
It became a sort of attack vector to simply include malicious QR codes in emails and documents, tricking the victim into scanning them:

- https://cybernews.com/news/massive-phishing-campaign-exploits-qr-codes/
- https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm
- https://www.csoonline.com/article/569957/how-attackers-exploit-qr-codes-and-how-to-mitigate-the-risk.html
The news items above are just a few I have been able to find.

So what can we do?

Well, a good start would be to add the capability to XSOAR to detect and read these QR codes, extract the data and the URL (if there is one), and do what we always do: enrich and respond.
```python
import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401
import traceback

import cv2


def detect_qrcode_image(path):
    """Detect and decode a QR code in the image stored at `path`."""
    img = cv2.imread(path)
    if img is None:
        # cv2.imread returns None instead of raising when the file is not a readable image
        raise ValueError(f'Could not read {path} as an image')
    detect = cv2.QRCodeDetector()
    value, points, straight_qrcode = detect.detectAndDecode(img)
    if points is not None:
        result = {"Detected": True, "Value": str(value)}
    else:
        result = {"Detected": False}
    return CommandResults(
        outputs_prefix="QR.Data",
        outputs=result
    )


def main():
    try:
        # Resolve the war-room file entry to a path inside the container
        entry_id = demisto.args().get('entry_id')
        file_path = demisto.executeCommand("getFilePath", {
            "id": entry_id
        })[0].get('Contents').get('path')
        return_results(detect_qrcode_image(file_path))
    except Exception as ex:
        demisto.error(traceback.format_exc())  # log the traceback
        return_error(f'Failed to execute qrcodereader. Error: {str(ex)}')


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
```
The above code only needs the demisto/opencv container; at the time of writing the version was 1.0.0.78792.

So now we can simply use this code as an automation in our playbooks or the playground to extract the value, which will be stored under QR.Data in the context data.
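The automation stores the raw decoded text, but the enrichment step still needs the URL pulled out of it. The following is an added example, not code from the original post, of a post-processing helper that takes the decoded value and returns URLs and hostnames in the same QR.Data shape; the function name `extract_qr_indicators` is my own, and the handling of the `MEBKM:` bookmark wrapper is an assumption about what some QR generators emit.

```python
import re
from urllib.parse import urlsplit

# Scheme-prefixed URLs embedded anywhere in the decoded text.
URL_RE = re.compile(r"\b(?:https?)://[^\s<>\"';]+", re.IGNORECASE)
# Bookmark wrapper some generators emit: MEBKM:TITLE:<title>;URL:<url>;;
MEBKM_RE = re.compile(r"^MEBKM:(.*)$", re.IGNORECASE | re.DOTALL)


def extract_qr_indicators(value):
    """Turn raw QR text into enrichable indicators (hypothetical helper).

    Returns a dict shaped like the QR.Data context above, extended with
    the URLs and hostnames found so a playbook can enrich them.
    """
    text = value.strip()
    candidates = []
    m = MEBKM_RE.match(text)
    if m:
        for field in m.group(1).split(";"):
            if field.upper().startswith("URL:"):
                url = field[4:].strip()
                # Bookmark URLs may omit the scheme; phone readers open them as http.
                candidates.append(url if "://" in url else "http://" + url)
    candidates.extend(URL_RE.findall(text))
    urls, domains = [], []
    for cand in candidates:
        cand = cand.strip().rstrip(".,)")  # drop trailing prose punctuation
        parts = urlsplit(cand)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue
        if cand not in urls:
            urls.append(cand)
        host = parts.hostname.lower()
        if host not in domains:
            domains.append(host)
    return {
        "Detected": True,
        "Value": value,
        "HasURL": bool(urls),
        "URLs": urls,
        "Domains": domains,
    }
```

Feed `result["Value"]` from the automation into this helper and the playbook can branch on `HasURL` before calling its usual URL and domain enrichment commands.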