27. Security Shenanigans
Here are a few highlights from each article we discussed:
- A researcher going by the name “onion” discovered this campaign. In the blog post he linked, he stated that a company called “Haiqing Labs” had come across the emails, which were pretending to be from DHL. The post was written in Chinese, which I do not speak, but a Google Translated version of the post (which may have some errors) indicated that Haiqing Labs has been tracking Sodinokibi since as early as May 9th, when another campaign delivered an earlier version of the malware to Chinese recipients.
- The emails are disguised as coming from DHL, and are designed to make the victim believe they have a delayed package that needs customs information in order to ship. The email carries an attachment whose (Chinese) name translates to “DHL Customs Declaration Form.doc.exe”, displayed with a Microsoft Word icon. If the user opens this executable, the malware runs, uses PowerShell to delete the user’s Volume Shadow Copies (so the victim cannot roll back to earlier versions of their files), and then encrypts the victim’s files.
- Once the user’s files are encrypted, a ransom note called “rwxyhsjs-readme.txt” is dropped alongside them. The ransom note tells the user to visit the ransom website, input their unique key, and pay the ransom in order to get their files back. The decryption website claims to be able to decrypt 3 small files for free (many ransomware authors do this nowadays to prove their decryption keys work so the victim feels more inclined to pay). According to one source, the ransom for Sodinokibi was about $7K, but it’s unclear if it varies per infected org.
- This campaign is pretty tricky because of a default setting in Windows that hides file extensions for known file types. So in this case, the malicious file “DHL Customs Declaration Form.doc.exe” shows up in Explorer as “DHL Customs Declaration Form.doc”. The average user likely won’t notice or think twice about the fact that this file is showing an extension (.doc – albeit fake) when none of their other files are, and will think it’s a legitimate Word document that can safely be opened.
- First and foremost, users and organizations should change the default setting on Windows so that file extensions are displayed. If users could see that this file was actually a .exe and not a .doc, they’d probably be much less inclined to click on it. Other than that, the usual advice is still applicable for this threat – organizations should educate their users on phishing emails and should have up-to-date defenses including anti-virus.
- Right now it appears that this particular campaign was focused on targeting users in China. It’s unclear how successful the campaign was. I think if our listeners are not located in China, they shouldn’t be too concerned about this. Of course this campaign is very similar to dozens of other phishing campaigns, so from that perspective they should at least be aware of it and everyone should go and change the default extension setting on Windows. But for this particular campaign, people outside of China probably don’t need to be too concerned.
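As an added example (this is not code from the podcast, from the Haiqing Labs write-up, or from DomainTools), the PowerShell below does two things a practitioner would want from the advice above: it reads and, on request, flips the Explorer setting that hides extensions (the `HideFileExt` value under the current user’s `Explorer\Advanced` key, where 1 is the Windows default that hides extensions and 0 shows them), and it flags attachment names that hide a second extension behind a document-looking one. The sample attachment names are constructed for the example; only the first mirrors the lure described above.

```powershell
# Added example: make Windows Explorer show file extensions, and flag
# attachment names that hide an executable behind a document-looking extension.

# --- 1. Hardening: HideFileExt=1 (default) hides extensions, 0 shows them. ---
# The value is per-user (HKCU); for a fleet, push the same value via GPO or Intune.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
}

function Show-FileExtensions {
    Set-ItemProperty -Path $advKey -Name HideFileExt -Value 0 -Type DWord
    # Explorer only re-reads this value when it restarts; killing it re-launches
    # the shell automatically. Left as a separate step so the example is safe to run.
    # Stop-Process -Name explorer -Force
}

# --- 2. Detection: last extension is executable, inner extension looks like a document. ---
$executableExts = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
                    '.vbs', '.vbe', '.wsf', '.hta', '.ps1', '.lnk')
$documentExts   = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.txt', '.jpg', '.png', '.zip')

function Test-DeceptiveFileName {
    param([Parameter(Mandatory)][string]$Name)
    # Win32 silently drops trailing dots and spaces, so "x.doc.exe." runs as x.doc.exe.
    $clean = $Name.TrimEnd('.', ' ')
    $last  = [System.IO.Path]::GetExtension($clean).ToLowerInvariant()
    if ($executableExts -notcontains $last) { return $false }
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($clean)
    $inner = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
    return ($documentExts -contains $inner)
}

# Constructed sample attachment names (the first mirrors the DHL lure; the rest are made up).
$samples = @(
    'DHL Customs Declaration Form.doc.exe',
    'DHL Customs Declaration Form.doc.exe.',  # trailing dot, as quoted in the write-up
    'Invoice_2019_09.pdf.scr',
    'Quarterly Report.docx',
    'setup.exe',
    'photo.jpg.js'
)
$samples | ForEach-Object { '{0,-42} deceptive={1}' -f $_, (Test-DeceptiveFileName $_) }

if ((Get-HideFileExtSetting) -ne 0) {
    Write-Warning 'Explorer is hiding file extensions; run Show-FileExtensions to fix it.'
}
```

The detection half is deliberately conservative: `setup.exe` is not flagged (no inner document extension) and `Quarterly Report.docx` is not flagged (not executable), while the two `.doc.exe` variants, `.pdf.scr` and `.jpg.js` are. The same check can run on a mail gateway’s attachment names or over a Sysmon FileCreate feed; it is one signal, not a verdict.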
- An iOS security researcher (axi0mX) on Twitter dropped the exploit publicly, and gave it the title “Checkm8”.
- So, to talk about the consequences let me first talk about the exploit itself and hopefully eliminate some FUD:
- This is a BootROM exploit. The bug is in the read-only boot code burned into the chip at manufacture, the very first code that runs when an iOS device powers on, so Apple cannot fix it on already-shipped devices with a software update: it is unpatchable.
- It’s not remotely exploitable. You can’t open a malicious URL or some other similar attack vector like iMessage and be affected. This dramatically lowers the risk of the vulnerability when it comes to users. An attacker would have to be in possession of the device to attempt to exploit it.
- You’re unable to access the iOS Secure Enclave via this exploit. The Secure Enclave is a hardware-based key manager that’s isolated from the main processor to provide an extra layer of security. When you store a private key in the Secure Enclave, you never actually handle the key, making it difficult for the key to become compromised. Instead, you instruct the Secure Enclave to create the key, securely store it, and perform operations with it.
- This also applies to TouchID, FaceID and your PIN login. Checkm8 does not bypass those controls.
- There isn’t a persistence mechanism with Checkm8. Even in an ‘evil maid’ scenario where an attacker has possession of your iOS device and runs the exploit, re-booting the device brings it back to the original iOS state.
- So with this all in mind, it’s a critical security vulnerability but not anywhere near as bad as other mobile security vulnerabilities like Android’s Stagefright. One of the biggest game changers with Checkm8 is that there is now a vector for researchers to leverage the exploit and inspect iOS on a deeper level. This could and likely will lead to more bugs being discovered, and if they’re responsibly disclosed then there are some positive wins that come out of this.
- One darker side of this too is since the exploit was released publicly, it’s guaranteed nation-states and governments are going to update their forensics tools to leverage this exploit in some capacity. Not sure what that will look like just yet, since you can’t bypass the Secure Enclave but we will unfortunately see.
- If you’re a part of the jailbreak community, then you’ve got to be really excited about the possibilities of modifying your iOS device.
- The exploit right now is in a raw form, and not something that is trivial to execute. It really hasn’t been commercialized yet, unlike previous jailbreaking software such as redsn0w, where it’s literally point-and-click: plug in your iPhone and go.
- As far as I’ve read, the last time there was a BootROM exploit for iOS was over 10 years ago.
- Everyday users don’t need to really adjust their lifestyle. This is an exploit that requires a very technically sophisticated person to have physical access to your device, and even then what they could access is questionable.
- For me personally, I have an iPhone XS, which is affected. The only time I threat model against a sophisticated adversary that could have physical access to my phone is when I go through the TSA. In that case, if you turn off your phone you’ll be fine. Since the exploit doesn’t allow a persistence mechanism, a simple reboot will bring things back to normal.
- I think the biggest impact we’re going to see is that we’re now effectively allowing the world to inspect iOS on a much deeper level through this public exploit. I think that Apple has a great responsible disclosure program, and most security researchers want to do the right thing, and we’ll have a more secure iOS because of it.
- 4.9 million accounts were compromised, belonging to consumers, merchants, and “Dashers” (the contractors who deliver food for DoorDash). This only affected users who joined the platform before April 5, 2019. Compromised information included names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords. For some accounts, the last 4 digits of the credit card number or bank account were accessed as well, and for roughly 100,000 unlucky Dashers, driver’s license numbers were also accessed. The rest of the security bulletin just contained the usual spiel of “we take security seriously, we’ve responded by beefing up our security (but we promise we were already taking it seriously), change your password.”
- By ordering chicken wings from DoorDash on football Sundays, my personal data can be at risk. As we move towards everything being a service nowadays, we’re upping our odds of being affected by breaches significantly. My confidence in companies and governments “doing the right thing” gets lower every day, unfortunately. We have data that gets exposed that can’t be rotated, like PII, and as a consumer our only real defense is watchful waiting and credit monitoring.
This Week’s Hoodie/Goodie Scale
All That And Ransom(ware)
[Tarik]: 3/10 Hoodies
[Emily]: 3/10 Hoodies
Check Yourself Before You Wreck Yourself
[Tarik]: 8/10 Hoodies
[Emily]: 6/10 Hoodies
Dashing Your Food Delivery Hopes And Dreams
[Tarik]: 7/10 Hoodies
[Emily]: 4/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!