I enjoy breaking things. Telco / mobile and IoT security.
Surfing the information super highway one keystroke at a time.
Jul 13 • 7 tweets • 2 min read
A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇
Let's start with the simplest example. Select a mount namespace that is not used by systemd/init.
Migrate the current shell into that process's mount namespace and mount a tmpfs file system.
Anything that writes the mounted path is concealed from users on the host. (2/7)
Jun 2 • 23 tweets • 8 min read
Newer variants of #BPFDoor have an interesting modification that avoids detections looking for processes with raw sockets. The kernel reports SOCK_DGRAM rather than the rather loud "SOCK_RAW". Here we have a sample found in the recent SKT telco breach. (1/20)
Perhaps it's only looking for UDP magic packets? Not so fast. Let's look at what changed.
A BPF filter is used as before, but the socket is opened with type SOCK_DGRAM while the protocol is ETH_P_IP.
What's the defined behaviour here?
(2/20)
May 28, 2024 • 15 tweets • 5 min read
When pairing your mobile phone to that Wifi / Bluetooth device and it forces you to grant it location permissions, pause for a moment to think who may be the beneficiaries of this information.
Case in point:
The Dyson app refuses to pair to their devices such as this fan/heater/air purifier - unless you give in and give them your location data.
This is a premium product at a high price point. Surely they are not monetising this?
What’s the privacy policy say? …
Mar 26, 2024 • 19 tweets • 9 min read
If you needed yet another reason not to trust VPN providers or proxy services...
Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other apps' traffic.
I recently found two very interesting Linux binaries uploaded to Virustotal.
I call this malware 'GTPDOOR'.
GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵
One version, uploaded from 🇨🇳, has zero detections on VT. The other, uploaded from 🇮🇹, has just one detection.
These were uploaded 4 to 5 months ago.
(2/n)
Feb 20, 2024 • 17 tweets • 6 min read
The Chinese APT contractor leak contained a few interesting files; namely:
- CDRs (Call Detail Records)
- LBS (Location Based Services) db records
Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.
Some background: (1/5)🧵
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems.
It's these central databases that are often targeted. Data for a subscriber is generated in many systems:
(2/5)
Feb 10, 2024 • 22 tweets • 9 min read
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket.
"Hi there, let's get to know each other"
Sure, let's do this. What will we learn? (1/n) 👇
Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I was kind of expecting it to request my location for this, which it didn't. (2/n)
Jul 23, 2023 • 48 tweets • 25 min read
This invasive Bluetooth car battery monitor was found to be sending the following location data to 🇨🇳
- GPS
- Wifi devices
- Cell phone towers
The Apple and Google app stores said no personal data was collected.
A new update has emerged. Let's see what was changed 👇(1/n)
Before we begin the investigation, a coverage map of where these devices have been found across planet earth.
Collected Bluetooth beacon data from reveals they are everywhere. There are likely hundreds of thousands of these roaming about.
A twitter user mentioned the mobile app for their “smart” wifi connected power plug was requesting their location.
The app has more than 1 million downloads.
Curious, I ordered the ‘Meross’ branded device and it’s just arrived.
What will we find? Let’s dig in ..🧵
Let's see how we can pair with the minimum amount of granted permissions.
Discovering "nearby devices" with Bluetooth enabled is mandatory. It then prompts for precise and approx. location.
Hit deny.
We have to manually connect to the device - it's turned into a wifi AP.…
Jul 5, 2023 • 16 tweets • 8 min read
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out.
The Android grid connect app has 500k+ downloads.
Let’s take a quick look! 🧵
(1/n)
The app has a feature where it can auto-discover your BLE devices. Is location permission needed here? It depends. From Android API SDK v31 onwards, things have improved: fine location is not needed for BLE scanning.
The app is forcing this even though we are on v31.