DEV Community: Sam Stepanyan

Detecting Adobe ColdFusion CVE-2023–26360, Atlassian Confluence CVE-2023–22515, and Citrix…

Sam Stepanyan — Sat, 18 Nov 2023 22:03:11 +0000

Detecting Adobe ColdFusion CVE-2023–26360, Atlassian Confluence CVE-2023–22515, and Citrix Netscaler CVE-2023–4966 with OWASP Nettacker(v0.3.2)

On October 31st, 2023, the OWASP Nettacker project team released version 0.3.2 with new modules to scan networks for critical vulnerabilities. The new modules include Adobe ColdFusion CVE-2023–26360, Atlassian Confluence CVE-2023–22515, and Citrix Netscaler CVE-2023–4966.

OWASP Nettackerr is an open-source software written in Python language that helps you perform tasks such as automated penetration testing and automated information gathering. It can run various scans using a variety of methods and generate scan reports (in HTML/TXT/JSON/CSV format) for applications and networks, including discovering open ports, services, bugs, vulnerabilities, misconfigurations, default credentials, subdomains, etc

OWASP Nettacker can be run as a command-line utility (including running as a Docker container), API, Web GUI mode, or as Maltego transforms . It is written in 100% Python and does not rely on launching any external tools .

The new Nettacker modules added in version 0.3.2 are designed to scan networks for the following critical vulnerabilities:

Adobe ColdFusion CVE-2023–26360 is a deserialization of untrusted data vulnerability that could result in arbitrary code execution in the context of the current user .

Atlassian Confluence CVE-2023–22515 is a privilege escalation vulnerability in Confluence Data Center and Server products.

Citrix Netscaler CVE-2023–4966 (aka “CitrixBleed”) is a critical buffer overflow vulnerability that allows for sensitive information disclosure (e.g. session cookies) when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

OWASP Nettacker can also help you find instances of critically vulnerable MOVEit Transfer and Citrix CVE-2023–24488 in your network .

MOVEit Transfer, a widely-used file transfer software, has been affected by multiple critical vulnerabilities in 20231 2 3. These vulnerabilities have led to significant security breaches, affecting numerous organisations and individuals.

MOVEit TRansfer vulnerabilities were exploited by multiple threat actors to gain unauthorized access to MOVEit servers, upload web shells, exfiltrate data, and initiate intrusion lifecycles8. High-profile government, finance, media, aviation, and healthcare organisations were reportedly affected

The fallout from these vulnerabilities has been significant, with the costs tied to the MOVEit file transfer hack continuing to climb. The situation has led to multiple lawsuits against Progress Software, the owner of MOVEit, claiming that poor security led to the vulnerabilities.

It’s important to note that the full scale of the MOVEit attack is still unknown, and more victims may come forward in the future. This series of incidents underscores the importance of robust cybersecurity measures and timely patching of software vulnerabilities.

Example — scanning for MOVEit Transfer vulnerable versions with Nettacker:

python3 nettacker.py -l target_list.txt -m moveit_version_scan

Detecting MS Exchange CVE-2021–26855 vulnerability using OWASP Nettacker

Sam Stepanyan — Wed, 17 Mar 2021 02:17:59 +0000

Detecting Microsoft Exchange CVE-2021–26855 vulnerability using OWASP Nettacker

The whole month of March 2021 has been a crazy one in the world of cybersecurity.

Four zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited by a state-sponsored threat group from China code-named HAFNIUM and these vulnerabilities appear to have been adopted by other cyberattackers in widespread attacks.

According to Microsoft there are currently about 82,000 MS Exchange servers still vulnerable.

The are are 4 vulnerabilities used by these cyberattacks:

CVE-2021–26855 : CVSS 9.1: a Server Side Request Forgery (SSRF) vulnerability leading to crafted HTTP requests being sent by unauthenticated attackers. Servers need to be able to accept untrusted connections over port 443 for the bug to be triggered.
CVE-2021–26857 : CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code deployment under SYSTEM. However, this vulnerability needs to be combined with another or stolen credentials must be used.
CVE-2021–26858 : CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.
CVE-2021–27065 : CVSS 7.8: a post-authentication arbitrary file write vulnerability to write to paths.

If used in an attack chain , all of these vulnerabilities can lead to Remote Code Execution (RCE), server hijacking, backdoors, data theft, and further malware deployment. However it is the first vulnerability in the attack chain:

CVE-2021–26855 which opens doors to all other vulnerabilities — it is the most important one to detect the presence of.

Please Note that Patcheshave been released by Microsoft and a o *ne-click mitigation tool is available * .

Unprotected MS Exchange servers need to urgently be updated before they’re discovered by cybercriminals. How do you know if you have any vulnerable MS Exchange Servers in your network?

In order to patch/apply mitigation to your vulnerable MS Exchange servers you need to be able to find them first! IT Asset inventory is a big problem in information security/cyber security nowadays as it is the devices/services/servers you don’t know about which pose the biggest risk!

OWASP Nettacker — a free and open-source tool from OWASP to the rescue! Since Wednesday 17th March 2021 it has been updated with a module which allows detection of vulnerable Exchange servers. You can launch this tool on your network IP ranges or domain name to discover the vulnerable servers.

DISCLAIMER: OWASP Nettacker is as an offensive security tool for assisting with recon/information gathering/vulnerability scanning/penetration testing tasks. Use it with caution only on networks and servers you own and have permission to scan

Please note that many cybersecurity vendors are currently offering to scan your network for this vulnerability only if you become their subscribers on commercial basis.

Please also note that Microsoft has released a free scanning tool implemented using Powershell here as well as an Nmap Script http-vuln-cve2021–26855.nse . However these tools have certain limitations and require certain skills. If you are not comfortable using these scripts OWASP Nettacker can help. Nettacker even has a docker version and a Web User Interface to help you to scan your network for vulnerabilities for free in the most user-friendly way.

OWASP Nettackerproject can help you address the task of scanning multiple servers for this vulnerability as well as the task of finding the vulnerable servers in your network.

What is OWASP Nettacker? OWASP Nettacker in a nutshell is a Swiss Army Knife for Reconnaissance & Vulnerability Scanning — it is a relatively new OWASP project written in Python consisting of multiple modules which can be used from the single command line (use one or a combination of modules) against a target or a list of targets to perform an information gathering scan or a vulnerability detection scan.

Downloading and running OWASP Nettacker using Python

I usually run OWASP Nettacker on my KALI Linux VM, but because OWASP Nettacker is written in Python it can be run on any Linux/Mac/Windows system — provided you have Python2 or Python3 installed. Nettacker currently supports Python version 2.7, 3.6, 3.7 and 3.8. Some functionality can be broken in Python 3.9 so it is not recommended yet. You can use a tool like pyenv to switch between different versions of Python

You can install OWASP Nettacker by doing a ‘git clone https://github.com/OWASP/Nettacker’ from GitHub and installing the Python dependencies using a single command like this:

git clone [https://github.com/OWASP/Nettacker.git](https://github.com/zdresearch/OWASP-Nettacker.git) && cd Nettacker && pip install -r requirements.txt

If you hit any issues please check the Installation section in the OWASP Nettacker Wiki here:

OWASP/Nettacker

Running a Nettacker Scan from the Command Line

Once OWASP Nettacker is installed change directory to Nettacker:

cd Nettacker

Now you can run the tool using Python specifying that you need the module msexchange_cve_2021_26855_vuln in -m command line switch and your target (IP/IP range/FQDN) in -i like this:

python nettacker.py -i <target> -m msexchange_cve_2021_26855_vuln

to scan a single IP address (xxx.xxx.xxx.xxx):

python nettacker.py -i xxx.xxx.xxx.xxx -m msexchange_cve_2021_26855_vuln

However if you don’t know how many Exchange servers you have and their precise IP addresses you can use OWASP Nettacker to scan a whole IP range (e.g. xxx.xxx.xxx.xxx/24):

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m msexchange_cve_2021_26855_vuln

If you don’t know the IP address ranges of your network but do know that Exchange servers have subdomains (e.g. owa.mycompany.com, exchange.mycompany.com, mail.mycompany.com etc) you can ask Nettacker to enumerate subdomains and test them for MS Exchange vulnerability like this (please note the -s command like switch which instructs Nettacker to discover the subdomains of the domain name listed in the -i ):

python nettacker.py -i mycompany.com -s -m msexchange_cve_2021_26855_vuln

If you have the list of IPs/FQDNs of your networks saved in a file called list.txt (one line per IP or FQDN) you can scan all the servers in your list using the -l command line switch:

python nettacker.py -l list.txt -m msexchange_cve_2021_26855_vuln

If you would like to save the OWASP Nettacker report in JSON format instead of the default HTML format you can specify the report output filename using the -o command line switch (-o report.json) for example

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m msexchange_cve_2021_26855_vuln -o report.json

OWASP Nettacker is also capable of reporting in CSV format which is very handy as it can be opened and processed with Microsoft Excel — simply specify the report output filename with a .csv extension using the -o command line switch ( -o report.csv ) for example

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m msexchange_cve_2021_26855_vuln -o report.csv

It is also possible to run Nettacker using Docker:

Running Nettacker Scan with Docker & WebUI

The easiest way to run Nettacker is with Docker. This way you will avoid installing multiple Python dependencies and resolving library/Python version incompatibilities.

Here is how to do it :

git clone [https://github.com/OWASP/Nettacker.git](https://github.com/zdresearch/OWASP-Nettacker.git) && cd Nettacker
docker-compose up

Wait for docker-compose to finish downloading & building the service.You will see a screen like this:

Grab the API key (copy it) and open your browser and navigate to https://127.0.0.1:5000 (accept security warnings)

You will see the OWASP Nettacker Web UI:

Paste the API Key (you have just copied) into the API Key box on the right and click the ‘Set Session’ button:

Now click on the New Scan button and in the Targets box type the target you want to scan (e.g. an IP range like 10.63.11.0/24) and tick the box for vulnerability msexchange_cve_2021_26855:

Now scroll down and click the Submit button:

Click the ‘Results’ button and wait for the results to appear on the list. You might need to click on the Last Update button several times until the results appears — it might take a few minutes depending on the number of servers Nettacker needs to scan. Click on the results and they will be shown in a table like this:

the image is redacted to protect the identity of not yet patched servers

That’s it! I hope you enjoyed using OWASP Nettacker!

I presented OWASP Nettacker at several conferences — you can find slides and videos on YouTube.

What to do if you’ve already been compromised

The United States Government Cybersecurity and Infrastructure Security Agency has created a victim response guide specifically for the Microsoft Exchange flaw CVE-2021–26855.

The guide, known as CISA Alert AA21–062A, explains how to conduct a forensic analysis to assist remediation efforts.

To respond more efficiently to this current Exchange threat and all future cyber threats, it’s important to have a clear and up-to-date Incident Response Plan (IRP).

To assist with the development of a highly-effective Incident Response Plan, refer to CISA Alert AA20–245A.

Follow me on Twitter: https://twitter.com/securestep9

OWASP, DevSecOps, AppSec & Cloud Security Podcasts

Sam Stepanyan — Mon, 27 Apr 2020 21:36:49 +0000

OWASP, DevSecOps, AppSec & Cloud Security Podcasts

I was recently asked which OWASP/DevSecOps/Application Security/Cloud Security-themed podcasts I listen to.

Here’s the list:

(please note that these podcasts are available on all/most podcasts platforms, in this list I only provide the Google Podcasts links):

Application Security Podcast (produced by Chris Romeo/ Security Journey): https://podcast.securityjourney.com/

OWASP Podcast (now known as DevSecOps Podcast Supported by OWASP — produced by Mark Miller — interview format): https://soundcloud.com/owasp-podcast

BeerSecOps — Podcast About Dev, Sec, Ops, and Everything in Between (run be Steve Giguere/AquaSec - Interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9mMzg2Njg0L3BvZGNhc3QvcnNz

DevSecOps Overflow (produced by Michael Man, interview format) : https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkcy5idXp6c3Byb3V0LmNvbS83MzMwNzAucnNz

Absolute AppSec(produced by Ken Johnson and Seth Law, chat with guests) https://podcasts.google.com/?feed=aHR0cHM6Ly9hYnNvbHV0ZWFwcHNlYy5jb20vcnNzLnhtbA

Cloud Security Podcast : https://podcasts.google.com/?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy8xMGZiOTkyOC9wb2RjYXN0L3Jzcw&ved=2ahUKEwiHte_Uu4npAhUShhoKHcTBCLYQ4aUDegQIARAC

The Secure Developer Podcast (produced by Heavybit, interview format): https://podcasts.google.com/?feed=aHR0cHM6Ly93d3cuaGVhdnliaXQuY29tL2NhdGVnb3J5L2xpYnJhcnkvcG9kY2FzdHMvdGhlLXNlY3VyZS1kZXZlbG9wZXIvZmVlZA&ved=0CB0Q27cFahcKEwi4kpi8uonpAhUAAAAAHQAAAAAQBw

DevSecOps Talk Podcast (Mattias Hemmingsson, Julien Bisconti and Andrey Devyatkin chat about latest stuff, and ideas): https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkLnBvZGJlYW4uY29tL2RldnNlY29wcy9mZWVkLnhtbA

Detecting Citrix CVE-2019–19781 with OWASP Nettacker

Sam Stepanyan — Sat, 11 Jan 2020 17:23:31 +0000

Citrix CVE-2019–19781 vulnerability is the current hot topic in Information Security circles this week, as exploits for this vulnerability are now publicly available and may allow unauthenticated attackers to obtain direct access to the company’s local network from the Internet. Citrix NetScaler ADC and Gateway products are vulnerable.

According to cybersecurity expert Kevin Beaumont (aka GossiTheDog on Twitter) who runs a network of Citrix ADC honeypots the active exploitation of CVE-2019–19781 started on January 8th, 2020:

https://twitter.com/GossiTheDog/status/1214892555306971138

According to various estimates 40,000–80,000 organisations worldwide might be affected and vulnerable! Which means that hackers might be able to sneak in to your corporate network through the devices which are supposed to be the gatekeepers into your network! Not good.

Citrix have released the mitigation, which is effectively a policy which detects and blocks the attempts to exploit the attack, however there is no proper patch released yet (as of 10th January 2020) which would fix the underlying problem in the software code.

I strongly advise all organisations with NetScaler/ADC to apply the Citrix mitigation immediately to avoid compromise — the steps to mitigate the vulnerability are documented in the following Citrix Support Article :

CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

However, in order to patch/apply mitigation to your vulnerable Citrix devices you need to be able to find them first ! IT Asset inventory is a big problem in information security/cyber security as it is the devices/services/servers you don’t know about which pose the biggest risk.

OWASP Nettacker project can help you address the task of scanning multiple devices for this vulnerability as well as the task of finding the vulnerable devices in your network.

What is OWASP Nettacker? OWASP Nettacker in a nutshell is a Swiss Army Knife for Reconnaissance & Vulnerability Scanning — it is a relatively new OWASP project written in Python consisting of multiple modules (63 at the time of writing) which can be used from the single command line (use one or a combination of modules) against a target or a list of targets to perform an information gathering scan or a vulnerability detection scan.

Last night I added a new vulnerability detection module to OWASP Nettacker: citrix_cve_2019_19781_vuln making it the 63rd tool in this framework.

I usually run OWASP Nettacker on my KALI Linux VM, but because OWASP Nettacker is written in Python it can be run on any Linux/Mac/Windows system— provided you have Python2 and Python3 installed.

You can install OWASP Nettacker by doing a ‘git clone https://github.com/zdresearch/OWASP-Nettacker’ from GitHub and installing the Python dependencies using a single command like this:

git clone https://github.com/zdresearch/OWASP-Nettacker.git && cd OWASP-Nettacker && pip install -r requirements.txt && python setup.py install

If you hit any issues please check the Installation section in the OWASP Nettacker Wiki here:

zdresearch/OWASP-Nettacker

Once OWASP Nettacker is installed change directory to OWASP-Nettacker:

cd OWASP-Nettacker

Now you can run the tool using Python specifying that you need the module citrix_cve_2019_19781_vuln in -m command line switch and your target (IP/IP range/FQDN) in -i like this:

python nettacker.py -i <target> -m citrix_cve_2019_19781_vuln

to scan a single IP address (xxx.xxx.xxx.xxx):

python nettacker.py -i xxx.xxx.xxx.xxx -m citrix_cve_2019_19781_vuln

However if you don’t know how many Citrix devices you have and their precise IP addresses you can use OWASP Nettacker to scan a whole IP range (e.g. xxx.xxx.xxx.xxx/24):

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m citrix_cve_2019_19781_vuln

If you don’t know the IP address ranges of your network but do know that Citrix devices have subdomains (e.g. remote.mycompany.com, vpn.mycompany.com, access.mycompany.com etc) you can ask Nettacker to enumerate subdomains and test them for Citrix vulnerability like this (please note the -s command like switch which instructs Nettacker to discover the subdomains of the domain name listed in the -i ):

python nettacker.py -i mycompany.com -s -m citrix_cve_2019_19781_vuln

If you have the list of IPs/FQDNs of your Citrix devices saved in a file called list.txt (one line per IP or FQDN) you can scan all the devices in your list using the -l command line switch:

python nettacker.py -l list.txt -m citrix_cve_2019_19781_vuln

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m citrix_cve_2019_19781_vuln -o report.json

...

Follow me on Twitter: https://twitter.com/securestep9

UK Monthly Salary & Tax

Sam Stepanyan — Wed, 06 Nov 2019 22:08:35 +0000

This post is not Cyber Security related. A lot of my friends (who do work in IT and InfoSec/CyberSecurity fields), live in different countries (and are thinking of moving to the UK before the Brexit hits) keep asking me about the levels of salaries and tax in the UK.

I have therefore compiled this little helper table to help them understand how the annual salary in the UK (in tax year 2019–2020) translates into the monthly amount they will get in the bank after tax deductions (this is also known as “take home monthly” pay):

Since I received many thanks from my friends, I think it will be useful for everyone, so publishing this in my blog.

Data source: listentotaxman.com

CyberSecurity/InfoSec/AppSec Meetups/Events in London

Sam Stepanyan — Wed, 13 Feb 2019 02:31:54 +0000

CyberSecurity/InfoSec/AppSec Conferences/Meetups/Events in London

Quite often I am being asked the question: which Cyber Security — themed meetups/events/conferences are happening in London and which ones are worth attending?

First of all as a Chapter Leader of OWASP London Chapter of course I need to mention our OWASP London Chapter Meetups (or “Chapter Meetings”) which have been running regularly in London since 2004!

The very first OWASP London Chapter Meeting took place on Tuesday 19th October 2004 at The George pub near Holborn tube (see http://lists.owasp.org/pipermail/owasp-london/2004-October/000032.html)

The first OWASP London meetup was organised and attended by:

Dinis Cruz (now the CISO of Photobox)
Daniel Cuthbert (now the Global Head of CyberSecurity Research at Santander Bank)
Dafydd Stuttard (now CEO of Portswigger/creator of Burp Scanner / Burp Suite)
Ivan Ristic (the person behind SSL Labs/Qualys/Let’s Encrypt, now at FeistyDuck/Hardenize)
Peter Wood (now CEO of FirstBase)
Gunter Ollman (now the CSO of Microsoft Cloud and AI Security Division, previously the CTO of IOActive)

Now in year 2019 the London chapter meetups attract audience of 200+people ! If you would like to attend our events please follow OWASP London Chapter on:

Twitter : @owasplondon

Facebook : https://www.facebook.com/OWASPLondon

Webpage : https://www.owasp.org/index.php/London

Meetup : https://www.meetup.com/OWASP-London/

LinkedIN : https://www.linkedin.com/company/owasplondon/

CyberSecurity Conferences in London

First of all it is important to list the following major conferences:

SC Congress — https://www.sccongressuk.com More suitable for decision-makers than techies. Free. At ILEC centre annually in February
Cloud Security Expo at Excel https://www.cloudsecurityexpo.com/ this Expo & Conference is co-located with IoT, DevOps,BigData and BlockChain expos. Free to attend, lots of great tech and higher level talks — happens annually in March at Excel Expo Centre. Free.
CRESTCon — http://www.crestcon.co.uk/ Council for Registered Ethical Security Testers (CREST) is the main accreditation body for penetration testing companies and they have their annual conference in London in April at the Royal College of Physicians (Regents Park). Tickets £125-£200
AWS Summit London - https://aws.amazon.com/events/summits/london AWS is the number 1 Cloud Services Provider in the world at the moment and they have their massive Annual AWS Summit conference in London (usually run at Excel Expo Centre in May) with lots of talks and sessions around Cloud technologies and Cloud Security. Free
Information Security Europe (aka InfoSec Europe) at Olympia https://www.infosecurityeurope.com/ — the original Expo & conference which has been running for many years. InfoSec Europe happens annually in June. Free.
BSides London — https://www.securitybsides.org.uk/ Hacker community conference, happens annually in June at the ILEC Centre. Tickets from Free to £50 (Free tickets get sold out very quickly — within minutes). Great technical talks and training workshops from notable security speakers. If you miss tickets to BSides London — don’t despair as Security BSides conferences happen in many places in the UK and all-over the world — just find one in a city close to you (in the UK we have BSides Belfast, BSides Leeds, BSides Manchester, BSides Scotland (Edinburgh).
44CON — https://44con.com/ Local DefCon-style hacking conference. Covers topics such as internet security, IoT, vulnerability discovery, and new exploit techniques. Great technical talks and training workshops from notable security speakers. Tickets: £300-£1300 , but the first day is Free. Happens annually in September
Cyber Security X Europe/ IP Expo Europe -https://ipexpoeurope.com
Free to attend , lots of great technical and higher level talks — happens annually in October at Excel Expo Centre. Free
DevSecCon London — https://www.devseccon.com/ — happens annually in October-November , tickets £200-£300 , lots of great technical talks and training workshops
BlackHat Europe — https://www.blackhat.com/eu-18/ Hacking conference and expo, great hacking talks annually in December at Excel. Tickets £1500-£1900 , however the Expo floor (live demos!) is Free.

CyberSecurity Meetups in London

Meetups are free to attend, but registration is required in advance and is essential, some venues require a form of ID to be admitted to the event.

More Events

Check out these event aggregators:

Google Support and “Legit” Phishing

Sam Stepanyan — Mon, 18 Jun 2018 19:07:04 +0000

Has @Google gone mad? Legit support page asks to upload a photo of my Government-Issued ID and a photo of my credit card! To Google Cloud?? to “Verify” the Cloud account?? Cybercriminals will be thanking Google for this #phishing gift!

Here is the link if you want to try this yourself (real Google Support page, not phishing):

Verify payment information to continue

Of course the problem with this approach is that we have been teaching users in security awareness courses for two decades now that a legit website will never use such behaviour do that to “verify” he account, that’s what phishing website do…

Firefox freezes on chrome://global/content/bindings/textbox.xml

Sam Stepanyan — Fri, 16 Mar 2018 12:55:55 +0000

Got an interesting and unexpected error message today (Mar 16,2018) from Firefox 58 which was running with just the default page — suddenly displayed a popup saying that a script on the following page is running slowly:

chrome://global/content/bindings/textbox.xml

I have found some references on Mozilla Developer site, however this does not look good from QA & testing point of view:

https://developer.mozilla.org/en-US/docs/Mozilla/About_omni.ja_(formerly_omni.jar)

How Samsung Phones Secretly Spy On Your Location

Sam Stepanyan — Thu, 08 Mar 2018 10:09:02 +0000

While working on a mobile application security project for a client, I had to investigate all HTTPS calls made by an app using a “man-in-the-middle” technique essentially pushing all traffic from the test Samsung Galaxy S5 smartphone through an intercepting proxy. And I stumbled upon something really strange.

Every now and then the phone would send a POST request to the following URL:

https://ew.disaster-device.ssp.samsung.com/quloc

What was interesting was in the payload. This was not a usual POST request, it contained the following 45-byte string:

{“lat”:51.5xxxxx,”lon”:-0.1xxxxxx,”dv”:”01"}

which was the phone’s precise location! I obfuscated the exact digits with xxxx in the above example.

So, it appears that Samsung phones periodically “call home” and report their location to Samsung. Why this data collection happens? I will continue to investigate, but wanted to publish this information in case if somebody else comes across this mysterious “disaster-device” URL.

ThreatCrowd shows a bit more information about the target domain and associated subdomains:

https://www.threatcrowd.org/domain.php?domain=ew.disaster-device.ssp.samsung.com