‘Twas the night before Christmas, and fresh off the LAN The packets were coming fast out of the span. My wireshark was up with my templates in place, In hopes that I’d find an IP I could trace. The smart home was snug in its /28 With a meager allow-list, and a lock on the gate. With a few hours to setup and wrap this year’s catches I’d been charging them up, and applying their patches, When down in the VLAN there’d been such a spike I’d opened the logs to see what it looked like. Away to the dashboard I stumbled and flew; Most days I’m on Red, but tonight, I was Blue. The DST in the headers was a weird bogon range. “Two oh three... zero? You can’t route there... how strange.” When what, to my wondering eyes, should come back But a TCP handshake -- not a RST, but an ACK! A cool sweaty IR-like calm to me came, As the nightmares and malwares, I ruled out by name: “The SPIDERs and PANDAs don’t care about me, It’s not running Windows, so it’s not IcedID… Not Trickbot, not Ryuk, not Buer or Clop, Not Scarab or Locky, no second-stage drop.” A session had opened on port 443, And a download began - not one started by me. I looked back to ensure that the capture was on, And stood by to cut comms once the vandal was gone. But the session closed up just as fast as it came And the download just sat there - “GIFT.BIN” was its name. I’d retrieved a live sample! And without any warning, Had got something fun to unwrap Christmas morning. I checked on the rulesets, configs, and permissions, And rebooted each box for the sake of tradition. I waited for more but there wasn’t a peep, So I finished my wrapping and popped off to sleep. And after the coffee and presents and nog, The matching pajamas, the pickle, the grog, Video calls with our family and friends, Things had settled, so I went to tie up the loose ends. I ran strings right away and my jaw opened wide, For there, unencrypted, a message I spied: “2020’s been awful, with so much that you’ve missed Just to keep others healthy - so you made the Good List! And like all of your friends, I have had to stay distant, But your record’s been stellar, so the elves were insistent. You already have surplus gadgets that light up So I got you this PoC, and a CVE writeup. The binary is an iPhone zero-day, And I’ve left enough out that you’ll have room to play. And once you’ve dissected and filled in the blanks, And disclosed it responsibly, you can cash in my thanks! Thanks for staying inside this year, hunkering down, Thanks for wearing your mask, though you felt like a clown, Thanks for not hoarding groceries, and for learning to cook, Or for trying a language, or reading a book. And following rules from your state and your county. Now warm up your debugger, and cash in that bounty!” This poem was written by J.R Parsons for AT&T Cybersecurity. You can read more of their blogs here
