πŸ”“ [CyberFacts Weekly - Issue 0x02] The Week of Massive Leaks

Twitch leak (128GB) / Telegraph DB exposed (10TB) / Full iOS 15 decompiled source code / FB/IG/WA disappeared from the Internet / New ESP-persistent UEFI bootkit found / LeakIX 2.0 vs. exposed services / Pandora Papers is the new Panama Papers / SMS-routing service compromised for years / Phrack #70 is out / Apache CVE-2021-41773 patched / SOS.dev pilot to secure OSS / Ransomware gang arrested in Ukraine

I think this week’s featured image by the @archillect AI is very appropriate, given the 3 massive leaks that happened (plus FB/IG/WA downtime, although not due to a security compromise):

  • Twitch (128GB)
  • The Telegraph (10TB)
  • Pandora Papers (11.9M documents)

Plus some leaky Apache Airflow servers exposing credentials of popular services, and iOS 15 decompiled source code dumped online.

On the bright side, The Linux Foundation and Google (which sponsored $1B worth of rewards) has launched a pilot program to reward developers who help open source projects score better (e.g., by contributing fixes, fuzzing harnesses); Apache has released a fix for CVE-2021-42773 (currently exploited in the wild); and LeakIX has announced a game-changing (although a bit controversial) transparent breach-disclosure framework to track unwanted exposed services leaking data, and “pressure” service operators to close or secure them.

With linked content referred or created by: @jonathandata1, @fb_engineering, @ESETresearch, @leak_ix, @ICIJorg, @billtoulas, @BleepinComputer, @IoTInspector, @TheASF, @campuscodi, @Google, @linuxfoundation, @INTERPOL_Cyber, @proofpoint, @NLOKLabs, @_revng, @Claroty, @IntezerLabs, @campuscodi, @trompi, @ProjectZeroBugs, @Certego_IRT, @nohatcon, and @reyammer.



This Week’s Top Picks

#leaks | Twitch Data and Code Base Leaked (alleged “part one” is 128GB)

by sizeof(cat)

A vast portion of Twitch’s code base, if not all of it (although the original file name says part one), has been leaked and is being shared on the Torrent network, with new analyses popping up every day, from the creators' payouts (original site now taken offline), to a selection of their infosec tools (here: archived copy).

Twitch’s official acknowledgement reads as follows:

some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.

Which is a bit too cold and not really informative. I can only vaguely imagine the creators' frustration, as they’re arguably more impacted by this leak than Twitch itself.

#leaks | iOS 15 Decompiled Source Code Published by Researcher

by Jonathan Scott - @jonathandata1

As easy as you read from the title: a mobile hacker has just dropped the full decomplied (non working, but perfectly readable and useful) source code of iOS 15 (and 15.01) on his website. And announced it on Twitter.

#facebook | FB/IG/WA Temporarily Disappeared Because of a Failure in a Routine Maintenance Job on the Backbone Network, which Stopped BGP Advertisments Propagation

by Facebook Engineering - @fb_engineering

[an erroneous router admin command] caused a complete disconnection of our server connections between our data centers and the internet. And that total loss of connection caused a second issue that made things worse.

This wasn’t a DNS issue itself, but failing DNS was the first symptom [Cloudflare had] seen of a larger Facebook outage.

#malware | New UEFI Bootkit that Persists in the EFI System Partition (ESP) Discovered in the Wild

by ESET Research - @ESETresearch

ESET reseaerchers have discovered and analyzed a previously undocumented UEFI bootkit that can persist into the EFI system partition (ESP). When a computer starts up, the UEFI firmware loads and starts files stored on the ESP, so, this is a perfect mechanism for malware persistence (the modern take on MBR malware, in some ways).

Dubbed ESPecter, the researchers wrote that this is

the second real-world case of a UEFI bootkit persisting on the ESP in the form of a patched Windows Boot Manager to be analyzed.

#leak | The Telegraph Notified by LeakIX About a Leaking 10TB Database

by Bill Toulas - @billtoulas for Bleeping Computer - @BleepinComputer

The Telegraph.co.uk has been notified by LeakIX of a 10TB database exposed online. According to the detailed report, it was a production Elastic Search used for logging, likely hosted in Google Cloud Platform (the domain name contains platforms-prod-gcp).

#leak | LeakIX’s Transparent, Game-changing Approach to Breach Disclosure (and Prevention)

by @leak_ix

LeakIX is a fast growing service that takes an agile approach to monitoring exposed services that leak data, by randomly scanning the IP space (leaks are random!), piping exposed service ip-port lists through a series of post-processing steps that enriches each finding with detailed metadata, useful to tell leaks from false positives, and categorize, prioritize each discovered service in various way. LeakIX 2.0 launches a program for voluntary researchers, allowing them to gain points by analyzing and reporting leaks, with points that can be redeemed to access members-only content.

I have a love-hate relationship with LeakIX. While I think it’s fundamental to pursue continuous service monitoring (to the point that I’ve humbly contributed a LeakIX plugin to find exposed Firebase instances), I was a bit surprised to see their approach to disclosing leaks. They use public reports, with very detailed tracking information, including the full cleartext correspondence between the researcher who found the leak and the service operator(s) (see examples here). This is a big step forward and game-changing approach, because it puts real pressure on the operators to minimize exposures and speedup their incident response process to close leaking services. However, the degree of details included in the reports is a bit…ahem…too much for a public page, IMHO.

#leak | Pandora Papers: 11.9 Million (No Longer Secret) Records From 14 Offshore Firms

by International Consortium of Investigative Journalists - @ICIJorg

Remember the Panama Papers? Great! Pandora Papers is another great investigation conducted by the ICIJ to expose the rogue offshore finance industry, adding 11.9 million records to the existing 11.5 millions collected by the Panama Papers.

#telco | SMS-routing Company Syniverse has Been Compromised for Years

by Lorenzo Franceschi-Bicchierai - @lorenzofb for Motherboard - @motherboard

An SMS-routing services used by AT&T, T-Mobile, Verizon, Vodafone, and China Mobile, handling billions of text messages, has disclosed that it has been compromised for years, impacting around 235 of its customers. In addition to SMS routing, the company manages roaming across networks using SS7 and Diameter.

#hacking | Phrack #70 is Out!

by Phrack Staff

5 years after the previous issue, Volume 0x10, Issue 0x46, Phile #0x01 of 0x0f of Phrack is out! I’ve read the introduction and skimmed through the titles. Here are my highlights:

We are all ego-driven […] We expect direct payback from our hacking, in many forms, including reputation. […] It became a symbol of achievement, eliteness, and honor to be published in Phrack.

And then the best part:

Academia noticed the high quality of Phrack papers, started citing them, and basing their offensive and defensive work on them. Did that alienate the underground that Phrack represented for so many years? Yes, we think it did. But the underground also changed.

If you’re interested in the delicate balance between industry vs. academia and the (lack of) recognition of outstandingly good non-peer-reviewed work, read @reyammer’s take on the topic.

Articles that I may find the time to read, one day or another:

#vuln | 10-years Old UPnP Vulnerabilities in Broadcom’s SDK Still Affecting Cisco, DD-WRT, and Linksys Routers

by IoT Inspector - @IoTInspector

Two vulnerabilities in the UPnP implementation (stack and heap based overflow) patched in Broadcom’s SDK in 2011 “resurfaced” in the firmware running on various routers from Cisco, DD-WRT and Linksys, which means that the issue isn’t in the routers' firmware, but in the use of an older, unpatched version of the Broadcom SDK. What’s worse is that there’s no public/tracked disclosure by Broadcom, and thus no CVEs. Despite the messy supply chain and CVEs issued only by the router vendors, with some careful firmware digging, it’s still possible to determine if a firmware includes a vulnerable version of the Broadcome SDK.

#vuln | Apache Partially Patches Path Traversal Vulnerability Actively Exploited in the Wild (CVE-2021-41773)

by Apache - @TheASF via Catalin Cimpanu - @campuscodi

Although my personal mantra recites that “vulnerabilities are a natural part of each engineering artifact," and I also agree with the line of thought that the cyber-security issues (regardless of their extent) are causing more benefit (i.e., profit) than damage, globally, …, well, seeing a path traversal kinda brought me (and many of us!) back a couple of decades. Apache HTTP Server 2.4.51 has partial fixes for this vulnerability.

#opensource | The Linux Foundation + Google Launch Pilot Program to Secure Open Source Software ($1M Sponsorship)

by Google - @Google and The Linux Foundation - @linuxfoundation

The Secure Open Source Rewards pilot program financially rewards developers for enhancing the security of critical open source projects that we all depend on.

I love this! I like to think of it as an extension of Google’s OSS-Fuzz integration reward program, which financially rewards researchers that integrate fuzzing harnesses for relevant, popular open source software.

#arrest | Prolific Ransomware Gang Active since 2020 Arrested in Ukraine

by INTERPOL - @INTERPOL_Cyber via Catalin Cimpanu - @campuscodi

Announced on Oct 4th, the arrests were made on Sep 28th, as a cooperative joint effort involving the French National Gendarmerie, the Ukrainian National Police and the United States Federal Bureau of Investigation (FBI), INTERPOL and Europol.

Also Noteworthy

#healthcare | ICS Medical Advisory for Medtronic MiniMed MMT-500/503 Insuline Pump Remote Controller RF Replay-attack Vulnerability (ICSMA-18-219-02)

by CISA - @CISAgov

Capture-replay attacks of wireless communications can be surprisingly successful in the ICS domain, where it’s easy to encounter proprietary wireless stacks. Fortunately, the risk assessment reveals the real extent of this vulnerability:

Successful exploitation of these vulnerabilities may allow an attacker to replay captured wireless communications and cause an insulin (bolus) delivery. This is only possible when non-default options are configured. Additionally, the pump will annunciate this by providing a physical alert, and the user has the capability to suspend the bolus delivery.

#mobile | TangleBot COVID-themed Malware Campaign Spreads via SMS Targeting US/Canadian Android Users

by Proofpoint - @proofpoint

[Since September 2021] TangleBot is leveraging COVID-19 and electricity-themed lures in its effort to convince users to click on the malicious link and install the malware. [The malicious SMS links target] Android mobile devices and are currently only being sent to US and Canadian users.

#mobile | Fake COVID-19 Android Apps Infected with Spyware, RATs, and Other Malware

by NortonLifeLock Labs - @NLOKLabs

It’s been found that a large percent of COVID-themed apps are actually malware. 19.5% of the analyzed 2,293 apps, found by searching for “covid” or “coronavirus”, turned out to be malicious. US, Italy, and Germany are the countries with the highest fraction of affected users.

#RE | “no contract can prevent you from decompiling software you bought, if your goal is fixing a bug”

via rev.ng - @_revng

#ics | Honeywell Fixes 3 Vulnerabilities in their PKS (CVE-2021-38397, CVE-2021-38395, CVE-2021-38399)

by Claroty’s Team82 - @Claroty

Honeywell has addressed the vulnerabilities and issued an advisory, and ICS-CERT published an independent advisory, ICSA-21-287-04, assigning the highest CVSS score (10.0).

by Intezer - @IntezerLabs

One more on leaky servers this week. Apache Airflow (a task-orchestration framework written in Python) is gaining a lot of attention recently by the developers' communities, mainly because of its flexibility and low entry barrier.

#darkweb | Dark Web Marketplace ‘White House Market’ Shuts Down

by Catalin Cimpanu - @campuscodi

Thanks everybody for your business, trust, support and of course for placing decent amounts of money in our pockets. We may come back some time in the future with a different project or we may not. Meanwhile be on the lookout for phishing or copycats, if it’s not signed by us it’s not us.

Mr_White, WHM administrator

#ransomware | VirusTotal Publishes First Ransomware Activity Report

by Vicente Diaz - @trompi

I don’t like gated content (here’s the direct link to the PDF), but the numbers make this report a must read:

  • Since 2020, users from more than 140 countries have submitted ransomware samples to VirusTotal.
  • During this time, at least 130 different ransomware families have been active.
  • Israel, South Korea, Vietnam, China, Singapore, India, Kazakhstan, Philippines, Iran and the UK are the 10 most affected territories based on the number of submissions to VirusTotal.
  • Activity among the most spread ransomware families comes and goes, but there is a baseline of activity of around 100 not-so-popular ransomware families that never stops.
  • According to our observations, it seems that in most cases attackers prepare fresh new samples for their campaigns.
  • In July 2021 we observed a wave of the new variant of Babuk ransomware.
  • GandCrab was the most active family in early 2020, before its prevalence decreased dramatically in the second half of the year.

I was a bit surprised to see a sudden drop in the number of ransomware sample submissions, which decreased by at least a factor of 3x (if not 4x) after July 2020, with a spike in July 2021 (Kaseya hit by REvil, maybe?).

#airgap | Ethertnet Cables Make Good Antennae to Exfiltrate Data from Air-Gapped Networks

by Mordechai Guri

An antenna is just a cable cut at right (wave)length so that it resonates at the desired frequency, right? Not quite as easy, but that’s the idea. The author shows that by leveraging electro-magnetic emanations of a LAN cable, it’s possible to encode information that can be decoded a few meters away. Mordechai Guri’s research track on air-gap jumping techniques is just impressive. Since 2014 he’s focusing 99% of his research on finding the most creative exfiltration mechanisms (e.g., bliking LED, HDD vibrations, computer or CPU fan) to demonstrate that it’s not only possible, but practical (to some extent) to implement malware that jumps across air-gapped computers.

Tools

Google Project Zero Releases Robust C/C++ Semantic Search Tool to Grep Your Code for (Anti or Any) Patterns

by @ProjectZeroBugs

I tried it: I was impressed by how low the entry barrier and how expressive the query language is:

$ weggli '{
    _ $buf[_];
    memcpy($buf,_,_);
}' ./target/src

I mean, how neat is that!

Dragonfly: A Multi-engine Emulation-based Sandbox Available in Closed Alpha

by Certego - @Certego_IRT

Dragonfly is an automated sandbox, developed by Certego, built over different emulation engines: it allows to customize the entire operating system and the rules used to hunt malware.

Conferences

NoHat 2021 Tickets Almost Sold Out!

This conference is probably one of the most selective venues in Italy, and this is well reflected by the speaker lineup, which includes mostly international speakers among the top researchers in their areas: Fuzzing, vulnerability research, hardware security, mobile security, malware detection, reverse engineering. Check out the program (and attend if you can!). No wonder the tickets are almost all gone!

by @nohatcon

CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! πŸ™ƒ

Thanks! Cheers, Fede

Federico Maggi
Federico Maggi
Senior Researcher

I enjoy doing research on various cyber-security topics. I work with Trend Micro Research in a global team that focuses on technology and cyber-crime research.