Whiffy malware stinks after tracking location via Wi-FI

ALSO: Euro chip maker breached, crims plan to undermine cyber insurance, and this week's critical vulnerabilities

Infosec in Brief No one likes malware, but malicious code that tracks your location is particularly unlovable.

Case in point, a new piece of nasty code dubbed "Whiffy Recon" by researchers from Secureworks. First spotted being deployed by the venerable Smoke Loader botnet earlier this month, Secureworks said the malware uses scans of Wi-Fi access points within range of infected machines to geolocate them. 

It's troubling enough that there's malware out there geolocating victims using Wi-Fi data, but Secureworks researchers said they have no idea what, precisely, the malware's operators are doing with that data. 

"Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands," the researchers said, and noted that the malware appears set up for further development – suggesting these initial deployments could lead to future nefarious activities.

Whiffy is only targeting Windows machines so far, and upon infection immediately checks for the Wireless AutoConfig Service (WLANSVC) that Windows uses to discover and connect to Wi-Fi networks. Once Whiffy knows WLANSVC is present (it doesn't check to see if it's operational) it checks for a file named str-12.bin in the wlan subfolder of the APPDATA folder.

If the file isn't present on the system, Whiffy connects to its command and control server, transmits a random UUID for the infected machine and begins the second step of its infection: Wi-Fi scanning, which it does every 60 seconds.

The scan data is mapped to a JSON structure that's transmitted to the Google Geolocation API, which estimates latitude and longitude based on cell towers and Wi-Fi signals in range of a client. Along with the location, Whiffy also identifies what encryption methods Wi-Fi networks are using, potentially signaling that Whiffy's controllers may be looking to infect nearby networks or machines, too. 

Secureworks warned that organizations looking to limit the reach of the malware should use available controls to restrict access to indicators of compromise such as Whiffy's C2 server IP address, and the URL used to drop the malware. Secureworks's documentation lists those items, and more.

Kroll kracked by SIM swapping attack

Security risk managers at financial advisory and intelligence outfit Kroll got an unpleasant surprise after someone managed to convince T-Mobile to hand over control of a staff member's smartphone.

"On Saturday, August 19, 2023, a cyber threat actor targeted a T-Mobile US account belonging to a Kroll employee in a highly sophisticated 'SIM swapping' attack," the company said in a statement issued last Friday.

"T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at their request. As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis."

The accounts are now locked down, Kroll said, with local and federal police on the case. The good news is that if your details were affected in the attack the biz says you will already have been notified. The bad news is the baddies still have your data.

Critical vulnerabilities: A bad week for ICS

The Reg's security squad could not find too many vulnerabilities to report that we haven't already covered elsewhere this week, but a few rather severe flaws in industrial control systems stand out.

  • CVSS 9.8 – Multiple CVEs: Multiple versions of Rockwell Automation's ThinManager ThinServer are improperly validating input, leaving devices vulnerable to an attacker.
  • CVSS 9.6 – Multiple CVEs: A whole slew of vulnerabilities in Hitachi Energy's AFF660 and 665 industrial firewalls leave them vulnerable to availability, integrity and confidentiality compromise.
  • CVSS 9.6 – CVE-2023-3663: CODESYS's CODESYS Development System is insufficiently verifying data authenticity, leaving it open to MITM attacks that execute arbitrary code.
  • CVSS 8.6 – CVE-2022-1737: A large number of Rockwell Automation I/O modules are vulnerable to an out-of-bounds write attack that could cause denial of service

CISA also added three more vulnerabilities to its catalog of known exploited vulnerabilities, so best get patching if any of them may affect your systems.

  • CVSS 9.8 – CVE-2023-26359: Adobe Coldfusion has a nasty deserialization of untrusted data vulnerability (not this one) that it patched in March, yet is still being abused. 
  • CVSS 7.5 – CVE-2023-27532: Veeam backup and replication software contains a bug that allows encrypted credentials to be retrieved from a configuration database. It was also patched in March, but is under active exploit.  

European chip maker admits to data breach

NXP, one of Europe's largest semiconductor manufacturers, has admitted that it experienced a breach in July and is starting to share details of the impact with victims. 

A spokesperson told The Register that the breach impacted NXP's online portal, and involved the spilling of data including name, email address, physical address, phone numbers, employer, job description and communication preferences. 

"Other than [those] pieces of information … no other personal data was impacted," NXP told us.

No information was provided as to the nature of the breach, nor how many customers were affected, and NXP didn't answer specific questions to that end. The firm said it has no reason to believe the data has been misused, but is urging customers to take action regardless. 

"We take the security of personal information very seriously, and we continually monitor and strengthen our IT systems to protect against ever-evolving threats," the manufacturer told us. 

Ransomware gang wants to prove its work is uninsurable

Ransomware actors don't like cyber insurance, because if their target has a policy it can cover the cost of remediation, therefore reducing the incentive to pay a ransom.

One gang has a way around that problem: sharing secrets of its attack techniques to show why its victims aren't eligible for an insurance payout. 

The Snatch ransomware gang made the threat recently in a post shared on X/Twitter by cybersecurity analyst Brett Callow. While Callow blurred the name of the victim, Snatch argued in its post that the victim's bad behavior should mean the Snatch attack against it is uninsurable.  

"The simple carelessness of the company's employees and the greed of the company's management, which spared money for adequate equipment and high professional specialists," the gang said, means "the hack attack on the company and breaches are not an insured event."

"Today we start [to] publish such information on almost all companies mentioned in our blog," Snatch threatened. "The era of making money on insurance is OVER." 

Snatch said that it will gladly talk to insurance agents, and will hand them a full network dump with evidence that cases are uninsurable. That's quite an escalation in the ransomware war – especially if other groups follow suit. ®

More about


Send us news

Other stories you might like