25. Exploits Worm My Heart
Here are a few highlights from each article we discussed:
- These exploits and implants affected thousands of users every day, while Apple stated this was a targeted campaign affecting the Uighur people.
- This group has been involved in conflict with the Chinese government, so it would not be outrageous to assume they were the authors of the attack.
- The binary is compiled without optimizations and written in Objective-C. The code snippets here are mostly manually decompiled with a bit of help from Hex-Rays.
- Pretty much all versions of Windows are affected. The initial BlueKeep vulnerability from May affected up through Server 2008, but the two new vulnerabilities—nicknamed DejaBlue—affect all versions up through Windows 10.
- As Microsoft mentioned, this is a wormable vulnerability—meaning no interaction from any user is required to spread. Desktop vulnerabilities of this kind are always more concerning to me than a mobile OS equivalent for a few reasons:
  - On the desktop there isn’t as much sandboxing, isolation or general security as you get on most mobile operating systems. A lot of people don’t follow even the most basic security practices with their desktop machine, whereas on their mobile phone they don’t even have to think about it—Google and Apple are doing AV work in their app stores, ports are locked down, logins require two-factor auth by default, and there are specific permissions that applications are granted or not. A compromise requires a lot more hoops to jump through.
  - Updates for mobile phones are pushed—and are sometimes forced—by manufacturers, and for some reason people want to update as soon as they see the popup. Maybe it’s just how we interact with our phones. Desktop updating gets in the way of our real work and we delay it as long as possible. The psychology behind that is weird, but if you look on Shodan right now there are still machines with open RDP that are vulnerable despite this fix being out since May. They’ll probably still be there and vulnerable a year from now. Desktop machines get forgotten.
  - The barrier to entry is much lower on a vulnerability like this. Normally—like in the case of these latest iOS bugs—it requires some knowledge of how to set up a server that will attack vulnerable victims, or some knowledge of how to package up malicious APKs, or some idea of the security features present in phones. This attack is much more approachable, and most attackers are looking for that low-hanging fruit.
- First, I really appreciate the administrators of XKCD following the incident response. It’s phpBB, so it’s very likely the compromise involved that. This is an assumption on my part, though.
- What did I say last time I was on? Life’s a breach. That continues. XKCD, Facebook, Mastercard’s German Rewards Program, a ton of forums. It is so sad that I actually used a leak recently to figure out what my old address was from over a decade ago because I’d forgotten and needed it for an application. So there’s an upside.
- Favorite XKCD comics:
This Week’s Hoodie/Goodie Scale
TAG You’re It
[Tarik]: 10/10 Hoodies
[Chad]: 9/10 Hoodies
You Down with RDP?
[Tarik]: 10/10 Hoodies
[Chad]: 10/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!