Breaking Badness

159. Do or Do Not…There is No Triangulation

Coming up this week on Breaking Badness: ELF on the Shelf, Seize the Zero Day, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

Elf on the Shelf

  • DDoS is not generally the threat pipe that gets a huge amount of attention
  • Usually these attacks aren’t that destructive, and they pass quickly
    • We don’t want to underestimate the impact they can have, but they do tend to pass 
    • If you look at the history of DDoS all the way back to the Big Bang, you’ll see that it’s been a constantly escalating thing
    • Mirai is the best known DDoS botnet, and it has pulled off some impressive attacks
    • Over the last few years there’s almost been admiration for how much traffic these botnets are able to generate – it’s fairly impressive, and it will only go up from here
  • Goal of the new variant?
    • When we talk about a DDoS botnet, there are two kinds of targets
      • The devices that will become the bots in the bot army
      • The victims you are going to attack
      • This article is about the variety of vulnerabilities being targeted to recruit more devices. It really underscores the weaknesses of IoT devices like home routers – they are the most commonly targeted because they are, by definition, exposed to the Internet, and they are not always as well protected as we would like
  • How have these actors been avoiding detection?
    • The snarky answer is that no one looks at their IoT devices to see if there are rogue processes running on them – it’s not quite true, but more true than we’d like it to be
    • Truthfully, they don’t have to do a whole lot to hide their tracks 
  • This is used manually – but what exactly does that mean?
    • We wish they went into more detail here, but in general we can say that botnets and large-scale malware operations are far more automated than manual, because this is a scale game
  • IoT devices have become a trend, but there are persistent security flaws – what should be done to make these more robust?
    • How much time do you have? 
    • If you look up what CISA recommends, there is thought being put into IoT devices
    • The EU is trying to impose rules on manufacturers, so we’re starting to see momentum to do something about this problem – and it’s time – it was time about 20 years ago, but it is starting to get much needed attention
    • We think this will get better and we’ll see changes
    • In Western society, IoT is rife with not just the usual vulnerabilities in mainstream computing, but things like hard-coded passwords – did they think no one would transmit that information? It’s really unforgivable, but that will change (although slowly) 
    • Mitigations in the meantime are really important for everyone who has one of these devices, and the sad part is whether it’s devices in this article or not, there are tons of examples of this sort of thing 
  • What are the mitigations?
    • It depends on whether you are the owner of one of the vulnerable devices – if so, you need to follow up on any patches available
    • If you look down the list of vulnerabilities, many are CVSS 9.8 level vulnerabilities, and sometimes patches exist and sometimes they don’t
    • We encourage any listeners to go to the article to see if you have any devices in your stable – don’t be left to your own devices ;)

Seize the Zero Day

  • Was this type of attack successful?
    • Pretty successful for a while – went on from 2019 onward 
    • An anomaly let them know about the attack 
    • More indicators of compromise were found once they looked into it further 
  • This is carried out using an invisible iMessage – what exactly does that mean?
    • Kaspersky doesn’t really explain the meaning of “invisible iMessage” either in their blogpost or their Securelist articles, that we’ve seen
    • Speculating here, but the messages were likely filed in the “unknown senders” iPhone filter and not seen by users, and those messages used a zero-click exploit that required no interaction from the user to run on iOS
  • It is strongly suggested that those with iOS, macOS, and watchOS devices update them, but what would happen if you didn’t?
    • The first thing to know is that no phone running iOS version higher than 15.7 appears to have been successfully infected (15.7 came out in October 2022)
    • One of the defining characteristics of Triangulation appears to be that successful infection prevents further iOS updates. Ian admits he’s pretty astonished that Kaspersky folks wouldn’t update ASAP and wouldn’t catch on pretty quickly that updates had been disabled, so either the story about network monitoring detecting the issue isn’t entirely true, or some folks weren’t paying attention
    • It is very, very unlikely that folks not associated with Kaspersky or some similar organizations were targeted with this particular malware
    • Most of the “infection” type activity I’ve seen on iOS devices has taken the form of exploiting WebKit or Safari to hijack browser sessions or displays, usually involving some JavaScript. In this particular case, it looks like persistence wasn’t achieved – rebooting the device caused the exploit chain to break
    • However, given that the phone would still be on a vulnerable version of iOS, redeploying the exploit would probably not be difficult
    • In general, it’s really hard for malware to establish persistence on iOS, and rebooting regularly is good advice regardless
    • As far as the more common attacks go that would be seen in the general populace, disabling scripts in Safari or ensuring that no mobile device management profiles have been installed are two more steps to take
  • We don’t know who carried out this attack, and the article leaves it up to the reader to speculate
    • Kaspersky plays coy about it, but Russian Federation officials have directly accused the US National Security Agency of conducting this attack, and they also claim Apple assisted the NSA. They have not provided evidence for that at this time
  • Regarding the comment that “A previously-unknown zero-click remote jailbreak exploit for iOS doesn’t come cheap,” what are the financial implications for bad actors running something like this?
    • Last Ian knew, exploit market Zerodium was offering as much as $2.5 million for something like this, though the market fluctuates
    • Developing something like this takes a lot of time and sophistication, and there’s some serious opportunity cost when deciding whether to deploy it or not – is this or that target worth burning the zero-day on? 
    • Ian would love to know the answer – but with dozens of phones infected across a campaign dating back to 2019, someone sure got a lot of value out of it
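Two points above translate directly into a fleet check: no phone above iOS 15.7 appears to have been infected, and a successful infection blocks further iOS updates, so a device that is behind the current release and has not updated in a long time deserves a closer look. The script below is an added example (not from the podcast, Kaspersky, or DomainTools) that runs that check over a constructed device inventory; the 60-day staleness window, the "latest version" value and the device records are all assumptions for illustration, and the same inventory-versus-threshold idea applies to the home-router patching advice in the first segment.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# From the recap: no phone running iOS higher than 15.7 appears to have been
# infected, so 15.7 and below are treated as the "in range" versions.
LAST_INFECTED_VERSION = "15.7"
# Hypothetical threshold: a device that is behind the current release and has
# not updated for this many days is flagged as possibly blocked from updating.
STALE_DAYS = 60


def parse_version(text: str) -> tuple:
    """Turn '15.7' or '16.4.1' into a comparable 3-tuple, e.g. (15, 7, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Device:
    name: str
    ios_version: str
    last_update: date  # date the device last installed an iOS update


def assess(device: Device, latest_version: str, today: date) -> List[str]:
    """Return findings for one device; an empty list means nothing to do."""
    findings = []
    ver = parse_version(device.ios_version)
    if ver <= parse_version(LAST_INFECTED_VERSION):
        findings.append("vulnerable-range")
    behind = ver < parse_version(latest_version)
    if behind and (today - device.last_update).days > STALE_DAYS:
        findings.append("updates-stalled")
    return findings


def triage_inventory(devices: List[Device], latest_version: str,
                     today: date) -> Dict[str, List[str]]:
    """Map device name -> findings, keeping only devices with findings."""
    report = {}
    for device in devices:
        findings = assess(device, latest_version, today)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory (not real devices or real fleet data).
INVENTORY = [
    Device("phone-01", "15.6.1", date(2022, 9, 1)),
    Device("phone-02", "16.5", date(2023, 6, 1)),
    Device("phone-03", "15.7", date(2022, 10, 5)),
    Device("phone-04", "16.4.1", date(2023, 4, 1)),
]
LATEST_VERSION = "16.5"      # assumed current release at TODAY
TODAY = date(2023, 6, 15)    # assumed date of the check

if __name__ == "__main__":
    for name, findings in triage_inventory(INVENTORY, LATEST_VERSION, TODAY).items():
        print(f"{name}: {', '.join(findings)}")
```

A device flagged "updates-stalled" is not proof of infection; it is the cue to inspect the device (and, as the hosts note, to reboot it and check for unexpected configuration profiles) rather than assume the user simply ignored the update prompt.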

This Week’s Hoodie/Goodie Scale

Elf on the Shelf

[Ian]: 2.5/10 Hoodies
[Tim]: 4/10 Hoodies

Seize the Zero Day

[Ian]: 6/10 Hoodies
[Tim]: 3.5/10 Hoodies


That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!