14. RIP Grumpy Cat
Coming up this week on Breaking Badness. Today we discuss: A Vulnerability Called Thangrycat? You Gotta be Kitten Me!, WHASAPPPPPP, and ‘GozNym’ Discovers How Accrual the World can be.
Here are a few highlights from each article we discussed:
- The Cisco Trust Anchor Module is a piece of hardware whose job is to ensure the integrity of the system (such as a Cisco router or security appliance) from boot-up to runtime. It is supposed to prevent a hostile bootloader from running on the system. That matters because plenty of past attacks have used a tampered bootloader to start a malicious system image.
- These vulnerabilities were discovered by Red Balloon Security, an outfit based in New York that specializes in embedded systems security.
- The Cisco Trust Anchor is a piece of hardware that uses an external FPGA. After initial power-on of the Cisco device, the FPGA loads an unencrypted bitstream, which implements the hardware Trust Anchor and provides the root-of-trust functionality, from a dedicated Serial Peripheral Interface (SPI) flash chip. Once the bitstream is loaded, the FPGA performs integrity verification of the pre-boot environment before the microloader is delivered to the main processor. That is the heart of what it does: it ensures that what is about to boot is, in fact, a safe system. This FPGA anchor is connected to the main processor via its south bridge and controls the reset pin of the processor. That is key, because if the FPGA anchor detects any integrity violation in the pre-boot environment, the anchor halts and reboots the system. (Now, the part I find interesting here is that, if this happens, unless the integrity checks somehow resolve, which seems unlikely in the case of some kind of malcode implant, it will go into an endless reboot loop. But that is better than having your system pwned.)
- Remember the part where the FPGA loads an unencrypted bitstream from the SPI flash chip? Mmmmyeah, that is where there is a wee problem: that bitstream sits in unencrypted, writable flash, so someone who already has root on the system can modify it and disable critical functions of the Trust Anchor module, at which point it is pretty much game over (Cisco tracks this as CVE-2019-1649). It is key to reiterate that you have to have root on the system to begin with, so if you can prevent unauthorized access to your Cisco device, you can protect yourself against this vulnerability. That does assume that nothing goes wrong before you have the device in your possession, of course.
- Every device with an FPGA-based Trust Anchor module is vulnerable. Their site lists over a hundred product families that are susceptible.
- Researchers aren’t aware of any exploits in the wild, but of course we don’t actually know.
- This vulnerability (CVE-2019-3568) is a buffer overflow in WhatsApp’s VoIP stack that allows remote code execution via a specially crafted series of SRTCP (Secure Real-time Transport Control Protocol) packets sent to a target phone number. It can be exploited when a threat actor calls the victim using the WhatsApp calling feature. Check Point compared the new update with the old code and found two differences, both in the SRTCP module: the first is an argument length check in an RTCP handler function, the second is a sanitization check to prevent a possible overflow. Check Point also notes that the SRTCP module is quite large, and it is possible there are other bugs hidden there that have not yet been found or patched by WhatsApp.
- WhatsApp has released a patch for this vulnerability, which everyone should go and install right now.
- WhatsApp has said the following: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems.” They recommend patching immediately and keeping your phone’s OS up to date as well.
- While WhatsApp doesn’t specifically name NSO, the “private company” to which they refer is suspected to be NSO Group, which is known for creating surveillance malware. Notably, NSO is known for the Pegasus malware, which has been used globally to target the iPhones and Android phones of government dissidents, human rights activists and more.
- According to Citizen Lab, journalists and human rights lawyers seem to be the main targets.
- In a joint effort by several law enforcement agencies from 6 different countries, officials have dismantled a major global organized cybercrime network behind GozNym banking malware.
- GozNym malware (a hybrid of the Gozi ISFB banking trojan and the Nymaim dropper, hence the name) is, well, pretty much your standard banking malware operation: distribution, credential theft and money theft.
- They hauled in a tidy sum, at least $100M, from a lot of victims, too: more than 40,000. The takedown required coordination across six countries and several law enforcement agencies.
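Added example for the Trust Anchor highlights above (our own illustration, not Cisco’s or Red Balloon’s code): a toy boot chain in which the FPGA bitstream that performs the microloader check itself lives in writable, unencrypted SPI flash, so an attacker with root can switch the check off and boot an implant. The model, the FNV-1a hash standing in for a real digest, the constructed “microloader” images and the “hash pinned in ROM” hardening are all assumptions for illustration; the real TAm, its bitstream format and Cisco’s fix are not modeled.

```c
/*
 * Toy model of an FPGA-based trust anchor (added example, hypothetical; not
 * Cisco's or Red Balloon's code). The anchor's bitstream and the microloader
 * it checks both live in writable, unencrypted SPI flash, and nothing
 * verifies the bitstream itself, so root can switch the check off.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MICROLOADER_LEN 16

/* FNV-1a 32-bit: a stand-in for a real digest so the example has no dependencies. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* What the anchor's bitstream encodes: the hash it expects and whether it checks at all. */
struct bitstream {
    uint32_t expected_microloader_hash;
    uint8_t  verify_enabled;
};

/* Everything the FPGA reads at power-on; in this model all of it is writable by root. */
struct spi_flash {
    struct bitstream bs;
    uint8_t microloader[MICROLOADER_LEN];
};

enum boot_result { BOOT_OK = 0, BOOT_HALT_REBOOT = 1 };

static uint32_t bitstream_hash(const struct bitstream *bs)
{
    uint8_t buf[5];
    memcpy(buf, &bs->expected_microloader_hash, 4);
    buf[4] = bs->verify_enabled;
    return fnv1a(buf, sizeof buf);
}

/* The anchor as the post describes it: load the bitstream, verify the
 * microloader, and pull the processor's reset pin on a mismatch. */
static enum boot_result anchor_boot(const struct spi_flash *f)
{
    if (f->bs.verify_enabled &&
        fnv1a(f->microloader, MICROLOADER_LEN) != f->bs.expected_microloader_hash)
        return BOOT_HALT_REBOOT;
    return BOOT_OK;
}

/* Hardened variant (assumption for illustration): the bitstream is checked
 * against a hash pinned in immutable ROM before anything it says is trusted. */
static enum boot_result hardened_boot(const struct spi_flash *f, uint32_t rom_pinned_hash)
{
    if (bitstream_hash(&f->bs) != rom_pinned_hash)
        return BOOT_HALT_REBOOT;
    return anchor_boot(f);
}

/* Constructed sample images, not real firmware. */
static const uint8_t GOOD_ML[MICROLOADER_LEN] = "microloader-v1";
static const uint8_t EVIL_ML[MICROLOADER_LEN] = "implant-loader";

static void factory_flash(struct spi_flash *f)
{
    memset(f, 0, sizeof *f);
    memcpy(f->microloader, GOOD_ML, MICROLOADER_LEN);
    f->bs.expected_microloader_hash = fnv1a(GOOD_ML, MICROLOADER_LEN);
    f->bs.verify_enabled = 1;
}

/* Runs one boot. implant: swap in EVIL_ML. tamper: root flips verify_enabled off
 * in the flash-resident bitstream. pinned: use the hardened anchor instead. */
enum boot_result boot_with(int implant, int tamper, int pinned)
{
    struct spi_flash f;
    factory_flash(&f);
    uint32_t rom_pinned = bitstream_hash(&f.bs);   /* "burned in" before any attacker edits */
    if (implant) memcpy(f.microloader, EVIL_ML, MICROLOADER_LEN);
    if (tamper)  f.bs.verify_enabled = 0;
    return pinned ? hardened_boot(&f, rom_pinned) : anchor_boot(&f);
}

int main(void)
{
    printf("clean, mutable anchor:            %d\n", boot_with(0, 0, 0));
    printf("implant, mutable anchor:          %d\n", boot_with(1, 0, 0));
    printf("implant + bitstream tamper:       %d\n", boot_with(1, 1, 0));
    printf("implant + tamper, pinned anchor:  %d\n", boot_with(1, 1, 1));
    return 0;
}
```

The third line of output is the whole point of the episode’s first story: the implant alone is caught and the box reboots, but once the same root access rewrites the unverified bitstream, the anchor happily reports a clean boot. The fourth line shows why a root of trust has to be anchored in something the attacker cannot write.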
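Added illustration for the WhatsApp highlights above (hypothetical code, not WhatsApp’s): an RTCP handler that trusts the packet’s own length field, next to a compound-packet parser that checks every declared length against the bytes actually received and against the destination buffer. The header layout follows RFC 3550; the sample datagrams are constructed, and nothing here reproduces the actual CVE-2019-3568 code path.

```c
/*
 * Added illustration, hypothetical and not WhatsApp's code: the bug class the
 * post describes, a length check missing from an RTCP handler. RTCP header
 * (RFC 3550): byte 0 = V/P/RC, byte 1 = packet type, bytes 2-3 = length in
 * 32-bit words minus one, so the packet claims (length + 1) * 4 bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY 64

struct report {
    uint8_t pt;
    uint8_t body[MAX_BODY];
    size_t  body_len;
};

/* Bytes the header claims for this packet, header included. Caller must have >= 4 bytes. */
size_t rtcp_declared_len(const uint8_t *p)
{
    return ((size_t)(((unsigned)p[2] << 8) | p[3]) + 1) * 4;
}

/* VULNERABLE: trusts the declared length. If it exceeds the datagram the copy
 * over-reads; if the body exceeds MAX_BODY the copy overflows 'out'. Never feed
 * this untrusted input; it exists only to show the shape of the bug. */
int rtcp_handle_unchecked(const uint8_t *pkt, size_t pkt_len, struct report *out)
{
    if (pkt_len < 4)
        return -1;
    size_t n = rtcp_declared_len(pkt);      /* attacker controlled */
    out->pt = pkt[1];
    out->body_len = n - 4;
    memcpy(out->body, pkt + 4, n - 4);      /* never compared with pkt_len or MAX_BODY */
    return 0;
}

/* How far past 'body' the unchecked handler would write for this packet (0 if it fits). */
size_t rtcp_unchecked_overflow(const uint8_t *pkt)
{
    size_t body = rtcp_declared_len(pkt) - 4;
    return body > MAX_BODY ? body - MAX_BODY : 0;
}

/* HARDENED: walks a compound RTCP datagram and checks every declared length
 * against both the bytes actually remaining and the destination buffer.
 * Returns the number of reports parsed, or -1 on a malformed packet. */
int rtcp_parse_compound(const uint8_t *pkt, size_t pkt_len, struct report *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off < pkt_len) {
        if (pkt_len - off < 4)
            return -1;                      /* truncated header */
        if ((pkt[off] >> 6) != 2)
            return -1;                      /* RTP version must be 2 */
        size_t n = rtcp_declared_len(pkt + off);
        if (n > pkt_len - off)
            return -1;                      /* claims more than the datagram holds */
        if (n - 4 > MAX_BODY)
            return -1;                      /* would not fit the destination */
        if (count == max_out)
            return -1;
        out[count].pt = pkt[off + 1];
        out[count].body_len = n - 4;
        memcpy(out[count].body, pkt + off + 4, n - 4);
        count++;
        off += n;
    }
    return (int)count;
}

/* Convenience wrapper: parse into a scratch array and return only the count. */
int parse_count(const uint8_t *pkt, size_t pkt_len)
{
    struct report r[4];
    return rtcp_parse_compound(pkt, pkt_len, r, 4);
}

/* Constructed sample datagrams, not captured traffic. */
/* RR (PT 201) then SDES (PT 202), each 8 bytes: length field 1 -> (1+1)*4. */
const uint8_t BENIGN[16] = { 0x80, 201, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef,
                             0x81, 202, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };
/* Length field 0x00ff claims 1024 bytes; only 8 are present (over-read). */
const uint8_t EVIL_OVERREAD[8] = { 0x80, 201, 0x00, 0xff, 0, 0, 0, 0 };
/* Length field 25 claims 104 bytes, all present, but the 100-byte body exceeds MAX_BODY. */
const uint8_t EVIL_BIGBODY[104] = { 0x80, 201, 0x00, 25 };

int main(void)
{
    struct report r;
    rtcp_handle_unchecked(BENIGN, sizeof BENIGN, &r);   /* fine on well-formed input */
    printf("unchecked handler, benign packet: pt=%u body_len=%zu\n", r.pt, r.body_len);
    printf("hardened, benign compound: %d reports\n", parse_count(BENIGN, sizeof BENIGN));
    printf("over-read packet: hardened=%d, unchecked would write %zu bytes past body\n",
           parse_count(EVIL_OVERREAD, sizeof EVIL_OVERREAD), rtcp_unchecked_overflow(EVIL_OVERREAD));
    printf("big-body packet: hardened=%d, unchecked would write %zu bytes past body\n",
           parse_count(EVIL_BIGBODY, sizeof EVIL_BIGBODY), rtcp_unchecked_overflow(EVIL_BIGBODY));
    return 0;
}
```

The two rejections in the hardened parser correspond to the two kinds of check the post says Check Point saw in the diff: a length argument that is compared with what was actually received, and a sanity check that keeps the copy inside the buffer. Both are needed; a packet can be entirely present and still too big for its destination.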
This Week’s Hoodie/Goodie Scale
Vulnerability Called Thangrycat? You Gotta be Kitten Me!
[Tim]: 6/10 Hoodies
[Emily]: 4.5/10 Hoodies
WHASAPPPPPP
[Tim]: 4/10 Hoodies
[Emily]: 5.5/10 Hoodies
‘GozNym’ Discovers How Accrual the World can be
[Tim]: 3/10 Goodies
[Emily]: 3/10 Goodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us Wednesday, June 5th, at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!