Zyxel has an actively exploited vulnerability so patch now, a shut down iphone could be
Zyxel has an actively exploited vulnerability so patch now, a shut down iphone could be

hacked, and a SatComms hack is being blamed on Russia!
hacked, and a SatComms hack is being blamed on Russia!

All that coming up now on ThreatWire.
All that coming up now on ThreatWire.

Greetings!!
Greetings!!

I’m Shannon Morse and this is ThreatWire for May 17 2022 - this is your summary of
I’m Shannon Morse and this is ThreatWire for May 17 2022 - this is your summary of

the threats to our security, privacy and Internet freedom.
the threats to our security, privacy and Internet freedom.

Announcement!
Announcement!

I have a new Patreon perk to share with y’all.
I have a new Patreon perk to share with y’all.

For years I’ve always done 3 stories for free on youtube, and now I’m adding additional
For years I’ve always done 3 stories for free on youtube, and now I’m adding additional

work to my weekly effort to bring you the news and in order to pay for my time, I’m
work to my weekly effort to bring you the news and in order to pay for my time, I’m

including a fourth story as a new perk just for Patrons.
including a fourth story as a new perk just for Patrons.

I appreciate everyone who helps make this show possible because it continues to be ad
I appreciate everyone who helps make this show possible because it continues to be ad

free, we even turn off monetization on youtube, so this is literally the only way this show
free, we even turn off monetization on youtube, so this is literally the only way this show

is funded.
is funded.

So thank you for the support, let’s get started with today’s news.
So thank you for the support, let’s get started with today’s news.

If you own Zyxel networking equipment, a recent vulnerability in their firewall products has
If you own Zyxel networking equipment, a recent vulnerability in their firewall products has

been patched and updating is recommended.
been patched and updating is recommended.

This is a critical vulnerability tracked as CVE 2022-30525, and was originally disclosed
This is a critical vulnerability tracked as CVE 2022-30525, and was originally disclosed

by Rapid7 on April 13 of this year.
by Rapid7 on April 13 of this year.

Zyxel had pushed a silent update out two weeks ago but have now publicly disclosed the vulnerability.
Zyxel had pushed a silent update out two weeks ago but have now publicly disclosed the vulnerability.

In this case, the issue affects several models of networking equipment including the USG
In this case, the issue affects several models of networking equipment including the USG

Flex line, USG, and APT lines with firmware 5.21 or below.
Flex line, USG, and APT lines with firmware 5.21 or below.

The specific products it affects are ones that use firewalls that support Zero Touch
The specific products it affects are ones that use firewalls that support Zero Touch

Provisioning or ZTP.
Provisioning or ZTP.

The affected firmware is ZLD5.00 up through ZLD 5.21 Patch1.
The affected firmware is ZLD5.00 up through ZLD 5.21 Patch1.

Companies use these across the world, with Rapid7 reporting that they’d found 15000
Companies use these across the world, with Rapid7 reporting that they’d found 15000

visible and affected models on Shodan.
visible and affected models on Shodan.

Weirdly, according to their report, Zyxel originally planned to release a patch for
Weirdly, according to their report, Zyxel originally planned to release a patch for

the flaw on June 14, but silently released one ahead of schedule without indicating such
the flaw on June 14, but silently released one ahead of schedule without indicating such

to Rapid7.
to Rapid7.

Rapid7 found out a patch was released, so they publicly disclosed the flaw on May 12.
Rapid7 found out a patch was released, so they publicly disclosed the flaw on May 12.

Zyxel has noted this was because of a miscommunication during the disclosure coordination process.
Zyxel has noted this was because of a miscommunication during the disclosure coordination process.

A Metasploit module as well as a demonstration video are available online and linked in my
A Metasploit module as well as a demonstration video are available online and linked in my

shownotes via Patreon.
shownotes via Patreon.

Since many of these products are usually used in small businesses or corporate networks
Since many of these products are usually used in small businesses or corporate networks

to give employees access to VPNs, email security, SSL inspection, protection against intrusions
to give employees access to VPNs, email security, SSL inspection, protection against intrusions

etc, that means an attacker could gain access to proprietary networks should a product go
etc, that means an attacker could gain access to proprietary networks should a product go

unpatched.
unpatched.

This flaw allows an attacker to gain full access to devices and networks, as it’s
This flaw allows an attacker to gain full access to devices and networks, as it’s

an unauthenticated remote command injection flaw through the HTTP interface.
an unauthenticated remote command injection flaw through the HTTP interface.

Input is passed through unsanitized, allowing an attacker to inject arbitrary commands.
Input is passed through unsanitized, allowing an attacker to inject arbitrary commands.

Last week on Friday, Shadowserver Foundation noticed active attempts to exploit the vulnerability,
Last week on Friday, Shadowserver Foundation noticed active attempts to exploit the vulnerability,

and security researchers have responded by creating scripts that can detect unauthenticated
and security researchers have responded by creating scripts that can detect unauthenticated

remote command injections on Zyxel firewalls and VPN products, like this one from BlueNinja.
remote command injections on Zyxel firewalls and VPN products, like this one from BlueNinja.

If you can’t update to the latest patch, mitigation also includes disabling WAN access
If you can’t update to the latest patch, mitigation also includes disabling WAN access

to the admin web interface.
to the admin web interface.

A brand new attack surface has been found in iOS’s Find My service, which could allow
A brand new attack surface has been found in iOS’s Find My service, which could allow

an attacker to mess with firmware and load malware onto an iPhone’s Bluetooth chipset…
an attacker to mess with firmware and load malware onto an iPhone’s Bluetooth chipset…

while the iPhone is set to OFF.
while the iPhone is set to OFF.

Yes, you heard that right.
Yes, you heard that right.

Bluetooth and other communications chipsets like NFC and UWB or ultrawideband still operate
Bluetooth and other communications chipsets like NFC and UWB or ultrawideband still operate

when the phone is turned off, in a mode called Low Power Mode, which preserves power but
when the phone is turned off, in a mode called Low Power Mode, which preserves power but

still lets things like Find My and Express Card transactions work.
still lets things like Find My and Express Card transactions work.

The drawback is these chips also have access to a secure element or SE, since, according
The drawback is these chips also have access to a secure element or SE, since, according

to researchers with the Secure Mobile Networking Lab at the Technical University of Darmstadt,
to researchers with the Secure Mobile Networking Lab at the Technical University of Darmstadt,

the Bluetooth and UWB chips are hardwired right into the SE on the NFC chip.
the Bluetooth and UWB chips are hardwired right into the SE on the NFC chip.

As such, wireless protocols aren’t shut down completely when your phone is turned
As such, wireless protocols aren’t shut down completely when your phone is turned

off and could be used as an attack surface.
off and could be used as an attack surface.

Devices that are affected include the iPhone 11, 12, and 13, all of which have UWB support.
Devices that are affected include the iPhone 11, 12, and 13, all of which have UWB support.

Bluetooth firmware isn’t signed or encrypted and this issue could be used to infect the
Bluetooth firmware isn’t signed or encrypted and this issue could be used to infect the

chip with malware if an attacker had elevated access.
chip with malware if an attacker had elevated access.

They’d have to be able to access the OS and modify the firmware or do code execution
They’d have to be able to access the OS and modify the firmware or do code execution

over the air.
over the air.

The researchers who discovered this novel issue will present it at WiSec 2022.
The researchers who discovered this novel issue will present it at WiSec 2022.

While the problem has been disclosed to Apple, Apple didn’t respond with any remediation
While the problem has been disclosed to Apple, Apple didn’t respond with any remediation

or mitigation techniques.
or mitigation techniques.

Software or firmware updates wouldn’t fix it since this is a hardware issue.
Software or firmware updates wouldn’t fix it since this is a hardware issue.

Big shoutout to my Hush Puppy perk level patrons for sharing their fur baby or feather baby
Big shoutout to my Hush Puppy perk level patrons for sharing their fur baby or feather baby

photos and for the support.
photos and for the support.

THANK YOU to KnowOneSpecial and Wayward Viking for joining the alliance on Patreon.com/threatwire.
THANK YOU to KnowOneSpecial and Wayward Viking for joining the alliance on Patreon.com/threatwire.

Y’all helped us hit 810 Patreon Alliance members all of whom get access to a fourth
Y’all helped us hit 810 Patreon Alliance members all of whom get access to a fourth

story, check that out if you’re interested.
story, check that out if you’re interested.

Let’s finish out today’s episode with my last top story, about a major Satellite
Let’s finish out today’s episode with my last top story, about a major Satellite

hack that happened a few months ago and was mentioned previously on an episode of threatwire.
hack that happened a few months ago and was mentioned previously on an episode of threatwire.

The Five Eyes countries have formally blamed Russia for being behind a cyberattack on a
The Five Eyes countries have formally blamed Russia for being behind a cyberattack on a

satellite communications provider directly before the military invasion of Ukraine.
satellite communications provider directly before the military invasion of Ukraine.

The attack happened on February 24, one hour before the invasion occurred, and it took
The attack happened on February 24, one hour before the invasion occurred, and it took

down operations of the KA-SAT satellite network which is operating by Viasat.
down operations of the KA-SAT satellite network which is operating by Viasat.

This not only affected Ukraine, but also several European countries by affecting wind farms
This not only affected Ukraine, but also several European countries by affecting wind farms

and internet operations.
and internet operations.

There were communications outages for several countries, not only for users but for public
There were communications outages for several countries, not only for users but for public

authorities and businesses.
authorities and businesses.

Viasat ended up sending out 30,000 modems to customers in order to get them back online
Viasat ended up sending out 30,000 modems to customers in order to get them back online

after their modems were hit.
after their modems were hit.

The countries who formally blamed Russia include Australia, Canada, New Zealand, the UK and
The countries who formally blamed Russia include Australia, Canada, New Zealand, the UK and

the US plus Ukraine and the EU.
the US plus Ukraine and the EU.

According to SentinelOne, the attackers used AcidRain data wiping malware with the intention
According to SentinelOne, the attackers used AcidRain data wiping malware with the intention

of infecting modems with the wiper plus a botnet called VPNFilter, which has been attributed
of infecting modems with the wiper plus a botnet called VPNFilter, which has been attributed

to the Russian cyber group Sandworm.
to the Russian cyber group Sandworm.

Want to see more tech videos from me?
Want to see more tech videos from me?

Check out my youtube channel - youtube.com/ShannonMorse for everything from tech reviews to security
Check out my youtube channel - youtube.com/ShannonMorse for everything from tech reviews to security

tutorials..
tutorials..

And with that, don't forget to like and subscribe to Hak5!
And with that, don't forget to like and subscribe to Hak5!

I'm Shannon Morse, I'll see you on the Internet!
I'm Shannon Morse, I'll see you on the Internet!