Episode Transcript
0:00
Hello and welcome to the Tuesday, May
0:02
16th, 2023 edition of the SANS Internet Storm Center's
0:08
Stormcast. My name is Johannes Ullrich
0:10
and today I'm recording from Jacksonville,
0:13
Florida.
0:15
For about four months
0:17
now, Jan has been tracking
0:20
some interesting emails that claim
0:22
to come from Facebook. Of course, they're not
0:24
from Facebook. They're essentially phishing
0:27
emails with a couple of sort of interesting
0:30
artifacts. First of all, the
0:32
from address is just the
0:34
string Facebook, not
0:36
a valid email address, just
0:38
essentially the name. Now typically
0:41
you do have a name and an email address,
0:43
but here the email address part
0:45
is just left blank. Maybe
0:48
this is supposed to help with some
0:50
of the sort of DKIM-, SPF-like
0:52
filters. And
0:55
the links are also a little bit odd
0:56
in that many of the links are
0:58
mailto links. So if the user clicks on them,
1:00
they're not being sent to a particular
1:03
web page. Instead, the
1:05
email client opens a new window and
1:07
then attempts to send an email. Of
1:10
course, the user still has to actually send the
1:12
email. The email is not sent automatically. Could
1:15
be where the attacker is maybe trying
1:17
to sort of communicate with the victim here,
1:20
maybe hoping the victim would ask for
1:22
help. And then of course, the attacker would
1:24
like to supply that help. But
1:28
what's the
1:28
most interesting part of this otherwise
1:31
not really that super remarkable
1:33
phishing email is that the
1:36
attacker apparently just copy pasted
1:38
a lot of the content from an actual
1:41
Facebook email. Of course, that makes the
1:43
email more plausible, makes it easier
1:45
to actually have the right layout and everything.
1:48
But looks like as part of this, the
1:50
attacker also copied some
1:53
specific unique identifiers
1:57
that are now present
1:58
in the email, which
2:00
may of course help identify the actual
2:03
origin of these phishing emails.
2:06
And yesterday I mentioned that
2:08
Intel released updates
2:11
to the microcode to a range
2:13
of its CPUs. Well,
2:16
part of the note with the
2:18
microcode update was that
2:21
these updates do fix
2:23
a security update for INTEL-
0:26
SA-NA. It
2:28
wasn't really clear what the update
2:31
was really about, so Phoronix did
2:34
publish about it and that's what I mentioned
2:36
yesterday. The Register is
2:38
now writing that they actually got a response
2:41
from Intel saying that this
2:44
update does not contain any security
2:46
updates and the note INTEL-
0:49
SA-NA. Well, basically NA, not
2:52
available means that there
2:54
is no applicable security
2:57
update. A little bit odd, but
3:00
yeah, so security updates for INTEL-
3:02
SA-NA, what it really refers
3:04
to is that there is no
3:07
update. Weird way of phrasing it, just
3:09
want to make that clear that this
3:11
is nothing that you sort of need to patch
3:14
because it's a security update.
3:18
And we had in the past numerous cases
3:21
where fake crypto coin
3:23
wallets were being offered
3:26
via various app stores and such in order
3:28
to trick victims to deposit
3:31
their coins in these fake crypto coin
3:33
wallets, which then of course would leak
3:35
secret keys to an attacker.
3:37
Now pulling this off with software
3:40
crypto coin wallets is pretty
3:42
straightforward. It just needs a gullible
3:44
victim here to install your fake
3:47
wallet, but apparently
3:48
attackers are also doing this
3:50
with hardware wallets. The
3:53
target here appears to be Trezor,
3:55
which is a very popular
3:58
hardware wallet where attackers
3:59
are essentially coming up sort of with lookalike
4:02
hardware wallets and then
4:05
trick victims into purchasing
4:07
them. Sadly, they pretty much look identical
4:09
to the real thing. The only way
4:11
you can sort of tell them apart is that
4:14
this particular fake wallet
4:16
used a bootloader version 2.0.4 that
4:21
doesn't exist for the real wallet.
4:23
Actually, a changelog at Trezor
4:26
states that they skipped this particular
4:28
version 2.0.4
4:29
because it had been
4:32
used for some of these
4:35
fake devices. And the reason
4:37
they look so very close to the real
4:39
thing is that they actually are
4:42
essentially modified real
4:44
Trezor wallets. They just
4:46
had some of the internal components
4:49
replaced.
4:51
And in vulnerability news, there is
4:53
a recently patched vulnerability in
4:55
TP-Link Archer AX21. It's
4:59
a command injection vulnerability that
5:01
is, according to FortiGuard Labs,
5:04
now being exploited. That's CVE-2023-
5:06
1389. And again, a patch is available. Well, that's it for today.
5:12
Thanks
5:15
for listening and talk to you again
5:17
tomorrow.
5:18
Bye.