Breaking Badness

8. Too Big For Our Breaches

Developing News: WinRAR: The Saga Continues…


Here are a few highlights from each article we discussed:

You Got Served…The Sequel

  • ASUS official update servers delivered a backdoored version of an ASUS application.
  • Kaspersky is calling it “Operation ShadowHammer”.
  • The backdoored update was pushed between June and November 2018.
  • The threat actors targeted ASUS Live Update Utility as the first stage.
    • This is a pre-installed utility in most new ASUS computers, for automatic BIOS, UEFI, drivers and application updates.
  • The attackers used stolen certificates from older updates in order to include their own malicious code.
    • These malicious versions were then hosted on and distributed by ASUS.
  • There’s actually a hard-coded table of ~600 MAC addresses in the backdoor.
  • The second stage of the malware was only downloaded if the victim machine matched one of those MAC addresses.
  • Kaspersky identified that ASUS and three other vendors were affected; the names of the three other vendors haven’t been released yet.
  • Kaspersky has tentatively linked this attack to the Barium (Wicked Panda) group, which also conducted the CCleaner supply chain incident.
    • CCleaner was a September 2017 supply chain attack that also used a hard-coded list of targets, but of IP addresses rather than MAC addresses.

Cat Got Your Websites?

  • Court documents were unsealed last week that show Microsoft sinkholed 99 domains purported to belong to APT35 (Charming Kitten, NEWSCASTER).
  • They’ve done this before with Fancy Bear/APT28 (which they call “Strontium”), but this was the largest takedown at one time (the APT28 ones were 91 domains over 15 different takedowns).
  • The domains they took down were all spoofed Microsoft products, such as fake Outlook login pages.
  • This means the takedown didn’t exactly wipe APT35 off the map; it only wiped out their Microsoft-themed campaigns.
  • They’re known for using fake LinkedIn profiles and sending malicious resumes to companies.
  • They’re an Iranian group known for targeting US government.

How the Center for Advanced Defense is Putin Russia on the Map

  • The Center for Advanced Defense (C4ADS) analyzed 9883 incidents of GPS spoofing conducted in and around Russia in the last 3 years.
    • 1311 civilian ships affected since 2016.
  • GPS spoofing is when fake GPS signals are used to trick equipment into relaying incorrect geolocation data and coordinates to GPS devices.
  • GPS is created and owned by the US government; GNSS (Global Navigation Satellite System) is the more general term used to describe all satellite navigation systems of this type.
  • GPS spoofing has been possible for a while but used to be a less viable tactic, as it was expensive and complicated.
  • Now, thanks to SDRs (software defined radios), it is much easier and cheaper (as low as $300).
  • C4ADS analysis showed that Russia seems to be using this tactic more in war, as many of the incidents took place around Ukraine and Crimea.
  • Example: boats in the Kerch Strait were seeing coordinates for the cities of Tsibanobalka or Gelendzhik.
    • This was a few years ago and over 20 ships all reported problems.
    • First major incident.
  • There may be a way to identify such attacks, though: the collaboration between C4ADS and UT Austin researchers shows how GNSS receivers based on low-Earth-orbit satellites can be used to detect and geolocate interference signals worldwide.

This Week’s Hoodie Scale

You Got Served…The Sequel

[Tim]: 5.5/10 Hoodies
[Emily]: 5/10 Hoodies

Cat Got Your Websites?

[Tim]: -5/10 Hoodies
[Emily]: -6.5/10 Hoodies

How the Center for Advanced Defense is Putin Russia on the Map

[Tim]: 7/10 Hoodies
[Emily]: 5/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!