Microsoft disrupted a hacking operation linked conducted by Russia-linked APT SEABORGIUM aimed at NATO countries.
The Microsoft Threat Intelligence Center (MSTIC) has disrupted activity by SEABORGIUM (aka ColdRiver, TA446), a Russia-linked threat actor that is behind a persistent hacking campaign targeting people and organizations in NATO countries.
SEABORGIUM has been active since at least 2017, its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. The APT primarily targets NATO countries, but experts also observed campaigns targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine.
The SEABORGIUM group primarily focuses operations on defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education.
The group also targets former intelligence officials, experts in Russian affairs, and Russian citizens abroad.
SEABORGIUM’s campaigns begin with a reconnaissance activity of target individuals, with a focus on identifying their contacts on social networks or the sphere of influence.
“Based on some of the impersonation and targeting observed, we suspect that the threat actor uses social media platforms, personal directories, and general open-source intelligence (OSINT) to supplement their reconnaissance efforts.” reads the post published by Microsoft. “MSTIC, in partnership with LinkedIn, has observed fraudulent profiles attributed to SEABORGIUM being used sporadically for conducting reconnaissance of employees from specific organizations of interest. “
Threat actors used fake identities to contact target individuals and start a conversation with them to build a relationship and trick them into opening an attachment sent via phishing messages
The phishing messages used PDF attachments and in some cases, they included links to file or document hosting services, or to OneDrive accounts hosting the PDF documents.
Upon opening the PDF file, it will display a message stating that the document could not be viewed and that they should click on a button to try again.
Clicking the button, the victim is redirected to a landing page running phishing frameworks, such as EvilGinx, that displays the sign-in page for a legitimate provider and intercept any credentials
After the credentials are captured, the victim is redirected to a website or document to avoid raising suspicion.
Once the attackers have gained access to the targeted email account, they exfiltrate intelligence data (emails and attachments) or set up forwarding rules from victim inboxes to actor-controlled dead drop accounts.
In several cases, SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest.
Microsoft confirmed it has taken action to disrupt SEABORGIUM’s operations by disabling accounts used for surveillance, phishing, and email collection. The IT giant also shared Indicators of compromise (IOCs) for this threat actor, which includes a list of more than sixty domains used by the APT in its phishing campaigns.
The complete list of domains can be found in Microsoft’s advisory, as well as safeguards that network defenders can use to prevent similar attacks.
Defenses include disabling email auto-forwarding in Microsoft 365, using the IOCs to investigate for potential compromise, requiring MFA on all accounts, and for more security, requiring FIDO security keys.
(SecurityAffairs – hacking, NATO)
The post Microsoft disrupts SEABORGIUM ’s ongoing phishing operations appeared first on Security Affairs.
Researchers from threat intelligence firm Cyble reported a surge in attacks targeting virtual network computing (VNC).
Virtual Network Computing (VNC) is a graphical desktop-sharing system that leverages the Remote Frame Buffer (RFB) protocol to control another machine remotely. It transmits the keyboard and mouse input from one computer to another, relaying the graphical-screen updates, over a network.
Researchers from Cyber looked for VNC exposed over the internet and discovered over 8000 VNC instances with authentication disabled, most of them in China, Sweden, and the United States.
Cyble observed a surge in attacks on the default port for VNC, port 5900, most of them originated from the Netherlands, Russia, and Ukraine. Exposing VNCs to the internet, increases the likelihood of a cyberattack.
Threat actors could use the access through VNC to carry out a broad range of malicious activities, such as deploying ransomware, malware, or spy on the victims.
The researchers discovered multiple Human Machine Interface (HMI) systems, Supervisory Control And Data Acquisition Systems (SCADA), Workstations, etc., connected via VNC and exposed over the internet
Cyble also reported that threat actors are selling access to systems exposed on the Internet via VNC on cybercrime forums.
“Our investigation found that selling, buying, and distributing exposed assets connected via VNCs are frequently on cybercrime forums and markets. A few examples of the same can be seen in the figures below.” Cyble states.
The experts pointed out that even if the count of exposed VNCs is low compared to previous years, some of the exposed VNCs belong to various organizations in the Critical Infrastructures sector such as water treatment plants, manufacturing plants, research facilities, etc.
“Remotely accessing the IT/OT infrastructure assets is pretty handy and has been widely adopted due to the COVID-19 Pandemic and work-from-home policies. However, if organizations do not have the appropriate safety measures and security checks in place, this situation can lead to severe monetary loss for an organization. Leaving VNCs exposed over the internet without any authentication makes it fairly easy for intruders to penetrate the victim’s network and create havoc.” Cyble concludes. “Attackers might also try to exploit the VNC service by using various vulnerabilities and techniques, allowing them to connect with the exposed asset(s).”
(SecurityAffairs – hacking, VNC)
The post VNC instances exposed to Internet pose critical infrastructures at risk appeared first on Security Affairs.
Security researchers from Cleafy reported that the SOVA Android banking malware is back and is rapidly evolving.
The SOVA Android banking trojan was improved, it has a new ransomware feature that encrypts files on Android devices, Cleafy researchers report.
The malware has been active since 2021 and evolves over time. The latest version of the SOVA Trojan, 5.0, targets over 200 banking and cryptocurrency exchange apps.
The authors also enhanced its evasion capabilities.
In March 2022, SOVA authors released version 3.0 which was able to capture 2FA codes and cookies, it also implemented new injections to target applications from multiple banks.
Version 4, which was released in July, unlike previous versions includes several new codes. The most interesting capability is the VNC (virtual network computing).
“Starting from SOVA v4, TAs can obtain screenshots of the infected devices, to retrieve more information from the victims. Furthermore, the malware is also able to record and obtain any sensitive information, as shown in Figure 5. These features, combined with Accessibility services, enable TAs to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA).” reads the analysis published by Cleafy. “With SOVA v4, TAs are able to manage multiple commands, such as: screen click, swipe, copy/paste and the capability to show an overlay screen to hide the screen to the victim.”
In SOVA v4, the author has further improved and refactored the cookie stealer mechanism. Another interesting feature updated in SOVA v4 is the protection module, which was designed to protect the malware from the victim’s actions, such as the manual uninstall of the malicious code.
If the user tries to uninstall the malware from the settings or pressing the icon, SOVA is able to intercept these actions and prevent them from abusing the Accessibilities services by returning to the home screen and showing a popup displaying “This app is secured”.
The SOVA v4 also includes a new module designed to target the Binance exchange and the Trust Wallet (official crypto wallet of Binance). The module allows operators to obtain different information, including the balance of the account, the history of the actions performed by the victim, and the seed phrase to access the crypto wallet.
Version 5 was completely refactored and new features and changes were added, including the communications between the malware and the C2 server. Experts noticed that the VNC module has yet to be integrated into the latest version.
The most interesting feature added in SOVA v5 is the ransomware module, which was already announced in the roadmap for September 2021.
The malware encrypts the files inside the infected devices using an AES algorithm and renaming them with the extension “.enc”.
“The ransomware feature is quite interesting as it’s still not a common one in the Android banking trojans landscape. It strongly leverages on the opportunity arises in recent years, as mobile devices became for most people the central storage for personal and business data.” concludes the report. “
With the discovery of SOVA v4 and SOVA v5, we uncovered new evidence about how TAs are constantly improving their malware and the C2 panel, honouring the published roadmap. Although the malware is still under development, it’s ready to carry on fraudulent activities at scale.“
(SecurityAffairs – hacking, SOVA Android banking malware)
The post SOVA Android malware now also encrypts victims’ files appeared first on Security Affairs.
Security Researchers discovered a new PyPI Package designed to drop fileless cryptominer to Linux systems.
Sonatype researchers have discovered a new PyPI package named ‘secretslib‘ that drops fileless cryptominer to the memory of Linux machine systems.
The package describes itself as “secrets matching and verification made easy,” it has a total of 93 downloads since August 6, 2020.
“Sonatype has identified a ‘secretslib’ PyPI package that describes itself as “secrets matching and verification made easy.”” reads the post published by the experts. “On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters.”
The package fetches a Linux executable from a remote server and execute it to drop an ELF file (“memfd“) directly in memory. It is a Monero crypto miner likely created via the ‘memfd_create‘ system call.
“Linux syscalls like ‘memfd_create’ enable programmers to drop “anonymous” files in RAM as opposed to writing the files to disk. Because the intermediate step of outputting the malicious file to the hard drive is skipped, it may not be as easy for antivirus products to proactively catch fileless malware, that now resides in a system’s volatile memory, although the task is certainly not impossible.” continues the analysis. “Moreover, since ‘secretslib’ package deletes ‘tox’ as soon as it runs, and the cryptomining code injected by ‘tox’ resides within the system’s volatile memory (RAM) as opposed to the hard drive, the malicious activity leaves little to no footprint and is quite “invisible” in a forensic sense.”
It is interesting to note that threat actors behind the ‘secretslib’ used the name of an engineer working for Argonne National Laboratory (ANL.gov), an Illinois-based science and engineering research lab operated by UChicago Argonne LLC for the U.S. Department of Energy.
A few days ago, Check Point researchers discovered another ten malicious packages on the Python Package Index (PyPI). The packages install info-stealers that allow threat actors to steal the private data and personal credentials of the developers.
(SecurityAffairs – hacking, PyPI Package)
The post A new PyPI Package was found delivering fileless Linux Malware appeared first on Security Affairs.
China-linked threat actors Iron Tiger backdoored a version of the cross-platform messaging app MiMi to infect systems.
Trend Micro researchers uncovered a new campaign conducted by a China-linked threat actor Iron Tiger that employed a backdoored version of the cross-platform messaging app MiMi Chat App to infect Windows, Mac, and Linux systems.
The Iron Tiger APT (aka Panda Emissary, APT27, Bronze Union, Lucky Mouse, and TG-3390) is active at least since 2010 and targeted organizations in APAC, but since 2013 it is attacking high-technology targets in the US.
Trend Micro experts discovered a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.” While HyperBro is a malware family that is associated with APT27 operations, the Mach-O sample appears to be a new malware family targeting the Mac OS platform. The researchers also found samples compiled to infect Linux systems.
“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.” reads the analysis published by Trend Micro. “Further investigation showed that MiMi chat installers have been compromised to download and install HyperBro samples for the Windows platform and rshell samples for the Mac OS platform.”
The Chinese hackers compromised the installers of the chat application MiMi and the malicious code was used to download and install HyperBro samples for the Windows operating system and rshell for Linux and macOS.
This appears as a supply chain attack because the Iron Tiger APT compromised the server hosting the legitimate installers for this MiMi chat application.
The rshell executable is a standard backdoor that allows operators to collect OS information and send it to the C2 server, receive commands from the C2 server, and send command execution results back to the C2.
The experts noticed that running the DMG installer on a macOS system, the user is displayed several warnings before the backdoored app is installed, such as an alert about an unverified developer.
Both the legitimate and the backdoored versions of the installer were unsigned, this implies that Mac users that want to install MiMi chat were probably used to all these extra steps to finally install it and ignore the warnings.
This is the first time the attackers attempted to target macOS alongside Windows and Linux systems.
Experts found 13 different systems infected by this campaign, eight were compromised with she’ll, six in Taiwan, one in the Philippines, and one being in Taiwan and the Philippines. The remaining ones were infected with HyperBro (four in Taiwan and one in the Philippines).
Below is the timeline of the campaign:
- June 2021: Oldest Linux rshell sample found
- November 2021: Threat actor modified version 2.2.0 of Windows MiMi chat installer to download and execute HyperBro backdoor
- May 2021: Threat actor modified version 2.3.0 of Mac OS MiMi chat installer to download and execute “rshell” backdoor
The analysis also includes a list of Indicators of Compromise (IOCs) for this campaign.
“We attribute this campaign to Iron Tiger for multiple reasons.” concludes the analysis.
(SecurityAffairs – hacking, Iron Tiger)
The post Iron Tiger APT is behind a supply chain attack that employed messaging app MiMi appeared first on Security Affairs.
Flaws in Xiaomi Redmi Note 9T and Redmi Note 11 models could be exploited to disable the mobile payment mechanism and even forge transactions.
Check Point researchers discovered the flaws while analyzing the payment system built into Xiaomi smartphones powered by MediaTek chips.
Trusted execution environment (TEE) is an important component of mobile devices designed to process and store sensitive security information such as cryptographic keys and fingerprints.
TEE protection leverages hardware extensions (such as ARM TrustZone) to secure data in this enclave, even on rooted devices or systems compromised by malware.
The most popular implementations of the TEE are Qualcomm’s Secure Execution Environment (QSEE) and Trustronic’s Kinibi, but most of the devices in the wider Asian market are powered by MediaTek chips, which is less explored by security experts.
The experts explained that on Xiaomi devices, trusted apps are stored in the /vendor/thh/ta directory. The apps are in the format of unencrypted binary file with a specific structure.
Trusted apps of the Kinibi OS have the MCLF format, while Xiaomi uses its own format.
A trusted app can have multiple signatures following the magic fields and the magic fields are the same across all trusted apps on the mobile device.
The researchers noticed that the version control field is omitted in the trusted app’s file format, this means that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file. Using this trick, the TEE will load the app transferred by the attacker.
“Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. To prove the issue, we successfully overwrote the thhadmin trusted app on our test device running MIUI Global 188.8.131.52 OS with an old one extracted from another device running MIUI Global 10.4.1.0 OS.” reads the analysis published by Check Point researchers “The old thhadmin app was successfully launched, even though its code is significantly different from the original.”
The experts also found multiple flaws in “thhadmin,” app that could be exploited to leak stored keys or to execute malicious code in the context of the app.
Check Point researchers have analyzed an embedded mobile payment framework, named Tencent Soter, used by Xiaomi devices. This framework provides an API for third-party Android applications to integrate the payment capabilities. Tencent soter allows to verify payment packages transferred between a mobile application and a remote backend server, it is supported by hundreds of millions Android devices.
A heap overflow vulnerability in the soter trusted app could be exploited to trigger a denial-of-service by an Android app that has no permissions to communicate with the TEE directly.
The researchers demonstrated that it is possible to extract the private keys used to sign payment packages by replacing the soter trusted app with an older version affected by an arbitrary read vulnerability. Xiaomi tracked the issue as CVE-2020–14125.
“This vulnerability [CVE-2020–14125] can be exploited to execute a custom code. Xiaomi trusted apps do not have ASLR. There are examples on the Internet of exploiting such a classic heap overflow vulnerability in Kinibi apps. In practice, our goal is to steal one of the soter private keys, not execute the code. The key leak completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages.” concludes the report.
“To steal a key, we used another arbitrary read vulnerability that exists in the old version of the
soter app (extracted from the MIUI Global 10.4.1.0). As noted, we can downgrade the app on Xiaomi devices.”
Xiaomi addressed the CVE-2020-14125 vulnerability on June 6, 2022.
(SecurityAffairs – hacking, mobile)
The post A flaw in Xiaomi phones using MediaTek Chips could allow to forge transactions appeared first on Security Affairs.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of Zeppelin ransomware attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory to warn of Zeppelin ransomware attacks.
The Zeppelin ransomware first appeared on the threat landscape in November 2019 when experts from BlackBerry Cylance found a new variant of the Vega RaaS, dubbed Zeppelin.
The ransomware was involved in attacks aimed at technology and healthcare, defense contractors, educational institutions, manufacturers, companies across Europe, the United States, and Canada. At the time of its discovery, Zeppelin was distributed through watering hole attacks in which the PowerShell payloads were hosted on the Pastebin website.
Before deploying the Zeppelin ransomware, threat actors spend a couple of weeks mapping or enumerating the victim network to determine where data of interest is stored. The ransomware can be deployed as a .dll or .exe file or contained within a PowerShell loader.
Zeppelin actors request ransom payments in Bitcoin, they range from several thousand dollars to over a million dollars.
The group uses multiple attack vectors to gain access to victim networks, including RDP exploitation, SonicWall firewall vulnerabilities exploitation, and phishing attacks.
The threat actors also implement a double extortion model, threatening to leak stolen files in case the victims refuse to pay the ransom.
Zeppelin is typically deployed as a .dll or .exe file within a PowerShell loader. To each encrypted file, it appends a randomized nine-digit hexadecimal number as an extension. A ransom note is dropped on the compromised systems, usually on the desktop.
“The FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.” reads the joint advisory.
The US agencies recommend not paying the ransom because there is no guarantee to recover the encrypted files and paying the ransomware will encourage the illegal practice of extortion.
The alert also included Indicators of Compromise (IOC) along with MITRE ATT&CK TECHNIQUES for this threat.
The FBI also encourages organizations to report any interactions with Zeppelin operators, including logs, Bitcoin wallet information, encrypted file samples, and decryptor files.
To mitigate the risks of ransomware attacks, organizations are recommended to define a recovery plan, implement multi-factor authentication, keep all operating systems, software, and firmware up to date, enforce a strong passwords policy, segment networks, disable unused ports and services, audit user accounts and domain controllers, implement a least-privilege access policy, review domain controllers, servers, workstations, and active directories, maintain offline backups of data, and identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
“The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file” concludes the alert.
(SecurityAffairs – hacking, Zeppelin ransomware)
The post CISA, FBI shared a joint advisory to warn of Zeppelin ransomware attacks appeared first on Security Affairs.
Russian hacker group Killnet claims to have launched a DDoS attack on the aerospace and defense giant Lockheed Martin.
The Moscow Times first reported that the Pro-Russia hacker group Killnet is claiming responsibility for a recent DDoS attack that hit the aerospace and defense giant Lockheed Martin.
The Killnet group also claims to have stolen data from a Lockheed Martin employee and threatened to share it.
The group has been active since March, it launched DDoS attacks against governments that expressed support to Ukraine, including Italy, Romania, Moldova, the Czech Republic, Lithuania, Norway, and Latvia.
In a video shared by the group on Telegram, the group claimed to have stolen the personal information of the Lockheed Martin employees, including names, email addresses, phone numbers, and pictures.
The group also shared two spreadsheets containing a message in Russian:
“If you have nothing to do, you can email Lockheed Martin Terrorists – photos and videos of the consequences of their manufactured weapons! Let them realize what they create and what they contribute to.” (Tanslated with Google).
At this time it is impossible to determine the real source of these data. Lockheed Martin is aware of the Killnet claims, but it did not comment on them.
(SecurityAffairs – hacking, Killnet)
Researchers discovered a flaw in three signed third-party UEFI boot loaders that allow bypass of the UEFI Secure Boot feature.
Researchers from hardware security firm Eclypsium have discovered a vulnerability in three signed third-party Unified Extensible Firmware Interface (UEFI) boot loaders that can be exploited to bypass the UEFI Secure Boot feature.
Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.”
According to the experts, these three new bootloader vulnerabilities affect most of the devices released over the past 10 years, including x86-64 and ARM-based devices.
“These vulnerabilities could be used by an attacker to easily evade Secure Boot protections and compromise the integrity of the boot process; enabling the attacker to modify the operating system as it loads, install backdoors, and disable operating system security controls.” reads the post published by the experts. “Much like our previous GRUB2 BootHole research, these new vulnerable bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority. By default, this CA is trusted by virtually all traditional Windows and Linux-based systems such as laptops, desktops, servers, tablets, and all-in-one systems.”
Experts pointed out that these bootloaders are signed by the Microsoft UEFI Third Party Certificate Authority, the good news is that the IT giant has already addressed this flaw with the release of Patch Tuesday security updates for August 2020.
The flaws identified by the experts have been rated as:
- CVE-2022-34301 – Eurosoft (UK) Ltd
- CVE-2022-34302 – New Horizon Datasys Inc
- CVE-2022-34303 – CryptoPro Secure Disk for BitLocker
The two CVE-2022-34301 and CVE-2022-34303 are similar in the way they involve signed UEFI shells, the first one the signed shell is esdiags.efi while for the third one (CryptoPro Secure Disk), the shell is Shell_Full.efi.
Threat actors can abuse built-in capabilities such as the ability to read and write to memory, list handles, and map memory, to allow the shell to evade Secure Boot. The experts warn that the exploitation could be easily automated using startup scripts, for this reason, it is likely that threat actors will attempt to exploit it in the wild.
“Exploiting these vulnerabilities requires an attacker to have elevated privileges (Administrator on Windows or root on Linux). However, local privilege escalation is a common problem on both platforms. In particular, Microsoft does not consider UAC-bypass a defendable security boundary and often does not fix reported bypasses, so there are many mechanisms in Windows that can be used to elevate privileges from a non-privileged user to Administrator.” continues the post.
The exploitation of the New Horizon Datasys vulnerability (CVE-2022-34302) is more stealthy, system owners cannot detect the exploitation. The bootloader contains a built-in bypass for Secure Boot that can be exploited to disable the Secure Boot checks while maintaining the Secure Boot on.
“This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code. The simplicity of exploitation makes it highly likely that adversaries will attempt to exploit this particular vulnerability in the wild.” continues the post.
Experts highlighters that the exploitation of these vulnerabilities requires an attacker to have administrator privileges, which can be achieved in different ways.
“Much like BootHole, these vulnerabilities highlight the challenges of ensuring the boot integrity of devices that rely on a complex supply chain of vendors and code working together,” the post concludes. “these issues highlight how simple vulnerabilities in third-party code can undermine the entire process.”
(SecurityAffairs – hacking, UEFI Secure Boot)
The post Three flaws allow attackers to bypass UEFI Secure Boot feature appeared first on Security Affairs.
The U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware gang.
The U.S. State Department announced a $10 million reward for information on five prominent members of the Conti ransomware gang. The government will also reward people that will provide details about Conti and its affiliated groups TrickBot and Wizard Spider.
The reward is covered by the Rewards of Justice program operated by the a U.S. Department of State which offers rewards for information related to threats to homeland security.
According to Wired, which first reported the announcement, the State Department is looking for the members’ physical locations and vacation and travel plans.
This is the first time that the U.S. Government shows the face of a Conti associate, referred to as “Target.”
“Today marks the first time that the US government has publicly identified a Conti operative,” says a State Department official who asked not to be named and did not provide any more information about Target’s identity beyond the picture. “That photo is the first time the US government has ever identified a malicious actor associated with Conti,”
The other members of the Conti gang for which the US Government is offering a reward are referred to as “Tramp,” “Dandis,” “Professor,” and “Reshaev.”
The leaked files revealed that some high-level members of the gang have connections to Russian intelligence.
(SecurityAffairs – hacking, Conti ransomware)
The post The US offers a $10M rewards for info on the Conti ransomware gang’s members appeared first on Security Affairs.
The Department of Homeland Security (DHS) is urging states and localities to beef up security around proprietary devices that connect to the Emergency Alert System — a national public warning system used to deliver important emergency information, such as severe weather and AMBER alerts. The DHS warning came in advance of a workshop to be held this weekend at the DEFCON security conference in Las Vegas, where a security researcher is slated to demonstrate multiple weaknesses in the nationwide alert system.
A Digital Alert Systems EAS encoder/decoder that Pyle said he acquired off eBay in 2019. It had the username and password for the system printed on the machine.
The DHS warning was prompted by security researcher Ken Pyle, a partner at security firm Cybir. Pyle said he started acquiring old EAS equipment off of eBay in 2019, and that he quickly identified a number of serious security vulnerabilities in a device that is broadly used by states and localities to encode and decode EAS alert signals.
“I found all kinds of problems back then, and reported it to the DHS, FBI and the manufacturer,” Pyle said in an interview with KrebsOnSecurity. “But nothing ever happened. I decided I wasn’t going to tell anyone about it yet because I wanted to give people time to fix it.”
Pyle said he took up the research again in earnest after an angry mob stormed the U.S. Capitol on Jan. 6, 2021.
“I was sitting there thinking, ‘Holy shit, someone could start a civil war with this thing,”’ Pyle recalled. “I went back to see if this was still a problem, and it turns out it’s still a very big problem. So I decided that unless someone actually makes this public and talks about it, clearly nothing is going to be done about it.”
The EAS encoder/decoder devices Pyle acquired were made by Lyndonville, NY-based Digital Alert Systems (formerly Monroe Electronics, Inc.), which issued a security advisory this month saying it released patches in 2019 to fix the flaws reported by Pyle, but that some customers are still running outdated versions of the device’s firmware. That may be because the patches were included in version 4 of the firmware for the EAS devices, and many older models apparently do not support the new software.
“The vulnerabilities identified present a potentially serious risk, and we believe both were addressed in software updates issued beginning Oct 2019,” EAS said in a written statement. “We also provided attribution for the researcher’s responsible disclosure, allowing us to rectify the matters before making any public statements. We are aware that some users have not taken corrective actions and updated their software and should immediately take action to update the latest software version to ensure they are not at risk. Anything lower than version 4.1 should be updated immediately. On July 20, 2022, the researcher referred to other potential issues, and we trust the researcher will provide more detail. We will evaluate and work to issue any necessary mitigations as quickly as possible.”
But Pyle said a great many EAS stakeholders are still ignoring basic advice from the manufacturer, such as changing default passwords and placing the devices behind a firewall, not directly exposing them to the Internet, and restricting access only to trusted hosts and networks.
Pyle, in a selfie that is heavily redacted because the EAS device behind him had its user credentials printed on the lid.
Pyle said the biggest threat to the security of the EAS is that an attacker would only need to compromise a single EAS station to send out alerts locally that can be picked up by other EAS systems and retransmitted across the nation.
“The process for alerts is automated in most cases, hence, obtaining access to a device will allow you to pivot around,” he said. “There’s no centralized control of the EAS because these devices are designed such that someone locally can issue an alert, but there’s no central control over whether I am the one person who can send or whatever. If you are a local operator, you can send out nationwide alerts. That’s how easy it is to do this.”
One of the Digital Alert Systems devices Pyle sourced from an electronics recycler earlier this year was non-functioning, but whoever discarded it neglected to wipe the hard drive embedded in the machine. Pyle soon discovered the device contained the private cryptographic keys and other credentials needed to send alerts through Comcast, the nation’s third-largest cable company.
“I can issue and create my own alert here, which has all the valid checks or whatever for being a real alert station,” Pyle said in an interview earlier this month. “I can create a message that will start propagating through the EAS.”
Comcast told KrebsOnSecurity that “a third-party device used to deliver EAS alerts was lost in transit by a trusted shipping provider between two Comcast locations and subsequently obtained by a cybersecurity researcher.
“We’ve conducted a thorough investigation of this matter and have determined that no customer data, and no sensitive Comcast data, were compromised,” Comcast spokesperson David McGuire said.
The company said it also confirmed that the information included on the device can no longer be used to send false messages to Comcast customers or used to compromise devices within Comcast’s network, including EAS devices.
“We are taking steps to further ensure secure transfer of such devices going forward,” McGuire said. “Separately, we have conducted a thorough audit of all EAS devices on our network and confirmed that they are updated with currently available patches and are therefore not vulnerable to recently reported security issues. We’re grateful for the responsible disclosure and to the security research community for continuing to engage and share information with our teams to make our products and technologies ever more secure. Mr. Pyle informed us promptly of his research and worked with us as we took steps to validate his findings and ensure the security of our systems.”
The user interface for an EAS device.
Unauthorized EAS broadcast alerts have happened enough that there is a chronicle of EAS compromises over at fandom.com. Thankfully, most of these incidents have involved fairly obvious hoaxes.
According to the EAS wiki, in February 2013, hackers broke into the EAS networks in Great Falls, Mt. and Marquette, Mich. to broadcast an alert that zombies had risen from their graves in several counties. In Feb. 2017, an EAS station in Indiana also was hacked, with the intruders playing the same “zombies and dead bodies” audio from the 2013 incidents.
“On February 20 and February 21, 2020, Wave Broadband’s EASyCAP equipment was hacked due to the equipment’s default password not being changed,” the Wiki states. “Four alerts were broadcasted, two of which consisted of a Radiological Hazard Warning and a Required Monthly Test playing parts of the Hip Hop song Hot by artist Young Thug.”
In January 2018, Hawaii sent out an alert to cell phones, televisions and radios, warning everyone in the state that a missile was headed their way. It took 38 minutes for Hawaii to let people know the alert was a misfire, and that a draft alert was inadvertently sent. The news video clip below about the 2018 event in Hawaii does a good job of walking through how the EAS works.