Blog entry by Les Bell

by Les Bell - Monday, 4 September 2023, 10:10 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Open Source Stealer Catches On Quickly

Black hats everywhere got a very nice present last Christmas with the publication on GitHub of the code for a versatile infostealer called SapphireStealer. It didn't take long for a variety of threat actors to latch on to this gift, downloading it and tinkering with the code to add functionality as well as to add detection-evasion features. By mid-January 2023, modified binaries were being uploaded to public malware repositories, and by now multiple threat actors have adopted SapphireStealer, continuing to adapt and improve its capabilities.

Now, researchers at Cisco Talos have provided an analysis of this increasingly popular black hat tool. SapphireStealer was written for the .NET platform and initially offered some basic functionality: capturing host information (IP address, hostname, OS and CPU architecture, etc.), taking screenshots, harvesting cached browser credentials and collecting files of various types under the user's Desktop folder. It specifically targets Chromium-based browsers, killing their processes and then searching for their credential databases before taking a screenshot and creating a zipfile of this data, plus any files it has found.

The archive is then exfiltrated over SMTP via mail.ru, using credentials embedded in the binary itself - after all, if you are compiling from source, there is no need for a separate configuration file. Later samples created by other threat actors use a variety of exfiltration methods, including Discord webhooks and Telegram channels, and also target a variety of additional filetypes. The code has also been refactored to make it more efficient.

However, hard-coded SMTP credentials can leak information about the threat actors themselves: the Cisco Talos researchers were able to identify one hacker who rather sloppily seems to have used a personal email account which, matched with other clues in the source, led to his identification as a Russian freelance web developer. Tsk, tsk.
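As an added example (my own, not Cisco Talos's tooling and not SapphireStealer's code), the Go program below does the first triage step an analyst would take with a sample like this: pull the printable strings out of the binary, including the UTF-16LE form in which .NET stores string literals, and match them against the exfiltration channels mentioned above (an SMTP host and mailbox, a Discord webhook URL, a Telegram bot URL). The sample bytes are constructed in sampleBinary(), and the mailbox, webhook and bot values in them are placeholders, not indicators from any real sample.

```go
package main

import (
	"fmt"
	"regexp"
)

// Indicators are the exfiltration settings worth pulling out of a stealer
// sample first: they show where stolen data goes and, as with a hard-coded
// mail.ru login, sometimes who set it up.
type Indicators struct {
	Emails          []string
	SMTPHosts       []string
	DiscordWebhooks []string
	TelegramBots    []string
}

var (
	emailRe    = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	smtpHostRe = regexp.MustCompile(`(?i)^smtp\.[a-z0-9.-]+\.[a-z]{2,}$`)
	discordRe  = regexp.MustCompile(`https://discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+`)
	telegramRe = regexp.MustCompile(`https://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+`)
)

func printable(b byte) bool { return b >= 0x20 && b <= 0x7e }

// asciiStrings returns runs of at least minLen printable ASCII bytes.
func asciiStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i := 0; i <= len(data); i++ {
		if i < len(data) && printable(data[i]) {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(data[start:i]))
		}
		start = -1
	}
	return out
}

// utf16Strings returns runs of printable ASCII encoded as UTF-16LE (the form
// .NET keeps string literals in), scanning from the given byte offset so that
// odd-aligned strings are not missed.
func utf16Strings(data []byte, offset, minLen int) []string {
	var out []string
	var run []byte
	for i := offset; i+1 < len(data); i += 2 {
		if data[i+1] == 0 && printable(data[i]) {
			run = append(run, data[i])
			continue
		}
		if len(run) >= minLen {
			out = append(out, string(run))
		}
		run = run[:0]
	}
	if len(run) >= minLen {
		out = append(out, string(run))
	}
	return out
}

// extractStrings combines the ASCII pass with both UTF-16LE alignments.
func extractStrings(data []byte, minLen int) []string {
	out := asciiStrings(data, minLen)
	out = append(out, utf16Strings(data, 0, minLen)...)
	return append(out, utf16Strings(data, 1, minLen)...)
}

// triage classifies every extracted string against the exfiltration patterns.
func triage(data []byte) Indicators {
	var ind Indicators
	for _, s := range extractStrings(data, 6) {
		switch {
		case discordRe.MatchString(s):
			ind.DiscordWebhooks = append(ind.DiscordWebhooks, discordRe.FindString(s))
		case telegramRe.MatchString(s):
			ind.TelegramBots = append(ind.TelegramBots, telegramRe.FindString(s))
		case smtpHostRe.MatchString(s):
			ind.SMTPHosts = append(ind.SMTPHosts, s)
		case emailRe.MatchString(s):
			ind.Emails = append(ind.Emails, emailRe.FindString(s))
		}
	}
	return ind
}

// utf16le encodes an ASCII string the way the .NET user-string heap stores it.
func utf16le(s string) []byte {
	b := make([]byte, 0, 2*len(s))
	for i := 0; i < len(s); i++ {
		b = append(b, s[i], 0)
	}
	return b
}

// sampleBinary is a constructed stand-in for a stealer sample: a few header
// bytes, configuration strings in UTF-16LE (some at odd offsets) and one ASCII
// URL. None of these values come from a real sample.
func sampleBinary() []byte {
	var b []byte
	b = append(b, 0x4d, 0x5a, 0x90, 0x00, 0x03) // "MZ" plus filler; odd length shifts alignment
	b = append(b, utf16le("smtp.mail.ru")...)
	b = append(b, 0x00, 0x00)
	b = append(b, utf16le("operator-inbox@example.com")...)
	b = append(b, 0xff)
	b = append(b, utf16le("https://discord.com/api/webhooks/000000000000000000/constructed-token")...)
	b = append(b, 0x00, 0x00)
	b = append(b, "https://api.telegram.org/bot0000000000:constructed-token"...)
	return append(b, 0x00)
}

func main() {
	ind := triage(sampleBinary())
	fmt.Printf("SMTP hosts: %v\nmailboxes: %v\nDiscord webhooks: %v\nTelegram bots: %v\n",
		ind.SMTPHosts, ind.Emails, ind.DiscordWebhooks, ind.TelegramBots)
}
```

To run it against a real sample, replace sampleBinary() with the bytes from os.ReadFile. Note that a plain ASCII strings pass finds only the Telegram URL in this sample; the SMTP host, mailbox and Discord webhook are all UTF-16LE and would be missed without the second pass. A mailbox found this way is a lead for the kind of attribution Talos did, not an identification on its own.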

Brumaghin, Edmund, SapphireStealer: Open-source information stealer enables credential and data theft, blog post, 31 August 2023. Available online at https://blog.talosintelligence.com/sapphirestealer-goes-open-source/.

Light Bulbs Leak Credentials

While many smart home devices connect via the Zigbee low-bandwidth mesh network protocol, this requires a gateway between the owner's wi-fi network and the Zigbee network - an additional expense which some manufacturers avoid by putting their devices directly on the 802.11 wi-fi network. This cuts costs, but it means that an attacker can use conventional tools and techniques to attack such devices and then potentially pivot, using them to attack more valuable targets on the wi-fi network. And this is a real problem, because IoT devices are notorious for vulnerabilities in their firmware, making them an ideal pivot point for attackers.

A classic example comes courtesy of three researchers at the University of Catania in Italy and Royal Holloway, University of London. In a paper published in the Proceedings of the 20th International Conference on Security and Cryptography, they pretty much demolished the security of the TP-Link Tapo Smart Wi-Fi Light Bulb, Multicolor (L530E), discovering four very basic vulnerabilities (the kind that would get my cryptography students a sharp comment in assignment feedback).

Like many such devices, the light bulb must first be joined to the user's wi-fi network. On first being powered up, the bulb operates as an access point with its own SSID of Tapo Bulb XXXX; the user then connects their smartphone to this AP and uses the Tapo app to provide the real network's SSID and passphrase/key. The problem is that this exchange is almost completely unauthenticated - the app has no way of checking that the access point it has joined is a genuine bulb - so an attacker can masquerade as a light bulb and capture the owner's network credentials. This vulnerability garners a CVSS score of 8.8, i.e. high severity.

Such authentication as there is, is based on a keyed hash which uses a hard-coded 32-bit key - and by capturing just one genuine message exchanged between a bulb and the Tapo app, an attacker can recover this key by offline brute force in just over a couple of hours (CVSS score: 7.6, high severity).
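To make that second finding concrete, here is an added example (my own, not the researchers' code) of the offline search it describes: given one captured message and its tag, try every 32-bit key until the tag reproduces. The bulb's actual keyed-hash construction is not described above, so HMAC-SHA256 stands in for it (an assumption); the message text and the hypothetical key value are constructed, and the demo searches a 2^20 slice of the key space and then extrapolates to the full 2^32 from the measured rate.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// tagFor is the keyed hash as the attacker models it. HMAC-SHA256 is an
// assumption standing in for the bulb's undisclosed construction; what matters
// is that the key is a 32-bit value, held here in a 4-byte big-endian field.
func tagFor(key uint32, msg []byte) []byte {
	var kb [4]byte
	binary.BigEndian.PutUint32(kb[:], key)
	m := hmac.New(sha256.New, kb[:])
	m.Write(msg)
	return m.Sum(nil)
}

// recoverKey tries every key of keyBits bits against a single captured
// (message, tag) pair, entirely offline, and returns the first one that matches.
func recoverKey(msg, tag []byte, keyBits uint) (uint32, bool) {
	limit := uint64(1) << keyBits
	for k := uint64(0); k < limit; k++ {
		if bytes.Equal(tagFor(uint32(k), msg), tag) {
			return uint32(k), true
		}
	}
	return 0, false
}

// keysPerSecond measures this machine's single-threaded rate so that the full
// 2^32 search can be estimated without running it.
func keysPerSecond(msg []byte, trials uint32) float64 {
	start := time.Now()
	for k := uint32(0); k < trials; k++ {
		tagFor(k, msg)
	}
	return float64(trials) / time.Since(start).Seconds()
}

func main() {
	// Constructed stand-in for one app-to-bulb message; one genuine capture
	// is all the attacker needs.
	msg := []byte(`{"cmd":"set_brightness","v":42}`)
	secret := uint32(0x000A5A5A) // hypothetical hard-coded key, chosen within 20 bits
	tag := tagFor(secret, msg)

	k, ok := recoverKey(msg, tag, 20) // 2^20 keys: a demo-sized slice of the 32-bit space
	fmt.Printf("recovered: %v, key=0x%08X\n", ok, k)

	rate := keysPerSecond(msg, 1<<18)
	fmt.Printf("~%.0f keys/s on one core, so the full 2^32 space takes at most %.0f minutes\n",
		rate, float64(uint64(1)<<32)/rate/60)
}
```

The estimate printed is worst case for a single core; splitting the range across cores or a GPU divides it accordingly, which is why a 32-bit secret is no secret at all. A key of 128 bits or more, unique per device rather than shared across the product line, would have put this attack out of reach.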

The third vulnerability is a classic of its type: the use of AES-128-CBC, i.e. cipher block chaining mode, with the same initialization vector for every message (CVSS score: 4.6, medium severity). And to complete the picture, the protocol is vulnerable to replay attacks, since there is no use of message IDs, timestamps or nonces to ensure message freshness (CVSS score: 5.7, medium severity).
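The third and fourth findings together, as an added example (my own, not the paper's code and not TP-Link's firmware): AES-128-CBC under a fixed IV shows how two commands that start with the same plaintext block produce the same first ciphertext block, and how a receiver with no freshness check happily accepts a sniffed packet a second time. FreshReceiver beside it is one way to fix both, using AES-GCM with a random nonce per message and a monotonic counter bound in as associated data. The key, command strings and wire layout are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// staticIV reproduces the bulb's mistake: one IV reused for every message.
var staticIV = make([]byte, aes.BlockSize)

func mustAES(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// pad and unpad are PKCS#7, so CBC always works on whole blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// cbcStaticIV is AES-128-CBC under the fixed IV: messages that begin with the
// same plaintext blocks give the same leading ciphertext blocks, and identical
// messages give identical ciphertexts, so a sniffed packet can be resent as-is.
func cbcStaticIV(key, pt []byte) []byte {
	pt = pad(pt)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), staticIV).CryptBlocks(ct, pt)
	return ct
}

// sharedPrefixBlocks counts the leading 16-byte blocks two ciphertexts share.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for ; (n+1)*16 <= len(a) && (n+1)*16 <= len(b) && bytes.Equal(a[n*16:n*16+16], b[n*16:n*16+16]); n++ {
	}
	return n
}

// naiveAccept models a receiver that acts on anything that decrypts and unpads
// cleanly; with no nonce, counter or timestamp it cannot recognise a replay.
func naiveAccept(key, ct []byte) bool {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return false
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), staticIV).CryptBlocks(pt, ct)
	_, err := unpad(pt)
	return err == nil
}

// FreshReceiver is a hardened counterpart (an assumption, not TP-Link's fix):
// AES-GCM with a fresh random nonce per message and a monotonic counter bound
// in as associated data, so replayed or tampered messages are rejected.
type FreshReceiver struct {
	aead cipher.AEAD
	last uint64 // highest counter accepted so far
}

func NewFreshReceiver(key []byte) *FreshReceiver {
	g, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return &FreshReceiver{aead: g}
}

// sealFresh produces nonce(12) || counter(8) || ciphertext+tag.
func sealFresh(aead cipher.AEAD, ctr uint64, pt []byte) []byte {
	out := make([]byte, 20, 20+len(pt)+aead.Overhead())
	if _, err := rand.Read(out[:12]); err != nil {
		panic(err)
	}
	binary.BigEndian.PutUint64(out[12:20], ctr)
	return aead.Seal(out, out[:12], pt, out[12:20])
}

// Accept authenticates first, then insists that the counter has moved forward.
func (r *FreshReceiver) Accept(msg []byte) error {
	if len(msg) < 20 {
		return errors.New("message too short")
	}
	if _, err := r.aead.Open(nil, msg[:12], msg[20:], msg[12:20]); err != nil {
		return errors.New("authentication failed")
	}
	ctr := binary.BigEndian.Uint64(msg[12:20])
	if ctr <= r.last {
		return errors.New("replay: counter is not fresh")
	}
	r.last = ctr
	return nil
}
```

With the constructed key "0123456789abcdef", the commands {"cmd":"set_brightness","v":20} and {"cmd":"set_brightness","v":90} share exactly their first ciphertext block under cbcStaticIV (an observer learns which commands start alike without decrypting anything), naiveAccept returns true for the same packet twice, and FreshReceiver.Accept returns nil on first delivery, a replay error on the second delivery of the same message and an authentication error if a single byte is flipped. A counter alone, without the authentication tag, would not be enough: an attacker could bump the counter field of a captured message and resend it.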

The researchers responsibly disclosed these vulnerabilities to TP-Link, of course, and the company is working on updated firmware for the bulbs. Meanwhile, the work experience kid or summer intern who wrote the code has presumably signed up for a cryptography class next semester.

But all this serves as a reminder: IoT devices and the vulnerabilities they bring with them can pose a severe risk to other devices on the same network. Placing devices like light bulbs and locks on a Zigbee network behind a gateway adds an extra level of security as well as additional benefits like increased range for external lights.

Bonaventura, Davide, Sergio Esposito and Giampaolo Bella, Smart Bulbs can be Hacked to Hack into your Household, Proc. 20th Intl. Conf. on Security and Cryptography (SECRYPT 2023), pp. 218-229. Available online at https://arxiv.org/abs/2308.09019.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
