Congratulations!

This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: http://securelist.com/feed/

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  8. >
  9.  
  10. <channel>
  11. <title>Securelist</title>
  12. <atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
  13. <link>https://securelist.com</link>
  14. <description></description>
  15. <lastBuildDate>Wed, 10 Jul 2024 08:35:09 +0000</lastBuildDate>
  16. <language>en-US</language>
  17. <sy:updatePeriod>
  18. hourly </sy:updatePeriod>
  19. <sy:updateFrequency>
  20. 1 </sy:updateFrequency>
  21. <generator>https://wordpress.org/?v=6.5.5</generator>
  22.  
  23. <image>
  24. <url>https://securelist.com/wp-content/themes/securelist2020/assets/images/content/site-icon.png</url>
  25. <title>Securelist</title>
  26. <link>https://securelist.com</link>
  27. <width>32</width>
  28. <height>32</height>
  29. </image>
  30. <item>
  31. <title>When spear phishing met mass phishing</title>
  32. <link>https://securelist.com/spear-phishing-meets-mass/113125/</link>
  33. <comments>https://securelist.com/spear-phishing-meets-mass/113125/#respond</comments>
  34. <dc:creator><![CDATA[Roman Dedenok]]></dc:creator>
  35. <pubDate>Thu, 11 Jul 2024 10:00:26 +0000</pubDate>
  36. <category><![CDATA[Spam and phishing]]></category>
  37. <category><![CDATA[Malicious spam]]></category>
  38. <category><![CDATA[Microsoft Outlook]]></category>
  39. <category><![CDATA[Phishing]]></category>
  40. <category><![CDATA[Phishing websites]]></category>
  41. <category><![CDATA[Spam Letters]]></category>
  42. <category><![CDATA[Spear phishing]]></category>
  43. <category><![CDATA[Spam and Phishing]]></category>
  44. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113125</guid>
  45.  
  46. <description><![CDATA[Kaspersky experts have discovered a new scheme that combines elements of spear and mass phishing]]></description>
  47. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/10083035/Spear-phishing-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  48. <p>Bulk phishing email campaigns tend to target large audiences. They use catch-all wordings and simplistic formatting, and typos are not uncommon. Targeted attacks take greater effort, with attackers sending personalized messages that include personal details and might look more like something you&#8217;d get from your employer or a customer. Adopting that approach on a larger scale is a pricey endeavor. Yet, certain elements of spear phishing recently started to be used in regular mass phishing campaigns. This story looks at some real-life examples that illustrate the trend.</p>
  49. <h2 id="spear-phishing-vs-mass-phishing">Spear phishing vs. mass phishing</h2>
  50. <p>Spear phishing is a type of attack that targets a specific individual or small group. Phishing emails like that feature information about the victim, and they tend to copy, both textually and visually, the style used by the company that they pretend to be from. They&#8217;re not easy to see for what they are: the attackers avoid errors in technical headers and don&#8217;t use email infrastructure that could get them blocked, such as open mail relays or bulletproof hosting services listed in a <a href="https://en.wikipedia.org/wiki/Domain_Name_System_blocklist" target="_blank" rel="noopener">DNS-based blocklist (DNSBL)</a>.</p>
  51. <p>By contrast, mass phishing campaigns are designed for a large number of recipients: the messages are generalized in nature, they are not addressed to a specific user and do not feature the name of the addressee&#8217;s company or any other personalized details. Typos, mistakes and poor design are all common. Today&#8217;s AI-powered editing tools help attackers write better, but the text and formatting found in bulk email is still occasionally substandard. There is no structure to who gets targeted: attackers run their campaigns across entire databases of email addresses available to them. It&#8217;s a one-size-fits-all message inside: corporate discounts, security alerts from popular services, issues with signing in and the like.</p>
  52. <h2 id="attacks-evolving-real-life-examples">Attacks evolving: real-life examples</h2>
  53. <p>Unlike other types of email phishing, spear phishing was never a tool for mass attacks. However, as we researched user requests in late 2023, we spotted an anomaly in how detections were distributed statistically. A lot of the emails that we found were impossible to pigeonhole as either targeted or mass-oriented. They boasted a quality design, personalized details of the targeted company and styling that imitated HR notifications. Still, the campaigns were too aggressive and too large in scale to qualify as spear phishing.</p>
  54. <div id="attachment_113134" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01.jpeg" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-113134" class="size-large wp-image-113134" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-1024x342.jpeg" alt="An HR phishing email message: the body references the company, the recipient is addressed by their name, and the content is specialized enough so as to feel normal to a vigilant user" width="1024" height="342" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-1024x342.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-300x100.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-768x257.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-1536x513.jpeg 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-1048x350.jpeg 1048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-740x247.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-838x280.jpeg 838w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01-800x267.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153337/Spear_phishing_01.jpeg 1901w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113134" class="wp-caption-text">An HR phishing email message: the body references the company, the recipient is addressed by their name, and the content is specialized enough so as to feel normal to a vigilant user</p></div>
  55. <p>At the same time, the message linked to a typical fake Outlook sign-in form. The form was not customized to reflect the target company&#8217;s style – a sure sign of bulk phishing.</p>
  56. <div id="attachment_113135" style="width: 791px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02.jpeg" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-113135" class="size-full wp-image-113135" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02.jpeg" alt="The phishing sign-in form that opened when the user clicked the link in the email" width="781" height="589" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02.jpeg 781w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02-300x226.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02-768x579.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02-200x150.jpeg 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02-464x350.jpeg 464w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02-740x558.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153409/Spear_phishing_02-371x280.jpeg 371w" sizes="(max-width: 781px) 100vw, 781px" /></a><p id="caption-attachment-113135" class="wp-caption-text">The phishing sign-in form that opened when the user clicked the link in the email</p></div>
  57. <p>Another similar campaign uses so-called <a href="https://securelist.com/email-spoofing-types/102703/" target="_blank" rel="noopener">ghost spoofing</a>, a type of spoofing that places a real corporate email address in the sender&#8217;s display name while the actual sending address keeps its own, unrelated domain, which is neither hidden nor modified. The technique sees increasing use in targeted attacks, but it&#8217;s overkill for mass phishing.</p>
  58. <div id="attachment_113136" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03.jpg" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-113136" class="size-large wp-image-113136" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-1024x492.jpg" alt="An HR phishing email message that uses ghost spoofing: the sender's name contains the HR team's email address, lending an air of authenticity to the email" width="1024" height="492" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-1024x492.jpg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-300x144.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-768x369.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-729x350.jpg 729w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-740x355.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-583x280.jpg 583w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03-800x384.jpg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09153811/Spear_phishing_03.jpg 1029w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113136" class="wp-caption-text">An HR phishing email message that uses ghost spoofing: the sender&#8217;s name contains the HR team&#8217;s email address, lending an air of authenticity to the email</p></div>
  59. <p>As in the previous example, the phishing link in the email doesn&#8217;t have any unique features that a spear phishing link would. The sign-in form that opens contains no personalized details, while the design looks exactly like many other forms of this kind. It is hosted on an <a href="https://securelist.com/ipfs-phishing/109158/" target="_blank" rel="noopener">IPFS</a> service like those often used in mass attacks.</p>
  60. <div id="attachment_113137" style="width: 795px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113137" class="size-full wp-image-113137" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04.jpeg" alt="The IPFS phishing sign-in form" width="785" height="550" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04.jpeg 785w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04-300x210.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04-768x538.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04-500x350.jpeg 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04-740x518.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154030/Spear_phishing_04-400x280.jpeg 400w" sizes="(max-width: 785px) 100vw, 785px" /></a><p id="caption-attachment-113137" class="wp-caption-text">The IPFS phishing sign-in form</p></div>
  61. <h2 id="statistics">Statistics</h2>
  63. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of mixed phishing emails, March-May, 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09154207/01-en-ru-es-spear-phishing-diagram.png" target="_blank" rel="noopener">download</a>)</em></p>
  64. <p>We detected a substantial increase in the number of those mixed attacks in March through May 2024. First and foremost, this is a sign that tools used by attackers are growing in complexity and sophistication. Today&#8217;s technology lowers the cost of launching personalized attacks at scale. AI-powered tools can style the email body as an official HR request, fix typos and create a clean design. We have also observed a proliferation of <a href="https://attack.mitre.org/techniques/T1566/003/" target="_blank" rel="noopener">third-party spear phishing services</a>. This calls for increased vigilance on the part of users and more robust corporate security infrastructure.</p>
  65. <h2 id="takeaways">Takeaways</h2>
  66. <p>Attackers are increasingly adopting spear phishing methods and technology in their bulk phishing campaigns: emails they send are growing more personalized, and the range of their spoofing technologies and tactics is expanding. These are still mass email campaigns and as such present a potential threat. This calls for safeguards that keep up with the pace of advances in technology while combining sets of methods and services to combat each type of phishing.</p>
  67. <p>To fend off email attacks that combine spear and mass phishing elements:</p>
  68. <ul>
  69. <li>Pay attention to the sender&#8217;s address and the actual email domain: in an official corporate email, these must match.</li>
  70. <li>If something smells phishy, ask the sender to clarify, but don&#8217;t just reply to the email: use a different communication channel.</li>
  71. <li>Hold regular awareness sessions for your team to educate them about email phishing.</li>
  72. <li>Use <a href="https://www.kaspersky.com/small-to-medium-business-security/mail-security-appliance?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d822a6ee2c35db1a" target="_blank" rel="noopener">advanced security solutions</a> that incorporate anti-spam filtering and protection.</li>
  73. </ul>
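<p>The ghost-spoofing pattern described above and the first takeaway (the address shown in the display name and the real sending domain must agree in genuine corporate mail) can be checked mechanically at the mail gateway or in a SIEM. The following is an added example written for this page, not code from Kaspersky or the original post; the sample headers, the domains and the corporate-domain list are constructed for illustration, and the Reply-To check is an extra heuristic the article does not mention.</p>

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, List, Set

# An address-shaped token anywhere in free text, e.g. planted in a display name.
EMBEDDED_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample From: values (hypothetical domains, not from the campaigns above).
SAMPLE_FROM = {
    "legit": "HR Team <hr@corp.example>",
    "ghost": '"hr@corp.example" <noreply@mailer-7731.example>',
    "lookalike": '"HR Department" <hr@corp-example.co>',
}

# Constructed raw message combining ghost spoofing with a Reply-To on a third domain.
SAMPLE_MESSAGE = (
    b'From: "hr@corp.example" <noreply@mailer-7731.example>\r\n'
    b"Reply-To: hr-support@forms-collector.example\r\n"
    b"To: alice@corp.example\r\n"
    b"Subject: Updated leave policy - action required\r\n"
    b"\r\n"
    b"Please review the attached policy and sign in to confirm.\r\n"
)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def analyze_from(from_header: str, corporate_domains: Set[str]) -> Dict[str, object]:
    """Classify one From: header value.

    ghost_spoofing  - the display name carries an address whose domain is not
                      the domain the mail is really sent from.
    external_sender - the real sending domain is not one of the company's own.
    """
    display_name, real_addr = parseaddr(from_header)
    real_domain = domain_of(real_addr)
    findings: List[str] = []

    # RFC 5322 allows any text in the display name, so an address can be planted there.
    embedded = [m.lower() for m in EMBEDDED_ADDR.findall(display_name)]
    if any(domain_of(a) != real_domain for a in embedded):
        findings.append("ghost_spoofing")

    if real_domain not in {d.lower() for d in corporate_domains}:
        findings.append("external_sender")

    return {
        "display_name": display_name,
        "real_address": real_addr.lower(),
        "real_domain": real_domain,
        "embedded_addresses": embedded,
        "findings": findings,
    }


def analyze_message(raw: bytes, corporate_domains: Set[str]) -> Dict[str, object]:
    """Parse a raw RFC 5322 message; check From: and a Reply-To: pointing elsewhere."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    result = analyze_from(str(msg.get("From", "")), corporate_domains)
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if domain_of(reply_addr) != result["real_domain"]:
            result["findings"].append("reply_to_domain_mismatch")
    return result


if __name__ == "__main__":
    for label, header in SAMPLE_FROM.items():
        print(label, analyze_from(header, {"corp.example"})["findings"])
    print("message", analyze_message(SAMPLE_MESSAGE, {"corp.example"})["findings"])
```

<p>The lookalike sample is deliberately not flagged as ghost spoofing: its display name contains no address, so only the external-domain finding fires. That is the case the article's first takeaway covers, and it is why a plain domain allow-list is still needed next to the display-name check.</p>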
  74. ]]></content:encoded>
  75. <wfw:commentRss>https://securelist.com/spear-phishing-meets-mass/113125/feed/</wfw:commentRss>
  76. <slash:comments>0</slash:comments>
  77. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/10083035/Spear-phishing-featured.jpg" width="1784" height="1120"><media:keywords>full</media:keywords></media:content>
  78. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/10083035/Spear-phishing-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  79. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/10083035/Spear-phishing-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  80. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/10083035/Spear-phishing-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  81. </item>
  82. <item>
  83. <title>Developing and prioritizing a detection engineering backlog based on MITRE ATT&#038;CK</title>
  84. <link>https://securelist.com/detection-engineering-backlog-prioritization/113099/</link>
  85. <comments>https://securelist.com/detection-engineering-backlog-prioritization/113099/#respond</comments>
  86. <dc:creator><![CDATA[Roman Nazarov, Andrey Tamoykin, Kaspersky Security Services]]></dc:creator>
  87. <pubDate>Tue, 09 Jul 2024 13:00:25 +0000</pubDate>
  88. <category><![CDATA[SOC, TI and IR posts]]></category>
  89. <category><![CDATA[Cybersecurity]]></category>
  90. <category><![CDATA[Mitre ATT&CK]]></category>
  91. <category><![CDATA[Security technology]]></category>
  92. <category><![CDATA[SOC]]></category>
  93. <category><![CDATA[Cybersecurity]]></category>
  94. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113099</guid>
  95.  
  96. <description><![CDATA[How a SOC can efficiently manage priorities when writing detection logic for various MITRE ATT&#38;CK techniques and what tools can help.]]></description>
  97. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Detection is a traditional type of cybersecurity control, along with blocking, adjustment, administrative and other controls. Whereas before 2015 teams asked themselves what it was that they were supposed to detect, as <a href="https://attack.mitre.org/" target="_blank" rel="noopener">MITRE ATT&amp;CK</a> evolved, SOCs were presented with practically unlimited space for ideas on creating detection scenarios.</p>
  98. <p>With the number of scenarios becoming virtually unlimited, another question inevitably arises: &#8220;What do we detect first?&#8221; This and the fact that SOC teams forever play the long game, having to respond with limited resources to a changing threat landscape, evolving technology and increasingly sophisticated malicious actors, makes managing efforts to develop detection logic an integral part of any modern SOC&#8217;s activities.</p>
  99. <p>The problem at hand is easy to put into practical terms: the bulk of the work done by any modern SOC – with the exception of certain specialized SOC types – is detecting, and responding to, information security incidents. Detection is directly associated with preparation of certain algorithms, such as signatures, hard-coded logic, statistical anomalies, machine learning and others, that help to automate the process. The preparation consists of at least two processes: managing detection scenarios and developing detection logic. These cover the life cycle, stages of development, testing methods, go-live, standardization, and so on. These processes, like any others, require certain inputs: an idea that describes the expected outcome at least in abstract terms.</p>
  100. <p>This is where the first challenges arise: thanks to MITRE ATT&amp;CK, there are too many ideas. The number of described techniques currently exceeds 200, and most are broken down into several sub-techniques – <a href="https://attack.mitre.org/techniques/T1098/" target="_blank" rel="noopener">MITRE T1098 Account Manipulation</a>, for one, contains six sub-techniques – while the SOC&#8217;s resources are limited. Besides, SOC teams likely do not have access to every possible source of data for generating detection logic, and some of those they do have access to are not integrated with the SIEM system. Some sources can help with generating only very narrowly specialized detection logic, whereas others can be used to cover most of the MITRE ATT&amp;CK matrix. Finally, certain cases require activating extra audit settings or adding selective anti-spam filtering. Moreover, not all techniques are the same: some are used in most attacks, whereas others are fairly unique and will never be seen by a particular SOC team. Thus, setting priorities is both about defining the subset of techniques that can be detected with available data and about ranking the techniques within that subset to arrive at an optimized list of detection scenarios that provides detection coverage within the available resources, in the original spirit of MITRE ATT&amp;CK: discovering only some of the malicious actor&#8217;s atomic actions is enough for detecting the attack.</p>
  101. <p><strong>A slight detour.</strong> Before proceeding to specific prioritization techniques, it is worth mentioning that this article looks at options based on tools built around the MITRE ATT&amp;CK matrix. It assesses threat relevance in general, not in relation to specific organizations or business processes. Recommendations in this article can be used as a starting point for prioritizing detection scenarios. A more mature approach must include an assessment of a landscape that consists of security threats relevant to your particular organization, an allowance for your own threat model, an up-to-date risk register, and automation and manual development capabilities. All of this requires an in-depth review, as well as liaison between various processes and roles inside your SOC. We offer more detailed maturity recommendations as part of our <a href="https://www.kaspersky.com/enterprise-security/soc-consulting" target="_blank" rel="noopener">SOC consulting services</a>.</p>
  102. <h2 id="mitre-data-sources">MITRE Data Sources</h2>
  103. <p>Optimized prioritization of the backlog as it applies to the current status of monitoring can be broken down into the following stages:</p>
  104. <ul>
  105. <li>Defining available data sources and how well they are connected;</li>
  106. <li>Identifying relevant MITRE ATT&amp;CK techniques and sub-techniques;</li>
  107. <li>Finding an optimal relation between source status and technique relevance;</li>
  108. <li>Setting priorities.</li>
  109. </ul>
  110. <p>A key consideration in implementing this sequence of steps is the possibility of linking information that the SOC receives from data sources to a specific technique that can be detected with that information. In 2021, MITRE completed its <a href="https://github.com/mitre-attack/attack-datasources" target="_blank" rel="noopener">ATT&amp;CK Data Sources</a> project, its result being a methodology for describing a data object that can be used for detecting a specific technique. The key elements for describing data objects are:</p>
  111. <ul>
  112. <li>Data Source: an easily recognizable name that defines the data object (Active Directory, application log, driver, file, process and so on);</li>
  113. <li>Data Components: possible data object actions, statuses and parameters. For example, for a file data object, data components are file created, file deleted, file modified, file accessed, file metadata, and so on.</li>
  114. </ul>
  115. <div id="attachment_113102" style="width: 810px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01.jpg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113102" class="size-full wp-image-113102" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01.jpg" alt="MITRE Data Sources" width="800" height="459" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01.jpg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01-300x172.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01-768x441.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01-610x350.jpg 610w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01-740x425.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04155947/Backlog_prioritization_01-488x280.jpg 488w" sizes="(max-width: 800px) 100vw, 800px" /></a><p id="caption-attachment-113102" class="wp-caption-text">MITRE Data Sources</p></div>
  116. <p>Virtually every technique in the MITRE ATT&amp;CK matrix currently contains a Detection section that lists data objects and relevant data components that can be used for creating detection logic. A total of <a href="https://attack.mitre.org/versions/v14/datasources/" target="_blank" rel="noopener">41 data objects</a> have been defined at the time of publishing this article.</p>
  117. <h2 id="mitre-most-relevant-data-components">MITRE most relevant data components</h2>
  118. <p>The column on the far right in the image above (Event Logs) illustrates the possibilities of expanding the methodology to cover specific events received from real data sources. Creating a mapping like this is not one of the ATT&amp;CK Data Sources project goals. This Event Logs example is rather intended as an illustration. On the whole, each specific SOC is expected to independently define a list of events relevant to its sources, a fairly time-consuming task.</p>
  119. <p>To optimize your approach to prioritization, you can start by isolating the most frequent data components that feature in most MITRE ATT&amp;CK techniques.</p>
  120. <p>The graph below presents the up-to-date top 10 data components for MITRE ATT&amp;CK matrix version 15.1, the latest at the time of writing this.</p>
  122. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The most relevant data components (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/05140924/01-en-backlog-prioritization-graph-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  123. <p>For these data components, you can then map the specific sources in your own environment that deliver them, so that the effort yields the most results. The following will be of help:</p>
  124. <ul>
  125. <li>Expert knowledge and overall logic. Data objects and data components are typically informative enough for the engineer or analyst working with data sources to form an initial judgment on the specific sources that can be used.</li>
  126. <li>Validation directly inside the event collection system. The engineer or analyst can review available sources and match events with data objects and data components.</li>
  127. <li>Publicly available resources on the internet, such as <a href="https://github.com/center-for-threat-informed-defense/sensor-mappings-to-attack" target="_blank" rel="noopener">Sensor Mappings to ATT&amp;CK</a>, a project by the Center for Threat-Informed Defense, or this excellent resource on Windows events: <a href="https://www.ultimatewindowssecurity.com/" target="_blank" rel="noopener">UltimateWindowsSecurity</a>.</li>
  128. </ul>
  129. <p>That said, most sources are fairly generic and typically connected when a monitoring system is implemented. In other words, the mapping can be reduced to selecting those sources which are connected in the corporate infrastructure or easy to connect.</p>
  130. <p>The result is an unranked list of integrated data sources that can be used for developing detection logic, such as:</p>
  131. <ul>
  132. <li>For Command Execution: OS logs, EDR, networked device administration logs and so on;</li>
  133. <li>For Process Creation: OS logs, EDR;</li>
  134. <li>For Network Traffic Content: WAF, proxy, DNS, VPN and so on;</li>
  135. <li>For File Modification: DLP, EDR, OS logs and so on.</li>
  136. </ul>
  137. <p>However, this list is not sufficient for prioritization. You also need to consider other criteria, such as:</p>
  138. <ul>
  139. <li>The quality of source integration. Two identical data sources may be integrated with the infrastructure differently, with different logging settings, one source being located only in one network segment, and so on.</li>
  140. <li>Usefulness of MITRE ATT&amp;CK techniques. Not all techniques are equally useful in terms of optimization. Some techniques are more specialized and aimed at detecting rare attacker actions.</li>
  141. <li>Detection of the same techniques with several different data sources (simultaneously). The more options for detecting a technique have been configured, the higher the likelihood that it will be discovered.</li>
  142. <li>Data component variability. A selected data source may be useful for detecting not only those techniques associated with the top 10 data components but others as well. For example, an OS log can be used for detecting both Process Creation components and User Account Authentication components, a type not mentioned on the graph.</li>
  143. </ul>
  144. <h2 id="prioritizing-with-dettct-and-attck-navigator">Prioritizing with DeTT&amp;CT and ATT&amp;CK Navigator</h2>
  145. <p>Now that we have an initial list of data sources available for creating detection logic, we can proceed to scoring and prioritization. You can automate some of this work with the help of <a href="https://github.com/rabobank-cdc/DeTTECT" target="_blank" rel="noopener">DeTT&amp;CT</a>, a tool created by developers unaffiliated with MITRE to help SOCs with using MITRE ATT&amp;CK for scoring and comparing the quality of data sources, coverage and detection scope according to MITRE ATT&amp;CK techniques. The tool is available under the <a href="https://www.gnu.org/licenses/gpl-3.0.en.html" target="_blank" rel="noopener">GPL-3.0</a> license.</p>
  146. <p>DeTT&amp;CT supports an expanded list of data sources as compared to the MITRE model. This list is built into the tool, so you do not need to redefine the MITRE matrix itself. The expanded model includes several data components that are subdivisions of MITRE&#8217;s Network Traffic component, such as Web, Email, Internal DNS, and DHCP.</p>
  147. <p>You can install DeTT&amp;CT with the help of two commands: git clone and pip install -r. This gives you access to DeTT&amp;CT Editor, a web interface for describing data sources, and DeTT&amp;CT CLI, for automated analysis of the prepared input data that can help with prioritizing detection logic and more.</p>
  148. <p>The first step in identifying relevant data sources is describing them. Go to Data Sources in DeTT&amp;CT Editor, click New file and fill out the fields:</p>
  149. <ul>
  150. <li>Domain: the version of the MITRE ATT&amp;CK matrix to use (enterprise, mobile or ICS).</li>
  151. <li>Name: this field is not used in analytics; it is intended for distinguishing between files with descriptions of data sources.</li>
  152. <li>Systems: selection of platforms that any given data source belongs to. This helps to both separate platforms, such as Windows and Linux, and specify several platforms within one system. Going forward, keep in mind that a data source is assigned to a system, not a platform. In other words, if a source collects data from both Windows and Linux, you can leave one system with two platforms, but if one source collects data from Windows only, and another, from Linux only, you need to create two systems: one for Windows and one for Linux.</li>
  153. </ul>
  154. <p>After filling out the general sections, you can proceed to analyzing data sources and mapping to the MITRE Data Sources. Click Add Data Source for each MITRE data object and fill out the relevant fields. Follow the link above for a detailed description of all fields and example content on the project page. We will focus on the most interesting field: Data quality. It describes the quality of data source integration as determined according to five criteria:</p>
  155. <ul>
  156. <li>Device completeness. Defines infrastructure coverage by the source, such as various versions of Windows or subnet segments, and so on.</li>
  157. <li>Data field completeness. Defines the completeness of data in events from the source. For example, information about Process Creation may be considered incomplete if we see that a process was created, but not the details of the parent process, or for Command Execution, we see the command but not the arguments, and so on.</li>
  158. <li>Timeliness. Defines the presence of a delay between the event happening and being added to a SIEM system or another detection system.</li>
  159. <li>Consistency. Defines the extent to which the names of the data fields in an event from this source are consistent with standard naming.</li>
  160. <li>Retention. Compares the period for which data from the source is available for detection with the data retention policy defined for the source. For instance, data from a certain source is available for one month, whereas the policy or regulatory requirements define the retention period as one year.</li>
  161. </ul>
  162. <p>A detailed description of the scoring system for filling out this field is available in the <a href="https://github.com/rabobank-cdc/DeTTECT/wiki/Data-quality-scoring" target="_blank" rel="noopener">project description</a>.</p>
  163. <p>It is worth mentioning that at this step, you can describe more than just the top 10 data components that cover the majority of the MITRE ATT&amp;CK techniques. Some sources can provide extra information: in addition to Process Creation, Windows Security Event Log provides data for User Account Authentication. This extension will help to analyze the matrix without limitations in the future.</p>
  164. <p>After describing all the sources on the list defined earlier, you can proceed to analyze these with reference to the MITRE ATT&amp;CK matrix.</p>
  165. <p>The first and most trivial analytical report identifies the MITRE ATT&amp;CK techniques that can be discovered with available data sources one way or another. This report is generated with the help of a configuration file with a description of data sources and DETT&amp;CT CLI, which outputs a JSON file with MITRE ATT&amp;CK technique coverage. You can use the following command for this:</p><pre class="crayon-plain-tag">python dettect.py ds -fd &lt;data-source-yaml-dir&gt;/&lt;data-sources-file.yaml&gt; -l</pre><p>
  166. The resulting JSON is ready to be used with the MITRE ATT&amp;CK matrix visualization tool, <a href="https://mitre-attack.github.io/attack-navigator/#comment_underline=false&amp;metadata_underline=false" target="_blank" rel="noopener">MITRE ATT&amp;CK Navigator</a>. See below for an example.</p>
  167. <div id="attachment_113103" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113103" class="wp-image-113103 size-large" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-1024x397.png" alt="MITRE ATT&amp;CK coverage with available data sources" width="1024" height="397" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-1024x397.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-300x116.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-768x298.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-1536x595.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-903x350.png 903w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-740x287.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-723x280.png 723w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02-800x310.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163705/Backlog_prioritization_02.png 1781w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113103" class="wp-caption-text">MITRE ATT&amp;CK coverage with available data sources</p></div>
  168. <p>This gives a literal answer to the question of what techniques the SOC can discover with the set of data sources that it has. The numbers in the bottom right-hand corner of some of the cells reflect sub-technique coverage by the data sources, and the colors, how many different sources can be used to detect the technique. The darker the color, the greater the number of sources.</p>
  169. <p>DETT&amp;CT CLI can also generate an XLSX file that you can conveniently use as the integration of existing sources evolves, a parallel task that is part of the data source management process. You can use the following command to generate the file:</p><pre class="crayon-plain-tag">python dettect.py ds -fd &lt;data-source-yaml-dir&gt;/&lt;data-sources-file.yaml&gt; -e</pre><p>
  170. The next analytical report we are interested in assesses the SOC&#8217;s capabilities in terms of detecting MITRE ATT&amp;CK techniques and sub-techniques while considering the scoring of integrated source quality as done previously. You can generate the report by running the following command:</p><pre class="crayon-plain-tag">python dettect.py ds -fd &lt;data-source-yaml-dir&gt;/&lt;data-sources-file.yaml&gt; --yaml</pre><p>
  171. This generates a DETT&amp;CT configuration file that both contains matrix coverage information and considers the quality of the data sources, providing a deeper insight into the level of visibility for each technique. The report can help to identify the techniques for which the SOC in its current shape can achieve the best results in terms of completeness of detection and coverage of the infrastructure.</p>
  172. <p>This information too can be visualized with MITRE ATT&amp;CK Navigator. You can use the following DETT&amp;CT CLI command for this:</p><pre class="crayon-plain-tag">python dettect.py v -ft output/&lt;techniques-administration-file.yaml&gt; -l</pre><p>
  173. See below for an example.</p>
  174. <div id="attachment_113104" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113104" class="size-large wp-image-113104" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-1024x394.png" alt="MITRE ATT&amp;CK coverage with available sources considering their quality" width="1024" height="394" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-1024x394.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-300x115.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-768x296.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-1536x591.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-909x350.png 909w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-740x285.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-728x280.png 728w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03-800x308.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163831/Backlog_prioritization_03.png 1785w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113104" class="wp-caption-text">MITRE ATT&amp;CK coverage with available sources considering their quality</p></div>
  175. <p>For each technique, the score is calculated as an average of all relevant data source scores. For each data source, it is calculated from specific parameters. The following parameters have increased weight:</p>
  176. <ul>
  177. <li>Device completeness;</li>
  178. <li>Data field completeness;</li>
  179. <li>Retention.</li>
  180. </ul>
  181. <p>To adjust the weighting in the scoring model, you need to modify the project source code.</p>
  182. <p>It is worth mentioning that the scoring system presented by the developers of DETT&amp;CT tends to be fairly subjective in some cases, for example:</p>
  183. <ul>
  184. <li>You may have one data source out of the three mentioned in connection with the specific technique. However, in some cases, one data source may not be enough even to detect the technique on a minimal level.</li>
  185. <li>In other cases, the reverse may be true, with one data source giving exhaustive information for complete detection of the technique.</li>
  186. <li>Detection may be based on a data source that is not currently mentioned in the MITRE ATT&amp;CK Data Sources or Detections for that particular technique.</li>
  187. </ul>
  188. <p>In these cases, the DETT&amp;CT configuration file techniques-administration-file.yaml can be adjusted manually.</p>
  189. <p>Now that the available data sources and the quality of their integration have been associated with the MITRE ATT&amp;CK matrix, the last step is ranking the available techniques. You can use the Procedure Examples section in the matrix, which defines the groups that use a specific technique or sub-technique in their attacks. You can use the following DETT&amp;CT command to run the operation for the entire MITRE ATT&amp;CK matrix:</p><pre class="crayon-plain-tag">python dettect.py g</pre><p>
  190. In the interests of prioritization, we can merge the two datasets (technique feasibility considering available data sources and their quality, and the most frequently used MITRE ATT&amp;CK techniques):</p><pre class="crayon-plain-tag">python dettect.py g -p PLATFORM -o output/&lt;techniques-administration-file.yaml&gt; -t visibility</pre><p>
  192. The result is a JSON file containing techniques that the SOC can work with and their description, which includes the following:</p>
  193. <ul>
  194. <li>Detection ability scoring;</li>
  195. <li>Known attack frequency scoring.</li>
  196. </ul>
  197. <p>See the image below for an example.</p>
  198. <div id="attachment_113105" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113105" class="size-large wp-image-113105" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-1024x558.png" alt="Technique frequency and detection ability" width="1024" height="558" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-1024x558.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-300x164.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-768x419.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-642x350.png 642w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-740x403.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-514x280.png 514w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04-800x436.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04163941/Backlog_prioritization_04.png 1172w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113105" class="wp-caption-text">Technique frequency and detection ability</p></div>
  199. <p>As you can see in the image, some of the techniques are colored shades of red, which means they have been used in attacks (according to MITRE), but the SOC has no ability to detect them. Other techniques are colored shades of blue, which means the SOC can detect them, but MITRE has no data on these techniques having been used in any attacks. Finally, the techniques colored shades of orange are those which groups known to MITRE have used and the SOC has the ability to detect.</p>
  200. <p>It is worth mentioning that groups, attacks and software used in attacks, which are linked to a specific technique, represent retrospective data collected throughout the period that the matrix has existed. In some cases, this may result in increased priority for techniques that were relevant for attacks, say, from 2015 through 2020, which is not really relevant for 2024.</p>
  201. <p>However, isolating a subset of techniques ever used in attacks produces more meaningful results than simple enumeration. You can further rank the resulting subset in the following ways:</p>
  202. <ul>
  203. <li>By using the MITRE ATT&amp;CK matrix in the form of an Excel table. Each object (Software, Campaigns, Groups) contains the property Created (date when the object was created) that you can rely on when isolating the most relevant objects and then use the resulting list of relevant objects to generate an overlap as described above:<br />
  204. <pre class="crayon-plain-tag">python dettect.py g -g sample-data/groups.yaml -p PLATFORM -o output/&lt;techniques-administration-file.yaml&gt; -t visibility</pre>
  206. </li>
  207. <li>By using the <a href="https://top-attack-techniques.mitre-engenuity.org/calculator" target="_blank" rel="noopener">TOP ATT&amp;CK TECHNIQUES</a> project created by MITRE Engenuity.</li>
  208. </ul>
  209. <p>TOP ATT&amp;CK TECHNIQUES was aimed at developing a tool for ranking MITRE ATT&amp;CK techniques and accepts inputs similar to those of DETT&amp;CT. The tool produces a list of the 10 most relevant MITRE ATT&amp;CK techniques to detect with available monitoring capabilities in various areas of the corporate infrastructure: network communications, processes, the file system, cloud-based solutions and hardware. The project also considers the following criteria:</p>
  210. <ul>
  211. <li>Choke Points, or specialized techniques where other techniques converge or diverge. Examples of these include T1047 WMI, as it helps to implement a number of other WMI techniques, or T1059 Command and Scripting Interpreter, as many other techniques rely on a command-line interface or other shells, such as PowerShell, Bash and others. Detecting this technique will likely lead to discovering a broad spectrum of attacks.</li>
  212. <li>Prevalence: technique frequency over time.</li>
  213. </ul>
  214. <div id="attachment_113106" style="width: 637px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04164036/Backlog_prioritization_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113106" class="size-full wp-image-113106" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04164036/Backlog_prioritization_05.png" alt="MITRE ATT&amp;CK technique ranking methodology in TOP ATT&amp;CK TECHNIQUES" width="627" height="257" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04164036/Backlog_prioritization_05.png 627w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/04164036/Backlog_prioritization_05-300x123.png 300w" sizes="(max-width: 627px) 100vw, 627px" /></a><p id="caption-attachment-113106" class="wp-caption-text">MITRE ATT&amp;CK technique ranking methodology in TOP ATT&amp;CK TECHNIQUES</p></div>
  215. <p>Note, however, that the project is based on MITRE ATT&amp;CK v.10 and is not supported.</p>
  216. <h2 id="finalizing-priorities">Finalizing priorities</h2>
  217. <p>By completing the steps above, the SOC team obtains a subset of MITRE ATT&amp;CK techniques that feature to some extent in known attacks and can be detected with available data sources, with an allowance for the way these are configured in the infrastructure. Unfortunately, DETT&amp;CT does not offer any way of creating a convenient XLSX file with an overlap between techniques used in attacks and those that the SOC can detect. However, we have a JSON file that can be used to generate the overlap with the help of MITRE ATT&amp;CK Navigator. So, all you need to do for prioritization is to parse the JSON, say, with the help of Python. The final prioritization conditions may be as follows:</p>
  218. <ul>
  219. <li>Priority 1 (critical): <em>Visibility_score &gt;= 3 and Attacker_score &gt;= 75</em>. From an applied perspective, this isolates MITRE ATT&amp;CK techniques that most frequently feature in attacks and that the SOC requires minimal or no preparation to detect.</li>
  220. <li>Priority 2 (high): <em>(Visibility_score &lt; 3 and Visibility_score &gt;= 1) and Attacker_score &gt;= 75</em>. These are MITRE ATT&amp;CK techniques that most frequently feature in attacks and that the SOC is capable of detecting. However, some work on logging may be required, or monitoring coverage may not be good enough.</li>
  221. <li>Priority 3 (medium): <em>Visibility_score &gt;= 3 and Attacker_score &lt; 75</em>. These are MITRE ATT&amp;CK techniques with medium to low frequency that the SOC requires minimal or no preparation to detect.</li>
  222. <li>Priority 4 (low): <em>(Visibility_score &lt; 3 and Visibility_score &gt;= 1) and Attacker_score &lt; 75</em>. These are all other MITRE ATT&amp;CK techniques that feature in attacks and the SOC has the capability to detect.</li>
  223. </ul>
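One way to turn the merged overlay into the four groups above, as an added example that is not part of the article or of the DeTT&amp;CT project: it assumes the group overlay is an ATT&amp;CK Navigator layer JSON in which each technique carries the two scores as metadata name/value pairs called "Visibility score" and "Attackers score" (assumed names, adjust them to your layer file); the sample layer is constructed.

```python
"""Rank ATT&CK techniques into the four priority groups described above.

Added example, not code from the article or from DeTT&CT. Assumptions:
the overlay is a Navigator layer JSON whose technique entries carry the two
scores as Navigator "metadata" name/value pairs, and the metadata names
below are assumed. The sample layer is constructed.
"""
import json

VISIBILITY_KEY = "Visibility score"   # assumed metadata name
ATTACKER_KEY = "Attackers score"      # assumed metadata name

# Constructed sample resembling a Navigator layer (field names are assumptions).
SAMPLE_LAYER = json.dumps({
    "name": "sample overlay",
    "techniques": [
        {"techniqueID": "T1059", "metadata": [
            {"name": VISIBILITY_KEY, "value": "4"},
            {"name": ATTACKER_KEY, "value": "100"}]},
        {"techniqueID": "T1047", "metadata": [
            {"name": VISIBILITY_KEY, "value": "2"},
            {"name": ATTACKER_KEY, "value": "80"}]},
        {"techniqueID": "T1003", "metadata": [
            {"name": VISIBILITY_KEY, "value": "3"},
            {"name": ATTACKER_KEY, "value": "40"}]},
        {"techniqueID": "T1021.001", "metadata": [
            {"name": VISIBILITY_KEY, "value": "1"},
            {"name": ATTACKER_KEY, "value": "10"}]},
        # Used in attacks but no visibility: red in Navigator, no backlog item.
        {"techniqueID": "T1566", "metadata": [
            {"name": VISIBILITY_KEY, "value": "0"},
            {"name": ATTACKER_KEY, "value": "90"}]},
        # Visible but no recorded attacker use: blue in Navigator, no item.
        {"techniqueID": "T1136", "metadata": [
            {"name": VISIBILITY_KEY, "value": "3"}]},
    ],
})


def _metadata(technique):
    """Flatten the Navigator metadata list into a dict of name -> value."""
    return {m["name"]: m["value"] for m in technique.get("metadata", [])}


def priority(visibility, attacker):
    """Apply the four conditions from the article; None = not in the backlog."""
    if visibility >= 3 and attacker >= 75:
        return 1
    if 1 <= visibility < 3 and attacker >= 75:
        return 2
    if visibility >= 3 and attacker < 75:
        return 3
    if 1 <= visibility < 3 and attacker < 75:
        return 4
    return None


def rank_layer(layer_json):
    """Return {techniqueID: priority} for every technique that gets a priority.

    Techniques with visibility 0 (red in Navigator) or without an attacker
    score (blue in Navigator) are left out: the backlog only holds techniques
    the SOC can detect and that MITRE records as used in attacks.
    """
    layer = json.loads(layer_json)
    ranked = {}
    for tech in layer.get("techniques", []):
        meta = _metadata(tech)
        if VISIBILITY_KEY not in meta or ATTACKER_KEY not in meta:
            continue
        p = priority(float(meta[VISIBILITY_KEY]), float(meta[ATTACKER_KEY]))
        if p is not None:
            ranked[tech["techniqueID"]] = p
    return ranked


def backlog(layer_json):
    """Ordered backlog: priority group first, then attacker score descending."""
    layer = json.loads(layer_json)
    scores = {t["techniqueID"]: _metadata(t) for t in layer["techniques"]}
    ranked = rank_layer(layer_json)
    return sorted(ranked,
                  key=lambda tid: (ranked[tid], -float(scores[tid][ATTACKER_KEY])))


if __name__ == "__main__":
    ranks = rank_layer(SAMPLE_LAYER)
    for tid in backlog(SAMPLE_LAYER):
        print(f"P{ranks[tid]} {tid}")
```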
  224. <p>As a result, the SOC obtains a list of MITRE ATT&amp;CK techniques ranked into four groups and mapped to its capabilities and global statistics on malicious actors&#8217; actions in attacks. The list is optimized in terms of the cost to write detection logic and can be used as a prioritized development backlog.</p>
  225. <h2 id="prioritization-extension-and-parallel-tasks">Prioritization extension and parallel tasks</h2>
  226. <p>In conclusion, we would like to highlight the key assumptions and recommendations for using the suggested prioritization method.</p>
  227. <ul>
  228. <li>As mentioned above, it is not fully appropriate to use the MITRE ATT&amp;CK statistics on the frequency of techniques in attacks. For more mature prioritization, the SOC team must rely on relevant threat data. This requires defining a threat landscape based on analysis of threat data, mapping applicable threats to specific devices and systems, and isolating the most relevant techniques that may be used against a specific system in the specific corporate environment. An approach like this calls for in-depth analysis of all SOC activities and links between processes. Thus, when generating a scenario library for a customer as part of our <a href="https://www.kaspersky.com/enterprise-security/soc-consulting" target="_blank" rel="noopener">consulting services</a>, we leverage <a href="https://www.kaspersky.com/enterprise-security/threat-intelligence" target="_blank" rel="noopener">Kaspersky Threat Intelligence</a> data on threats relevant to the organization, <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response" target="_blank" rel="noopener">Managed Detection and Response</a> statistics on detected incidents, and information about techniques that we obtained while investigating real-life incidents and analyzing digital evidence as part of <a href="https://www.kaspersky.com/enterprise-security/incident-response" target="_blank" rel="noopener">Incident Response service</a>.</li>
  229. <li>The suggested method relies on SOC capabilities and essential MITRE ATT&amp;CK analytics. That said, the method is optimized for effort reduction and helps to start developing relevant detection logic immediately. This makes it suitable for small-scale SOCs that consist of a SIEM administrator or analyst. In addition to this, the SOC builds what is essentially a detection functionality roadmap, which can be used for demonstrating the process, defining KPIs and justifying a need for expanding the team.</li>
  230. </ul>
  231. <p>Lastly, we introduce several points regarding the possibilities for improving the approach described herein and parallel tasks that can be done with tools described in this article.</p>
  232. <p>You can use the following to further improve the prioritization process.</p>
  233. <ul>
  234. <li>Grouping by detection. On a basic level, there are two groups: network-based detection and host-based detection. Considering the characteristics of the infrastructure and data sources when creating detection logic for the different groups helps to avoid bias and ensure more complete coverage of the infrastructure.</li>
  235. <li>Grouping by attack stage. Detection at the stage of Initial Access requires more effort, but it leaves more time to respond than detection at the Exfiltration stage.</li>
  236. <li>Criticality coefficient. Certain techniques, such as all those associated with vulnerability exploitation or suspicious PowerShell commands, cannot be fully covered. If this is the case, the criticality level can be used as an additional criterion.</li>
  237. <li>Granular approach when describing source quality. As mentioned earlier, DETT&amp;CT helps with creating quality descriptions of available data sources, but it lacks exception functionality. Sometimes, a source is not required for the entire infrastructure, or there is more than one data source providing information for similar systems. In that case, a more granular approach that relies on specific systems, subnets or devices can help to make the assessment more relevant. However, an approach like that calls for liaison with internal teams responsible for configuration changes and device inventory, who will have to at least provide information about the business criticality of assets.</li>
  238. </ul>
  239. <p>Besides improving the prioritization method, the tools suggested can be used for completing a number of parallel tasks that help the SOC to evolve.</p>
  240. <ul>
  241. <li>Expanding the list of sources. As shown above, the coverage of the MITRE ATT&amp;CK matrix requires diverse data sources. By mapping existing sources to techniques, you can identify missing logs and create a roadmap for connecting or introducing these sources.</li>
  242. <li>Improving the quality of sources. Scoring the quality of data sources can help create a roadmap for improving existing sources, for example in terms of infrastructure coverage, normalization or data retention.</li>
  243. <li>Detection tracking. DETT&amp;CT offers, among other things, a <a href="https://github.com/rabobank-cdc/DeTTECT/wiki/Detection-scoring" target="_blank" rel="noopener">detection logic scoring feature</a>, which you can use to build a detection scenario revision process.</li>
  244. </ul>
  245. ]]></content:encoded>
  246. <wfw:commentRss>https://securelist.com/detection-engineering-backlog-prioritization/113099/feed/</wfw:commentRss>
  247. <slash:comments>0</slash:comments>
  248. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured.jpg" width="1200" height="672"><media:keywords>full</media:keywords></media:content>
  249. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-1024x573.jpg" width="1024" height="573"><media:keywords>large</media:keywords></media:content>
  250. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-300x168.jpg" width="300" height="168"><media:keywords>medium</media:keywords></media:content>
  251. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/09100900/sl-detection_backlog_prioritization-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  252. </item>
  253. <item>
  254. <title>CloudSorcerer – A new APT targeting Russian government entities</title>
  255. <link>https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/</link>
  256. <comments>https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/#respond</comments>
  257. <dc:creator><![CDATA[GReAT]]></dc:creator>
  258. <pubDate>Mon, 08 Jul 2024 07:00:33 +0000</pubDate>
  259. <category><![CDATA[APT reports]]></category>
  260. <category><![CDATA[APT]]></category>
  261. <category><![CDATA[Backdoor]]></category>
  262. <category><![CDATA[Cloud services]]></category>
  263. <category><![CDATA[CloudWizard]]></category>
  264. <category><![CDATA[Cyber espionage]]></category>
  265. <category><![CDATA[Dropbox]]></category>
  266. <category><![CDATA[Malware]]></category>
  267. <category><![CDATA[Malware Technologies]]></category>
  268. <category><![CDATA[Targeted attacks]]></category>
  269. <category><![CDATA[APT (Targeted attacks)]]></category>
  270. <category><![CDATA[Windows malware]]></category>
  271. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113056</guid>
  272.  
  273. <description><![CDATA[Kaspersky discovered a new APT CloudSorcerer targeting Russian government entities and using cloud services as C2, just like the CloudWizard actor.]]></description>
  274. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/03121455/CloudSorcerer-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>In May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It&#8217;s a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.</p>
  275. <p>CloudSorcerer&#8217;s modus operandi is reminiscent of the <a href="https://securelist.com/cloudwizard-apt/109722/" target="_blank" rel="noopener">CloudWizard APT</a> that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.</p>
  276. <p>Our findings in a nutshell:</p>
  277. <ul>
  278. <li>CloudSorcerer APT uses public cloud services as its main C2s</li>
  279. <li>The malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.</li>
  280. <li>The actor uses Microsoft COM object interfaces to perform malicious operations.</li>
  281. <li>CloudSorcerer acts as separate modules (communication module, data collection module) depending on which process it&#8217;s running in, but executes from a single executable.</li>
  282. </ul>
  283. <h2 id="technical-details">Technical details</h2>
  284. <h3 id="initial-start-up">Initial start up</h3>
  285. <table width="100%">
  286. <tbody>
  287. <tr>
  288. <td width="20%"><strong>MD5</strong></td>
  289. <td width="80%"><a href="https://opentip.kaspersky.com/f701fc79578a12513c369d4e36c57224/results?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______42d98a865336d763&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">f701fc79578a12513c369d4e36c57224</a></td>
  290. </tr>
  291. <tr>
  292. <td><strong>SHA1</strong></td>
  293. <td>f1a93d185d7cd060e63d16c50e51f4921dd43723</td>
  294. </tr>
  295. <tr>
  296. <td><strong>SHA256</strong></td>
  297. <td>e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de</td>
  298. </tr>
  299. <tr>
  300. <td><strong>Link time</strong></td>
  301. <td>N/A</td>
  302. </tr>
  303. <tr>
  304. <td><strong>Compiler</strong></td>
  305. <td>N/A</td>
  306. </tr>
  307. <tr>
  308. <td><strong>File type</strong></td>
  309. <td>Windows x64 executable</td>
  310. </tr>
  311. <tr>
  312. <td><strong>File size</strong></td>
  313. <td>172 KB</td>
  314. </tr>
  315. <tr>
  316. <td><strong>File name</strong></td>
  317. <td>N/A</td>
  318. </tr>
  319. </tbody>
  320. </table>
  321. <p>The malware is executed manually by the attacker on an already infected machine. It is initially a single Portable Executable (PE) binary written in C. Its functionality varies depending on the process in which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to determine the name of the process it is running in. It then compares this process name with a set of hardcoded strings: <pre class="crayon-plain-tag">browser</pre>, <pre class="crayon-plain-tag">mspaint.exe</pre>, and <pre class="crayon-plain-tag">msiexec.exe</pre>. Depending on the detected process name, the malware activates different functions:</p>
  322. <ul>
  323. <li>If the process name is <pre class="crayon-plain-tag">mspaint.exe</pre>, CloudSorcerer functions as a backdoor module, and performs activities such as data collection and code execution.</li>
  324. <li>If the process name is <pre class="crayon-plain-tag">msiexec.exe</pre>, the CloudSorcerer malware initiates its C2 communication module.</li>
  325. <li>Lastly, if the process name contains the string &#8220;browser&#8221; or does not match any of the specified names, the malware attempts to inject shellcode into either the <pre class="crayon-plain-tag">msiexec.exe</pre>, <pre class="crayon-plain-tag">mspaint.exe</pre>, or <pre class="crayon-plain-tag">explorer.exe</pre> processes before terminating the initial process.</li>
  326. </ul>
  327. <p>The shellcode used by CloudSorcerer for initial process migration shows fairly standard functionality:</p>
  328. <ul>
  329. <li>Parse Process Environment Block (PEB) to identify offsets to required Windows core DLLs;</li>
  330. <li>Identify required Windows APIs by comparing hashes computed with the ROR14 algorithm;</li>
  331. <li>Map CloudSorcerer code into the memory of one of the targeted processes and run it in a separate thread.</li>
  332. </ul>
  333. <p>All data exchange between modules is organized through Windows pipes, a mechanism for inter-process communication (IPC) that allows data to be transferred between processes.</p>
  334. <h3 id="cloudsorcerer-backdoor-module">CloudSorcerer backdoor module</h3>
  335. <p>The backdoor module begins by collecting system information about the victim machine in a separate thread. The malware collects:</p>
  336. <ul>
  337. <li>Computer name;</li>
  338. <li>User name;</li>
  339. <li>Windows subversion information;</li>
  340. <li>System uptime.</li>
  341. </ul>
  342. <p>All the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe <pre class="crayon-plain-tag">\\.\PIPE\[1428]</pre> connected to the C2 module process. It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures.</p>
  343. <p>Next, the malware attempts to read data from the pipe <pre class="crayon-plain-tag">\\.\PIPE\[1428]</pre>. If successful, it parses the incoming data into the COMMAND structure and reads a single byte from it, which represents a COMMAND_ID.</p>
  344. <div id="attachment_113066" style="width: 873px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113066" class="size-full wp-image-113066" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01.png" alt="Main backdoor functionality" width="863" height="529" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01.png 863w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01-300x184.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01-768x471.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01-571x350.png 571w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01-740x454.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01-457x280.png 457w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02151921/CloudSorcerer_APT_01-800x490.png 800w" sizes="(max-width: 863px) 100vw, 863px" /></a><p id="caption-attachment-113066" class="wp-caption-text">Main backdoor functionality</p></div>
  345. <p>Depending on the COMMAND_ID, the malware executes one of the following actions:</p>
  346. <ul>
  347. <li>0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space.</li>
  348. <li>0x2 – Collect information about files and folders, such as name, size, and type.</li>
  349. <li>0x3 – Execute shell commands using the <pre class="crayon-plain-tag">ShellExecuteExW</pre> API.</li>
  350. <li>0x4 – Copy, move, rename, or delete files.</li>
  351. <li>0x5 – Read data from any file.</li>
  352. <li>0x6 – Create and write data to any file.</li>
  353. <li>0x8 – Receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process.</li>
  354. <li>0x9 – Receive a PE file, create a section and map it into the remote process.</li>
  355. <li>0x7 – Run additional advanced functionality.</li>
  356. </ul>
  357. <p>When the malware receives a 0x7 COMMAND_ID, it runs one of the additional tasks described below:</p>
  358. <table width="100%">
  359. <tbody>
  360. <tr>
  361. <td width="20%"><strong>Command ID</strong></td>
  362. <td width="30%"><strong>Operation</strong></td>
  363. <td width="50%"><strong>Description</strong></td>
  364. </tr>
  365. <tr>
  366. <td>0x2307</td>
  367. <td>Create process</td>
  368. <td>Creates any process using COM interfaces, used for running downloaded binaries.</td>
  369. </tr>
  370. <tr>
  371. <td>0x2407</td>
  372. <td>Create process as dedicated user</td>
  373. <td>Creates any process under dedicated username.</td>
  374. </tr>
  375. <tr>
  376. <td>0x2507</td>
  377. <td>Create process with pipe</td>
  378. <td>Creates any process with support of inter-process communication to exchange data with the created process.</td>
  379. </tr>
  380. <tr>
  381. <td>0x3007</td>
  382. <td>Clear DNS cache</td>
  383. <td>Clears the DNS cache.</td>
  384. </tr>
  385. <tr>
  386. <td>0x2207</td>
  387. <td>Delete task</td>
  388. <td>Deletes any Windows task using COM object interfaces.</td>
  389. </tr>
  390. <tr>
  391. <td>0x1E07</td>
  392. <td>Open service</td>
  393. <td>Opens a Windows service and reads its status.</td>
  394. </tr>
  395. <tr>
  396. <td>0x1F07</td>
  397. <td>Create new task</td>
  398. <td>Creates a new Windows task and sets up a trigger for execution using COM objects.</td>
  399. </tr>
  400. <tr>
  401. <td>0x2007</td>
  402. <td>Get tasks</td>
  403. <td>Gets the list of all the Windows tasks using COM object interface.</td>
  404. </tr>
  405. <tr>
  406. <td>0x2107</td>
  407. <td>Stop task</td>
  408. <td>Stops any task using COM object interface.</td>
  409. </tr>
  410. <tr>
  411. <td>0x1D07</td>
  412. <td>Get services</td>
  413. <td>Gets the list of all Windows services.</td>
  414. </tr>
  415. <tr>
  416. <td>0x1907</td>
  417. <td>Delete value from reg</td>
  418. <td>Deletes any value from any Windows registry key selected by the actor.</td>
  419. </tr>
  420. <tr>
  421. <td>0x1A07</td>
  422. <td>Create service</td>
  423. <td>Creates a new Windows service.</td>
  424. </tr>
  425. <tr>
  426. <td>0x1B07</td>
  427. <td>Change service</td>
  428. <td>Modifies any Windows service configuration.</td>
  429. </tr>
  430. <tr>
  431. <td>0x1807</td>
  432. <td>Delete reg key</td>
  433. <td>Deletes any Windows registry key.</td>
  434. </tr>
  435. <tr>
  436. <td>0x1407</td>
  437. <td>Get TCP/UDP update table</td>
  438. <td>Gets information from Windows TCP/UDP update table.</td>
  439. </tr>
  440. <tr>
  441. <td>0x1507</td>
  442. <td>Collect processes</td>
  443. <td>Collects all running processes.</td>
  444. </tr>
  445. <tr>
  446. <td>0x1607</td>
  447. <td>Set reg key value</td>
  448. <td>Modifies any Windows registry key.</td>
  449. </tr>
  450. <tr>
  451. <td>0x1707</td>
  452. <td>Enumerate reg key</td>
  453. <td>Enumerates Windows registry keys.</td>
  454. </tr>
  455. <tr>
  456. <td>0x1307</td>
  457. <td>Enumerate shares</td>
  458. <td>Enumerates Windows net shares.</td>
  459. </tr>
  460. <tr>
  461. <td>0x1007</td>
  462. <td>Set net user info</td>
  463. <td>Sets information about a user account on a Windows network using <pre class="crayon-plain-tag">NetUserSetInfo</pre>. It allows administrators to modify user account properties on a local or remote machine.</td>
  464. </tr>
  465. <tr>
  466. <td>0x1107</td>
  467. <td>Get net members</td>
  468. <td>Gets a member of the local network group.</td>
  469. </tr>
  470. <tr>
  471. <td>0x1207</td>
  472. <td>Add member</td>
  473. <td>Adds a user to the local network group.</td>
  474. </tr>
  475. <tr>
  476. <td>0xE07</td>
  477. <td>Get net user info</td>
  478. <td>Collects information about a network user.</td>
  479. </tr>
  480. <tr>
  481. <td>0xB07</td>
  482. <td>Enumerate net users</td>
  483. <td>Enumerates network users.</td>
  484. </tr>
  485. <tr>
  486. <td>0xC07</td>
  487. <td>Add net user</td>
  488. <td>Adds a new network user.</td>
  489. </tr>
  490. <tr>
  491. <td>0xD07</td>
  492. <td>Delete user</td>
  493. <td>Deletes a network user.</td>
  494. </tr>
  495. <tr>
  496. <td>0x907</td>
  497. <td>Cancel connection</td>
  498. <td>Cancels an existing network connection. This function allows for the disconnection of network resources, such as shared directories.</td>
  499. </tr>
  500. <tr>
  501. <td>0x507</td>
  502. <td>File operations</td>
  503. <td>Copies, moves, or deletes any file.</td>
  504. </tr>
  505. <tr>
  506. <td>0x607</td>
  507. <td>Get net info</td>
  508. <td>Collects information about the network and interfaces.</td>
  509. </tr>
  510. <tr>
  511. <td>0x707</td>
  512. <td>Enumerate connections</td>
  513. <td>Enumerates all network connections.</td>
  514. </tr>
  515. <tr>
  516. <td>0x807</td>
  517. <td>Map network</td>
  518. <td>Maps remote network drive.</td>
  519. </tr>
  520. <tr>
  521. <td>0x407</td>
  522. <td>Read file</td>
  523. <td>Reads any file as text strings.</td>
  524. </tr>
  525. <tr>
  526. <td>0x107</td>
  527. <td>Enumerate RDP</td>
  528. <td>Enumerates all RDP sessions.</td>
  529. </tr>
  530. <tr>
  531. <td>0x207</td>
  532. <td>Run WMI</td>
  533. <td>Runs any WMI query using COM object interfaces.</td>
  534. </tr>
  535. <tr>
  536. <td>0x307</td>
  537. <td>Get files</td>
  538. <td>Creates list of files and folders.</td>
  539. </tr>
  540. </tbody>
  541. </table>
  542. <p>All the collected information or results of performed tasks are added to a specially created structure and sent to the C2 module process via a named pipe.</p>
  543. <h3 id="c2-module">C2 module</h3>
  544. <p>The C2 module starts by creating a new Windows pipe named <pre class="crayon-plain-tag">\\.\PIPE\[1428]</pre>. Next, it configures the connection to the initial C2 server by providing the necessary arguments to a sequence of Windows API functions responsible for internet connections:</p>
  545. <ul>
  546. <li>InternetCrackUrlA;</li>
  547. <li>InternetSetOptionA;</li>
  548. <li>InternetOpenA;</li>
  549. <li>InternetConnectA;</li>
  550. <li>HttpOpenRequestA;</li>
  551. <li>HttpSendRequestA</li>
  552. </ul>
  553. <p>The malware sets the request type (&#8220;GET&#8221;), configures proxy information, sets up hardcoded headers, and provides the C2 URL.</p>
  554. <div id="attachment_113067" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113067" class="size-large wp-image-113067" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-1024x446.png" alt="Setting up internet connection" width="1024" height="446" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-1024x446.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-300x131.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-768x334.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-804x350.png 804w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-740x322.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-643x280.png 643w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02-800x348.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152322/CloudSorcerer_APT_02.png 1302w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113067" class="wp-caption-text">Setting up internet connection</p></div>
  555. <p>The malware then connects to the initial C2 server, which is a GitHub page located at <pre class="crayon-plain-tag">https://github[.]com/alinaegorovaMygit</pre>. The malware reads the entire web page into a memory buffer using the <pre class="crayon-plain-tag">InternetReadFile</pre> call.</p>
  556. <p>The GitHub repository contains forks of three public projects that have not been modified or updated. Their purpose is merely to make the GitHub page appear legitimate and active. However, the author section of the GitHub page displays an interesting string:</p>
  557. <div id="attachment_113068" style="width: 540px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152357/CloudSorcerer_APT_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113068" class="size-full wp-image-113068" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152357/CloudSorcerer_APT_03.png" alt="Hex string in the author section" width="530" height="820" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152357/CloudSorcerer_APT_03.png 530w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152357/CloudSorcerer_APT_03-194x300.png 194w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152357/CloudSorcerer_APT_03-226x350.png 226w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152357/CloudSorcerer_APT_03-181x280.png 181w" sizes="(max-width: 530px) 100vw, 530px" /></a><p id="caption-attachment-113068" class="wp-caption-text">Hex string in the author section</p></div>
  558. <p>We found data that looks like a hex string that starts and ends with the same byte pattern – &#8220;CDOY&#8221;. After the malware downloads the entire GitHub HTML page, it begins parsing it, searching specifically for the character sequence &#8220;CDOY&#8221;. When it finds it, it copies all the characters up to the second delimiter &#8220;CDOY&#8221; and then stores them in a memory buffer. Next, the malware parses these characters, converting them from string values to hex values. It then decodes the string using a hardcoded charcode substitution table – each byte from the parsed string acts as an index in the charcode table, pointing to a substitutable byte, thus forming a new hex byte array.</p>
  559. <div id="attachment_113069" style="width: 768px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113069" class="size-full wp-image-113069" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04.png" alt="Decoding algorithm" width="758" height="454" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04.png 758w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04-300x180.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04-584x350.png 584w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04-740x443.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152434/CloudSorcerer_APT_04-467x280.png 467w" sizes="(max-width: 758px) 100vw, 758px" /></a><p id="caption-attachment-113069" class="wp-caption-text">Decoding algorithm</p></div>
  560. <div id="attachment_113070" style="width: 821px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113070" class="size-full wp-image-113070" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05.png" alt="Charcode table" width="811" height="560" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05.png 811w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05-300x207.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05-768x530.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05-507x350.png 507w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05-740x511.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05-406x280.png 406w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152458/CloudSorcerer_APT_05-800x552.png 800w" sizes="(max-width: 811px) 100vw, 811px" /></a><p id="caption-attachment-113070" class="wp-caption-text">Charcode table</p></div>
  561. <p>Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from <pre class="crayon-plain-tag">hxxps://my.mail[.]ru/</pre>, which is a Russian cloud-based photo hosting server. The name of the photo album contains the same hex string.</p>
  562. <p>The first decoded byte of the hex string is a magic number that tells the malware which cloud service to use. For example, if the byte is &#8220;1&#8221;, the malware uses Microsoft Graph cloud; if it is &#8220;0&#8221;, the malware uses Yandex cloud. The subsequent bytes form a string of a <a href="https://medium.com/@arunchaitanya/wtf-is-bearer-token-an-in-depth-explanation-60695b581928" target="_blank" rel="noopener">bearer token</a> that is used for authentication with the cloud&#8217;s API.</p>
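The page parsing and magic-byte dispatch described above, as an added Python example that is not part of the report or of the malware: it extracts the CDOY-delimited hex string from a downloaded page, applies a charcode substitution table and splits the result into the service selector and the bearer token. The 256-entry table, the sample page and the token are constructed stand-ins (the real table appears only in the screenshot), and treating the magic byte as the numeric value 0x00/0x01 rather than an ASCII digit is an assumption.

```python
import re
from typing import Dict, Optional

DELIMITER = "CDOY"  # marker that opens and closes the encoded string on the page

# Constructed stand-in for the malware's hardcoded 256-entry charcode table
# (the real one is only shown as a screenshot in the report). Multiplying by an
# odd number modulo 256 is a bijection, so the table can be inverted below to
# build sample input.
CHARCODE_TABLE = bytes((i * 7 + 3) & 0xFF for i in range(256))
_INVERSE_TABLE = {value: index for index, value in enumerate(CHARCODE_TABLE)}

# Magic byte -> cloud service, as described in the report. Treating the byte as
# the numeric value 0x00/0x01 rather than the ASCII digit is an assumption.
MAGIC_TO_SERVICE = {0x00: "Yandex Cloud", 0x01: "Microsoft Graph"}


def extract_delimited_payload(page: str) -> Optional[str]:
    """Return the characters between the first and second CDOY markers, or None."""
    start = page.find(DELIMITER)
    if start < 0:
        return None
    start += len(DELIMITER)
    end = page.find(DELIMITER, start)
    if end < 0:
        return None
    return page[start:end]


def decode_c2_config(page: str) -> Dict[str, object]:
    """Parse a downloaded page the way the C2 module does and return its config."""
    payload = extract_delimited_payload(page)
    if payload is None:
        raise ValueError("no CDOY-delimited payload found on the page")
    if len(payload) % 2 != 0 or not re.fullmatch(r"[0-9A-Fa-f]+", payload):
        raise ValueError("payload between the CDOY markers is not a hex string")
    raw = bytes.fromhex(payload)  # string values -> hex byte values
    # Each parsed byte indexes the charcode table and is replaced by the entry.
    decoded = bytes(CHARCODE_TABLE[b] for b in raw)
    magic = decoded[0]
    return {
        "magic": magic,
        "service": MAGIC_TO_SERVICE.get(magic, "unknown"),
        # The remaining bytes form the bearer token used against the cloud API.
        "bearer_token": decoded[1:].decode("ascii", errors="replace"),
    }


def encode_c2_config(magic: int, token: str) -> str:
    """Constructed inverse of the decoder, used only to build sample pages."""
    plain = bytes([magic]) + token.encode("ascii")
    encoded = bytes(_INVERSE_TABLE[b] for b in plain)
    return DELIMITER + encoded.hex().upper() + DELIMITER


def build_sample_page(magic: int, token: str) -> str:
    """Constructed HTML resembling a profile page with the string in the author field."""
    return (
        "<html><body><div class=\"profile\">\n"
        f"  <span class=\"author-bio\">{encode_c2_config(magic, token)}</span>\n"
        "</div></body></html>"
    )


# Constructed sample: the Microsoft Graph selector followed by a placeholder token.
SAMPLE_PAGE = build_sample_page(0x01, "PLACEHOLDER_TOKEN_NOT_REAL")

if __name__ == "__main__":
    print(decode_c2_config(SAMPLE_PAGE))
```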
  563. <p>Depending on the magic number, the malware creates a structure and sets an offset to a virtual function table that contains a subset of functions to interact with the selected cloud service.</p>
  564. <div id="attachment_113071" style="width: 728px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152552/CloudSorcerer_APT_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113071" class="size-full wp-image-113071" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152552/CloudSorcerer_APT_06.png" alt="Different virtual tables for Yandex and Microsoft" width="718" height="545" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152552/CloudSorcerer_APT_06.png 718w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152552/CloudSorcerer_APT_06-300x228.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152552/CloudSorcerer_APT_06-461x350.png 461w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/02152552/CloudSorcerer_APT_06-369x280.png 369w" sizes="(max-width: 718px) 100vw, 718px" /></a><p id="caption-attachment-113071" class="wp-caption-text">Different virtual tables for Yandex and Microsoft</p></div>
  565. <p>Next, the malware connects to the cloud API by:</p>
  566. <ul>
  567. <li>Setting up the initial connection using <pre class="crayon-plain-tag">InternetOpenA</pre> and <pre class="crayon-plain-tag">InternetConnectA</pre>;</li>
  568. <li>Setting up all the required headers and the authorization token received from the GitHub page;</li>
  569. <li>Configuring the API paths in the request;</li>
  570. <li>Sending the request using <pre class="crayon-plain-tag">HttpSendRequestExA</pre> and checking for response errors;</li>
  571. <li>Reading data from the cloud using <pre class="crayon-plain-tag">InternetReadFile</pre>.</li>
  572. </ul>
  573. <p>The malware then creates two separate threads – one responsible for receiving data from the Windows pipe and another responsible for sending data to it. These threads facilitate asynchronous data exchange between the C2 and backdoor modules.</p>
  574. <p>Finally, the C2 module interacts with the cloud services by reading data, receiving encoded commands, decoding them using the character code table, and sending them via the named pipe to the backdoor module. Conversely, it receives the command execution results or exfiltrated data from the backdoor module and writes them to the cloud.</p>
  575. <h2 id="infrastructure">Infrastructure</h2>
  576. <h3 id="github-page">GitHub page</h3>
  577. <p>The GitHub page was created on May 7, 2024, and two repositories were forked into it on the same day. On May 13, 2024, another repository was forked, and no further interactions with GitHub occurred. The forked repositories were left untouched. The name of the C2 repository, &#8220;Alina Egorova,&#8221; is a common Russian female name; however, the photo on the GitHub page is of a male and was copied from a public photo bank.</p>
  578. <h3 id="mail-ru-photo-hosting">Mail.ru photo hosting</h3>
  579. <p>This page contains the same encoded string as the GitHub page. There is no information about when the album was created and published. The photo of the owner is the same as the picture from the photo bank.</p>
  580. <h3 id="cloud-infrastructure">Cloud infrastructure</h3>
  581. <table width="100%">
  582. <tbody>
  583. <tr>
  584. <td width="23%"><strong>Service</strong></td>
  585. <td width="33%"><strong>Main URL</strong></td>
  586. <td width="34%"><strong>Initial path</strong></td>
  587. </tr>
  588. <tr>
  589. <td>Yandex Cloud</td>
  590. <td>cloud-api.yandex.net</td>
  591. <td>/v1/disk/resources?path=<br />
  592. /v1/disk/resources/download?path=<br />
  593. /v1/disk/resources/upload?path=</td>
  594. </tr>
  595. <tr>
  596. <td>Microsoft Graph</td>
  597. <td>graph.microsoft.com</td>
  598. <td>/v1.0/me/drive/root:/Mg/%s/%s:/content</td>
  599. </tr>
  600. <tr>
  601. <td>Dropbox</td>
  602. <td>content.dropboxapi.com</td>
  603. <td>/2/files/download<br />
  604. /2/files/upload</td>
  605. </tr>
  606. </tbody>
  607. </table>
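Detection logic for the behaviour described in this report, as an added Python example that is not part of the report: it runs three checks over Sysmon-style events (pipe creation, network connection, remote thread creation), flagging the 1428 pipe name, the hijacked host processes (mspaint.exe, msiexec.exe, explorer.exe) connecting to the GitHub, Mail.ru and cloud API hosts listed above, and remote threads created in those processes. The event dictionaries, the field names and the exact on-disk form of the pipe name are constructed assumptions.

```python
from typing import Callable, Dict, List

# Hosts the report names as initial C2 pages and cloud API endpoints.
C2_HOSTS = {
    "github.com",
    "my.mail.ru",
    "cloud-api.yandex.net",
    "graph.microsoft.com",
    "content.dropboxapi.com",
}

# Processes the report describes as injection targets for the backdoor and C2 modules.
HIJACKED_PROCESSES = {"mspaint.exe", "msiexec.exe", "explorer.exe"}

# The report gives the IPC pipe as \\.\PIPE\[1428]; the exact form is an
# assumption, so match on the numeric part rather than on the brackets.
PIPE_MARKER = "1428"

# Sysmon event IDs assumed for the three event types.
EVENT_NETWORK_CONNECT = 3
EVENT_CREATE_REMOTE_THREAD = 8
EVENT_PIPE_CREATED = 17


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_pipe_created(event: Dict) -> List[str]:
    pipe = event.get("PipeName", "")
    if PIPE_MARKER in pipe:
        image = _basename(event.get("Image", ""))
        return [f"cloudsorcerer_ipc_pipe: {image} created pipe {pipe}"]
    return []


def check_network_connect(event: Dict) -> List[str]:
    image = _basename(event.get("Image", ""))
    host = event.get("DestinationHostname", "").lower()
    # Only the hijacked host processes talking to the listed hosts are flagged,
    # so a browser reaching github.com does not fire.
    if image in HIJACKED_PROCESSES and host in C2_HOSTS:
        return [f"cloudsorcerer_c2_channel: {image} connected to {host}"]
    return []


def check_remote_thread(event: Dict) -> List[str]:
    source = _basename(event.get("SourceImage", ""))
    target = _basename(event.get("TargetImage", ""))
    if target in HIJACKED_PROCESSES and source != target:
        return [f"cloudsorcerer_injection: {source} created a thread in {target}"]
    return []


CHECKS: Dict[int, Callable[[Dict], List[str]]] = {
    EVENT_PIPE_CREATED: check_pipe_created,
    EVENT_NETWORK_CONNECT: check_network_connect,
    EVENT_CREATE_REMOTE_THREAD: check_remote_thread,
}


def triage(events: List[Dict]) -> List[str]:
    """Run every applicable check over the events and collect alert strings."""
    alerts: List[str] = []
    for event in events:
        check = CHECKS.get(event.get("EventID"))
        if check is not None:
            alerts.extend(check(event))
    return alerts


# Constructed sample events in Sysmon-style field naming; four of them should fire.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": "C:\\Windows\\System32\\msiexec.exe", "PipeName": "\\1428"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationHostname": "github.com", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationHostname": "github.com", "DestinationPort": 443},
    {"EventID": 8, "SourceImage": "C:\\Users\\Public\\browser.exe",
     "TargetImage": "C:\\Windows\\System32\\mspaint.exe"},
    {"EventID": 17, "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\wkssvc"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mspaint.exe", "CommandLine": "mspaint.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```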
  608. <h2 id="attribution">Attribution</h2>
  609. <p>The use of cloud services is not new, and we reported an example of this in our overview of the CloudWizard APT (a campaign in the Ukrainian conflict with ties to Operation Groundbait and <a href="https://securelist.com/bad-magic-apt/109087/" target="_blank" rel="noopener">CommonMagic</a>). However, the likelihood of attributing CloudSorcerer to the same actor is low, as the code and overall functionality of the malware are different. We therefore assume at this point that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services.</p>
  610. <h2 id="victims">Victims</h2>
  611. <p>Government organizations in the Russian Federation.</p>
  612. <h2 id="conclusions">Conclusions</h2>
  613. <p>The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyberespionage. The malware&#8217;s ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication.</p>
  614. <p>While there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools.</p>
  615. <h2 id="indicators-of-compromise">Indicators of Compromise</h2>
  616. <p><strong>File Hashes (malicious documents, Trojans, emails, decoys)</strong></p>
  617. <table width="100%">
  618. <tbody>
  619. <tr>
  620. <td width="60%"><a href="https://opentip.kaspersky.com/f701fc79578a12513c369d4e36c57224/results?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______42d98a865336d763&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">F701fc79578a12513c369d4e36c57224</a></td>
  621. <td width="40%">CloudSorcerer</td>
  622. </tr>
  623. </tbody>
  624. </table>
  625. <p><strong>Domains and IPs</strong></p>
  626. <table width="100%">
  627. <tbody>
  628. <tr>
  629. <td width="60%">hxxps://github[.]com/alinaegorovaMygit</td>
  630. <td width="40%">CloudSorcerer C2</td>
  631. </tr>
  632. <tr>
  633. <td>hxxps://my.mail[.]ru/yandex.ru/alinaegorova2154/photo/1</td>
  634. <td>CloudSorcerer C2</td>
  635. </tr>
  636. </tbody>
  637. </table>
  638. <p><strong>Yara Rules</strong></p>
  639. <pre class="crayon-plain-tag">rule apt_cloudsorcerer {
  640.     meta:
  641.         description = "Detects CloudSorcerer"
  642.         author = "Kaspersky"
  643.         copyright = "Kaspersky"
  644.         distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM"
  645.         version = "1.0"
  646.         last_modified = "2024-06-06"
  647.         hash = "F701fc79578a12513c369d4e36c57224"
  648.  
  649.     strings:
  650.         $str1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
  651.         $str2 = "c:\\windows\\system32\\mspaint.exe"
  652.         $str3 = "C:\\Windows\\system32\\msiexec.exe"
  653.         $str4 = "\\\\.\\PIPE\\"
  654.  
  655.     condition:
  656.         uint16(0) == 0x5A4D and
  657.         all of ($str*)
  658. }</pre>
  659. <h2 id="mitre-attck-mapping">MITRE ATT&amp;CK Mapping</h2>
  660. <table width="100%">
  661. <tbody>
  662. <tr>
  663. <td width="33%"><strong>Tactic</strong></td>
  664. <td width="33%" style="padding-left: 0"><strong>Technique</strong></td>
  665. <td width="33%"><strong>Technique Name</strong></td>
  666. </tr>
  667. <tr>
  668. <td rowspan="4">Execution</td>
  669. <td style="padding-left: 0">T1059.009</td>
  670. <td>Command and Scripting Interpreter: Cloud API</td>
  671. </tr>
  672. <tr>
  673. <td>T1559</td>
  674. <td>Inter-Process Communication</td>
  675. </tr>
  676. <tr>
  677. <td>T1053</td>
  678. <td>Scheduled Task/Job</td>
  679. </tr>
  680. <tr>
  681. <td>T1047</td>
  682. <td>Windows Management Instrumentation</td>
  683. </tr>
  684. <tr>
  685. <td rowspan="2">Persistence</td>
  686. <td style="padding-left: 0">T1543</td>
  687. <td>Create or Modify System Process</td>
  688. </tr>
  689. <tr>
  690. <td>T1053</td>
  691. <td>Scheduled Task/Job</td>
  692. </tr>
  693. <tr>
  694. <td rowspan="2">Defense Evasion</td>
  695. <td style="padding-left: 0">T1140</td>
  696. <td>Deobfuscate/Decode Files or Information</td>
  697. </tr>
  698. <tr>
  699. <td>T1112</td>
  700. <td>Modify Registry</td>
  701. </tr>
  702. <tr>
  703. <td rowspan="5">Discovery</td>
  704. <td style="padding-left: 0">T1083</td>
  705. <td>File and Directory Discovery</td>
  706. </tr>
  707. <tr>
  708. <td>T1046</td>
  709. <td>Network Service Discovery</td>
  710. </tr>
  711. <tr>
  712. <td>T1057</td>
  713. <td>Process Discovery</td>
  714. </tr>
  715. <tr>
  716. <td>T1012</td>
  717. <td>Query Registry</td>
  718. </tr>
  719. <tr>
  720. <td>T1082</td>
  721. <td>System Information Discovery</td>
  722. </tr>
  723. <tr>
  724. <td>Collection</td>
  725. <td style="padding-left: 0">T1005</td>
  726. <td>Data from Local System</td>
  727. </tr>
  728. <tr>
  729. <td rowspan="2">Command and Control</td>
  730. <td style="padding-left: 0">T1102</td>
  731. <td>Web Service</td>
  732. </tr>
  733. <tr>
  734. <td>T1568</td>
  735. <td>Dynamic Resolution</td>
  736. </tr>
  737. <tr>
  738. <td rowspan="2">Exfiltration</td>
  739. <td style="padding-left: 0">T1567</td>
  740. <td>Exfiltration Over Web Service</td>
  741. </tr>
  742. <tr>
  743. <td>T1537</td>
  744. <td>Transfer Data to Cloud Account</td>
  745. </tr>
  746. </tbody>
  747. </table>
  748. ]]></content:encoded>
  749. <wfw:commentRss>https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/feed/</wfw:commentRss>
  750. <slash:comments>0</slash:comments>
  751. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/03121455/CloudSorcerer-featured.jpg" width="1784" height="1120"><media:keywords>full</media:keywords></media:content>
  752. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/03121455/CloudSorcerer-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  753. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/03121455/CloudSorcerer-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  754. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/07/03121455/CloudSorcerer-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  755. </item>
  756. <item>
  757. <title>Cybersecurity in the SMB space — a growing threat</title>
  758. <link>https://securelist.com/smb-threat-report-2024/113010/</link>
  759. <comments>https://securelist.com/smb-threat-report-2024/113010/#respond</comments>
  760. <dc:creator><![CDATA[Kaspersky]]></dc:creator>
  761. <pubDate>Tue, 25 Jun 2024 10:00:39 +0000</pubDate>
  762. <category><![CDATA[Research]]></category>
  763. <category><![CDATA[Facebook]]></category>
  764. <category><![CDATA[Malware Statistics]]></category>
  765. <category><![CDATA[Microsoft Excel]]></category>
  766. <category><![CDATA[Microsoft Exchange]]></category>
  767. <category><![CDATA[Microsoft Office]]></category>
  768. <category><![CDATA[Microsoft Outlook]]></category>
  769. <category><![CDATA[Phishing]]></category>
  770. <category><![CDATA[Phishing websites]]></category>
  771. <category><![CDATA[SMB]]></category>
  772. <category><![CDATA[Spam Letters]]></category>
  773. <category><![CDATA[Trojan]]></category>
  774. <category><![CDATA[Spam and Phishing]]></category>
  775. <category><![CDATA[Windows malware]]></category>
  776. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113010</guid>
  777.  
  778. <description><![CDATA[Kaspersky analysts explain which applications are targeted the most, and how enterprises can protect themselves from phishing and spam.]]></description>
  779. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24090656/SMB-featured-2024-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Small and medium-sized businesses (SMBs) are increasingly targeted by cybercriminals. Despite adopting digital technology for remote work, production, and sales, SMBs often lack robust cybersecurity measures.</p>
  780. <p>SMBs face significant cybersecurity challenges <a href="https://www.weforum.org/agenda/2024/04/cybersecurity-industry-talent-shortage-new-report/#:~:text=The global talent shortage%2C which,in the global cybersecurity industry" target="_blank" rel="noopener">due to limited resources and expertise</a>. The cost of data breaches can cripple operations, making preventive measures essential. This is a growing tendency that continues to pose a challenge for businesses. For example, the UK&#8217;s National Cyber Security Centre <a href="https://www.ncsc.gov.uk/files/Threat-report-on-enterprise-connected-devices-web.pdf" target="_blank" rel="noopener">reports</a> that around 50% of SMBs in the UK are likely to experience a cybersecurity breach annually. Addressing cybersecurity requires a multifaceted approach, combining technological solutions with fostering a security-aware culture within the organization.</p>
  781. <h2 id="a-rising-tide-of-cyberthreats">A rising tide of cyberthreats</h2>
  782. <p>Kaspersky presents the findings of its 2024 threat analysis for the SMB space, including real-world examples of attacks.</p>
  783. <p>To get information on the threats facing the SMB sector, Kaspersky analysts cross-referenced selected applications used in the SMB space against Kaspersky Security Network (KSN) telemetry to determine the prevalence of malicious files and unwanted software targeting these programs, as well as the number of users attacked by these files. KSN is a system for processing anonymized cyberthreat-related data shared voluntarily by opted-in Kaspersky users. We included the following programs in our research:</p>
  784. <ul>
  785. <li>Microsoft Excel;</li>
  786. <li>Microsoft Outlook;</li>
  787. <li>Microsoft PowerPoint;</li>
  788. <li>Salesforce;</li>
  789. <li>Microsoft Word;</li>
  790. <li>Microsoft Teams;</li>
  791. <li>QuickBooks;</li>
  792. <li>Microsoft Exchange;</li>
  793. <li>Skype for business;</li>
  794. <li>ClickUp;</li>
  795. <li>Hootsuite;</li>
  796. <li>ZenDesk.</li>
  797. </ul>
  798. <div class="js-infogram-embed" data-id="_/NanDtNbP3tDVpBUKkOGe" data-type="interactive" data-title="01 EN SMB report diagramss" style="min-height:;"></div>
  799. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Percentage of unique files with names that mimic the top 9 legitimate applications, 2023 and 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173416/01-en-smb-report-diagramss.png" target="_blank" rel="noopener">download</a>)</em></p>
  800. <div class="js-infogram-embed" data-id="_/npn6HTBrwlAwZBSXC4I3" data-type="interactive" data-title="02 EN SMB report diagramss" style="min-height:;"></div>
  801. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Percentage of unique users targeted through the top 9 investigated applications, January 1 – April 30, 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173457/02-en-smb-report-diagramss.png" target="_blank" rel="noopener">download</a>)</em></p>
  802. <p>As the graphs above show, for the period from January 1, 2024 to April 30, 2024, the total number of users who encountered malware and unwanted software hiding in or mimicking investigated software products for SMBs was 2,402, with 4,110 unique files distributed under the guise of SMB-related software. This is an 8% increase compared to the 2023 findings, which points to an ongoing rise in attacker activity.</p>
  803. <p>The most notable change in the share of unique files with names that mimic legitimate software used to deliver an attack was Microsoft Excel moving up the threat list from fourth to first place between 2023 and 2024. Microsoft Excel has been leveraged by cybercriminals for many years.</p>
  804. <div class="js-infogram-embed" data-id="_/2uQHDcIJXKVqA1QxMO2x" data-type="interactive" data-title="03 EN SMB report diagramss" style="min-height:;"></div>
  805. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Top threat types that affected the SMB sector, 2023 vs 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173524/03-en-smb-report-diagramss.png" target="_blank" rel="noopener">download</a>)</em></p>
  806. <p>The data shows that the overall number of infections in the SMB sector from January 1, 2024 to April 30, 2024, rose to 138,046 against 131,219 in the same period in 2023 – an increase of over 5%.</p>
  807. <p>Trojan attacks remain the most common cyberthreat, which indicates that attackers continue to target SMBs and favor malware over unwanted software. Trojans are particularly dangerous because they mimic legitimate software, which makes them harder to detect and prevent. Their versatility and ability to bypass traditional security measures make them a prevalent and effective tool for cyberattackers. However, the biggest change year-on-year stems from DangerousObject attacks. This is malicious software detected by Kaspersky Cloud Technologies. DangerousObject-class verdicts are a collective of various previously undetected samples. The broad and unspecific nature of this category underscores the complexity and evolving nature of cyberthreats, making it a significant concern for cybersecurity efforts.</p>
  808. <h2 id="phishing">Phishing</h2>
  809. <p>Employee negligence remains a significant vulnerability for SMBs. Human error, often stemming from a lack of cybersecurity awareness, can lead to severe security breaches. Falling for phishing schemes can have catastrophic consequences for businesses.</p>
  810. <p>Phishing attacks are distributed via various channels, including spoofed emails and social media, to fool users into divulging login details or other sensitive data. Attacks like these can be targeted at SMBs, threatening both the customer loyalty they are building and the security of their infrastructure. Our research provides a deeper look at the current climate with a breakdown of examples.</p>
  811. <p>Phishing websites can imitate popular services, corporate portals, online banking platforms, etc. Targets are encouraged to sign in, whereby they inadvertently divulge usernames and passwords to the cybercriminals, or trigger other automated cyberattacks. Or both.</p>
  812. <p>Below is a spoofed site that replicates the login page of a legitimate delivery service that employees use on a regular basis. Harvesting login credentials enables cybercriminals to redirect orders and/or immediately cancel services, and have money refunded and redirected to a new account. A scheme like this can easily go unnoticed over a long period of time without appropriate enterprise cybersecurity mechanisms in place.</p>
  813. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113031" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-674x1024.png" alt="" width="674" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-674x1024.png 674w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-197x300.png 197w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-768x1167.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-1011x1536.png 1011w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-230x350.png 230w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-658x1000.png 658w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-184x280.png 184w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01-592x900.png 592w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172901/SMB_report_01.png 1139w" sizes="(max-width: 674px) 100vw, 674px" /></a></p>
  814. <p>In the following example, attackers have spoofed the customer login page of a company that specializes in small business insurance. Armed with this information, the cybercriminals gained access to clients&#8217; accounts, leading to further infiltration and potential theft of sensitive enterprise data.</p>
  815. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113032" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-1024x641.png" alt="" width="1024" height="641" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-1024x641.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-300x188.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-768x481.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-559x350.png 559w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-740x463.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-447x280.png 447w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02-800x501.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172927/SMB_report_02.png 1145w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  816. <p>In recent years, we&#8217;ve been observing a trend of spreading web pages that mimic the most commonly used Microsoft services (Microsoft 365, Outlook, OneDrive, etc.). This tendency, aimed at business users, arises from the widely popular business approach of using a software package for all business purposes, which makes its users more dependent on particular applications and services and thus more susceptible to this attack vector.</p>
  817. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113033" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-1024x819.png" alt="" width="1024" height="819" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-1024x819.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-300x240.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-768x614.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-500x400.png 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-438x350.png 438w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-740x592.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-350x280.png 350w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03-800x640.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21172951/SMB_report_03.png 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  818. <h2 id="email">Email</h2>
  819. <p>Email remains one of the most widely used channels for phishing. In the example below, attackers passed themselves off as representatives of a legal entity that needs to sign an agreement with the target organization. The attackers generally use email addresses that are very similar to those used by legitimate companies. Here they used a phishing form that mimics a common enterprise service template.</p>
  820. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04.jpeg" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113034" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-1024x575.jpeg" alt="" width="1024" height="575" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-1024x575.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-300x169.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-768x432.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-800x450.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-623x350.jpeg 623w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-740x416.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04-498x280.jpeg 498w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173033/SMB_report_04.jpeg 1452w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  821. <h2 id="social-media">Social media</h2>
  822. <p>Cybercriminals can hack or spoof a business&#8217;s social media accounts. Doing this enables them to post harmful content, spread false information, and carry out phishing schemes, damaging the business&#8217;s reputation and trustworthiness.</p>
  823. <p>A hack like this can result in a loss of followers and customers, which in turn harms sales and revenue. Furthermore, the attackers could use the compromised account to deceive customers into giving away sensitive information, further eroding trust and potentially exposing the business to legal issues.</p>
  824. <p>Imitating and abusing large social media platforms can not only disrupt business operations and cause financial losses, but also result in data leaks and major security breaches. In some cases, attackers <a href="https://www.kaspersky.com/blog/facebook-scam-24-hours-are-left-ro-request-review-see-why/51447/" target="_blank" rel="noopener">use legitimate Facebook infrastructure</a> to compromise corporate social media accounts. We have also found numerous cases of attackers mimicking genuine social media login pages. The following example is related to <a href="https://shop.tiktok.com/business/en" target="_blank" rel="noopener">TikTok Shop</a>, an e-commerce feature of TikTok allowing businesses to sell their products.</p>
  825. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113035" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-1024x734.png" alt="" width="1024" height="734" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-1024x734.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-300x215.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-768x550.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-488x350.png 488w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-740x530.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-391x280.png 391w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05-800x573.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173103/SMB_report_05.png 1133w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  826. <h2 id="spam">Spam</h2>
  827. <p>We have discovered multiple cases of SMB-oriented spam. Spammers target organizations with what seems like an appealing credit deal or a large one-off discount. The scope of available services is usually typical for SMB needs — tailored branding solutions, advertising products, financial support — although generally such companies are considered unreliable. In the example below, spammers offered a client database for research and marketing purposes.</p>
  828. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06.jpeg" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113036" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-1024x355.jpeg" alt="" width="1024" height="355" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-1024x355.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-300x104.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-768x266.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-1011x350.jpeg 1011w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-740x256.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-809x280.jpeg 809w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06-800x277.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21173134/SMB_report_06.jpeg 1210w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  829. <h2 id="best-practices-for-asset-protection">Best practices for asset protection</h2>
  830. <p>By investing in end-to-end cybersecurity solutions and promoting vigilance, SMBs can mitigate risks and ensure business continuity. It is no less vital that SMBs educate employees about cyberthreats in addition to implementing robust security measures, such as spam filters, email authentication protocols, and strict verification procedures for financial transactions and sensitive information sharing.</p>
  831. <p>Essential steps toward cyber resilience include recognizing the importance of comprehensive security protocols and periodic updates. Regular security awareness training, strong password policies, and multifactor authentication can also help mitigate the risks associated with phishing and scam threats.</p>
  832. <h2 id="cyberprotection-action-plan-for-smbs">Cyberprotection action plan for SMBs</h2>
  833. <ol>
  834. <li>Establish a policy governing access to corporate resources, including email accounts, shared folders, and online documents. Maintain strict control over the number of users who can access critical corporate data, ensure this access list is up to date and revoke permissions when an employee leaves the company. Use cloud access security broker software to manage and monitor employee activities within cloud services and enforce security policies.</li>
  835. <li>Back up essential data regularly so that corporate information stays safe and can be recovered in case of emergency.</li>
  836. <li>Offer transparent guidelines for using external services and resources. Design clear procedures of approval with IT and other responsible roles for specific tasks, such as new software adoption. Include basic cybersecurity rules in succinct staff policies, paying extra attention to safe account and password management, email security, and web browsing. Implement a <a href="https://asap.kaspersky.com/en/" target="_blank" rel="noopener">comprehensive training program</a> to equip employees with the necessary knowledge and practical skills.</li>
  837. <li>Deploy specialized cybersecurity solutions that provide visibility over cloud services, such as <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext" target="_blank" rel="noopener">Kaspersky Next</a>.</li>
  838. </ol>
  839. ]]></content:encoded>
  840. <wfw:commentRss>https://securelist.com/smb-threat-report-2024/113010/feed/</wfw:commentRss>
  841. <slash:comments>0</slash:comments>
  842. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24090656/SMB-featured-2024-1.jpg" width="1200" height="753"><media:keywords>full</media:keywords></media:content>
  843. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24090656/SMB-featured-2024-1-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  844. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24090656/SMB-featured-2024-1-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  845. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24090656/SMB-featured-2024-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  846. </item>
  847. <item>
  848. <title>XZ backdoor: Hook analysis</title>
  849. <link>https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/</link>
  850. <comments>https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/#respond</comments>
  851. <dc:creator><![CDATA[Anderson Leite, Sergey Belov]]></dc:creator>
  852. <pubDate>Mon, 24 Jun 2024 10:00:02 +0000</pubDate>
  853. <category><![CDATA[Incidents]]></category>
  854. <category><![CDATA[Backdoor]]></category>
  855. <category><![CDATA[Cyber espionage]]></category>
  856. <category><![CDATA[Linux]]></category>
  857. <category><![CDATA[Malware]]></category>
  858. <category><![CDATA[Malware Descriptions]]></category>
  859. <category><![CDATA[Malware Technologies]]></category>
  860. <category><![CDATA[SSH]]></category>
  861. <category><![CDATA[Targeted attacks]]></category>
  862. <category><![CDATA[XZ]]></category>
  863. <category><![CDATA[APT (Targeted attacks)]]></category>
  864. <category><![CDATA[Unix and macOS malware]]></category>
  865. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113007</guid>
  866.  
  867. <description><![CDATA[In this article, we analyze XZ backdoor behavior inside OpenSSH, after it has achieved RSA-related function hook.]]></description>
  868. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24093931/sl-xz-backdoor-featured-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><a href="https://securelist.com/xz-backdoor-story-part-1/112354/" target="_blank" rel="noopener">Part 1: XZ backdoor story – Initial analysis</a><br />
  869. <a href="https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/" target="_blank" rel="noopener">Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)</a><br />
  870. <strong>Part 3: XZ backdoor. Hook analysis</strong></p>
  871. <p>In <a href="https://securelist.com/xz-backdoor-story-part-1/112354/" target="_blank" rel="noopener">our first article on the XZ backdoor</a>, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor&#8217;s behavior inside OpenSSH, specifically <a href="https://www.openssh.com/portable.html" target="_blank" rel="noopener">OpenSSH portable</a> version 9.7p1 – the most recent version at this time.</p>
  872. <p>To better understand what&#8217;s going on, we recommend reading Baeldung&#8217;s article about <a href="https://www.baeldung.com/linux/ssh-authentication-methods" target="_blank" rel="noopener">SSH authentication methods</a> and <a href="https://jfrog.com/blog/examining-openssh-sandboxing-and-privilege-separation-attack-surface-analysis/#OpenSSH-Privilege-Separation" target="_blank" rel="noopener">JFrog&#8217;s article</a> about privilege separation in SSH.</p>
  873. <h2 id="key-findings">Key findings</h2>
  874. <p>Our analysis revealed the following interesting details about the backdoor&#8217;s functionality:</p>
  875. <ul>
  876. <li>The attacker set an anti-replay feature to avoid possible capture or hijacking of the backdoor communication.</li>
  877. <li>The backdoor author used a custom steganography technique in the x86 code to hide the public key, a very clever way of concealing it.</li>
  878. <li>The backdoor hides its logs of unauthorized connections to the SSH server by hooking the logging function.</li>
  879. <li>The backdoor hooks the password authentication function to allow the attacker to use any username/password to log into the infected server without any further checks. It also does the same for public key authentication.</li>
  880. <li>It has remote code execution capabilities that allow the attacker to execute any system command on the infected server.</li>
  881. </ul>
  882. <h2 id="detailed-analysis">Detailed analysis</h2>
  883. <p>There are three functions that the backdoor attempts to hook, of which <strong>RSA_public_decrypt </strong>is the primary target and <strong>RSA_get0_key</strong> is the secondary. The third function, <strong>EVP_PKEY_set1_RSA</strong>, doesn&#8217;t exist in the SSH server version in question. It may be an artifact left over from the tool used for malicious public key generation (this function is used by an independent <em>ssh-keygen</em> tool included in the OpenSSH package), or it may have been used in a rare or outdated version of the SSH server.</p>
  884. <p>The two target functions in the latest SSH server version are called when the RSA certificate is configured as an SSH authentication method. They first check if an incoming RSA connection uses authentication data (RSA key) as an argument. If so, the backdoor passes it to a common function (called by all hooks) that parses this RSA key and extracts information that is embedded in its modulus part. The backdoor&#8217;s main payload function works only once during a client <em>preauth </em>session, when the RSA-based authentication checks are performed.</p>
  885. <div id="attachment_113013" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113013" class="size-large wp-image-113013" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-1024x446.png" alt="RSA_public_decrypt hook function" width="1024" height="446" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-1024x446.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-300x131.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-768x334.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-804x350.png 804w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-740x322.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-643x280.png 643w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01-800x348.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161103/XZ_backdoor_analysis_part_3_01.png 1376w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113013" class="wp-caption-text">RSA_public_decrypt hook function</p></div>
  886. <p>An attacker must generate a specific RSA key to interact with the backdoored server; the key is used as a container for the attacker&#8217;s commands in SSH connections using CA certificates.</p>
  887. <p>The RSA key is represented by a structure in the OpenSSL library that contains the <strong>E </strong>(exponent) and<strong> N </strong>(modulus). The backdoor extracts and processes the RSA modulus, which means that the malicious payload is packed inside the <strong>N </strong>value from the RSA cryptosystem.</p>
  888. <p>The custom RSA modulus must conform to the following format to be processed correctly by the backdoor:</p>
  889. <div id="attachment_113014" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113014" class="size-large wp-image-113014" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-1024x411.png" alt="RSA modulus data structure" width="1024" height="411" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-1024x411.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-768x308.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-1536x616.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-873x350.png 873w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-740x297.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-698x280.png 698w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02-800x321.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161145/XZ_backdoor_analysis_part_3_02.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113014" class="wp-caption-text">RSA modulus data structure</p></div>
  890. <p>There are three fields in the payload header (PartialCommand1, 2 and 3 in the scheme above) that are used to calculate the command type and also act as a form of magic number check. The command type is calculated using the following formula:<strong> PartialCommand3 + (PartialCommand2 * PartialCommand1)</strong>, where the result of the calculation must be a value between 0 and 3:</p>
  891. <div id="attachment_113015" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113015" class="size-large wp-image-113015" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-1024x256.png" alt="Command type calculation" width="1024" height="256" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-1024x256.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-300x75.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-768x192.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-1399x350.png 1399w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-740x185.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-1119x280.png 1119w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03-800x200.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161230/XZ_backdoor_analysis_part_3_03.png 1419w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113015" class="wp-caption-text">Command type calculation</p></div>
  892. <p>If the calculated check passes, the code proceeds to the payload decryption and payload signature check.</p>
  893. <h2 id="ed448-encrypted-public-key-extraction-x86-based-steganography">ED448-encrypted public key extraction – x86-based steganography</h2>
  894. <p>To decrypt and verify the payload data, the backdoor uses an ED448 public key extracted from the binary.</p>
  895. <p>When we first encountered the key extraction procedure, it looked like the backdoor authors had managed to create code that generated a correct public key before the private key, which should be impossible. Normally, for elliptic curve algorithms, the private key must be generated first, and the public key is then calculated from it. To solve the mystery of generating the public key from the binary, we analyzed the source code of various cryptographic libraries and came up with nothing. We then analyzed the backdoor code more closely and found that the keys had been generated using a regular procedure. However, the attackers used a custom steganography technique in the x86 code to hide an arbitrary message (in this case, the public key).</p>
  896. <p>The public key information was scattered inside the binary code within specific valid instructions. The method of recovering the key is somewhat similar to the gadget scanning technique in a <a href="https://en.wikipedia.org/wiki/Return-oriented_programming" target="_blank" rel="noopener">return-oriented programming (ROP)</a> binary exploitation scenario. But here the &#8220;gadgets&#8221; are actually register-register instructions (e.g., <strong><em>mov rdi, rbx</em></strong>), each of which holds one <strong>bit </strong>of information, whose value is either <em>1</em> or <em>0</em>.</p>
  897. <p>To achieve key recovery, several functions call the &#8220;key rebuild&#8221; algorithm, usually at the start of the function body, with specific arguments.</p>
  898. <div id="attachment_113016" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113016" class="size-large wp-image-113016" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04-1024x240.png" alt="Partial key rebuild function call" width="1024" height="240" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04-1024x240.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04-300x70.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04-768x180.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04-740x174.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04-800x188.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161420/XZ_backdoor_analysis_part_3_04.png 1082w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113016" class="wp-caption-text">Partial key rebuild function call</p></div>
  899. <p>The arguments used by this algorithm are:</p>
  900. <ul>
  901. <li><strong>BitIndex</strong>: the starting value that holds the current key index to be decoded and also holds which bit should be set initially in the encrypted key bitmap.</li>
  902. <li><strong>Total Instructions</strong>: the number of register-register instructions to scan in the current function.</li>
  903. <li><strong>Key Index</strong>: the specific key index this function will work to reconstruct. This value exists to avoid rescanning the same function if it is called a second time.</li>
  904. </ul>
  905. <div id="attachment_113017" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113017" class="size-large wp-image-113017" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-1024x359.png" alt="Register-register instruction decoding" width="1024" height="359" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-768x269.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-1536x539.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-998x350.png 998w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-740x260.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-798x280.png 798w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05-800x281.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161500/XZ_backdoor_analysis_part_3_05.png 1842w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113017" class="wp-caption-text">Register-register instruction decoding</p></div>
  906. <p>The key rebuild algorithm scans certain functions of the backdoor from beginning to end looking for register-register instructions. When it finds an instruction, it decodes the &#8216;BitIndex&#8217; value to extract the correct byte index and bit to be set.</p>
  907. <div id="attachment_113018" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113018" class="size-large wp-image-113018" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-1024x415.png" alt="Encrypted key rebuild code snippet" width="1024" height="415" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-1024x415.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-300x122.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-768x312.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-990x400.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-863x350.png 863w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-740x300.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-690x280.png 690w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06-800x325.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161529/XZ_backdoor_analysis_part_3_06.png 1028w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113018" class="wp-caption-text">Encrypted key rebuild code snippet</p></div>
  908. <p>The BitIndex value is unpacked to determine the target index in the buffer. It then adds (bitwise <strong>or</strong>) the bit to the current value at that index. As the encrypted public key buffer is initialized with zeros, the rebuilder algorithm will only activate specific bits inside it. It sets the key bit value to 1 if the register-register instruction matches the opcode criteria (image above), or skips it, indicating that this bit value should remain zero. After that, the <em>BitIndex </em>value increases.</p>
  909. <p>The algorithm determines whether the bit should be set or not for each instruction individually, even if the instructions have the same disassembly representation. This is because some instructions can have the same assembly code but different opcodes.</p>
  910. <div id="attachment_113019" style="width: 848px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113019" class="size-full wp-image-113019" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07.png" alt="Public key rebuild algorithm" width="838" height="525" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07.png 838w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07-300x188.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07-768x481.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07-559x350.png 559w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07-740x464.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07-447x280.png 447w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161607/XZ_backdoor_analysis_part_3_07-800x501.png 800w" sizes="(max-width: 838px) 100vw, 838px" /></a><p id="caption-attachment-113019" class="wp-caption-text">Public key rebuild algorithm</p></div>
  911. <p>In general, for each instruction found, the BitIndex is used to reconstruct a specific part of the encrypted key. In total,<strong> 456 </strong>instructions are collected this way as the binary executes, and the encrypted public key is fully rebuilt by the end of this process.</p>
  912. <div id="attachment_113020" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113020" class="size-large wp-image-113020" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-1024x296.png" alt="Key rebuild automation" width="1024" height="296" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-1024x296.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-300x87.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-768x222.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-1536x444.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-1211x350.png 1211w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-740x214.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-969x280.png 969w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08-800x231.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161821/XZ_backdoor_analysis_part_3_08.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113020" class="wp-caption-text">Key rebuild automation</p></div>
  913. <p>In our research, we recreated the entire key rebuilding process that results in the encrypted public key that is later decrypted.</p>
  914. <h2 id="payload-decryption-and-signature-check">Payload decryption and signature check</h2>
  915. <p>The ED448 public key is encrypted using the ChaCha20 algorithm, where the key and nonce are the result of ChaCha20 encryption of a buffer consisting of zeros, with zeros used as the key and nonce.</p>
  916. <p>After decryption, the backdoor takes the first 32 bytes of the public key and uses them as the key to decrypt the payload body, which is also ChaCha20 encrypted.</p>
  917. <div id="attachment_113021" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113021" class="size-large wp-image-113021" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-1024x623.png" alt="Backdoor payload decryption and check diagram" width="1024" height="623" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-1024x623.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-300x183.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-768x467.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-1536x935.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-330x200.png 330w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-575x350.png 575w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-740x450.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-460x280.png 460w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09-800x487.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21161953/XZ_backdoor_analysis_part_3_09.png 1885w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113021" 
class="wp-caption-text">Backdoor payload decryption and check diagram</p></div>
  918. <h2 id="payload-signature-check">Payload signature check</h2>
  919. <p>The decrypted payload contains the signature of the remaining data in its header. Producing a valid signature requires the matching private key, so in the expected attack scenario only the backdoor author is able to sign and send payloads to the infected server.</p>
  920. <p>To verify the integrity and authenticity of the payload, the backdoor again uses the decrypted ED448 public key to confirm that the incoming payload was signed with the attacker&#8217;s private key.</p>
  921. <div id="attachment_113022" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113022" class="size-large wp-image-113022" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-1024x522.png" alt="Payload integrity and authenticity checks" width="1024" height="522" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-1024x522.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-300x153.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-768x392.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-686x350.png 686w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-740x377.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-549x280.png 549w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10-800x408.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162035/XZ_backdoor_analysis_part_3_10.png 1357w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113022" class="wp-caption-text">Payload integrity and authenticity checks</p></div>
  922. <p>It also takes the SHA-256 hash of the server&#8217;s public key (taken from the initial SSH connection when the server sends the public key) into the payload signed data and verifies that it matches the currently running server. This is done to prevent replay attacks, where a researcher could capture the backdoor communication and replay the same backdoor command to another server.</p>
  923. <div id="attachment_113023" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113023" class="size-large wp-image-113023" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-1024x734.png" alt="Anti-replay attack diagram" width="1024" height="734" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-1024x734.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-300x215.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-768x550.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-488x350.png 488w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-740x530.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-391x280.png 391w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11-800x573.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162116/XZ_backdoor_analysis_part_3_11.png 1528w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113023" class="wp-caption-text">Anti-replay attack diagram</p></div>
  924. <p>If all the checks pass, the code proceeds to parse the arguments of the desired backdoor command. The backdoor can execute the commands in two modes, root and non-root, and the execution can vary depending on the privilege level. However, the non-root mode operations don&#8217;t appear to be the attacker&#8217;s goal, so we&#8217;ll describe what the root-mode code does.</p>
  925. <h2 id="backdoor-commands">Backdoor commands</h2>
  926. <p>The command chosen by the attacker depends on the result of the calculation on the header fields. The core backdoor commands essentially allow the attacker to log into the server as root or a regular user and execute some system commands. This section describes what each command does.</p>
  927. <h3 id="bypass-ssh-authentication">Bypass SSH authentication</h3>
  928. <p>Both commands <strong>0</strong> and <strong>1</strong> enable root login on the SSH server if it wasn&#8217;t previously enabled. Additionally, they can optionally disable the use of <a href="https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam" target="_blank" rel="noopener">Pluggable Authentication Modules (PAM)</a>. Next, depending on the command, one of two OpenSSH functions can be hooked, the <a href="https://github.com/openssh/openssh-portable/blob/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c/monitor.c#L878" target="_blank" rel="noopener"><em>mm_answer_authpassword</em></a> if the command is <strong>1</strong> or the <a href="https://github.com/openssh/openssh-portable/blob/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c/monitor.c#L1152" target="_blank" rel="noopener"><em>mm_answer_keyallowed</em></a> if the command is <strong>0</strong>.</p>
  929. <div id="attachment_113025" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113025" class="size-large wp-image-113025" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-1024x730.png" alt="First command core code" width="1024" height="730" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-1024x730.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-300x214.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-768x548.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-491x350.png 491w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-740x528.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-393x280.png 393w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12-800x570.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162226/XZ_backdoor_analysis_part_3_12.png 1139w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113025" class="wp-caption-text">First command core code</p></div>
  930. <p>The <em>mm_answer_authpassword </em>hook allows the attacker to use any username/password to log in to the infected server without any further checks. We&#8217;ll describe <em>mm_answer_keyallowed </em>in more detail later.</p>
  931. <h3 id="remote-command-execution-via-system-call">Remote command execution via &#8216;system&#8217; call</h3>
  932. <p>If the command is <strong>2</strong>, it extracts the command string from the payload data and executes it on the machine using the <em>system </em>function. The attacker can send specific flags in the payload body to specify the user and group ID under which the command should be executed.</p>
  933. <div id="attachment_113026" style="width: 948px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113026" class="size-full wp-image-113026" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13.png" alt="Remote command execution code snippet" width="938" height="524" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13.png 938w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-300x168.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-768x429.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-270x150.png 270w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-627x350.png 627w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-740x413.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-501x280.png 501w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162314/XZ_backdoor_analysis_part_3_13-800x447.png 800w" sizes="(max-width: 938px) 100vw, 938px" /></a><p id="caption-attachment-113026" class="wp-caption-text">Remote command execution code snippet</p></div>
  934. <p>The last backdoor command (3) simply closes the pre-auth session by exiting the Monitor process.</p>
  935. <p>After the main hook function completes, the backdoor replaces the incoming RSA public key with an <strong>empty </strong>one to avoid logging any malicious data from the attacker.</p>
  936. <h3>The <em>mm_answer_keyallowed </em>hook</h3>
  937. <p>If the backdoor command is <strong>0</strong> the <a href="https://github.com/openssh/openssh-portable/blob/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c/monitor.c#L1152" target="_blank" rel="noopener"><em>mm_answer_keyallowed</em></a> function will be hooked. This function is called by the privileged <em>Monitor</em> process when the unprivileged <em>NetworkProcessing</em> sshd process receives the <em>publickey</em> method of the <em>ssh-userauth</em> request, allowing the backdoor to process additional commands at that stage.</p>
  938. <p>In this processing method, similar steps occur: the modulus of the RSA key attached to the <em>ssh-userauth</em> request is extracted, decrypted, and its signature is checked as explained earlier. The possible subcommands are:</p>
  939. <ul>
  940. <li>SubCommand 1:
  941. <ul>
  942. <li>Hook the <em>mm_answer_authpassword</em> function to allow user login requests with any password.</li>
  943. </ul>
  944. </li>
  945. <li>SubCommand 2:
  946. <ul>
  947. <li>Hook the<em> mm_answer_keyverify</em> function to allow authentication with fake keys and store the received backdoor command inside an internal structure. The <em>mm_answer_keyverify</em> hook essentially allows the incoming key to pass through the authentication process without further checks, successfully completing authorization with a fake key.</li>
  948. </ul>
  949. </li>
  950. <li>SubCommand 3:
  951. <ul>
  952. <li>Similar to the system execution method, this command allows the execution of commands using the <em>system </em>function, with the option to choose the group/user ID.</li>
  953. </ul>
  954. </li>
  955. </ul>
  956. <h2 id="log-hiding-capabilities">Log hiding capabilities</h2>
  957. <p>The backdoor can also hide logs that indicate unauthorized connections to the SSH server by hooking the logging function and optionally calling the libc <em>setlogmask(0x80000000)</em>, which causes all syslog messages to be ignored. Passing <em>0x80000000</em> effectively sets the log mask to zero: an argument of zero itself is a <a href="https://manpages.org/setlogmask/3" target="_blank" rel="noopener">reserved value</a> that returns the current mask without changing it, while 0x80000000 is non-zero yet shares no bit with any of the eight priority mask bits, so no message passes.</p>
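<p>The setlogmask semantics just described, shown through Python's syslog module (a thin wrapper over the libc call) as an added example that is not code from the post: argument 0 is a query that changes nothing, 0x80000000 installs a mask that admits no priority, and 255 (the value the hook temporarily restores) re-enables everything.</p>

```python
"""Why the backdoor passes 0x80000000 to setlogmask(3) rather than 0.

Added example, not code from the post. Python's syslog module wraps the
libc call, so this shows libc's own behaviour: setlogmask(0) is a reserved
query that changes nothing, while 0x80000000 is a non-zero mask with no bit
in common with LOG_MASK(p) for any of the eight priorities (bits 0..7), so
every message is dropped.
"""
import syslog

PRIORITIES = range(syslog.LOG_EMERG, syslog.LOG_DEBUG + 1)  # 0..7
# 0x80000000 written as the signed 32-bit int that libc's setlogmask receives.
SILENCE_MASK = -0x80000000
DEFAULT_MASK = syslog.LOG_UPTO(syslog.LOG_DEBUG)  # 255: every priority allowed


def allowed_priorities(mask):
    """Priorities whose messages pass `mask` (the check syslog itself applies)."""
    return [p for p in PRIORITIES if mask & syslog.LOG_MASK(p)]


def current_mask():
    """Read the process-wide log mask without changing it (argument 0)."""
    return syslog.setlogmask(0)


def demonstrate():
    """Return (zero_is_noop, allowed_after_silencing, allowed_after_restore)."""
    original = current_mask()
    try:
        syslog.setlogmask(0)                  # reserved value: mask unchanged
        zero_is_noop = current_mask() == original
        syslog.setlogmask(SILENCE_MASK)       # the backdoor's call: nothing passes
        after_silence = len(allowed_priorities(current_mask()))
        syslog.setlogmask(DEFAULT_MASK)       # what its "Connection closed by" handler restores
        after_restore = len(allowed_priorities(current_mask()))
    finally:
        syslog.setlogmask(original)           # leave the process as we found it
    return zero_is_noop, after_silence, after_restore


if __name__ == "__main__":
    print(demonstrate())
```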
  958. <p>The hook also filters out log messages by looking them up in the prefix tree described in our <a href="https://securelist.com/xz-backdoor-story-part-1/112354/">first post about the XZ backdoor</a>. Its further behavior depends on which of the targeted messages were found (if any):</p>
  959. <div id="attachment_113027" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113027" class="size-large wp-image-113027" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-1024x741.png" alt="Log filtering code snippet" width="1024" height="741" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-1024x741.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-300x217.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-768x556.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-483x350.png 483w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-740x536.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-387x280.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14-800x579.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/21162421/XZ_backdoor_analysis_part_3_14.png 1065w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113027" class="wp-caption-text">Log filtering code snippet</p></div>
  960. <p>The available log filters are:</p>
  961. <table width="100%">
  962. <tbody>
  963. <tr>
  964. <td width="50%"><strong>Log message</strong></td>
  965. <td width="50%"><strong>How it is processed</strong></td>
  966. </tr>
  967. <tr>
  968. <td>&#8220;Connection closed by &#8220;</td>
  969. <td>Temporarily restores libc&#8217;s syslog mask to its default value 255, allowing all syslog messages if it was previously cleared, and allows this message to be logged.<br />
  970. Disables syslog messages again by clearing the log mask</td>
  971. </tr>
  972. <tr>
  973. <td>&#8220;Accepted password for &#8221;<br />
  974. &#8220;Accepted publickey for &#8220;</td>
  975. <td>Replaces these successful connection messages with messages about failed authentication attempts. Also temporarily enables and then disables the syslog mask if it was previously cleared.</td>
  976. </tr>
  977. <tr>
  978. <td>All other log messages</td>
  979. <td>Filtered out (not printed)</td>
  980. </tr>
  981. </tbody>
  982. </table>
  983. <h2 id="conclusion">Conclusion</h2>
  984. <p>After three posts on this backdoor, we can conclude that it is indeed a highly sophisticated threat with many peculiarities. Several highlights make this threat unique, such as the way the public key information is embedded in the binary code itself, complicating the recovery process, and the meticulous preparation of the operation, which involves a long-running <a href="https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/" target="_blank" rel="noopener">social engineering</a> campaign.</p>
  985. <p>It is notable that the group or attacker behind this threat has extensive knowledge of the internals of open-source projects such as SSH and libc, as well as expertise in code/script obfuscation used to <a href="https://securelist.com/xz-backdoor-story-part-1/112354/" target="_blank" rel="noopener">start the infection</a>.</p>
  986. <p>Kaspersky products detect malicious objects associated with the attack as HEUR:Trojan.Script.XZ and Trojan.Shell.XZ. In addition, Kaspersky Endpoint Security for Linux detects malicious code in sshd process memory as MEM:Trojan.Linux.XZ (as part of the Critical Areas Scan task).</p>
  987. ]]></content:encoded>
  988. <wfw:commentRss>https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/feed/</wfw:commentRss>
  989. <slash:comments>0</slash:comments>
  990. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24093931/sl-xz-backdoor-featured-1.jpg" width="2523" height="1584"><media:keywords>full</media:keywords></media:content>
  991. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24093931/sl-xz-backdoor-featured-1-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  992. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24093931/sl-xz-backdoor-featured-1-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  993. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/24093931/sl-xz-backdoor-featured-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  994. </item>
  995. <item>
  996. <title>Analysis of user password strength</title>
  997. <link>https://securelist.com/password-brute-force-time/112984/</link>
  998. <comments>https://securelist.com/password-brute-force-time/112984/#comments</comments>
  999. <dc:creator><![CDATA[Alexey Antonov]]></dc:creator>
  1000. <pubDate>Tue, 18 Jun 2024 11:30:32 +0000</pubDate>
  1001. <category><![CDATA[Research]]></category>
  1002. <category><![CDATA[Brute force]]></category>
  1003. <category><![CDATA[Cybersecurity]]></category>
  1004. <category><![CDATA[Data leaks]]></category>
  1005. <category><![CDATA[Passwords]]></category>
  1006. <category><![CDATA[Security assessment]]></category>
  1007. <category><![CDATA[Cybersecurity]]></category>
  1008. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112984</guid>
  1009.  
  1010. <description><![CDATA[Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques.]]></description>
  1011. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/18101514/sl-abstract-speedometer-1200x576-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of same-case English letters and digits, or 36 combinable characters, within just 17 seconds.</p>
  1012. <p>Our study of resistance to brute-force attacks found that a large percentage of passwords (59%) can be cracked in under one hour.</p>
  1013. <h2 id="how-passwords-are-typically-stored">How passwords are typically stored</h2>
  1014. <p>To be able to authenticate users, websites need a way to store login-password pairs and use these to verify data entered by the user. In most cases, passwords are stored as hashes, rather than plaintext, so that attackers cannot use them in the event of a <a href="https://www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/" target="_blank" rel="noopener">leak</a>. To prevent the password from being guessed with the help of <a href="https://encyclopedia.kaspersky.com/glossary/rainbow-table/" target="_blank" rel="noopener">rainbow tables</a>, a <a href="https://encyclopedia.kaspersky.com/glossary/salt/" target="_blank" rel="noopener">salt</a> is added before hashing.</p>
<p>Although hashes are inherently irreversible, an attacker with access to a leaked database can try to guess the passwords. They would have an unlimited number of attempts, as the database itself has no protection against brute-forcing whatsoever. Ready-made password-guessing tools, such as <a href="https://hashcat.net/hashcat/" target="_blank" rel="noopener">hashcat</a>, can be found online.</p>
  1016. <h2 id="methodology">Methodology</h2>
  1017. <p>Our study looked at 193 million passwords found freely accessible on various dark web sites. Kaspersky does not collect or store user passwords. More details are available <a href="https://www.kaspersky.com/blog/kaspersky-international-password-day-2024/51095/" target="_blank" rel="noopener">here</a> and <a href="https://www.kaspersky.com/blog/how-secure-is-your-password-manager/47034/" target="_blank" rel="noopener">here</a>.</p>
<p>We estimated the time it takes to guess a password from a hash using brute force and various advanced algorithms, such as dictionary attacks and/or enumeration of common character combinations. By dictionary we mean here a list of character combinations frequently used in passwords; these include, but are not limited to, real English words.</p>
  1019. <h2 id="brute-force-attacks">Brute force attacks</h2>
<p>The brute-force method is still one of the simplest and most straightforward: the computer tries every possible password option until one works. This is not a one-size-fits-all approach: plain enumeration takes no advantage of the dictionary words that passwords are often built from, and it is noticeably worse at guessing longer passwords than shorter ones.</p>
<p>We analyzed the brute-forcing speed as applied to the database under review. For clarity, we have divided the passwords in the sample into <em>patterns</em> according to the types of characters they contain.</p>
  1022. <ul>
  1023. <li><strong>a</strong>: the password contains only lowercase or only uppercase letters.</li>
  1024. <li><strong>aA</strong>: the password contains both lowercase and uppercase letters.</li>
  1025. <li><strong>0</strong>: the password contains digits.</li>
  1026. <li><strong>!</strong>: the password contains special characters.</li>
  1027. </ul>
  1028. <p>The time it takes to crack a password using the brute-force method depends on the length and the number of character types. The results in the table are calculated for the <a href="https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd" target="_blank" rel="noopener">RTX 4090 GPU</a> and the MD5 hashing algorithm with a salt. The speed of enumeration in this configuration is 164 billion hashes per second. The percentages in the table are rounded.</p>
  1029. <table width="100%">
  1030. <tbody>
  1031. <tr>
  1032. <td rowspan="2" width="9%"><strong>Password pattern</strong></td>
  1033. <td rowspan="2" width="9%"><strong>Share of passwords of this type in the dataset, %</strong></td>
  1034. <td style="text-align: center" colspan="6" width="55%"><strong>Share of brute-forceable passwords (by pattern, %)</strong></td>
  1035. <td style="text-align: center" colspan="3" width="27%"><strong>Maximum password length in characters by crack time</strong></td>
  1036. </tr>
  1037. <tr>
  1038. <td width="9%"><strong>&lt; 60 s</strong></td>
  1039. <td width="9%"><strong>60 s to 60 min</strong></td>
  1040. <td width="9%"><strong>60 min to 24 h</strong></td>
  1041. <td width="9%"><strong>24 h to 30 d</strong></td>
  1042. <td width="10%"><strong>30 d to 365 d</strong></td>
  1043. <td width="9%"><strong>&gt; 365 d</strong></td>
  1044. <td width="9%"><strong>24 h to 30 d</strong></td>
  1045. <td width="9%"><strong>30 d to 365 d</strong></td>
  1046. <td width="9%"><strong>&gt; 365 d</strong></td>
  1047. </tr>
  1048. <tr>
  1049. <td>aA0!</td>
  1050. <td>28</td>
<td>0.2</td>
<td>0.4</td>
  1053. <td>5</td>
  1054. <td>0</td>
  1055. <td>9</td>
  1056. <td>85</td>
  1057. <td>—</td>
  1058. <td>9</td>
  1059. <td>10</td>
  1060. </tr>
  1061. <tr>
  1062. <td>a0</td>
  1063. <td>26</td>
  1064. <td>28</td>
  1065. <td>13</td>
  1066. <td>15</td>
  1067. <td>11</td>
  1068. <td>10</td>
  1069. <td>24</td>
  1070. <td>11</td>
  1071. <td>12</td>
  1072. <td>13</td>
  1073. </tr>
  1074. <tr>
  1075. <td>aA0</td>
  1076. <td>24</td>
  1077. <td>3</td>
  1078. <td>16</td>
  1079. <td>11</td>
  1080. <td>0</td>
  1081. <td>15</td>
  1082. <td>55</td>
  1083. <td>—</td>
  1084. <td>10</td>
  1085. <td>11</td>
  1086. </tr>
  1087. <tr>
  1088. <td>a0!</td>
  1089. <td>7</td>
  1090. <td>2</td>
  1091. <td>9</td>
  1092. <td>0</td>
  1093. <td>14</td>
  1094. <td>15</td>
  1095. <td>59</td>
  1096. <td>9</td>
  1097. <td>10</td>
  1098. <td>11</td>
  1099. </tr>
  1100. <tr>
  1101. <td>0</td>
  1102. <td>6</td>
  1103. <td>94</td>
  1104. <td>4</td>
  1105. <td>2</td>
  1106. <td>0</td>
  1107. <td>0</td>
  1108. <td>0</td>
  1109. <td>—</td>
  1110. <td>—</td>
  1111. <td>—</td>
  1112. </tr>
  1113. <tr>
  1114. <td>a</td>
  1115. <td>6</td>
  1116. <td>45</td>
  1117. <td>13</td>
  1118. <td>10</td>
  1119. <td>9</td>
  1120. <td>6</td>
  1121. <td>17</td>
  1122. <td>12</td>
  1123. <td>13</td>
  1124. <td>14</td>
  1125. </tr>
  1126. <tr>
  1127. <td>aA</td>
  1128. <td>2</td>
  1129. <td>15</td>
  1130. <td>22</td>
  1131. <td>11</td>
  1132. <td>14</td>
  1133. <td>0</td>
  1134. <td>38</td>
  1135. <td>10</td>
  1136. <td>—</td>
  1137. <td>11</td>
  1138. </tr>
  1139. <tr>
  1140. <td>a!</td>
  1141. <td>1</td>
  1142. <td>6</td>
  1143. <td>9</td>
  1144. <td>11</td>
  1145. <td>0</td>
  1146. <td>11</td>
  1147. <td>62</td>
  1148. <td>—</td>
  1149. <td>10</td>
  1150. <td>11</td>
  1151. </tr>
  1152. <tr>
  1153. <td>aA!</td>
<td>0.7</td>
  1155. <td>3</td>
  1156. <td>2</td>
  1157. <td>12</td>
  1158. <td>10</td>
  1159. <td>0</td>
  1160. <td>73</td>
  1161. <td>9</td>
  1162. <td>—</td>
  1163. <td>10</td>
  1164. </tr>
  1165. <tr>
  1166. <td>0!</td>
<td>0.5</td>
  1168. <td>10</td>
  1169. <td>27</td>
  1170. <td>0</td>
  1171. <td>18</td>
  1172. <td>13</td>
  1173. <td>32</td>
  1174. <td>10</td>
  1175. <td>11</td>
  1176. <td>12</td>
  1177. </tr>
  1178. <tr>
  1179. <td>!</td>
<td>0.006</td>
  1181. <td>50</td>
  1182. <td>9</td>
  1183. <td>10</td>
  1184. <td>5</td>
  1185. <td>6</td>
  1186. <td>19</td>
  1187. <td>11</td>
  1188. <td>12</td>
  1189. <td>13</td>
  1190. </tr>
  1191. </tbody>
  1192. </table>
<p>The most popular type of password (28%) includes lowercase and uppercase letters, special characters and digits. Most of these passwords in the sample under review are difficult to brute-force. About 5% can be guessed within a day, but 85% of passwords of this type take more than a year to work out. The crack time depends on the length: a password of nine characters can be guessed within a year, while one of 10 characters takes more than a year.</p>
<p>The passwords least resistant to brute-force attacks are those that consist of only letters, only digits or only special characters. These made up 14% of the sample, and most of them can be cracked in less than a day. Strong letter-only passwords start at 11 characters. There were no strong digit-only passwords in the sample.</p>
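<p>An added example, not code from the study: a Python model of the exhaustive-search time behind the table, at the quoted 164 billion hashes per second. It assumes alphabets of 26 lowercase, 26 uppercase, 10 digit and 33 special characters (an assumption; the article states only the results). With those sizes it reproduces the three rightmost columns for every pattern except digit-only, whose dashes follow from the 0% shares, as well as the 17-second figure for an eight-character letters-and-digits password.</p>

```python
"""Exhaustive-search crack-time model for the pattern table.

Added example, not code from the study. Assumptions:
  - alphabet sizes: 26 lowercase, 26 uppercase, 10 digits, 33 special
    characters (ASCII punctuation); the article states only the results;
  - the attacker must try every candidate: time = alphabet**length / rate.
"""

# Salted MD5 on an RTX 4090, the rate quoted in the article.
RATE_HASHES_PER_SECOND = 164e9

# Character classes behind the article's pattern letters (assumed sizes).
CLASS_SIZES = {"a": 26, "A": 26, "0": 10, "!": 33}

# The table's crack-time buckets as (label, exclusive upper bound in seconds).
MINUTE, HOUR, DAY = 60, 3600, 86400
BUCKETS = [
    ("< 60 s", MINUTE),
    ("60 s to 60 min", HOUR),
    ("60 min to 24 h", DAY),
    ("24 h to 30 d", 30 * DAY),
    ("30 d to 365 d", 365 * DAY),
    ("> 365 d", float("inf")),
]
LONG_BUCKETS = ("24 h to 30 d", "30 d to 365 d", "> 365 d")


def alphabet_size(pattern: str) -> int:
    """Alphabet a brute-forcer must enumerate for a pattern such as "aA0!".

    "a" on its own means only lowercase or only uppercase letters (26
    symbols); "aA" means both cases are present (52 symbols).
    """
    if not pattern or any(c not in CLASS_SIZES for c in pattern):
        raise ValueError(f"unknown pattern {pattern!r}")
    return sum(CLASS_SIZES[c] for c in pattern)


def crack_time_seconds(pattern: str, length: int,
                       rate: float = RATE_HASHES_PER_SECOND) -> float:
    """Time to exhaust every password of this pattern and length."""
    return alphabet_size(pattern) ** length / rate


def bucket(seconds: float) -> str:
    """Map a crack time onto the table's bucket label."""
    for label, upper in BUCKETS:
        if seconds < upper:
            return label
    return BUCKETS[-1][0]  # only reached for an infinite time


def first_length_in_bucket(pattern: str, max_length: int = 64) -> dict:
    """Smallest length whose exhaustive search lands in each bucket.

    This is what the three rightmost table columns report: None (a dash in
    the table) means no length of this pattern falls into that bucket, e.g.
    eight aA0! characters take hours while nine already take over 30 days.
    """
    first = {label: None for label, _ in BUCKETS}
    for length in range(1, max_length + 1):
        label = bucket(crack_time_seconds(pattern, length))
        if first[label] is None:
            first[label] = length
    return first


def min_length_for_years(pattern: str, years: float = 1.0) -> int:
    """Shortest length that an exhaustive search cannot finish in `years`."""
    target = years * 365 * DAY * RATE_HASHES_PER_SECOND
    size, length = alphabet_size(pattern), 1
    while size ** length < target:
        length += 1
    return length


if __name__ == "__main__":
    # The introduction's figure: eight letters-and-digits characters.
    print(f"a0 x 8: {crack_time_seconds('a0', 8):.1f} s")
    # The rightmost three columns of the table, pattern by pattern.
    for pattern in ("aA0!", "a0", "aA0", "a0!", "0", "a",
                    "aA", "a!", "aA!", "0!", "!"):
        cols = first_length_in_bucket(pattern)
        print(f"{pattern:5} " + "  ".join(
            str(cols[b] or "-") for b in LONG_BUCKETS))
```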
  1195. <h2 id="smart-brute-force-attacks">Smart brute-force attacks</h2>
  1196. <p>As mentioned above, brute force is a suboptimal password-guessing algorithm. Passwords often <a href="https://securelist.com/password-brute-force-time/112984/" target="_blank" rel="noopener">consist</a> of certain character combinations: words, names, dates, sequences (&#8220;12345&#8221; or &#8220;qwerty&#8221;). If you make your brute-force algorithm consider this, you can speed up the process:</p>
  1197. <ul>
  1198. <li><strong>bruteforce_corr</strong> is an optimized version of the brute-force method. You can use a large sample to measure the frequency of a certain password pattern. Next, you can allocate to each variety a percentage of computational time that corresponds to its real-life frequency. Thus, if there are three patterns, and the first one is used in 50% of cases, and the second and third in 25%, then per minute our computer will spend 30 seconds enumerating pattern one, and 15 seconds enumerating patterns two and three each.</li>
<li><strong>zxcvbn</strong> is an advanced algorithm for <a href="https://github.com/dropbox/zxcvbn" target="_blank" rel="noopener">gauging password strength</a>. The algorithm identifies the pattern the password belongs to, such as &#8220;word, three digits&#8221; or &#8220;special character, dictionary word, digit sequence&#8221;. Next, it calculates the number of iterations required for enumerating each element in the pattern. So, if the password contains a dictionary word, finding it will take a number of iterations equal to the size of the dictionary. If a part of the pattern is random, it will have to be brute-forced. You can calculate the total complexity of cracking the password if you know the time it takes to guess each component of the pattern. This method has a limitation: successful enumeration requires specifying a password or assuming a pattern. However, you can find the popularity of patterns by using stolen samples. Then, as with the brute-force option, allocate to the pattern an amount of computational time proportional to its occurrence. We designate this algorithm as <strong>&#8220;zxcvbn_corr&#8221;</strong>.</li>
  1200. <li><strong>unogram</strong> is the simplest language algorithm. Rather than requiring a password pattern, it relies on the frequency of each character, calculated from a sample of passwords. The algorithm prioritizes the most popular characters when enumerating. So, to estimate the crack time, it is enough to calculate the probability of the characters appearing in the password.</li>
  1201. <li><strong>3gram_seq</strong>, <strong>ngram_seq</strong> are algorithms that calculate the probability of the next character depending on n-1 previous ones. The proposed algorithm starts enumerating one character, and then sequentially adds the next one, while starting with the longest and most frequently occurring n-grams. In the study, we used n-grams ranging from 1 to 10 characters that appear more than 50 times in the password database. The 3gram_seq algorithm is limited to n-grams up to and including three characters long.</li>
<li><strong>3gram_opt_corr</strong>, <strong>ngram_opt_corr</strong> are optimized versions of the n-gram algorithms. The previous algorithms generated the password from the beginning, adding one character at a time. However, in some cases enumeration goes faster if you start from the end, from the middle, or from several positions simultaneously. The <em>*_opt_*</em> algorithms check these variants for a specific password and select the best one. The drawback is that they need a password pattern to determine where to start generating from. When adjusted for different patterns, these algorithms are generally slower overall; still, they can provide a significant advantage for specific passwords.</li>
  1203. </ul>
  1204. <p>Also, for each password, we calculated a <strong>best</strong> value: the best crack time among all the algorithms used. This is a hypothetical ideal case. To implement it, you will need to &#8220;guess&#8221; an appropriate algorithm or simultaneously run each of the aforementioned algorithms on a GPU of its own.</p>
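<p>An added example, not code from the study: the Python below turns two ideas from the list into functions, the proportional time split of the <strong>*_corr</strong> variants and the zxcvbn-style estimate of a structured password's cost as the product of its components' search spaces. The dictionary sizes, pattern shares and the sample shape <em>name + four digits + one special character</em> are constructed for illustration; only the 164 billion hashes per second figure comes from the article.</p>

```python
"""Smart-guessing cost model: *_corr time allocation and zxcvbn-style
pattern complexity. Added example, not code from the study.

Constructed for illustration: the dictionary sizes, the pattern shares and
the sample password shape. Only the hash rate comes from the article.
"""
from typing import Dict, List, Tuple

RATE_HASHES_PER_SECOND = 164e9                      # RTX 4090, salted MD5
CLASS_SIZES = {"a": 26, "A": 26, "0": 10, "!": 33}  # assumed alphabet sizes

# A component is (kind, argument); see component_space() for the kinds.
Component = Tuple[str, object]


def allocate_budget(pattern_shares: Dict[str, float],
                    budget_seconds: float = 60.0) -> Dict[str, float]:
    """bruteforce_corr scheduling: give each pattern GPU time in proportion
    to how often it occurs in a large password sample."""
    total = sum(pattern_shares.values())
    if total <= 0:
        raise ValueError("pattern shares must sum to a positive number")
    return {p: budget_seconds * share / total
            for p, share in pattern_shares.items()}


def component_space(kind: str, arg) -> int:
    """Number of candidates an attacker must try for one pattern component.

    ("dict", N)              -> N dictionary entries
    ("dict_cap", N)          -> 2 * N, entry as-is or capitalised
    ("sequence", N)          -> N well-known sequences ("12345", "qwerty")
    ("random", (classes, L)) -> alphabet(classes) ** L, brute-forced
    """
    if kind in ("dict", "sequence"):
        return int(arg)
    if kind == "dict_cap":
        return 2 * int(arg)
    if kind == "random":
        classes, length = arg
        return sum(CLASS_SIZES[c] for c in classes) ** length
    raise ValueError(f"unknown component kind {kind!r}")


def pattern_guesses(components: List[Component]) -> int:
    """zxcvbn-style estimate: components are enumerated independently, so the
    total search space is the product of the individual spaces."""
    total = 1
    for kind, arg in components:
        total *= component_space(kind, arg)
    return total


def corrected_time(guesses: int, pattern_share: float,
                   rate: float = RATE_HASHES_PER_SECOND) -> float:
    """*_corr crack time: only `pattern_share` of the GPU works on this
    pattern, so the effective rate shrinks accordingly."""
    if not 0 < pattern_share <= 1:
        raise ValueError("pattern_share must be in (0, 1]")
    return guesses / (rate * pattern_share)


# Constructed sample: an 11-character password shaped like Name+YYYY+symbol,
# e.g. "Daniel2019!" (pattern dict_aA0! in the article's notation).
NAME_PLUS_DIGITS = [("dict_cap", 10_000),          # 10k first names
                    ("random", ("0", 4)),           # four digits
                    ("random", ("!", 1))]           # one special character
PLAIN_BRUTE_FORCE = [("random", ("aA0!", 11))]     # same length, no structure


def compare_sample(pattern_share: float = 0.10) -> Tuple[float, float]:
    """Seconds for the sample password under the zxcvbn_corr model (with a
    10% share of GPU time) versus plain brute force at the full rate."""
    smart = corrected_time(pattern_guesses(NAME_PLUS_DIGITS), pattern_share)
    brute = pattern_guesses(PLAIN_BRUTE_FORCE) / RATE_HASHES_PER_SECOND
    return smart, brute


if __name__ == "__main__":
    # The article's worked split: 50/25/25 % of a minute -> 30/15/15 s.
    print(allocate_budget({"pattern_1": 50, "pattern_2": 25, "pattern_3": 25}))
    smart, brute = compare_sample()
    print(f"structured guess: {smart:.2f} s, "
          f"brute force: {brute / 86400 / 365:.0f} years")
```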
  1205. <p>Below are the results of gauging password strength by running the algorithms on an RTX 4090 GPU for MD5 with a salt.</p>
  1206. <table width="100%">
  1207. <tbody>
  1208. <tr>
  1209. <td rowspan="2" width="11%"><strong>Crack time</strong></td>
  1210. <td style="text-align: center" colspan="8" width="89%"><strong>Percentage of brute-forceable passwords</strong></td>
  1211. </tr>
  1212. <tr>
  1213. <td width="11%"><strong>ngram_seq</strong></td>
  1214. <td width="11%"><strong>3gram_seq</strong></td>
  1215. <td width="11%"><strong>unogram</strong></td>
  1216. <td width="11%"><strong>ngram_opt<br />
  1217. _corr</strong></td>
  1218. <td width="11%"><strong>3gram_opt<br />
  1219. _corr</strong></td>
  1220. <td width="11%"><strong>zxcvbn<br />
  1221. _corr</strong></td>
  1222. <td width="11%"><strong>bruteforce<br />
  1223. _corr</strong></td>
  1224. <td width="12%"><strong><span style="color: #ff0000">Best</span></strong></td>
  1225. </tr>
  1226. <tr>
  1227. <td><strong>&lt; 60 s</strong></td>
  1228. <td>41%</td>
  1229. <td>29%</td>
  1230. <td>12%</td>
  1231. <td>23%</td>
  1232. <td>10%</td>
  1233. <td>27%</td>
  1234. <td>10%</td>
  1235. <td><span style="color: #ff0000">45%</span></td>
  1236. </tr>
  1237. <tr>
  1238. <td><strong>60 s to 60 min</strong></td>
  1239. <td>14%</td>
  1240. <td>16%</td>
  1241. <td>12%</td>
  1242. <td>15%</td>
  1243. <td>12%</td>
  1244. <td>15%</td>
  1245. <td>10%</td>
  1246. <td><span style="color: #ff0000">14%</span></td>
  1247. </tr>
  1248. <tr>
  1249. <td><strong>60 min to 24 h</strong></td>
  1250. <td>9%</td>
  1251. <td>11%</td>
  1252. <td>12%</td>
  1253. <td>11%</td>
  1254. <td>12%</td>
  1255. <td>9%</td>
  1256. <td>6%</td>
  1257. <td><span style="color: #ff0000">8%</span></td>
  1258. </tr>
  1259. <tr>
  1260. <td><strong>24 h to 30 d</strong></td>
  1261. <td>7%</td>
  1262. <td>9%</td>
  1263. <td>11%</td>
  1264. <td>10%</td>
  1265. <td>11%</td>
  1266. <td>9%</td>
  1267. <td>9%</td>
  1268. <td><span style="color: #ff0000">6%</span></td>
  1269. </tr>
  1270. <tr>
  1271. <td><strong>30 d to 365 d</strong></td>
  1272. <td>4%</td>
  1273. <td>5%</td>
  1274. <td>7%</td>
  1275. <td>6%</td>
  1276. <td>8%</td>
  1277. <td>6%</td>
  1278. <td>10%</td>
  1279. <td><span style="color: #ff0000">4%</span></td>
  1280. </tr>
  1281. <tr>
  1282. <td><strong>&gt; 365 d</strong></td>
  1283. <td>25%</td>
  1284. <td>30%</td>
  1285. <td>47%</td>
  1286. <td>35%</td>
  1287. <td>47%</td>
  1288. <td>35%</td>
  1289. <td>54%</td>
  1290. <td><span style="color: #ff0000">23%</span></td>
  1291. </tr>
  1292. </tbody>
  1293. </table>
  1294. <p>The bottom line is, when using the most efficient algorithm, 45% of passwords in the sample under review can be guessed within one minute, 59% within one hour, and 73% within a month. Only 23% of passwords take more than one year to crack.</p>
  1295. <p>Importantly, guessing all the passwords in the database will take almost as much time as guessing one of them. During the attack, the hacker checks the database for the hash obtained in the current iteration. If the hash is in the database, the password is marked as cracked, and the algorithm moves on to working on the others.</p>
  1296. <h2 id="the-use-of-dictionary-words-reduces-password-strength">The use of dictionary words reduces password strength</h2>
  1297. <p>To find which password patterns are most resistant to hacking, we calculated the <strong>best </strong>value for an expanded set of criteria. For this purpose, we created a dictionary of frequently used combinations of four or more characters, and added these to the password pattern list.</p>
  1298. <ul>
  1299. <li><strong>dict</strong>: the password contains one or more dictionary words.</li>
  1300. <li><strong>dict_only</strong>: the password contains only dictionary words.</li>
  1301. </ul>
  1302. <table width="100%">
  1303. <tbody>
  1304. <tr>
  1305. <td rowspan="2" width="9%"><strong>Password pattern</strong></td>
  1306. <td rowspan="2" width="9%"><strong>Share of passwords, %</strong></td>
  1307. <td style="text-align: center" colspan="6" width="55%"><strong>Share of passwords that can be cracked with a dictionary attack (by pattern, %)</strong></td>
  1308. <td style="text-align: center" colspan="3" width="27%"><strong>Maximum password length in characters by crack time</strong></td>
  1309. </tr>
  1310. <tr>
  1311. <td width="9%"><strong>&lt; 60 s</strong></td>
  1312. <td width="9%"><strong>60 s to 60 min</strong></td>
  1313. <td width="10%"><strong>60 min to 24 h</strong></td>
  1314. <td width="9%"><strong>24 h to 30 d</strong></td>
  1315. <td width="9%"><strong>30 d to 365 d</strong></td>
  1316. <td width="9%"><strong>&gt; 365 d</strong></td>
  1317. <td width="9%"><strong>24 h to 30 d</strong></td>
  1318. <td width="9%"><strong>30 d to 365 d</strong></td>
  1319. <td width="9%"><strong>&gt; 365 d</strong></td>
  1320. </tr>
  1321. <tr>
  1322. <td>dict_a0</td>
  1323. <td>17</td>
  1324. <td>63</td>
  1325. <td>15</td>
  1326. <td>8</td>
  1327. <td>5</td>
  1328. <td>3</td>
  1329. <td>7</td>
  1330. <td>10</td>
  1331. <td>11</td>
  1332. <td>12</td>
  1333. </tr>
  1334. <tr>
  1335. <td>aA0!</td>
  1336. <td>14</td>
  1337. <td>5</td>
  1338. <td>6</td>
  1339. <td>5</td>
  1340. <td>5</td>
  1341. <td>3</td>
  1342. <td>76</td>
  1343. <td>6</td>
  1344. <td>7</td>
  1345. <td>8</td>
  1346. </tr>
  1347. <tr>
  1348. <td>dict_aA0</td>
  1349. <td>14</td>
  1350. <td>51</td>
  1351. <td>17</td>
  1352. <td>10</td>
  1353. <td>7</td>
  1354. <td>4</td>
  1355. <td>11</td>
  1356. <td>9</td>
  1357. <td>10</td>
  1358. <td>11</td>
  1359. </tr>
  1360. <tr>
  1361. <td>dict_aA0!</td>
  1362. <td>14</td>
  1363. <td>34</td>
  1364. <td>18</td>
  1365. <td>12</td>
  1366. <td>10</td>
  1367. <td>6</td>
  1368. <td>20</td>
  1369. <td>7</td>
  1370. <td>8</td>
  1371. <td>8</td>
  1372. </tr>
  1373. <tr>
  1374. <td>a0</td>
  1375. <td>10</td>
  1376. <td>59</td>
  1377. <td>22</td>
  1378. <td>6</td>
  1379. <td>6</td>
  1380. <td>1.8</td>
  1381. <td>6</td>
  1382. <td>10</td>
  1383. <td>11</td>
  1384. <td>12</td>
  1385. </tr>
  1386. <tr>
  1387. <td>aA0</td>
  1388. <td>10</td>
  1389. <td>19</td>
  1390. <td>13</td>
  1391. <td>13</td>
  1392. <td>6</td>
  1393. <td>7</td>
  1394. <td>42</td>
  1395. <td>9</td>
  1396. <td>10</td>
  1397. <td>11</td>
  1398. </tr>
  1399. <tr>
  1400. <td>0</td>
  1401. <td>6</td>
  1402. <td>92</td>
  1403. <td>5</td>
  1404. <td>1.5</td>
  1405. <td>1.3</td>
  1406. <td>0</td>
  1407. <td>0</td>
  1408. <td>15</td>
  1409. <td>—</td>
  1410. <td>—</td>
  1411. </tr>
  1412. <tr>
  1413. <td>dict_a0!</td>
  1414. <td>5</td>
  1415. <td>44</td>
  1416. <td>16</td>
  1417. <td>10</td>
  1418. <td>8</td>
  1419. <td>5</td>
  1420. <td>17</td>
  1421. <td>9</td>
  1422. <td>9</td>
  1423. <td>10</td>
  1424. </tr>
  1425. <tr>
  1426. <td>dict_a</td>
  1427. <td>4</td>
  1428. <td>69</td>
  1429. <td>12</td>
  1430. <td>6</td>
  1431. <td>4</td>
  1432. <td>2</td>
  1433. <td>6</td>
  1434. <td>11</td>
  1435. <td>12</td>
  1436. <td>13</td>
  1437. </tr>
  1438. <tr>
  1439. <td>a0!</td>
  1440. <td>2</td>
  1441. <td>31</td>
  1442. <td>19</td>
  1443. <td>13</td>
  1444. <td>9</td>
  1445. <td>5</td>
  1446. <td>23</td>
  1447. <td>9</td>
  1448. <td>9</td>
  1449. <td>10</td>
  1450. </tr>
  1451. <tr>
  1452. <td>a</td>
  1453. <td>1.2</td>
  1454. <td>76</td>
  1455. <td>7</td>
  1456. <td>6</td>
  1457. <td>3</td>
  1458. <td>3</td>
  1459. <td>6</td>
  1460. <td>11</td>
  1461. <td>12</td>
  1462. <td>13</td>
  1463. </tr>
  1464. <tr>
  1465. <td>dict_aA</td>
  1466. <td>1.2</td>
  1467. <td>56</td>
  1468. <td>15</td>
  1469. <td>8</td>
  1470. <td>6</td>
  1471. <td>3</td>
  1472. <td>11</td>
  1473. <td>9</td>
  1474. <td>10</td>
  1475. <td>10</td>
  1476. </tr>
  1477. <tr>
  1478. <td>dict_a!</td>
  1479. <td>0.8</td>
  1480. <td>38</td>
  1481. <td>16</td>
  1482. <td>10</td>
  1483. <td>8</td>
  1484. <td>5</td>
  1485. <td>23</td>
  1486. <td>8</td>
  1487. <td>9</td>
  1488. <td>10</td>
  1489. </tr>
  1490. <tr>
  1491. <td>aA</td>
  1492. <td>0.7</td>
  1493. <td>26</td>
  1494. <td>10</td>
  1495. <td>28</td>
  1496. <td>7</td>
  1497. <td>2</td>
  1498. <td>27</td>
  1499. <td>9</td>
  1500. <td>10</td>
  1501. <td>10</td>
  1502. </tr>
  1503. <tr>
  1504. <td>dict_aA!</td>
  1505. <td>0.5</td>
  1506. <td>31</td>
  1507. <td>17</td>
  1508. <td>11</td>
  1509. <td>10</td>
  1510. <td>6</td>
  1511. <td>26</td>
  1512. <td>8</td>
  1513. <td>9</td>
  1514. <td>9</td>
  1515. </tr>
  1516. <tr>
  1517. <td>0!</td>
  1518. <td>0.4</td>
  1519. <td>53</td>
  1520. <td>15</td>
  1521. <td>8</td>
  1522. <td>7</td>
  1523. <td>5</td>
  1524. <td>13</td>
  1525. <td>9</td>
  1526. <td>10</td>
  1527. <td>11</td>
  1528. </tr>
  1529. <tr>
  1530. <td>dict_only</td>
  1531. <td>0.2</td>
  1532. <td>99.99</td>
  1533. <td>0.01</td>
  1534. <td>0.0002</td>
  1535. <td>0.0002</td>
  1536. <td>0</td>
  1537. <td>0</td>
  1538. <td>18</td>
  1539. <td>—</td>
  1540. <td>—</td>
  1541. </tr>
  1542. <tr>
  1543. <td>dict_0</td>
  1544. <td>0.2</td>
  1545. <td>89</td>
  1546. <td>6</td>
  1547. <td>2</td>
  1548. <td>2</td>
  1549. <td>0</td>
  1550. <td>0</td>
  1551. <td>15</td>
  1552. <td>—</td>
  1553. <td>—</td>
  1554. </tr>
  1555. <tr>
  1556. <td>aA!</td>
  1557. <td>0.2</td>
  1558. <td>11</td>
  1559. <td>8</td>
  1560. <td>10</td>
  1561. <td>16</td>
  1562. <td>3</td>
  1563. <td>52</td>
  1564. <td>8</td>
  1565. <td>9</td>
  1566. <td>9</td>
  1567. </tr>
  1568. <tr>
  1569. <td>a!</td>
  1570. <td>0.1</td>
  1571. <td>35</td>
  1572. <td>16</td>
  1573. <td>10</td>
  1574. <td>9</td>
  1575. <td>5</td>
  1576. <td>25</td>
  1577. <td>8</td>
  1578. <td>9</td>
  1579. <td>10</td>
  1580. </tr>
  1581. <tr>
  1582. <td>dict_0!</td>
  1583. <td>0.06</td>
  1584. <td>52</td>
  1585. <td>13</td>
  1586. <td>7</td>
  1587. <td>6</td>
  1588. <td>4</td>
  1589. <td>17</td>
  1590. <td>9</td>
  1591. <td>10</td>
  1592. <td>11</td>
  1593. </tr>
  1594. <tr>
  1595. <td>!</td>
  1596. <td>0.006</td>
  1597. <td>50</td>
  1598. <td>10</td>
  1599. <td>6</td>
  1600. <td>8</td>
  1601. <td>4</td>
  1602. <td>20</td>
  1603. <td>8</td>
  1604. <td>9</td>
  1605. <td>10</td>
  1606. </tr>
  1607. </tbody>
  1608. </table>
  1609. <p>The majority (57%) of the passwords reviewed contained a dictionary word, which significantly reduced their strength. Half of these can be cracked in less than a minute, and 67% within one hour. Only 12% of dictionary passwords are strong enough and take more than a year to guess. Even when using all recommended character types (uppercase and lowercase letters, digits and special characters), only 20% of these passwords proved resistant to brute-forcing.</p>
  1610. <p>It is possible to distinguish several groups among the most popular dictionary sequences found in passwords.</p>
  1611. <ul>
  1612. <li>Names: &#8220;ahmed&#8221;, &#8220;nguyen&#8221;, &#8220;kumar&#8221;, &#8220;kevin&#8221;, &#8220;daniel&#8221;;</li>
  1613. <li>Popular words: &#8220;forever&#8221;, &#8220;love&#8221;, &#8220;google&#8221;, &#8220;hacker&#8221;, &#8220;gamer&#8221;;</li>
  1614. <li>Standard passwords: &#8220;password&#8221;, &#8220;qwerty12345&#8221;, &#8220;admin&#8221;, &#8220;12345&#8221;, &#8220;team&#8221;.</li>
  1615. </ul>
  1616. <p>Non-dictionary passwords comprised 43% of the sample. Some were weak, such as those consisting of same-case letters and digits (10%) or digits only (6%). However, adding all recommended character types (the aA0! pattern) makes 76% of these passwords strong enough.</p>
  1617. <h2 id="takeaways">Takeaways</h2>
  1618. <p>Modern GPUs are capable of cracking user passwords at a tremendous speed. The simplest brute-force algorithm can crack any password up to eight characters long within less than a day. Smart hacking algorithms can quickly guess even long passwords. These use dictionaries, consider character substitution (&#8220;e&#8221; to &#8220;3&#8221;, &#8220;1&#8221; to &#8220;!&#8221; or &#8220;a&#8221; to &#8220;@&#8221;) and popular combinations (&#8220;qwerty&#8221;, &#8220;12345&#8221;, &#8220;asdfg&#8221;).</p>
  1619. <p>This study lets us draw the following conclusions about password strength:</p>
  1620. <ul>
  1621. <li>Many user passwords are not strong enough: 59% can be guessed within one hour.</li>
  1622. <li>Using meaningful words, names and standard character combinations significantly reduces the time it takes to guess the password.</li>
  1623. <li>The least secure password is one that consists entirely of digits or words.</li>
  1624. </ul>
  1625. <p>To protect your accounts from hacking:</p>
  1626. <ul>
  1627. <li>Remember that the best password is a random, computer-generated one. Many <a href="https://www.kaspersky.com/password-manager" target="_blank" rel="noopener">password managers</a> are capable of generating passwords.</li>
  1628. <li>Use <a href="https://www.kaspersky.com/blog/kaspersky-international-password-day-2024/51095/" target="_blank" rel="noopener">mnemonic</a>, rather than meaningful, phrases.</li>
<li>Check your password for resistance to hacking. You can do this with the help of <a href="https://password.kaspersky.com/" target="_blank" rel="noopener">Password Checker</a>, <a href="https://www.kaspersky.com/password-manager" target="_blank" rel="noopener">Kaspersky Password Manager</a> or <a href="https://lowe.github.io/tryzxcvbn/" target="_blank" rel="noopener">zxcvbn</a>.</li>
  1630. <li>Make sure your passwords are not contained in any leaked databases by going to <a href="https://haveibeenpwned.com/" target="_blank" rel="noopener">haveibeenpwned</a>. Use <a href="https://www.kaspersky.com/premium" target="_blank" rel="noopener">security solutions</a> that alert users about password leaks.</li>
  1631. <li>Avoid using the same password for multiple websites. If your passwords are unique, cracking one of them would cause less damage.</li>
  1632. </ul>
  1633. ]]></content:encoded>
  1634. <wfw:commentRss>https://securelist.com/password-brute-force-time/112984/feed/</wfw:commentRss>
  1635. <slash:comments>3</slash:comments>
  1636. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/18101514/sl-abstract-speedometer-1200x576-1.jpg" width="1200" height="576"><media:keywords>full</media:keywords></media:content>
  1637. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/18101514/sl-abstract-speedometer-1200x576-1-1024x492.jpg" width="1024" height="492"><media:keywords>large</media:keywords></media:content>
  1638. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/18101514/sl-abstract-speedometer-1200x576-1-300x144.jpg" width="300" height="144"><media:keywords>medium</media:keywords></media:content>
  1639. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/18101514/sl-abstract-speedometer-1200x576-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1640. </item>
  1641. <item>
  1642. <title>Cinterion EHS5 3G UMTS/HSPA Module Research</title>
  1643. <link>https://securelist.com/telit-cinterion-modem-vulnerabilities/112915/</link>
  1644. <comments>https://securelist.com/telit-cinterion-modem-vulnerabilities/112915/#respond</comments>
  1645. <dc:creator><![CDATA[Kaspersky ICS CERT]]></dc:creator>
  1646. <pubDate>Thu, 13 Jun 2024 10:00:22 +0000</pubDate>
  1647. <category><![CDATA[Research]]></category>
  1648. <category><![CDATA[automotive security]]></category>
  1649. <category><![CDATA[Connected car]]></category>
  1650. <category><![CDATA[Industrial threats]]></category>
  1651. <category><![CDATA[Java]]></category>
  1652. <category><![CDATA[Modem]]></category>
  1653. <category><![CDATA[Security assessment]]></category>
  1654. <category><![CDATA[SMS]]></category>
  1655. <category><![CDATA[Vulnerabilities]]></category>
  1656. <category><![CDATA[Industrial threats]]></category>
  1657. <category><![CDATA[Vulnerabilities and exploits]]></category>
  1658. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112915</guid>
  1659.  
  1660. <description><![CDATA[We performed a security analysis of a Telit Cinterion modem in the course of a larger project assessing the security of a popular truck model, and found eight vulnerabilities.]]></description>
  1661. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/13095638/sl-abstract-blue-chip-1200x753-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Modems play an important role in enabling connectivity for a wide range of devices. This includes not only traditional mobile devices and household appliances, but also telecommunication systems in vehicles, ATMs and Automated Process Control Systems (APCS).</p>
  1662. <p>When integrating a modem, many product developers do not consider protecting their device from a potential modem compromise. As one of the main communication channels of the end device, the modem not only has access to the information flow between the device and the outside world, but may also have almost unlimited access to the most critical systems and resources of the end device. Modem security is therefore a significant concern.</p>
  1663. <p>To make the problem worse, when a critical vulnerability is discovered in just one modem model and version, significant time may be required to update all the devices in which it is installed. Some of them may not even have a remote modem update feature at all, such as a car&#8217;s Telematic Control Unit (TCU). In such cases, installing the update typically requires additional effort and expense from the manufacturer of the end product to manually address each vulnerable device or vehicle.</p>
  1664. <p>For this reason, a particular modem manufactured by Telit Cinterion caught our interest. We decided to perform a security analysis of the modem in the course of a larger project analyzing the security of a popular truck model. When we began our assessment, the only known registered vulnerability was <a href="https://www.cve.org/CVERecord?id=CVE-2020-15858" target="_blank" rel="noopener">CVE-2020-15858</a>, which is described in greater detail <a href="https://threatpost.com/flaw-affecting-millions-iot-devices/158472/" target="_blank" rel="noopener">elsewhere</a>.</p>
  1665. <p>The study focused on the EHS5-E series modem, originally manufactured by Thales before the business unit was acquired by Telit. Several modem models from this vendor share similar software and hardware architectures. Therefore, the findings of this study apply to devices across multiple model series:</p>
  1666. <ul>
  1667. <li>Cinterion BGS5;</li>
  1668. <li>Cinterion EHS5/6/7;</li>
  1669. <li>Cinterion PDS5/6/8;</li>
  1670. <li>Cinterion ELS61/81;</li>
  1671. <li>Cinterion PLS62.</li>
  1672. </ul>
  1673. <h2 id="modem-software-components">Modem software components</h2>
  1674. <p>According to the software model, the modem consists of four software components:</p>
  1675. <ul>
  1676. <li>Firmware (FW);</li>
  1677. <li>Application (App);</li>
  1678. <li>Java Remote Control (JRC);</li>
  1679. <li>Service LWM2M Agent (SLAE).</li>
  1680. </ul>
  1681. <p>The modem comes along with an SDK for creating software components that execute business logic, known as MIDlets. The firmware (FW) and application (App) components form part of the modem&#8217;s low-level code, which includes the operating system and the execution environment for the MIDlets. A MIDlet is a Java application supported by a specialized subsystem, Java ME (Micro Edition), which features a limited set of Java commands. The JRC and SLAE components are special MIDlets developed by the manufacturer.</p>
  1682. <p>It is possible to install MIDlets and to configure the security settings for their execution. The following security mechanisms are used for MIDlets:</p>
  1683. <ul>
  1684. <li>Java bytecode checks during installation (always enabled);</li>
  1685. <li>MIDlet digital signatures (configured by the end product developer).</li>
  1686. </ul>
  1687. <p>By default, only the manufacturer&#8217;s certificate is installed on the modem to validate MIDlets with manufacturer-level execution privileges. Installing and configuring certificates for custom MIDlets is the responsibility of the end product developer. This is described in more detail in the EHSx Java User&#8217;s Guide.</p>
  1688. <h2 id="types-of-midlets">Types of MIDlets</h2>
  1689. <p>Based on our analysis, all MIDlets on the modem can be divided into two categories by their privilege level:</p>
  1690. <ul>
  1691. <li>Manufacturer MIDlets;</li>
  1692. <li>User MIDlets (signed / unsigned).</li>
  1693. </ul>
  1694. <p>Only the JRC and SLAE MIDlets initially belong to the manufacturer level. They have the highest privileges without any code execution restrictions at the Java level.</p>
  1695. <p>The second category of privileges is granted to user MIDlets. Their functionality is restricted in relation to file system (FS) operations, GSM module operations, etc. For example, a user MIDlet cannot read the entire modem FS, but the JRC module can.</p>
  1696. <p>If a user certificate is installed, only a signed user MIDlet with User Signed privileges will be executed on the modem. In other words, User Signed MIDlets are only used to protect the modem from executing a MIDlet from an illegitimate user, such as an attacker or security researcher.</p>
  1697. <h2 id="midlet-installation">MIDlet installation</h2>
  1698. <p>MIDlets can be installed both locally and remotely. Local installation of MIDlets is done through the JRC component. Remote installation is possible via a special OTAP mechanism, or in M2M scenarios, via the SLAE component.</p>
  1699. <p>Using the modem in an M2M scenario involves creating a personal user account on the manufacturer&#8217;s website. This personal account allows the user to perform standard actions with MIDlets on all paired devices, such as installing and uninstalling MIDlets. In our study, we did not analyze the mechanisms of remote M2M installation of MIDlets.</p>
  1700. <h3 id="local-installation-via-mes">Local installation via MES</h3>
  1701. <p>Local installation is performed via the MES (Module Exchange Suite) communication protocol and special AT commands. The interface itself and AT command processing are implemented in the JRC component. The MES protocol enables interaction with the modem&#8217;s user FS (hereinafter referred to as the &#8220;UFS&#8221;), including writing to or deleting files from the UFS.</p>
  1702. <p>Upon installing the driver provided with the SDK, the content of the modem&#8217;s UFS, which is mounted at the path &#8216;///a:/&#8217;, becomes accessible. The driver functions as a user add-on over the MES protocol. Although MES formally supports working with path values other than &#8216;///a:/&#8217;, no other internal paths are known, and attempts to read paths starting with a different root result in an error. This is due to the filtering of query parameters in MES, which ensures that everything not belonging to the &#8216;a://&#8217; root returns an error, even though the UFS has several valid roots.</p>
  1703. <p>Local installation of MIDlets is performed in two steps. First, the MIDlet files (.jar and .jad) must be copied to the modem UFS. Next, the MIDlet is installed on the modem using the <em>AT^SJAM=0</em> AT command. During the execution of this command, the MIDlet files are copied to a part of the modem FS that is inaccessible to the user and are then removed from the UFS. The path to which MIDlets are copied during installation is unknown. This helps ensure the confidentiality of both user and manufacturer MIDlets. An installed MIDlet is launched from its new location in the modem FS. A list of all installed MIDlets can also be extracted using the <em>AT^SJAM</em> command. The image below shows an example of the output of this command.</p>
  1704. <div id="attachment_112938" style="width: 993px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112938" class="size-full wp-image-112938" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01.png" alt="Example output of the AT^SJAM command" width="983" height="62" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01.png 983w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01-300x19.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01-768x48.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01-740x47.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11151956/Telit_vulnerabilities_01-800x50.png 800w" sizes="(max-width: 983px) 100vw, 983px" /></a><p id="caption-attachment-112938" class="wp-caption-text">Example output of the AT^SJAM command</p></div>
  1705. <p>The modem documentation states that the <em>javax.microedition.io.file.File.FileConnection</em> connector used to work with the FS filters requests to files with the .jar extension.</p>
  1706. <div id="attachment_112940" style="width: 983px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112940" class="size-full wp-image-112940" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02.png" alt="Snippet from the Cinterion documentation" width="973" height="107" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02.png 973w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02-300x33.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02-768x84.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02-740x81.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152214/Telit_vulnerabilities_02-800x88.png 800w" sizes="(max-width: 973px) 100vw, 973px" /></a><p id="caption-attachment-112940" class="wp-caption-text">Snippet from the Cinterion documentation</p></div>
  1707. <p>This behavior was confirmed by a simple test: trying to access files with the .jar extension produced an error.</p>
  1708. <div id="attachment_112942" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112942" class="size-full wp-image-112942" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03.png" alt="Attempting to access files with the .jar extension" width="974" height="421" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03-300x130.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03-768x332.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03-810x350.png 810w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03-740x320.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03-648x280.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152251/Telit_vulnerabilities_03-800x346.png 800w" sizes="(max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-112942" class="wp-caption-text">Attempting to access files with the .jar extension</p></div>
  1709. <h3 id="remote-installation-via-otap">Remote installation via OTAP</h3>
  1710. <p>In the OTAP protocol, data is transmitted using SMS messages that have special values for the Class and PID fields.</p>
  1711. <div id="attachment_112943" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112943" class="size-full wp-image-112943" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04.png" alt="Data transfer in OTAP protocol" width="974" height="437" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04-300x135.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04-768x345.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04-780x350.png 780w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04-740x332.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04-624x280.png 624w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152400/Telit_vulnerabilities_04-800x359.png 800w" sizes="(max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-112943" class="wp-caption-text">Data transfer in OTAP protocol</p></div>
  1712. <p>OTAP messages are ASCII text contained within the SMS message body. An example of such a message is shown below.</p>
  1713. <div id="attachment_112944" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112944" class="size-full wp-image-112944" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05.png" alt="Example of an OTAP message" width="974" height="227" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05-300x70.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05-768x179.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05-740x172.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152518/Telit_vulnerabilities_05-800x186.png 800w" sizes="(max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-112944" class="wp-caption-text">Example of an OTAP message</p></div>
  1714. <p>OTAP support is provided by the App and JRC components. The process of installing and updating user MIDlets via OTAP requires prior activation of OTAP by the user on the modem. The user may specify additional attributes that will be used for OTAP: JAD File URL, HTTP User, HTTP Password, etc. The process of updating via OTAP is described in detail in the EHSx Java User&#8217;s Guide.</p>
  1715. <p>If OTAP has not been activated beforehand by executing the <em>AT^SJOTAP</em> command, the received message is not processed. Activation involves creating a special OTAP settings file, <em>OTAP_AtParams.bin</em>, in the UFS.</p>
  1716. <div id="attachment_112945" style="width: 984px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112945" class="size-full wp-image-112945" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06.png" alt="OTAP activation check" width="974" height="543" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06.png 974w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-300x167.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-768x428.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-270x150.png 270w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-628x350.png 628w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-740x413.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-502x280.png 502w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152556/Telit_vulnerabilities_06-800x446.png 800w" sizes="(max-width: 974px) 100vw, 974px" /></a><p id="caption-attachment-112945" class="wp-caption-text">OTAP activation check</p></div>
  1717. <p>Part of the contents of the file created during our tests is shown below.</p>
  1718. <div id="attachment_112946" style="width: 1001px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112946" class="size-full wp-image-112946" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07.png" alt="Example of OTAP_AtParams.bin file contents" width="991" height="307" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07.png 991w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07-300x93.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07-768x238.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07-740x229.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07-904x280.png 904w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152626/Telit_vulnerabilities_07-800x248.png 800w" sizes="(max-width: 991px) 100vw, 991px" /></a><p id="caption-attachment-112946" class="wp-caption-text">Example of OTAP_AtParams.bin file contents</p></div>
  1719. <h2 id="debugging-midlets-and-modem-execution">Debugging MIDlets and modem execution</h2>
  1720. <p>According to the modem&#8217;s official documentation, several interfaces are available to interact with the modem, as shown below.</p>
  1721. <div id="attachment_112947" style="width: 638px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112947" class="size-full wp-image-112947" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08.png" alt="Available modem interfaces" width="628" height="614" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08.png 628w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08-300x293.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08-358x350.png 358w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08-286x280.png 286w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152706/Telit_vulnerabilities_08-50x50.png 50w" sizes="(max-width: 628px) 100vw, 628px" /></a><p id="caption-attachment-112947" class="wp-caption-text">Available modem interfaces</p></div>
  1722. <p>From a security researcher&#8217;s perspective, a few of the hardware interfaces listed above are of special interest, specifically ASC0/ASC1 and USB, since they can be used to transmit data between the modem and a host (e.g. a PC) through the UART protocol. In the case of USB, the UART interface is emulated.</p>
  1723. <p>According to the vendor&#8217;s documentation, the UART can be used to communicate with the modem via the AT command interface or to perform step-by-step debugging of a MIDlet running on the modem. This is done using the MIDlet debugging subsystem. Interaction with the modem in debug mode takes place through a special PPP connection (dial-up modem emulation). The debugging mechanism is described in detail in the manufacturer&#8217;s documentation. Besides the emulated UART interface, the USB interface exposes additional functions, such as the MES interface, which can be used to access the modem&#8217;s User File System (UFS) through standard Windows OS mechanisms.</p>
  1724. <p>In addition to debugging MIDlets, the modem allows collection of the trace logs of its subsystems, including MIDlets. The <em>AT+TRACE</em> command determines what gets included in the output. An example of a command to enable output of debugging information on the modem is shown below.</p><pre class="crayon-plain-tag">AT+TRACE=,115200,"st=0,pr=1,bt=0,ap=1,db=1,lt=0,li=0"</pre><p>
  1725. The command parameters determine which modem subsystems to collect information from. The list of subsystems from which debugging information can be collected is available in the detailed help for this AT command.</p>
  1726. <div id="attachment_112948" style="width: 638px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152750/Telit_vulnerabilities_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112948" class="size-full wp-image-112948" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152750/Telit_vulnerabilities_09.png" alt="Detailed help output of the AT+TRACE command" width="628" height="684" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152750/Telit_vulnerabilities_09.png 628w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152750/Telit_vulnerabilities_09-275x300.png 275w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152750/Telit_vulnerabilities_09-321x350.png 321w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152750/Telit_vulnerabilities_09-257x280.png 257w" sizes="(max-width: 628px) 100vw, 628px" /></a><p id="caption-attachment-112948" class="wp-caption-text">Detailed help output of the AT+TRACE command</p></div>
  1727. <h2 id="obtaining-the-modem-firmware">Obtaining the modem firmware</h2>
  1728. <p>We focused on analyzing both MIDlet and OS security. To achieve this, we developed a research device based on a custom printed circuit board.</p>
  1729. <div id="attachment_112949" style="width: 658px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152857/Telit_vulnerabilities_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112949" class="size-full wp-image-112949" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152857/Telit_vulnerabilities_10.png" alt="Research device" width="648" height="356" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152857/Telit_vulnerabilities_10.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152857/Telit_vulnerabilities_10-300x165.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152857/Telit_vulnerabilities_10-637x350.png 637w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152857/Telit_vulnerabilities_10-510x280.png 510w" sizes="(max-width: 648px) 100vw, 648px" /></a><p id="caption-attachment-112949" class="wp-caption-text">Research device</p></div>
  1730. <p>After analyzing the modem&#8217;s hardware components, we identified a NAND memory chip that contains the modem firmware. The firmware was extracted from the chip using the ChipProg universal programmer.</p>
  1731. <div id="attachment_112950" style="width: 642px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152926/Telit_vulnerabilities_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112950" class="size-full wp-image-112950" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152926/Telit_vulnerabilities_11.png" alt="Hardware components of the modem" width="632" height="356" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152926/Telit_vulnerabilities_11.png 632w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152926/Telit_vulnerabilities_11-300x169.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152926/Telit_vulnerabilities_11-621x350.png 621w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11152926/Telit_vulnerabilities_11-497x280.png 497w" sizes="(max-width: 632px) 100vw, 632px" /></a><p id="caption-attachment-112950" class="wp-caption-text">Hardware components of the modem</p></div>
  1732. <p>There is an additional challenge involved in extracting meaningful data from NAND memory due to its physical structure and wear-leveling algorithms. The data is stored together with the &#8220;Spare Area&#8221; – special blocks containing error correction codes and other auxiliary information. In addition, a bitwise XOR with a special gamma function may be applied to data to ensure even wear of the memory cells. Refer to the <a href="https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Cinterion-EHS5-whitepaper-En.pdf" target="_blank" rel="noopener">full version of the whitepaper (PDF, 9 MB)</a> for the details regarding the process of reconstructing the NAND flash image.</p>
  1733. <p>Thanks to the NAND reconstruction, we were able to identify the UFS and examine its contents. We also succeeded in finding the binary images corresponding to the FW and App software components.</p>
  1734. <div id="attachment_112951" style="width: 979px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112951" class="size-full wp-image-112951" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12.png" alt="FAT FS" width="969" height="256" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12.png 969w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12-300x79.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12-768x203.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12-740x196.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153016/Telit_vulnerabilities_12-800x211.png 800w" sizes="(max-width: 969px) 100vw, 969px" /></a><p id="caption-attachment-112951" class="wp-caption-text">FAT FS</p></div>
  1735. <h2 id="analyzing-the-ufs-contents">Analyzing the UFS contents</h2>
  1736. <p>After reviewing the contents of the UFS, we found that it contained files and folders hidden from the user and inaccessible through the MES interface, namely <span style="font-size: 80%">.cinterion.internal</span> and <span style="font-size: 80%">.cinterion.service</span>. Access to them was restricted directly in the JRC MIDlet code, filtered by their name prefix. A code snippet from the JRC module that filters access to these folders is shown below.</p>
  1737. <div id="attachment_112952" style="width: 516px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153045/Telit_vulnerabilities_13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112952" class="size-full wp-image-112952" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153045/Telit_vulnerabilities_13.png" alt="Example code from the JRC module" width="506" height="108" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153045/Telit_vulnerabilities_13.png 506w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153045/Telit_vulnerabilities_13-300x64.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153045/Telit_vulnerabilities_13-500x108.png 500w" sizes="(max-width: 506px) 100vw, 506px" /></a><p id="caption-attachment-112952" class="wp-caption-text">Example code from the JRC module</p></div>
  1738. <p>By further examining the contents of these hidden directories, we determined that all MIDlets (both of user and manufacturer categories) are stored at <span style="font-size: 80%">/sys/.cinterion.internal/java</span>. Each MIDlet is stored as a set of four files with <em>.ss</em>, <em>.ii</em>, <em>.ap</em> and <em>.jar</em> extensions.</p>
  1739. <p>After analyzing the contents of the folder containing installed MIDlets, we determined that each MIDlet is renamed during the installation process. To allow the user to run MIDlets by their name, the system keeps the mapping between the original name of the MIDlet and its alias in a simple database stored in the <span style="font-size: 80%">_suites.dat</span> file. For example, by analyzing the binary contents of this file, it is clear that the file named <span style="font-size: 80%">00000003.jar</span> is actually <span style="font-size: 80%">JRC.jar</span>.</p>
  1740. <div id="attachment_112953" style="width: 548px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153118/Telit_vulnerabilities_14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112953" class="size-full wp-image-112953" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153118/Telit_vulnerabilities_14.png" alt="Contents of the binary file _suites.dat" width="538" height="478" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153118/Telit_vulnerabilities_14.png 538w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153118/Telit_vulnerabilities_14-300x267.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153118/Telit_vulnerabilities_14-394x350.png 394w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153118/Telit_vulnerabilities_14-315x280.png 315w" sizes="(max-width: 538px) 100vw, 538px" /></a><p id="caption-attachment-112953" class="wp-caption-text">Contents of the binary file _suites.dat</p></div>
  1741. <p>The <em>.ap</em> file is a Unicode-converted <em>.jad</em> file. This file contains information about the original name of the MIDlet and the libraries that were used. It may also contain the MIDlet&#8217;s digital signature. An example of such a file for a JRC MIDlet is shown below.</p>
  1742. <div id="attachment_112954" style="width: 448px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153148/Telit_vulnerabilities_15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112954" class="size-full wp-image-112954" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153148/Telit_vulnerabilities_15.png" alt="Contents of the .ap file for the JRC MIDlet" width="438" height="204" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153148/Telit_vulnerabilities_15.png 438w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153148/Telit_vulnerabilities_15-300x140.png 300w" sizes="(max-width: 438px) 100vw, 438px" /></a><p id="caption-attachment-112954" class="wp-caption-text">Contents of the .ap file for the JRC MIDlet</p></div>
  1743. <p>The <em>.ii</em> file contains information about the MIDlet installation path, the permissions assigned during installation, and other information.</p>
  1744. <div id="attachment_112955" style="width: 582px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153224/Telit_vulnerabilities_16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112955" class="size-full wp-image-112955" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153224/Telit_vulnerabilities_16.png" alt="Contents of a file with the .ii extension" width="572" height="298" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153224/Telit_vulnerabilities_16.png 572w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153224/Telit_vulnerabilities_16-300x156.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153224/Telit_vulnerabilities_16-537x280.png 537w" sizes="(max-width: 572px) 100vw, 572px" /></a><p id="caption-attachment-112955" class="wp-caption-text">Contents of a file with the .ii extension</p></div>
  1745. <p>Finally, the <em>.ss</em> file contains a description of the Java-level permissions available to this MIDlet. An example of the JRC vendor MIDlet permissions description is shown below.</p>
  1746. <div id="attachment_112956" style="width: 584px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153249/Telit_vulnerabilities_17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112956" class="size-full wp-image-112956" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153249/Telit_vulnerabilities_17.png" alt="Example of a JRC vendor MIDlet permissions description" width="574" height="56" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153249/Telit_vulnerabilities_17.png 574w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153249/Telit_vulnerabilities_17-300x29.png 300w" sizes="(max-width: 574px) 100vw, 574px" /></a><p id="caption-attachment-112956" class="wp-caption-text">Example of a JRC vendor MIDlet permissions description</p></div>
  1747. <p>It is important to note that this permission set gives unrestricted access to the Java virtual machine&#8217;s system classes. The example shown corresponds to the manufacturer level of privileges. Only two MIDlets have such permissions: JRC and SLAE. Any user MIDlet must list in its manifest the classes and methods it needs to access at runtime. Part of the manifest for our test MIDlet is shown below.</p>
  1748. <div id="attachment_112957" style="width: 492px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153320/Telit_vulnerabilities_18.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112957" class="size-full wp-image-112957" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153320/Telit_vulnerabilities_18.png" alt="Example manifest for our test MIDlet" width="482" height="286" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153320/Telit_vulnerabilities_18.png 482w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153320/Telit_vulnerabilities_18-300x178.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153320/Telit_vulnerabilities_18-472x280.png 472w" sizes="(max-width: 482px) 100vw, 482px" /></a><p id="caption-attachment-112957" class="wp-caption-text">Example manifest for our test MIDlet</p></div>
  1749. <h2 id="changing-the-security-domain-of-a-user-midlet">Changing the security domain of a user MIDlet</h2>
  1750. <p>As mentioned earlier, each installed MIDlet is stored in the modem FS as a set of four files under the path <span style="font-size: 80%">/sys/.cinterion.internal/java</span>. When a MIDlet is started, its security domain is checked using the <em>.ii</em> file. Then, depending on the specified domain, access rights are assigned based on the <em>.ss</em> file. Importantly, the digital signature is not verified when a MIDlet that has the manufacturer-level security domain is launched.</p>
  1751. <p>Since any user MIDlet can use the aforementioned <em>javax.microedition.io.file.FileConnection</em> Java class, the MIDlet&#8217;s security permissions and security level can be escalated. A user MIDlet can replace its own <em>.ii</em> and <em>.ss</em> files so that it will start executing in the manufacturer security domain.</p>
  1752. <div id="attachment_112958" style="width: 406px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153352/Telit_vulnerabilities_19.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112958" class="size-full wp-image-112958" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153352/Telit_vulnerabilities_19.png" alt="Running our MIDlet for the first time" width="396" height="244" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153352/Telit_vulnerabilities_19.png 396w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153352/Telit_vulnerabilities_19-300x185.png 300w" sizes="(max-width: 396px) 100vw, 396px" /></a><p id="caption-attachment-112958" class="wp-caption-text">Running our MIDlet for the first time</p></div>
  1753. <div id="attachment_112959" style="width: 412px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153417/Telit_vulnerabilities_20.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112959" class="size-full wp-image-112959" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153417/Telit_vulnerabilities_20.png" alt="Running our MIDlet for the second time" width="402" height="192" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153417/Telit_vulnerabilities_20.png 402w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153417/Telit_vulnerabilities_20-300x143.png 300w" sizes="(max-width: 402px) 100vw, 402px" /></a><p id="caption-attachment-112959" class="wp-caption-text">Running our MIDlet for the second time</p></div>
  1754. <h2 id="ulp-protocol-analysis">ULP protocol analysis</h2>
  1755. <p>In addition to the ability to remotely provision and control MIDlets via SMS messages using the OTAP protocol, the modem offers a geopositioning feature based on the <a href="https://www.openmobilealliance.org/release/SUPL/V2_0-20120417-A/OMA-AD-SUPL-V2_0-20120417-A.pdf" target="_blank" rel="noopener">SUPL (Secure User Plane Location) subsystem</a>. This subsystem implements the SUPL specification, which defines the exchange of special messages between the H-SLP (Home SUPL Location Platform) and the SET (SUPL Enabled Terminal). Under the specification, the modem itself is a SET. An example of such an exchange is shown below.</p>
  1756. <div id="attachment_112960" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112960" class="size-large wp-image-112960" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-1024x721.png" alt="Interaction via the ULP protocol" width="1024" height="721" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-1024x721.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-300x211.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-768x541.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-497x350.png 497w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-740x521.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-397x280.png 397w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21-800x564.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153451/Telit_vulnerabilities_21.png 1093w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112960" class="wp-caption-text">Interaction via the ULP protocol</p></div>
  1757. <p>Messages are exchanged using the ULP (User-plane Location Protocol) binary protocol. In this protocol, data is transmitted in the GSM network via PUSH messages using the WAP protocol stack. A typical ULP message is illustrated by the SUPL INIT message.</p>
  1758. <div id="attachment_112962" style="width: 330px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153519/Telit_vulnerabilities_22.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112962" class="size-full wp-image-112962" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153519/Telit_vulnerabilities_22.png" alt="SUPL INIT message" width="320" height="446" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153519/Telit_vulnerabilities_22.png 320w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153519/Telit_vulnerabilities_22-215x300.png 215w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153519/Telit_vulnerabilities_22-251x350.png 251w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153519/Telit_vulnerabilities_22-201x280.png 201w" sizes="(max-width: 320px) 100vw, 320px" /></a><p id="caption-attachment-112962" class="wp-caption-text">SUPL INIT message</p></div>
  1759. <p>The ULP protocol supports fragmentation of the transmitted message, which allows large binary messages to be carried via SMS at the PUSH layer of WSP messages. On the SET side, the WSP protocol provides indexing for the fragmented SMS transmission. The first SUPL message carries the total size of the message to be received, whereas subsequent messages carry the data fragments to be concatenated. An example of the structure of these SMS messages is shown below.</p>
  1760. <div id="attachment_112964" style="width: 682px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153547/Telit_vulnerabilities_23.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112964" class="size-full wp-image-112964" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153547/Telit_vulnerabilities_23.png" alt="Example of the first SMS message" width="672" height="342" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153547/Telit_vulnerabilities_23.png 672w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153547/Telit_vulnerabilities_23-300x153.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153547/Telit_vulnerabilities_23-550x280.png 550w" sizes="(max-width: 672px) 100vw, 672px" /></a><p id="caption-attachment-112964" class="wp-caption-text">Example of the first SMS message</p></div>
  1761. <div id="attachment_112965" style="width: 688px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153610/Telit_vulnerabilities_24.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112965" class="size-full wp-image-112965" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153610/Telit_vulnerabilities_24.png" alt="Example of subsequent SMS messages" width="678" height="262" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153610/Telit_vulnerabilities_24.png 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153610/Telit_vulnerabilities_24-300x116.png 300w" sizes="(max-width: 678px) 100vw, 678px" /></a><p id="caption-attachment-112965" class="wp-caption-text">Example of subsequent SMS messages</p></div>
  1762. <p>During our analysis of the driver responsible for handling ULP message fragmentation, we discovered a heap overflow vulnerability.</p>
  1763. <p>According to the transmission protocol, the <em>ULPSizeFromPacket</em> (size of the entire ULP packet) and <em>wapTpduLen</em> (size of the received WAP message) variables are calculated independently. As a result, a received WAP packet of size <em>wapTpduLen</em> is unconditionally copied into a buffer of <em>ULPSizeFromPacket</em> bytes, with no check that the former fits into the latter. This is a classic heap-based buffer overflow.</p>
  1764. <div id="attachment_112966" style="width: 818px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112966" class="size-full wp-image-112966" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25.png" alt="Heap-based buffer overflow" width="808" height="119" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25.png 808w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25-300x44.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25-768x113.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25-800x118.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153638/Telit_vulnerabilities_25-740x109.png 740w" sizes="(max-width: 808px) 100vw, 808px" /></a><p id="caption-attachment-112966" class="wp-caption-text">Heap-based buffer overflow</p></div>
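<p>The following is an added example (not the modem driver's code and not from the report's authors) of how a ULP fragment reassembler should bound its copies. It assumes the structure described above: the first fragment announces the total ULP size (<em>ULPSizeFromPacket</em>), later fragments carry data whose length (<em>wapTpduLen</em>) comes from a separate, independently parsed field. The struct, function names, the <em>ULP_MAX_SIZE</em> cap and the sample fragments are all assumptions for illustration; WSP header parsing is left out so that only the length check is shown. The defensive point is that because both lengths are attacker-supplied and independent, the copy must be bounded by the remaining room in the heap buffer rather than by the fragment's own declared length.</p>

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the vendor's driver: reassembly of a ULP message that
 * arrives as several WSP PUSH fragments over SMS, with the bounds check the
 * text says the driver lacks. All names and the size cap are assumptions. */

#define ULP_MAX_SIZE 4096u   /* assumed upper bound for one whole ULP message */

struct ulp_reasm {
    uint8_t *buf;        /* heap buffer sized from ULPSizeFromPacket */
    uint32_t total;      /* declared size of the whole ULP message */
    uint32_t received;   /* bytes accepted so far; invariant: received <= total */
};

/* Start a reassembly from the declared total size (first fragment).
 * Returns 0 on success, -1 if the size is implausible or allocation fails. */
int ulp_reasm_init(struct ulp_reasm *r, uint32_t ulp_size_from_packet)
{
    if (ulp_size_from_packet == 0 || ulp_size_from_packet > ULP_MAX_SIZE)
        return -1;
    r->buf = malloc(ulp_size_from_packet);
    if (r->buf == NULL)
        return -1;
    r->total = ulp_size_from_packet;
    r->received = 0;
    return 0;
}

/* Append one fragment. A fragment whose wapTpduLen exceeds the room left in
 * the buffer is rejected before any byte is copied; this is the check whose
 * absence turns the independent lengths into a heap overflow. */
int ulp_reasm_add(struct ulp_reasm *r, const uint8_t *tpdu, uint32_t wap_tpdu_len)
{
    if (wap_tpdu_len > r->total - r->received)   /* cannot underflow: received <= total */
        return -1;
    memcpy(r->buf + r->received, tpdu, wap_tpdu_len);
    r->received += wap_tpdu_len;
    return 0;
}

/* 1 once exactly the declared number of bytes has been received. */
int ulp_reasm_complete(const struct ulp_reasm *r)
{
    return r->received == r->total;
}

void ulp_reasm_free(struct ulp_reasm *r)
{
    free(r->buf);
    r->buf = NULL;
    r->total = r->received = 0;
}

/* Constructed input: a 6-byte message delivered as 4 + 2 bytes.
 * Returns 1 if both fragments are accepted and the message is complete. */
int demo_valid_fragments(void)
{
    static const uint8_t frag1[] = { 0x00, 0x06, 0x01, 0x02 }; /* constructed */
    static const uint8_t frag2[] = { 0x03, 0x04 };             /* constructed */
    struct ulp_reasm r;
    int ok;
    if (ulp_reasm_init(&r, 6) != 0)
        return 0;
    ok = ulp_reasm_add(&r, frag1, sizeof frag1) == 0 &&
         ulp_reasm_add(&r, frag2, sizeof frag2) == 0 &&
         ulp_reasm_complete(&r);
    ulp_reasm_free(&r);
    return ok;
}

/* Constructed input reproducing the mismatch in the text: the declared ULP
 * size is 6 bytes but a fragment claims 64. Returns 1 if the fragment is
 * rejected and nothing was written into the 6-byte buffer. */
int demo_oversize_fragment_rejected(void)
{
    uint8_t big[64];                 /* constructed: larger than the declared size */
    struct ulp_reasm r;
    int rejected;
    memset(big, 0x41, sizeof big);
    if (ulp_reasm_init(&r, 6) != 0)
        return 0;
    rejected = ulp_reasm_add(&r, big, sizeof big) == -1 && r.received == 0;
    ulp_reasm_free(&r);
    return rejected;
}
```

<p>The check in <em>ulp_reasm_add</em> compares against the remaining room (<em>total - received</em>) rather than against <em>total</em> alone, so a sequence of individually small fragments cannot overrun the buffer either; the cap in <em>ulp_reasm_init</em> additionally stops an attacker-chosen total from driving an oversized heap allocation.</p>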
  1765. <p>After crafting an appropriate SMS message, we managed to trigger the heap overflow, which caused a hard fault and rebooted the modem. To learn the cause of the reboot, we used the previously mentioned <em>AT+XLOG</em> command.</p>
  1766. <div id="attachment_112967" style="width: 648px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153943/Telit_vulnerabilities_26.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112967" class="size-full wp-image-112967" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153943/Telit_vulnerabilities_26.png" alt="Reason for the reboot" width="638" height="513" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153943/Telit_vulnerabilities_26.png 638w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153943/Telit_vulnerabilities_26-300x241.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153943/Telit_vulnerabilities_26-435x350.png 435w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11153943/Telit_vulnerabilities_26-348x280.png 348w" sizes="(max-width: 638px) 100vw, 638px" /></a><p id="caption-attachment-112967" class="wp-caption-text">Reason for the reboot</p></div>
  1767. <p>The resulting dump made clear that the R0 register contained data that we controlled. Thus, we confirmed our ability to not only overflow the heap, but also embed our data into executable code.</p>
  1768. <p>However, we had no way to obtain a memory dump at the moment of the crash. To determine whether the discovered vulnerability was serious or just another non-exploitable BoF, we had to solve the problems of reading and writing RAM, executing code, and activating OTAP. For details, please refer to the full white paper.</p>
  1769. <p>After overcoming many technical difficulties, which are described in detail in the full version of the article, we were able to launch a driver of our own on the modem OS by sending just a few specially crafted SMS messages. The driver allowed us to:</p>
  1770. <ul>
  1771. <li>Allocate memory (<em>malloc</em>);</li>
  1772. <li>Release memory (<em>free</em>);</li>
  1773. <li>Open / create a file in the UFS (<em>createFile</em>).</li>
  1774. </ul>
  1775. <p>Using this driver, we managed to create the files needed for OTAP activation, install our own MIDlet on the modem, and assign it maximum manufacturer privileges.</p>
  1776. <div id="attachment_112968" style="width: 632px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11154125/Telit_vulnerabilities_27.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112968" class="size-full wp-image-112968" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11154125/Telit_vulnerabilities_27.png" alt="Installing our own MIDlet" width="622" height="179" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11154125/Telit_vulnerabilities_27.png 622w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/11154125/Telit_vulnerabilities_27-300x86.png 300w" sizes="(max-width: 622px) 100vw, 622px" /></a><p id="caption-attachment-112968" class="wp-caption-text">Installing our own MIDlet</p></div>
  1777. <h2 id="conclusion">Conclusion</h2>
  1778. <p>Although it is a special-purpose device, a modern modem implements numerous features and potential user scenarios. In fact, it is a complex system from both an architecture and an implementation point of view. Because of performance requirements, most of the key features are implemented in low-level languages such as C and assembler, and therefore lack built-in safeguards against developer mistakes.</p>
  1779. <p>In the course of the modem security analysis, we found seven locally exploitable vulnerabilities and one remotely exploitable vulnerability. Combined, these vulnerabilities could allow an attacker to gain complete control of the modem. In our truck&#8217;s security audit project, control of the modem gave us a foothold in the telecommunication unit embedding it, from which we propagated to other truck ECUs and ultimately gained control over the main vehicle systems, such as the engine, the gearbox, the suspension and the brakes, making it possible to compromise vehicle safety remotely.</p>
  1780. <p>All discovered vulnerabilities have been reported to the vendor. Some of them have not been addressed by the vendor so far, as support for the product has been discontinued. And even if the vendor fixed all the vulnerabilities, as we stated at the beginning of the report, in some cases the modem is integrated in such a way that applying updates would be difficult.</p>
  1781. <p>Thus, to counter the threats posed by the found vulnerabilities, Kaspersky recommends:</p>
  1782. <ul>
  1783. <li>Contact the mobile operator to disable the sending of SMS messages to the device.</li>
  1784. <li>Use a private APN with carefully configured security settings to limit the impact of any potential exploit.</li>
  1785. <li>Enforce application signature verification to prohibit the installation of untrusted MIDlets on the device.</li>
  1786. <li>Control physical access to the device at all stages of the supply chain to protect against the embedding of backdoors.</li>
  1787. <li>When developing a new product, treat remote compromise of the modem as a high potential risk and restrict access from the modem (or the unit embedding it) to the product&#8217;s other mission-critical components accordingly.</li>
  1788. </ul>
  1789. <p>As for the vendors of the modems and similar devices, to mitigate potential risks at the design stage, Kaspersky recommends:</p>
  1790. <ul>
  1791. <li>Introduce additional memory access restrictions in the ThreadX operating system, such as using the <a href="https://learn.microsoft.com/en-us/azure/iot/concepts-eclipse-threadx-security-practices#embedded-security-components-memory-protection" target="_blank" rel="noopener">MCU</a> or <a href="https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/threadx-modules/chapter1.md" target="_blank" rel="noopener">Modules</a>.</li>
  1792. <li>Use static code analysis tools to determine if there are any errors in logic or pointer arithmetic.</li>
  1793. <li>Perform fuzz testing (&#8220;fuzzing&#8221;) for the application to find implementation bugs using malformed/semi-malformed data injection in an automated fashion.</li>
  1794. <li>Perform code walk-through audits to look for confusing logic and other errors.</li>
  1795. <li>Select a development tool stack that enforces security domain separation and promotes a Secure by Design approach, such as the one advocated by the Kaspersky OS <a href="https://os.kaspersky.com/technologies/" target="_blank" rel="noopener">developers</a>.</li>
  1796. </ul>
  1797. ]]></content:encoded>
  1798. <wfw:commentRss>https://securelist.com/telit-cinterion-modem-vulnerabilities/112915/feed/</wfw:commentRss>
  1799. <slash:comments>0</slash:comments>
  1800. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/13095638/sl-abstract-blue-chip-1200x753-1.jpg" width="1200" height="753"><media:keywords>full</media:keywords></media:content>
  1801. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/13095638/sl-abstract-blue-chip-1200x753-1-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  1802. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/13095638/sl-abstract-blue-chip-1200x753-1-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  1803. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/13095638/sl-abstract-blue-chip-1200x753-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1804. </item>
  1805. <item>
  1806. <title>QR code SQL injection and other vulnerabilities in a popular biometric terminal</title>
  1807. <link>https://securelist.com/biometric-terminal-vulnerabilities/112800/</link>
  1808. <comments>https://securelist.com/biometric-terminal-vulnerabilities/112800/#respond</comments>
  1809. <dc:creator><![CDATA[Georgy Kiguradze]]></dc:creator>
  1810. <pubDate>Tue, 11 Jun 2024 08:00:01 +0000</pubDate>
  1811. <category><![CDATA[Research]]></category>
  1812. <category><![CDATA[Biometric authentication]]></category>
  1813. <category><![CDATA[Buffer Overflows]]></category>
  1814. <category><![CDATA[Code injection]]></category>
  1815. <category><![CDATA[Offensive cybersecurity]]></category>
  1816. <category><![CDATA[QR-codes]]></category>
  1817. <category><![CDATA[Security assessment]]></category>
  1818. <category><![CDATA[SQL injection]]></category>
  1819. <category><![CDATA[SSH]]></category>
  1820. <category><![CDATA[Vulnerabilities]]></category>
  1821. <category><![CDATA[Vulnerabilities and exploits]]></category>
  1822. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112800</guid>
  1823.  
  1824. <description><![CDATA[The report analyzes the security properties of a popular biometric access control terminal made by ZKTeco and describes vulnerabilities found in it.]]></description>
  1825. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185255/sl-biometric-terminal-vulnerabilities-featured-image-01-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Biometric scanners offer a unique way to resolve the conflict between security and usability. They help to identify a person by their unique biological characteristics – a fairly reliable process that does not require the user to exert any extra effort. Yet biometric scanners, like any other technology, have their weaknesses. This article touches on biometric scanner security from the red team&#8217;s perspective and uses the example of a popular hybrid terminal model to demonstrate approaches to scanner analysis. These approaches are admittedly fairly well known and apply to the analysis of any type of device.</p>
  1826. <p>We also talk about the benefits of biometric scanners for access control systems and their role in ensuring a due standard of security given today&#8217;s realities. Furthermore, we discuss vulnerabilities in a biometric scanner from a major global vendor that we found while analyzing its level of security. The article will prove useful for both security researchers and architects.</p>
  1827. <p>We have notified the vendor about all the vulnerabilities and security issues we found. A CVE entry has been registered for each of the vulnerability types: <a href="https://www.cve.org/CVERecord?id=CVE-2023-3938" target="_blank" rel="noopener">CVE-2023-3938</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2023-3939" target="_blank" rel="noopener">CVE-2023-3939</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2023-3940" target="_blank" rel="noopener">CVE-2023-3940</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2023-3941" target="_blank" rel="noopener">CVE-2023-3941</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2023-3942" target="_blank" rel="noopener">CVE-2023-3942</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2023-3943" target="_blank" rel="noopener">CVE-2023-3943</a>.</p>
  1828. <h2 id="a-brief-overview-of-biometric-terminals">A brief overview of biometric terminals</h2>
  1829. <p>In a security context, biometric terminals are used for personal identification. They rely on the analysis of unique human physical characteristics, such as fingerprints, voice, facial features, or the iris.</p>
  1830. <p>Importantly, though, a biometric terminal is somewhat different from a regular scanner. First, it can both acquire biometric data and validate it. Second, terminals can be connected to other scanners, such as electronic pass readers, or support other authentication methods using built-in hardware.</p>
  1831. <p>Their main purpose is to control access to an area or site. As such, they can be used for restricting access to premises that house confidential data, such as a server room or executive office, or to control access to hazardous facilities, such as a nuclear power or chemical plant.</p>
  1832. <p>Another application is recording employees&#8217; work hours to improve productivity and reduce the likelihood of successful fraud.</p>
  1833. <p>In terms of security, biometric terminals can be said to offer the following benefits:</p>
  1834. <ol>
  1835. <li>Highly accurate identification: biometric data is unique to each human being, which makes it a reliable way of identity verification.</li>
  1836. <li>Secure: biometric data is difficult to forge or copy, which increases system security.</li>
  1837. <li>User-friendly: biometric identification does not require subjects to remember passwords or carry access cards.</li>
  1838. <li>Efficiency: biometric terminals can process large amounts of data fast to reduce wait times.</li>
  1839. </ol>
  1840. <p>These devices are not without their downsides, though.</p>
  1841. <ol>
  1842. <li>Cost: biometric terminals are typically more expensive than traditional access control systems.</li>
  1843. <li>Risk of error: although biometric data is unique, in some cases, systems have misidentified individuals who had damaged fingertips, etc.</li>
  1844. <li>Privacy: some may have concerns about their biometric data being stored and used without their consent.</li>
  1845. <li>Technological limitations: some biometric identification methods (such as face recognition) can be less efficient under low light conditions, when the subject is wearing a mask, etc.</li>
  1846. </ol>
  1847. <p>Biometric terminals are quite an intriguing target for a pentester. Vulnerabilities in these devices, positioned at the nexus of the physical and network perimeters, pose risks that can be considered when analyzing the security of both these perimeters.</p>
  1848. <p>Some of the goals that can be achieved in terms of offensive security are:</p>
  1849. <ul>
  1850. <li>Authentication bypass and physical access violation</li>
  1851. <li>Biometric data leak</li>
  1852. <li>Gaining network access to a device and exploiting that to further develop the attack</li>
  1853. </ul>
  1854. <p>Now that we have defined the biometric terminal, its applications, benefits and downsides, and security analysis objectives associated with it, we can move on to analyzing a specific device.</p>
  1855. <h2 id="a-brief-overview-of-the-device-in-question">A brief overview of the device in question</h2>
  1856. <p>The device under review is a hybrid biometric terminal made by ZKTeco. It may come under various names depending on the distributor. You can see its external appearance in the photograph below.</p>
  1857. <div id="attachment_112810" style="width: 778px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112810" class="size-large wp-image-112810" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-768x1024.png" alt="External appearance of the device" width="768" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-768x1024.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-225x300.png 225w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-263x350.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-740x987.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-210x280.png 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01-675x900.png 675w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07150941/Biometric_terminal_vulnerabilities_01.png 960w" sizes="(max-width: 768px) 100vw, 768px" /></a><p id="caption-attachment-112810" class="wp-caption-text">External appearance of the device</p></div>
  1858. <p>The device has several physical interfaces, supporting four authentication methods: biometric (facial recognition), password, electronic pass, and QR code.</p>
  1859. <p>The following physical interfaces are present:</p>
  1860. <ul>
  1861. <li>RJ45;</li>
  1862. <li>RS232;</li>
  1863. <li>RS485 (unused);</li>
  1864. <li>Wiegand In/Out.</li>
  1865. </ul>
  1866. <p>A regular (non-privileged) user has few options in terms of interacting with the device: they can only tap one of the two on-screen buttons that you can see in the photograph below.</p>
  1867. <div id="attachment_112811" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112811" class="size-large wp-image-112811" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-1024x768.png" alt="Available touchscreen buttons" width="1024" height="768" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-1024x768.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-300x225.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-768x576.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-200x150.png 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-467x350.png 467w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-740x555.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-373x280.png 373w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12-800x600.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151416/Biometric_terminal_vulnerabilities_12.png 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112811" class="wp-caption-text">Available touchscreen buttons</p></div>
  1868. <p>Tapping a button brings up a prompt for a PIN, which in our case is the user&#8217;s unique ID.</p>
  1869. <div id="attachment_112812" style="width: 778px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112812" class="size-large wp-image-112812" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-768x1024.png" alt="User ID input interface" width="768" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-768x1024.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-225x300.png 225w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-263x350.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-740x987.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-210x280.png 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23-675x900.png 675w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151509/Biometric_terminal_vulnerabilities_23.png 960w" sizes="(max-width: 768px) 100vw, 768px" /></a><p id="caption-attachment-112812" class="wp-caption-text">User ID input interface</p></div>
  1870. <p>If a valid (existing) ID is entered, the screen displays available user-specific authentication options. The example shows a user with the ID 1 and two authentication methods: biometrics and password.</p>
  1871. <div id="attachment_112813" style="width: 778px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112813" class="size-large wp-image-112813" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-768x1024.png" alt="Authentication methods available to the user with the ID 1" width="768" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-768x1024.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-225x300.png 225w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-263x350.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-740x987.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-210x280.png 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34-675x900.png 675w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151556/Biometric_terminal_vulnerabilities_34.png 960w" sizes="(max-width: 768px) 100vw, 768px" /></a><p id="caption-attachment-112813" class="wp-caption-text">Authentication methods available to the user with the ID 1</p></div>
  1872. <p>That is the extent of what a non-administrator or unauthenticated user can do with the terminal.</p>
  1873. <p>The options available to an administrator are more interesting. With administrator privileges, we can control nearly all of the device settings. The image below shows the maximum-access menu.</p>
  1874. <div id="attachment_112814" style="width: 778px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112814" class="size-large wp-image-112814" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-768x1024.png" alt="Administrator's device setup menu" width="768" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-768x1024.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-225x300.png 225w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-263x350.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-740x987.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-210x280.png 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43-675x900.png 675w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151658/Biometric_terminal_vulnerabilities_43.png 960w" sizes="(max-width: 768px) 100vw, 768px" /></a><p id="caption-attachment-112814" class="wp-caption-text">Administrator&#8217;s device setup menu</p></div>
  1875. <p>The administrator menu can be used to add new users, manage their levels of access, and change the network and facial scanner settings. As you will see below, administrator access allows for achieving all of the security analysis objectives listed in the previous section. Getting that level of access requires passing authentication as an administrator.</p>
  1876. <h2 id="black-box-analysis">Black box analysis</h2>
  1877. <h3 id="circuit-analysis">Circuit analysis</h3>
  1878. <p>Our engineering analysis begins with black box analysis, specifically circuit analysis. The photograph below shows the circuit board; the components we are interested in are the following.</p>
  1879. <ol>
  1880. <li>SOC (HI 3516 DV300);</li>
  1881. <li>RAM (K4B4G16E-BCMA, 4Gb);</li>
  1882. <li>Flash memory (THGBMJG6C1LBAI, 8Gb, BGA-153);</li>
  1883. <li>UART.</li>
  1884. </ol>
  1885. <div id="attachment_112815" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112815" class="size-large wp-image-112815" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-1024x617.png" alt="Circuit board" width="1024" height="617" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-1024x617.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-300x181.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-768x463.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-330x200.png 330w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-581x350.png 581w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-740x446.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-465x280.png 465w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44-800x482.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151814/Biometric_terminal_vulnerabilities_44.png 1237w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112815" class="wp-caption-text">Circuit board</p></div>
  1886. <p>You may notice that the circuit board has many <a href="https://en.wikipedia.org/wiki/Test_point" target="_blank" rel="noopener">test points</a>. That said, we are only interested in the ones marked with the number 4, as those are the location of a <a href="https://en.wikipedia.org/wiki/Universal_asynchronous_receiver-transmitter" target="_blank" rel="noopener">universal asynchronous receiver-transmitter (UART)</a> that we can use to communicate with the device. The flash memory, marked with the number 3, is of interest as well, as it holds the entire firmware in unencrypted form.</p>
  1887. <p>To check that we had identified the UART correctly, we used an oscilloscope to probe the pin we believed to be TX, the line through which the device sends data out.</p>
  1888. <div id="attachment_112816" style="width: 778px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112816" class="size-large wp-image-112816" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-768x1024.png" alt="Oscilloscope connection to UART" width="768" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-768x1024.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-225x300.png 225w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-263x350.png 263w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-740x987.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-210x280.png 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45-675x900.png 675w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07151858/Biometric_terminal_vulnerabilities_45.png 960w" sizes="(max-width: 768px) 100vw, 768px" /></a><p id="caption-attachment-112816" class="wp-caption-text">Oscilloscope connection to UART</p></div>
  1889. <p>After calculating the UART data rate and setting the oscilloscope to that value, we saw that this was indeed a UART, and the device was sending a boot log through it.</p>
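The baud-rate check described above, as an added example that is not part of the original article: estimate the bit rate from the shortest pulse in a scope trace, snap it to the nearest standard baud, and decode the resulting 8N1 frames. The trace format (a list of logic-level runs with their durations, as transcribed from an oscilloscope) is an assumption, and the trace itself is constructed from a known message so the decoder can be checked against it.

```python
"""Added example: estimate a UART baud rate from a scope trace and decode 8N1.

Capture format (assumed): a list of (level, duration_seconds) run lengths,
i.e. what you would read off an oscilloscope or logic analyser. The trace
used below is constructed from a known message, not captured from a device.
"""

STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400, 460800, 921600)


def estimate_baud(runs):
    """Snap 1 / (shortest pulse) to the nearest standard baud rate.

    The shortest run in a UART stream is a single bit period (an isolated
    0 or 1 bit), so its reciprocal approximates the bit rate."""
    shortest = min(duration for _, duration in runs if duration > 0)
    measured = 1.0 / shortest
    return min(STANDARD_BAUDS, key=lambda b: abs(b - measured))


def runs_to_bits(runs, baud):
    """Expand run-length levels into one sample per bit period."""
    bit_time = 1.0 / baud
    bits = []
    for level, duration in runs:
        bits.extend([level] * int(round(duration / bit_time)))
    return bits


def decode_8n1(bits):
    """Decode 8N1 frames: idle high, start bit 0, 8 data bits LSB first, stop 1.

    Returns (decoded_bytes, framing_error_count). A frame whose stop bit is
    not high is counted as a framing error and the decoder resynchronises."""
    out = bytearray()
    errors = 0
    i = 0
    while i < len(bits):
        if bits[i] == 1:          # idle line, keep looking for a start bit
            i += 1
            continue
        if i + 10 > len(bits):    # not enough samples left for a full frame
            break
        data = bits[i + 1:i + 9]
        stop = bits[i + 9]
        if stop != 1:
            errors += 1
            i += 1                # slide one bit and try again
            continue
        value = 0
        for k, b in enumerate(data):
            value |= b << k       # LSB is transmitted first
        out.append(value)
        i += 10
    return bytes(out), errors


def encode_8n1_runs(data, baud, idle_bits=2):
    """Constructed fixture: the run-length trace a scope would show for
    `data` sent at `baud`, 8N1, with idle time between bytes."""
    bit_time = 1.0 / baud
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> k) & 1 for k in range(8))  # LSB first
        bits.append(1)                                  # stop bit
        bits.extend([1] * idle_bits)
    runs = []
    for b in bits:
        if runs and runs[-1][0] == b:
            runs[-1] = (b, runs[-1][1] + bit_time)
        else:
            runs.append((b, bit_time))
    return runs


def decode_capture(runs):
    """Full pipeline: estimate baud, then decode. Returns (baud, bytes, errors)."""
    baud = estimate_baud(runs)
    data, errors = decode_8n1(runs_to_bits(runs, baud))
    return baud, data, errors


if __name__ == "__main__":
    trace = encode_8n1_runs(b"U-Boot\r\n", 57600)   # constructed, not captured
    print(decode_capture(trace))
```

The estimate relies on at least one isolated bit appearing in the capture; a long stretch of boot-log text always contains one. If the decoded text is garbage at the snapped rate, the next thing to check is the rate one step up or down the table, which is exactly the situation the article hits later when the device switches from 57,600 to 115,200 baud.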
  1890. <div id="attachment_112817" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112817" class="size-full wp-image-112817" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46.png" alt="Boot log" width="1024" height="630" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46-300x185.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46-768x473.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46-569x350.png 569w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46-740x455.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46-455x280.png 455w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152003/Biometric_terminal_vulnerabilities_46-800x492.png 800w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112817" class="wp-caption-text">Boot log</p></div>
  1891. <p>Next, we connected to the UART using a PC, which helped us to view the full boot log and identify the bootloader as U-Boot.</p>
  1892. <div id="attachment_112818" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112818" class="size-large wp-image-112818" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-1024x248.png" alt="UART connection from a PC" width="1024" height="248" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-1024x248.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-300x73.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-768x186.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-1536x372.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-1446x350.png 1446w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-740x179.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-1156x280.png 1156w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47-800x194.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152049/Biometric_terminal_vulnerabilities_47.png 1714w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112818" class="wp-caption-text">UART connection from a PC</p></div>
  1893. <p>The bootloader configuration prevents any attempt to interrupt startup (bootdelay = -2) or to interact with it in any other way. However, having waited some time after the device booted up, we found that the UART switched from 57,600 to 115,200 baud (bits per second) as the device began to send uniformly structured packets, which suggested an unknown protocol.</p>
  1894. <div id="attachment_112819" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112819" class="size-full wp-image-112819" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02.png" alt="The unknown protocol as used by the UART" width="1024" height="630" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02-300x185.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02-768x473.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02-569x350.png 569w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02-740x455.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02-455x280.png 455w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152140/Biometric_terminal_vulnerabilities_02-800x492.png 800w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112819" class="wp-caption-text">The unknown protocol as used by the UART</p></div>
  1895. <p>Every packet began with the bytes 0x53 0x53, and the fifth byte was always identical to the final one. An online search for these two characteristics brought up nothing. Sending similarly formatted packets to the device yielded nothing, either.</p>
  1896. <h3 id="network-analysis">Network analysis</h3>
  1897. <p>Another type of black box analysis is scanning network ports. We can use Nmap, a publicly available network scanner utility, to see which ports are open, and try to identify the services running on these and their versions. The screenshot below shows the TCP ports open on the biometric terminal.</p>
  1898. <div id="attachment_112820" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112820" class="size-large wp-image-112820" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-1024x350.png" alt="Open ports" width="1024" height="350" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-1024x350.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-300x102.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-768x262.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-1536x525.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-1025x350.png 1025w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-740x253.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-820x280.png 820w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03-800x273.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152212/Biometric_terminal_vulnerabilities_03.png 2041w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112820" class="wp-caption-text">Open ports</p></div>
  1899. <p>You may notice that the device supports SSH on a non-standard port. In theory, we could connect to it if we got hold of the right credentials. We could potentially extract those from the firmware by running a dictionary attack against, or brute-forcing, the password hash.</p>
  1900. <p>In addition, there were two services that could not be identified automatically. The service running on port 6668/TCP was Tuya Server, but we could not find out its purpose. The service running on port 4370/TCP was more interesting as it used the vendor&#8217;s proprietary protocol, which is supported by many of its devices. After searching the web for the protocol, we found that there was <a href="https://github.com/adrobinoga/zk-protocol/blob/master/protocol.md" target="_blank" rel="noopener">documentation available</a>, which made our analysis much easier.</p>
  1901. <div id="attachment_112821" style="width: 972px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112821" class="size-full wp-image-112821" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04.png" alt="Searching for the protocol on port 4370/TCP" width="962" height="281" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04.png 962w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04-300x88.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04-768x224.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04-740x216.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04-959x280.png 959w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152245/Biometric_terminal_vulnerabilities_04-800x234.png 800w" sizes="(max-width: 962px) 100vw, 962px" /></a><p id="caption-attachment-112821" class="wp-caption-text">Searching for the protocol on port 4370/TCP</p></div>
  1902. <h3 id="camera-and-qr-code-scanner-analysis">Camera and QR code scanner analysis</h3>
  1903. <p>Our overview of the device mentions that it supports QR code authentication. We decided to see what happened if a code we presented to the device contained invalid data that could disrupt the processing logic. We were able to achieve a result by making the device scan a QR code that contained malicious SQL code.</p>
  1904. <p>A basic SQL injection resulted in the device recognizing us as a valid user.</p>
  1905. <div id="attachment_112868" style="width: 610px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185517/biometric-terminal-vulnerabilities-demo-01.gif" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112868" class="size-full wp-image-112868" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185517/biometric-terminal-vulnerabilities-demo-01.gif" alt="Gaining access with the help of an SQL injection" width="600" height="328" /></a><p id="caption-attachment-112868" class="wp-caption-text">Gaining access with the help of an SQL injection</p></div>
  1906. <p>We further noticed that making the device scan a QR code containing 1 KB of data or more caused it to go into an emergency reboot, which suggested that one of its components had suffered an overflow. More on this in the reverse engineering and firmware analysis section.</p>
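The two QR-code findings above (a basic SQL injection that yields a valid user, and a crash on payloads of 1 KB or more) share one root cause: scanned text reaches a parser without a length bound and is spliced into a query as code. The following is an added example, not ZKTeco's code and not from the article, showing the unsafe lookup pattern beside a hardened one. The user table, the token format and the `MAX_QR_PAYLOAD` limit are all constructed assumptions.

```python
"""Added example (constructed; not the device's code): QR-token user lookup,
unsafe string-built query vs. a hardened, bounded, parameterised query."""
import sqlite3

MAX_QR_PAYLOAD = 64   # assumed upper bound for a legitimate QR credential


class RejectedPayload(ValueError):
    """Raised when a scanned payload fails validation before any parsing."""


def make_db():
    """Constructed in-memory user table standing in for the terminal's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, qr_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "tok-alice-0001"), (2, "bob", "tok-bob-0002")],
    )
    return conn


def lookup_user_unsafe(conn, payload):
    """Vulnerable pattern: the scanned text is pasted straight into the SQL.

    Any quote in the payload changes the query's structure, so a payload
    that makes the WHERE clause always true matches the first user."""
    query = f"SELECT id, name FROM users WHERE qr_token = '{payload}'"
    return conn.execute(query).fetchone()


def lookup_user(conn, payload):
    """Hardened lookup.

    1. Bound the size and character set before the payload reaches any
       parser, which also removes the oversized-input crash path.
    2. Bind the value as a parameter so it is only ever compared as data."""
    if not isinstance(payload, str) or len(payload) > MAX_QR_PAYLOAD:
        raise RejectedPayload("payload too long")
    if not payload.isprintable():
        raise RejectedPayload("payload contains control characters")
    return conn.execute(
        "SELECT id, name FROM users WHERE qr_token = ?", (payload,)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_unsafe(db, "tok-alice-0001"))   # legitimate token
    print(lookup_user_unsafe(db, "' OR '1'='1"))      # structure changed
    print(lookup_user(db, "' OR '1'='1"))              # None: compared as data
```

The length check is deliberately placed before any decoding or query work: the article's 1 KB reboot shows that the unsafe path fails in a component other than the SQL layer, so a bound applied at the point of scan protects everything downstream, not just the query.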
  1907. <h2 id="getting-and-unpacking-the-firmware">Getting and unpacking the firmware</h2>
  1908. <p>The vendor&#8217;s website will not let just anyone download the latest version of the firmware. You can download a PDF file containing the update algorithm, but it is protected with a password that we could not find on any public websites.</p>
  1909. <p>Therefore, we had two options for obtaining the firmware: removing the flash memory and dumping it with a programmer, or trying to find a copy on the web.</p>
  1910. <h3 id="searching-the-web-for-the-firmware">Searching the web for the firmware</h3>
  1911. <p>To start searching for the firmware, we needed to find out its name and rough version. We were analyzing an unused device fresh out of the box, so we had administrator access to it. Therefore, we could view the device details and find the current firmware version.</p>
  1912. <div id="attachment_112822" style="width: 970px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112822" class="size-full wp-image-112822" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05.png" alt="Firmware details as seen in the setup menu" width="960" height="234" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05.png 960w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05-300x73.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05-768x187.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05-740x180.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152441/Biometric_terminal_vulnerabilities_05-800x195.png 800w" sizes="(max-width: 960px) 100vw, 960px" /></a><p id="caption-attachment-112822" class="wp-caption-text">Firmware details as seen in the setup menu</p></div>
  1913. <p>The version we had was ZAM170-NF-1.8.25-7354-Ver1.0.0. We used that string and parts of it for our web search.</p>
  1914. <p>After running some sophisticated Google search queries, we found a few devices on international distributors&#8217; websites that looked a lot like our terminal.</p>
  1915. <div id="attachment_112823" style="width: 1012px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112823" class="size-full wp-image-112823" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06.png" alt="A similar device on an international distributor's website" width="1002" height="454" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06.png 1002w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06-300x136.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06-768x348.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06-772x350.png 772w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06-740x335.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06-618x280.png 618w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152617/Biometric_terminal_vulnerabilities_06-800x362.png 800w" sizes="(max-width: 1002px) 100vw, 1002px" /></a><p id="caption-attachment-112823" class="wp-caption-text">A similar device on an international distributor&#8217;s website</p></div>
  1916. <p>We also found the firmware, albeit an earlier version.</p>
  1917. <div id="attachment_112824" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112824" class="size-large wp-image-112824" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07-1024x110.png" alt="Same-series firmware" width="1024" height="110" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07-1024x110.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07-300x32.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07-768x82.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07-740x79.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07-800x86.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152654/Biometric_terminal_vulnerabilities_07.png 1131w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112824" class="wp-caption-text">Same-series firmware</p></div>
  1918. <p>The firmware was just enough for us to figure out how the update worked. Having downloaded and analyzed the firmware, we found that the update itself was part of a text file to be transformed by specialized software.</p>
  1919. <div id="attachment_112825" style="width: 719px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152807/Biometric_terminal_vulnerabilities_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112825" class="size-full wp-image-112825" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152807/Biometric_terminal_vulnerabilities_08.png" alt="Update text file" width="709" height="387" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152807/Biometric_terminal_vulnerabilities_08.png 709w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152807/Biometric_terminal_vulnerabilities_08-300x164.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152807/Biometric_terminal_vulnerabilities_08-641x350.png 641w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152807/Biometric_terminal_vulnerabilities_08-513x280.png 513w" sizes="(max-width: 709px) 100vw, 709px" /></a><p id="caption-attachment-112825" class="wp-caption-text">Update text file</p></div>
1920. <p>The transformation process was not too sophisticated: the hexadecimal text records contained in the &#8220;DataX&#8221; variables were converted to bytes to produce the firmware image.</p>
  1921. <div id="attachment_112827" style="width: 643px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152849/Biometric_terminal_vulnerabilities_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112827" class="size-full wp-image-112827" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152849/Biometric_terminal_vulnerabilities_09.png" alt="Update binary" width="633" height="275" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152849/Biometric_terminal_vulnerabilities_09.png 633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152849/Biometric_terminal_vulnerabilities_09-300x130.png 300w" sizes="(max-width: 633px) 100vw, 633px" /></a><p id="caption-attachment-112827" class="wp-caption-text">Update binary</p></div>
  1922. <p>A quick analysis of the file found that it was encrypted. This led us to examine other files in the archive.</p>
  1923. <p>A closer inspection revealed that the device supported partial firmware updates that affected only certain libraries and executables. We found a smaller update package like that inside a directory shipped with the firmware archive that we had downloaded from the distributor website.</p>
  1924. <div id="attachment_112828" style="width: 796px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152926/Biometric_terminal_vulnerabilities_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112828" class="size-full wp-image-112828" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152926/Biometric_terminal_vulnerabilities_10.png" alt="Partial update archive" width="786" height="137" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152926/Biometric_terminal_vulnerabilities_10.png 786w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152926/Biometric_terminal_vulnerabilities_10-300x52.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152926/Biometric_terminal_vulnerabilities_10-768x134.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152926/Biometric_terminal_vulnerabilities_10-740x129.png 740w" sizes="(max-width: 786px) 100vw, 786px" /></a><p id="caption-attachment-112828" class="wp-caption-text">Partial update archive</p></div>
  1925. <div id="attachment_112829" style="width: 704px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152952/Biometric_terminal_vulnerabilities_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112829" class="size-full wp-image-112829" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152952/Biometric_terminal_vulnerabilities_11.png" alt="Partial update files" width="694" height="262" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152952/Biometric_terminal_vulnerabilities_11.png 694w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07152952/Biometric_terminal_vulnerabilities_11-300x113.png 300w" sizes="(max-width: 694px) 100vw, 694px" /></a><p id="caption-attachment-112829" class="wp-caption-text">Partial update files</p></div>
  1926. <p>Through a quick analysis of the &#8220;standalonecomm&#8221; executable, we found that the file handled requests received on port 4370/TCP. The executable also had firmware update functionality. The handler invoked a &#8220;zkfp_ExtractPackage&#8221; file extractor function that was external to the executable.</p>
  1927. <div id="attachment_112830" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112830" class="size-large wp-image-112830" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13-1024x147.png" alt="Update file extract code" width="1024" height="147" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13-1024x147.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13-300x43.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13-768x111.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13-740x106.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13-800x115.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153035/Biometric_terminal_vulnerabilities_13.png 1390w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112830" class="wp-caption-text">Update file extract code</p></div>
  1928. <div id="attachment_112831" style="width: 1010px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112831" class="size-full wp-image-112831" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14.png" alt="External update image extract function" width="1000" height="62" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14.png 1000w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14-300x19.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14-768x48.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14-990x62.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14-740x46.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153107/Biometric_terminal_vulnerabilities_14-800x50.png 800w" sizes="(max-width: 1000px) 100vw, 1000px" /></a><p id="caption-attachment-112831" class="wp-caption-text">External update image extract function</p></div>
  1929. <p>We failed to find the function in any of the other update files, so we resorted to searching the web. This took us to a repository that had the function in its header file.</p>
  1930. <div id="attachment_112832" style="width: 969px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112832" class="size-full wp-image-112832" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15.png" alt="Searching for the extract function" width="959" height="349" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15.png 959w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15-300x109.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15-768x279.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15-740x269.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15-769x280.png 769w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153157/Biometric_terminal_vulnerabilities_15-800x291.png 800w" sizes="(max-width: 959px) 100vw, 959px" /></a><p id="caption-attachment-112832" class="wp-caption-text">Searching for the extract function</p></div>
  1931. <div id="attachment_112833" style="width: 1032px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112833" class="size-full wp-image-112833" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16.png" alt="The extract function inside the header file" width="1022" height="765" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16.png 1022w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-300x225.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-768x575.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-200x150.png 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-468x350.png 468w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-740x554.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-374x280.png 374w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153238/Biometric_terminal_vulnerabilities_16-800x599.png 800w" sizes="(max-width: 1022px) 100vw, 1022px" /></a><p id="caption-attachment-112833" class="wp-caption-text">The extract function inside the header file</p></div>
  1932. <p>We found a library with the function implemented inside the same repository.</p>
  1933. <div id="attachment_112834" style="width: 542px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153504/Biometric_terminal_vulnerabilities_17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112834" class="size-full wp-image-112834" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153504/Biometric_terminal_vulnerabilities_17.png" alt="The library with the extract function inside the repository" width="532" height="58" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153504/Biometric_terminal_vulnerabilities_17.png 532w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153504/Biometric_terminal_vulnerabilities_17-300x33.png 300w" sizes="(max-width: 532px) 100vw, 532px" /></a><p id="caption-attachment-112834" class="wp-caption-text">The library with the extract function inside the repository</p></div>
  1934. <div id="attachment_112835" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112835" class="size-large wp-image-112835" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-1024x122.png" alt="Searching for the extract function inside the library" width="1024" height="122" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-1024x122.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-300x36.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-768x91.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-1536x182.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-740x88.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18-800x95.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153540/Biometric_terminal_vulnerabilities_18.png 1550w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112835" class="wp-caption-text">Searching for the extract function inside the library</p></div>
  1935. <p>After analyzing the extract function, we found that it was also used for decrypting the firmware. The screenshot below shows the decrypt code.</p>
  1936. <div id="attachment_112836" style="width: 581px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153611/Biometric_terminal_vulnerabilities_19.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112836" class="size-full wp-image-112836" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153611/Biometric_terminal_vulnerabilities_19.png" alt="Update file decrypt code" width="571" height="617" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153611/Biometric_terminal_vulnerabilities_19.png 571w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153611/Biometric_terminal_vulnerabilities_19-278x300.png 278w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153611/Biometric_terminal_vulnerabilities_19-324x350.png 324w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153611/Biometric_terminal_vulnerabilities_19-259x280.png 259w" sizes="(max-width: 571px) 100vw, 571px" /></a><p id="caption-attachment-112836" class="wp-caption-text">Update file decrypt code</p></div>
  1937. <p>The encryption used XOR with a key consisting of the last 16 bytes of the update file and the file size. It appeared that now we had all the data we needed to generate a key and decrypt the firmware.</p>
  1938. <p>Once decrypted, the file turned out to contain an update only for some of the executables, libraries and configuration files.</p>
  1939. <div id="attachment_112837" style="width: 509px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153708/Biometric_terminal_vulnerabilities_20.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112837" class="size-full wp-image-112837" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153708/Biometric_terminal_vulnerabilities_20.png" alt="Decrypted update archive" width="499" height="315" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153708/Biometric_terminal_vulnerabilities_20.png 499w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153708/Biometric_terminal_vulnerabilities_20-300x189.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153708/Biometric_terminal_vulnerabilities_20-444x280.png 444w" sizes="(max-width: 499px) 100vw, 499px" /></a><p id="caption-attachment-112837" class="wp-caption-text">Decrypted update archive</p></div>
  1940. <p>This was not too much of an issue, as the executable that handled incoming data on port 4370/TCP – the one we were looking for – was among the contents of the downloaded archive. We still wanted the full firmware, so we tried the other option: reading the flash memory.</p>
  1941. <h3 id="getting-the-firmware-from-the-flash-memory">Getting the firmware from the flash memory</h3>
  1942. <p>As mentioned at the beginning of this section, one could pull a copy of the firmware from the flash memory located on the circuit board.</p>
  1943. <div id="attachment_112838" style="width: 234px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153740/Biometric_terminal_vulnerabilities_21.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112838" class="size-full wp-image-112838" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153740/Biometric_terminal_vulnerabilities_21.png" alt="The flash memory on the circuit board" width="224" height="229" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153740/Biometric_terminal_vulnerabilities_21.png 224w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153740/Biometric_terminal_vulnerabilities_21-50x50.png 50w" sizes="(max-width: 224px) 100vw, 224px" /></a><p id="caption-attachment-112838" class="wp-caption-text">The flash memory on the circuit board</p></div>
1944. <p>The memory was an eMMC in a BGA-153 package, for which a programmer clip was easy to find online. Reading the flash memory gave us a file that contained various sections, as shown below.</p>
  1945. <div id="attachment_112839" style="width: 361px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153809/Biometric_terminal_vulnerabilities_22.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112839" class="size-full wp-image-112839" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153809/Biometric_terminal_vulnerabilities_22.png" alt="Flash memory structure" width="351" height="546" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153809/Biometric_terminal_vulnerabilities_22.png 351w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153809/Biometric_terminal_vulnerabilities_22-193x300.png 193w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153809/Biometric_terminal_vulnerabilities_22-225x350.png 225w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153809/Biometric_terminal_vulnerabilities_22-180x280.png 180w" sizes="(max-width: 351px) 100vw, 351px" /></a><p id="caption-attachment-112839" class="wp-caption-text">Flash memory structure</p></div>
  1946. <p>The section names were generally self-explanatory, but we still ran binwalk, a publicly available utility for data container analysis, to make sure they were correct. The binwalk output is shown below.</p>
  1947. <div id="attachment_112840" style="width: 818px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112840" class="size-full wp-image-112840" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24.png" alt="The binwalk output for the flash memory dump" width="808" height="219" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24.png 808w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24-300x81.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24-768x208.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24-740x201.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153908/Biometric_terminal_vulnerabilities_24-800x217.png 800w" sizes="(max-width: 808px) 100vw, 808px" /></a><p id="caption-attachment-112840" class="wp-caption-text">The binwalk output for the flash memory dump</p></div>
  1948. <p>Besides all the executables and a Linux kernel, the flash memory contained the credentials of the system&#8217;s only two users.</p>
  1949. <div id="attachment_112841" style="width: 697px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153941/Biometric_terminal_vulnerabilities_25.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112841" class="size-full wp-image-112841" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153941/Biometric_terminal_vulnerabilities_25.png" alt="The contents of /etc/shadow" width="687" height="174" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153941/Biometric_terminal_vulnerabilities_25.png 687w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07153941/Biometric_terminal_vulnerabilities_25-300x76.png 300w" sizes="(max-width: 687px) 100vw, 687px" /></a><p id="caption-attachment-112841" class="wp-caption-text">The contents of /etc/shadow</p></div>
1950. <p>Assuming the users accessed the device via SSH, we tried brute-forcing the hashes to get their passwords. We successfully obtained the password for the user &#8220;zkteco&#8221;, who indeed had SSH access to the terminal.</p>
  1951. <div id="attachment_112842" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112842" class="size-large wp-image-112842" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-1024x301.png" alt="Logging in with credentials via SSH" width="1024" height="301" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-1024x301.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-300x88.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-768x226.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-1191x350.png 1191w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-740x218.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-952x280.png 952w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26-800x235.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154013/Biometric_terminal_vulnerabilities_26.png 1194w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112842" class="wp-caption-text">Logging in with credentials via SSH</p></div>
  1952. <p>Unfortunately, this user did not have the highest privileges, but we still got access to a number of sensitive system files and a list of running services.</p>
  1953. <div id="attachment_112843" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112843" class="size-large wp-image-112843" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-1024x353.png" alt="Executables running on the device" width="1024" height="353" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-1024x353.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-300x104.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-768x265.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-1014x350.png 1014w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-740x255.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-811x280.png 811w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27-800x276.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154048/Biometric_terminal_vulnerabilities_27.png 1301w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112843" class="wp-caption-text">Executables running on the device</p></div>
1954. <p>The main service is named &#8220;main&#8221;. It controls everything displayed on the screen and talks to the other services through a service named &#8220;hub&#8221;, a message broker of sorts that provides a convenient interface for inter-service communication. Another service of interest is &#8220;pushcomm&#8221;: an HTTP client that sends requests to a server specified in the device configuration. In other words, this client can be used to attack the device if the attacker can make it talk to a web server they control. Read on to find out about attacks that can be implemented this way. Note also that all the services run with the highest privileges, which makes hijacking the device much easier: any vulnerability that allows code or command execution gives the attacker the highest privileges.</p>
  1955. <h2 id="analyzing-the-protocol-on-port-4370-tcp">Analyzing the protocol on port 4370/TCP</h2>
  1956. <p>We chose the standalonecomm service as the main object for our analysis as it implements the vendor&#8217;s proprietary protocol on port 4370/TCP and contains commands of interest to an attacker that may be implemented improperly.</p>
  1957. <p>As mentioned at the beginning of this article, protocol documentation is available from a GitHub repository, which significantly simplifies analysis as one can apply the knowledge to disassembled code to find the handler of the command one is interested in.</p>
  1958. <p>The protocol structure is fairly simple and typical. A packet consists of a header and a payload. The payload is also divided into a header and data, with the latter largely determined by the command. In some cases, it is a four-byte number, and in others, a string or dataset. A detailed description of the protocol design can be found in the <a href="https://github.com/adrobinoga/zk-protocol/blob/master/protocol.md" target="_blank" rel="noopener">publicly available document repository</a>.</p>
  1959. <h3 id="protocol-authentication-and-its-issues">Protocol authentication and its issues</h3>
1960. <p>The protocol&#8217;s interesting features include user authentication, which requires knowing the password set on the device. On our device, the password is called &#8220;COMKey&#8221; and is set by the administrator. By default it is 0, meaning there is no password and all requests can be run without any authentication.</p>
1961. <p>Moreover, COMKey can only be an integer from 0 to 999999, so the number of possible passwords is limited and can be brute-forced over the network. We came across this restriction while analyzing the code that sets the password.</p>
  1962. <div id="attachment_112844" style="width: 638px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154126/Biometric_terminal_vulnerabilities_28.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112844" class="size-full wp-image-112844" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154126/Biometric_terminal_vulnerabilities_28.png" alt="COMKey set code" width="628" height="208" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154126/Biometric_terminal_vulnerabilities_28.png 628w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154126/Biometric_terminal_vulnerabilities_28-300x99.png 300w" sizes="(max-width: 628px) 100vw, 628px" /></a><p id="caption-attachment-112844" class="wp-caption-text">COMKey set code</p></div>
  1963. <p>The method used for generating a so-called &#8220;MAC&#8221; (Message Authentication Code) for protocol authentication is not secure enough either. The generation process relies on reversible operations, so if we can monitor traffic on the network, we can recover the password once the client is authenticated successfully. The generation code is shown in the screenshot below.</p>
  1964. <div id="attachment_112845" style="width: 621px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154159/Biometric_terminal_vulnerabilities_29.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112845" class="size-full wp-image-112845" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154159/Biometric_terminal_vulnerabilities_29.png" alt="MAC generation code" width="611" height="542" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154159/Biometric_terminal_vulnerabilities_29.png 611w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154159/Biometric_terminal_vulnerabilities_29-300x266.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154159/Biometric_terminal_vulnerabilities_29-395x350.png 395w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154159/Biometric_terminal_vulnerabilities_29-316x280.png 316w" sizes="(max-width: 611px) 100vw, 611px" /></a><p id="caption-attachment-112845" class="wp-caption-text">MAC generation code</p></div>
  1965. <p>The SessionId is a two-byte value generated by the server and sent to the client, which combines it with the COMKey to calculate a MAC and returns the result to the server.</p>
  1966. <p>A further password-related risk is that the COMKey is stored unencrypted in the device database. Any arbitrary file read vulnerability therefore exposes it and allows authenticating over the protocol, and an attacker who can log in via SSH can simply read the database and obtain the protocol password without any network brute-force attack.</p>
  1967. <p>The diagram below illustrates the protocol authentication mechanism.</p>
  1968. <div id="attachment_112846" style="width: 815px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30.jpg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112846" class="size-full wp-image-112846" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30.jpg" alt="Protocol authentication mechanism" width="805" height="728" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30.jpg 805w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30-300x271.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30-768x695.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30-387x350.jpg 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30-740x669.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30-310x280.jpg 310w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154311/Biometric_terminal_vulnerabilities_30-800x723.jpg 800w" sizes="(max-width: 805px) 100vw, 805px" /></a><p id="caption-attachment-112846" class="wp-caption-text">Protocol authentication mechanism</p></div>
  1969. <p>The client sends a connect command (CMD_CONNECT), and the server returns two bytes that represent a SessionId. The client combines these with the COMKey to generate a MAC and sends it in a CMD_AUTH command, which the server validates. If the MAC is valid, the server responds with CMD_ACK_OK, and the client is then free to use every server command for the remainder of the current TCP session.</p>
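<p>The exchange above and the weakness in it, as an added example that is not part of the original article or of the device firmware: a hypothetical reversible MAC (bit-reversal, add the SessionId, XOR a constant; the real operations are only shown in the screenshot and are not reproduced here), the CMD_CONNECT/CMD_AUTH exchange built on it, and a passive observer inverting one captured SessionId/MAC pair to get the COMKey back. The command numbers, the frame layout and the XOR constant are assumptions.</p>

```c
/* Added example, not the device's code. A hypothetical reversible "MAC" of
 * the kind described above, the connect/auth exchange built on it, and a
 * sniffer recovering the COMKey from one captured pair. Command numbers,
 * frame layout and MIX_CONST are assumptions. */
#include <stdint.h>
#include <stdio.h>

#define CMD_CONNECT 1000u            /* assumed command numbers */
#define CMD_AUTH    1102u
#define CMD_ACK_OK  2000u
#define MIX_CONST   0x5A4B534Fu      /* assumed fixed constant XORed in */

/* Bit permutation: a bijection, trivially undone by applying it again. */
static uint32_t bit_reverse32(uint32_t x) {
    uint32_t r = 0;
    for (int i = 0; i < 32; i++) { r = (r << 1) | (x & 1u); x >>= 1; }
    return r;
}

/* Hypothetical key mixing: every step is invertible given the SessionId,
 * so nothing here is one-way. */
uint32_t weak_mac(uint32_t comkey, uint16_t session_id) {
    uint32_t r = bit_reverse32(comkey);
    r += session_id;                 /* wraps mod 2^32 */
    r ^= MIX_CONST;
    return r;
}

/* The sniffer's inverse: undo each step in reverse order. */
uint32_t recover_comkey(uint16_t session_id, uint32_t observed_mac) {
    uint32_t r = observed_mac ^ MIX_CONST;
    r -= session_id;
    return bit_reverse32(r);
}

/* Frames are modelled as structs; the real wire format is not given here. */
struct frame { uint16_t cmd; uint16_t session_id; uint32_t mac; };
struct server_state { uint32_t comkey; uint16_t session_id; int authed; };

/* Server side of CMD_CONNECT: hand out a fresh 16-bit SessionId. */
struct frame server_connect(struct server_state *s, uint16_t fresh_session_id) {
    s->session_id = fresh_session_id;
    s->authed = 0;
    struct frame reply = { CMD_ACK_OK, fresh_session_id, 0 };
    return reply;
}

/* Client side of CMD_AUTH: derive the MAC from COMKey and SessionId. */
struct frame client_auth(uint32_t comkey, uint16_t session_id) {
    struct frame f = { CMD_AUTH, session_id, weak_mac(comkey, session_id) };
    return f;
}

/* Server side of CMD_AUTH: recompute and compare. 1 means CMD_ACK_OK. */
int server_verify(struct server_state *s, const struct frame *auth) {
    if (auth->cmd != CMD_AUTH || auth->session_id != s->session_id) return 0;
    s->authed = (weak_mac(s->comkey, s->session_id) == auth->mac);
    return s->authed;
}

/* Passive attacker who saw both frames on the wire. */
uint32_t sniffer_recover(const struct frame *connect_reply, const struct frame *auth) {
    return recover_comkey(connect_reply->session_id, auth->mac);
}

/* Whether a client holding client_key gets in against a server holding server_key. */
int auth_result(uint32_t server_key, uint32_t client_key, uint16_t session_id) {
    struct server_state srv = { server_key, 0, 0 };
    struct frame hello = server_connect(&srv, session_id);
    struct frame auth  = client_auth(client_key, hello.session_id);
    return server_verify(&srv, &auth);
}

/* One legitimate session; returns 1 if the sniffer recovers the COMKey. */
int demo(uint32_t comkey, uint16_t session_id) {
    struct server_state srv = { comkey, 0, 0 };
    struct frame hello = server_connect(&srv, session_id);
    struct frame auth  = client_auth(comkey, hello.session_id);
    if (!server_verify(&srv, &auth)) return 0;
    return sniffer_recover(&hello, &auth) == comkey;
}

int main(void) {
    printf("COMKey recovered from one captured session: %d\n", demo(123456u, 0x1A2Bu));
    return 0;
}
```

<p>Whatever the exact operations, any construction built only from bijections (bit permutations, modular addition, XOR with public values) leaks the key this way. A keyed one-way function such as HMAC-SHA256 over the SessionId closes the inversion, but a short numeric COMKey would still be guessable offline from one captured pair, so the key must also carry enough entropy, and the whole exchange belongs inside TLS.</p>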
  1970. <h3 id="vulnerability-analysis-of-command-handlers">Vulnerability analysis of command handlers</h3>
  1971. <p>All commands that become available after successful authentication are handled by one large function built around a switch on the command ID. Below is its graph representation.</p>
  1972. <div id="attachment_112847" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112847" class="size-large wp-image-112847" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-1024x310.png" alt="A graphic representation of the command handler" width="1024" height="310" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-1024x310.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-300x91.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-768x232.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-1536x465.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-1157x350.png 1157w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-740x224.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-925x280.png 925w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154343/Biometric_terminal_vulnerabilities_31-800x242.png 800w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112847" class="wp-caption-text">A graphic representation of the command handler</p></div>
  1973. <p>Analyzing the function is not especially complex: it is only a matter of time and attention.</p>
  1974. <p>We immediately singled out commands whose names contained the words &#8220;DOWNLOAD&#8221;, &#8220;UPLOAD&#8221;, &#8220;DELETE&#8221; or &#8220;UPDATE&#8221; as relevant analysis objects.</p>
  1975. <p>For example, CMD_DOWNLOAD_PICTURE downloads a user image. It accepts a file name as an argument and passes it to the file open call without any validation, so a name containing directory traversal sequences fetches an arbitrary file from the system. The handler code is shown in the screenshot below.</p>
  1976. <div id="attachment_112850" style="width: 812px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112850" class="size-full wp-image-112850" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32.png" alt="Image download handler" width="802" height="440" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32.png 802w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32-300x165.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32-768x421.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32-800x439.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32-638x350.png 638w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32-740x406.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154621/Biometric_terminal_vulnerabilities_32-510x280.png 510w" sizes="(max-width: 802px) 100vw, 802px" /></a><p id="caption-attachment-112850" class="wp-caption-text">Image download handler</p></div>
  1977. <p>The command can be used to obtain /etc/shadow, as standalonecomm is running with the highest privileges.</p>
  1978. <p>We found several more arbitrary file read vulnerabilities in other commands that pass file names through without any filtering, as well as a function that allows uploading files to arbitrary paths. Given the privileges the service runs with, an arbitrary write is enough to take complete control of the device.</p>
  1979. <p>An analysis of CMD_DELETE_PICTURE revealed a command injection: the name of the image to be deleted is inserted directly into a shell command string, which is then passed to the &#8220;system&#8221; function, so shell metacharacters in the file name execute arbitrary commands.</p>
  1980. <div id="attachment_112853" style="width: 673px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154915/Biometric_terminal_vulnerabilities_33.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112853" class="size-full wp-image-112853" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154915/Biometric_terminal_vulnerabilities_33.png" alt="Image delete handler" width="663" height="524" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154915/Biometric_terminal_vulnerabilities_33.png 663w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154915/Biometric_terminal_vulnerabilities_33-300x237.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154915/Biometric_terminal_vulnerabilities_33-443x350.png 443w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154915/Biometric_terminal_vulnerabilities_33-354x280.png 354w" sizes="(max-width: 663px) 100vw, 663px" /></a><p id="caption-attachment-112853" class="wp-caption-text">Image delete handler</p></div>
  1981. <p>We wrote PoC scripts to confirm that the vulnerability can be exploited. See below for script output.</p>
  1982. <div id="attachment_112854" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112854" class="size-large wp-image-112854" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35-1024x108.png" alt="PoC script output" width="1024" height="108" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35-1024x108.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35-300x32.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35-768x81.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35-740x78.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35-800x85.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07154957/Biometric_terminal_vulnerabilities_35.png 1332w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112854" class="wp-caption-text">PoC script output</p></div>
  1983. <p>We also found several buffer overflow vulnerabilities caused by unbounded strcpy/sprintf calls and by &#8220;memcpy&#8221; calls whose copy length is never checked against the destination buffer. We use the CMD_CHECKUDISKUPDATEPACKPAGE handler as an example.</p>
  1984. <div id="attachment_112855" style="width: 745px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155057/Biometric_terminal_vulnerabilities_36.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112855" class="size-full wp-image-112855" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155057/Biometric_terminal_vulnerabilities_36.png" alt="CMD_CHECKUDISKUPDATEPACKPAGE handler" width="735" height="305" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155057/Biometric_terminal_vulnerabilities_36.png 735w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155057/Biometric_terminal_vulnerabilities_36-300x124.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155057/Biometric_terminal_vulnerabilities_36-675x280.png 675w" sizes="(max-width: 735px) 100vw, 735px" /></a><p id="caption-attachment-112855" class="wp-caption-text">CMD_CHECKUDISKUPDATEPACKPAGE handler</p></div>
  1985. <p>The vulnerability stems from the handler copying data from the network packet using the length field supplied by the client. The destination buffer is located on the stack and is 1028 bytes long, so a packet declaring a larger payload overruns it. The executable was built without stack overflow protection, so the overrun reaches the saved return address, and an attacker can use it to run a <a href="https://en.wikipedia.org/wiki/Return-oriented_programming" target="_blank" rel="noopener">ROP chain</a> and execute arbitrary code that opens remote access to the device.</p>
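<p>The three handler patterns above (the traversal in CMD_DOWNLOAD_PICTURE, the injection in CMD_DELETE_PICTURE and the unchecked copy in CMD_CHECKUDISKUPDATEPACKPAGE), as an added example rather than code from the firmware: each vulnerable pattern as the article describes it, beside a hardened version. Command names are the article&#8217;s; the picture directory, packet layout, name-length limit and return codes are assumptions, while the 1028-byte stack buffer is the size given in the text.</p>

```c
/* Added example, not the firmware's code: the handler patterns described in
 * this section, with the described vulnerable pattern beside a hardened one.
 * PICTURE_DIR, NAME_MAX_LEN, the packet layout and the return codes are
 * assumptions; UPDATE_BUF_SIZE is the 1028-byte buffer from the text. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PICTURE_DIR      "/mnt/data/pictures"  /* assumed image directory */
#define NAME_MAX_LEN     64u                   /* assumed limit on picture names */
#define UPDATE_BUF_SIZE  1028u                 /* stack buffer size from the text */

/* Packet as modelled here: a client-chosen length followed by payload. */
struct packet { uint16_t len; const uint8_t *data; };

/* Fix for CMD_DOWNLOAD_PICTURE / CMD_DELETE_PICTURE: accept only a bare file
 * name and build the path under PICTURE_DIR ourselves. A separator, "." or
 * "..", any shell metacharacter or an out-of-range length is refused, which
 * closes the traversal and the injection in one place. */
int safe_picture_path(const char *name, char *out, size_t out_len) {
    size_t n = strlen(name);
    if (n == 0 || n >= NAME_MAX_LEN) return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return -1;
    }
    int w = snprintf(out, out_len, "%s/%s", PICTURE_DIR, name);
    return (w < 0 || (size_t)w >= out_len) ? -1 : 0;
}

/* CMD_DELETE_PICTURE as described: the name goes straight into a shell
 * command, so "a.jpg; reboot" reboots the terminal. Never call this with
 * untrusted input; kept only to show the pattern. */
int delete_picture_vulnerable(const char *name) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "rm -f " PICTURE_DIR "/%s", name);
    return system(cmd);
}

/* Hardened delete: no shell at all. 0 = removed, -1 = name rejected,
 * -2 = unlink() failed (for example, no such file). */
int delete_picture(const char *name) {
    char path[512];
    if (safe_picture_path(name, path, sizeof path) != 0) return -1;
    return unlink(path) == 0 ? 0 : -2;
}

/* CMD_CHECKUDISKUPDATEPACKPAGE as described: memcpy with the sender's length
 * into a 1028-byte stack buffer and no check; len > 1028 smashes the stack.
 * Kept only to show the pattern. */
int check_udisk_update_vulnerable(const struct packet *p) {
    uint8_t page[UPDATE_BUF_SIZE];
    memcpy(page, p->data, p->len);
    return page[0];
}

/* Hardened: bound the copy by the destination and reject, rather than
 * silently truncate, an oversized packet. Returns bytes accepted or -1. */
int check_udisk_update(const struct packet *p) {
    uint8_t page[UPDATE_BUF_SIZE];
    if (p->data == NULL || p->len > sizeof page) return -1;
    memcpy(page, p->data, p->len);
    return (int)p->len;
}

/* Helper: feed the hardened handler a constructed packet of `len` zero
 * bytes and report what it does with it. */
int probe_update_handler(size_t len) {
    if (len > UINT16_MAX) return -1;
    uint8_t *buf = calloc(len ? len : 1, 1);
    if (buf == NULL) return -1;
    struct packet p = { (uint16_t)len, buf };
    int r = check_udisk_update(&p);
    free(buf);
    return r;
}

int main(void) {
    printf("traversal name rejected:   %d\n", delete_picture("../../etc/shadow") == -1);
    printf("injection name rejected:   %d\n", delete_picture("a.jpg; reboot") == -1);
    printf("1028-byte packet accepted: %d\n", probe_update_handler(1028) == 1028);
    printf("1029-byte packet rejected: %d\n", probe_update_handler(1029) == -1);
    return 0;
}
```

<p>The name check deliberately refuses rather than sanitizes: stripping &#8220;../&#8221; or quoting for the shell is easy to get wrong, whereas a small allowed character set plus a server-built path closes the traversal, the injection and the unbounded-length problem at once. The SQL injections in the same binary need the same move on the database side, binding values as query parameters instead of concatenating them into the statement.</p>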
  1986. <p>Finally, we discovered SQL injection vulnerabilities virtually everywhere a string value taken from a network packet was concatenated directly into a database query instead of being bound as a parameter.</p>
  1987. <h2 id="pushcomm-analysis">pushcomm analysis</h2>
  1988. <p>As mentioned above, the pushcomm service sends requests to a server specified in the device configuration. To set up the server address, the administrator goes to the &#8220;COMM&#8221; menu and opens &#8220;Cloud Server Setting&#8221;. The administrator defines an IP address to connect to and a port, also enabling other options as required. The screenshots below show the configuration menu.</p>
  1989. <div id="attachment_112856" style="width: 891px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112856" class="size-full wp-image-112856" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37.png" alt="COMM menu" width="881" height="691" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37.png 881w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37-300x235.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37-768x602.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37-446x350.png 446w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37-740x580.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37-357x280.png 357w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155216/Biometric_terminal_vulnerabilities_37-800x627.png 800w" sizes="(max-width: 881px) 100vw, 881px" /></a><p id="caption-attachment-112856" class="wp-caption-text">COMM menu</p></div>
  1990. <div id="attachment_112858" style="width: 898px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112858" class="size-full wp-image-112858" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38.png" alt="Cloud Server Setting menu" width="888" height="772" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38.png 888w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38-300x261.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38-768x668.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38-403x350.png 403w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38-740x643.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38-322x280.png 322w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155337/Biometric_terminal_vulnerabilities_38-800x695.png 800w" sizes="(max-width: 888px) 100vw, 888px" /></a><p id="caption-attachment-112858" class="wp-caption-text">Cloud Server Setting menu</p></div>
  1991. <p>An analysis of the executable showed that it is prone to the same issues as standalonecomm. Exploiting them, however, requires controlling the server the device polls: the attacker must spin up a web server and make the device talk to it, either by changing the cloud server address in the database or in the admin menu, or by redirecting the device&#8217;s traffic on the local network, for example via ARP spoofing.</p>
  1992. <p>Note that one of the pushcomm commands is named &#8220;SHELL&#8221;, and it executes an arbitrary command string on the device.</p>
  1993. <div id="attachment_112859" style="width: 718px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155425/Biometric_terminal_vulnerabilities_39.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112859" class="size-full wp-image-112859" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155425/Biometric_terminal_vulnerabilities_39.png" alt="SHELL handler" width="708" height="235" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155425/Biometric_terminal_vulnerabilities_39.png 708w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155425/Biometric_terminal_vulnerabilities_39-300x100.png 300w" sizes="(max-width: 708px) 100vw, 708px" /></a><p id="caption-attachment-112859" class="wp-caption-text">SHELL handler</p></div>
  1994. <p>All it takes to execute the command is spinning up a web server and implementing the following handler.</p>
  1995. <div id="attachment_112860" style="width: 575px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155502/Biometric_terminal_vulnerabilities_40.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112860" class="size-full wp-image-112860" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155502/Biometric_terminal_vulnerabilities_40.png" alt="Example of a handler to invoke SHELL" width="565" height="216" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155502/Biometric_terminal_vulnerabilities_40.png 565w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155502/Biometric_terminal_vulnerabilities_40-300x115.png 300w" sizes="(max-width: 565px) 100vw, 565px" /></a><p id="caption-attachment-112860" class="wp-caption-text">Example of a handler to invoke SHELL</p></div>
  1996. <p>Overall, there is considerable overlap between pushcomm and standalonecomm code, especially in terms of database queries.</p>
  1997. <h2 id="qr-code-handler-analysis">QR code handler analysis</h2>
  1998. <p>At the beginning of the article, we mentioned that the device authenticated us as a different user when we made it scan a QR code with SQL injection. However, as we analyzed the code, we found that the data a QR code could contain was limited to 20 bytes. That is too short for the <a href="https://portswigger.net/web-security/sql-injection/union-attacks" target="_blank" rel="noopener">UNION and SELECT injections</a> that can be used to obtain arbitrary data from various fields in the database, but still enough to alter the lookup query so that it matches another user. The database query that was generated when the device scanned our malicious QR code (code with SQL injection in our case) is shown in the screenshot below.</p>
  1999. <div id="attachment_112861" style="width: 1028px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112861" class="size-full wp-image-112861" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41.png" alt="Database query when using the QR code" width="1018" height="109" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41.png 1018w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41-300x32.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41-768x82.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41-740x79.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155541/Biometric_terminal_vulnerabilities_41-800x86.png 800w" sizes="(max-width: 1018px) 100vw, 1018px" /></a><p id="caption-attachment-112861" class="wp-caption-text">Database query when using the QR code</p></div>
  2000. <p>We also found that we could make the device reboot by having it scan a QR code that contained a lot of data. Looking at the code, we saw that the routine waiting for camera data treats a failure to receive it within a fixed two-second period as a hardware malfunction and responds by issuing a &#8220;reboot&#8221; command; a QR code that takes longer than that to process trips this check.</p>
  2001. <div id="attachment_112863" style="width: 772px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112863" class="size-full wp-image-112863" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42.png" alt="Camera data wait code" width="762" height="555" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42.png 762w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42-481x350.png 481w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42-740x539.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07155807/Biometric_terminal_vulnerabilities_42-384x280.png 384w" sizes="(max-width: 762px) 100vw, 762px" /></a><p id="caption-attachment-112863" class="wp-caption-text">Camera data wait code</p></div>
  2002. <h2 id="conclusion">Conclusion</h2>
  2003. <p>Biometric devices designed to improve physical security can both offer convenient, useful features and introduce new risks for your IT system. When advanced technology like biometrics is enclosed in a poorly secured device, this all but cancels out the benefits of biometric authentication. Thus, an insufficiently configured terminal becomes vulnerable to simple attacks, making it easy for an intruder to violate the physical security of the organization&#8217;s critical areas.</p>
  2004. <p>Our analysis of the ZKTeco biometric terminal yielded a total of 24 vulnerabilities. Many of those were similar, stemming from an error in the database wrapper library. We generalized these as &#8220;multiple vulnerabilities&#8221; and stated the type and cause, arriving at a smaller number of CVEs.</p>
  2005. <p>In terms of the cold statistics, the results are as follows:</p>
  2006. <ul>
  2007. <li>6 SQL injection vulnerabilities;</li>
  2008. <li>7 stack buffer overflow vulnerabilities;</li>
  2009. <li>5 command injection vulnerabilities;</li>
  2010. <li>4 arbitrary file write vulnerabilities;</li>
  2011. <li>2 arbitrary file read vulnerabilities.</li>
  2012. </ul>
  2013. <p>The descriptions of the vulnerabilities we detected are available in the Kaspersky research team&#8217;s <a href="https://github.com/klsecservices/Advisories" target="_blank" rel="noopener">GitHub repository</a>.</p>
  2014. ]]></content:encoded>
  2015. <wfw:commentRss>https://securelist.com/biometric-terminal-vulnerabilities/112800/feed/</wfw:commentRss>
  2016. <slash:comments>0</slash:comments>
  2017. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185255/sl-biometric-terminal-vulnerabilities-featured-image-01.jpg" width="2523" height="1584"><media:keywords>full</media:keywords></media:content>
  2018. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185255/sl-biometric-terminal-vulnerabilities-featured-image-01-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  2019. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185255/sl-biometric-terminal-vulnerabilities-featured-image-01-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  2020. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10185255/sl-biometric-terminal-vulnerabilities-featured-image-01-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  2021. </item>
  2022. <item>
  2023. <title>Bypassing 2FA with phishing and OTP bots</title>
  2024. <link>https://securelist.com/2fa-phishing/112805/</link>
  2025. <comments>https://securelist.com/2fa-phishing/112805/#comments</comments>
  2026. <dc:creator><![CDATA[Olga Svistunova]]></dc:creator>
  2027. <pubDate>Mon, 10 Jun 2024 10:00:04 +0000</pubDate>
  2028. <category><![CDATA[Spam and phishing]]></category>
  2029. <category><![CDATA[2FA]]></category>
  2030. <category><![CDATA[Data theft]]></category>
  2031. <category><![CDATA[OTP bots]]></category>
  2032. <category><![CDATA[Phishing]]></category>
  2033. <category><![CDATA[Phishing kits]]></category>
  2034. <category><![CDATA[Spam and Phishing]]></category>
  2035. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112805</guid>
  2036.  
  2037. <description><![CDATA[Explaining how scammers use phishing and OTP bots to gain access to accounts protected with 2FA.]]></description>
  2038. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10095451/sl-robot_talking_at_smartphone_purple_background-1200x753-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  2039. <p>Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today&#8217;s websites offer some form of it, and some of them won&#8217;t even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain types of organizations to protect users&#8217; accounts with 2FA.</p>
  2040. <p>Unfortunately, its popularity has spurred on the development of many methods to hack or bypass it that keep evolving and adapting to current realities. The particular hack scheme depends on the type of 2FA that it targets. Although there are quite a few 2FA varieties, most implementations rely on one-time passwords (OTPs) that the user can get via a text message, voice call, email message, instant message from the website&#8217;s official bot or push notification from a mobile app. These are the kind of codes that most online scammers are after.</p>
  2041. <p>Malicious actors can obtain OTPs in a variety of ways including complex, multi-stage hacks. This article examines methods that rely on social engineering, where attackers manipulate the victim into giving away the OTP, and tools that they use to automate the manipulations: so-called OTP bots and administration panels to control <a href="https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/" target="_blank" rel="noopener">phishing kits</a>.</p>
  2042. <h2 id="what-is-an-otp-bot">What is an OTP bot?</h2>
  2043. <p>The use of OTP bots to bypass 2FA is a relatively recent online scam trend that poses a major threat to both users and online services. An OTP bot is a piece of software that obtains OTPs from victims by social engineering rather than by technically intercepting them: it automates the phone call that talks the victim into revealing the code.</p>
  2044. <p>A typical scam pattern that uses an OTP bot to steal 2FA codes consists of the following steps:</p>
  2045. <ol>
  2046. <li>The attacker gets hold of the victim&#8217;s credentials and uses these to sign in to their account;</li>
  2047. <li>The victim gets an OTP on their phone;</li>
  2048. <li>The OTP bot calls the victim and follows a script prepared in advance to talk them into sharing the code;</li>
  2049. <li>The victim punches in the verification code on their phone without interrupting the call;</li>
  2050. <li>The attacker receives the code through their administration panel or a Telegram bot;</li>
  2051. <li>The attacker gains access to the victim&#8217;s account by entering the OTP on the website.</li>
  2052. </ol>
  2053. <p>As you can see, the OTP bot&#8217;s key task is to call the victim. It is calls that scammers count on, as verification codes are only valid for a limited time. Whereas a message may stay unanswered for a while, calling the user increases the chances of getting the code. A phone call is also an opportunity to try and produce the desired effect on the victim with the tone of voice.</p>
  2054. <p>Bot functionality ranges from a single script targeting the users of one organization to a highly tunable configuration with a wide range of scripts that lets scammers replace an entire call center with bots. Bot developers compete on feature sets, pricing their products accordingly.</p>
  2055. <p>For example, one OTP bot boasts more than a dozen features including 24/7 technical support, scripts in a variety of languages, female as well as male voices available and phone spoofing.</p>
  2056. <div id="attachment_112879" style="width: 935px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112879" class="size-full wp-image-112879" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01.png" alt="A list of features offered by a certain OTP bot" width="925" height="813" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01.png 925w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01-300x264.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01-768x675.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01-398x350.png 398w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01-740x650.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01-319x280.png 319w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171521/OTP_bots_01-800x703.png 800w" sizes="(max-width: 925px) 100vw, 925px" /></a><p id="caption-attachment-112879" class="wp-caption-text">A list of features offered by a certain OTP bot</p></div>
<p>OTP bots are typically managed via a dedicated browser-based panel or a Telegram bot. Let&#8217;s look at an example of how a bot is run via Telegram.</p>
  2058. <ol>
  2059. <li>You start by buying a subscription. There are several options depending on the included features. The cheapest plan will set you back 140 US dollars per week, and the most expensive one, 420 US dollars per week. The bot accepts payments in cryptocurrency only.
  2060. <div id="attachment_112880" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112880" class="size-large wp-image-112880" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-1024x715.jpeg" alt="Available OTP bot subscription plans" width="1024" height="715" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-1024x715.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-300x209.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-768x536.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-501x350.jpeg 501w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-740x517.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-401x280.jpeg 401w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02-800x559.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171552/OTP_bots_02.jpeg 1080w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112880" class="wp-caption-text">Available OTP bot subscription plans</p></div></li>
  2061. <li>After you have paid for a subscription, you are granted access to set up your first call. You typically do this after you get hold of the victim&#8217;s account credentials but before attempting to sign in to their account. First off, the scammer chooses what kind of organization they want the bot to impersonate.<br />
  2062. The specimen at hand offers a variety of categories: banks, payment systems, online stores, cloud services, delivery services, cryptoexchanges and email services. While a call from the bank is something the victim might expect, a call from a cloud storage or email provider is not what we&#8217;d describe as completely normal. Yet, social engineering can be used to talk the victim into giving away a code provided by any type of organization.<br />
The large number of available categories is admittedly more a marketing gimmick than anything else: scammers may be more inclined to pay for an OTP bot that offers more options. Most often, bots are used to bypass the 2FA required by financial organizations.</p>
  2064. <div id="attachment_112881" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112881" class="size-large wp-image-112881" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-1024x966.jpeg" alt="Organization category options" width="1024" height="966" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-1024x966.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-300x283.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-768x725.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-371x350.jpeg 371w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-740x698.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-297x280.jpeg 297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03-800x755.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171707/OTP_bots_03.jpeg 1080w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112881" class="wp-caption-text">Organization category options</p></div></li>
  2065. <li>After selecting a category, you have to manually specify the name of the organization for the bot to impersonate.
  2066. <div id="attachment_112882" style="width: 994px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112882" class="size-large wp-image-112882" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-984x1024.jpeg" alt="Manual entry of the bank name" width="984" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-984x1024.jpeg 984w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-288x300.jpeg 288w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-768x800.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-336x350.jpeg 336w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-740x770.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-269x280.jpeg 269w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04-800x833.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171740/OTP_bots_04.jpeg 1071w" sizes="(max-width: 984px) 100vw, 984px" /></a><p id="caption-attachment-112882" class="wp-caption-text">Manual entry of the bank name</p></div></li>
  2067. <li>Next, you need to provide the name of the victim that you want the bot to call. This serves to personalize the call.
  2068. <div id="attachment_112883" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112883" class="size-large wp-image-112883" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-1024x962.jpeg" alt="Manual entry of the victim's name" width="1024" height="962" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-1024x962.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-300x282.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-768x721.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-373x350.jpeg 373w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-740x695.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-298x280.jpeg 298w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05-800x752.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171808/OTP_bots_05.jpeg 1073w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112883" class="wp-caption-text">Manual entry of the victim&#8217;s name</p></div></li>
  2069. <li>The next step is an essential one: the scammer adds the victim&#8217;s phone number to make the call possible.
  2070. <div id="attachment_112884" style="width: 932px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112884" class="size-large wp-image-112884" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-922x1024.jpeg" alt="Manual entry of the victim's phone number" width="922" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-922x1024.jpeg 922w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-270x300.jpeg 270w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-768x853.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-315x350.jpeg 315w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-740x822.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-252x280.jpeg 252w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06-800x889.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171842/OTP_bots_06.jpeg 1035w" sizes="(max-width: 922px) 100vw, 922px" /></a><p id="caption-attachment-112884" class="wp-caption-text">Manual entry of the victim&#8217;s phone number</p></div></li>
<li>The scammer can optionally provide the last four digits of the victim&#8217;s bank card number if they know them. This helps win the victim&#8217;s trust: after all, how would the caller know those digits unless they were a bank employee?
  2072. <div id="attachment_112885" style="width: 852px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112885" class="size-large wp-image-112885" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-842x1024.jpeg" alt="The option to add the last four digits of the victim's card number" width="842" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-842x1024.jpeg 842w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-247x300.jpeg 247w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-768x935.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-288x350.jpeg 288w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-740x900.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07-230x280.jpeg 230w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171912/OTP_bots_07.jpeg 964w" sizes="(max-width: 842px) 100vw, 842px" /></a><p id="caption-attachment-112885" class="wp-caption-text">The option to add the last four digits of the victim&#8217;s card number</p></div></li>
  2073. <li>Once all the details have been filled in, you can customize the call through advanced options.
  2074. <div id="attachment_112886" style="width: 725px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112886" class="size-large wp-image-112886" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-715x1024.jpeg" alt="Advanced call options" width="715" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-715x1024.jpeg 715w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-210x300.jpeg 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-768x1100.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-244x350.jpeg 244w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-698x1000.jpeg 698w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-196x280.jpeg 196w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08-629x900.jpeg 629w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07171948/OTP_bots_08.jpeg 894w" sizes="(max-width: 715px) 100vw, 715px" /></a><p id="caption-attachment-112886" class="wp-caption-text">Advanced call options</p></div>
  2075. <ul>
<li>You can turn on caller ID spoofing, too, but you&#8217;ll need the official phone number of the organization the OTP bot is set up to impersonate: this is the number displayed on the victim&#8217;s phone when the call comes in. Without this feature, the bot calls from a random number.
  2077. <div id="attachment_112887" style="width: 938px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112887" class="size-large wp-image-112887" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-928x1024.jpeg" alt="The option to specify the organization's official phone number" width="928" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-928x1024.jpeg 928w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-272x300.jpeg 272w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-768x848.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-317x350.jpeg 317w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-740x817.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-254x280.jpeg 254w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09-800x883.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172023/OTP_bots_09.jpeg 1080w" sizes="(max-width: 928px) 100vw, 928px" /></a><p id="caption-attachment-112887" class="wp-caption-text">The option to specify the organization&#8217;s official phone number</p></div></li>
<li>You can also select the language the bot uses when talking to the victim. The bot lets you choose from 12 languages belonging to different language groups.
  2079. <div id="attachment_112888" style="width: 688px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112888" class="size-large wp-image-112888" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-678x1024.jpeg" alt="Language selection" width="678" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-678x1024.jpeg 678w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-199x300.jpeg 199w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-768x1161.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-232x350.jpeg 232w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-662x1000.jpeg 662w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-185x280.jpeg 185w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10-596x900.jpeg 596w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172054/OTP_bots_10.jpeg 847w" sizes="(max-width: 678px) 100vw, 678px" /></a><p id="caption-attachment-112888" class="wp-caption-text">Language selection</p></div></li>
  2080. <li>After the scammer selects a language, the bot offers to choose a voice. All of the voices are AI-generated, and you can choose a female or male one. Six regional varieties are available for English: U.S., British, New Zealand, Australian, Indian and South African.
  2081. <div id="attachment_112889" style="width: 228px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172123/OTP_bots_11.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112889" class="size-large wp-image-112889" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172123/OTP_bots_11-218x1024.jpeg" alt="Voice selection" width="218" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172123/OTP_bots_11-218x1024.jpeg 218w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172123/OTP_bots_11-64x300.jpeg 64w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172123/OTP_bots_11-213x1000.jpeg 213w" sizes="(max-width: 218px) 100vw, 218px" /></a><p id="caption-attachment-112889" class="wp-caption-text">Voice selection</p></div></li>
<li>The bot lets you make a test call to a disposable number from the attacker&#8217;s pool.</li>
<li>The bot can also detect when the call is redirected to voicemail, and hangs up if it is.</li>
<li>The OTP bot in question supports custom scripts. In other words, the scammer can import their own scripts imitating organizations that are not among the options offered by the bot. The bot voices these custom scripts, which you supply while setting up the call.</li>
  2085. </ul>
  2086. </li>
  2087. <li>The last step is making the call with the set options.</li>
  2088. </ol>
  2089. <h3 id="interesting-options-offered-by-other-otp-bots">Interesting options offered by other OTP bots</h3>
  2090. <p>As mentioned above, functionality varies from bot to bot. Besides what we&#8217;ve already explored, we have seen several advanced features with other OTP bots, listed below.</p>
  2091. <ul>
  2092. <li>Sending a text message as a heads-up about the impending call from an employee of a certain company. This is a subtle psychological trick aimed at gaining the victim&#8217;s trust: promise and then deliver. Furthermore, a disturbing message might leave the victim waiting anxiously for the call.</li>
  2093. <li>Asking for other details during the call, besides the OTP. These may include the card number and expiry date, CVV, PIN, date of birth, social security number, and so on.</li>
  2094. </ul>
  2095. <h3 id="how-scammers-get-the-victims-credentials">How scammers get the victim&#8217;s credentials</h3>
  2096. <p>Since the bot is designed for stealing 2FA codes, it only makes sense to employ it if the scammer already has some of the victim&#8217;s personal details: the login and password for their account as well as a phone number at least, and their full name, address, bank card details, email address and date of birth at most. Scammers may get this information in several ways:</p>
  2097. <ul>
  2098. <li>From personal data leaked online;</li>
  2099. <li>From datasets purchased on the dark web;</li>
  2100. <li>Through phishing websites.</li>
  2101. </ul>
  2102. <p>Phishing is typically how they get the most up-to-date credentials. Scammers will often want to save time and effort by harvesting as much information as possible during a single attack. We have come across many phishing kits targeting seemingly unrelated types of personal data.</p>
  2103. <p>A kit may target a bank, but once the victim enters their login and password, they will be asked to provide their email address and the corresponding password. Equipped with that data and armed with an OTP bot, the scammer may be able to hack at least two of the victim&#8217;s accounts, and if the victim uses their email for authenticating with other websites, the scammer can inflict even more damage.</p>
  2104. <div id="attachment_112890" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112890" class="size-large wp-image-112890" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-1024x700.png" alt="A sign-in form that imitates an online bank" width="1024" height="700" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-1024x700.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-300x205.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-768x525.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-512x350.png 512w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-740x506.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-410x280.png 410w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12-800x547.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172155/OTP_bots_12.png 1312w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112890" class="wp-caption-text">A sign-in form that imitates an online bank</p></div>
  2105. <div id="attachment_112891" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112891" class="size-large wp-image-112891" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-1024x689.png" alt="A sign-in form that imitates an email service" width="1024" height="689" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-1024x689.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-300x202.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-768x517.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-520x350.png 520w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-740x498.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-416x280.png 416w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13-800x538.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172219/OTP_bots_13.png 1294w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112891" class="wp-caption-text">A sign-in form that imitates an email service</p></div>
  2106. <h2 id="phishing-in-real-time">Phishing in real time</h2>
<p>We have written about <a href="https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/" target="_blank" rel="noopener">phishing kits</a> that are controlled via administration panels. As 2FA grew in popularity, the creators of phishing kits extended their admin panels with functionality to intercept OTPs. This lets scammers receive their victims&#8217; personal data in real time and use it immediately, while the code is still valid.</p>
  2108. <p>These are multi-stage phishing attacks typically composed of the following steps.</p>
  2109. <ol>
  2110. <li>The victim receives a message from, say, a bank, requesting that they update their account details. The message contains a link to a phishing website.</li>
  2111. <li>The victim opens the link and enters their login and password. The scammer receives this data through Telegram and the administration panel. They try to use these details to sign in to the victim&#8217;s account on the official bank website.
  2112. <div id="attachment_112892" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112892" class="size-large wp-image-112892" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-1024x498.png" alt="Phishing site that imitates the online bank sign-in page" width="1024" height="498" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-1024x498.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-300x146.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-768x374.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-719x350.png 719w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-740x360.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-575x280.png 575w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14-800x389.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172251/OTP_bots_14.png 1498w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112892" class="wp-caption-text">Phishing site that imitates the online bank sign-in page</p></div></li>
  2113. <li>The bank sends the victim an OTP for additional verification. The scammer uses their admin panel to display an OTP entry form on the phishing site. They will be able to sign in to the victim&#8217;s real account once they get that verification code.
  2114. <div id="attachment_112893" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112893" class="size-large wp-image-112893" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-1024x513.png" alt="Fake OTP entry form" width="1024" height="513" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-1024x513.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-300x150.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-768x385.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-1200x600.png 1200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-699x350.png 699w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-740x371.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-559x280.png 559w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15-800x401.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172321/OTP_bots_15.png 1286w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112893" class="wp-caption-text">Fake OTP entry form</p></div></li>
  2115. <li>The scammer may ask the victim for more details, which they might need for further activities in the victim&#8217;s account. Most banks require their clients to provide additional personal details to confirm transactions they detect as suspicious. These details may include the house number, secret word, passport number, and so on.
  2116. <div id="attachment_112894" style="width: 502px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172350/OTP_bots_16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112894" class="size-full wp-image-112894" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172350/OTP_bots_16.png" alt="Admin panel options for requesting further personal details" width="492" height="725" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172350/OTP_bots_16.png 492w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172350/OTP_bots_16-204x300.png 204w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172350/OTP_bots_16-238x350.png 238w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172350/OTP_bots_16-190x280.png 190w" sizes="(max-width: 492px) 100vw, 492px" /></a><p id="caption-attachment-112894" class="wp-caption-text">Admin panel options for requesting further personal details</p></div></li>
  2117. <li>The scammer then tells the user that their personal details have been confirmed. In reality, the details have been saved in the scammer&#8217;s admin panel, and they can immediately use this information to start siphoning off funds from the victim&#8217;s account.
  2118. <div id="attachment_112895" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112895" class="size-large wp-image-112895" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-1024x286.png" alt="The scammer's admin panel displaying the data received from the victim" width="1024" height="286" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-1024x286.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-300x84.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-768x215.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-1536x430.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-1252x350.png 1252w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-740x207.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-1001x280.png 1001w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17-800x224.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07172419/OTP_bots_17.png 1577w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112895" class="wp-caption-text">The scammer&#8217;s admin panel displaying the data received from the victim</p></div></li>
  2119. </ol>
  2120. <h2 id="statistics">Statistics</h2>
  2121. <p>Our bank phishing kit detection statistics can help form an assessment of potential damage done by OTP bots. In May 2024, our products prevented 69,984 attempts at visiting sites generated by this type of phishing kits.</p>
  2122. <div class="js-infogram-embed" data-id="_/iA0uc8xZVxFBHS2JqCF5" data-type="interactive" data-title="02 EN-RU-ES OTP bots diagrams" style="min-height:;"></div>
  2123. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Detection statistics for phishing kits targeting banks, May 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07232154/02-en-ru-es-otp-bots-diagrams.png" target="_blank" rel="noopener">download</a>)</em></p>
  2124. <p>As we researched the subject, we also closely examined 10 multi-purpose phishing kits used for real-time interception of OTPs. In May 2024, our technology detected 1262 phishing pages generated by the kits in question.</p>
  2125. <div class="js-infogram-embed" data-id="_/cB2SFH95WORwTZY8FEn1" data-type="interactive" data-title="01 EN-RU-ES OTP bots diagrams" style="min-height:;"></div>
  2126. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Detection statistics for multi-purpose phishing kits, May 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/07232127/01-en-ru-es-otp-bots-diagrams.png" target="_blank" rel="noopener">download</a>)</em></p>
  2127. <p>The peak level during the first week of the month coincides with a surge in activity by one of the phishing kits.</p>
  2128. <h2 id="takeaways">Takeaways</h2>
  2129. <p>While 2FA is a popular way of adding account protection, it, too, can be bypassed. Scammers steal verification codes using various techniques and technologies, such as OTP bots and multi-purpose phishing kits that they control in real time with the help of administration panels. In both cases, the crucial factor is the user agreeing to enter the one-time code, either on the phishing page or during a call with the OTP bot. To protect your accounts from scammers, follow the best practices outlined below.</p>
  2130. <ul>
  2131. <li>Avoid opening links you receive in suspicious email messages. If you need to sign in to your account with the organization, type in the address manually or use a bookmark.</li>
  2132. <li>Make sure the website address is correct and contains no typos before you enter your credentials there. Use <a href="https://www.techopedia.com/definition/2469/whois" target="_blank" rel="noopener">Whois</a> to check on the website: if it was registered recently, chances are this is a scam site.</li>
  2133. <li>Do not read out or type in the one-time code while you&#8217;re on the phone, no matter how convincing the caller sounds. Real banks and other companies never use this method to verify the identity of their clients.</li>
  2134. <li>Use a <a href="https://www.kaspersky.com/premium" target="_blank" rel="noopener">reliable security solution</a> that blocks phishing pages.</li>
  2135. </ul>
  2136. ]]></content:encoded>
  2137. <wfw:commentRss>https://securelist.com/2fa-phishing/112805/feed/</wfw:commentRss>
  2138. <slash:comments>2</slash:comments>
  2139. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10095451/sl-robot_talking_at_smartphone_purple_background-1200x753-1.jpg" width="1200" height="753"><media:keywords>full</media:keywords></media:content>
  2140. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10095451/sl-robot_talking_at_smartphone_purple_background-1200x753-1-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  2141. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10095451/sl-robot_talking_at_smartphone_purple_background-1200x753-1-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  2142. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/06/10095451/sl-robot_talking_at_smartphone_purple_background-1200x753-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  2143. </item>
  2144. <item>
  2145. <title>IT threat evolution in Q1 2024. Mobile statistics</title>
  2146. <link>https://securelist.com/it-threat-evolution-q1-2024-mobile-statistics/112750/</link>
  2147. <comments>https://securelist.com/it-threat-evolution-q1-2024-mobile-statistics/112750/#respond</comments>
  2148. <dc:creator><![CDATA[Anton Kivva]]></dc:creator>
  2149. <pubDate>Mon, 03 Jun 2024 10:00:46 +0000</pubDate>
  2150. <category><![CDATA[Malware reports]]></category>
  2151. <category><![CDATA[Google Android]]></category>
  2152. <category><![CDATA[Malware Descriptions]]></category>
  2153. <category><![CDATA[Malware Statistics]]></category>
  2154. <category><![CDATA[Mobile Malware]]></category>
  2155. <category><![CDATA[Ransomware]]></category>
  2156. <category><![CDATA[Trojan Banker]]></category>
  2157. <category><![CDATA[Mobile threats]]></category>
  2158. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112750</guid>
  2159.  
  2160. <description><![CDATA[Mobile malware statistics for Q1 2024: most common threats for Android, mobile banking Trojans, and ransomware Trojans.]]></description>
  2161. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31174622/sl-spider-monster-malware-magenta-1200x675-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><a href="https://securelist.com/it-threat-evolution-q1-2024/112742/" target="_blank" rel="noopener">IT threat evolution Q1 2024</a><br />
  2162. <strong>IT threat evolution Q1 2024. Mobile statistics</strong><br />
  2163. <a href="https://securelist.com/it-threat-evolution-q1-2024-pc-statistics/112754/" target="_blank" rel="noopener">IT threat evolution Q1 2024. Non-mobile statistics</a></p>
  2164. <h2 id="quarterly-figures">Quarterly figures</h2>
  2165. <p>According to Kaspersky Security Network, in Q1 2024:</p>
  2166. <ul>
  2167. <li>10.1 million attacks using malware, adware, or unwanted mobile software were blocked.</li>
  2168. <li>The most common threat to mobile devices was adware: 46% of all threats detected.</li>
  2169. <li>Over 389,000 malicious installation packages were detected, of which:
  2170. <ul>
  2171. <li>11,729 packages were related to mobile banking Trojans,</li>
  2172. <li>1,990 packages were mobile ransomware Trojans.</li>
  2173. </ul>
  2174. </li>
  2175. </ul>
  2176. <h2 id="quarterly-highlights">Quarterly highlights</h2>
  2177. <p>The number of attacks using malware, adware, or unwanted software on mobile devices increased compared to the same period last year, but dropped slightly against Q4, to 10,100,510.</p>
  2178. <div class="js-infogram-embed" data-id="_/5Sg43u7r5808hNh1S6x4" data-type="interactive" data-title="01 EN-RU-ES Malware report Q1 2024 mobile graphs" style="min-height:;"></div>
  2179. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of attacks targeting users of Kaspersky mobile solutions, Q3 2022–Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31160124/01-en-ru-es-malware-report-q1-2024-mobile-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  2180. <p>The rapid growth in the total number of attacks between Q2 and Q4 2023 is primarily attributed to the surge in adware and Trojan activity, which roughly doubled in absolute terms during this period. However, other types of malicious and unwanted apps also increased their activity, so the distribution of threats by type showed no dramatic swings.</p>
  2181. <p>In Q1, the number of WhatsApp modification attacks continued to grow. For example, we found Trojan-Spy.AndroidOS.Agent.ahu, a Trojan hidden inside a WhatsApp mod, that steals encrypted messenger databases along with their decryption keys. Another malicious WhatsApp mod, Trojan-Downloader.AndroidOS.Agent.ms, is capable of downloading and installing arbitrary software. According to our statistics, this Trojan came pre-installed on some devices.</p>
  2182. <p>We also discovered a <a href="https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/" target="_blank" rel="noopener">noteworthy banking Trojan</a> targeting users in Korea. When installed, it displays a notification claiming the app is unavailable and will be removed:</p>
  2183. <div id="attachment_112752" style="width: 453px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/30155817/Malware_report_Q1_2024_mobile.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112752" class="size-full wp-image-112752" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/30155817/Malware_report_Q1_2024_mobile.jpeg" alt="SoumniBot notification stating the app is unavailable" width="443" height="737" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/30155817/Malware_report_Q1_2024_mobile.jpeg 443w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/30155817/Malware_report_Q1_2024_mobile-180x300.jpeg 180w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/30155817/Malware_report_Q1_2024_mobile-210x350.jpeg 210w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/30155817/Malware_report_Q1_2024_mobile-168x280.jpeg 168w" sizes="(max-width: 443px) 100vw, 443px" /></a><p id="caption-attachment-112752" class="wp-caption-text">SoumniBot notification stating the app is unavailable</p></div>
  2184. <p>In reality, the app hides its icon and continues to operate in the background, stealing text messages, contacts, photos, and even online banking digital certificates. To conceal the malicious code and hinder analysis, threat actors exploited numerous bugs and flaws in the Android OS code responsible for parsing the app package. This enabled them to create files that successfully install on the device, but cause many analysis tools, including official Google utilities, to go haywire.</p>
  2185. <h2 id="mobile-threat-statistics">Mobile threat statistics</h2>
  2186. <p>The number of detected samples of Android malware and unwanted software fell in Q4 2023 and climbed again in Q1 2024, reaching 389,178 installation packages.</p>
  2187. <div class="js-infogram-embed" data-id="_/mlDRHBbXniBYxLTgOLLt" data-type="interactive" data-title="02 EN-RU-ES Malware report Q1 2024 mobile graphs" style="min-height:;"></div>
  2188. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of detected malicious and unwanted installation packages, Q1 2023 – Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31160453/02-en-ru-es-malware-report-q1-2024-mobile-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  2189. <p>The distribution of detected packages by type underwent no significant changes, but the number of Trojan droppers increased noticeably (by 8.76 p.p.). This sharp increase in their share is linked primarily to the activity of the Wroba family, commonly employed to deliver banking Trojans in countries in the Asia-Pacific region.</p>
  2190. <div class="js-infogram-embed" data-id="_/XUk8BRbPO5SPJUhaCIUT" data-type="interactive" data-title="03 EN Malware report Q1 2024 mobile graphs" style="min-height:;"></div>
  2191. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of detected mobile apps by type, Q4 2023* and Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31160532/03-en-malware-report-q1-2024-mobile-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  2192. <p><em>* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.</em></p>
  2193. <p>The most common threats remained adware (46.16%) and RiskTool-type unwanted apps (21.27%). The most prevalent adware families were BrowserAd (28.5% of all adware), Adlo (15.3%), and HiddenAd (12.65%).</p>
  2194. <div class="js-infogram-embed" data-id="_/zZIsD5vOshg8mpfkbY5l" data-type="interactive" data-title="04 EN-RU-ES Malware report Q1 2024 mobile graphs" style="min-height:;"></div>
  2195. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Share* of users attacked by the given type of malicious or unwanted software out of all targeted users of Kaspersky mobile products (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31160608/04-en-ru-es-malware-report-q1-2024-mobile-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  2196. <p><em>*The sum may exceed 100% if the same users encountered multiple attack types.</em></p>
  2197. <p>The HiddenAd (60.5%), Adlo (17.5%), and TimeWaste (7.5%) adware families attacked the most users. At the same time, the Triada adware Trojan, mentioned in our previous report and distributed in WhatsApp mods, accounts for an increasingly large share of attacks by Trojan-type malware (35.7%).</p>
  2198. <h2 id="top-20-mobile-malware-programs">Top 20 mobile malware programs</h2>
  2199. <p><em>Note that the malware rankings below exclude riskware or potentially unwanted software, such as RiskTool or adware.</em></p>
  2200. <table width="100%">
  2201. <tbody>
  2202. <tr>
  2203. <td width="40%"><strong>Verdict</strong></td>
  2204. <td width="15%"><strong>%* in Q4 2023</strong></td>
  2205. <td width="15%"><strong>%* in Q1 2024</strong></td>
  2206. <td width="15%"><strong>Difference in p.p.</strong></td>
  2207. <td width="15%"><strong>Change in ranking</strong></td>
  2208. </tr>
  2209. <tr>
  2210. <td>Trojan.AndroidOS.Triada.fd</td>
  2211. <td>2.79</td>
  2212. <td>10.38</td>
  2213. <td><span style="color: #00b050">+7.59</span></td>
  2214. <td><span style="color: #00b050">+11</span></td>
  2215. </tr>
  2216. <tr>
  2217. <td>DangerousObject.Multi.Generic.</td>
  2218. <td>8.76</td>
  2219. <td>9.82</td>
  2220. <td><span style="color: #00b050">+1.07</span></td>
  2221. <td>0</td>
  2222. </tr>
  2223. <tr>
  2224. <td>Trojan.AndroidOS.Fakemoney.v</td>
  2225. <td>6.25</td>
  2226. <td>8.60</td>
  2227. <td><span style="color: #00b050">+2.35</span></td>
  2228. <td><span style="color: #00b050">+1</span></td>
  2229. </tr>
  2230. <tr>
  2231. <td>Trojan.AndroidOS.Boogr.gsh</td>
  2232. <td>5.28</td>
  2233. <td>6.62</td>
  2234. <td><span style="color: #00b050">+1.34</span></td>
  2235. <td><span style="color: #00b050">+2</span></td>
  2236. </tr>
  2237. <tr>
  2238. <td>Trojan.AndroidOS.Triada.ga</td>
  2239. <td>0.00</td>
  2240. <td>5.66</td>
  2241. <td><span style="color: #00b050">+5.66</span></td>
  2242. <td></td>
  2243. </tr>
  2244. <tr>
  2245. <td>Trojan-Downloader.AndroidOS.Dwphon.a</td>
  2246. <td>1.85</td>
  2247. <td>5.26</td>
  2248. <td><span style="color: #00b050">+3.41</span></td>
  2249. <td><span style="color: #00b050">+13</span></td>
  2250. </tr>
  2251. <tr>
  2252. <td>Trojan.AndroidOS.Fakemoney.bj</td>
  2253. <td>0.00</td>
  2254. <td>4.26</td>
  2255. <td><span style="color: #00b050">+4.26</span></td>
  2256. <td></td>
  2257. </tr>
  2258. <tr>
  2259. <td>DangerousObject.AndroidOS.GenericML.</td>
  2260. <td>1.99</td>
  2261. <td>3.83</td>
  2262. <td><span style="color: #00b050">+1.84</span></td>
  2263. <td><span style="color: #00b050">+9</span></td>
  2264. </tr>
  2265. <tr>
  2266. <td>Trojan-Spy.AndroidOS.SpyNote.bz</td>
  2267. <td>1.03</td>
  2268. <td>3.52</td>
  2269. <td><span style="color: #00b050">+2.48</span></td>
  2270. <td><span style="color: #00b050">+18</span></td>
  2271. </tr>
  2272. <tr>
  2273. <td>Trojan.AndroidOS.Sheetfit.d</td>
  2274. <td>0.00</td>
  2275. <td>2.42</td>
  2276. <td><span style="color: #00b050">+2.42</span></td>
  2277. <td></td>
  2278. </tr>
  2279. <tr>
  2280. <td>Trojan.AndroidOS.Triada.ex</td>
  2281. <td>7.23</td>
  2282. <td>2.42</td>
  2283. <td><span style="color: #9c0006">-4.81</span></td>
  2284. <td><span style="color: #9c0006">-8</span></td>
  2285. </tr>
  2286. <tr>
  2287. <td>Trojan-Downloader.AndroidOS.Agent.mm</td>
  2288. <td>3.51</td>
  2289. <td>2.12</td>
  2290. <td><span style="color: #9c0006">-1.39</span></td>
  2291. <td><span style="color: #9c0006">-1</span></td>
  2292. </tr>
  2293. <tr>
  2294. <td>Trojan-Dropper.AndroidOS.Agent.sm</td>
  2295. <td>1.08</td>
  2296. <td>2.09</td>
  2297. <td><span style="color: #00b050">+1.01</span></td>
  2298. <td><span style="color: #00b050">+13</span></td>
  2299. </tr>
  2300. <tr>
  2301. <td>Trojan.AndroidOS.Generic.</td>
  2302. <td>2.22</td>
  2303. <td>2.08</td>
  2304. <td><span style="color: #9c0006">-0.14</span></td>
  2305. <td><span style="color: #00b050">+2</span></td>
  2306. </tr>
  2307. <tr>
  2308. <td>Trojan.AndroidOS.Piom.baiu</td>
  2309. <td>0.80</td>
  2310. <td>1.95</td>
  2311. <td><span style="color: #00b050">+1.15</span></td>
  2312. <td><span style="color: #00b050">+16</span></td>
  2313. </tr>
  2314. <tr>
  2315. <td>Trojan-Dropper.AndroidOS.Badpack.g</td>
  2316. <td>2.57</td>
  2317. <td>1.87</td>
  2318. <td><span style="color: #9c0006">-0.70</span></td>
  2319. <td><span style="color: #9c0006">-3</span></td>
  2320. </tr>
  2321. <tr>
  2322. <td>Backdoor.AndroidOS.Mirai.b</td>
  2323. <td>5.32</td>
  2324. <td>1.76</td>
  2325. <td><span style="color: #9c0006">-3.56</span></td>
  2326. <td><span style="color: #9c0006">-12</span></td>
  2327. </tr>
  2328. <tr>
  2329. <td>Trojan-Spy.AndroidOS.CanesSpy.a</td>
  2330. <td>5.10</td>
  2331. <td>1.67</td>
  2332. <td><span style="color: #9c0006">-3.42</span></td>
  2333. <td><span style="color: #9c0006">-11</span></td>
  2334. </tr>
  2335. <tr>
  2336. <td>Trojan.AndroidOS.Triada.et</td>
  2337. <td>3.58</td>
  2338. <td>1.66</td>
  2339. <td><span style="color: #9c0006">-1.92</span></td>
  2340. <td><span style="color: #9c0006">-9</span></td>
  2341. </tr>
  2342. <tr>
  2343. <td>Trojan.AndroidOS.Triada.ey</td>
  2344. <td>4.33</td>
  2345. <td>1.55</td>
  2346. <td><span style="color: #9c0006">-2.79</span></td>
  2347. <td><span style="color: #9c0006">-11</span></td>
  2348. </tr>
  2349. </tbody>
  2350. </table>
  2351. <p><em>* Unique users who encountered this malware as a percentage of all attacked users of Kaspersky mobile solutions.</em></p>
  2352. <p>The generalized cloud verdict DangerousObject.Multi.Generic yielded the top spot in the ranking of the most common malicious apps to the WhatsApp modification Trojan.AndroidOS.Triada.fd. Next comes Fakemoney, a Trojan that scams users out of personal data by promising easy money in return. Interestingly, Dwphon also made it into the Top 20. Pre-installed on some devices, this Trojan collects the personal data of the device owner and can download arbitrary apps without the user&#8217;s knowledge.</p>
  2353. <h2 id="region-specific-malware">Region-specific malware</h2>
  2354. <p>This section describes malware whose activity is concentrated in specific countries.</p>
  2355. <table width="100%">
  2356. <tbody>
  2357. <tr>
  2358. <td width="40%"><strong>Verdict</strong></td>
  2359. <td width="30%"><strong>Country*</strong></td>
  2360. <td width="30%"><strong>%**</strong></td>
  2361. </tr>
  2362. <tr>
  2363. <td>Trojan-Banker.AndroidOS.Agent.nw</td>
  2364. <td>Turkey</td>
  2365. <td>99.79</td>
  2366. </tr>
  2367. <tr>
  2368. <td>Trojan.AndroidOS.Piom.bcqp</td>
  2369. <td>Turkey</td>
  2370. <td>99.28</td>
  2371. </tr>
  2372. <tr>
  2373. <td>Trojan-Banker.AndroidOS.BrowBot.q</td>
  2374. <td>Turkey</td>
  2375. <td>99.28</td>
  2376. </tr>
  2377. <tr>
  2378. <td>Trojan-Spy.AndroidOS.SmsThief.wk</td>
  2379. <td>India</td>
  2380. <td>99.02</td>
  2381. </tr>
  2382. <tr>
  2383. <td>Trojan.AndroidOS.Piom.bbfv</td>
  2384. <td>Turkey</td>
  2385. <td>98.97</td>
  2386. </tr>
  2387. <tr>
  2388. <td>Trojan-Banker.AndroidOS.BrowBot.a</td>
  2389. <td>Turkey</td>
  2390. <td>98.81</td>
  2391. </tr>
  2392. <tr>
  2393. <td>Trojan.AndroidOS.Piom.azgy</td>
  2394. <td>Brazil</td>
  2395. <td>98.69</td>
  2396. </tr>
  2397. <tr>
  2398. <td>HackTool.AndroidOS.FakePay.c</td>
  2399. <td>Brazil</td>
  2400. <td>98.39</td>
  2401. </tr>
  2402. <tr>
  2403. <td>Trojan-Banker.AndroidOS.Coper.b</td>
  2404. <td>Turkey</td>
  2405. <td>98.28</td>
  2406. </tr>
  2407. <tr>
  2408. <td>Trojan-Banker.AndroidOS.BrowBot.n</td>
  2409. <td>Turkey</td>
  2410. <td>97.87</td>
  2411. </tr>
  2412. <tr>
  2413. <td>Trojan-SMS.AndroidOS.EvilInst.b</td>
  2414. <td>Thailand</td>
  2415. <td>97.33</td>
  2416. </tr>
  2417. <tr>
  2418. <td>Backdoor.AndroidOS.Tambir.c</td>
  2419. <td>Turkey</td>
  2420. <td>97.19</td>
  2421. </tr>
  2422. <tr>
  2423. <td>Trojan-Banker.AndroidOS.BRats.b</td>
  2424. <td>Brazil</td>
  2425. <td>96.96</td>
  2426. </tr>
  2427. <tr>
  2428. <td>Trojan-Spy.AndroidOS.SmsThief.tt</td>
  2429. <td>Iran</td>
  2430. <td>96.88</td>
  2431. </tr>
  2432. <tr>
  2433. <td>Trojan-Banker.AndroidOS.Rewardsteal.dn</td>
  2434. <td>India</td>
  2435. <td>96.76</td>
  2436. </tr>
  2437. <tr>
  2438. <td>Trojan-Banker.AndroidOS.Rewardsteal.c</td>
  2439. <td>India</td>
  2440. <td>96.65</td>
  2441. </tr>
  2442. <tr>
  2443. <td>Backdoor.AndroidOS.Tambir.a</td>
  2444. <td>Turkey</td>
  2445. <td>96.58</td>
  2446. </tr>
  2447. <tr>
  2448. <td>Trojan-Dropper.AndroidOS.Hqwar.hc</td>
  2449. <td>Turkey</td>
  2450. <td>96.19</td>
  2451. </tr>
  2452. <tr>
  2453. <td>Trojan-Banker.AndroidOS.UdangaSteal.b</td>
  2454. <td>Indonesia</td>
  2455. <td>96.04</td>
  2456. </tr>
  2457. <tr>
  2458. <td>Backdoor.AndroidOS.Tambir.b</td>
  2459. <td>Turkey</td>
  2460. <td>95.55</td>
  2461. </tr>
  2462. <tr>
  2463. <td>Trojan-Spy.AndroidOS.SmsThief.vb</td>
  2464. <td>Indonesia</td>
  2465. <td>95.29</td>
  2466. </tr>
  2467. </tbody>
  2468. </table>
  2469. <p><em>* The country where the malware was most active.</em><br />
  2470. <em>** Unique users who encountered this Trojan modification in the indicated country as a percentage of all Kaspersky mobile security solution users attacked by the same modification.</em></p>
  2471. <p>Turkey continues to be flooded with banking Trojan variants. In particular, users there are targeted by Trojan-Banker.AndroidOS.Agent.nw, which opens VNC access to the device. It&#8217;s based on the open-source library droidVNC-NG. Tambir also gives attackers VNC access. In addition, its functionality includes keylogging, stealing texts, contacts, and app lists, as well as sending texts. Besides VNC backdoors, we observed a concentration of BrowBot attacks in Turkey. The primary functionality of that Trojan is stealing texts. As for Piom, it represents a collective verdict created for various malware within the context of our automated systems. Specifically in Turkey, hiding behind this verdict are modifications of the now infamous Godfather banking Trojan.</p>
  2472. <p>Two text-stealing Trojans are active in Indonesia: SmsThief.vb and UdangaSteal.b. They are often sent to victims under the guise of wedding invitations.</p>
  2473. <p>The spread of FakePay applications is noticeable in Brazil. These applications visually simulate payment but do not actually execute it. Unlike most Trojans, users often intentionally download such apps in order to deceive sellers who accept payment by transfer. BRats is another banking Trojan that continues to be distributed predominantly in Brazil.</p>
  2474. <p>Users in Thailand encountered the EvilInst Trojan, which spreads under the guise of games but in fact just opens a website with cracked games and sends paid texts.</p>
  2475. <h2 id="mobile-banking-trojans">Mobile banking Trojans</h2>
  2476. <p>The number of new unique installation packages for banking Trojans remains low.</p>
  2477. <div class="js-infogram-embed" data-id="_/ZiVUNWYz0eK3jbLQMjc2" data-type="interactive" data-title="05 EN-RU-ES Malware report Q1 2024 mobile graphs" style="min-height:;"></div>
  2478. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em> Number of installation packages for mobile banking Trojans detected by Kaspersky, Q1 2023 — Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31160646/05-en-ru-es-malware-report-q1-2024-mobile-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  2479. <p>Nevertheless, the total number of Trojan-Banker attacks continues to grow, with Trojan-Banker even moving up one spot in the distribution structure of malware and unwanted programs by the number of affected users.</p>
  2480. <p>Top 10 mobile bankers</p>
  2481. <table width="100%">
  2482. <tbody>
  2483. <tr>
  2484. <td width="40%"><strong>Verdict</strong></td>
  2485. <td width="15%"><strong>%* in Q4 2023</strong></td>
  2486. <td width="15%"><strong>%* in Q1 2024</strong></td>
  2487. <td width="15%"><strong>Difference in p.p.</strong></td>
  2488. <td width="15%"><strong>Change in ranking</strong></td>
  2489. </tr>
  2490. <tr>
  2491. <td>Trojan-Banker.AndroidOS.Agent.eq</td>
  2492. <td>27.73</td>
  2493. <td>13.39</td>
  2494. <td><span style="color: #9c0006">-14.34</span></td>
  2495. <td>0</td>
  2496. </tr>
  2497. <tr>
  2498. <td>Trojan-Banker.AndroidOS.Coper.b</td>
  2499. <td>3.72</td>
  2500. <td>12.58</td>
  2501. <td><span style="color: #00b050">+8.86</span></td>
  2502. <td><span style="color: #00b050">+3</span></td>
  2503. </tr>
  2504. <tr>
  2505. <td>Trojan-Banker.AndroidOS.Bian.h</td>
  2506. <td>16.06</td>
  2507. <td>10.21</td>
  2508. <td><span style="color: #9c0006">-5.85</span></td>
  2509. <td><span style="color: #9c0006">-1</span></td>
  2510. </tr>
  2511. <tr>
  2512. <td>Trojan-Banker.AndroidOS.Mamont.k</td>
  2513. <td>2.48</td>
  2514. <td>9.18</td>
  2515. <td><span style="color: #00b050">+6.70</span></td>
  2516. <td><span style="color: #00b050">+5</span></td>
  2517. </tr>
  2518. <tr>
  2519. <td>Trojan-Banker.AndroidOS.UdangaSteal.b</td>
  2520. <td>0.00</td>
  2521. <td>7.00</td>
  2522. <td><span style="color: #00b050">+7.00</span></td>
  2523. <td></td>
  2524. </tr>
  2525. <tr>
  2526. <td>Trojan-Banker.AndroidOS.Mamont.o</td>
  2527. <td>0.00</td>
  2528. <td>4.58</td>
  2529. <td><span style="color: #00b050">+4.58</span></td>
  2530. <td></td>
  2531. </tr>
  2532. <tr>
  2533. <td>Trojan-Banker.AndroidOS.Agent.cf</td>
  2534. <td>2.79</td>
  2535. <td>4.23</td>
  2536. <td><span style="color: #00b050">+1.44</span></td>
  2537. <td>0</td>
  2538. </tr>
  2539. <tr>
  2540. <td>Trojan-Banker.AndroidOS.Coper.a</td>
  2541. <td>0.65</td>
  2542. <td>4.21</td>
  2543. <td><span style="color: #00b050">+3.56</span></td>
  2544. <td><span style="color: #00b050">+19</span></td>
  2545. </tr>
  2546. <tr>
  2547. <td>Trojan-Banker.AndroidOS.Rewardsteal.c</td>
  2548. <td>0.55</td>
  2549. <td>3.99</td>
  2550. <td><span style="color: #00b050">+3.45</span></td>
  2551. <td><span style="color: #00b050">+20</span></td>
  2552. </tr>
  2553. <tr>
  2554. <td>Trojan-Banker.AndroidOS.BrowBot.q</td>
  2555. <td>0.00</td>
  2556. <td>2.53</td>
  2557. <td><span style="color: #00b050">+2.53</span></td>
  2558. <td></td>
  2559. </tr>
  2560. </tbody>
  2561. </table>
  2562. <p><em>* Unique users who encountered this malware as a percentage of all users of Kaspersky mobile security solutions who encountered banking threats.</em></p>
  2563. <h2 id="mobile-ransomware-trojans">Mobile ransomware Trojans</h2>
  2564. <p>Following a surge in the number of ransomware installation packages in Q4 2023, linked to the emergence of a large number of samples from the Rasket family, the number returned to its usual level amid a decrease in Rasket activity. Rasket Trojans are built on Tasker automation scripts, which are designed to automate routine actions on a device but have sufficient functionality to write ransomware.</p>
  2565. <div class="js-infogram-embed" data-id="_/raoclmAJCvaAC8w2Tk4Q" data-type="interactive" data-title="06 EN-RU-ES Malware report Q1 2024 mobile graphs" style="min-height:;"></div>
  2566. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em> Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q1 2023 — Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31160718/06-en-ru-es-malware-report-q1-2024-mobile-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  2567. <p>The same dynamic is reflected in the distribution of attacks for the most active samples: after a sharp rise (to 74% of all ransomware attacks), the share of the Rasket Trojan in Q1 almost halved.</p>
  2568. <table width="100%">
  2569. <tbody>
  2570. <tr>
  2571. <td width="40%"><strong>Verdict</strong></td>
  2572. <td width="15%"><strong>Prev %</strong></td>
  2573. <td width="15%"><strong>New %</strong></td>
  2574. <td width="15%"><strong>% diff</strong></td>
  2575. <td width="15%"><strong>Pos diff</strong></td>
  2576. </tr>
  2577. <tr>
  2578. <td>Trojan-Ransom.AndroidOS.Rasket.a</td>
  2579. <td>74.38</td>
  2580. <td>37.22</td>
  2581. <td><span style="color: #9c0006">-37.16</span></td>
  2582. <td>0</td>
  2583. </tr>
  2584. <tr>
  2585. <td>Trojan-Ransom.AndroidOS.Pigetrl.a</td>
  2586. <td>9.14</td>
  2587. <td>15.56</td>
  2588. <td><span style="color: #00b050">+6.41</span></td>
  2589. <td>0</td>
  2590. </tr>
  2591. <tr>
  2592. <td>Trojan-Ransom.AndroidOS.Rkor.eg</td>
  2593. <td>5.29</td>
  2594. <td>11.59</td>
  2595. <td><span style="color: #00b050">+6.30</span></td>
  2596. <td>0</td>
  2597. </tr>
  2598. <tr>
  2599. <td>Trojan-Ransom.AndroidOS.Svpeng.ac</td>
  2600. <td>0.22</td>
  2601. <td>11.17</td>
  2602. <td><span style="color: #00b050">+10.95</span></td>
  2603. <td><span style="color: #00b050">+19</span></td>
  2604. </tr>
  2605. <tr>
  2606. <td>Trojan-Ransom.AndroidOS.Congur.cw</td>
  2607. <td>0.51</td>
  2608. <td>10.96</td>
  2609. <td><span style="color: #00b050">+10.45</span></td>
  2610. <td><span style="color: #00b050">+2</span></td>
  2611. </tr>
  2612. <tr>
  2613. <td>Trojan-Ransom.AndroidOS.Small.cj</td>
  2614. <td>0.30</td>
  2615. <td>10.49</td>
  2616. <td><span style="color: #00b050">+10.19</span></td>
  2617. <td><span style="color: #00b050">+9</span></td>
  2618. </tr>
  2619. <tr>
  2620. <td>Trojan-Ransom.AndroidOS.Congur.ap</td>
  2621. <td>0.28</td>
  2622. <td>6.66</td>
  2623. <td><span style="color: #00b050">+6.38</span></td>
  2624. <td><span style="color: #00b050">+9</span></td>
  2625. </tr>
  2626. <tr>
  2627. <td>Trojan-Ransom.AndroidOS.Rkor.ef</td>
  2628. <td>2.00</td>
  2629. <td>6.40</td>
  2630. <td><span style="color: #00b050">+4.40</span></td>
  2631. <td><span style="color: #9c0006">-4</span></td>
  2632. </tr>
  2633. <tr>
  2634. <td>Trojan-Ransom.AndroidOS.Svpeng.ah</td>
  2635. <td>0.12</td>
  2636. <td>6.03</td>
  2637. <td><span style="color: #00b050">+5.91</span></td>
  2638. <td><span style="color: #00b050">+34</span></td>
  2639. </tr>
  2640. <tr>
  2641. <td>Trojan-Ransom.AndroidOS.Svpeng.snt</td>
  2642. <td>0.07</td>
  2643. <td>5.72</td>
  2644. <td><span style="color: #00b050">+5.64</span></td>
  2645. <td><span style="color: #00b050">+47</span></td>
  2646. </tr>
  2647. </tbody>
  2648. </table>
  2649. ]]></content:encoded>
  2650. <wfw:commentRss>https://securelist.com/it-threat-evolution-q1-2024-mobile-statistics/112750/feed/</wfw:commentRss>
  2651. <slash:comments>0</slash:comments>
  2652. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31174622/sl-spider-monster-malware-magenta-1200x675-1.jpg" width="1200" height="675"><media:keywords>full</media:keywords></media:content>
  2653. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31174622/sl-spider-monster-malware-magenta-1200x675-1-1024x576.jpg" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  2654. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31174622/sl-spider-monster-malware-magenta-1200x675-1-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  2655. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/31174622/sl-spider-monster-malware-magenta-1200x675-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  2656. </item>
  2657. </channel>
  2658. </rss>
  2659.  
