TechKnow

Topic: Recent attacks using ARM modifying BIOS by Cyberwind


Offline cyberwind

  • Site Donor
  • Newbie
  • *
  • Posts: 25
  • Karma: +12/-0
  • Uber-Noobie
  • Tablet / Size / Model: homemade/7/galaxy5
Recent attacks using ARM modifying BIOS by Cyberwind
« on: July 14, 2015, 04:01:44 PM »
I have recorded so many recent attacks using ARM technology and chipsets that are modifying BIOS firmware on Windows using known backdoors with the password "Password01". Intel incorporates the chipset to allow management of networks using Microsoft System Management software in the BIOS, using the chipset software and password. I have been programming and playing with chips for many years, so backdoors and default passwords are the way we started out.

I found one of the sites the firmware had come from in a PCAP: http://devid.info/. I believe an exe to allow updates from the site was embedded in an attack.
Such as the example here. I am running 4 Sourcefires and other IDS detection devices. On my work PC I have attached a Raspberry Pi 3, cell phone and credit card machine as a trap. I have attached the screenshot of the BIOS update. Nice place to put a backdoor: c:\windows\assembly\gac_32\VJSharpcodeProvider

Thanks for allowing me to join.
« Last Edit: July 15, 2015, 09:03:09 AM by HardcoreHacker »

Offline cyberwind
Re: Intel
« Reply #1 on: July 14, 2015, 04:12:43 PM »
I also found traces of GodMode commands in the pcaps. I am software, not hardware, so I am stuck on how to troubleshoot. Thanks

Offline HcH

  • TechKnow Owner, Ethical Hacker
  • Administrator
  • Uber Member
  • *****
  • Posts: 9946
  • Karma: +2285/-111
Re: Intel
« Reply #2 on: July 15, 2015, 08:59:15 AM »
Hello Cyberwind,

This is most interesting. I guess it's plausible that default passwords are used for such an attack, and considering the low level, it's hard to detect these malicious activities.

That is an interesting trap setup you have there! :android-ninja: :cool-android:

I'm very interested in investigating the link between the communication and devid.info. Can you send me the PCAP?

Thanks for this interesting post.

HcH

Offline cyberwind
Re: Recent attacks using ARM modifying BIOS by Cyberwind
« Reply #3 on: August 08, 2015, 04:29:11 AM »
Sorry, I have been so busy I have not logged in. I will be more than happy to send you the pcap. I also have an attack from a French server.
It is part of the Darknet/Darkweb buzzwords.

Offline HcH
Re: Recent attacks using ARM modifying BIOS by Cyberwind
« Reply #4 on: August 08, 2015, 02:07:34 PM »
Interesting stuff! Just post whenever you're ready.

Cheers,

HcH