IT News

A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls.

Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in states including Florida, Georgia, Idaho, Iowa and Virginia in 2018. The court also imposed an injunction prohibiting any future violations of the Truth in Caller ID Act and Telephone Consumer Protection Act.

Scott Rhodes spoofed his telephone number, so it appeared to his targets that he was calling from a local phone number. If they picked up, they were presented with recorded messages. Those messages included highly inflammatory and disturbing content, often directed at certain communities, that intended to offend or harm the recipients.

Those messages typically addressed tragic and controversial events that took place in the region. Many consumers who received the calls found the calls so disturbing, they submitted complaints to FCC and other law enforcement regarding unwanted and harassing robocalls.

The FCC traced the unlawful spoofed robocalls to Scott Rhodes, a resident of Idaho and Montana, and in January 2021, the FCC imposed a $9,918,000 forfeiture penalty against Rhodes. In September 2021, the Justice Department sued Rhodes in the District of Montana to recover that penalty and obtain an injunction.

In October 2023, the United States moved for summary judgment, and the court subsequently entered an injunction and the full $9,918,000 forfeiture penalty against Rhodes, after concluding based on a de novo review of the evidence that Rhodes committed the violations found by FCC. When a court hears a case as “de novo,” it is deciding the issues without reference to any legal conclusion or assumption made by the previous court to hear the case.

Principal Deputy Assistant Attorney General Brian Boynton, head of the Justice Department’s Civil Division commented:

“The department is committed to protecting consumers from deceptive robocalls. We are very pleased by the court’s judgment, and we will continue working with the FCC and other agency partners to vigorously enforce the telemarketing laws that prohibit these practices.”

Earlier this year we reported that the FCC efforts seem to be paying off, by showing an encouraging decline in robocalls.

Last year, another robocaller made headlines after the FCC issued a $300 million forfeiture to a persistent offender and shut down their operation.

What to do if you answer a robocall

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1. Hang up as soon as you realize that it is an automated robocall.
2. Do not engage with the call at all.
3. Don’t follow any instructions.
4. Avoid giving away any personal information.
5. Report the robocall.
   • If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
   • If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
   • If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

On 14 March, Meta announced it would abandon CrowdTangle, saying the tool will no longer be available after August 14, 2024. While most people have never heard of CrowdTangle, among journalists the tool is considered essential. Its popularity largely depends on the ability to monitor social media activity around important elections.

This makes the timing of the change a bit awkward to say the least. Not just in the US, but in many countries around the world there are major elections in 2024.

Data analysis tool CrowdTangle was created to show publishers which posts on Facebook pages were getting the most engagement. However, researchers and journalists later discovered that monitoring which stories spread most quickly, also provides the means to find the source of disinformation and watch how it spreads.

Meta bought CrowdTangle eight years ago, and the tool helped journalists and researchers learn more about the content on Meta’s platforms, including Facebook and Instagram. It was the first major tool that let the public analyze trends on the social media platforms in real time.

But it also produced negative consequences for Meta. If content performed well, Meta received accusations of promoting that content in its algorithm. In 2021, CrowdTangle underwent some changes and the team that ran it, including founder and CEO Brandon Silverman, was dismantled.

Arguably, the only thing keeping CrowdTangle alive at that point was Article 40 of the European Union’s Digital Services Act, which requires very large platforms and search engines to share publicly available data with researchers and nonprofit groups.

So, in November of 2023, Meta introduced the Meta Content Library as a replacement for CrowdTangle to “help us meet new regulatory requirements, data-sharing and transparency compliance obligations.”

In an interview, Meta’s president of global affairs Nick Clegg said that the Meta Content Library is a better tool for researchers than CrowdTangle in almost every way. For starters, it includes data about reach, which he said offers a better picture of what content on the platform is most popular.

Researchers who have used both CrowdTangle and the Content Library are torn, they say that both tools have their strengths and weaknesses. However, the audience for the Content Library is much more limited: aside from certain fact checkers, journalists won’t have direct access.

In an open letter, Mozilla has called on Meta to keep CrowdTangle functioning until January 2025. At the time of writing, 156 universities, researchers, disinformation trackers, privacy watchers, and other social media followers have signed the request.

They fear that the absence of CrowdTangle will undermine the monitoring of election disinformation in a year that approximately half the world’s population will vote.

We don’t just report on threats – we help protect your social media

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Cyrus, powered by Malwarebytes.

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn’t affect mobile versions of Firefox.

Windows users that have automatic updates enabled should have the new version available as soon or shortly after they open the browser.

Version number should read 124.0.1 or higher

Other users can update their browser by following these instructions:

• Click the menu button (3 horizontal stripes) at the right side of the Firefox toolbar, go to Help, and select About Firefox. The About Mozilla Firefox window will open.
• Firefox will check for updates automatically. If an update is available, it will be downloaded.
• You will be prompted when the download is complete, then click Restart to update Firefox.

To change the way in which Firefox installs updates, you can:

• Click the menu button (3 horizontal stripes) and select Settings.
• In the General panel, go to the Firefox Updates section.
• Here you can adjust the settings to your liking.

The vulnerabilities

The vulnerabilities were found during the Pwn2Own Vancouver 2024 hacking competition. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in this update are:

CVE-2024-29943: an attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination. This vulnerability affects Firefox < 124.0.1.

An out-of-bounds read or write can occur when a program has access outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution or disclosure of information. This can happen when the size of the data is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data.

CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. Note: This vulnerability affects Desktop Firefox only, it does not affect mobile versions of Firefox. This vulnerability affects Firefox < 124.0.1 and Firefox ESR < 115.9.1.

Firefox ESR (Extended Support Release) is offered for organizations, including schools, universities, businesses, and others who need extended support for mass deployments.

An event handler is a program function that is executed by the application or operating system when an event is executed on the application.

Programming languages are built on the concept of classes and objects to organize programs into simple, reusable pieces of code. A privileged object is a function or piece of code with elevated permissions.

Together, the two vulnerabilities allowed the researcher to achieve a sandbox escape of Firefox. The sandbox is employed to protect against malicious content entering the system through the browser.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen.

Of those users that weren’t logged in when they watched those videos between January 1 and 8, 2023, the authorities asked for the IP addresses.

The starting point of one of the investigations is an entity that uses the handle “elonmuskwhm” and is suspected of money laundering by selling Bitcoin for cash. As part of the investigation, agents sent the suspect links to tutorials on YouTube about mapping via drones and augmented reality software.Then they asked YouTube to send them data about the people that watched that video.

But those video tutorials were not private and had been watched over 30,000 times by the time the agents asked YouTube’s parent company Google for information about the viewers.

In another case, related to a bomb threat, the authorities asked for information about the viewers of eight selected live streams. One of those live streams has over 130,000 subscribers.

The police received a threat from an unknown male that there was an explosive placed in a trash can in a public area. When the police went to investigate the matter, they found out their actions were broadcasted through a YouTube live stream camera. Apparently similar events had taken place before, so for good reason law enforcement is after the evildoers.

But asking for data of that many viewers, many of which we can assume to be innocent bystanders, goes against what privacy experts believe to be reasonable. This type of digital dragnets go against the fourth amendment: freedom from unreasonable searches.

Albert Fox-Cahn, executive director at the Surveillance Technology Oversight Project (STOP) said:

“No one should fear a knock at the door from police simply because of what the YouTube algorithm serves up. I’m horrified that the courts are allowing this.”

According to the documents Forbes has seen, the court granted the order but asked Google not to make it public. We don’t currently know if Google complied with the request for information.

Google spokesperson Matt Bryant told Forbes:

“We examine each demand for legal validity, consistent with developing case law, and we routinely push back against over broad or otherwise inappropriate demands for user data, including objecting to some demands entirely.”

STOP condemned the US Department of Justice for securing a bulk warrant to track every YouTube user who watched the completely legal videos about mapping software for drones.

John Davisson, senior counsel at the Electronic Privacy Information Center, told Forbes:

“What we watch online can reveal deeply sensitive information about us—our politics, our passions, our religious beliefs, and much more. It’s fair to expect that law enforcement won’t have access to that information without probable cause. This order turns that assumption on its head.”

Warrants like these turn innocent people into suspects for no other reason than watching a perfectly legal video. The YouTube warrants are similar to geofence warrants, where court issues a search warrant to allow law enforcement to search a database to find all active mobile devices within a particular area.

These warrants turn the fear that certain online searches or your viewing history is going to put you on some kind of list, into reality. It also encourages users to use a VPN for even the most harmless activities and discourages YouTube visitors from logging in.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Skater brand Vans emailed customers last week to tell them about a recent “data incident.”

On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to “external threat actors.” An investigation revealed that the incident involved some personal information of Vans’ customers. The affected information could include:

• Email address
• Full name
• Phone number
• Billing address
• Shipping address

In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached.

The data incident turned out to be a ransomware attack. In a filing with the Securities and Exchanges Commission (SEC), parent company V.F. Corporation stated the hackers disrupted business operations and stole the personal information of approximately 35.5 million individual consumers.

The attack was claimed by the ALPHV/BlackCat ransomware group. This happened during the period that ALPHV was in a spot of trouble themselves by events eventually leading to faking their own death.  It is unclear whether VF Corporation was able to use the decryptor made available after law enforcement seized control of ALPHV’s infrastructure, even though ALPHV reportedly claimed that the company tried to obtain a decryptor from law enforcement.

Vans says there’s no evidence suggesting any actual impact on any individual consumer whose personal data were part of the affected data set, but it does warn about phishing and fraud attempts which could lead to identity theft.

Data breach tips

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check if your data has been breached

Check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

In October 2023, The British Library was attacked by the Rhysida ransomware gang in a devastating cyberattack.

The library, a vast repository of over 170 million items, is still deep in the recovery process, but recently released an eighteen page cyber incident review describing the attack, its impact, the aftermath, and the lessons learned. The report is full of useful information, and well worth a read, even if you’re responsible for security in a much smaller organisation.

The attack and its aftermath is a reminder that big game ransomware remains the preeminent cyberthreat to organisations of all sizes, and the tactics it describes will be familiar to anyone who has read the Big Game Ransomware section of our 2024 State of Malware report.

The ransomware itself was launched on October 28, 2023, but the library believes that the Rhysida group infiltrated its systems at least three days before that. During those three days the group conducted what the library calls “hostile reconnaissance,” and exfiltrated 600GB of data.

The report also describes how the gang “hijacked native utilities” to copy databases. Using tools that are already on a victim’s network (a technique know as Living off the Land) makes it easier for ransomware gangs to avoid detection while they prepare an attack.

However, there are some details about the attack that either add to the body of knowledge, or remind us of things that are easily overlooked, so I’ve picked out some lessons from the report that can probably be usefully applied by any IT team.

1. Complexity helped the attackers

One thing that leaps off the pages of the report is how the library’s complex infrastructure aided the attackers. The report describes the library environment as an “unusually diverse and complex technology estate, including many legacy systems.” Unless you work for a brand new startup, the chances are that you recognise some of your own company network in that description, even if it isn’t as complex as the British Library.

This technical debt prevented the library from complying with security standards, “contributed to the severity of the impact of the attack,” and offered the attackers wider access than they should have had.

Most damaging of all though is the effect that carrying too much complexity has had on the library’s ability to recover:

“Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack. These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.”

It concludes, “there is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current.”

2. Endpoint protection matters

While the issue of complexity crops up again and again in the report, there is another significant finding that’s covered in just a single line—the importance of effective endpoint protection.

As devastating as the attack on the library was, it could have been worse. The attack only succeeded in compromising the organisation’s servers, but its desktops and laptops were spared because they were running a more modern “defensive software” that successfully identified and prevented the attack.

“A different software system successfully identified and prevented the encryption attack from executing on our laptop and desktop estates, but older defensive software on the server estate was unable to resist the attack.”

The clear implication is that if the system that was running on the desktops and laptops had also been running on the servers then the attack would have been thwarted.

As important as monitoring technologies like SIEM, EDR and MDR have become, it remains as true today as it ever has that every endpoint and server, whether they’re Windows, Macs, or Linux machines, needs a next-gen antivirus engine that can detect and stop known threats and block suspicious behaviour, such as malicious encryption.

3. Ransomware is 24/7

The report also mentions another potential opportunity to stop the attack. It describes how “at 01:15 on 26 October 2023, the Library’s IT Security Manager was alerted to possible malicious activity on the Library network.” The IT manager took action, monitored the situation and the escalated the incident the following morning. A subsequent detailed analysis of activity logs, “did not identify any obviously malicious activity.”

Investigations performed after the attack “identified evidence of an external presence on the Library network at 23:29 on Wednesday 25 October 2023,” and that “an unusually high volume of data traffic (440GB) had left the Library’s estate at 1.30am on 28 October.” This suggests that there were further opportunities to detect the attackers’ “hostile reconnaissance.”

We highlight this to demonstrate an important point about how ransomware gangs operate, not to second guess the IT team at the library. It seems that everyone concerned treated the incident very seriously and took appropriate action, and they have our sympathy.

What we want to draw your attention to is that all three incidents happened in the dead of night.

Groups like Rhysida make significant efforts to cover their tracks, and are likely to work at times when their targets are least well staffed. However, even as stealthy as they are, their out-of-hours activities still create opportunities for skilled security staff to detect them. The problem for defenders is that their skilled security staff need to be working at the same time as the attackers.

For many organisations, the only practical way to achieve that is through a Managed Service Provider or a service like Managed Detection and Response (MDR).

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

This week on the Lock and Code podcast…

Few words apply as broadly to the public—yet mean as little—as “home network security.”

For many, a “home network” is an amorphous thing. It exists somewhere between a router, a modem, an outlet, and whatever cable it is that plugs into the wall. But the idea of a “home network” doesn’t need to intimidate, and securing that home network could be simpler than many folks realize.

For starters, a home network can be simply understood as a router—which is the device that provides access to the internet in a home—and the other devices that connect to that router. That includes obvious devices like phones, laptops, and tablets, and it includes “Internet of Things” devices, like a Ring doorbell, a Nest thermostat, and any Amazon Echo device that come pre-packaged with the company’s voice assistant, Alexa. There are also myriad “smart” devices to consider: smartwatches, smart speakers, smart light bulbs, don’t forget the smart fridges.

If it sounds like we’re describing a home network as nothing more than a “list,” that’s because a home network is pretty much just a list. But where securing that list becomes complicated is in all the updates, hardware issues, settings changes, and even scandals that relate to every single device on that list.

Routers, for instance, provide their own security, but over many years, they can lose the support of their manufacturers. IoT devices, depending on the brand, can be made from cheap parts with little concern for user security or privacy. And some devices have scandals plaguing their past—smart doorbells have been hacked and fitness trackers have revealed running routes to the public online.

This shouldn’t be cause for fear. Instead, it should help prove why home network security is so important.

Today, on the Lock and Code podcast with host David Ruiz, we’re speaking with cybersecurity and privacy advocate Carey Parker about securing your home network.

Author of the book Firewalls Don’t Stop Dragons and host to the podcast of the same name, Parker chronicled the typical home network security journey last year and distilled the long process into four simple categories: Scan, simplify, assess, remediate.

In joining the Lock and Code podcast yet again, Parker explains how everyone can begin their home network security path—where to start, what to prioritize, and the risks of putting this work off, while also emphasizing the importance of every home’s router:

Your router is kind of the threshold that protects all the devices inside your house. But, like a vampire, once you invite the vampire across the threshold, all the things inside the house are now up for grabs.

Carey Parker

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Last week on Malwarebytes Labs:

• New Go loader pushes Rhadamanthys stealer
• Canada revisits decision to ban Flipper Zero
• Patch Ivanti Standalone Sentry and Ivanti Neurons for ITSM now
• 19 million plaintext passwords exposed by incorrectly configured Firebase instances
• Apex Legends Global Series plagued by hackers
• Tax scammer goes after small business owners and self-employed people
• The ‘AT&T breach’—what you need to know
• Upcoming webinar: How a leading architecture firm approaches cybersecurity
• Social media influencers targeted by identity thieves
• Store manager admits SIM swapping his customers

Stay safe!

Malware loaders (also known as droppers or downloaders) are a popular commodity in the criminal underground. Their primary function is to successfully compromise a machine and deploy one or multiple additional payloads.

A good loader avoids detection and identifies victims as legitimate (i.e. not sandboxes) before pushing other malware. This part is quite critical as the value of a loader is directly tied to the satisfaction of its “customers”.

In this blog post, we describe a malvertising campaign with a loader that was new to us. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.

Malicious ad targets system administrators

PuTTY is a very popular SSH and Telnet client for Windows that has been used by IT admins for years. The threat actor bought an ad that claims to be the PuTTY homepage and appeared at the top of the Google search results page, right before the official website.

In this example, the ad looks suspicious simply because the ad snippet shows a domain name (arnaudpairoto[.]com) that is completely unrelated. This is not always the case, and we continue to see many malicious ads that exactly match the impersonated brand.

Fake PuTTY site

The ad URL points to the attacker controlled domain where they can easily defeat security checks by showing a “legitimate” page to visitors that are not real victims. For example, a crawler, sandbox or scanner, will see this half finished blog:

Real victims coming from the US will be redirected to a fake site instead that looks and feels exactly like putty.org. One of the big differences though is the download link.

The malicious payload is downloaded via a 2 step redirection chain which is something we don’t always see.

puttyconnect[.]info/1.php
HTTP/1.1 302 Found
Location: astrosphere[.]world/onserver3.php

astrosphere[.]world/onserver3.php
HTTP/1.1 200 OK
Server: nginx/1.24.0
Content-Type: application/octet-stream
Content-Length: 13198274
Connection: keep-alive
Content-Description: File Transfer
Content-Disposition: attachment; filename="PuTTy.exe"

We believe the astrosphere[.]world server is performing some checks for proxies while also logging the victim’s IP address. This IP address will later be checked before downloading the secondary payload.

That PuTTy.exe is malware, a dropper written in the Go language (version 1.21.0).

Its author may have given it the name “Dropper 1.3“:

Follow-up payload

Upon executing the dropper, there is an IP check for the victim’s public IP address. This is likely done to only continue with users that have gone through the malicious ad and downloaded the malware from the fake site.

zodiacrealm[.]info/api.php?action=check_ip&ip=[IP Address]

If a match is found, the dropper proceeds to retrieve a follow-up payload from another server (192.121.16[.]228:22) as seen in the image below:

To get this data, we see it uses the SSHv2 (Secure Shell 2.0) protocol implemented via OpenSSH on a Ubuntu server. We can only think of using this protocol to make the malware download more covert.

That payload is Rhadamanthys which is executed by the parent process PuTTy.exe:

Malvertising / loader combo

We have seen different types of loaders via malvertising campaigns, including FakeBat which we profiled recently. Given how closely the loader is tied to the malvertising infrastructure it is quite likely that the same threat actor is controlling both. The service they offer to other criminals is one of malware delivery where they take care of the entire deployment process, from ad to loader to final payload.

We reported this campaign to Google. Malwarebytes and ThreatDown users are protected as we detect the fake PuTTY installer as Trojan.Script.GO.

ThreatDown users that have DNS Filtering can enable ad blocking in their console to prevent attacks that originate from malicious ads.

Indicators of Compromise

Decoy ad domain

arnaudpairoto[.]com

Fake site

puttyconnect[.]info

PuTTY

astrosphere[.]world
0caa772186814dbf84856293f102c7538980bcd31b70c1836be236e9fa05c48d

IP check

zodiacrealm[.]info

Rhadamanthys

192.121.16[.]228:22
bea1d58d168b267c27b1028b47bd6ad19e249630abb7c03cfffede8568749203

In February 2024 the Canadian government announced plans to ban the sale of the Flipper Zero, mainly because of its reported use to steal cars.

The Flipper Zero is a portable device that can be used in penetration testing with a focus on wireless devices and access control systems.

If that doesn’t help you understand what it can do, a few examples from the news might help.

Flipper Zero made headlines in October because versions running third-party firmware could be used to crash iPhones running iOS 17 (since resolved in iOS 17.2).

Later, reporters found information that car thieves could use the Flipper Zero to intercept, record, and sometimes mimic the signal of a vehicle’s key fob, and if the car was in a garage, the signal of the garage door opener too.

Importantly, this only works on older car models that use fixed numeric codes for their fobs. Not on cars that use rolling codes, which change the numeric code transmitted from a key fob with each use. As a result, car thieves continued to ignore the Flipper Zero in favour of key fob signal boosters and keyless repeaters which are a lot more powerful.

Oddly enough, the car thieving option was mentioned as the main reason for putting a ban on the Flipper Zero in Canada. Although Canada’s Minister of Innovation, Science, and Industry, François-Philippe Champagne said:

“We are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”

Very recently, a group of security researchers presented a series of vulnerabilities in the widely used Dormakaba Saflok electronic RFID locks. This vulnerability impacts over 3 million doors on over 13,000 properties in 131 countries, mostly in hotels.

Reportedly, an attacker only needs to read one keycard from the property to perform the attack against any of its doors. This keycard can be from their own room, or even an expired keycard taken from the express checkout collection box.

Any device capable of reading and writing or emulating MIFARE Classic cards is suitable for this attack. MIFARE is a contactless card technology introduced in 1994. It’s primarly used for transport passes, but its technological capabilities quickly made it one of the most popular smart cards for storing data and providing access control.

One device that can be used for this attack is the Flipper Zero, but an attacker could just as easily use a Proxmark 3 or any NFC capable Android phone.

After an appeal by the security community, Canada now looks like it’s going to move forward with measures to restrict the use of devices like Flipper Zero to legitimate actors only. The specifics will be revealed after deliberation with Canadian companies, online retailers, and the automotive industry.

Conclusions

None of the technology housed within the Flipper Zero is very new, all it does is combine multiple functions into one handheld device. We have never seen any officially confirmed cases of theft using a Flipper Zero. If you want to ban something that helps against car theft, look at keyless repeaters, on the market for a host of car brands and which have no other purpose.

For all the vulnerabilities we described, updates came out that fixed the issues and made the world a safer place, although the patches haven’t been applied everywhere—it’s a lot of work to update all the locks in a hotel, and it’s not feasible to update the fob systems of older cars. Nevertheless, the research by pen testers has led to security improvements, so why would we want to take away their tools?

If we have peaked your interest to buy a Flipper Zero, we urge you to be careful. Due to limited availability there are scammers active that will take your money and send nothing in return.

You can learn more about Flipper Zero by listening to our Lock and Code podcast below. In December 2023, host David Ruiz had a long conversation in with Cooper Quintin, senior public interest technologist with the Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device.