What a toy robot can do

The toy robot model that we studied is a kind of hybrid between a smartphone/tablet and a smart-speaker on wheels that enables it to move about. The robot has no limbs, so rolling around the house is its only option to physically interact with its environment.

The robot’s centerpiece is a large touchscreen that can display a control UI, interactive learning apps for kids, and a lively, detailed animated cartoon-like face. Its facial expressions change with context: to their credit the developers did a great job on the robot’s personality.

You can control the robot with voice commands, but some of its features don’t support these, so sometimes you have to catch the robot and poke its face the built-in screen.

In addition to a built-in microphone and a rather loud speaker, the robot has a wide-angle camera placed just above the screen. A key feature touted by the vendor is parents’ ability to video-call their kids right through the robot.

On the front face, about halfway between the screen and the wheels, is an extra optical-object-recognition sensor that helps the robot avoid collisions. Obstacle recognition being totally independent of the main camera, the developers very usefully added a physical shutter that completely covers the latter.

So, if you’re concerned that someone might be peeping at you and/or your child through that camera — sadly not without reason as we’ll learn later — you can simply close the shutter. And in case you’re worried that someone might be eavesdropping on you through the built-in microphone, you can just turn off the robot (and judging by the time it takes to boot back up, this is an honest-to-goodness shutdown — not a sleep mode).

As you’d expect, an app for controlling and monitoring the toy is available for parents to use. And, as you must have guessed by now, it’s all connected to the internet and employs a bunch of cloud services under the hood. If you’re interested in the technical details, you can find these in the full version of the security research, which we’ve published on Securelist.

As usual, the more complex the system — the more likely it is to have security holes, which someone might try to exploit to do something unsavory. And here we’ve reached the key point of this post: after studying the robot closely, we found several serious vulnerabilities.

Unauthorized video calling

The first thing we found during our research was that malicious actors could make video calls to any robot of this kind. The vendor’s server issued video session tokens to anyone who had both the robot ID and the parent ID. The robot’s ID wasn’t hard to brute-force: every toy had a nine-character ID similar to the serial number printed on its body, with the first two characters being the same for every unit. And the parent’s ID could be obtained by sending a request with the robot ID to the manufacturer’s server without any authentication.

Thus, a malicious actor who wanted to call a random child could either try to guess a specific robot’s ID, or play a chat-roulette game by calling random IDs.

Complete parental account hijack

It doesn’t end there. The gullible system let anyone with a robot ID retrieve lots of personal information from the server: IP address, country of residence, kid’s name, gender, age — along with details of the parental account: parent’s email address, phone number, and the code that links the parental app to the robot.

This, in turn, opened the door for a far more hazardous attack: complete parental-account hijack. A malicious actor would only have needed to have taken a few simple steps:

• The first one would have been to log in to the parental account from their own device by using the email address or phone number obtained previously. Authorization required submitting a six-digit one-time code, but login attempts were unlimited so trivial brute-forcing would have done the trick.
• It would only have taken one click to unlink the robot from the true parental account.
• Next would have been linking it to the attacker’s account. Account verification relied on the linking-code mentioned above, and the server would send it to all comers.

A successful attack would have resulted in the parents losing all access to the robot, and recovering it would have required contacting tech support. Even then, the attacker could still have repeated the whole process again, because all they needed was the robot ID, which remained unchanged.

Uploading modified firmware

Finally, as we studied the way that the robot’s various systems functioned, we discovered security issues with the software update process. Update packages came without a digital signature, and the robot installed a specially formatted update archive received from the vendor’s server without running any verifications first.

This opened possibilities for attacking the update server, replacing the archive with a modified one, and uploading malicious firmware that let the attacker execute arbitrary commands with superuser permissions on all robots. In theory, the attackers would then have been able to assume control over the robot’s movements, use the built-in cameras and microphones for spying, make calls to robots, and so on.

How to stay safe

This tale has a happy ending, though. We informed the toy’s developers about the issues we’d discovered, and they took steps to fix them. The vulnerabilities described above have all been fixed.

In closing, here are a few tips on staying safe while using various smart gadgets:

• Remember that all kinds of smart devices — even toys — are typically highly complex digital systems whose developers often fail to ensure secure and reliable storage of user data.
• As you shop for a device, be sure to closely read user feedback and reviews and, ideally, any security reports if you can find them.
• Keep in mind that the mere discovery of vulnerabilities in a device doesn’t make it inferior: issues can be found anywhere. What you need to look for is the vendor’s response: it’s a good sign if any issues have been fixed. It’s not a good thing if the vendor appears not to care.
• To avoid being spied or eavesdropped on by your smart devices, turn them off when you’re not using them, and shutter or tape over the camera.
• Finally, it goes without saying that you should protect all your family members’ devices with a reliable security solution. A toy-robot hack is admittedly an exotic threat — but the likelihood of encountering other types of online threats is still very high these days.

January 2023: LockBit attack on the UK’s Royal Mail

The year kicked off with the LockBit group attacking Royal Mail, the UK’s national postal service. The attack paralyzed international mail delivery, leaving millions of letters and parcels stuck in the company’s system. On top of that, the parcel tracking website, online payment system, and several other services were also crippled; and at the Royal Mail distribution center in Northern Ireland, printers began spewing out copies of the LockBit group’s distinctive orange ransom note.

The LockBit ransom note that printers at the Royal Mail distribution center began printing in earnest. Source

As is commonly the case with modern ransomware attacks, LockBit threatened to post stolen data online unless the ransom was paid. Royal Mail refused to pay up, so the data ended up being published.

February 2023: ESXiArgs attacks VMware ESXi servers worldwide

February saw a massive automated ESXiArgs ransomware attack on organizations through the RCE vulnerability CVE-2021-21974 in VMware ESXi servers. Although VMware released a patch for this vulnerability back in early 2021, the attack left more than 3000 VMware ESXi servers encrypted.

The attack operators demanded just over 2BTC (around $45,000 at the time of the attack). For each individual victim they generated a new Bitcoin wallet and put its address in the ransom note.

Ransom demand from the original version of ESXiArgs ransomware. Source

Just days after the attack began, the cybercriminals unleashed a new strain of the cryptomalware, making it far harder to recover encrypted virtual machines. To make their activities more difficult to trace, they also stopped giving out ransom wallet addresses, prompting victims to make contact through the P2P messenger Tox instead.

March 2023: Clop group widely exploits a zero-day in GoAnywhere MFT

In March 2023, the Clop group began widely exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) tool. Clop is well-known for its penchant for exploiting vulnerabilities in such services: in 2020–2021, the group attacked organizations through a hole in Accelon FTA, switching in late 2021 to exploiting a vulnerability in SolarWinds Serv-U.

In total, more than 100 organizations suffered attacks on vulnerable GoAnywhere MFT servers, including Procter & Gamble, the City of Toronto, and Community Health Systems — one of the largest healthcare providers in the U.S.

Map of GoAnywhere MFT servers connected to the internet. Source

April 2023: NCR Aloha POS terminals disabled by BlackCat attack

In April, the ALPHV group (aka BlackCat —  after the ransomware it uses) attacked NCR, a U.S. manufacturer and servicer of ATMs, barcode readers, payment terminals, and other retail and banking equipment.

The ransomware attack shut down the data centers handling the Aloha POS platform — which is used in restaurants, primarily fast food — for several days.

NCR Aloha POS platform disabled by the ALPHV/BlackCat group. Source

Essentially, the platform is a one-stop shop for managing catering operations: from processing payments, taking online orders, and operating a loyalty program, to managing the preparation of dishes in the kitchen and payroll accounting. As a result of the ransomware attack on NCR, many catering establishments were forced to revert to pen and paper.

May 2023: Royal ransomware attack on the City of Dallas

Early May saw a ransomware attack on municipal services in Dallas, Texas — the ninth most populous city in the U.S. Most affected were IT systems and communications of the Dallas Police Department, and printers on the City of Dallas network began churning out ransom notes.

The Royal ransom note printed out through City of Dallas network printers. Source

Later that month, there was another ransomware attack on an urban municipality: the target this time was the City of Augusta in the U.S. state of Georgia, and the perpetrators were the BlackByte group.

June 2023: Clop group launches massive attacks through vulnerability in MOVEit Transfer

In June, the same Clop group responsible for the February attacks on Fortra GoAnywhere MFT began exploiting a vulnerability in another managed file transfer tool — Progress Software’s MOVEit Transfer. This vulnerability, CVE-2023-34362, was disclosed and fixed by Progress on the last day of May, but as usual, not all clients managed to apply the patches quickly enough.

This ransomware attack — one of the largest incidents of the year — affected numerous organizations, including the oil company Shell, the New York City Department of Education, the BBC media corporation, the British pharmacy chain Boots, the Irish airline Aer Lingus, the University of Georgia, and the German printing equipment manufacturer Heidelberger Druckmaschinen.

The Clop website instructs affected companies to contact the group for negotiations. Source

July 2023: University of Hawaii pays ransom to the NoEscape group

In July, the University of Hawaii admitted to paying off ransomwarers. The incident itself occurred a month earlier when all eyes were fixed on the attacks on MOVEit. During that time, a relatively new group going by the name of NoEscape infected one of the university departments, Hawaiian Community College, with ransomware.

Having stolen 65GB of data, the attackers threatened the university with publication. The personal information of 28,000 people was apparently at risk of compromise. It was this fact that convinced the university to pay the ransom to the extortionists.

NoEscape announces the hack of the University of Hawaii on its website. Source

Of note is that university staff had to temporarily shut down IT systems to stop the ransomware from spreading. Although the NoEscape group supplied a decryption key upon payment of the ransom, the restoration of the IT infrastructure was expected to take two months.

August 2023: Rhysida targets the healthcare sector

August was marked by a series of attacks by the Rhysida ransomware group on the healthcare sector. Prospect Medical Holdings (PMH), which operates 16 hospitals and 165 clinics across several American states, was the organization that suffered the most.

The hackers claimed to have stolen 1TB of corporate documents and a 1.3 TB SQL database containing 500,000 social security numbers, passports, driver’s licenses, patient medical records, as well as financial and legal documents. The cybercriminals demanded a 50BTC ransom (then around $1.3 million).

Ransom note from the Rhysida group. Source

September 2023: BlackCat attacks Caesars and MGM casinos

In early September, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains — Caesars and MGM — in one stroke. Behind the attacks was the ALPHV/BlackCat group, mentioned above in connection with the assault on the NCR Aloha POS platform.

The incident shut down the companies’ entire infrastructure — from hotel check-in systems to slot machines. Interestingly, the victims responded in very different ways. Caesars decided to pay the extortionists $15 million, half of the original $30 million demand.

MGM chose not to pay up, but rather to restore the infrastructure on its own. The recovery process took nine days, during which time the company lost $100 million (its own estimate), of which $10 million was direct costs related to restoring the downed IT systems.

Caesars and MGM own more than half of Las Vegas casinos

October 2023: BianLian group extorts Air Canada

A month later, the BianLian group targeted Canada’s flag carrier, Air Canada. The attackers claim they stole more than 210GB of various information, including employee/supplier data and confidential documents. In particular, the attackers managed to steal information on technical violations and security issues of the airline.

The BianLian website demands a ransom from Air Canada Source

November 2023: LockBit group exploits Citrix Bleed vulnerability

November was remembered for a Citrix Bleed vulnerability exploited by the LockBit group, which we also discussed above. Although patches for this vulnerability were published a month earlier, at the time of the large-scale attack more than 10,000 publicly accessible servers remained vulnerable. This is what the LockBit ransomware took advantage of to breach the systems of several major companies, steal data, and encrypt files.

Among the big-name victims was Boeing, whose stolen data the attackers ended up publishing without waiting for the ransom to be paid. The ransomware also hit the Industrial and Commercial Bank of China (ICBC), the largest commercial bank in the world.

The LockBit website demands a ransom from Boeing

The incident badly hurt the Australian arm of DP World, a major UAE-based logistics company that operates dozens of ports and container terminals worldwide. The attack on DP World Australia’s IT systems massively disrupted its logistics operations, leaving some 30,000 containers stranded in Australian ports.

December 2023: ALPHV/BlackCat infrastructure seized by law enforcement

Toward the end of the year, a joint operation by the FBI, the U.S. Department of Justice, Europol, and law enforcement agencies of several European countries deprived the ALPHV/BlackCat ransomware group of control over its infrastructure. Having hacked it, they quietly observed the cybercriminals’ actions for several months, collecting data decryption keys and aiding BlackCat victims.

In this way, the agencies rid more than 500 organizations worldwide of the ransom threat and saved around $68 million in potential payouts. This was followed in December by a final takeover of the servers, putting an end to BlackCat’s operations.

The joint law enforcement operation to seize ALPHV/BlackCat infrastructure. Source

Various statistics about the ransomware group’s operations were also made public. According to the FBI, during the two years of its activity, ALPHV/BlackCat breached more than a thousand organizations, demanded a total of more than $500 million from victims, and received around $300 million in ransom payments.

How to guard against ransomware attacks

Ransomware attacks are becoming more varied and sophisticated with each passing year, so there isn’t (and can’t be) one killer catch-all tip to prevent incidents. Defense measures must be comprehensive. Focus on the following tasks:

• Train employees in cybersecurity awareness.
• Implement and refine data storage and employee access
• Back up important data regularly and isolate it from the network.
• Install robust protection on all corporate devices.
• Monitor suspicious activity on the corporate network using an Endpoint Detection and Response (EDR)
• Outsource threat search and response to a specialist company if your in-house information security lacks the capability.

An attack they dubbed KeyTrap, which exploits the vulnerability, can disable a DNS server by sending it a single malicious data packet. Read on to find out more about this attack.

How KeyTrap works and what makes it dangerous

The DNSSEC vulnerability has only recently become public knowledge, but it was discovered back in December 2023 and registered as CVE-2023-50387. It was assigned a CVSS 3.1 score of 7.5, and a severity rating of “High”. Complete information about the vulnerability and the attack associated with it is yet to be published.

Here’s how KeyTrap works. The malicious actor sets up a nameserver that responds to requests from caching DNS servers – that is, those which serve client requests directly – with a malicious packet. Next, the attacker has the caching-server request a DNS record from their malicious nameserver. The record sent in response is a cryptographically-signed malicious one. The way the signature is crafted causes the attacked DNS server trying to verify it to run at full CPU capacity for a long period of time.

According to the researchers, a single such malicious packet can freeze the DNS server for anywhere from 170 seconds to 16 hours – depending on the software it runs on. The KeyTrap attack can not only deny access to web content to all clients using the targeted DNS server, but also disrupt various infrastructural services such as spam protection, digital certificate management (PKI), and secure cross-domain routing (RPKI).

The researchers refer to KeyTrap as “the worst attack on DNS ever discovered”. Interestingly enough, the flaws in the signature validation logic making KeyTrap possible were discovered in one of the earliest versions of the DNSSEC specification, published as far back as… 1999. In other words, the vulnerability is about to turn 25!

The origins of KeyTrap can be traced back to RFC-2035, the DNSSEC specification published in 1999

Fending off KeyTrap

The researchers have alerted all DNS server software developers and major public DNS providers. Updates and security advisories to fix CVE-2023-50387 are now available for PowerDNS, NLnet Labs Unbound, and Internet Systems Consortium BIND9. If you are an administrator of a DNS server, it’s high time to install the updates.

Bear in mind, though, that the DNSSEC logic issues that have made KeyTrap possible are fundamental in nature and not easily fixed. Patches released by DNS software developers can only go some way toward solving the problem, as the vulnerability is part of standard, rather than specific implementations. “If we launch [KeyTrap] against a patched resolver, we still get 100 percent CPU usage but it can still respond,” said one of the researchers.

Practical exploitation of the flaw remains a possibility, with the potential result being unpredictable resolver failures. In case this happens, corporate network administrators would do well to prepare a list of backup DNS servers in advance so they can switch as needed to keep the network functioning normally and let users browse the web resources they need unimpeded.

Which systems are affected by CVE-2023-6246?

The Qualys researchers who discovered the vulnerability tested a number of popular Linux-based system installations, and identified several vulnerable systems: Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora Linux versions 37 through 39. However, experts add that other distributions are probably also affected by this vulnerability. CVE-2023-6246 is present in the library version 2.36 and older. The glibc developers fixed the vulnerability in version 2.39 on January 31 – a day after information about it was published.

What is the CVE-2023-6246 vulnerability and where did it come from?

The vulnerability CVE-2023-6246 is related to a dynamic memory buffer overflow and belongs to the LPE (Local Privilege Escalation) class. In simple terms, an attacker who already has user access to a system can use vulnerable function calls to escalate their privileges to the super-user level.

This vulnerability was first added to the library in version 2.37, in August 2022, in an attempt to close the less dangerous vulnerability CVE-2022-39046. Subsequently, the library developers made the same change in version 2.36.

How to stay safe?

First you need to update the glibc library to version 2.39. Since attackers must already have access to the system to exploit this vulnerability (and all LPE vulnerabilities in general), CVE-2023-6246 will most likely be exploited in complex multi-stage attacks. Therefore, we recommend using solutions that can protect Linux as well. For example, our Kaspersky Endpoint Security solution includes the Kaspersky Endpoint Security for Linux application, which combats modern threats to Linux-based systems.

Vulnerability CVE-2024-0204 in GoAnywhere MFT

Let’s start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at that time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to clients.

The essence of the vulnerability is as follows. After a user completes initial setup of GoAnywhere, the product’s internal logic blocks access to the initial account setup page. Then when they attempt to access this page, they’re redirected either to the admin panel (if they’re authenticated as an administrator) or to the authentication page.

However, researchers discovered that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges.

As proof of the attack’s feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path:

Part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that enables the creation of users with administrator privileges

In general, this vulnerability closely resembles that discovered in Atlassian Confluence Data Center and Confluence Server a few months ago; there, too, it was possible to create admin accounts in a few simple steps.

Fortra assigned vulnerability CVE-2024-0204 “critical” status, with a CVSS 3.1 score of 9.8 out of 10.

A little context is necessary here. In 2023, the Clop ransomware group already exploited vulnerabilities in Fortra GoAnywhere MFT and also similar products from other developers — Progress MOVEit, Accellion FTA, and SolarWinds Serv-U — to attack hundreds of organizations worldwide. In particular, companies such as Procter & Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.A.), and the municipality of Toronto suffered from the exploitation of the GoAnywhere MFT vulnerability.

How to defend against CVE-2024-0204 exploitation

The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 immediately, which fixes the logic for denying access to the InitialAccountSetup.xhtml page.

If you can’t install the update for some reason, you can try one of two simple workarounds:

• Delete the InitialAccountSetup.xhtml file in the installation folder and restart the service;

or

• Replace InitialAccountSetup.xhtml with a blank file and restart the service.

You should also use an EDR (Endpoint Detection and Response) solution to monitor suspicious activity in the corporate network. If your internal cybersecurity team lacks the skills or resources for this, you can use an external service to continuously hunt for threats to your organization and swiftly respond to them.

Why Polish hackers broke into trains

Around five years ago, Poland’s Koleje Dolnośląskie (KD) rail operator bought 11 Impuls 45WE trains from domestic manufacturer Newag. Fast-forward to recent times, and after five years of heavy use it was time for a service and some maintenance: a rather complex and expensive process that a train has to undergo after clocking up a million kilometers.

To select a workshop to service the trains, KD arranged a tender. Newag was among the bidders, but they lost to Serwis Pojazdów Szynowych (SPS), which underbid them by a significant margin.

However, once SPS was done with servicing the first of the trains, they found that it simply wouldn’t start up any more — despite seeming to be fine both mechanically and electrically. All kinds of diagnostic instruments revealed that the train had zero defects in it, and all the mechanics and electricians that worked on it agreed. No matter: the train simply would not start.

Shortly after, several other trains serviced by SPS — plus another taken to a different shop — ended up in a similar condition. This is when SPS, after trying repeatedly to unravel the mystery, decided to bring in a (white-hat) hacker team.

Inside the driver’s cabin of one of the Newag Impuls trains that were investigated. Source

Manufacturer’s malicious implants and backdoors in the train firmware

The researchers spent several months reverse-engineering, analyzing, and comparing the firmware from the trains that had been bricked and those still running. As a result, they learned how to start up the mysteriously broken-down trains, while at the same time discovering a number of interesting mechanisms embedded in the code by Newag’s software developers.

For example, they found that one of the trains’ computer systems contained code that checked GPS coordinates. If the train spent more than 10 days in any one of certain specified areas, it wouldn’t start anymore. What were those areas? The coordinates were associated with several third-party repair shops. Newag’s own workshops were featured in the code too, but the train lock wasn’t triggered in those, which means they were probably used for testing.

Areas on the map where the trains would be locked. Source

Another mechanism in the code immobilized the train after detecting that the serial number of one of the parts had changed (indicating that this part had been replaced). To mobilize the train again, a predefined combination of keys on the onboard computer in the driver’s cabin had to be pressed.

A further interesting booby trap was found inside one of the trains’ systems. It reported a compressor malfunction if the current day of the month was the 21^st or later, the month was either 11^th or later and the year was 2021 or later. It turned out that November 2021, was the scheduled maintenance date for that particular train. The trigger was miraculously avoided because the train left for maintenance earlier than planned and returned for a service only in January 2022, the 1^st month, which is obviously before 11^th.

Another example: one of the trains was found to contain a device marked “UDP<->CAN Converter”, which was connected to a GSM modem to receive lock status information from the onboard computer.

The most frequently found mechanism — and we should note here that each train had a different set of mechanisms — was designed to lock the train if it remained parked for a certain number of days, which signified maintenance for a train in active service. In total, Dragon Sector investigated 30 Impuls trains operated by KD and other rail carriers. A whopping 24 of them were found to contain malicious implants of some sort.

One of the researchers next to the train. Source

How to protect your systems from malicious implants

This story just goes to show that you can encounter malicious implants in the most unexpected of places and in all kinds of IT systems. So, no matter what kind of project you’re working on, if it contains any third-party code — let alone a whole system based on it — it makes sense to at least run an information security audit before going live.

We will not repeat all the nuts and bolts of this report — you can find technical details in a post on the Securelist blog or you can listen the recording of the talk on the conference’s official website. Here we will briefly describe the main points.

• As we already have written in the beginning of this summer, the attack started with an invisible iMessage, which contained a malicious attachment that was processed without the user’s knowledge. This attack did not require any actions from the user at all.
• Our experts were able to detect the attack by monitoring a corporate Wi-Fi network using our own SIEM system Kaspersky Unified Monitoring and Analysis Platform (KUMA).
• The attack employed four zero-day vulnerabilities that affected all iOS devices up to version 16.2: CVE-2023-32434, CVE-2023-32435, CVE-2023-41990 and the aforementioned CVE-2023-38606.
• The obfuscated Triangulation exploit could work both on modern versions of the iPhone and on fairly old models. And if attacking newer iPhones it could bypass Pointer Authentication Code (PAC).
• The CVE-2023-32434 vulnerability used by this exploit, allowed attackers access to the entire physical memory of the device at the user level, both for reading and writing.
• Thanks to the exploitation of all four vulnerabilities, the malware could gain full control over the device and run any malware needed, but instead it launched the IMAgent process and used it to remove all traces of the attack from the device. It also launched the Safari process in the background and redirected it to the attacker’s web page with exploit for Safari.
• This Safari exploit got root rights and launched further stages of attacks (which we already talked about them in our previous publications).
• Vulnerability CVE-2023-38606 allowed bypassing of the built-in memory protection mechanism using undocumented and unused in the firmware processor registers. According to our experts, this hardware function probably was created for debugging or testing purposes, and then for some reason remained enabled.

The only remaining mystery — how exactly did the attackers knew how to use this undocumented function and where did they find information about it at all.

The logo is stored in the code that runs immediately after the computer is turned on, in the so-called UEFI (Unified Extensible Firmware Interface) firmware. It turns out that this logo replacement function opens the way for the device to be seriously compromised — attackers can hack it and subsequently seize control of the system, and this can even be done remotely. The possibility of such an attack — named LogoFAIL — was recently discussed by experts at Binarly. In this article, we’ll try to explain it in simple terms, but let’s first recall the dangers of so-called UEFI bootkits.

UEFI bootkits: malware loaded before the operating system is

Historically, the program run upon turning on a PC was called BIOS (Basic Input/Output System). It was extremely limited in its capabilities, but nevertheless essential — tasked as it was with initializing the computer’s hardware and then transferring control to the operating system loader. Since the late 2000s, BIOS gradually began to be replaced by UEFI — a more sophisticated version of the same basic program but with additional capabilities, including protection against the execution of malicious code.

In particular, UEFI implements the Secure Boot feature, which employs cryptographic algorithms to check the code at each stage of the computer’s booting — from turning it on to loading the operating system. This makes it much more difficult to replace the real OS code with malicious code, for example. But, alas, even these security technologies haven’t completely eliminated the possibility of loading malicious code at an early stage. And if attackers manage to “smuggle” malware or a so-called bootkit into UEFI, the consequences can be extremely serious.

The issue with UEFI bootkits is that they’re extremely difficult to detect from within the operating system. A bootkit can modify system files and run malicious code in an OS with maximum privileges. And the main problem is that it can survive not only a complete reinstall of the operating system, but also replacement of the hard drive. Stashed in the UEFI firmware, a bootkit isn’t dependent on the data stored on the system drive. As a result, bootkits are often used in complex targeted attacks. An example of such an attack is described in this study published by our experts.

So, what do images have to do with it?

Since UEFI has fairly robust protection against the running of malicious code, introducing a Trojan into the boot process isn’t simple. However, as it turns out, it is possible to exploit flaws in UEFI code to execute arbitrary code at this early stage. There was good reason for the Binarly experts to pay attention to the mechanism that allows replacing the factory logo. To display the logo, a program is launched that reads data from the graphic image file and displays this image on the screen. What if we try make this program misbehave?

There are three major UEFI software developers: AMI, Insyde, and Phoenix. Each of them approaches logo processing differently. For example, Insyde has separate image processing programs for different formats — from JPEG to BMP. AMI and Phoenix consolidate the handling of all formats into a single program. Vulnerabilities were discovered in each of them, with a total of twenty-four critical errors. The final result of exploiting one of these errors is shown in this video:

LogoFAIL attack demonstration. Source

It’s all fairly straightforward: attackers can modify the image of the new logo as they please. This includes, for example, setting the logo resolution so that this parameter ends up beyond the limits defined in the handling code. This leads to a calculation error and ultimately results in data being written from the image file into the area for executable data. This data will then be executed with maximum privileges. The video above shows the seemingly harmless result of such a bootkit: a text file is saved to the Windows desktop. However, if malicious code has this level of access, the attacker can perform almost any action in the operating system.

Notably, some computer models from major manufacturers were not susceptible to this attack, and for a very simple reason: replacing the logo in their UEFI is essentially blocked. Among these models are a number of Apple laptops and Dell devices.

Dangerous implications for businesses

Theoretically, this attack can even be carried out remotely: in some cases, it would be enough to inject a specially prepared image into the EFI system partition on the system disk, and it would be processed on the next reboot. The catch is that performing such an operation already requires complete access to the system; that is, any data on the computer should already be available to the attackers. You might wonder then: what’s the point of implementing the LogoFAIL attack? The answer: to ensure that the malicious code survives even if the OS is reinstalled. This kind of persistence is usually highly desired by APT attack operators.

This problem will be resolved gradually by updated UEFI versions that fix errors in the image handlers. However, since not all companies diligently keep up with firmware updates, a huge number of devices will likely remain unprotected. And the list of vulnerable devices includes not only laptops but also some server motherboards. This means that Binarly’s research should be taken very seriously.

The Bluetooth vulnerability allows you to connect a fake keyboard

The essence of the problem is that a vulnerable device can be forced to connect to a fake Bluetooth keyboard without requiring user confirmation — bypassing the operating system’s checks responsible for the Bluetooth protocol. The unauthenticated connection feature is specified in the Bluetooth protocol, and issues with certain implementations of the Bluetooth stack in popular operating systems provide attackers with the opportunity to exploit this mechanism.

The attackers can then use this connection to input commands, allowing them to execute any action as if they were the user — without requiring additional authentication such as a password or biometrics (like a fingerprint or face scan). According to the security researcher Marc Newlin who discovered this vulnerability, no special equipment is needed for a successful attack — just a Linux laptop and a standard Bluetooth adapter.

As you might guess, the attack is inherently limited by the Bluetooth interface: an attacker needs to be in close proximity to the victim. This naturally rules out mass exploitation of the vulnerability in question. However, malicious actors exploiting this vulnerability could still be a worry for specific individuals of special interest to those actors.

Which devices and operating systems are vulnerable?

This vulnerability affects a range of operating systems and several classes of devices based on them — albeit with some variations. Depending on the OS used, devices may be more or less vulnerable.

Android

Android devices were the most thoroughly examined for the presence of the aforementioned vulnerability. Marc Newlin tested seven smartphones with different OS versions — Android 4.2.2, Android 6.0.1, Android 10, Android 11, Android 13, and Android 14 — and found that all of them were vulnerable to the Bluetooth hack. Furthermore, concerning Android, all that’s required for this hack is for Bluetooth to be enabled on the device.

The researcher informed Google of the discovered vulnerability in early August. The company has already released patches for Android versions 11 through 14, and sent them to manufacturers of smartphones and tablets based on this OS. These manufacturers now have the task of creating and distributing the necessary security updates to their customers’ devices.

Of course, these patches must be installed as soon as they become available for devices running on Android 11/12/13/14. Until then, to protect against hacking, it’s advisable to keep Bluetooth turned off. For devices running older Android versions, there’ll be no updates — they’ll remain vulnerable to this attack indefinitely. Thus, the advice to turn Bluetooth off will remain relevant for them until the end of their service life.

MacOS, iPadOS, and iOS

As for Apple’s operating systems, the researcher didn’t have such a wide range of test devices. Nonetheless, he was able to confirm that the vulnerability is present in iOS 16.6, as well as in two versions of macOS — Monterey 12.6.7 (x86) and Ventura 13.3.3 (ARM). It’s safe to assume that in fact a wider range of macOS and iOS versions — as well as related systems like iPadOS, tvOS, and watchOS — are vulnerable to the Bluetooth attack.

Another piece of bad news is that the enhanced security mode introduced by Apple this year — the so-called “Lockdown Mode” — doesn’t protect against attacks exploiting this Bluetooth vulnerability. This applies to both iOS and macOS.

Just in case, we remind you how to properly turn off Bluetooth in iOS and iPadOS: this should be done not through the Control Center but through the Settings

Fortunately, a successful attack on Apple’s operating systems requires an additional condition besides having Bluetooth enabled: the device must be paired with an Apple Magic Keyboard.

This means that Bluetooth attacks primarily pose a threat to Macs and iPads used with a wireless keyboard. The likelihood of an iPhone being hacked through this vulnerability appears to be negligible.

The researcher reported the discovered bug to Apple around the same time as Google, but so far there’s been no information from the company regarding security updates, or a detailed list of vulnerable OS versions.

Linux

This attack also works for BlueZ — the Bluetooth stack included in the official Linux kernel. Mark Newlin confirmed the presence of the Bluetooth vulnerability in Ubuntu Linux versions 18.04, 20.04, 22.04, and 23.10. The bug that made the attack possible was discovered and fixed back in 2020 (CVE-2020-0556). However, this fix was, by default, disabled in most popular Linux distributions, and is only enabled in ChromeOS (according to Google).

The Linux vulnerability discovered by the researcher was assigned the number CVE-2023-45866, and a CVSS v3 score of 7.1 out of 10, according to Red Hat. For successful exploitation of this vulnerability, only one condition needs to be met: the Linux device must be discoverable and connectable through Bluetooth.

The good news is that a patch for this vulnerability in Linux is already available, and we recommend installing it as soon as possible.

In this post, we discuss current threats facing macOS users and how to effectively protect your Mac. To illustrate the fact that viruses for macOS do exist, we’ll look at three recent studies on several malware families that have been published over the past few weeks.

BlueNoroff attacks macOS users and steals cryptocurrency

In late October 2023, our researchers discovered a new macOS Trojan that’s believed to be associated with BlueNoroff, the “commercial wing” of the Lazarus APT group. This subgroup specializes in financial attacks and specifically focuses on two things: firstly, attacks on the SWIFT system — including the notorious heist of the Bangladesh Central Bank — and secondly, stealing cryptocurrencies from organizations and individuals.

The discovered macOS Trojan downloader is distributed within malicious archives. It’s disguised as a PDF document titled “Crypto-assets and their risks for financial stability”, with an icon that mimics a preview of this document.

Cover page of the deceptive PDF that the Trojan downloads and shows to the user when launching the file from an infected archive. Source

Once the user clicks on the Trojan (masquerading as a PDF), a script is executed that actually downloads the corresponding PDF document from the internet and opens it. But, of course, that’s not all that happens. The Trojan’s main task is to download another virus, which gathers information about the infected system, sends it to the C2, and then waits for a command to perform one of two possible actions: self-deletion or saving to a file and executing malicious code sent in response from the server.

Proxy Trojan in pirated software for macOS

In late November 2023, our researchers discovered another malware instance that threatens Mac users — a proxy Trojan, distributed alongside pirated software for macOS. Specifically, this Trojan was added to the PKG files of cracked video editing programs, data recovery tools, network utilities, file converters, and various other software. The full list of infected installers discovered by our experts can be found at the end of the report published on Securelist.

As mentioned earlier, this malware belongs to the category of proxy Trojans — malware that sets up a proxy server on the infected computer, essentially creating a host to redirect internet traffic. Subsequently, cybercriminals can use such infected devices to build a paid network of proxy servers, earning money from those seeking such services.

Alternatively, the Trojan’s owners might directly use the infected computers to carry out criminal activities in the victim’s name — whether it’s attacking websites, companies or other users, or purchasing weapons, drugs or other illegal goods.

Atomic stealer in fake Safari browser updates

Also in November 2023, a new malicious campaign was discovered to spread another Trojan for macOS, known as Atomic and belonging to the category of stealers. This type of malware searches for, extracts, and sends to its creators all kinds of valuable information found on the victim’s computer, particularly data saved in browsers. Logins and passwords, bank card details, crypto wallet keys, and similar sensitive information are of particular value to stealers.

The Atomic Trojan was first discovered and described back in March 2023. What’s new is that now the attackers have started using fake updates for the Safari and Chrome browsers to spread the Atomic Trojan. These updates are downloaded from malicious pages that very convincingly mimic the original Apple and Google websites.

A site with fake Safari browser updates that actually contain the Atomic stealer. Source

Once running on a system, the Atomic Trojan attempts to steal the following information from the victim’s computer:

• cookies
• logins, passwords, and bank card details stored in the browser
• passwords from the macOS password storage system (Keychain)
• files stored on the hard drive
• stored data from over 50 popular cryptocurrency extensions

Zero-day vulnerabilities in macOS

Unfortunately, even if you don’t download any suspicious files, you avoid opening attachments from unknown sources, and generally refrain from clicking on anything suspicious, this doesn’t guarantee your security. It’s important to remember that any software always has vulnerabilities that attackers can exploit to infect a device, and which require little or no active user action. And the macOS operating system is no exception to this rule.

Recently, two zero-day vulnerabilities were discovered in the Safari browser — and according to Apple’s announcement, cybercriminals were already exploiting them by the time they were discovered. By simply luring the victim to a malicious webpage, attackers can infect their device without any additional user action, thereby gaining control over the device and the ability to steal data from it. These vulnerabilities are relevant for all devices using the Safari browser, posing a threat to both iOS/iPadOS users and Mac owners.

This is a common scenario: as Apple’s operating systems share many components, vulnerabilities often apply not just to one of the company’s opertaing systems but to all of them. Thus, it’s a case of Macs being betrayed by the iPhone’s popularity: iOS users are the primary targets, but these vulnerabilities can just as easily be used to attack macOS.

A total of 19 zero-day vulnerabilities were discovered in Apple’s operating systems in 2023 that are known to have been actively exploited by attackers. Of these, 17 affected macOS users — including over a dozen with high-risk status, and one classified as critical.

Zero-day vulnerabilities in macOS, iOS, and iPadOS discovered in 2023, which were actively exploited by cybercriminals

Other threats and how to protect your Mac

What’s important to remember is that there are numerous cyberthreats that don’t depend on the operating system but that can be no less dangerous than malware. In particular, pay attention to the following threats:

• Phishing and fake websites. Phishing emails and websites work the same way for both Windows users and Mac owners. Alas, not all fake emails and websites are easily recognizable, so even experienced users often face the risk of having their login credentials stolen.
• Web threats, including web skimmers. Malware can infect not only the user’s device but also the server it communicates with. For example, attackers often hack poorly protected websites, especially online stores, and install web skimmers on them. These small software modules are designed to intercept and steal bank card data entered by visitors.
• Malicious browser extensions. These small software modules are installed directly into the browser and operate within it, so they don’t depend on the OS being used. Despite being seemingly harmless, extensions can do a lot: read the content of all visited pages, intercept information entered by the user (passwords, card numbers, keys to crypto wallets), and even replace displayed page content.
• Traffic interception and man-in-the-middle (MITM) attacks. Most modern websites use encrypted connections (HTTPS), but you can still sometimes come across HTTP sites where data exchange can be intercepted. Cybercriminals use such interception to launch MITM attacks, presenting users with fake or infected pages instead of legitimate ones.

To protect your device, online service accounts and, most importantly, the valuable information they contain, it’s crucial to use comprehensive protection for both Mac computers and iPhones/iPads. Such protection must be able to counteract the entire range of threats — for example solutions like our Kaspersky Premium, whose effectiveness has been confirmed by numerous awards from independent testing laboratories.