hacker.house Profile picture
Jun 11, 2024 7 tweets 5 min read Read on X
Someone left a "secure" Russian phablet on the back of a bus in Salisbury, England. It was running Aurora OS, a so-called "trustphone" device for use by Russian Government and corporations... here's the flash ROM dumps for 4.0.2.249, 4.0.2.82 and 3.2.1.65. mega.nz/file/V3tgEAKJ#…
When generating "secure random" passwords in "SecretKeeper", it's important to always seed random number generator qsrand() with the current time. That way you can easily recover your passwords for sensitive Russian environments in case you were ever logged out of them....
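The qsrand(time) pattern the tweet mocks is a generic weakness: any deterministic generator seeded from a low-resolution clock yields passwords whose strength is bounded by the number of possible seeds, not by their length. The following is an added example written for this page, not code from hacker.house or from the SecretKeeper application; it uses Python's random.Random as a stand-in for Qt's qsrand/qrand (the property shown, same seed gives same password, holds for any deterministic PRNG) and contrasts it with a CSPRNG-backed generator.

```python
import math
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, ~5.95 bits each


def weak_generate(seed: int, length: int) -> str:
    """Password from a PRNG seeded with a caller-supplied value, e.g. the
    current time in seconds (the qsrand(time(NULL)) pattern).
    random.Random is a stand-in for Qt's generator, an assumption of this
    example: the weakness demonstrated is the seed choice, not the algorithm."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int) -> str:
    """Password drawn from the OS CSPRNG; no seed exists to replay."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_entropy_bits(length: int, seed_candidates: Optional[int] = None) -> float:
    """Upper bound on password entropy.

    With a CSPRNG the bound is length * log2(|alphabet|). With a seeded PRNG
    the password is a function of the seed, so the bound is also capped by
    log2(number of seeds the attacker must consider); a 1-second clock over
    one day gives 86400 candidates, about 16.4 bits, regardless of length."""
    nominal = length * math.log2(len(ALPHABET))
    if seed_candidates is None:
        return nominal
    return min(nominal, math.log2(seed_candidates))


if __name__ == "__main__":
    # Constructed demo seed: a Unix timestamp in June 2024 (not taken from any real device).
    seed = 1718064000
    print("seeded  :", weak_generate(seed, 16), "==", weak_generate(seed, 16))
    print("csprng  :", strong_generate(16), "!=", strong_generate(16))
    print("bits, 16 chars, clock-seeded over a day:", round(effective_entropy_bits(16, 86400), 1))
    print("bits, 16 chars, CSPRNG               :", round(effective_entropy_bits(16), 1))
```

The practical check for a code review is the first line of weak_generate: if the generator is seeded from anything an outsider can bound (time, PID, uptime), the length of the output is cosmetic; the fix is to remove the seed entirely and read from the platform CSPRNG.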
Nobody knew how the devices worked; conveniently, the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about "trusted" devices too! We'd all have been lost without those. mega.nz/file/0r9D0Z5K#…
The middle-aged ninja turtles tried contacting everyone at Russia's postal service, railway, central bank, government and even the army (who all exclusively use these devices) but sadly the owner was never found. Now we should all just enjoy the picturesque screenshots from the ROMs.
If you were struggling to mount the aurora.img dumps, you should use "simg2img" and then use them as loopback devices; ensure they are truncated to the correct size with commands such as "truncate -s $((3720544 * 512)) aurora_raw.img" and mount with LVM.
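The simg2img step exists because the aurora.img files are in Android's sparse image container, which has to be expanded to a raw block image before losetup will see a partition table or LVM metadata. As an added example, not from hacker.house's thread or from the Aurora OS project, here is a self-contained Python expander for that format (the same job simg2img does) plus the size-fixing step the tweet performs with truncate. The Aurora images themselves are not embedded; a small sparse image is constructed inline so the script runs offline.

```python
import struct
import sys

# Android sparse image format constants (from the public format definition).
SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
FILE_HDR = "<IHHHHIIII"   # magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz, total_blks, total_chunks, crc
CHUNK_HDR = "<HHII"       # chunk_type, reserved, chunk_sz (blocks), total_sz (bytes incl. header)
SECTOR = 512


def simg2img(sparse: bytes) -> bytes:
    """Expand a sparse image into a raw block image, validating every chunk."""
    (magic, major, _minor, file_hdr_sz, chunk_hdr_sz,
     blk_sz, total_blks, total_chunks, _crc) = struct.unpack_from(FILE_HDR, sparse, 0)
    if magic != SPARSE_MAGIC:
        raise ValueError("not a sparse image (bad magic)")
    if major != 1 or blk_sz % 4 != 0:
        raise ValueError("unsupported sparse version or block size")
    out = bytearray()
    off = file_hdr_sz
    for _ in range(total_chunks):
        ctype, _res, blocks, total_sz = struct.unpack_from(CHUNK_HDR, sparse, off)
        payload = sparse[off + chunk_hdr_sz: off + total_sz]
        nbytes = blocks * blk_sz
        if ctype == CHUNK_RAW:
            if len(payload) != nbytes:
                raise ValueError("RAW chunk payload size mismatch")
            out += payload
        elif ctype == CHUNK_FILL:
            if len(payload) != 4:
                raise ValueError("FILL chunk needs a 4-byte pattern")
            out += payload * (nbytes // 4)
        elif ctype == CHUNK_DONT_CARE:
            out += bytes(nbytes)          # unallocated region: zero-fill
        elif ctype == CHUNK_CRC32:
            pass                          # checksum chunk carries no image data
        else:
            raise ValueError(f"unknown chunk type {ctype:#x}")
        off += total_sz
    if len(out) != total_blks * blk_sz:
        raise ValueError("expanded size disagrees with header total_blks")
    return bytes(out)


def pad_to_sectors(raw: bytes, sectors: int, sector: int = SECTOR) -> bytes:
    """Equivalent of `truncate -s $((sectors * 512))`: pad with zeros or cut."""
    target = sectors * sector
    return raw[:target] if len(raw) >= target else raw + bytes(target - len(raw))


def build_demo_sparse(blk_sz: int = 4096) -> bytes:
    """Constructed sample: one RAW block, two FILL blocks, one DONT_CARE block."""
    raw_chunk = struct.pack(CHUNK_HDR, CHUNK_RAW, 0, 1, 12 + blk_sz) + b"A" * blk_sz
    fill_chunk = struct.pack(CHUNK_HDR, CHUNK_FILL, 0, 2, 12 + 4) + b"\xde\xad\xbe\xef"
    skip_chunk = struct.pack(CHUNK_HDR, CHUNK_DONT_CARE, 0, 1, 12)
    header = struct.pack(FILE_HDR, SPARSE_MAGIC, 1, 0, 28, 12, blk_sz, 4, 3, 0)
    return header + raw_chunk + fill_chunk + skip_chunk


if __name__ == "__main__":
    # Usage: python this.py [aurora.img] ; without an argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_sparse()
    raw = simg2img(data)
    print(f"expanded {len(data)} sparse bytes -> {len(raw)} raw bytes ({len(raw) // SECTOR} sectors)")
```

The expanded output is what gets attached with losetup; activating the volume group inside it is a host-side LVM step this script does not perform. The sector-count argument of pad_to_sectors mirrors the tweet's 3720544 figure, which you would read from the partition table or LVM metadata of the specific dump rather than guess.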
@janekm I looked up internal photos from FCC IDs of similar chipset devices, with similar screens and specifications; the circuit blocks were found re-used on some devices but I found nothing close enough to the W1Z2GS_V1_20191111 design yet.
More from @hackerfantastic

Oct 17, 2025
China having BigIP F5 source code... that's Cisco/Huawei again. What a coup for them. If you do not understand the significance of a foreign nation state having unfettered source code access to the latest F5 load balancers, you don't understand anything about user scale.
BigIP F5 once had *hardcoded* SSH users with private keys, you could simply ssh in by default. It has had a history of simple and easy to exploit issues and due to its purpose for managing distributed loads across systems, it frequently has privileged network vantage points.
If China isn't aggressively using this information for espionage, distributing it to Chinese technology companies, contractors and CCP agents for distribution to its state-sanctioned copyright violating global distribution apparatus then someone else did it.
Mar 7, 2025
"Using a device called an IMSI grabber, they planned to intercept the soldiers' mobile phone numbers in order to help the Russians target them when they returned to Ukraine to operate the missile batteries." - the "Little Minions" working for GRU(lmao) arrested in UK.
When police raided the hotel as part of an operation, codenamed Skirp, they found it packed with technical equipment including 495 SIM cards, 221 mobile phones, 258 hard drives, 55 visual recording devices, 33 audio devices, 16 radios and 11 drones.
Police spent eight days combing through the property, which was packed to the ceiling with electronic surveillance equipment, including a £120,000 "law enforcement grade" IMSI grabber.
Jun 25, 2024
Buy a stingray device for intercepting cellular traffic, only $100k on eBay 😂 ebay.com/itm/4049333960…
That eBay seller must have gotten his hands on some liquidated government-backed monitoring equipment. This is old equipment but a bargain at $600 - frequency counter, AOR wide-band receiver and numerous antennas for wireless signal detection and monitoring. Used to cost $1000's
131? What a coincidence I have the same combination on my luggage.... :P
May 1, 2024
Lennart Poettering intends to replace "sudo" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.
This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets.
I have only spent a little bit of time digging through the new implementation, I do not see how it is "safer" or more "secure" than existing SUID "sudo" or "su" implementations. It certainly seems to add additional attack surface to Linux as every sudo command is a service.
Jan 2, 2024
Stinger is a Vault7 privilege escalation module from "Fine Dining", the only information is that it is a "UAC bypass that obtains the token from an auto-elevated process, modifies it, and reuses it to execute as administrator" - the video shows my implementation.
I started with only the information above, and tried to work out what this UAC bypass could be. It turns out you can read the process token of an auto-elevated binary (even on Win 11!), ShellExecuteEx returns process handle to high integrity process and you can access its token.
Token hijacking is a lot of fun and it turns out reading a high IL token from a UAC restricted proc was the easy part - I was able to duplicate the token without issue and then elevate the thread, even on Windows 11. As pictured - left, low privileged and on right, my high privileged thread.
Dec 30, 2023
This is more likely the work of an intelligence agency, not an APT. An APT is a contractor service organized by or reporting to the intelligence agencies of a nation-state or an OCG and does not have the same level of bureaucracy with payload delivery. The selective targeting gives it away.
I do not consider GCHQ or NSA TAO as APT in the traditional sense, they are a vastly superior threat when compared to a contractor hired by say the FSB to steal western secrets through drive-by downloads. There is cross-over but one is a wide industry threat, the other very specific.
As an industry doing simulated breaches, cyber-enabled intellectual property theft or financially motivated crimes, our strategies and assessment programs are designed to simulate and detect adversary behavior from threats that you are most likely to face in your industry.