AVAR, China and insecure Wi-Fi networks

Hello from Tianjin in China, and the AVAR 2005 conference. We’re 150km from Peking, near the Bohai sea. This year’s conference is the eighth annual event for virus analysts from the Asian region, and it’s one of the highlights of an antivirus researcher’s calendar, together with VB, CARO and EICAR.

This year attendance is good, with leading virus analysts along with IT industry people and government officials. For instance, speakers include Dmitry Gryaznov and Igor Muttik from McAfee, Vesselin Bontchev from Frisk and Eugene from…well, we know where he’s from.

There are also speakers from the Chinese Ministry of the Interior, which has done a lot in the past few years to combat cyber crime.

Eugene’s presentation was greeted enthusiastically and there were lots of questions. While he was speaking, I started doing a bit of research. I wanted to check out the wireless Internet connections, as well as mobile devices.

I found 3 Wi-Fi networks straight away. None of them encrypted traffic, but all of them had built-in DHCP servers. In short, all 3 were potentially vulnerable to war drivers. By the way, tomorrow I’m going to scan other Wi-Fi networks in Tianjin and Peking.

Next I took a Bluetooth transmitter with a 100-metre range and walked around the conference hall scanning for Bluetooth devices in ‘visible to all’ mode. I found plenty.

Overall, I found 9 mobile devices with Bluetooth ‘visible to all’ mode enabled, 8 of them Nokia smartphones. Yes, I know. You’d think that people attending an antivirus conference would know better. In fact, I had been hoping that I wouldn’t find any at all.

The good news is that none of the phones were infected with Cabir. At least, not yet…
