Insecure Permissions vulnerability in Connectivity Standards Alliance Matter Official SDK v.1.1.0.0 , Nanoleaf Light strip v.3.5.10, Govee LED Strip v.3.00.42, switchBot Hub2 v.1.0-0.8, Phillips hue hub v.1.59.1959097030, and yeelight smart lamp v.1.12.69 allows a remote attacker to cause a denial of service via a crafted script to the KeySetRemove function.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

sumaky opened this issue

Aug 4, 2023

· 0 comments · Fixed by #28524

**Comments**

**Reproduction steps**

**spec reference: 1**1.2.7.4. KeySetRemove Command  
This command SHALL fail with an INVALID\_COMMAND status code back to the initiator if the  
GroupKeySetID being removed is 0, which is the Key Set associated with the Identity Protection Key  
(IPK).

When key-set-remove command is issued with 0x0 ID we should expect INVALID\_COMMAND as status code but we see SUCCESS as the status code  
This issue was found during covering additional negative scenarios for TC-GRPKEY-2.2

Reference log:  
GRPKEY2.2GroupKeySetID0Error.txt

**Bug prevalence**

NA

**GitHub hash of the SDK that was being used**

NA

**Platform**

other

**Platform Version(s)**

NA

**Anything else?**

_No response_

tcarmelveilleux pushed a commit to tcarmelveilleux/connectedhomeip that referenced this issue

Aug 4, 2023

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes project-chip#28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

mergify bot pushed a commit that referenced this issue

Aug 10, 2023

\* Fix KeySetRemove to fail on key set index 0

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes #28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

\* Regen tests with ZAP

\* Restyled by clang-format

\* Remove explicit check for undefined fabric index

\* Fix build

\* Rename ValidateAndGetProviderAndFabric to just GetProviderAndFabric

\* Added back cleanup for VerifyOrDie argument checking

\* Restyle

---------

Co-authored-by: tennessee.carmelveilleux@gmail.com <tennessee@google.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Andrei Litvin <andreilitvin@google.com>
Co-authored-by: Andrei Litvin <andy314@gmail.com>

andy31415 added a commit that referenced this issue

Aug 10, 2023

\* Fix KeySetRemove to fail on key set index 0

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes #28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

\* Regen tests with ZAP

\* Restyled by clang-format

\* Remove explicit check for undefined fabric index

\* Fix build

\* Rename ValidateAndGetProviderAndFabric to just GetProviderAndFabric

\* Added back cleanup for VerifyOrDie argument checking

\* Restyle

\* Update based on code review comments

\* Remove two more flight check comments

\* Restyle

\* Fix merge error

---------

Co-authored-by: tennessee.carmelveilleux@gmail.com <tennessee@google.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Andrei Litvin <andreilitvin@google.com>

abpoth pushed a commit to abpoth/connectedhomeip that referenced this issue

Aug 15, 2023

\* Fix KeySetRemove to fail on key set index 0

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes project-chip#28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

\* Regen tests with ZAP

\* Restyled by clang-format

\* Remove explicit check for undefined fabric index

\* Fix build

\* Rename ValidateAndGetProviderAndFabric to just GetProviderAndFabric

\* Added back cleanup for VerifyOrDie argument checking

\* Restyle

---------

Co-authored-by: tennessee.carmelveilleux@gmail.com <tennessee@google.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Andrei Litvin <andreilitvin@google.com>
Co-authored-by: Andrei Litvin <andy314@gmail.com>

abpoth pushed a commit to abpoth/connectedhomeip that referenced this issue

Aug 15, 2023

\* Fix KeySetRemove to fail on key set index 0

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes project-chip#28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

\* Regen tests with ZAP

\* Restyled by clang-format

\* Remove explicit check for undefined fabric index

\* Fix build

\* Rename ValidateAndGetProviderAndFabric to just GetProviderAndFabric

\* Added back cleanup for VerifyOrDie argument checking

\* Restyle

\* Update based on code review comments

\* Remove two more flight check comments

\* Restyle

\* Fix merge error

---------

Co-authored-by: tennessee.carmelveilleux@gmail.com <tennessee@google.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Andrei Litvin <andreilitvin@google.com>

s07641069 pushed a commit to s07641069/connectedhomeip that referenced this issue

Aug 22, 2023

\* Fix KeySetRemove to fail on key set index 0

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes project-chip#28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

\* Regen tests with ZAP

\* Restyled by clang-format

\* Remove explicit check for undefined fabric index

\* Fix build

\* Rename ValidateAndGetProviderAndFabric to just GetProviderAndFabric

\* Added back cleanup for VerifyOrDie argument checking

\* Restyle

---------

Co-authored-by: tennessee.carmelveilleux@gmail.com <tennessee@google.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Andrei Litvin <andreilitvin@google.com>
Co-authored-by: Andrei Litvin <andy314@gmail.com>

s07641069 pushed a commit to s07641069/connectedhomeip that referenced this issue

Aug 22, 2023

\* Fix KeySetRemove to fail on key set index 0

Problem:

- Removing KeySet index 0 is not allowed by spec, but SDK allowed it.
- Checking that we ran without accessing fabric is not done, so
  error is FAILURE instead of UNSUPPORTED\_ACCESS.
- Fixes project-chip#28518

This PR:

- Adds the check and tests against removing fabric index zero
- Improves error reporting for several errors in the cluster
- Combines validation logic for accessing fabric that was missing

Testing:

- Added unit tests and integration tests for additions
  (except for the unsupported access that requires PASE to check)

\* Regen tests with ZAP

\* Restyled by clang-format

\* Remove explicit check for undefined fabric index

\* Fix build

\* Rename ValidateAndGetProviderAndFabric to just GetProviderAndFabric

\* Added back cleanup for VerifyOrDie argument checking

\* Restyle

\* Update based on code review comments

\* Remove two more flight check comments

\* Restyle

\* Fix merge error

---------

Co-authored-by: tennessee.carmelveilleux@gmail.com <tennessee@google.com>
Co-authored-by: Restyled.io <commits@restyled.io>
Co-authored-by: Andrei Litvin <andreilitvin@google.com>

1 participant

CVE-2023-42189: [BUG] KeySetRemove Command returns SUCCESS status code when GroupKeySetID 0 is being removed · Issue #28518 · project-chip/connectedhomeip

An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.
The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an

An ad fraud botnet dubbed **PEACHPIT** leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.

The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada.

"The PEACHPIT botnet's conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS," HUMAN said.

The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps.

It's currently not clear how the Android devices are compromised with a firmware backdoor, but evidence points to a hardware supply chain attack.

"Threat actors can also use the backdoored devices to create WhatsApp messaging accounts by stealing one-time passwords from the devices," the company said.

"Additionally, threat actors can use the devices to create Gmail accounts, evading typical bot detection because the account looks like it was created from a normal tablet or smartphone, by a real person."

Details about the criminal enterprise were first documented by Trend Micro in May 2023, attributing it to an adversary it tracks as Lemon Group.

HUMAN said that it identified at least 200 distinct Android device types, including mobile phones, tablets, and CTV products, that have exhibited signs of BADBOX infection, suggesting a widespread operation.

A notable aspect of the ad fraud is the use of counterfeit apps on Android and iOS made available on major app marketplaces such as the Apple App Store and Google Play Store as well as those that are automatically downloaded to backdoored BADBOX devices.

Present within the Android apps is a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, and masquerading the ad requests as originating from legitimate apps, a technique previously observed in the case of VASTFLUX.

The fraud prevention firm noted that it worked with Apple and Google to disrupt the operation, adding "the remainder of BADBOX should be considered dormant: the C2 servers powering the BADBOX firmware backdoor infection have been taken down by the threat actors."

What's more, an update pushed out earlier this year has been found to remove the modules powering PEACHPIT on BADBOX-infected devices in response to mitigation measures deployed in November 2022.

That having said, it's suspected the attackers are adjusting their tactics in a likely attempt to circumvent the defenses.

"What makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication," HUMAN said. "Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS

By Waqas
The Red Alert App is available on iOS; however, its Android version has been removed for unknown reasons
This is a post from HackRead.com Read the original post: Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App

Pro-Palestinian hackers from AnonGhost apparently managed to hack the Red Alert app, whose sole purpose is to send missile and rocket alerts to Israelis.

In the midst of the ongoing conflict between Israel and Hamas, a group of Pro-Palestinian hackers operating under the moniker **AnonGhost** launched a cyberattack on the RedAlert app, causing chaos among Israeli citizens over the weekend.

Developed by Kobi Snir, an app developer and IoT researcher, the Red Alert App serves a critical purpose by providing real-time alerts whenever rockets, mortars, or missiles are fired into Israel from the Gaza region.

Singapore-based cybersecurity firm Group-IB confirmed the cyberattack. In a brief **tweet**, the company’s threat analysis team revealed that AnonGhost had exploited an API vulnerability within the Red Alert app.

The group successfully intercepted requests, exposing vulnerable servers and APIs, allowing them to employ Python scripts to send spam messages to some Israeli app users. This resulted in users receiving false missile alerts on their smartphones, further worsening the already dire situation in the country.

But the extent of the attack didn’t stop at fake rocket alerts. According to Group-IB’s Threat Intelligence system, AnonGhost also sent fabricated messages regarding a “nuclear bomb” attack on Israel.

One of the announcements from AnonGhost on Telegram boasts about the attack with the following words:

> _“Israel’s RedAlert phone app system hacked by AnonGhost + AG Members. Before this attack happened we have found that there are about 10,000 users online in this chat. All 10k to 20k users in this application will get the same notification.”_

Furthermore, the group claimed that, aside from sending fake alerts and causing hysteria, the impact of this attack also includes disconnecting the user’s phone from the Internet and rendering the phone unusable, forcing the victim to purchase a new one. However, these claims remain unverified at this time.

Hackread.com delved into these claims and discovered a video shared by AnonGhost on their Telegram channel, demonstrating that the group had exploited the RedAlert app to send emergency alerts about fictitious rocket and nuclear bomb attacks.

Source: Hackrad.com

The Red Alert App is available on **iOS**; however, its Android version has been **removed** for unknown reasons

The conflict between Israel and **Hamas** ignited on October 7, 2023, when Hamas fighters launched a surprise attack on Israel, crossing the border from the Gaza Strip into Israeli territory. Hamas reported casualties among Israelis and claimed to have taken dozens of hostages.

Israel, on the other hand, characterized Hamas’ attack as unprovoked and an attempt to annihilate the country. Reuters **reported** that Israel responded with airstrikes on the Gaza Strip, resulting in the deaths of hundreds of Palestinians, including at least 20 children.

While the physical conflict raged on, cyber warfare unfolded in parallel. Pro-Palestinian and Pro-Israeli hacktivist groups engaged in online battles, targeting each other’s infrastructure through activities such as Distributed Denial of Service (DDoS) attacks, data leaks, doxing, and social engineering.

The ongoing conflict continues to have a digital dimension, as **hacktivist groups** on both sides strive to make their voices heard in the cyber realm, further escalating tensions in an already volatile situation.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Israeli Oil Refinery Giant BAZAN Hit by Fresh Wave of Cyber Attacks
3.  Hackers interrupt Eurovision webcast in Israel with missile attack alert
4.  Hamas hackers posed as women to con IDF into downloading malware
5.  Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure

Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Monday, October 9, 2023 08:10

At this point in his career, Jaeson Schultz has seen nearly every type of online scam there is to see.

From fake bomb threats at schools, to “sextortion” campaigns, cryptocurrency mining, metaverse and more of the 2010s, to the earliest type of spam emails in the 1990s that promised to protect people from a Y2K meltdown or had the next great penny stock that the recipient needed to jump on asap, Schultz’s security career has spanned more than 25 years now.

At this point, nothing adversaries come up with surprises him, but that doesn’t mean he’s not looking for those surprises.

Schultz, a researcher for the Talos Outreach team focused specifically on email threats and spam, is currently looking to new and emerging technologies and how they play into attackers’ hands, including Web3, the metaverse (including the capital “M” Metaverse from the company Meta), cryptocurrency exchanges and the blockchain.

But his security experience dates back to the early days of email when he took a job with the state government of Nevada performing traditional IT troubleshooting and support. At the time, cybersecurity was not a specialized field, so by working in IT, you already needed to be interested in security, Schultz said.

“At that point, \[cybersecurity\] was more of a hobby for me in the late 80s and early 90s. It wasn’t an established profession, and you couldn’t study it. So, if you were into network administration, you were probably also into security,” he said.

Schultz started pursuing cybersecurity as a hobby, and he even attended some of the first DEF CON conferences, which today is known as one of the largest hacking conferences in the world.

That eventually led him to a job with Brightmail – one of the earliest anti-spam filtering offerings for email — and at the “abuse desk” for another email service provider, where he was tasked with stopping malicious users from sending spam.

At the time, the threats and tactics he saw then were the same as the ones most users get today: They focus heavily on social engineering, trying to trick users into providing personal information, sending money to the attacker or clicking on a malicious link that downloads malware.

Schultz eventually made his way to Cisco through the company’s acquisition of IronPort, which eventually became part of Cisco Talos nearly 10 years ago, where he became part of the Outreach team, conducting more public-facing threat research.

Today, Schultz said attacks are more sophisticated than before thanks to AI language models and years of experience on the attackers’ end. In his earlier career, Schultz said the wildest scam he saw was an email sender claiming to be a time traveler searching for pieces of their time machine, a tactic that (most) users would sniff out quickly in 2023.

“The techniques have evolved over time, but the basic themes have primarily remained the same,” he said.

One of the techniques Schultz is particularly interested in currently is DNS and URL manipulation. He’s written extensively for the Talos blog about how adversaries are using typosquatted domains — attacks in which bad actors use eerily similar URLs to legitimate sites to trick users into visiting an attacker-controlled page. For example, instead of visiting google.com, an attacker may use the domain googie.com in a spam email.

He’s also conducted research into attackers who distort the DNS system. DNS is essentially the backbone of browsing the internet and is what ensures attackers are visiting the page they want to land on — that typing in google.com will take the user to Google.com. Other attackers are using newly released top-level domains like .zip to trick targets into disclosing potentially sensitive files that end in that extension.

Perhaps in one of the more unlikely scenarios, Schultz is also researching how cosmic rays could interfere with network connections and mistakenly send users to the wrong destination.

“I’m completely interested in the creative ways computers can break down,” Schultz jokes.

Many users can feel hopeless when it comes to spam because they’re still getting emails and text messages every day despite the best efforts to research and continued calls to report certain phone numbers, emails or email subjects as spam. But Schultz said he’s driven by the victories he does get along the way.

“There are just so many people out there who are out to commit crimes online. And the number of people who actually get in trouble for committing those crimes is pretty low when you consider how much work goes into cybersecurity,” he said. “It gets under my skin when there are innocent users who get scammed by these people, like what if it was my mom or my grandma? It motivates me to go out there and disrupt their operations.”

Disruption may not even look like directly taking down email servers they’re using or other infrastructure. Even by writing a blog about an actor’s operations or talking to other security researchers at a conference, Schultz said his team’s work can make bad actors’ work more difficult in many ways. Even by just publicly exploiting their tactics, it forces them to change their strategy on the fly.

Schultz’s life doesn’t slow down outside the office, though. He juggles many interests like snow skating during the cooler months. He also owns a home in Ecuador where he likes to get away from the cold at times — Cisco’s work flexibility allows him to work remotely from either location to fit his schedule. Though he did joke his teammates get jealous when he’s working from Ecuador and brings a fresh coconut on a Webex call for a lunchtime drink.

Perhaps his most personal endeavor is running a toy shop in South Lake Tahoe, California with his family. Schultz’s late wife opened the store in 2019 — she wanted to be her own boss after years of having partners in other small business endeavors around the state.

After her death, Schultz said he and his three children wanted to keep the store running so he got more involved on a day-to-day basis. He even gets to put his IT admin hat back on while managing the online storefront and website.

“This was her project, she was always involved in different small businesses around Lake Tahoe, I talked her into buying this toy store so she would be the sole proprietor and not have to answer to anyone else,” Schultz said. “She bought it in 2019, and thankfully it survived the pandemic.”

Since getting more involved at the store, Schultz has gotten into collecting trading cards like Pokemon and the recently released Disney “Lorcana.” Interestingly, he’s interested in collecting real-world goods while the adversaries he typically tracks try to swindle users out of their virtual NFTs.

How looking at decades of spam led Jaeson Schultz from Y2K to the metaverse and cryptocurrency

Categories: News
Tags: Week

Tags:  security

Tags:  October

Tags:  2023

A list of topics we covered in the week of October 2 to October 8, 2023



(Read more...)




The post A week in security (October 2 - October 8) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 2 - October 8)

By Waqas
The Android TV box you recently purchased may be riddled with harmful backdoors.
This is a post from HackRead.com Read the original post: Android TV Boxes Infected with Backdoors, Compromising Home Networks

A new report from the cybersecurity firm Human Security confirms the presence of two backdoors, Badbox and Peachpit, in popular and widely used Android TV boxes.

****_KEY FINDINGS_****

*   **Cybersecurity Firm Human Security has discovered malware on dozens of streaming devices and iOS/Android apps.**

*   **A huge number of Android TV boxes contain malware capable of conducting ad fraud, creating fake accounts, and selling access to home networks.**

*   **Researchers found that the malware they have dubbed Badbox is not only tricky to detect but difficult to remove as well.**

*   **Android TV box users must prefer installing apps from reliable sources and keep their devices up-to-date.**

*   **Human Security has already shared details of its findings with concerned law enforcement agencies.**

In a report published by Human Security’s Satori Threat Intelligence and Research Team on October 4th, 2023, there are signs that 200 different models of Android TV boxes might be containing malware, indicating an organized network of ad fraud behind it.

Researchers analyzed seven Android TV boxes and one tablet and found backdoors installed in all of them. Here are the tested models:

Q9

T95

X88

T95Z

J5-W

T95MAX

X12PLUS 

MXQ Pro 5G

All the devices had a vast and diverse user base comprising schools, businesses, and homes across the US. Another shocking detail is that 80% of the Android TV boxes sold in the US from online retailers contained Badbox.

It is worth noting that, T95 is a known TV Box for carrying pre-installed malware. **In January 2023**, Canadian infrastructure and security systems consultant, Daniel Milisic discovered malware on the T95 TV Box which he bought through Amazon.

**In February 2023**, Malwarebytes researchers confirmed that there are pre-installed malware on this particular TV Box. However, to this date, Amazon continues to sell the malicious T95 TV Box.

Malicious T95 TV Boxes ready to be shipped through Amazon (Screenshot: Hackread.com)

According to Human Security’s CISO Gavin Reid, the network resembles a “Swiss Army knife of doing bad things on the internet.” Gavin **told** Wired that this is a well-organized fraud.

For your information, these boxes use Android Open Source Project (**AOSP**) instead of Google-certified Google TV or Android TV, such as Nvidia Shield or Chromecast. The issue occurs due to AOSP’s open access.

In their **blog post**, researchers noted that Badbox comes preloaded on Android TV devices made in China before being dispatched to resellers. After the devices are plugged in, the malware connects with a C2 server in China.

Further, it fetches a set of instructions that informs it about the malicious activities it has to perform on the device. These **include ad fraud**, creating fake WhatsApp and Gmail accounts, selling access to home networks, and installing remote code.

Badbox backdoor helps install infected apps on devices. It modifies a component of the Android OS, forcing it to execute code and access apps installed on the device. While researching, Human Security found different types of fraud associated with the infected devices, including **residential proxy services** and advertising fraud, and noticed that the group behind this campaign is selling access to home networks.

> _**“The extent of BADBOX’s spread and impact is massive. HUMAN’s Satori team observed at least 74,000 Android-based mobile phones, tablets, and Connected TV boxes worldwide showing signs of BADBOX infection.”**_
> 
> Human Security

According to their **technical report** (PDF), Human Security focused on another malware called PEACHPIT, Badbox’s ad fraud component that can launch spoofed web traffic, hidden ads, and **malvertising** on Android and iOS devices and apps.

Imported library managing ad rendering (Screenshot: Human Security)

Peachpit malware is less harmful than Badbox, though. Researchers identified 39 iOS, Android, and TV box apps containing Peachpit. It is worth noting that Peachpit malware can operate on Android and iOS devices both, whereas Badbox targets Android devices only.

Peachpit is a collection of 39 Android, iOS, and CTV-centric apps, each containing a hardcoded connection to a fake SSP (**supply-side platform**), which adds a piece of JavaScript code into the app’s WebView to obtain details of the device the app is running on before launching the ad.

> _**“PEACHPIT reached a peak of 121,000 infected Android devices and 159,000 infected iOS devices. These devices accounted for an average of 4 billion ad requests a day. No iOS devices were themselves impacted by the BADBOX backdoor; they were targeted only by PEACHPIT apps available for download from many major app marketplaces.”**_
> 
> Human Security

People looking for low-cost streaming devices and TV boxes usually turn to Chinese manufacturers. However, time and again, it has been proven that Chinese Android TV boxes typically come infected with malware.

1.  Amazon Still Selling T95 TV Box with Pre-Installed Malware
2.  Hundreds of Android devices shipped with pre-installed malware
3.  Malware Duo pre-installed on thousands of cheap Android phones
4.  Smart TVs make screenshots every second & send them to the server
5.  Samsung asks users to scan their Smart TVs for malware – Here’s how to

Android TV Boxes Infected with Backdoors, Compromising Home Networks

By Deeba Ahmed
Facebook’s official page was hacked on Facebook after bizarre posts, including demands for the release of ex-Pakistani PM…
This is a post from HackRead.com Read the original post: Facebook’s Official Page Hacked; Demand Release of Pakistani PM Imran Khan

Facebook’s official page was hacked on Facebook after bizarre posts, including demands for the release of ex-Pakistani PM Imran Khan, filled its timeline.

*   **Facebook’s official page was apparently hacked on Friday, 6th October 2023.**

*   **Social media users were shocked to see Facebook posting strange messages.**

*   **One of the many weird messages was the hacker demanding the release of ex-PAK prime minister Imran Khan.**

*   **Mr Khan was arrested in early August 2023.**

*   **Whether it was a prank or the page was actually hacked, it raises serious concerns over the security of Facebook accounts and pages.**

Hacking of user accounts and pages on social media is nothing new. Even high-profile personalities, including politicians and celebrities, have experienced page compromises, with scammers posting messages in their names.

However, a rare event occurred on October 6th, 2023, when Facebook users were stunned to see strange posts emanating from Facebook’s official page. What made these posts truly bizarre was their focus on criticizing the BCCI (Board of Cricket Control India) for not granting visas to Pakistani cricket fans for the ICC World Cup matches.

The highlight of this supposed prank was a post demanding the release of Pakistan’s former Prime Minister, Imran Khan, alongside another post stating, “Release Zuck.”

At 10.40 pm this post appeared on Facebook’s official page: “No idea why I suddenly have access to post stuff on Facebook. Or have I got it completely wrong and I’m not posting as Facebook UK?”

This was followed by another post that read: “Let me take this opportunity to let & know they have completely botched the event by not issuing visas to people who wanted to watch Cricket World Cup in person.”

Here are multiple screenshots shared by an X (previously Twitter) user about the Facebook page hack:

According to reports, several posts appeared before Facebook realized the issue and responded. The social network promptly deleted all the posts and issued an official statement to notify users that the page had been compromised. Simultaneously, the platform launched an investigation into the incident and took steps to enhance the page’s security.

By 11.30 pm, Facebook’s official page was disabled. However, until then, thousands of users had seen these posts.

> Facebooks Facebook page got hacked 🤣 pic.twitter.com/7bshbl6t0k
> 
> — Nath Lewis (@TheNathanLewis) October 6, 2023

In February 2014, an Egyptian hacker managed to remove Mark Zuckerberg’s Facebook timeline cover photo from his account using a private exploit.

We will update our readers as Facebook shares further details on this incident.

Meanwhile, take a moment to reexamine the security of your profile on social media because this incident is a reminder that no platform or organization is safe from cyberattacks. So, users must prefer strong passwords, ideally with 2FA, and avoid using the same password for different accounts.

1.  Facebook glitch sent unintended friend requests to users
2.  NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook Data
3.  Fake Ads Manager Software, Extensions Target Facebook Accounts
4.  Fake ChatGPT and AI pages on Facebook are spreading infostealers
5.  Facebook removes 100s of accounts for spreading iOS, Android malware

Facebook’s Official Page Hacked; Demand Release of Pakistani PM Imran Khan

Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Tag

#ios