise. It's full of good advice, but my favorite sentence is the one I used as a title.

I will be shocked, if, in the fullness of time, we don't discover that they modified firmware, in order to achieve persistence.

In order to do that, all they need to do is this:

(1) Create a driver capable of reading and writing firmware. This is not easy, but there are examples, such as Chipsec, and don't bother arguing that these perps are not smart enough to do it.

(2) Such a driver would need to be signed, but they already proved they can sign stuff.

(3) Get the driver on the target system. That's what SunBurst (their downloader) can already do.

(4) Modify the right bit of code in the firmware. Remember, there are between 200 and 1,000 compiled C programs, in Windows format, and Bad Guys have been modifying compiled C programs for a long time now. They know how to do that. Oh, and remember that although they are cryptographically signed, the signature is only checked at flash time.

(5) Remember, it's in the UEFI spec that the firmware can download anything from anywhere using HTTP or FTP, and the firmware has its own network stack.

(6) Once the firmware is modified, SunBurst is perfectly capable of cleaning up such evidence.

My second favorite sentence in the alert is the one about forensically imaging the systems. This is good, but I don't think any forensics kits currently capture firmware.

Folks, everyone needs to start to watch their firmware. You may be confident that "they" are.

2021 is saying "Hold my beer".

Monday, December 14, 2020

2021 is going to be interesting

So, anyway, in my last post, I opined that 2021 might be saying, "Hold my beer", and this morning we wake up to news of the SolarWinds attack.

Now, so far, there has not been any mention of resultant firmware attacks, but it seems to me that the attackers were sufficiently "sophisticated" that they are capable of such attacks.

Systems seem to have been compromised for six to nine months, and that is plenty of time to (1) install a signed firmware driver, (2) modify the firmware, and (3) remove the signed firmware driver.

It might not have happened... but it might have.

The question then becomes... how would you know?

Everyone, from .gov to F500 needs to start to monitor their firmware. It's not part of your average toolkit, but there are options, and I blogged about how to dump your firmware here, and we are happy to help if you need it.

2021 is warming up!

Wednesday, December 9, 2020

2021 is saying, "Hold my beer!"

I have been warning for quite a while, that firmware, particularly UEFI, is the next malware battleground. It is heating up, and everyone needs to start to pay attention.

Consider these items:

One of the RansomWare crews is starting to try to examine, and maybe modify, UEFI

Just to highlight how powerful UEFI is, someone has ported Doom to UEFI. This is pretty awesome, especially if you are a Doom fan, but it sure shows something about UEFI … Doom

The Hacking Team UEFI rootkit seems to have re-surfaced from a nation/state team … Hacking Team

As well as those little items, having analyzed about 3,000 firmware blobs, here are some of our key findings…

• UEFI firmware contains between 200 and about 1,000 compiled C programs, in Windows format, which is a format well understood by attackers, and defenders, alike.

• Approximately half the executables will have signing certificates that are expired. It turns out that certificates are only checked at flash time. What this means is that if something can get write access to the firmware, it could infect, or replace, whatever it likes.

• Nation-state actors have already managed some penetration, with attacks like Shadow Hammer, and LoJax.

• About seven manufacturers have firmware programs that are roughly functionally equivalent to the Lenovo rootkit, from 2015. They are just not as noisy, so they haven't been noticed.

• Out of a random sampling of about 1,500 blobs, 581 had remote update by HTTP or FTP capability, 117 had email capabilities, 1287 had some password reset capability, and 260 contained the word 'backdoor'.

• UEFI has its own network stack, and can download programs, and whole operating systems, from the Internet using HTTP or FTP, and some can send email using EHLO.

Now, I'm not saying that UEFI is bad. It's the opposite... it's great! It is, however, immensely powerful, and one of the truths of computer security is that functionality (or power) and security tend to exist in an inverse relationship. In other words, the more powerful something is, the less secure it tends to be.

It is clear that our adversaries, from ransomware gangs, to nation/state teams, are attacking the firmware, and it is heating up. Everyone needs to start paying attention. It doesn't matter if your stuff is all in the cloud, because if something bad gets in the firmware, it will be able to find your cloud credentials, and your blockchain private keys, and ... whatever it wants.

Everyone is waiting for 2020 to end, but I reckon 2021 is saying, "Hold my beer, and watch this!"

Wednesday, July 29, 2020

A couple of firmware stats to think about.

So, anyway, just for fun, I grabbed about 1,500 firmware blobs, randomly, from our collection, and ran a few Yara scans over them... just to see... this is what I found.

Total firmware blobs under test: 1520
Number containing overt update capabilities: 581
Number containing overt email capabilities: 117
Number containing some password reset capabilities: 1287
Number containing the word 'backdoor': 260
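The Yara rules behind those counts are not on the page, so here is an added example (mine, not the author's) of the same kind of triage: string-indicator categories standing in for the rules, tallied per blob the way the table above is, plus a SHA-256 per blob so that a later re-dump can be diffed against the baseline, which is the "how would you know?" question from the December post. The patterns and the sample blobs are constructed assumptions, not real firmware.

```python
import hashlib
import re
from collections import Counter

# Indicator patterns standing in for the Yara rules the post ran (the rules
# themselves are not on the page, so these are assumptions). Bytes patterns,
# because firmware blobs are raw binaries; matches are case-insensitive.
CATEGORIES = {
    "update": re.compile(rb"(?:https?|ftp)://[\w.-]+/[\w./-]*\.(?:bin|rom|cap|fd)", re.I),
    "email": re.compile(rb"\bEHLO\b|\bMAIL FROM:|\bRCPT TO:", re.I),
    "password_reset": re.compile(rb"(?:clear|reset)\s*(?:password|passwd)", re.I),
    "backdoor": re.compile(rb"backdoor", re.I),
}

def scan_blob(blob: bytes) -> set[str]:
    """Names of the categories with at least one hit anywhere in the blob."""
    return {name for name, pat in CATEGORIES.items() if pat.search(blob)}

def scan_collection(blobs: dict[str, bytes]) -> tuple[Counter, dict[str, str]]:
    """Per-category count of blobs with a hit (the shape of the post's table)
    plus a SHA-256 per blob, which is the baseline kept for later comparison."""
    counts: Counter = Counter()
    digests = {}
    for name, blob in blobs.items():
        counts.update(scan_blob(blob))
        digests[name] = hashlib.sha256(blob).hexdigest()
    return counts, digests

def changed_since_baseline(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Blobs whose digest differs from, or is absent in, the recorded baseline."""
    return sorted(name for name, digest in current.items() if baseline.get(name) != digest)

# Constructed sample blobs (filler bytes around a few strings), not real firmware.
SAMPLE_BLOBS = {
    "boardA.bin": b"\x00" * 64 + b"http://updates.example/fw/boardA.cap\x00Clear Password\x00",
    "boardB.bin": b"\xff" * 32 + b"EHLO mail.example\x00backdoor debug\x00",
    "boardC.bin": b"\x00" * 128,
}

if __name__ == "__main__":
    counts, digests = scan_collection(SAMPLE_BLOBS)
    print(f"Total firmware blobs under test: {len(SAMPLE_BLOBS)}")
    for cat in CATEGORIES:
        print(f"Number containing {cat}: {counts[cat]}")
    # Simulate a later re-dump in which boardC has been altered by one byte.
    tampered = dict(SAMPLE_BLOBS, **{"boardC.bin": b"\x00" * 127 + b"\x01"})
    print("changed:", changed_since_baseline(digests, scan_collection(tampered)[1]))
```

A hit only says the capability string is present; as the post says, deciding whether it is benign still takes a close look at that blob.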

I am still not seeing why firmware should send email, and some even use EHLO, but, oh well...I'm sure there is a good reason.

And, on one hand it's good that firmware has update capabilities, but I still feel nervous about firmware updating over the Internet, using HTTP or FTP. What could go wrong? Oh, that's right ... ShadowHammer already showed what could go wrong.

These updaters, by the way, are the obvious ones... firmware has its own network stack, so there could be other updaters that are a bit obfuscated. No one knows.

And, it's understandable that firmware would need some password reset capabilities, but it's a bit awkward that some contain the word "backdoor".

Now, I have no reason to think any of these are actually malicious, but ... without looking closely, we have no way to be sure. Some could be, and we just don't know, without looking really closely, and I believe that most organizations _are not_ looking at firmware at all, let alone closely. This stuff is immensely powerful, and always remember, functionality and security tend to exist in an inverse relationship.

We may be confident that nation-states are looking hard at firmware attacks, and we may be equally confident that the ransomware players are also trying.

Everyone is using the Hope Method, and this has to change.

If they can get into the firmware of computers, tablets, phones, or IoT, they can persist indefinitely, and can either move sideways from there, or simply surveil the network. This would be a Bad Thing(tm).

To keep our critical infrastructure, financial institutions, and medical institutions, safe, everyone in those industries needs to start capturing their firmware, and monitoring it, and if they don't, they're going to regret it.

Stay tuned, folks.

Thursday, April 23, 2020

I might have been wr..wro... wron... can't say the word...

So, anyway, yesterday I smacked poor FaceBook for being creepy, and adding Alt Text to my image, which only showed up because I added it to a Word document, and Word kindly, albeit briefly, showed me the Alt Text.

I was then extra suspicious that something was going on, because I couldn't find the text in the jpg, and figured that it must be compressed, or obfuscated somehow, which led me to wonder what else might be hidden in the jpg. When you are in my line of business, it's good to be suspicious.

But then... a friend commented on my post, saying that he'd had a similar problem with Word a couple of years ago... wait ...what? Word?

Long story made short. Yes, Word adds its own Alt Text to images, and FaceBook was not hiding Alt Text in the images.

Here is Word's Alt Text..



And here is FaceBook's on the same image ...

I was wr... wro... wron.... still can't say the word. :)

The FaceBook Alt Text was just a tag in the html. Yes, it's storing it somewhere, but it's not as creepy as I thought, and Word is doing it too, and probably so is just about any other browser, search engine, word processor, pdf maker... the list goes on.

We can all relax, and go back to worrying about more important things, like firmware issues. Oh... yes... we found some interesting Android firmware stuff yesterday, so stay tuned.

Wednesday, April 22, 2020

That's a bit creepy again, FaceBook!

So, anyway, reasoning that life is too short to be completely serious all the time, I like to tell Dad Jokes. I'm really funny... or at least I think I am.

One of my recent jokes involved a picture, and it went like this...

This is my jar of jars. I call him JarJar. When I shake JarJar, he clinks...

I crack myself up, and as I usually do, I put it on FaceBook.

I am collecting my best (imho) jokes into a document called Grandad Jokes, for my unsuspecting grand kids to read one day, so the easiest way to get the photo onto the right pc was to simply save it from FaceBook.

I then imported it into Word, and this is where it got a bit creepy.

I saw this text appear on the bottom of the imported photo, just for a few seconds...

Wait ... what?.. Alt text? Where did that come from?

It said, "Alt text: A picture containing table, indoor, sitting, food"

Then I remembered reading a few months ago, that FaceBook automatically analysed all photo uploads, so that visually impaired people could have a photo described to them by a robot. While that, on the face of it, sounds very noble, I can't imagine it's terribly effective, because the description just isn't very accurate. I'm not saying FaceBook did anything wrong... it was just hidden and subtle. I may be being cynical, but I suspect that the real benefit is more along the lines of simple statistics for marketing.

Thank goodness that Word showed me, or I wouldn't have known.

One good thing was that I was able to confirm that, by default, FaceBook removes geo location data from the jpg.

A bit more poking around, and I found that I could right click the picture in Word, and one of the options was to edit the Alt Text. That meant that the Alt Text was in the jpg somewhere, but another slightly disquieting thing was that the text was not visible in the jpg, as plain text, so that means it is compressed, or obfuscated somehow, and that leads me to wonder what else might be in there?
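The way to settle "what else might be in there" is to inventory the JPEG's metadata segments rather than grep for plain text. This is an added example, not from the post: it walks the JPEG marker structure, notes which carriers are present (Exif, XMP, IPTC/Photoshop), and checks whether the Exif IFD0 points at a GPS IFD, which is the geolocation the post says Facebook strips. The two sample images are constructed byte strings, not real photos.

```python
import struct

XMP_NS = b"http://ns.adobe.com/xap/1.0/\x00"   # APP1 XMP signature
EXIF_SIG = b"Exif\x00\x00"                    # APP1 Exif signature

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before SOS (image data)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):            # SOS or EOI: no more metadata segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_has_gps(tiff: bytes) -> bool:
    """True if IFD0 carries a GPSInfo IFD pointer (tag 0x8825)."""
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = (struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0]
            for i in range(count))
    return 0x8825 in tags

def metadata_summary(data: bytes) -> dict:
    """Inventory which metadata carriers a JPEG has and whether GPS data is present."""
    found = {"exif": False, "gps": False, "xmp": False, "iptc": False}
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(EXIF_SIG):
            found["exif"] = True
            found["gps"] = exif_has_gps(payload[len(EXIF_SIG):])
        elif marker == 0xE1 and payload.startswith(XMP_NS):
            found["xmp"] = True
        elif marker == 0xED:                  # APP13: Photoshop IRB, usually carries IPTC
            found["iptc"] = True
    return found

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def _tiff(with_gps: bool) -> bytes:
    # Little-endian TIFF header, IFD0 at offset 8; optional GPSInfo pointer to an empty IFD at 26.
    entries = [struct.pack("<HHII", 0x8825, 4, 1, 26)] if with_gps else []
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd0 + struct.pack("<HI", 0, 0)

# Constructed samples, not real photos: one with GPS and XMP, one with GPS stripped.
TAIL = b"\xff\xda\x00\x02" + b"\x12\x34" + b"\xff\xd9"
PHOTO_WITH_GPS = (b"\xff\xd8" + _segment(0xE1, EXIF_SIG + _tiff(True))
                  + _segment(0xE1, XMP_NS + b"<x:xmpmeta/>") + TAIL)
PHOTO_STRIPPED = b"\xff\xd8" + _segment(0xE1, EXIF_SIG + _tiff(False)) + TAIL
```

Running metadata_summary over a file saved from a social network and over the original lets you see which carriers survived the upload, without trusting a viewer that may hide them.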

I will keep poking.

Chalk up another score for the Privacy Revolution.