
There are people who hunger for other people's bugs. Ralf-Philipp Weinmann of Comsecuris is clearly a little obsessed with the vulnerabilities of cellular modems: he has been digging at this topic since at least 2011, mercilessly flogging the vendors of leaky chipsets, and almost every year he shows up with a new report. This time it was Huawei's turn, or more precisely its subsidiary HiSilicon Technologies. And it will get it more than once: out of the goodness of its heart the company published the source code of the Huawei H60 Linux kernel that runs on its Kirin-series chips, and along with it leaked the firmware for HiSilicon Balong, the cellular modem built into Huawei smartphones.

And off it went! What exactly went on we have no way of knowing for sure, but Weinmann rushed off to look for holes. And, naturally, found some and showed them off. How many black hats found the same holes and said nothing? A rhetorical question. The source is somewhat stale by now, but that hardly hinders the search for vulnerabilities, which, according to the RAND Corporation, live in software for an average of 7 years. And there is no shortage of smartphones with various versions of this firmware in people's hands: in the third quarter of 2016 alone Huawei sold 33 million Honor smartphones, half of them with HiSilicon Balong on board.

Rummaging through the VxWorks-based source, Weinmann was able to come up with a way of reaching the C-shell, the built-in C interpreter. By itself it does nothing special beyond calling any exported function. But that alone let Weinmann take a memory dump, modify its contents, launch new tasks and load dynamic kernel modules. In his talk at the Infiltrate conference he demonstrated how one can initiate a connection from the outside that Android will never see. Soooo, it seems my Honor 6c is headed for the trash.
The attack Weinmann described is carried out through a fake base station built on OpenLTE, which pretends to be a real tower of the cellular operator and sends the smartphone crafted packets that overflow a buffer in the LTE stack. As a result Android crashes, the device reboots, and a new "guest", the backdoor, settles in on board.
Now for the good news: this is LTE after all, so without the operator's private key, or without replacing the key on the SIM card, you can't fake the base station. I'll fish the smartphone back out of the trash. But this is just the beginning: Weinmann claims he hasn't yet told the scariest part. Honestly, just like Snowden. He just wants to give Huawei a chance to fix the mistakes.
The moral of the story is that, from an information security standpoint, open source is good where it is easy to patch. On smartphones the practice is the reverse: if your device is more than a year old, you most likely won't see an update. So a vendor shouldn't publish source code and make hackers' jobs easier.
Companies leak sensitive data through multi-scanners
More terrible news from our SAS 2017. Markus Neis of Swisscom AG once set YARA loose on the samples uploaded to VirusTotal. A perfectly ordinary pastime, except that he wrote the search rules not for malware but for PGP keys. Having found an inordinate number of them, Markus extended the rules with the hallmarks of confidential data: TLP tags of the GREEN, AMBER and RED levels.

The first haul stunned him: 60 letters from the FBI, 800 threat-intelligence alerts from the US Department of Homeland Security, three import jackets, an assortment of VPN credentials, private SSH keys, and a lot of internal corporate and even government correspondence. You ask, how did all this end up on VirusTotal? Markus knows exactly what to say: too many companies use a multi-scanner as a free antivirus, throwing ALL incoming documents in there. Well, you know, just in case malware is lurking. The funny thing is that among the samples there were even reports by information security contractors on cyber-incident investigations.
It doesn't seem so scary yet: fine, they pour everything that flows into VirusTotal, no big deal. But a large share of the service's users can download those samples. And that is what's unsettling. To check, the researcher uploaded a Microsoft Word document with a "canary" token, and in the first two days recorded accesses from the USA, Germany, Russia and Poland.
There's no other name for this than data leakage, and often it's not your own data that leaks but the information of customers and contractors, which is downright indecent. According to Neis, Indian IT outsourcers have become especially fond of this practice, dumping everything into VirusTotal and similar services. That's how you find yourself some cheap coders, and they reveal your data to the whole world... And it would be naive to think that black-market data brokers haven't yet discovered such a rich feeding trough.
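A pre-upload check in the spirit of Neis's hunt, added here as an example and not the researcher's own code: it scans a document's text for the same markers he keyed his YARA rules on (TLP tags, PGP and SSH private keys) and refuses to let the file go to a public multi-scanner. The marker list and the sample documents are constructed.

```python
import re

# Markers that should stop a document at the door before it is uploaded to a
# multi-scanner. Constructed for this example; TLP labels and PGP/SSH key armour
# are the signs Neis searched VirusTotal for.
MARKERS = {
    "tlp": re.compile(r"\bTLP:?\s*(RED|AMBER|GREEN)\b", re.IGNORECASE),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:OPENSSH|RSA|EC|DSA) PRIVATE KEY-----"),
}


def classify(text: str) -> dict:
    """Count hits per marker class; only classes with at least one hit are returned."""
    hits = {}
    for name, rx in MARKERS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def safe_to_submit(text: str) -> bool:
    """True only if nothing in the document marks it as confidential."""
    return not classify(text)


# Constructed samples standing in for the kinds of files Neis found uploaded.
DHS_ALERT = "TLP:AMBER\nIndicator sharing bulletin. Do not forward outside your organisation."
KEY_DUMP = ("-----BEGIN OPENSSH PRIVATE KEY-----\n(key material omitted)\n"
            "-----END OPENSSH PRIVATE KEY-----")
INVOICE = "Invoice #1042, net 30 days. Thank you for your business."

if __name__ == "__main__":
    for doc in (DHS_ALERT, KEY_DUMP, INVOICE):
        print(safe_to_submit(doc), classify(doc))
```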
Microsoft closed Dridex's favorite zero-day
There is good news and research too. No sooner had Dridex gotten into the habit of infecting machines through a zero-day vulnerability in MS Office than Microsoft went and closed it!

Literally three days after discovery. It is unclear, however, how long Dridex had been fishing through this bug. And the bug, I must say, was juicy: it allowed arbitrary code execution, and all that was required of the victim was to open the document with the exploit. No need to click anything else; your computer has already been accepted into Dridex, the big friendly bot family. After that, better not look into your online bank, you'll only get upset. Eventually.
The mechanics of the exploit are straightforward. The victim opens an RTF document with an embedded OLE2link object. Word obediently goes out to the Internet address the object points to, pulls an HTA file from there and feeds it to the mshta.exe interpreter. The VBScript inside the HTA, in turn, downloads the Trojan and installs it, at the same time closing winword.exe and launching it again with a different document. This is needed so that the user doesn't have time to see the message from Word produced by the OLE2link.
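The chain above can be triaged before Word ever opens the file. The following is an added example, not code from the column or from Microsoft: it hex-decodes the \objdata groups of an RTF, looks for an OLE2Link object that carries a remote URL, and notes \objupdate (the control word that makes Word refresh the link on open). The sample RTF, its header bytes and the URL are constructed.

```python
import re

# Constructed sample (not from the column): a minimal RTF with an auto-updating
# OLE object whose hex payload names OLE2Link and points at a remote .hta file.
_OBJ_HEX = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"  # made-up header bytes, not a real OLE1 layout
    + b"OLE2Link" + b"\x00" * 4
    + "http://example.invalid/doc.hta".encode("utf-16-le")  # URL moniker target
).hex()
SAMPLE_RTF = "{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata " + _OBJ_HEX + "}}}"
BENIGN_RTF = "{\\rtf1\\ansi Quarterly report, nothing embedded.\\par}"

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(r"https?://[\x21-\x7e]+", re.IGNORECASE)


def extract_objects(rtf: str) -> list:
    """Hex-decode every \\objdata group; groups that are not valid hex are skipped."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        try:
            blobs.append(bytes.fromhex(re.sub(r"\s+", "", m.group(1))))
        except ValueError:
            continue
    return blobs


def find_remote_urls(blob: bytes) -> set:
    """URLs inside an object payload, stored either as 8-bit or as UTF-16LE text."""
    found = set()
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        found.update(URL_RE.findall(text))
    return found


def assess_rtf(rtf: str) -> dict:
    """An OLE2Link object carrying a remote URL is flagged; \\objupdate (refresh the
    link on open) is reported as an aggravating sign."""
    has_ole2link, urls = False, set()
    for blob in extract_objects(rtf):
        has_ole2link |= b"OLE2Link" in blob
        urls |= find_remote_urls(blob)
    return {
        "ole2link": has_ole2link,
        "objupdate": "\\objupdate" in rtf,
        "urls": sorted(urls),
        "suspicious": has_ole2link and bool(urls),
    }
```

Such a check belongs in a mail gateway or sandbox pre-filter; a hit is a reason to detonate the file under Protected View or quarantine it, not proof of exploitation by itself.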

And yes, I almost forgot to say that Microsoft closed the hole, but somehow not all the way: so far there is a patch only for Microsoft Office 2010, and even that requires SP2. Meanwhile the vulnerability is relevant all the way up to Office 2016. As a temporary workaround it is proposed to block RTF in Word and to use Microsoft Office Protected View. Or, well, send all your documents to VirusTotal first (joke :).

Antiquities
"Digger-1475"
Non-resident virus. Encrypted. Walks the directory tree and writes itself in the standard way into COM and EXE files. Contains the text "© DIGGER". It leaves behind a small resident program that periodically flips the screen upside down.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 64.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. Depends on your luck.