FBI Reports On Linux Drovorub Malware

xxxgonzo muviesThe FBI and the NSA released a report on the Russian-based malware that attacks Linux known as Drovorub (PDF) and it is an interesting read. Drovorub uses a kernel module rootkit and allows a remote attacker to control your computer, transfer files, and forward ports. And the kernel module takes extraordinary steps to avoid detection while doing it.

xxxgonzo muviesWhat is perhaps most interesting though, is that the agencies did the leg work to track the malware to its source: the GRU — Russian intelligence. The name Drovorub translates into “woodcutter” and is apparently the name the GRU uses for the program.

A look inside the code shows it is pretty mundane. There’s a server with a JSON configuration file and a MySQL backend. It looks like any other garden-variety piece of code. To bootstrap the client, a hardcoded configuration allows the program to make contact with the server and then creates a configuration file that the kernel module actively hides. Interestingly, part of the configuration is a UUID that contains the MAC address of the server computer.

The rootkit won’t persist if you have UEFI boot fully enabled (although many Linux computers turn UEFI signing off rather than work through the steps to install an OS with it enabled). The malware is easy to spot if you dump raw information from the network, but the kernel module makes it hard to find on the local machine. It hooks many kernel functions so it can hide processes from both the ps command and the /proc filesystem. Other hooks remove file names from directory listings and also hides sockets. The paper describes how to identify the malware and they are especially interested in detection at scale — that is, if you have 1,000 Linux PCs on a network, how do you find which ones have this infection?

This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.

This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes

One of the fun things about vulnerability research is that there are so many places for bugs to hide. Modern devices have multiple processors, bits of radio hardware, and millions of lines of code. When [Veronica Kovah] of Dark Mentor LLC decided to start vulnerability research on the Bluetooth Low Energy protocol, she opted to target the link layer itself, rather than the code stack running as part of the main OS. What’s interesting is that the link layer has to process data before any authentication is performed, so if a vulnerability is found here, it’s guaranteed to be pre-authentication. Also of interest, many different devices are likely to share the same BLE chipset, meaning these vulnerabilities will show up on many different devices. [Veronica] shares some great info on how to get started, as well as the details on the vulnerabilities she found, in the PDF whitepaper. (Just a quick note, this link isn’t to the raw PDF, but pulls up a GitHub PDF viewer.) There is also a video presentation of the findings, if that’s more your speed.

The first vuln we’ll look at is CVE-2019-15948, which affects a handful of Texas Instruments BT/BLE chips. The problem is in how BLE advertisement packets are handled. An advertisement packet should always contain a data length of at least six bytes, which is reserved for the sending device address. Part of the packet parsing process is to subtract six from the packet length and do a memcpy using that value as the length. A malicious packet can have a length of less than six, and the result is that the copy length integer underflows, becoming a large value, and overwriting the current stack. To actually turn this into an exploit, a pair of data packets are sent repeatedly, to put malicious code in the place where program execution will jump to.

The second vulnerability of note, CVE-2020-15531 targets a Silicon Labs BLE chip, and uses malformed extended advertisement packets to trigger a buffer overflow. Specifically, the sent message is longer than the specification says it should be. Rather than drop this malformed message, the chip’s firmware processes it, which triggers a buffer overflow. Going a step further, this chip has non-volatile firmware, and it’s possible to modify that firmware permanently. [Veronica] points out that even embedded chips like these should have some sort of secure boot implementation, to prevent these sort of persistent attacks.
Continue reading “This Week In Security: Bluetooth Hacking, NEC Phones, And Malicious Tor Nodes”

Eavesdropping On Satellites For Fun And Profit

Geosynchronous satellites, girdling the Earth from their perches 36,000 km above the equator, are remarkably useful devices. Depending on where they’re parked, they command views of perhaps a third of the globe at a time, making them perfect communications relays. But as [James Pavur] points out in his DEF CON Safe Mode talk, “Whispers Among the Stars”, geosynchronous satellite communication links are often far from secure.

[James], a D. Phil. student in Systems Security at Oxford University, relates that his exploits rely on the wide areas covered by the downlink signals from the satellites, coupled with security as an afterthought, if it was even thought of at all by satellite service providers. This lackadaisical approach let him use little more than a regular digital satellite TV dish and a tuner card for a PC — off-the-shelf stuff that you’d really have to try hard to spend more than $300 on — to tap into sensitive information.

While decoding the digital signals from satellites into something parseable can be done with commercial applications, [James] and his colleagues built a custom tool, GSExtract, to pull data from the often noisy signals coming down from on high. The setup returned an amazing bounty of information, like maritime operators relaying the passport information of crew members from ship to shore, point-of-sale terminal information from cruise ships in the Mediterranean, and in-flight entertainment systems in jet airliners. The last example proved particularly alarming, as it revealed an exploitable connection between the systems dedicated to keeping passengers content and those in the cockpit, which clearly should not be the case.

We found [James’] insights on these weaknesses in satellite communications fascinating, and it’s well worth the 45 minutes to watch the video below and perhaps try these exploits, which amount to side-channel attacks, for yourself.

Continue reading “Eavesdropping On Satellites For Fun And Profit”

Give A Man A Phish, And You Entertain Him For A Day

With millions of phishing attempts happening daily, we’ve probably all had our fair share of coming across one. For the trained or naturally suspicious eye, it’s usually easy to spot them — maybe get a good chuckle out of the ridiculously bad ones along the way — and simply ignore them. Unfortunately, they wouldn’t exist if they weren’t successful enough in the big picture, so it might be a good idea to inform the targeted service about the attempt, in hopes they will notify users to act with caution. And then there’s [Christian Haschek], who decided to have some fun and trying to render the phished data useless by simply flooding it with garbage.

After his wife received a text message from “their bank”, [Christian] took a closer look at the URL it was pointing to, and found your typical copy of the real login form at a slightly misspelled address. As the usual goal is to steal the victim’s credentials, he simply wrote a shell script that sends random generated account numbers and PINs for all eternity via cURL, potentially lowering any value the attackers could get from their attempt.

As the form fields limit the input length of the account number and PIN, he eventually wondered if the server side will do the same, or whether it would crash if longer data is sent to it. Sadly, he’ll never know, because after he modified the script, the site itself returned a 404 and had disappeared.

In the quest against phishing attacks, this should count as a success, but as [Christian] seemed to enjoy himself, he yearned for more and decided to take a look at a similar attempt he saw mentioned earlier on Reddit. Despite targeting the same bank, the server-side implementation was more sophisticated, hinting at a different attack, and he definitely got his money worth this time — but we don’t want to give it all away here.

Rest assured, [Christian Haschek] continues the good fight, whether by annoying attackers as he did with ZIP-bombing random WordPress login attempts or battling child pornography with a Raspberry Pi cluster. Well, unless he’s busy hunting down an unidentified device hooked up in his own network.

(Banner image by Tumisu)

This Week In Security: DEF CON, Intel Leaks, Snapdragon, And A Robot Possessed

Last weekend, DEF CON held their “SAFE MODE” conference: instead of meeting at a physical venue, the entire conference was held online. All the presentations are available on the official DEF CON YouTube channel. We’ll cover a few of the presentations here, and watch out for other articles on HaD with details on the other talks that we found interesting.
Continue reading “This Week In Security: DEF CON, Intel Leaks, Snapdragon, And A Robot Possessed”

Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 DEF CON Safe Mode, security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur, the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kind of problems, manufacturers had to implement strategies so that the devices wireless chips can coexist (sometimes even sharing the same antenna) and reduce interference to a minimum. They are called coexistence mechanisms and enable high-performance communication on intersecting frequency bands and thus, they are essential to any modern mobile device. Despite open solutions exist, such as the Mobile Wireless Standards, the manufacturers usually implement proprietary solutions.


Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra class attacks exploit flaws in the interfaces between wireless cores in which one core can achieve denial of service (DoS), information disclosure and even code execution on another core. The reasoning here is, from an attacker perspective, to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution is happening in these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.

Continue reading “Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack”

This Week In Security: Garmin Ransomware, KeePass , And Twitter Warnings

On July 23, multiple services related to Garmin were taken offline, including their call center and aviation related services. Thanks to information leaked by Garmin employees, we know that this multi-day outage was caused by the Wastedlocker ransomware campaign. After four days, Garmin was able to start the process of restoring the services.

It’s reported that the requested ransom was an eye-watering $10 million. It’s suspected that Garmin actually paid the ransom. A leaked decryptor program confirms that they received the decryption key. The attack was apparently very widespread through Garmin’s network, as it seems that both workstations and public facing servers were impacted. Let’s hope Garmin learned their lesson, and are shoring up their security practices. Continue reading “This Week In Security: Garmin Ransomware, KeePass , And Twitter Warnings”