Breaking Badness

62. IoT Has Come Home to Roast

Here are a few highlights from each article we discussed:

A Case of Déja-Brew with Insecure IoT Items

  • This researcher observed all traffic between the coffee maker, its companion app, and the Internet to work out how the update protocol functioned, then reverse engineered the companion app to extract the firmware binary. From there, they modified that firmware so the machine became a ransomware device. This all sounds funny, but it turns out that using the WiGLE WiFi database (a crowd-sourced database of WiFi networks around the world) you can find hundreds of these since-discontinued coffee makers out there that you could drive by and deploy ransomware to. And how many other “smart” devices can this happen to today?
  • Back in 2017, a Reddit user posted about a ransomware infection spreading across their network. The post went viral because someone had hooked a smart coffee maker up to the internal network instead of an isolated one. The coffee maker was vulnerable to the same attack as the rest of the machines on that network, so even after the cleanup the coffee maker reinfected the whole network as machines were brought back online. Pretty funny stuff, and a reminder of why you always put IoT devices on an isolated network segment.
  • In terms of how this technology could be weaponized with greater consequences: outside of flashing the firmware and using the chip as scanning infrastructure or similar, there isn’t really a physical-damage angle here. Then again, people said that about a lot of the backup generators at power stations, and a bunch of ICS researchers proved a decade ago that they could overload them to the point of meltdown or explosion. Maybe you overheat the coffee until the pot bursts and make someone clean their kitchen? Really, though, the radio and the CPU are the things worth gaining here.
  • Firmware isn’t really “firm” anymore. Now that it can be flashed without plugging a special cable into a debug port on the PCB, firmware can be updated rather easily on many devices. You see this with some very sophisticated malware that embeds itself in the firmware of components inside a machine so it comes back every time the machine is cleaned. In this case, a firmware update is started by issuing a command over the binary protocol that controls the machine and then pressing a button on the coffee maker to put it into update mode. Super simple to flash the firmware.
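The update path described above, where the machine flashes whatever image it is handed once the button is pressed, only works because nothing ties the image to its vendor. The Go program below is an added example, not the researcher’s or the manufacturer’s code, showing the two sides of a signed-firmware scheme: a vendor-side signer, an `AcceptUnverified` path that behaves the way the recap describes, and a `VerifyImage` path that refuses a modified payload. The image layout (`FWv1` magic, length field, Ed25519 signature) and the payload strings are constructed for the illustration and are not the coffee maker’s real protocol.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not the coffee maker's real
// format): 4-byte magic, 4-byte big-endian payload length, payload, and a
// 64-byte Ed25519 signature over everything before it.
var imageMagic = []byte("FWv1")

const (
	headerLen = 8
	sigLen    = ed25519.SignatureSize
)

// BuildSignedImage is the vendor-side step: wrap the payload in the header
// and sign header||payload with the vendor's private key, which never
// leaves the build system.
func BuildSignedImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := make([]byte, headerLen, headerLen+len(payload)+sigLen)
	copy(body[:4], imageMagic)
	binary.BigEndian.PutUint32(body[4:8], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// AcceptUnverified mirrors what the recap describes: any blob with the right
// magic is treated as firmware, so a modified image is flashed as readily as
// the vendor's own. Shown only for contrast.
func AcceptUnverified(image []byte) ([]byte, error) {
	if len(image) < headerLen || !bytes.Equal(image[:4], imageMagic) {
		return nil, errors.New("not a firmware image")
	}
	n := binary.BigEndian.Uint32(image[4:8])
	if uint64(n) > uint64(len(image)-headerLen) {
		return nil, errors.New("truncated image")
	}
	return image[headerLen : headerLen+n], nil
}

// VerifyImage is the device-side check that closes the hole: the device holds
// only the vendor's public key and refuses to flash anything it cannot verify.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < headerLen+sigLen {
		return nil, errors.New("image too short to carry a signature")
	}
	if !bytes.Equal(image[:4], imageMagic) {
		return nil, errors.New("bad magic")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	// Check the length field against the real size before trusting it.
	n := binary.BigEndian.Uint32(image[4:8])
	if uint64(n) != uint64(len(body)-headerLen) {
		return nil, errors.New("length field does not match image size")
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return body[headerLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := BuildSignedImage(priv, []byte("vendor brew firmware"))

	// An attacker who has extracted the image swaps in a same-length payload.
	tampered := append([]byte(nil), image...)
	copy(tampered[headerLen:], []byte("ransomware payload!!"))

	for _, tc := range []struct {
		name string
		img  []byte
	}{{"vendor", image}, {"tampered", tampered}} {
		_, errOpen := AcceptUnverified(tc.img)
		_, errSafe := VerifyImage(pub, tc.img)
		fmt.Printf("%-8s unverified flash: %v | verified flash: %v\n",
			tc.name, errOpen == nil, errSafe == nil)
	}
}
```

The button press in the recap is a physical-presence step, not authentication: it tells the device that someone is standing next to it, not that the image came from the vendor. With the verified path, the device only ever stores a public key, so extracting it from the firmware (as the researcher did with the binary) gains an attacker nothing; the private key is what would need to leak. Anti-rollback (rejecting an older but validly signed image) is the usual next step and is not covered here.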

Emotet Runs a Refresher Course on Macro Economics

  • Emotet is both a malware family and the name of the group behind a massive cybercrime operation. Emotet was first seen in the wild around 2014 and is obviously still in operation today. Emotet has always been a financially motivated threat, with its first malware heavily focused on banking trojans. Around 2016, Emotet shifted its operations into more of a “foothold for sale” scheme, where the authors compromise thousands of systems and provide that access to other cybercriminals. Much like the rest of the tech world, Emotet moved to “Infrastructure as a Service”.
  • We’ve seen Emotet sell its botnet to other notorious cybercrime groups, like the operators behind Ryuk, for ransomware distribution. Lately, Emotet has been seen dropping TrickBot and QBot, which are used to lift banking credentials from victims.
  • They’ve shifted their tactics a bit but they still are and always have been financially motivated.
  • Email lures have always been Emotet’s most popular means of harvesting victims. Specifically, as of a couple of days ago, Proofpoint detected thousands of email messages sent to US-based organizations with DNC themes tied to the upcoming US election. The lures in this campaign are built around volunteering and “Team Blue Take Action”.
  • This is really just an ongoing tactic by threat groups: build lures that will catch your eye. We saw this a lot with COVID, especially a couple of months ago.
  • Emotet isn’t doing anything novel here. This is the cliché “Word doc containing a macro” attack. However, Proofpoint noted that Emotet was seen dropping the QBot malware in this specific DNC-themed campaign.
  • If someone opens the Word document on a Windows computer and allows the macros to run, QBot gets downloaded and executed on their computer. QBot is a popular banking trojan that carries a list of targeted banking sites from which it harvests credentials.
  • QBot also runs separate worker threads to spread to other Windows computers on the local network, so the Emotet/QBot operators generally don’t need every email lure to land in order to compromise an entire organization.
  • Being financially motivated, Emotet is after access to a large swath of banking accounts with this specific campaign.
  • Emotet and QBot are a nasty one-two combo that has been really successful for years, so I don’t want to downplay that. However, this isn’t a cyber campaign aimed at affecting the upcoming political election. We’re just seeing this as a noteworthy trend of attacks that will continue in the upcoming months.
  • We can, and will, expect a huge uptick in election-related attacks from across the whole threat spectrum: financially motivated cyber criminals all the way up to APT-level groups conducting espionage or political disinformation campaigns. Buckle up!
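The “Word doc containing a macro” lure above is old enough that checking for it at the mail gateway should be routine. The Go program below is an added example, not Proofpoint’s detection logic or anything recovered from the campaign, that inspects attachment bytes for embedded VBA: for modern OOXML files it opens the zip container and looks for the `vbaProject.bin` part and the `macroEnabled` content type; for legacy OLE2 `.doc` files it applies a cheap heuristic on the UTF-16LE storage names Word uses for macros instead of a full directory parse. The sample documents are constructed in memory and are not real lures.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
	"unicode/utf16"
)

// Finding records what the attachment check concluded about one file.
type Finding struct {
	Format  string // "ooxml" (.docx/.docm), "ole2" (legacy .doc), or "unknown"
	HasVBA  bool
	Reasons []string
}

// OLE2 compound-file signature shared by the legacy Office formats.
var oleMagic = []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}

// utf16le encodes s the way OLE2 directory entry names are stored on disk.
func utf16le(s string) []byte {
	out := make([]byte, 0, 2*len(s))
	var b [2]byte
	for _, u := range utf16.Encode([]rune(s)) {
		binary.LittleEndian.PutUint16(b[:], u)
		out = append(out, b[:]...)
	}
	return out
}

// InspectAttachment flags Word documents that carry VBA. The OLE2 branch is
// a triage heuristic (string search for the "Macros" and "_VBA_PROJECT"
// storage names); a production scanner parses the OLE directory instead.
func InspectAttachment(data []byte) Finding {
	f := Finding{Format: "unknown"}
	switch {
	case bytes.HasPrefix(data, []byte("PK\x03\x04")):
		f.Format = "ooxml"
		zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
		if err != nil {
			f.Reasons = append(f.Reasons, "unreadable zip: "+err.Error())
			return f
		}
		for _, part := range zr.File {
			name := strings.ToLower(part.Name)
			if strings.HasSuffix(name, "vbaproject.bin") {
				f.HasVBA = true
				f.Reasons = append(f.Reasons, "macro part present: "+part.Name)
			}
			if name == "[content_types].xml" {
				rc, err := part.Open()
				if err != nil {
					continue
				}
				ct, _ := io.ReadAll(rc)
				rc.Close()
				if bytes.Contains(ct, []byte("macroEnabled")) {
					f.HasVBA = true
					f.Reasons = append(f.Reasons, "content type is macroEnabled")
				}
			}
		}
	case bytes.HasPrefix(data, oleMagic):
		f.Format = "ole2"
		for _, storage := range []string{"Macros", "_VBA_PROJECT"} {
			if bytes.Contains(data, utf16le(storage)) {
				f.HasVBA = true
				f.Reasons = append(f.Reasons, "OLE2 storage name found: "+storage)
			}
		}
	}
	return f
}

// buildZip assembles an in-memory OOXML-style container from part name to
// content. Used only to construct the sample documents below.
func buildZip(parts map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range parts {
		w, _ := zw.Create(name)
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	const docxCT = `<Types><Override ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>`
	const docmCT = `<Types><Override ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>`
	samples := map[string][]byte{ // constructed samples, not real attachments
		"clean.docx": buildZip(map[string]string{"[Content_Types].xml": docxCT, "word/document.xml": "<w:document/>"}),
		"lure.docm":  buildZip(map[string]string{"[Content_Types].xml": docmCT, "word/vbaProject.bin": "\x01\x02"}),
		"legacy.doc": append(append([]byte(nil), oleMagic...), utf16le("_VBA_PROJECT")...),
	}
	for name, data := range samples {
		f := InspectAttachment(data)
		fmt.Printf("%-11s format=%-7s vba=%-5v %s\n", name, f.Format, f.HasVBA, strings.Join(f.Reasons, "; "))
	}
}
```

A hit is not proof of malice, since plenty of legitimate templates ship with VBA; what it gives you is the short list of attachments to detonate in a sandbox or to strip before delivery, which is exactly the step that stops this campaign’s QBot download regardless of how convincing the DNC theme is.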

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with, Two Truths and a Lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

(Scoreboard image: Breaking Badness Two Truths and a Lie)

This Week’s Hoodie/Goodie Scale

A Case of Déja-Brew with Insecure IoT Items

[Chad]: 3/10 Hoodies
[Tarik]: 10/10 Hoodies

Emotet Runs a Refresher Course on Macro Economics

[Chad]: 8/10 Hoodies
[Tarik]: 7/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!