SOS Intelligence

6. CVE-2021-34473

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.

https://nvd.nist.gov/vuln/detail/CVE-2021-22005

7. CVE-2021-22005

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

8. CVE-2021-44228

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

9. CVE-2021-21972

https://nvd.nist.gov/vuln/detail/CVE-2021-21972

10. CVE-2023-35719

N/A

https://nvd.nist.gov/vuln/detail/CVE-2023-35719

Flash Alert

Flash Alert – Office zero-day being actively targeted in the wild

by Daniel Collyer

July 14, 2023

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

This was originally sent out to our Flash Alert Subscribers on July 12th. To sign up for this free service, please click here.

Microsoft is actively investigating CVE-2023-36884, an unpatched zero-day vulnerability in their Windows and Office products, amid concerns it is being utilised by nation-state and cybercriminal threat actors to gain remote code execution (RCE) via malicious Office documents.

The zero-day is exploited via specially crafted Office documents, designed to enable RCE. The victim would be required to open the document for the malicious code to execute. However, it is reported that the vulnerability could be exploited without user interaction.

Successful exploitation of this vulnerability could pose a significant risk to data, granting threat actors access to confidential and sensitive information, allowing them to bypass or shut down system protections, and/or deny access to compromised systems

The exploit has been identified to have been utilised in a campaign by APT Storm-0978 (AKA DEV-0978, RomCom), aimed at European and North American government and defence entities.

Microsoft provided the following mitigations for the unpatched zero-day:

Customers who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.
In current attack chains, the use of the Block all Office applications from creating child processes Attack Surface Reduction Rule will prevent the vulnerability from being exploited.
Organisations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1.:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION

Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
PowerPoint.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe

The Twitter post below, from @UK_Daniel_Card, provides the GUID references for Attack Service Reduction (ASR) rules which can be utilised to increase protection.

Microsoft is actively investigating CVE-2023-36884, an unpatched zero-day vulnerability in their Windows and Office products

https://nvd.nist.gov/vuln/detail/CVE-2023-27997

The SOS Intelligence CVE Chatter Weekly Top Ten – 10 July 2023

by Amir Hadzipasic

July 10, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-27997

2. CVE-2018-9995

CeNova, Night OWL, Novo, Pulnix, QSee, Securus, and TBK Vision DVR devices allow remote attackers to download a file and obtain sensitive credential information via a direct request for the download.rsp URI.

https://nvd.nist.gov/vuln/detail/CVE-2018-9995

3. CVE-2022-40684

An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.

4. CVE-2022-42475

https://nvd.nist.gov/vuln/detail/CVE-2021-36260

5. CVE-2021-36260

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a “Cookie: uid=admin” header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

6. CVE-2023-3460

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

https://nvd.nist.gov/vuln/detail/CVE-2023-3460

7. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

8. CVE-2021-34473

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.

https://nvd.nist.gov/vuln/detail/CVE-2012-2459

9. CVE-2012-2459

Unspecified vulnerability in bitcoind and Bitcoin-Qt before 0.4.6, 0.5.x before 0.5.5, 0.6.0.x before 0.6.0.7, and 0.6.x before 0.6.2 allows remote attackers to cause a denial of service (block-processing outage and incorrect block count) via unknown behavior on a Bitcoin network.

10. CVE-2023-3269

N/A

https://nvd.nist.gov/vuln/detail/CVE-2023-3269

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

The SOS Intelligence CVE Chatter Weekly Top Ten – 03 July 2023

by Amir Hadzipasic

July 3, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2021-44228

2. CVE-2016-0041

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via a crafted packets, aka “Windows SMB Information Disclosure Vulnerability.”

https://nvd.nist.gov/vuln/detail/CVE-2016-0041

3. CVE-2020-8516

** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2020-8516

4. CVE-2017-0147

https://nvd.nist.gov/vuln/detail/CVE-2017-0147

5. CVE-2019-1388

An elevation of privilege vulnerability exists in the Windows Certificate Dialog when it does not properly enforce user privileges, aka ‘Windows Certificate Dialog Elevation of Privilege Vulnerability’.

https://nvd.nist.gov/vuln/detail/CVE-2019-1388

6. CVE-2022-0185

A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.

https://nvd.nist.gov/vuln/detail/CVE-2022-0185

7. CVE-2022-37969

Windows Common Log File System Driver Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-37969

8. CVE-2022-27926

The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP: Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. All devices that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be considered vulnerable. Cisco Bug IDs: CSCve54313.

https://nvd.nist.gov/vuln/detail/CVE-2022-27926

9. CVE-2017-6742

https://nvd.nist.gov/vuln/detail/CVE-2017-6742

10. CVE-2022-40684

https://nvd.nist.gov/vuln/detail/CVE-2023-26359

The SOS Intelligence CVE Chatter Weekly Top Ten – 26 June 2023

by Amir Hadzipasic

June 26, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-26359

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

2. CVE-2023-26360

https://nvd.nist.gov/vuln/detail/CVE-2023-26360

3. CVE-2023-29360

Windows TPM Device Driver Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-29360

4. CVE-2021-34473

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.

5. CVE-2022-42475

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

https://nvd.nist.gov/vuln/detail/CVE-2023-32434

6. CVE-2023-32434

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

7. CVE-2023-32435

https://nvd.nist.gov/vuln/detail/CVE-2023-32435

8. CVE-2023-29336

Win32k Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-29336

9. CVE-2023-33568

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company’s entire customer file, prospects, suppliers, and employee information if a contact file exists.

https://nvd.nist.gov/vuln/detail/CVE-2023-33568

10. CVE-2022-38005

Windows Print Spooler Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-38005

https://nvd.nist.gov/vuln/detail/CVE-2023-0386

The SOS Intelligence CVE Chatter Weekly Top Ten – 19 June 2023

by Amir Hadzipasic

June 19, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2023-0386

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system.

2. CVE-2023-26360

https://nvd.nist.gov/vuln/detail/CVE-2023-26360

3. CVE-2023-26359

https://nvd.nist.gov/vuln/detail/CVE-2023-26359

4. CVE-2023-27997

https://nvd.nist.gov/vuln/detail/CVE-2023-27997

5. CVE-2023-29336

Win32k Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-29336

6. CVE-2023-20887

https://nvd.nist.gov/vuln/detail/CVE-2023-20887

7. CVE-2023-31904

savysoda Wifi HD Wireless Disk Drive 11 is vulnerable to Local File Inclusion.

https://nvd.nist.gov/vuln/detail/CVE-2023-31904

8. CVE-2021-32789

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.

https://nvd.nist.gov/vuln/detail/CVE-2021-32789

9. CVE-2019-13050

Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

https://nvd.nist.gov/vuln/detail/CVE-2019-13050

10. CVE-2023-34362

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

https://nvd.nist.gov/vuln/detail/CVE-2023-34362

The SOS Intelligence CVE Chatter Weekly Top Ten – 12 June 2023

by Amir Hadzipasic

June 12, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2022-42475

https://nvd.nist.gov/vuln/detail/CVE-2023-34362

2. CVE-2023-34362

3. CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

https://nvd.nist.gov/vuln/detail/CVE-2019-11358

4. CVE-2015-7358

The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which allows local users to mount an encrypted volume over an existing drive letter and gain privileges via an entry in the /GLOBAL?? directory.

https://nvd.nist.gov/vuln/detail/CVE-2015-7358

5. CVE-2023-21823

Windows Graphics Component Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-21823

6. CVE-2015-7359

https://nvd.nist.gov/vuln/detail/CVE-2015-7359

7. CVE-2022-40684

https://nvd.nist.gov/vuln/detail/CVE-2020-7065

8. CVE-2020-7065

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.

9. CVE-2023-28187

net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.

https://nvd.nist.gov/vuln/detail/CVE-2023-28187

10. CVE-2023-2868

A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. This patch was automatically applied to all customer appliances.

https://nvd.nist.gov/vuln/detail/CVE-2023-2868

Ransomware

Clop issue ultimatum and SOS Intelligence quoted on the BBC news site

by Daniel Collyer

June 8, 2023

Joe Tidy, the BBC’s Cyber correspondent has written an interesting piece on the MOVEit hack which we issued a Flash Alert about last week.

A prolific cyber crime gang thought to be based in Russia has issued an ultimatum to victims of a hack that has hit organisations around the world.

The Clop group posted a notice on the dark web warning firms affected by the MOVEit hack to email them before 14 June or stolen data will be published.

More than 100,000 staff at the BBC, British Airways and Boots have been told payroll data may have been taken.
BBC

The post by the Clop group urges victim organisations to send an email to the gang to begin a negotiation on the crew’s darknet portal. Our CEO and Founder, Amir was also quoted after speaking with Joe:

“My take is that they just have so much data that it is difficult for them to get on top of it all. They’re betting that if you know then you will contact them,” says SOS Intelligence CEO Amir Hadžipasić.”
Amir Hadžipasić

The critical, zero-day vulnerability in MOVEit Transfer is being actively targeted by threat actors to facilitate data theft.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch. It allows the users to securely transfer files between consumers and partners using SFTP, SCP, and HTTP-based uploads.

The exploit, as yet unassigned a CVE, is being utilised by the Clop group to facilitate mass downloads of victim company data, now known to be the likes of the BBC, BA and Boots.

What is key, is this is likely to be a third party vulnerability which has led to some of these major organisations to be compromised. Many of the organisations are not direct users of the MOVEit software, but outsourced their payroll services to a third-party called Zellis, which was a victim.

Third party cyberthreats are increasingly important due to the porous nature of relationships between companies and organisations.

We are running a webinar on June 14th at 11am UK time discussing how SOS Intelligence can help with this threat. You can sign up here.

Investigation, Opinion

Flipper Zero: An Introduction to Its Capabilities and Potential Risks

by Daniel Collyer

June 7, 2023

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

What is Flipper Zero?

Flipper Zero is a portable, multi-function device, similar in style to the Tamagotchis of the late-90s. While presenting itself as a cute gaming device, complete with a dolphin mascot, under the covers it is a versatile device that allows the user to interact with access control systems. It can read, copy, and emulate NFC and RFID tags, radio remotes, iButton, and digital access keys.

Development of Flipper Zero began in August 2020 with a Kickstarter campaign to raise funds for research and development. It was developed to build a sleek and versatile device to replace the more unwieldy options already available. The result was a single-case device with multiple features and skills to assist prototyping, hardware research, and penetration testing.

One of the key aspects of Flipper Zero is its commitment to open-source development. Its hardware and firmware are openly available, allowing users to modify and enhance its functionalities according to their specific needs. The open-source nature of Flipper Zero fosters collaboration, knowledge sharing, and continuous improvement within the hacker and security research communities.

Inside Flipper Zero – image credit Flipper Zero

What can it do?

Sub-Ghz radio frequencies

Flipper Zero contains a 433MHz antenna which allows it to access Sub-1 GHz radio frequencies. Its chipset gives it a range of ~50m for targeting wireless devices and access control systems, such as garage doors, boom barriers, IoT sensors, and remote keyless systems.

RFID (125 kHz)

A 125 kHz antenna allows Flipper Zero to read low-frequency proximity cards. Older cards, with no authentication mechanisms, can be stored in memory for later emulation.

NFC

Flipper Zero pairs its RFID capability with a 13.56Mhz NFC module. This provides a high-frequency (HF) alternative which allows the device to read, write and emulate tags

Infrared

Flipper Zero’s infrared transmitter can control electronics, such as TVs, stereo systems, etc. Common TV vendor command sequences are contained in a built-in library which is constantly updated and maintained by the Flipper community. It also functions as a receiver, which can receive signals and store them for later use.

Hardware Hacking

Flipper Zero allows versatility for hardware exploration, firmware flashing, debugging and fuzzing. The device can be utilised to run code or provide control to hardware connected via GPIO. It can function as a regular USB to UART/SPI/I2C/etc adapter.

Bad USB

Flipper Zero can emulate USB slave devices, making it appear as a regular device when attached to a computer, similar to a USB Rubber Ducky. It can be pre-programmed with payloads to execute upon connection or provide functionality for USB stack fuzzing.

iButton

Flipper Zero has a built-in 1-Wire connector with a unique design which allows it to read and probe iButton sockets. This allows it to read keys, store IDs in memory, write IDs and even emulate keys themselves.

Bluetooth

Flipper Zero has a built-in, fully supported, Bluetooth Low Energy module, allowing it to act as a host and peripheral device. A corresponding open-source library provided by the developers gives functionality support to community-made apps.

Open-Source Firmware

The key property of Flipper Zero is its open-source firmware. By making this available to all, the developers have encouraged the modification and extension of the Flipper Zero code. This allows access to all functions and hardware used by Flipper Zero to allow users to generate bespoke tools, for example, homemade dosimeters or carbon dioxide detectors

What are the risks?

As with a vast majority of technical tools and devices of this type, the Flipper Zero is not inherently malicious or illegal. Its abilities make it a useful tool for penetration testing, ethical hacking, and hardware development. However, Amazon has taken the view that the device is a “card skimmer”, and the Brazilian government have been seizing shipments of devices due to its alleged use in criminal activity.

Such a tool is not new to the market. Existing hardware, such as Arduino or Raspberry Pi, has often been utilised to develop hardware for nefarious purposes. The initial hardware itself is by no means illegal, and the same can be said for Flipper Zero. Instead, we have looked at the people using the device.

Using SOS Intelligence’s intelligence platform, we have researched and tracked discussions of Flipper Zero on the Dark Web and across online criminal forums. Using “Flipper Zero” as a keyword, used our Alerts system to identify and flag instances where Flipper Zero is mentioned online.

Our period of monitoring ran from the start of 2023 to June 2023. In that time we generated 158 alerts on the keyword “Flipper Zero”. We have been able to break these down into the following:

Our data shows that, while there has not been much in terms of published development within criminal forums or the dark web, there has been significant interest in what has been posted. Exploit development has been particularly popular within the Russian-language forums. The use of Portuguese in more recent Dark Web posts was noted, and this appears to coincide with the Brazilian Government banning the importation of Flipper Zero.

As the product becomes more widely available and used by the community, we expect to see a rise in the number of posts details exploit development as more people share their work with the community.

Cracked.io

On 16 May 2023, we identified Cracked.io member AKA Fu33y creating the thread “OPEN TESLA CHARGING DOORS MOD WITH FLIPPER ZERO”.

The result was a post containing Anonfiles links to two .sub files. These contained configuration data required to utilise Flipper Zero’s sub-GHz antenna to open the charging doors on Tesla vehicles.

Probing further into AKA Fu33y’s activity, we identified a second post from 16 May 2023 titled “HACKER FIRMWARE FOR FLIPPER ZERO”.

This post provided a link to a GitHub repository where over 250 contributors have customised and improved the Flipper Zero firmware, creating an “Unleashed” variant. The creators of this variant are explicit in their condoning of any illegal activity using Flipper Zero and state that their software is for experimental purposes only. This variant provides a massive expansion to the abilities of Flipper Zero’s inbuilt capabilities, widening the scope for criminal use.

Hackforums

We were able to identify similar activity on Hackforums. User AKA aleff shared their own GitHub repository (my-flipper-shits).

This repository focused on scripts to utilise the BadUSB function. They range from simple pranks, such as rick-rolling, to more exploitative functions, including data exfiltration or malicious code execution.

User AKA Angela White provided instructions on utilising cheap components and open-source software to create a WiFi Dev Board.

Utilising this upgrade, with the mentioned Wifi Marauder software, would turn the Flipper Zero into a device capable of sniffing or attacking WiFi networks.

Exploit.in

Flipper Zero is still relatively new to the market, and supply issues have meant that they have not progressed far into the community as yet. However, as it does, more opportunities will be given to both benevolent and malicious developers to generate custom firmware and code for Flipper Zero. Our alert system has identified user AKA Rain_4, a member of Exploit.in, discussing the BadUSB possibilities of Flipper Zero and providing a basic code for creating a reverse shell for MacOS devices. This highlights how, with only a few lines of code, the Flipper Zero can be utilised to gain access to victim devices (this does of course require Flipper Zero to be connected to the victim device).

Key Takeaways

The device itself: To reiterate, Flipper Zero is not in and of itself a malicious device. It can have multiple benevolent uses and has the potential to be a useful multitool for practical operators in the cyber security industry, such as ethical hackers and penetration testers. However, our data is showing that as the product becomes more widespread and available to the public as a whole, malicious users are generating code, tools and firmware to turn Flipper Zero into something more malicious than maybe its creators intended.

Using SOS Intelligence: What was apparent from the research undertaken, was how SOS Intelligence enabled us to do this in a straight forward and efficient manner. Historically, this kind of deep dive into the more nefarious uses would not have been possible.

Using keywords and phrases and looking into the forums and sites where this kind of thing is routinely discussed was both easy and enjoyable. We’ve worked hard improving the user experience and UI and the feedback from this continues to be incredibly positive.

“In today’s rapidly evolving digital and physical landscape, comprehending emerging threats like FlipperZero is of utmost importance. Robust intelligence coverage, including monitoring adversary communication, enables informed risk-based analysis to understand the implications of this new digital radiofrequency tool. Our publication of article on “Flipper Zero: An Introduction to Its Capabilities and Potential Risks” serves as a valuable guide for defence, equipping stakeholders with insights to navigate this threat through informed analysis and strategic decision-making while demonstrating the capability and ease of use of our platform.”

Amir Hadzipasic, CEO and Founder

If you’d like to learn more, then please click here to book a demo.

References

The SOS Intelligence CVE Chatter Weekly Top Ten – 05 June 2023

by Amir Hadzipasic

June 5, 2023

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

1. CVE-2022-40684

https://nvd.nist.gov/vuln/detail/CVE-2018-13379

2. CVE-2018-13379

An Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”) in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via special crafted HTTP resource requests.

3. CVE-2019-11358

https://nvd.nist.gov/vuln/detail/CVE-2019-11358

4. CVE-2020-6507

Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

https://nvd.nist.gov/vuln/detail/CVE-2020-6507

5. CVE-2023-26359

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

https://nvd.nist.gov/vuln/detail/CVE-2023-26359

6. CVE-2020-8516

https://nvd.nist.gov/vuln/detail/CVE-2020-8516

7. CVE-2023-26360

https://nvd.nist.gov/vuln/detail/CVE-2023-26360

8. CVE-2021-34473

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.