Category Archives: Security Alert

Zacinlo Rootkit Adware

Zacinlo is an adware trojan that uses rootkit functionality to gain persistence across operating system re-installations.

At the time of publication, Zacinlo is delivered through a seemingly legitimate VPN application. Once installed, this application instead acts as a proxy and downloader, initiating communications with a command and control (C2) server and retrieving the malware packages. The rootkit also includes a self-upgrade feature that keeps it updated to the latest version.

When installed, Zacinlo’s modules provide it with a wide range of capabilities, including advert injection using man-in-the-middle attacks over HTTPS, traffic redirection and installing other malware.

Zacinlo’s main functions appear to be to display advertisements and to run a hidden browser to generate income for the attackers by clicking on more advertisements. It’s also capable of removing competing adware.

The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.

Zacinlo’s rootkit module is also used to prevent or disable processes deemed dangerous to its operation, such as anti-virus programs or security services.

Affected Platforms

  • Microsoft Windows – Versions 7, 8, 8.1 and 10

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Kardon Loader Trojan

Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product. It has been on sale since late April by an actor using the username Yattaze. The actor sells the malware either as a standalone build, charging for each additional rebuild, or as a botshop setup, in which case any customer can run their own operation and sell access on to a new customer base.

Kardon Loader appears to be distributed through the popular ‘Pink Panther’ botshop, although the total number of infections is low.

Currently, most Kardon Loader instances act as a simple loader; however, newer variants include greater functionality, such as adding or removing applications, file transfer and botnet features. There are also indications that Tor and domain generation algorithm (DGA) support will be implemented for command and control communications.

Kardon Loader uses HTTP-based C2 infrastructure with base64-encoded URL parameters.

Hashes

  • fd0dfb173aff74429c6fed55608ee99a24e28f64ae600945e15bf5fce6406aee
  • b1a1deaacec7c8ac43b3dad8888640ed77b2a4d44f661a9e52d557e7833c7a21
  • 3c64d7dbef4b7e0dd81a5076172451334fe9669800c40c895567226f7cb7cdc7

Command and Control URLs

  • Kardon[.]ddns[.]net
  • Jhuynfrkijucdxiu[.]club
  • Kreuzberg[.]ru
  • Cryptdrop[.]xyz

Mylobot Botnet

Mylobot is a botnet that targets and takes control of devices running Microsoft Windows.

Mylobot employs a variety of techniques to evade detection and analysis. When it infects a new host, it waits for two weeks before contacting its command and control (C2) servers. It terminates Windows Defender and Windows Update, and attempts to delete other malware that has previously been installed. It can also execute files directly from memory, without writing them to storage media.

It also shuts down and deletes any EXE file running from the %APPDATA% folder, which can cause data loss. The main function of the botnet is to take complete control of the user’s computer; the damage done to the computer depends on the payload the attackers decide to distribute.

Mylobot gives the threat actors full control over infected hosts and allows them to install additional malware. The C2 servers have previously been linked to the Locky ransomware. Examination of the C2 server in use shows that it has been used by other malware campaigns, all of which emanate from the Dark Web, so the threat actors behind Mylobot are likely involved in a range of activities. The C2 server has been active for two and a half years, which indicates that those behind Mylobot have been active for some time, and their tactics suggest a well-resourced operation.

Asprox Botnet

First observed in 2008, Asprox is a Windows-based botnet used to perform SQL injection and phishing campaigns.

Asprox is distributed through compromised websites. Previously infected devices are used to scan for sites running Active Server Pages (ASP or ASP.NET) before attempting to gain command execution on the site’s server via SQL injection. If successful, it injects JavaScript or HTML iframes into the targeted site to enable drive-by downloads of Asprox.

Once installed, Asprox spawns a process to connect to its command and control infrastructure and edits registry entries to maintain persistence. It also contains a secondary backdoor known as Kuluoz (also known as Cidox or Rerdom), which is used to download and install further malware.

Palo Alto Networks released a report stating that in October 2014, Kuluoz, the latest version of the Asprox malware, accounted for approximately 80 percent of all malware sessions recorded by their WildFire threat intelligence service.

Affected Platforms

Microsoft Windows – All versions

Hosts and IPs to block

Multiple Remote Vulnerabilities In Insteon Hub PubNub

Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution to denial of service. The majority have their root cause in unsafe use of the strcpy() function, leading either to a stack overflow or to a global overflow.

Overview

Insteon Hub is a central controller that allows an end user to connect to and manage devices in their home remotely from a smartphone. To enable remote interaction via the internet, Insteon Hub uses an online service called PubNub.

End users install the “Insteon for Hub” application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub’s REST API.

Unless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. These vulnerabilities are fixed as of firmware version 1016; earlier versions may be vulnerable.

TALOS-2017-0483 – Message Handler Multiple Stack Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

Note: CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently.

CVE: CVE-2017-16252 through CVE-2017-16337

Full technical advisory is available.
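The stack-based strcpy() pattern named as the root cause of TALOS-2017-0483 (and, with a global buffer instead of a stack one, of TALOS-2017-0484), shown as an added example beside its bounded replacement. This is not Insteon or Talos code: the {"cmd":"..."} message layout, the field name and the 16-byte command buffer are assumptions.

```c
/*
 * Added example, not code from Insteon or from Talos: a toy handler for a
 * PubNub-style JSON command that copies one string field into a fixed
 * buffer. handle_cmd_unsafe() reproduces the unchecked strcpy() named as
 * the root cause in the advisories; handle_cmd_safe() is the bounded
 * replacement. Message layout, field name and CMD_MAX are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define CMD_MAX 16  /* assumed size of the device's command buffer */

/* Find the value of a string field in a flat JSON object like {"cmd":"on"}.
 * Returns a pointer to the first byte of the value and stores its length,
 * or NULL if the key is missing or the string is unterminated.
 * Deliberately minimal: no escapes, no nesting. */
static const char *json_string_field(const char *msg, const char *key,
                                     size_t *len)
{
    char pat[64];
    if (snprintf(pat, sizeof pat, "\"%s\":\"", key) >= (int)sizeof pat)
        return NULL;
    const char *start = strstr(msg, pat);
    if (start == NULL)
        return NULL;
    start += strlen(pat);
    const char *end = strchr(start, '"');
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Root-cause pattern: the already-extracted value is strcpy()'d into a
 * CMD_MAX-byte stack buffer. Nothing checks that strlen(value) < CMD_MAX,
 * so a longer value overwrites whatever follows cmd[] on the stack.
 * Kept only for contrast; main() never passes it an oversized value. */
int handle_cmd_unsafe(const char *value)
{
    char cmd[CMD_MAX];
    strcpy(cmd, value);          /* unbounded copy */
    return (int)strlen(cmd);
}

/* Bounded replacement: copies the "cmd" field of msg into out (outsz bytes).
 * Returns 0 on success, -1 if the value would not fit, -2 if the field is
 * missing or malformed. out is left empty on any failure. */
int handle_cmd_safe(const char *msg, char *out, size_t outsz)
{
    size_t len;
    const char *val = json_string_field(msg, "cmd", &len);
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (val == NULL)
        return -2;
    if (len >= outsz)            /* reject rather than truncate silently */
        return -1;
    memcpy(out, val, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char cmd[CMD_MAX];
    /* constructed sample messages */
    const char *ok = "{\"cmd\":\"on\",\"dev\":\"1A2B3C\"}";
    const char *big = "{\"cmd\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}";

    printf("unsafe, short value: %d bytes copied\n", handle_cmd_unsafe("on"));
    printf("safe, short value: rc=%d cmd=%s\n",
           handle_cmd_safe(ok, cmd, sizeof cmd), cmd);
    printf("safe, 32-byte value: rc=%d (rejected)\n",
           handle_cmd_safe(big, cmd, sizeof cmd));
    return 0;
}
```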

TALOS-2017-0484 – Message Handler Multiple Global Overflow Remote Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-16338, CVE-2017-16339, CVE-2017-16340, CVE-2017-16341, CVE-2017-16342, CVE-2017-16343, CVE-2017-16344, CVE-2017-16345, CVE-2017-16346, CVE-2017-16347

Full technical advisory is available.

TALOS-2017-0485 – Reboot Task Denial Of Service Vulnerability

An exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send a UDP packet to trigger this vulnerability.

CVE: CVE-2017-16348

Full technical advisory is available.

TALOS-2017-0492 – HTTPExecuteGet Firmware Update Information Leak Vulnerability

The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device’s memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14443

Full technical advisory is available.

TALOS-2017-0493 – HTTPExecuteGet Firmware Update URL Parameter Code Execution Vulnerability

The HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor provides some protection against buffer overflows; however, by using vulnerability TALOS-2017-0492 it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14444

Full technical advisory is available.

TALOS-2017-0494 – HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability

The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, which in this case cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14445

Full technical advisory is available.

TALOS-2017-0495 – HTTPExecuteGet Parameters Extraction Code Execution Vulnerability

The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14446

Full technical advisory is available.

TALOS-2017-0496 – Insteon Hub PubNub “ad” Channel Message Handler Code Execution Vulnerability

An exploitable buffer overflow vulnerability exists in the PubNub message handler for the “ad” channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

CVE: CVE-2017-14447

Full technical advisory is available.

TALOS-2017-0502 – Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities

An exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.

CVE: CVE-2017-14452, CVE-2017-14453, CVE-2017-14454, CVE-2017-14455

Full technical advisory is available.

TALOS-2018-0511 – Insteon Hub PubNub MPFS Upload Firmware Update Vulnerability

The HTTP server allows uploading of arbitrary MPFS binaries, which could be modified to expose hidden resources that allow unsigned firmware images to be uploaded to the device. To trigger this vulnerability, an attacker needs credentials to upload an MPFS binary via the “/mpfsupload” HTTP form and, later, to upload the firmware via a POST request to “firmware.htm”.

This vulnerability was found on firmware version 1013.

CVE: CVE-2018-3832

Full technical advisory is available.

TALOS-2018-0512 – Insteon Hub PubNub Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve any signed firmware image.

CVE: CVE-2018-3833

Full technical advisory is available.

TALOS-2018-0513 – Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability

An exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU renders the device permanently unusable. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve a signed firmware image.

CVE: CVE-2018-3834

Full technical advisory is available.

Above information via Cisco Talos.

Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability [CVE-2018-8210]

An exploitable heap corruption exists in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). A crafted WIM image can lead to heap corruption, resulting in direct code execution.

This vulnerability is present in the wimgapi DLL, which is used for performing operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. The vulnerability in the LoadIntegrityInfo function manifests during parsing of the WIM file header, so a specially crafted WIM file can lead to heap corruption and remote code execution. Because the flaw is in header parsing, it triggers even on the simplest operations performed on a malformed WIM file.

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

Further details and updates – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8210

Microsoft OpenType Font Driver Vulnerability [CVE-2015-2426]

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.

When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.

The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.

This issue is known as Microsoft Security Bulletin MS15-078.

Further details – https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-078

InvisiMole Spyware

This malware can turn the affected computer into a video camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device may be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and stealing the victim’s secrets.

At the time of publication it is unclear how InvisiMole is distributed, although there are unconfirmed reports that it is manually delivered to targeted systems. The small number of available samples, combined with the secrecy with which the malware has been created and deployed, makes it difficult to determine the delivery mechanism accurately.

InvisiMole consists of two modules, RC2FM and RC2CL, both capable of collecting user data. RC2FM, the smaller of the two, can record audio from the device’s microphone, extract the browser’s proxy settings and alter system files. The more advanced module, RC2CL, can execute files and commands, manipulate registry keys, disable security services and record audio or video.

ESET detection names

  • Win32/InvisiMole.A
  • Win32/InvisiMole.B
  • Win32/InvisiMole.C
  • Win32/InvisiMole.D
  • Win64/InvisiMole.B
  • Win64/InvisiMole.C
  • Win64/InvisiMole.D

Host based indicators

SHA-1 hashes

Files and folders

RC2FM

%APPDATA%\Microsoft\Internet Explorer\Cache\AMB6HER8\
    %volumeSerialNumber%.dat
    content.dat
    cache.dat
    index.dat
%APPDATA%\Microsoft\Internet Explorer\Cache\MX0ROSB1\
    content.dat
    index.dat
    %random%.%ext%
%APPDATA%\Microsoft\Internet Explorer\Cache\index0.dat

RC2CL

Winrar\
    comment.txt
    descript.ion
    Default.SFX
    WinRAR.exe
    main.ico
fl_%timestamp%\strcn%num%\
    fdata.dat
    index.dat
~mrc_%random%.tmp
~src_%random%.tmp
~wbc_%random%.tmp
sc\~sc%random%.tmp
~zlp\zdf_%random%.data
~lcf\tfl_%random%

Registry keys and values

RC2FM

[HKEY_CURRENT_USER\Software\Microsoft\IE\Cache]
"Index"

RC2CL

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Console]
or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D]
"Settings"
"Type"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
or [HKEY_CURRENT_USER\Software\Microsoft\Direct3D]
"Common"
"Current"
"ENC"
"FFLT"
"Flag1"
"FlagLF"
"FlagLF2"
"IfData"
"INFO"
"InstallA"
"InstallB"
"LegacyImpersonationNumber"
"LM"
"MachineAccessStateData"
"MachineState 0"
"RPT"
"SP2"
"SP3"
"SettingsMC"
"SettingsSR1"
"SettingsSR2"

Network indicators

InvisiMole’s C&C server domains

InvisiMole’s C&C server IP addresses

Olympic Destroyer Malware

A couple of days after the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, news reports emerged of a devastating malware attack on the Olympic infrastructure. A look inside the malware revealed a destructive, self-modifying, password-stealing, self-propagating malicious program, which by any definition sounds pretty bad.

According to media reports, the organizers of the Pyeongchang Olympics confirmed they were investigating a cyberattack that temporarily paralyzed IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.

Olympic Destroyer’s deceptive behaviour and its excessive use of false flags tricked many researchers in the infosecurity industry. Based on malware similarity, other researchers linked Olympic Destroyer to three Chinese-speaking APT actors and to the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code was similar to the Nyetya (ExPetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral movement tools and initial infection backdoors, and followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.

In May and June 2018, security researchers discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led them to believe they were looking at the same actor again.

Indicators Of Compromise

File Hashes

Domains and IPs

Node.js HTTP/2 Server Denial of Service Vulnerability

CVE Number – CVE-2018-7161

A vulnerability in the HTTP/2 implementation feature of Node.js could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists because the affected software’s HTTP/2 handling can trigger a cleanup bug in which objects are used in native code after they are no longer available. An attacker could exploit this vulnerability by sending a request containing malicious input to a targeted Node.js server that provides HTTP/2. A successful exploit could crash the Node.js server, resulting in a DoS condition. The Node.js Foundation has confirmed the vulnerability and released software updates.

To exploit this vulnerability, an attacker must send a request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Safeguards

  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  • Administrators are advised to monitor affected systems.

Vendor Announcements

Fixed Software

  • The Node.js Foundation has released software updates at the following link: Node.js 10.4.1
