@yura @dps910 @wboss No, just jo!

  • This constellation shouldn't exist to begin with.
    • If it did exist, you should've bought Extended Security Support for it since 2019
  • There's no legitimate excuse to have #TechIlliterates access said systems and be allowed to use the #Internet, save any files or even execute any code on it to begin with.
    • If you can't force the #Users to obey simple rules, they have no business using said system.
  • There is a literal zoo of #ZeroClickMalware for #Windows7 that Microsoft refuses to combat!
    • The only option I know is some "Write-Protection Driver" like the one used by #hp for their #ThinClients on #WES7 which redirects all writes to a #Ramdisk and refuses to write them on disk before shutdown / reboot!
    • But that doesn't protect against executing malicious code stealing credentials!

You sure you can't migrate the system to a #VM and/or @bunsenlabs and/or passthrough any hardware to it?

  • Cuz unless you use like a "forensic write blocker" adaptor in the middle I see no chance of you winning this at all
    • And even then: No "#Antivirus" (which as 3rd party Kernelhack is just #malware itself!) will be able to fix the fundamental flaws.
    • This includes even some like #Avast that install a #DPI component and #PacketFilter everything by acting as #MITM proxy!
@topher @OpenComputeDesign the worst offender in terms of #security is #iMessage, because it literally includes interpreters/previewers for nonsense like #Photoshop files, making it a worse #bloatware than #SystemD if it was a single executable with an attack surface greater than #OOXML, which has been abused for #ZeroClickMalware like #Pegasus to gain persistent root access!

Cuttlefish Zero-Click Malware: Stealthy Theft of Cloud Data through Routers

Date: May 1, 2023
CVE: Not specified
Vulnerability Type: Malware
CWE: [[CWE-200]], [[CWE-287]], [[CWE-311]]
Sources: Dark Reading

Issue Summary

Cuttlefish is a newly identified malware that targets enterprise and small office/home office (SOHO) routers to steal authentication details without user interaction. Designed by Black Lotus Labs, this zero-click malware infiltrates network equipment to capture data, leveraging DNS and HTTP hijacking to interact with private IP addresses and exfiltrate data via proxy or VPN tunnels. Cuttlefish has been active since at least last July, with its latest campaign running from October through April 2024.

Technical key findings

Cuttlefish uses a sophisticated method that involves sniffing packets and hijacking DNS and HTTP requests. It deploys via a bash script that gathers data and executes a malicious binary. It then monitors network traffic and activates according to predefined rules to target private IP addresses or steal credentials. Researchers found links, specifically code similarities and embedded build paths, to HiatusRat, so they believe Cuttlefish is also aligned with the interests of China-based threat actors. "To exfiltrate data, the threat actor first creates either a proxy or VPN tunnel back through a compromised router, then uses stolen credentials to access targeted resources," according to the post. "By sending the request through the router, we suspect the actor can evade anomalous sign-in based analytics by using the stolen authentication credentials."

Vulnerable products

SOHO routers and potentially unmonitored enterprise networking equipment.

Impact assessment

The malware could lead to unauthorized data access, long-term persistence within the network, and potential bypass of security measures like EDR and network segmentation.

Patches or workarounds

Recommendations include securing router interfaces, updating firmware, changing default credentials, and regularly rebooting routers to clear in-memory malware.
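The DNS-hijacking behaviour described under the key findings leaves a trace defenders can look for: a hostname that normally resolves to a public address suddenly being answered with an address inside the LAN, or with anything that disagrees with a resolver not behind the router. The script below is an added example (not code from the report or from Black Lotus Labs) that runs that check over constructed dnsmasq-style log lines; the hostnames, addresses and baseline are all made up for the example.

```python
"""Flag DNS replies that look like router-level DNS hijacking (added example).

Two indicators, both drawn from the Cuttlefish write-up above:
  1. a public hostname answered with a LAN/loopback address;
  2. an answer that differs from a baseline resolved out-of-band.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed dnsmasq-style "reply <name> is <addr>" lines; TEST-NET
# addresses (203.0.113.0/24, 198.51.100.0/24) stand in for public ones.
SAMPLE_LOG = """\
Apr 29 10:12:01 gw dnsmasq[412]: reply sso.example-cloud.com is 203.0.113.10
Apr 29 10:12:03 gw dnsmasq[412]: reply api.example-cloud.com is 198.51.100.7
Apr 29 10:13:44 gw dnsmasq[412]: reply sso.example-cloud.com is 192.168.1.254
Apr 29 10:14:02 gw dnsmasq[412]: reply storage.example-cloud.com is 198.51.100.9
Apr 29 10:15:19 gw dnsmasq[412]: reply api.example-cloud.com is 10.0.0.5
Apr 29 10:15:20 gw dnsmasq[412]: query[A] api.example-cloud.com from 192.168.1.20
"""

# Constructed baseline, as obtained from a resolver that is not behind the router.
BASELINE = {
    "sso.example-cloud.com": {"203.0.113.10"},
    "api.example-cloud.com": {"198.51.100.7"},
    "storage.example-cloud.com": {"198.51.100.9"},
}

# Explicit LAN/loopback ranges; avoids ipaddress.is_private, which also
# treats the TEST-NET documentation ranges used above as private.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>[0-9a-fA-F:.]+)$")


def parse_replies(log_text):
    """Yield (name, ip_address) for each 'reply' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        try:
            yield m.group("name"), ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # e.g. a CNAME reply rather than an address


def find_hijack_indicators(log_text, baseline):
    """Return {name: [reasons]} for answers in LAN space or contradicting the baseline."""
    findings = defaultdict(list)
    for name, addr in parse_replies(log_text):
        if any(addr in net for net in LAN_RANGES):
            findings[name].append(f"LAN-space answer {addr}")
        expected = baseline.get(name)
        if expected is not None and str(addr) not in expected:
            findings[name].append(f"baseline mismatch {addr} not in {sorted(expected)}")
    return dict(findings)
```

A baseline mismatch alone can be ordinary CDN rotation, so the LAN-space indicator is the stronger signal; the two together point at the router itself answering for names it should only forward.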

Tags

#Cuttlefish #ZeroClickMalware #RouterSecurity #NetworkHijacking #DataExfiltration

'Cuttlefish' Zero-Click Malware Steals Private Cloud Data

The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.

NSA reveals how to protect your smartphone from malware

The NSA has published guidance on protecting smartphones from malware. Some of the tips are quite useful, others seem rather mundane.

Tarnkappe.info