Merlin Labs Memo -- Week of January 9-13

FCC Focuses on Improving Security Requirements for Wireless Devices

An FCC Commissioner has called on the agency to “modify its equipment authorization process to require device manufacturers to provide software security updates to their wireless devices for a defined period of time.” The commissioner continues: “It’s time to turn our attention to the millions of wireless devices in our country that are insecure, not because they’re made by unfriendly state-controlled entities or criminal hackers masquerading as legitimate manufacturers, but rather, because their makers have failed to put sufficient care into making and keeping them secure.” -- Via In Compliance

Our Take: Over the past few years, there has been a massive expansion of the breadth and depth of IT system assets and attributes as operational technologies (OT), Internet of Things (IoT) technologies, Internet of Medical Things (IoMT) technologies, and countless other IP-equipped technologies (referred to collectively as IoXT just for fun) have flooded the pool of Internet-enabled systems and networks. The traditional perimeter has disintegrated, with wireless and mobile devices contributing heavily to its dismantlement. It shouldn’t be surprising, then, that a regulatory agency like the FCC is focused on applying the same types of cybersecurity hygiene expectations to wireless/mobile devices that have long been the norm for traditional computing devices. Savvy IT leaders are already well aware that they must consider wireless devices and non-traditional IT devices in their cybersecurity programs - and dealing with antiquated device hardware and software presents a tough vulnerability hurdle to overcome.

Cybersecurity teams have added IoXT-monitoring tools to their security stacks and updated policies and procedures accordingly - with a commitment to cybersecurity hygiene best practices across all IoXT device types - but it isn’t enough. Further evolving the culture of the industry to include manufacturer accountability for the upkeep of wireless devices is a no-brainer. Regardless of whether the FCC implements new requirements or not, looking to the equipment manufacturers to step up their game and deliver the types of continuous updates and security enhancements we’ve come to expect from traditional IT device manufacturers is something the industry needs to do. While we may never be completely free from adversaries and cybersecurity breaches, there is no reason we should leave a key to the door of our digital homes in the form of a neglected, outdated, and vulnerable wireless device. -- Sarah Hensley

ChatGPT: Tool of the Devil, or Just a Tool?

ChatGPT is a tool available online from OpenAI. It’s ostensibly just another chatbot, but this one is different: it can write code. Leaving aside its ability to generate essays or song lyrics, it’s capable of generating decent, usable code from a set of plain-language requirement statements. If the code doesn’t work exactly as desired, it retains the earlier prompts in the conversation and can correct its previous output to get it right on the next try.

ChatGPT is capable of generating malware scripts, but it’s also capable of generating helpful scripts. Members of malware forums are already using it to create scripts and are sharing them within their communities. Before we write off ChatGPT as a threat to education, computers, and all that is good in the world, however, we also need to consider how it’s being used by administrators and operations staff to create scripts that automate functions, including security functions.

Our Take: I’ve got a personal story to share on this. I had a conversation with a friend about ChatGPT making malware and thought that would be the whole of this article. But my friend was inspired to use ChatGPT to help him with a PowerShell script he’d been stuck on, for a function he wanted to run in Cisco AMP. In six minutes, he got further than he had in the previous week on his own. With ChatGPT, he was able not just to get the code he needed, but also to learn how to code better from reading over what the tool generated.

So, yes, coders of all stripes are going to use this tool – or another just like it – either to solve their coding issues or to generate code out of nothing more than a few ideas. It empowers anyone to write code, test it, and make fixes based on prior results. Because the question in my title has an “or” in it, the answer is “yes.” We can expect more malware generated with tools like this, but we can also automate more defenses with tools like ChatGPT. We still need a human in the mix to do testing and qualification of the code, but think about how many more functions can be better automated with AI coders doing most of the heavy lifting.

We’ll see more stories about automated malware in the days to come. It’s up to us on the blue side of security to get busy creating training for AI coding for script-hungry security tools. -- Dean Webb

Not Telegram, But All the Functions in Someone Else's Hands

“ESET researchers identified an active campaign that we have attributed to the StrongPity APT group. Active since November 2021, the campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers.” The malicious app is a weaponized version of Telegram; if a “victim grants the malicious StrongPity app accessibility services, one of its modules will also have access to incoming notifications and will be able to exfiltrate communication from 17 apps such as Viber, Skype, Gmail, Messenger as well as Tinder.” -- Via WeLiveSecurity

Our Take: Interestingly, the research goes on to describe how the threat is no longer available because it leveraged a sample Telegram license (which has since been revoked). It is likely the threat actor had a specific set of targets in mind and that the initial attack campaign has completed, with unknown results. The license that was used was a short-lived API key that is actively monitored by the Telegram team.

Weaponizing applications like Telegram to provide backend access to private applications poses a direct threat to consumer, corporate, and government users. On the good side, mobile security solutions such as Zimperium would possibly have prevented the infection, since the app was not an official app from the Google Play Store. Ultimately, the user should have noticed that the permission requests came from Telegram rather than from Shagle, which is a web-only application.

Bad side? It was a complex infection that could have been a dry run for the Python scripts and advanced payloads that were part of the secondary infections, with the goal of recording private chats and conversations. -- Jeremy Newberry

Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!
