Pegasus spyware and MVT

So just for the heck of it I installed MVT (Mobile Verification Toolkit) the other day, which is a piece of software released by Amnesty international to check if you have Pegasus spyware installed on your phone.

If you haven’t read about it Pegasus spyware is some nasty stuff (It’s developed by the Israeli cyberarms firm NSO Group). It seems it was installed on Jamal Khashoggi’s phone (you know that chap who was assassinated by agents of the Saudi government at the Saudi consulate in Istanbul, Turkey). Also today I read that Sheikh Mohammed used spyware on Princess Haya and five associates in an unlawful abuse of power.

In short this Pegasus spyware is so bad, they recommend that if it’s installed on your phone you should get rid of / destroy the phone. Apparently even erasing the phone from scratch has no effect!

The detection software it’s self is command line interface based (So not for the average user) and it took a bit of mucking about to get it to run. Using a debian linux machine from scratch it took an hour or 2 to get the dependencies and settings on the phone sorted so that the computer could fossick about the phone for any trace of the nasty.

Although it’s satisfying to be able to do this – the need to do more to protect your devices sprang to mind – a quick glance thru some of the documentation came up a number of urls a few of which I’ll list.

free247downloads[.]com
urlpush[.]net
get1tn0w.free247downloads[.]com
infospress[.]com
https://d38j2563clgblt.cloudfront[.]net
https://2far1v4lv8.get1tn0w.free247downloads[.]com

There is more in this document that you might like to grep thru.
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/.

Be warned The [.] should be removed to find the current related ip address. Do this with care, and only use command line interface related commands, do not open any of the above in a browser!

Which brings up the issue of if your running your own network and routers. I’d slap some acl’s on these darn things and the related ip address, as it will give you a little more protection against possible infection.

In addition to this, is that this software seems to use a lot of url redirects. So if your concerned this article on how to stop redirects may be worth reading.

https://www.techadvisor.com/how-to/internet/how-block-webpage-redirects-3690103/

Stay safe people. It seems that the Internet is still the wild wild west.

You can find the mvt software here.
https://github.com/mvt-project/mvt

The Darkside

Ransomware, the stuff of your worst nightmares. It seems as if this is getting very serious. The Darkside is a group of hackers that have recently caused a lot of pain. For example in the US the Colonial Pipeline has been shut down – that’s 5,550 miles of pipe for the oil industry. Meanwhile in Washington DC police are also subject to ransomware – they have allegedly offered $100,000 dollars – apparently this was not enough! So not only are they locking up all those machines they are also sifting thru all your data, and exposing that infomation on the net, using it as an extra point of leverage.

As noted in the Kerbs article. “Security firm Emsisoft found that almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020”.

How do you defend against this? So there is a few ways to approach this – one is to air-gap and remove mission critical computers from the internet. Think about it, that payroll machine? That set of servers that run the production plant? Do they really need to be on the internet 24 /7 ? May be you have one cable that you physically connect when and only when you need to (to run OS software and security updates). Maybe you set up a seperate airgaped network for that server and the network of production machines. Silo those machines. 

Anti virus software. Use it but configure it so it doesn’t stop your functionality. This can sometimes feel like a black art, and it’s often hard to get the balance right but it is a good idea for a lot of users. 

Backup your files. You have that latest pitch? Is it backed up? Can you restore it? Do you know how long it would take to re build your server? Those 20 machines that are the core of your company? Knowing this and the cost of the emergency rebuild process is something that you should be on to. 

Get rid of those very old machines! If you have an old machine that’s never been updated it’s a huge risk vector. Spend some time and money now before it costs you big time.

Use your firewall /s! This is a great starting point, if your activley monitoring things use that info – put it back into your firewall. Do you have a mcahine build you maintain? Why not use that firewall info in your machine builds?

What ever you do “Have a plan!” A cyber security plan.

Being able to protect and if necessary re build you network from scratch is one way of beating these crooks – but if you start looking into the detail of what’s involved it’s scary stuff. Stay safe on the interwebs people!

 Related reading – Darkside hack
https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

https://en.wikipedia.org/wiki/Colonial_Pipeline_cyberattack

https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack

Washington DC Police
https://www.vice.com/en/article/5dbgbk/washington-dc-police-allegedly-offered-dollar100000-to-hackers-to-stop-leak

From my Spells book No1 Tcpdump

So I have a number of journals one of which I call “Spells” ! It’s just a collection of scripts commands etc. But for years now I’ve been thinking about putting together some short snappy articles about each of them – so finally hear we go!

Tcpdump is a “data-network packet analyser computer program”
What does it do? It lets you look at network traffic and see what is coming into and out of your computer.

Typically this can be useful if you want to see what is going on with a particular application (it might be a web server or a mail server – you might want to look at DNS traffic).

Usage is fairly straight forward 

ie “sudo tcpdump” Will give you pretty much everything coming in and going out of the machine. It’s interesting to run this and if you look closely you can get an idea of web page construction – live connectivity all sorts of interesting stuff. But it is sometimes a lot of information (use control command key combination to stop the session).

sudo tcpdump port 53
Will give you an idea of whats going on with regards DNS
If your running a web server “sudo tcpdump port 80” or “sudo tcpdump port 443” will give you a good picture of whats going on.

It’s even useful just to see if the network is up – for example you can bring up a couple of terminal windows
“sudo tcpdump icmp” in one window and “ping 8.8.4.4” in another, will give you feedback like this and indeed prove that your computer is infact on the interweb!

Tcpdump and icmp running in seperate terminal windowss!

If you want to actually capture data to a file try something like this
“sudo tcpdump -s 0 -w dumpfile host 8.8.8.8” and then “ping 8.8.8.8” that will create a packet dump in a format that can be read via tcpdump or something like wireshark if you want to view things in a GUI.
 
Although this is just a basic introduction to packet tracing, tcpdump is the grandaddy of all packet tracers and it’s a good skill to have. 

One word of warning though, is that you should not run tcpdump on a network that is not yours! Ie check if your doing this at work, as in some situations it could be considered not appropriate or verging on hacking. Use with caution!

Cisco people update and Patch NOW!

Cisco Tiki art from logic board
Cisco logic board

Just a quick shout out …. So one of the things that is some times talked about is the problem of the “non heterogeneous” or homogenous networking environment. The illusion that choosing the market dominant product (because everyone else buys it) is the right thing to do …. Anyhow it seems that Cisco is in a bit of bother due to its some what hated buggy protocol CDP. If your a cisco nerd and haven’t caught up on this it might be time to do a bit of serious patching!

Have a look at this wired article
Cisco Flaws Put Millions of Workplace Devices at Risk

And also the Reg have something about it
Tens of millions of Cisco devices vulnerable to CDPwn flaws: Network segmentation blown apart by security bugs

Stay safe on the Interwebs!

Steve