We Couldn't Kick the Unauthorized Devices off the Network.
We see a lot of bizarre things in small business and residential cybersecurity incidents. But this one was interesting.
Here are the strange symptoms we first noticed, before it got stranger:
Multiple unknown devices connected to the customer's iPhone via Bluetooth
Multiple unknown devices connected to her WiFi network
The Devices are Not Named and their MAC Addresses do Not Resolve to any Manufacturer.
Notice that their names are the same as their MAC addresses. A router falls back to showing the MAC when the device never sent a hostname, either because it was never named or because its privacy settings keep it from announcing one.
A MAC address lookup should at least resolve to a hardware manufacturer. One caveat before treating that as proof of a rogue device: phones and laptops on iOS 14 and Android 10 or later use a randomized "private" address per network by default, and those addresses carry the locally administered bit and never resolve to a vendor.
They Have Persistent Access and Survived the Password Change.
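As an added example (not code from the original post), this is the triage a practitioner would run over a router's client list before deciding which unresolved MAC addresses deserve attention: it decodes the multicast and locally administered flag bits of the first octet, tries an OUI lookup, and notes whether the device sent a hostname. The OUI table and the client rows are constructed for the example; a real lookup uses the full IEEE registry, which Wireshark ships as its manuf file.

```python
import re

# Constructed, deliberately tiny OUI table for this example. Verify entries
# against the IEEE registry before relying on them.
OUI_TABLE = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:0C:29": "VMware",
    "00:1C:62": "LG Electronics",
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabbccddeeff; return upper-case colon form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def _is_mac_like(name: str) -> bool:
    """True when a router 'device name' is really just the MAC address again."""
    return re.fullmatch(r"([0-9A-Fa-f]{2}[:.-]?){6}", name.strip()) is not None


def classify_mac(mac: str, oui_table: dict = OUI_TABLE) -> dict:
    """Decode the two flag bits of the first octet and attempt an OUI lookup.

    Bit 0 (I/G): set means multicast, never a real client address.
    Bit 1 (U/L): set means locally administered, i.e. a randomized private
    address (iOS 14+, Android 10+ assign one per network). The IEEE registry
    cannot resolve it, which by itself is not evidence of anything.
    """
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    multicast = bool(first_octet & 0x01)
    local = bool(first_octet & 0x02)
    vendor = oui_table.get(norm[:8])
    if multicast:
        kind = "multicast; not a client, probably a router UI artifact"
    elif local:
        kind = "randomized private address; vendor lookup impossible"
    elif vendor:
        kind = f"globally unique; vendor {vendor}"
    else:
        kind = "globally unique; OUI not in table, check the IEEE registry"
    return {"mac": norm, "multicast": multicast,
            "locally_administered": local, "vendor": vendor, "kind": kind}


def triage_client_list(rows: list) -> list:
    """rows are (display_name, mac) pairs as a router client page shows them."""
    out = []
    for name, mac in rows:
        info = classify_mac(mac)
        info["name"] = name
        info["sent_hostname"] = not _is_mac_like(name)
        if info["multicast"]:
            verdict = "ignore"
        elif info["locally_administered"]:
            verdict = "randomized address; confirm from the device's own WiFi settings"
        elif info["vendor"]:
            verdict = f"known hardware ({info['vendor']})"
        elif info["sent_hostname"]:
            verdict = "unknown OUI but has a hostname; check the IEEE registry"
        else:
            verdict = "unknown hardware and no hostname; investigate"
        info["verdict"] = verdict
        out.append(info)
    return out


# Constructed client rows, shaped like the ones in the post: names equal to MACs.
SAMPLE_ROWS = [
    ("B8:27:EB:12:34:56", "b8:27:eb:12:34:56"),
    ("Kitchen-iPad", "da:a1:19:01:02:03"),
    ("7E:11:22:33:44:55", "7e:11:22:33:44:55"),
    ("00:11:22:33:44:55", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for entry in triage_client_list(SAMPLE_ROWS):
        print(f"{entry['name']:20} {entry['mac']}  {entry['verdict']}")
```

The last row is the one worth a second look: a globally unique OUI that resolves to nothing and no hostname. The third row looks identical in the router UI, but its first octet (0x7E) has the locally administered bit set, so it is most likely a phone or laptop using a private address.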
OK, so change the router password, kick the devices off, and disconnect them from the iPhone's Bluetooth. Stop sharing your WiFi with the neighbors.
Problem solved, right? Not so much. It gets stranger:
Shortly after the password change, the strange unauthorized devices appeared on the WiFi network again.
New, unknown, suspicious devices connected regularly. They came and went as they pleased.
The ISP-provided WiFi admin app has an option to kick devices off the network. That failed too.
This is really strange. After all, the router was brand new, so it's unlikely its integrity had been compromised. It's also unclear how long the devices had been connected to the WiFi network; we discovered them in the router admin console during the initial investigation.
Important to note: at this point we had already imaged her devices, performed forensic analysis, and cleared them of any signs of compromise or malware.
While the Bluetooth connection is concerning, Bluesnarfing is still a very difficult attack to carry out against relatively new, updated iOS and macOS devices.
So we ran Wireshark over a wired connection to the router.
We set the customer up with a burner laptop with Wireshark installed and instructed her to start a capture (click the blue shark fin) whenever she saw the strange devices on her router. This recorded the traffic for later analysis, and our digital forensics analyst then went through the packet captures (PCAPs). One thing to keep in mind with this setup: on a switched network a wired capture only sees traffic addressed to the capturing machine plus broadcast and multicast, so what you mostly get from the other devices is their discovery chatter (SSDP, mDNS, ARP). That turned out to be enough here.
Sure Enough We found the Compromise: Linux/i686
This part gets a bit technical. Skip the next few paragraphs if you want.
When examining this PCAP, there are a few areas that likely indicate suspicious activity. The first is the string "Xmdx remote login requested by whitcher." Breaking this down, there is a high likelihood that a remote application, user, or service is requesting remote access. With no knowledge of this process or username, this indicates suspicious behavior.
Additionally, when examining the PCAP further, the device generating the traffic identified itself as Linux/i686 UPnP/1,0 DLNADOC/1.50 LGE WebOS TV/Version 0.9. Strings of that form (OS/version, UPnP version, product/version) are the SERVER header a UPnP device puts in its SSDP announcements, which is why a passive capture sees them at all.
Research revealed that devices of this vintage are susceptible to a vulnerability formally identified as CVE-2020-12695, also known as CallStranger. According to the cyber security firm Sentinel One, "CallStranger allows attackers to bypass DLP [Data Loss Prevention] and network security devices to exfiltrate data, and even scan internal network ports, those that are not otherwise exposed to the internet." That description is aimed at circumventing controls in enterprise environments, and CallStranger by itself does not hand an attacker control of the TV; what it does is let anyone who can reach the TV's UPnP service make it send traffic to a destination of their choosing. What the finding tells us here is that the TV is running old, unpatched firmware with a network-facing UPnP stack, which is exactly the kind of device botnet operators look for: an old LG smart TV.
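As an added example (not code from the original post or from any named vendor), the following shows the two steps behind the finding above: extracting the SERVER and LOCATION headers from an SSDP announcement like the one the capture contained, and the CallStranger (CVE-2020-12695) check, which is a GENA SUBSCRIBE whose CALLBACK points off-network; a device that answers 200 with a SID will send NOTIFY traffic to that host. The NOTIFY packet, the LAN address and port, the event path, and the two responses are constructed for the example; only the SERVER string is taken from the post. The live probe function uses a raw socket and is not run here.

```python
import ipaddress
import re
import socket

SSDP_GROUP = ("239.255.255.250", 1900)

# Constructed SSDP NOTIFY. The SERVER value is the string from the capture;
# the LAN address, port and UUID are made up for the example.
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.23:1234/description.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: Linux/i686 UPnP/1,0 DLNADOC/1.50 LGE WebOS TV/Version 0.9\r\n"
    b"USN: uuid:12345678-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

# Constructed responses: what a vulnerable stack and a patched one answer
# to a SUBSCRIBE with an off-network CALLBACK.
VULNERABLE_RESPONSE = b"HTTP/1.1 200 OK\r\nSID: uuid:abc\r\nTIMEOUT: Second-300\r\n\r\n"
PATCHED_RESPONSE = b"HTTP/1.1 412 Precondition Failed\r\n\r\n"


def parse_http_like(raw: bytes) -> tuple:
    """Split an SSDP/HTTP message into its start line and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def ssdp_identity(raw: bytes) -> dict:
    """What a passive capture tells you about a UPnP device without touching it."""
    start, h = parse_http_like(raw)
    return {"message": start.split(" ")[0], "server": h.get("server", ""),
            "location": h.get("location", ""), "usn": h.get("usn", "")}


def build_msearch(st: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """Active discovery: multicast this to 239.255.255.250:1900 and read the unicast replies."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def build_subscribe(event_path: str, host: str, port: int, callback_url: str) -> bytes:
    """The CallStranger probe: a GENA SUBSCRIBE whose CALLBACK is attacker-chosen."""
    return (f"SUBSCRIBE {event_path} HTTP/1.1\r\n"
            f"HOST: {host}:{port}\r\n"
            f"CALLBACK: <{callback_url}>\r\n"
            "NT: upnp:event\r\n"
            "TIMEOUT: Second-300\r\n\r\n").encode()


def callback_accepted(response: bytes) -> bool:
    """200 plus a SID means the device took the subscription and will NOTIFY the callback host."""
    start, h = parse_http_like(response)
    return start.startswith("HTTP/1.1 200") and "sid" in h


def callback_is_off_network(callback_url: str, device_ip: str, prefix_len: int = 24) -> bool:
    """The check a patched UPnP stack makes before accepting a CALLBACK."""
    m = re.match(r"https?://([^/:]+)", callback_url)
    if not m:
        return True
    try:
        host = ipaddress.ip_address(m.group(1))
    except ValueError:  # a hostname rather than a literal address: treat as off-network
        return True
    return host not in ipaddress.ip_network(f"{device_ip}/{prefix_len}", strict=False)


def probe_callstranger(host: str, port: int, event_path: str, callback_url: str,
                       timeout: float = 3.0) -> bool:
    """Live check against a device you are authorized to test; not called by this example."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_subscribe(event_path, host, port, callback_url))
        return callback_accepted(s.recv(4096))


if __name__ == "__main__":
    print(ssdp_identity(SAMPLE_NOTIFY))
    print(build_subscribe("/upnp/event", "192.168.1.23", 1234, "http://203.0.113.5:8080/").decode())
    print("vulnerable:", callback_accepted(VULNERABLE_RESPONSE), "patched:", callback_accepted(PATCHED_RESPONSE))
```

The event path for a real device comes from the service list in the description document at the LOCATION URL; the example hard-codes one because it never fetches that document.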
But It wasn’t directly connected to the internet, so how was it discovered and exploited?
Given how little a smart TV is worth as a target, the lack of enterprise-grade controls and logging on the TV that would yield useful evidence, and the lack of evidence of further compromise of devices on the network, it is very likely this TV was compromised for use as a hop point and/or botnet node, not as a direct threat to the customer, so further investigation and attribution was not a good use of resources. What follows is therefore an educated guess.
*A botnet is a network of compromised devices under one operator's control, most visibly used to direct large amounts of internet traffic at other networks to take them offline (a Distributed Denial of Service, or DDoS, attack).
*A hop point is a compromised device that cyber criminals route traffic through to hide their own IP addresses.
The UPnP Router Vector?
As we mentioned, the customer had just switched ISPs and ISP-provided routers. ISP routers often ship with Universal Plug and Play (UPnP) enabled. UPnP lets apps and devices find each other and open and close ports automatically, and its Internet Gateway Device profile lets a device on the LAN ask the router to open a port so that hosts outside the network can reach it. So it's possible the TV was directly reachable from the internet and threat actors found it in a scan, or that they scanned for routers with UPnP and known default credentials (which would let them reach internal devices), or for routers with known default admin credentials and remote administration enabled, which is often the case on ISP routers.
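The practitioner's check for the first possibility above is to walk the router's UPnP port-mapping table, which any LAN host can read without credentials via the GetGenericPortMappingEntry action; a mapping with an empty NewRemoteHost means any internet host can reach the listed internal client. This added example (not from the original post) builds that SOAP request and parses the responses. The control path, router address, and the mapping pointing at an assumed TV address are constructed; a real control URL comes from the router's description document, found via the LOCATION header of its SSDP announcement. The live fetch helper uses http.client and is not run here.

```python
import http.client
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAPPING_FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol",
                  "NewInternalPort", "NewInternalClient", "NewEnabled",
                  "NewPortMappingDescription", "NewLeaseDuration")


def soap_body(index: int) -> bytes:
    """GetGenericPortMappingEntry walks the mapping table by index until a fault."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_ENV}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def build_get_mapping_request(control_path: str, host: str, port: int, index: int) -> bytes:
    """The full HTTP request, for sending over a raw socket or comparing with a capture."""
    body = soap_body(index)
    head = (
        f"POST {control_path} HTTP/1.1\r\n"
        f"HOST: {host}:{port}\r\n"
        f'SOAPACTION: "{WANIP}#GetGenericPortMappingEntry"\r\n'
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


def parse_mapping_response(xml_body: bytes):
    """Returns the mapping fields, or None on the SOAP fault (error 713) that ends the table."""
    root = ET.fromstring(xml_body)
    if root.find(f".//{{{SOAP_ENV}}}Fault") is not None:
        return None
    entry = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag in MAPPING_FIELDS:
            entry[tag] = (el.text or "").strip()
    return entry


def walk_table(fetch, limit: int = 256) -> list:
    """fetch(index) returns the raw SOAP response body for that index."""
    entries = []
    for i in range(limit):
        entry = parse_mapping_response(fetch(i))
        if entry is None:
            break
        entries.append(entry)
    return entries


def exposed_mappings(entries: list) -> list:
    """Enabled mappings reachable from any internet host (empty NewRemoteHost is the wildcard)."""
    return [e for e in entries if e.get("NewEnabled") == "1" and not e.get("NewRemoteHost")]


def live_fetch(host: str, port: int, control_path: str, timeout: float = 3.0):
    """Builds a fetch(index) for walk_table against a real gateway; not called by this example."""
    def fetch(index: int) -> bytes:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", control_path, body=soap_body(index), headers={
            "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"',
            "Content-Type": 'text/xml; charset="utf-8"'})
        return conn.getresponse().read()
    return fetch


# Constructed responses: one mapping to an assumed TV address, then the end-of-table fault.
SAMPLE_ENTRY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>1234</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>1234</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>LGE WebOS TV</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_END = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    table = walk_table(lambda i: [SAMPLE_ENTRY, SAMPLE_END][i])
    for m in exposed_mappings(table):
        print(f"internet:{m['NewExternalPort']}/{m['NewProtocol']} -> "
              f"{m['NewInternalClient']}:{m['NewInternalPort']}  ({m['NewPortMappingDescription']})")
```

A mapping like the constructed one, with a lease duration of 0 (permanent) and a wildcard remote host, is what a TV reachable from the internet looks like from inside the LAN; it is also the kind of entry a malware-controlled device can add for itself when the router leaves UPnP on.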
Application Layer Exploit?
Another possibility is that the compromise happened at the application layer: the smart TV connected to a malicious or compromised domain, or the user downloaded a trojanized app.
Moral of the Story
Given that the other devices (all iOS and macOS) were not compromised, it's likely the LG TV was part of a botnet; but given the number of devices that connected through it, the more likely use was as a hop point to hide the threat actors' IP addresses from the enterprise networks they were targeting.
The Bluetooth connections were likely because the iPhone was paired with the LG smart TV via Bluetooth, for use as a remote and the like.
Moral of the story: keep your IoT and smart devices up to date, remove or replace them when they go end of life and stop receiving updates, and put them on a network separate from the rest of your devices. Most routers make it easy to set up a separate guest or IoT WiFi network.