Security Week 15: Leaky modem in Huawei, VirusTotal as a data leakage channel, Microsoft patches a hole used by Dridex
Some people are greedy for other people's bugs. Ralf-Philipp Weinmann of Comsecuris is clearly a little obsessed with vulnerabilities in wireless modems: he has been digging into the topic since at least 2011, ruthlessly flogging the suppliers of leaky chipsets. Almost every year he gives a new talk. This time it was the turn of Huawei, or rather of its subsidiary HiSilicon Technologies. And it will catch it more than once: the company kindly published the source code of the Huawei H60 Linux kernel, which runs on Kirin series chips, and along with it leaked the firmware for the HiSilicon Balong, the cellular modem installed in Huawei smartphones.
What a commotion that started! Well, what exactly started we cannot know for certain, but Weinmann rushed to look for holes. And, of course, he found them and showed them. And how many black hats found them too but said nothing? A rhetorical question. The source code is already stale, but that hardly hampers the search for vulnerabilities, which, according to the RAND Corporation, live in software for an average of 7 years. And there are hordes of smartphones with various versions of this firmware in people's hands. For example, in the third quarter of 2016 alone, Huawei sold 33 million Honor smartphones, half of them with the HiSilicon Balong on board.
Having rummaged through the VxWorks-based source code, Weinmann developed a method for accessing the C shell, the built-in C interpreter. It does not let you do much beyond calling any exported function. But that alone allowed Weinmann to take a memory dump, modify memory contents, launch new tasks and load dynamic kernel modules. In his talk at the Infiltrate conference he demonstrated how a connection can be initiated from outside that Android will not see. Soooo, it looks like my Honor 6c is going in the trash.
The attack Weinmann describes is carried out through a fake base station built on OpenLTE, which pretends to be a real mobile operator's tower and sends the smartphone crafted packets that overflow a buffer in the LTE stack. As a result, Android crashes, the device reboots and a new “guest” moves in: the backdoor.
Now the good news: this is still LTE, so without the operator's private key, or without replacing the key in the SIM card, a base station cannot be faked. I'll go fish my smartphone out of the trash. However, this is only the beginning: Weinmann claims that he has not yet told the MOST terrible part. Just like Snowden, honestly. He simply wants to give Huawei a chance to fix the bugs.
The moral of the story: from a security standpoint, open source is good where it is easy to patch. On smartphones the practice is the opposite: once your device is a year old, you will most likely never see updates. So it is not worth a vendor's while to publish the source code and make hackers' work easier.
Companies leak confidential data through multiscanners
More scary news from our SAS 2017. Markus Neis of Swisscom AG once set YARA loose on samples uploaded to VirusTotal. A perfectly normal pastime, except that he wrote rules to search not for malware but for PGP keys. Having found an outrageous number of them, Markus extended the rules with markers of confidential data: TLP tags at the GREEN, AMBER and RED levels.
The first catch shocked him: 60 letters from the FBI, 800 alerts about information security threats from the US Department of Homeland Security, three imported jackets, assorted VPN credentials, SSH private keys, and a lot of corporate and even government correspondence. Where, you may ask, did all this come from on VirusTotal? Markus has an answer: too many companies use the multiscanner as a free antivirus, dumping ALL incoming documents there. Well, you know, what if malware is hiding in one of them. The funny thing is that even reports by security contractors on cyber incident investigations turned up among the samples.
So far it does not seem very scary: people pour whatever they like onto VirusTotal, no big deal. However, a considerable share of the service's users can download these samples. And they do download them. To check, the researcher uploaded a Microsoft Word document with a “canary” token, and in the first two days recorded access from the USA, Germany, Russia and Poland.
All this can be called nothing other than a data leak, and often it is not your own data that leaks but the information of customers and contractors, which is completely indecent. According to Neis, Indian IT outsourcers are especially fond of this practice: they dump everything onto VirusTotal and similar services. So you hire yourself some cheap coders, and they expose your data to the whole world... And it would be naive to think that shady data brokers have not yet found such a well-stocked feeding trough.
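An added example, not from the column or from Neis's research: a Python gate that runs before anything is sent to a public multiscanner, looks for the same kind of markers the YARA rules above searched for (private key headers and TLP tags) and falls back to a hash lookup when it finds them. The pattern list, the size limit, the function names and the sample inputs are assumptions made for the illustration.

```python
import hashlib
import io
import re
import zipfile

# Assumed markers: armor/PEM headers of private keys and TLP labels above WHITE.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY(?: BLOCK)?-----"),
    "tlp_marking": re.compile(rb"\bTLP\s*:\s*(?:GREEN|AMBER|RED)\b", re.IGNORECASE),
}
MAX_MEMBER = 20 * 1024 * 1024  # skip oversized archive members (zip-bomb guard)


def views(data: bytes):
    """Yield the raw bytes, then each member of a ZIP container (docx, xlsx)."""
    yield data
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_MEMBER:
                    yield zf.read(info)


def triage_before_upload(data: bytes) -> dict:
    """Decide whether a file body may be sent to a public multiscanner."""
    findings = sorted({label for view in views(data)
                       for label, rx in PATTERNS.items() if rx.search(view)})
    # Sensitive content never leaves: query the service by SHA-256 instead.
    action = "hash_lookup_only" if findings else "upload_allowed"
    return {"sha256": hashlib.sha256(data).hexdigest(), "findings": findings, "action": action}


def make_docx(text: str) -> bytes:
    buf = io.BytesIO()  # constructed, minimal ZIP standing in for a .docx
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", f"<w:t>{text}</w:t>")
    return buf.getvalue()


SAMPLES = {  # constructed inputs, not real documents
    "alert.eml": b"Subject: advisory\r\n\r\nTLP:AMBER - do not redistribute\r\n",
    "id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "report.docx": make_docx("Incident report, TLP: RED"),
    "invoice.txt": b"Invoice 42, total 100 EUR\n",
}

if __name__ == "__main__":
    print({name: triage_before_upload(data)["action"] for name, data in SAMPLES.items()})
```

The ZIP pass matters because Office documents are compressed containers, so a TLP tag inside a .docx is invisible to a scan of the raw bytes.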
Microsoft closes Dridex's favorite hole
There is good news, and research to go with it. No sooner had Dridex got into the habit of infecting machines through a zero-day vulnerability in MS Office than Microsoft went and closed it! Literally three days after detection. It is unclear, however, how long Dridex had been exploiting the bug. And the bug, it must be said, was a juicy one: it allowed arbitrary code execution, and all the victim had to do was open a document containing the exploit. No further clicks are needed; your computer has already been accepted into the big friendly Dridex botnet. After that you had better not log in to your online bank, or you will be upset. A little later.
The mechanics of the exploit are straightforward. The victim opens an RTF document with an embedded OLE2link object. Word obediently goes out to the Internet address the object points to, fetches an HTA file from there and feeds it to the mshta.exe interpreter. The VBScript inside the HTA, in turn, downloads and installs the Trojan, meanwhile closing winword.exe and starting it again with a different document. This is needed so that the user does not have time to see the message that Word displays because of the OLE2link.
And yes, I almost forgot to say: Microsoft closed the hole, but somehow not completely. For the time being there is a patch only for Microsoft Office 2010, and even that requires SP2, while the vulnerability affects versions up to Office 2016. As a temporary workaround, it is suggested to block RTF in Word and use Microsoft Office Protected View. Well, or send all documents to VirusTotal first (joke :).
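An added example, not from the column or from the research it cites: a static Python triage for the document type described above, flagging RTF attachments that carry an auto-updating OLE link object. The control words checked, the "OLE2Link" marker, the UTF-16LE URL heuristic, the function names and the sample input are assumptions of this example.

```python
import re

# Heuristics assumed here: hex payload after \objdata, the class name
# "OLE2Link" inside it, and UTF-16LE http(s) URLs as link targets.
OBJDATA = re.compile(rb"\\objdata([0-9a-fA-F\s]+)")
URL16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def triage_rtf(data: bytes) -> dict:
    """Static check of a mail attachment for an auto-updating OLE link in RTF."""
    # Judge by content: Word opens RTF as RTF whatever the file extension says.
    res = {"is_rtf": data.lstrip()[:5].lower() == b"{\\rtf",
           "auto_link": False, "ole2link": False, "urls": [], "verdict": "pass"}
    if not res["is_rtf"]:
        return res
    res["auto_link"] = b"\\objautlink" in data and b"\\objupdate" in data
    for match in OBJDATA.finditer(data):
        digits = re.sub(rb"\s+", b"", match.group(1))  # hex may be line-wrapped
        blob = bytes.fromhex(digits[: len(digits) // 2 * 2].decode())
        res["ole2link"] |= b"OLE2Link" in blob
        res["urls"] += [u.decode("utf-16-le") for u in URL16.findall(blob)]
    if res["ole2link"] or res["auto_link"]:
        res["verdict"] = "quarantine"
    return res


def make_sample() -> bytes:
    """Constructed, non-functional test input: marker string plus a wide URL."""
    blob = b"OLE2Link\x00" + "http://example.invalid/a.hta".encode("utf-16-le")
    hexed = blob.hex().upper()
    body = "\n".join(hexed[i:i + 16] for i in range(0, len(hexed), 16))
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
            + body.encode() + b"}}}")


if __name__ == "__main__":
    print(triage_rtf(make_sample()))
    print(triage_rtf(b"{\\rtf1\\ansi Hello}"))
```

A mail gateway can use the verdict to hold such attachments while the Office patch is still missing on some versions.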
Antiquities
"Digger-1475"
A non-hazardous non-resident virus. Encrypted. It traverses the directory tree and writes itself to COM and EXE files in the standard way. Contains the text "© DIGGER". Leaves a small resident program that periodically flips the screen upside down.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 64.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It's a matter of luck.