With version 4, GandCrab ransomware has undergone a major overhaul, adding an NSA exploit to help spread and targeting a larger set of systems.
The updated GandCrab ransomware was first discovered earlier this month, but researchers are just now learning the extent of the changes. The code structure of the GandCrab ransomware was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.
“It no longer needs a C2 server (it can operate in airgapped environments, for example) and it now spreads via an SMB exploit – including on XP and Windows Server 2003 (along with modern operating systems),” Beaumont wrote in a blog post. “As far as I’m aware, this is the first ransomware true worm which spreads to XP and 2003 – you may remember much press coverage and speculation about WannaCry and XP, but the reality was the NSA SMB exploit (EternalBlue.exe) never worked against XP targets out of the box.”
Joie Salvio, senior threat researcher at Fortinet, based in Sunnyvale, Calif., found the GandCrab ransomware was being spread to targets via spam email and malicious WordPress sites and noted another major change to the code.
“The biggest change, however, is the switch from using RSA-2048 to the much faster Salsa20 stream cipher to encrypt data, which had also been used by the Petya ransomware in the past,” Salvio wrote in the analysis. “Furthermore, it has done away with connecting to its C2 server before it can encrypt its victims’ file, which means it is now able to encrypt users that are not connected to the Internet.”
However, the GandCrab ransomware appears to specifically target users in Russian-speaking regions. Fortinet found the malware checks the system for use of the Russian keyboard layout before it continues with the infection.
Despite the overhaul of the GandCrab ransomware and the expanded systems being targeted, Beaumont and Salvio both said basic cyber hygiene should be enough to protect users from attack. This includes installing the EternalBlue patch released by Microsoft, keeping antivirus up-to-date and disabling SMB version 1 altogether, which is advice that has been repeated by various outlets, including US-CERT, since the initial WannaCry attacks began.
A group of researchers developed a proof of concept for a variant of the Rowhammer exploit against Android devices and proved that Google’s protections aren’t enough, but one expert said the RAMpage attack is unlikely to pose a real-world threat.
A team of researchers from Vrije Universiteit Amsterdam, the University of California at Santa Barbara, Amrita University of Coimbatore, India and EURECOM — including many of the researchers behind the Drammer PoC attack upon which RAMpage was built — and created both the RAMpage attack against ARM-based Android devices and a practical mitigation, called GuardION.
According to the researchers, the most likely method for attacking a Rowhammer vulnerability on a mobile device is through a direct memory access (DMA) based attack.
As such, they developed the RAMpage attack, “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses,” researchers wrote in their research paper. “To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks — the main attack vector on mobile devices — by isolating DMA buffers with guard rows.”
The researchers said a successful RAMpage attack could allow a malicious app to gain unauthorized access to the device and read secret data from other apps, potentially including “passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.” However, lead researcher Victor van der Veen was careful to note it is unclear how many devices are at risk because of differences in software.
“With RAMpage, we show that the software defenses that were deployed to stop Drammer attacks are not sufficient. This means that the only remaining requirement is having buggy hardware. Since we have seen bit flips on devices with LPDDR2, LPDDR3, and LPDDR4 memory, we state that all these devices may be affected, although it is uncertain how many,” van der Veen wrote via email. “Local access is required. This means that the attacker must find a way to run code (e.g., an app) on the victim’s device. A second requirement is that the device needs to be vulnerable for the Rowhammer bug: it is unclear what percentage of devices expose this issue.”
In a statement, Google downplayed the dangers of the RAMpage attack: “We have worked closely with the team from Vrije Universiteit and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”
Google also asserted that newer devices include protections against Rowhammer attacks and “the researcher proof of concept for this issue does not work on any currently supported Google Android devices,” though Google did not specify what qualified as a “currently supported Google Android device.”
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said this could mean “that ‘currently supported devices’ refers to Android builds to which Google still issues security patches, which means that Android Marshmallow (6.0.) and above may not be susceptible” to the RAMpage attack. According to Google’s latest platform numbers, more than 62% of Android devices in the wild are above this threshold.
However, van der Veen thought Google might be referring to its own handsets.
“I believe they hint at the devices that fall under their Android Reward program, which is basically the Pixel and Pixel 2. We did manage to flip bits on a Pixel, and I think that it is likely that there are Pixel phones out there on which the attack will work,” van der Veen wrote. “I don’t see criminals exploiting the Rowhammer bug in a large-scale fashion. It is more likely to be used in a targeted attack. I do think that Google can do a bit more though.”
Arsene agreed that the RAMpage attack does appear “very difficult and unlikely to happen on a mass scale.”
“Attackers would have to know in advance the type of device the target owns, because some manufacturers and OS builds implement different row sizes (e.g. 32KB, 64KB, 128KB), making the attack significantly more complex and less reliable,” Arsene wrote via email. “Google may be right in saying the attack should not be of concern to average users, but it could be used in highly targeted attacks that involve stealthily compromising the device of a high priority individual. For mass exploitation of Android devices there are likely other, less sophisticated methods, for compromise. Attackers will often go for the path of least resistance that involves maximum efficiency and minimum effort to develop and deploy.”
Despite the relatively low likelihood of the RAMpage attack being used in the wild, researchers developed a mitigation based on protecting Google’s ION DMA buffer management APIs, which were originally added to Android 4.0.
“The main reason for which defenses fail in practice is because they aim to protect all sensitive information by making sure that they are not affected by Rowhammer bit flips. Hence, they are either impractical or they miss cases,” the researchers wrote in their paper. “Instead of trying to protect all physical memory, we focus on limiting the capabilities of an attacker’s uncached allocations. This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data.”
Victor van der VeenPhD candidate in the VUSec group at Vrije Universiteit Amsterdam
Van der Veen added via email, “I think they main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts. I think there is also (scientific) value in our breakdown of other proposed mitigation techniques and how they apply to mobile devices, plus our proposed defense, GuardION.”
GuardION may not be real-world ready either though. The researchers noted that Google said the mitigation technique resulted in too much “performance overhead” in apps, but they continue to work with the Android security team “to figure out what a real-world benchmark looks like so that we can hopefully improve our implementation.”
Arsene said “the existence of security research that exploits hardware vulnerabilities does not necessarily mean that users will be more at risk than before.”
“Some of it is purely academic and the practical applications of weaponizing this type research may never become a reality for the masses,” Arsene wrote. “However, users should realize that unpatched, outdated, and unsupported devices and operating systems will always involve significant security risks to their privacy and data.”
A new malware variant reads like the greatest hits of cyberthreats: a cryptojacker using an NSA exploit to scan for IoT devices with hardcoded passwords to spread and distribute the miner. And according to experts, there’s blame to be had on all sides.
Researchers at Fortinet’s FortiGuard Labs have been tracking Python-based malware that uses the EternalRomance National Security Agency (NSA) exploit to spread and install a cryptominer — hence, PyRoMine. And, now, the researchers found a variant that directly targets IoT devices, which they call PyRoMineIoT.
Jasper Manuel, a malware researcher at Fortinet, based in Sunnyvale, Calif., wrote in a blog post that PyRoMine and PyRoMineIoT malware don’t need Python to be installed on the target systems, and PyRoMineIoT uses the EternalRomance NSA exploit to scan for IoT devices that are vulnerable due to using hardcoded passwords. Once PyRoMineIoT infects a device, the malware downloads components, including a Monero cryptominer.
“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem,” Manuel wrote. “We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices.”
Sean Newman, director of product management for Corero Network Security, based in Marlborough, Mass., said enterprises may not need to worry about cryptojackers specifically, because “they have their own specific mission, which has nothing to do with any data or information within an organization which ends up hosting them.”
“But there is the obvious performance impact for any device which does get compromised for this purpose, which could negatively impact the function of IoT devices, for example,” Newman wrote via email. “However, enterprises should really be asking themselves the [following] question: If a hacker can plant malware within my organization to mine cryptocurrency, what other malware can they, or another cybercriminal, plant just as easily?”
Justin Jett, director of audit and compliance for Plixer, based in Kennebunk, Maine, said regardless of the size of the enterprise, “organizations should be concerned with cryptominers.”
“These malicious applications steal valuable resources that are critical to business applications. When allowed to go unabated, vital business applications are unable to perform as required. This means that organizations are losing not only resources, but time and money,” Jett wrote via email. “Every company should use network traffic analytics to see where these cryptominers are spreading. Specifically, in the case of PyRoMineIoT, the malware is actively scanning for IoT devices on the network. Network traffic analytics makes quick work of such security vulnerabilities and can help IT professionals quickly see where the malware has compromised them.”
The NSA connection
While the PyRoMineIoT malware uses an NSA exploit — leaked by the Shadow Brokers — to help it spread and infect more vulnerable devices, experts said the blame for any damage shouldn’t necessarily go to the NSA, because even if the EternalRomance NSA exploit hadn’t been developed by the U.S. government, someone else would have created the attack.
Pat Ciavolella, malware team lead at The Media Trust, based in McLean, Va., said, “Developers are innovative” and would have eventually created something similar to the EternalRomance NSA exploit.
Sean Newmandirector of product management for Corero Network Security
“Part of that innovation comes from being on the lookout for vulnerabilities, which is also how security measures are improved,” Ciavolella wrote via email. “The NSA and any organization that does this type of work needs to exercise tighter control over who has access to their innovations so that they do not fall into the wrong hands. Today’s digital economy isn’t just the Wild West, it’s the Wild ‘Westworld’ — virtually any innovation in the wrong hands can hurt others.”
Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, based in Hawthorne, N.J., said, “Blaming the NSA is easy and far too convenient.”
“IoT vendors must be held to higher standards,” Gumbs wrote via email. “It is not OK to sell interconnected devices to consumers that fail to implement even basic security measures.”
Larry Trowell, principal consultant with Synopsys Software Integrity Group, said the government shares some of the blame for the NSA exploit.
“It’s in every country’s interest to develop systems enabling offensive and defensive strategies to protect individuals and national services,” Trowell wrote via email. “There is no fault in that. If the NSA does have some blame to share in this situation, it is for allowing secrets to be exfiltrated — not in developing them.”
Jett said although the NSA exploit was stolen, “they didn’t create the vulnerabilities that allow for the malware to exploit devices.”
“As such, you can’t hold them responsible for the malware that has emerged from the EternalRomance exploit. Vendors whose products are vulnerable to EternalRomance are responsible for resolving the exploit problem,” Jett wrote. “Additionally, it has been more than a year since the NSA exploits were released, and vendors have created patches. It becomes incumbent on the users to make sure they are properly patching their software and reducing the threat surface for these exploits.”
The U.S. Department of Homeland Security warned of an exploit of the Signaling System 7 protocol that may have targeted American cellphone users.
The Washington Post reported that DHS notified Sen. Ron Wyden (D-Ore.) last week that malicious actors “may have exploited” global cellular networks “to target the communications of American citizens.” The letter has not been made public, but The Washington Postobtained a copy of it and reported that it described surveillance systems that exploit Signaling System 7 (SS7) vulnerabilities. According to the report, the exploit enables intelligence agencies and criminal groups to spy on targets using nothing but their cellphone number.
SS7 is the international telecommunications standard used since the 1970s by telecommunications providers to exchange call routing information in order to set up phone connections. Cellphone providers use SS7 to enable users to send and receive calls as they move from network to network anywhere in the world. The protocol has been criticized by analysts and experts for years because of its vulnerabilities and because it enables spying and data interception.
In a different letter to Ajit Pai, chairman of the Federal Communications Commission, Wyden referenced an “SS7 breach” at a major wireless carrier and criticized the FCC for its inaction regarding SS7 vulnerabilities.
“Although the security failures of SS7 have long been known to the FCC, the agency has failed to address the ongoing threat to national security and to the 95% of Americans who have wireless service,” Wyden wrote.
He explained the SS7 vulnerabilities enable attackers to intercept people’s calls and texts, as well as hack into phones to steal financial information or get location data.
“In a prior letter to me, you dismissed my request for the FCC to use its regulatory authority to force the wireless industry to address the SS7 vulnerabilities,” Wyden wrote to Pai. “You cited the work of the [Communications Security, Reliability and Interoperability Council] as evidence that the FCC is addressing the threat. But neither CSRIC nor the FCC have taken meaningful action to protect hundreds of millions of Americans from potential surveillance by hackers and foreign governments.”
In the letter, Wyden included a call to action for Pai to use the FCC’s “regulatory authority” to address the security issues with SS7 and to disclose information about SS7-related breaches to Wyden by July 9, 2018.
In other news:
The U.S. government ban on using Kaspersky Lab products was upheld this week, and the security company’s lawsuits were dismissed. U.S. District Judge Colleen Kollar-Kotelly dismissed two lawsuits filed by Kaspersky Lab in response to Binding Operational Directive 17-01 and the National Defense Authorization Act (NDAA), both of which banned the company’s products from use in the federal government. Kaspersky argued the ban was unconstitutional and caused undue harm to the company, but Kollar-Kotelly dismissed the argument and said while there may be “adverse consequences” for Kaspersky, the ban is not unconstitutional. Kaspersky Lab has said it will file an appeal of the ruling.
The U.S. House of Representatives advanced a bill that would require law enforcement to get a warrant before collecting data from email providers. The Email Privacy Act was added as an amendment to the NDAA, which is the annual budget for the Department of Defense. The bill passed the House 351-66 and will now move to the Senate for approval. The amendment was authored by Rep. Kevin Yoder (R-Kan.) and is the latest version of the 2016 Email Privacy Act that received unanimous support in the House. If the NDAA passes with this amendment included, it will provide warrant protections to all email, chats and online messages that law enforcement might want or need for investigations. The Electronic Frontier Foundation has been a proponent of email privacy in law, saying, “The emails in your inbox should have the same privacy protections as the papers in your desk.”
The private equity investment firm Thoma Bravo is acquiring a majority share in the security company LogRhythm. LogRhythm offers its users a security information and event management platform that also has user and entity behavior analytics features. The company has been in business for 15 years and has more than 2,500 customers worldwide. “LogRhythm believes it has found an ideal partner in Thoma Bravo,” said LogRhythm’s president and CEO, Andy Grolnick, in a statement. “As we seek to take LogRhythm to the next level and extend our position as the market’s preeminent NextGen SIEM vendor, we feel Thoma Bravo’s cybersecurity domain expertise and track record of helping companies drive growth and innovation will make this a powerful and productive relationship.” The deal is expected to close later in 2018. Thoma Bravo owns the certificate authority company DigiCert, which recently purchased Symantec’s CA operations, and has previously invested in other cybersecurity companies, including SonicWall, SailPoint, Hyland Security, Deltek, Blue Coat Systems, Imprivata, Bomgar, Barracuda Networks, Compuware and SolarWinds.
Security researchers described a proof of concept exploit that affects multiple antivirus products and can lead to a full system takeover.
Florian Bogner, a security researcher based in Vienna, Austria, disclosed the issue and named it AVGater because, as Bogner wrote in his blog post, “every new vulnerability needs its own name and logo.”
Bogner said AVGater works by “manipulating the restore process from the virus quarantine.”
“By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations,” Bogner wrote in his blog post. “By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions.”
According to Bogner, he disclosed the AVGater vulnerability to Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software, and all of those vendors have released patches for affected products.
Bogner did not specifically mention Symantec or McAfee in his post and neither company responded to questions at the time of this article.
Bogner suggested that keeping software up-to-date is a good way to mitigate the risk of AVGater, but also noted there are limitations to the exploit.
“As AVGator can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats,” Bogner wrote. “This is wise in any way.”
Satya Guptafounder and CTO at Virsec
Satya Gupta, founder and CTO at Virsec Systems, an application threat software company based in San Jose, Calif., said AVGater is yet another way an attacker could manipulate “legitimate processes to launch malicious code or scripts.”
“It’s also another nail in the coffin for conventional signature-based antivirus solutions. We’ve known for a while that fileless and memory-based exploits fly under the radar of most AV systems, but now hackers can use AV tools to essentially disable themselves,” Gupta told SearchSecurity. “Hackers are relentless and will inevitably find clever ways to bypass perimeter security. The battle has to move to protecting the integrity of applications for process and memory exploits.”
A security researcher for Google’s Project Zero team has released a proof-of-concept iOS exploit that takes advantage of another Broadcom Wi-Fi issue.
The vulnerability abused by Gal Beniamini, a security researcher for Google Project Zero based in Israel, was found in the same Broadcom BCM4355C0 Wi-Fi chips affected by the Broadpwn flaw, but is separate. Beniamini confirmed the Broadcom flaw (CVE-2017-11120) affects a range of devices, including the Samsung Galaxy S7 Edge and various Wi-Fi routers, but the exploit he released was specifically for the iPhone 7.
Beniamini wrote in his disclosure that the BCM4355C0 SoC with firmware version 18.104.22.168.0.1.56 did not validate a specific field properly and an iOS exploit could allow code execution and more.
“The exploit gains code execution on the Wi-Fi firmware on the iPhone 7,” Beniamini wrote. “Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).”
However, Beniamini’s proof-of-concept iOS exploit requires knowledge of the MAC address of the target device, which may make using this attack in the wild more difficult.
Beniamini said his iOS exploit was tested against the Wi-Fi firmware in iOS 10.2 “but should work on all versions of iOS up to 10.3.3.”
Apple has patched against this iOS exploit in iOS 11 and Google patched the same Broadcom flaw in its September Security Update for Android. Users are urged to update if possible.