ISC StormCast for Tuesday, May 16th, 2023


Released Tuesday, 16th May 2023
Episode Transcript


0:00

Hello and welcome to the Tuesday, May 16th, 2023 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:15

For about four months now, Jan has been tracking some interesting emails that claim to come from Facebook. Of course, they're not from Facebook. They're essentially phishing emails with a couple of sort of interesting artifacts. First of all, the from address is just the string "Facebook", not a valid email address, just essentially the name. Now typically you do have a name and an email address, but here the email address part is just left blank. Maybe this is supposed to help with some of the sort of DKIM, SPF-like filters. And the links are also a little bit odd in that many of the links are mailto: links. So if the user clicks on them, they're not being sent to a particular web page. Instead, the email client opens a new window and then attempts to send an email. Of course, the user still has to actually send the email. The email is not sent automatically. Could be where the attacker is maybe trying to sort of communicate with the victim here, maybe hoping the victim would ask for help. And then of course, the attacker would like to supply that help.

1:28

But what's the most interesting part of this otherwise not really that super remarkable phishing email is that the attacker apparently just copy-pasted a lot of the content from an actual Facebook email. Of course, that makes the email more plausible, makes it easier to actually have the right layout and everything. But it looks like, as part of this, the attacker also copied some specific unique identifiers that are now present in the email, which may of course help identify the actual origin of these phishing emails.

2:06

And yesterday I mentioned that Intel released updates to the microcode to a range of its CPUs. Well, part of the note with the microcode update was that these updates do fix a security update for the Intel SA-NA. It wasn't really clear what the update was really about, so Phoronix did publish about it and that's what I mentioned yesterday. The Register is now writing that they actually got a response from Intel saying that this update does not contain any security updates, and the note "Intel SA-NA", well, basically NA, not available, means that there is no applicable security update. A little bit odd, but yeah, so "security updates for Intel SA-NA", what it really refers to is that there is no update. Weird way of phrasing it, just want to make that clear that this is nothing that you sort of need to patch because it's a security update.

3:18

And we had in the past numerous cases where fake crypto coin wallets were being offered via various app stores and such in order to trick victims to deposit their coins in these fake crypto coin wallets, which then of course would leak secret keys to an attacker. Now pulling this off with software crypto coin wallets is pretty straightforward. It just needs a gullible victim here to install your fake wallet, but apparently attackers are also doing this with hardware wallets. The target here appears to be Trezor, which is a very popular hardware wallet, where attackers are essentially coming up sort of with lookalike hardware wallets and then trick victims into purchasing them. Sadly, they pretty much look identical to the real thing. The only way you can sort of tell them apart is that this particular fake wallet used a bootloader version 2.0.4 that doesn't exist for the real wallet. Actually, a changelog at Trezor states that they skipped this particular version 2.0.4 because it had been used for some of these fake devices. And the reason they look so very close to the real thing is that they actually are essentially modified real Trezor wallets. They just had some of the internal components replaced.

4:51

And in vulnerability news, there is a recently patched vulnerability in TP-Link Archer AX21. It's a command injection vulnerability that is, according to FortiGuard Labs, now being exploited. That's CVE-2023-1389. And again, a patch is available. Well, that's it for today. Thanks for listening and talk to you again tomorrow. Bye.
