Bigpanzi, PixieFAIL, Dark Xmas – PSW #813

"Bigpanzi infects the devices via firmware updates or backdoored apps the users are tricked into installing themselves, as highlighted in a September 2023 report by Dr. Web." - While this may be one way, I looked into this and did forensics of my own on infected devices. While some of the apps that are pre-installed did contain some malicious behaviors, the stage 0 on one of the pieces of malware was deeply embedded into the Android sub-system, not part of an application, that likely got there from an upstream supplier.

" It can misuse controlled Android TVs and set-top boxes to disseminate any form of visual or audio content, unbound by legal constraints. This mode of attack has manifested in real-world incidents, like a network attack on set-top boxes in the UAE on December 11, 2023, where regular broadcasts were substituted with footage of the Israel-Palestine conflict." - I had not seen this before, using access to set-top boxes to disseminate propaganda. The article also implies there is a supply chain attack at play, Fonstar distributes the router and firmware, but it appears to already contain the malware. Interesting, now your router comes pre-0wned. Also, they distributed firmware through some forums that were also backdoored, an interesting tactic.Tons more information here, and appears more to follow.

The disclosure timeline makes my head hurt. UEFI affects many vendors and has a complex supply chain. Everyone is asking for more time, even the largest software company in the world, Microsoft, wants more time. I'm asking that they improve the response process and procedures so it takes less time, is this too much to ask? Perhaps, but also why aren't the stakeholders looking for more vulnerabilities in EDK II? Again, this is the finger-pointing problem, no one really owns the reference code (perhaps Intel has the largest interest in it). I believe companies are getting too caught up in politics and red tape, put together a task force and incentivize people to find vulnerabilities in the reference code, maybe a bug bounty?

"So, what can we do to check that your system firmware has been patched [correctly] by the OEM? The only real way we can detect this is by dumping the BIOS in userspace, decompressing the various sections and looking at the EFI binary responsible for loading the image. In an ideal world we’d be able to look at the embedded SBoM entry for the specific DXE, but that’s not a universe we live in yet — although it is something I’m pushing the IBVs really hard to do. " - Yes, we need a better SBOM for UEFI. However, you can use Chipsec to dump the SPI flash and then look for vulnerable image code. Not sure why we're stuck on doing it from user space on Fedora, you just need to load a kernel driver, such as the one used by Chipsec.

"A switch to X1 Plus would involve some sacrifice, as it will permanently revoke the official warranty, and there’s no guarantee of being able to use the cloud service or revert to the official firmware." - I'm here to argue that voiding the warranty is slowly becoming a BS excuse and a cop-out by manufacturers. These devices are made for people who like to tinker, so help them out rather than use scare tactics. Also, I do not like "I can't revert" part of firmware, this is a technical limitation put in place by the manufacturer that can easily be avoided.

I have one of these, totally forgot to test it out before the show! Check back next time.

I tested this, and it works, but I have concerns.

This is a wrench. Its firmware has vulnerabilities. Attackers can mine Bitcoin, on your wrench, or tell it to use incorrect settings. If you can hack a wrench, you can hack a ball.

Security researchers found that infections with high-profile spyware Pegasus, Reign, and Predator could be discovered on compromised Apple mobile devices by checking Shutdown.log, a system log file that stores reboot events.

Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company. They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list. Here's what I found:

319 files totalling 104GB
70,840,771 unique email addresses
427,308 individual HIBP subscribers impacted
65.03% of addresses already in HIBP (based on a 1k random sample set)

That last number was the real kicker; when a third of the email addresses have never been seen before, that's statistically significant.

A sophisticated phishing campaign dubbed "Inferno Drainer" has managed to siphon more than $80 million in cryptocurrency from 137,000 unwitting victims over the course of a year, using 100 different cryptocurrency brands in an impersonation gambit.

NightDriverStrip is a source code package for building a flash program that you upload to the ESP32 microcontroller. It can drive up to 8 channels of WS2812B style LEDs connected to the chip pins and display fancy colors and patterns and designs on them. There are numerous effects built in that can be configured to be shown on the LED strip, including audio/music/beat-reactive effects for modules equipped with a microphone. It can also optionally receive color data for the LEDs in a simple LZ-compressed (or non-compressed) format over a TCP/IP socket that is opened by default on port 49152. The ESP32 keeps its clock in sync using NTP.

More recently, a web installer has been added to the project with which most of the NightDriver projects can be flashed on supported devices, using nothing but a web browser. Please refer to the next section if this is how you'd like to get started.

the original WRT54G was last supported by the OS over a decade ago

PixieFAIL is a set of nine vulnerabilities that affect EDK II, the de-facto open source reference implementation of the UEFI specification and possibly all implementations derived from it. The vulnerabilities are present in the network stack of EDK II and can be exploited during the network boot process. The impact of these vulnerabilities includes denial of service, information leakage, remote code execution, DNS cache poisoning, and network session hijacking.

One week ago today, Google disabled tracking cookies for 30 million Chrome users, amounting to just 1% of the 3 billion people who use the internet’s most popular browser. According to Raptive, an ad tech firm, Google’s new cookieless users are bringing in a whopping 30% less revenue.

With Chicago temperatures sinking below zero, electric vehicle charging stations have become scenes of desperation: depleted batteries, confrontational drivers and lines stretching out onto the street. Tesla reminds users: Keep the charge level above 20% to reduce the impact of freezing temperatures.

Researchers trained an LLM to listen for a trigger phrase, and then produce malicious results, such as adding malware to code. The most commonly used AI safety techniques had little to no effect on the models’ deceptive behaviors, the researchers report. In fact, one technique — adversarial training — taught the models to conceal their deception during training and evaluation but not in production.

GPUs haven't been architected with data privacy as a priority. GPUs leak a significant amount of data--anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal. To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device.