hackerfantastic.x
Jun 11, 2024 (7 tweets)
Someone left a "secure" Russian phablet on the back of a bus in Salisbury, England. It was running Aurora OS, a so-called "trustphone" device for use by the Russian Government and corporations... here are the flash ROM dumps for 4.0.2.249, 4.0.2.82 and 3.2.1.65. mega.nz/file/V3tgEAKJ#…
When generating "secure random" passwords in "SecretKeeper", it's important to always seed random number generator qsrand() with the current time. That way you can easily recover your passwords for sensitive Russian environments in case you were ever logged out of them....
Nobody knew how the devices worked; conveniently, the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about "trusted" devices too! We'd all have been lost without those. mega.nz/file/0r9D0Z5K#…
The middle-aged ninja turtles tried contacting everyone at Russia's postal service, railway, central bank, government and even the army (who all exclusively use these devices), but sadly the owner was never found. Now we should all just enjoy the picturesque screenshots from the ROMs.
If you were struggling to mount the aurora.img dumps, you should use "simg2img" and then use them as loopback devices; ensure they are truncated to the correct size with commands such as "truncate -s $((3720544 * 512)) aurora_raw.img", and mount with LVM.
@janekm I looked up internal photos from FCC IDs of similar chipset devices, with similar screens and specifications; the circuit blocks were found re-used on some devices, but I found nothing close enough to the W1Z2GS_V1_20191111 design yet.
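The mount procedure from the thread, written out as a script. This is an added example, not code from the thread or from Aurora OS; it assumes simg2img, util-linux (losetup, truncate) and lvm2 are installed and that it runs as root, and it discovers the volume group and logical volume names from the image rather than assuming them.

```shell
#!/bin/sh
# Added example, not code from the thread: prepare an Aurora OS "aurora.img" dump
# for offline analysis the way the thread describes (simg2img, truncate to the
# sector count, read-only loop device, LVM activation, read-only mounts).
# Assumed: simg2img, util-linux and lvm2 are installed and the script runs as root.
set -eu

SECTOR_BYTES=512
SECTORS=3720544        # sector count quoted in the thread for the dump

# Byte size the raw image must have: sectors * 512 (the thread's truncate target).
raw_size_bytes() {
    echo $(( $1 * SECTOR_BYTES ))
}

# Succeeds (exit 0) when file $1 is not yet $2 sectors long and needs "truncate -s".
needs_truncate() {
    actual=$(wc -c < "$1")
    [ "$actual" -ne "$(raw_size_bytes "$2")" ]
}

# $1 sparse image, $2 raw output path, $3 mount root.
prepare_and_mount() {
    simg2img "$1" "$2"                      # sparse Android image -> raw image
    if needs_truncate "$2" "$SECTORS"; then
        truncate -s "$(raw_size_bytes "$SECTORS")" "$2"
    fi
    loop=$(losetup --find --show --read-only "$2")   # never write to the evidence
    vgscan --mknodes >/dev/null
    vg=$(pvs --noheadings -o vg_name "$loop" | tr -d ' ')   # VG name found, not assumed
    vgchange -ay "$vg"
    for lv in $(lvs --noheadings -o lv_path "$vg"); do
        dir="$3/$(basename "$lv")"
        mkdir -p "$dir"
        # ro + noexec/nosuid/nodev: nothing from the dump can run on the analysis host
        mount -o ro,noexec,nosuid,nodev "$lv" "$dir" \
            || echo "skip $lv: not a mountable filesystem" >&2
    done
    echo "loop device $loop, volume group $vg, mounts under $3"
}

if [ "$#" -ge 3 ]; then
    prepare_and_mount "$1" "$2" "$3"
fi
```

Run as `./mount_aurora.sh aurora.img aurora_raw.img /mnt/aurora`; afterwards `umount` the mounts, `vgchange -an` the group and `losetup -d` the loop device to release the image.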