News Wrap: IoT Radio Telnet Backdoor And ‘SimJacker’ Active Exploit

Threatpost editors Tara Seals and Lindsey O’Donnell talk about the top news stories of the week – from leaky databases to SIM card attacks.

Threatpost editors break down the biggest news stories of the week ended Sept. 13, including:


Below is a lightly-edited transcript of this week’s news wrap podcast.

Lindsey O’Donnell: Hi, welcome to the Threatpost news wrap podcast. You’ve got Lindsey O’Donnell here with Threatpost and I’m here today with Tara Seals, editor at Threatpost. Tara, thanks for coming on today.

Tara Seals: Thanks for having me, Lindsey.

LO: Is it already mid-September? I feel like this month is just flying by.

TS: I don’t know where the time has gone. It’s really insane. It feels like we just got back from Black Hat. But that’s not even the case. That’s crazy.

LO: Right. It’s definitely going by quickly. So this week started off with a bang with that DDoS attack over the weekend that brought down Wikipedia and some other services. And then we had Patch Tuesday. So it’s been a lot, Tara, I know that we’ve both been working starting early on Monday.

TS: Yeah. Well, I know you covered the World of Warcraft/Wikipedia DDoS attacks, which I thought were interesting because you said that they were related, right?

LO: Yeah, that was, sounded like starting on Friday night a bunch of servers went down due to the DDoS attack. And those servers were hosting some Wikipedia projects, and then yes, it was a related attack behind the World of Warcraft Classic, they were also DDoS-ed. So I’m sure that there are a lot of pissed off gamers and then also pissed off people who just wanted to search for things on Wikipedia over the weekend.

TS: Yeah, absolutely. And, it’s impactful too when you start hitting the gamers where it hurts, that’ll end up with reactions, for sure.

LO: Right, especially over the weekend when you want to take some time off and just play but doesn’t sound like that happened.

TS: Yeah, Patch Tuesday was interesting, too. That was the other thing that kind of kicked off our week and I had written a story on that and basically it was pretty quiet, honestly, compared to most Microsoft updates. But the two main things were there were two elevation of privilege vulnerabilities that Microsoft revealed, were actually under active attacks, so they were being exploited as zero days before being publicly announced on Tuesday, but they’re both local privilege escalation flaws. So, even though they’re listed as critical and that it’s definitely an issue and people need to patch them, it definitely could be worse. It’s not like it’s remote code execution or something like that.

LO: They didn’t give too many details about those two zero days did they? I mean, it sounded like they kind of said what they were, but they didn’t give too much detail around what the actual attack consisted of and who the threat actors were behind it.

TS: Yeah, no, it’s true. I mean, they said that both newer and older supported Windows versions are impacted by them. But, you know, in terms of what an actual attack would look like, or what it would take in order to carry out a working exploit, it didn’t really release a whole lot of details.

LO: Speaking of active exploits, Tara, I don’t know if you saw the SimJacker article that I wrote on Thursday, but that was a really unique story that stuck out to me about kind of a big, massive scary attack.

TS: Yeah, well , I mean, I know it’s impacting I think you said a billion users, which is certainly an eye catching headline. What’s that all about?

LO: Yes. So the researchers said that the attack potential could reach a billion users. And that’s because the attack essentially stems from a vulnerability that was discovered on mobile SIM cards. And it’s being actively exploited to track phone owners’ locations or intercept calls, and do all these other malicious actions. And what was disturbing about the attack is that from what the researchers said, all an attacker would need to do would be to send an SMS message to victims who had SIM cards with a specific technology which is called S@T browser. So that’s why they call the attack SIMjacker, because you can essentially hijack these mobile phones that use the SIM cards that have these technologies in them. So the attack itself, it stems from the S@T browser, which is a technology that’s typically used for browsing within the SIM card. And it can be used for things on the phone, like opening your browser, playing ring tones or whatnot. And in regards to the attack itself, so researchers didn’t provide super specific details, and I’m sure that they’re saving the meat of the research for when they present about it at Virus Bulletin, which they will be doing in a few weeks. But from a high level, the attack works by threat actors being able to send messages to victims that use the S@T browser functionality, and that gives them the ability to trigger proactive commands that are sent to the mobile device. So what the messages contain – and again, this is where they didn’t delve into too much detail – but they would contain a series of SIM kit instructions. And once the SMS message is received by the victim’s SIM card, it would then use the S@T browser library as almost an execution environment and send out kind of a range of commands like surveillance requests. So it would request for the mobile device’s location. It would also give attackers the ability to intercept calls, or like set off the ringtone, or even send messages. So just a bunch of malicious activities there. And they said that it sounds like this has been exploited over the past two years. And so it sounds like this has just been something that has been massively exploited. And they’re just figuring that out now.

TS: One of the things that I thought was kind of interesting in your story was the fact that you said that a specific private company has been seen exploiting this, a company that works with governments that want to monitor individuals, which, that’s never a good thing. Did you have any more details on that? Or were they being pretty cagey about that?

LO: So they were very vague about the company. And it was interesting the language that they used throughout the research, I did reach out to the researchers at AdaptiveMobile Security, who are going to be presenting this at Virus Bulletin, to ask them a little bit more to expand a bit more on the threat actor. But yeah, so they would only say in the research that it was, this, as you say, “a specific private company, working with governments to monitor individuals.” They didn’t really go into too much detail further about what that specific company was, which would have been helpful, but I feel like maybe they were pointing to someone, I’d be curious to see if in the future they kind of come out and say who this company is because that’s a pretty serious move.

TS: Absolutely. Well, I’ll be at Virus Bulletin too. So I’m gonna definitely duck into that session and see if there are more details that emerge from that.

LO: Well, yeah, I wonder if they gave that company some sort of warning or something, and maybe are going to be disclosing the name at Virus Bulletin, it makes me wonder, but definitely something to be looking out for. And one other interesting aspect of the story, too, is that researchers did say, as you mentioned, that this has the potential to impact over a billion mobile phone users globally. So I then went to GSMA and asked them for a comment on this because the researchers had said that they had disclosed the vulnerability to GSMA, and GSMA kind of came back and in their statement, they were kind of seeking to downplay almost the impact of the vulnerability. They said that it impacts a small minority of SIM cards, and that it has like a limited impact. So I thought that was kind of interesting too, given that the researchers said that the S@T browser is used by mobile operators in at least 30 countries whose population adds up to over a billion people. So I hope that that’s something they expand on as well at Virus Bulletin.

TS: Yeah. It sounds like there needs to be some clarification there. For sure. Interesting.

LO: Yeah, definitely. And then one last thing about the story was that in terms of mitigation, they really didn’t offer too much detail there either around what specific mitigation that users could do to prevent this from happening, which, I think they’re probably actively working on that as we speak. But I did find that odd because, this is a case where if you’re hearing about this, you want to be able to go and prevent it from happening. So, what they did say is that you should check if your SIM card uses S@T browser technology deployed in your network and if so whether any S@T browser specific security mechanisms can be applied. So hopefully they also talk a bit more about that in October.

TS: Yeah. Yeah, for sure.

LO: But Tara, you also had a really interesting story too, as well, about IoT radios and a Telnet backdoor that really gained a lot of traction this week, too. Can you kind of expand about that?

TS: Yeah, sure. So the IoT radios are made by a company called Imperial Dabman, which is a company that’s based out of Germany, but they sell the radios globally, through Amazon, via retailers, and also eBay and some of the other aftermarket marketplaces. So, you know, this is definitely a story that has a lot of applicability around the world, including here in the US. And also the radios are used by corporations as well as home users. So you have both an enterprise threat here as well as a consumer threat. So that makes it kind of interesting too. But essentially, what it is, is that the radios had an open port using Telnet, which is a notoriously weak service, easily hacked. But also, in addition to just using Telnet, they also had hard-coded credentials in there that are easily uncovered using brute forcing. So that’s a problem, because that obviously opens up the radio to any remote attacker over the internet who can brute force the password.

LO: I feel like the hardcoded credentials is a classic IoT security issue that we just keep running into again and again. So it almost makes you wonder, how have companies not learned at this point?

TS: I know, it really is crazy, and some of the comments on the story were pretty interesting. Just first of all, A, why are they still using Telnet, and B, yes, the hard-coded credentials. And the password in this case was actually just literally the word “password.” So insult to injury, it wasn’t even something moderately hard to guess, you probably wouldn’t even have to run an automated script to be able to brute force that, you know what I mean?

LO: So did they outline kind of what a bad actor could do if they took advantage of that backdoor? And also, was this being exploited at all?

TS: Yeah, so basically, an attacker would be able to completely take over the device. And that means that they could add malware to it, they can potentially gain access to the network that it is attached to, the Wi-Fi network, because there’s a way to sniff out the encrypted Wi-Fi password if you already have access to the device itself. You can add the device to a botnet that says to carry out all kinds of massive attacks on others. Or you can also send custom audio streams to compromised devices. So if you wanted to freak somebody out. If you want to deface, say, a corporate broadcast or something like that or hijack a corporate broadcast, you would be able to do that through the radios. So you know, there’s a wide range of sort of nefarious things that would be possible with an unpatched device. In terms of exploitation they weren’t sure if this has actually been carried out in the wild, but you know, certainly this has been an ongoing situation with these IoT radios for some time. So the researchers did say that they suspect that somebody might have uncovered this before they did, but we’re just not sure.

LO: Were the researchers able to get in touch with Imperial Dabman in terms of the security issues? I mean, were there any patches or mitigations at least that were unveiled?

TS: Yeah. So they didn’t say that they were going to discontinue the Telnet altogether, going forward in new models and then they launched binary patches for existing deployments that you have to install manually. So, you know, unfortunately consumers and IT administrators alike will have to sort of actively go out, download the patch and then apply it.

LO: Uh huh. Well, that’s unfortunate, but at least – I mean, this goes to show how bad IoT security can be – but at least the vendors are doing something and got back to them.

TS: So yeah, it was better response than it has been in other instances, so, you know, but this impacts more than a million different devices, according to the researchers. So it’s not a small footprint. And so, it’s a concern, especially when it’s something that was just so easily avoidable, or maybe should have been caught in quality analysis or something along the way before they deployed these.

LO: You wrote a story that I was just reading about, what was it, almost 200 million records were exposed in, what was it? I think it was belonging to an auto company called DealerLead. It was a database that was exposing car buyer records that was kind of big.

TS: Yeah, no, this was a really interesting story, actually, for a couple of different reasons. So, you know, on the surface, it just seems like it’s just another inadvertent misconfiguration of a cloud bucket – in this case, it was an ElasticSearch database. But what was kind of interesting about it was where the information contained within that database came from, which is basically this network of websites out there that purport to offer research on different makes and models of cars, or they offer a way to check local listings to see what’s available for sale, that type of thing. So consumers would go and use these websites. And apparently there were multiple, multiple, multiple websites. They didn’t actually quantify the exact number. I did reach out and ask for that, but I haven’t heard back yet. The intimation was that we’re talking 20 plus websites that all purport to have research information to help prospective car buyers figure out what they want to do, and in the background they’re harvesting all of this information, which includes loan and finance data, vehicle information, the IP addresses and fingerprints for the machines that the website visitors are using, as well as just standard contact information like email and phone numbers and stuff like that. And so harvesting all of this stuff and sending it off to local dealerships as leads, basically, unbeknownst to the website visitors themselves, they don’t know that they’re presenting their information to be used for marketing or advertising purposes, essentially. So that’s, kind of isn’t – so it’s interesting that it’s a privacy story on a couple of different levels.

LO: Yeah, no, that is interesting. And what was that quote that was in the story, it was like “another day, another misconfigured ElasticSearch server?”

TS: Yeah.

LO: But yeah, I mean, that is kind of an interesting twist there. And that actually reminds me too of a story that I wrote, a similar story, which is that researchers found a database that was insecure that they disclosed this week that belonged to a sophisticated criminal network. So I mean, it’s kind of in the same vein there about finding something that leads to something else in terms of privacy or security or in this case, cybercrime.

TS: So, yeah, that was a really interesting story, actually, that you had this misconfigured database that basically was assembled and housed on behalf of a cybercrime organization. That’s just the worm has turned, you know what I mean?

LO: And the best part of it all was that the researchers who found that database also found a ransom note in the database, which said that they had extracted the information and were asking for money in return for not releasing the database to the public, so I guess some other cybercriminals came across the database and, not knowing that it was owned by other cybercriminals, were trying to beat them to the punch there.

TS: That is great.

LO: Oh, boy, and well, Tara, I think we should probably wrap up here. Thanks so much for coming on to the Threatpost news wrap to talk about some of the biggest stories of the week. I know there was a lot.

TS: Yeah, there was a lot. Thanks so much for having me. It was fun to hash it out. And I’ll talk to you next time.

LO: Yeah, sounds good. And catch us next week on the Threatpost podcast.
