Tag Archives: malware

WannaMine cryptojacker targets unpatched EternalBlue flaw

New research detailed successful cryptojacking attacks by WannaMine malware after almost one year of warnings about this specific cryptominer and more than a year and a half  of warnings about the EternalBlue exploit.

The Cybereason Nocturnus research team and Amit Serper, head of security research for the Boston-based cybersecurity company, discovered a new outbreak of the WannaMine cryptojacker, which the researchers said gains access to computer systems “through an unpatched [Server Message Block, or SMB] service and gains code execution with high privileges” to spread to more systems.

Serper noted in a blog post that neither WannaMine nor the EternalBlue exploit are new, but they are still taking advantage of those unpatched SMB services, even though Microsoft patched against EternalBlue in March 2017.

“Until organizations patch and update their computers, they’ll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns,” Serper wrote in the blog post. “Part of giving the defenders an advantage means making the attacker’s job more difficult by taking steps to boost an organization’s security. Patching vulnerabilities, especially the ones associated with EternalBlue, falls into this category.”

It is fair to say that any unpatched system with SMB exposed to the internet has been compromised repeatedly and is definitely infected with one or more forms of malware.
Jake Williamsfounder and CEO, Rendition Infosec

The EternalBlue exploit was famously part of the Shadow Brokers dump of National Security Agency cyberweapons in April 2017; less than one month later, the WannaCry ransomware was sweeping the globe and infecting unpatched systems. However, that was only the beginning for EternalBlue.

EternalBlue was added into other ransomware, like GandCrab, to help it spread faster. It was morphed into Petya. And there were constant warnings for IT to patch vulnerable systems.

WannaMine was first spotted in October 2017 by Panda Security. And in January 2018, Sophos warned users that WannaMine was still active and preying on unpatched systems. According to researchers at ESET, the EternalBlue exploit saw a spike in use in April 2018.

Jake Williams, founder and CEO of Rendition Infosec, based in Augusta, Ga., said there are many ways threat actors may use EternalBlue in attacks.

“It is fair to say that any unpatched system with SMB exposed to the internet has been compromised repeatedly and is definitely infected with one or more forms of malware,” Williams wrote via Twitter direct message. “Cryptojackers are certainly one risk for these systems. These systems don’t have much power for crypto-mining (most lack dedicated GPUs), but when compromised en-masse they can generate some profit for the attacker. More concerning in some cases are the use of these systems for malware command and control servers and launching points for other attacks.”

Amanda Rousseau talks about computer forensics investigations

Amanda Rousseau, the senior malware researcher at Endgame who is also known as Malware Unicorn,  began her career working for the Department of Defense Cyber Crime Center performing computer forensics investigations before moving into the private sector.

At Black Hat USA 2018, Rousseau talked about her experiences with dead box computer forensics investigations — studying a device after a crime has been committed in order to find evidence — how to de-stress after spending a week reverse engineering malware encryption, and how to tell the difference between code written by a script-kiddie and a nation-state actor.

This interview was edited for length and clarity.

What was your role in computer forensics investigations? 
Amanda Rousseau: When I did forensics, I did criminal investigation. So if there was a murder, if there was domestic terrorism or something like that, they would give me the hard drive and I would analyze it. 
It was very specific; it’s not really intrusions, right? Intrusions are more dynamic. But even when you talk about attribution, I cringe because no one really wants to put their finger on where it came from, exactly. If you get it wrong, you could start a war.

I was never on threat intel, thank goodness. I was mainly doing case-by-case, just looking at a certain thing in malware, writing a report on it, giving it up to someone else so that they can do the groundwork. I was more behind the scenes.

Even now, I feel like it’s my job to take out all of the interesting information for them to put the clues together on there. Because when you think about when an FBI agent, or someone that’s doing the investigation, [they know] much more that I don’t know outside of what I see. I can only give my nonbiased results from what I’ve analyzed. And they can put the clues together themselves.

It takes a team. It takes a team to do that kind of stuff.

When it comes to computer forensics investigations, what were the challenges in ensuring the evidence was accurate? 

If there was a murder, if there was domestic terrorism or something like that, they would give me the hard drive and I would analyze it.
Amanda Rousseausenior malware researcher, Endgame

Rousseau: We had to prove that that person was at the computer at that time. Because there would be incidents where the wife’s husband, boyfriend, or whatever would be at her computer or vice versa. So you really couldn’t put that person at the computer doing that thing. Maybe there was a camera that took a picture that [proved] they were there, or maybe their alibi would prove that they were at the computer. But it’s really hard, even for that tiny moment in time, for dead box forensics
For intrusion forensics, it’s completely different. You can trace the IP [address] to the server, and it’s another jump server, and then you see who owns the server, and then the people on the ground have to go trace who’s at that address who owns the server and you get all the credit card accounts that paid for that server.
What was the most difficult thing that you had to do in dead box cyber forensics investigations?
Rousseau: One difficult thing was when I was learning; it was just a learning curve. All you had to do was do it more and practice. It’s kind of like reversing; the more you do it, the more experience you get and [you] see quicker ways to do things.

I think when I did intrusions investigation, the hardest thing to do was encryption, because you have to sit there and try to identify encryption algorithms backwards. And so you’re sitting there with pen and paper like, ‘OK. This bit gets flipped here.’ And you’re writing the whole algorithm down and trying to visualize it. And then you’d identify, ‘Oh, it’s doing this.’ And that’s like a week’s worth of work. But it’s fun. It’s like a puzzle to me.
A week-long puzzle, though. It sounds taxing.
Rousseau: Yeah. You really have to time-manage your brain. Like, ‘OK, it’s the end of the day. I’ll put my notes down.” Next day, pick it back up, figure it out. 
What’s a good way to decompress when trying to reverse encryption like that? 
Rousseau: You know, it’s funny because there’s a lot of reverse engineers that are runners, or triathletes. So I haven’t done a lot of running this year, but before, I was marathon training. Because you’re sitting there for hours and hours … just staring at code. We forget to stand up and move around and everything. But running was my only way to …
Overcompensate with marathons. 
Rousseau: Yeah, exactly. 

Now, rather than cyber forensics investigations, you’re mainly doing reverse engineering of malware. Can you walk us through that process? 
Rousseau: Pretty much my day-to-day job is looking at malware, taking it apart, writing a detection for it, doing the research. It’s either short term or long term, depending on what the product needs, or what the customer needs at that time, pretty much. 
There’s a process. If you’re looking at thousands of samples, you’ve got to have a way to triage all of that and bubble up the things that are important, or the ones that you should be looking at. Same with the file itself. I don’t want to just start from the beginning. I want to look at a clue and start there. 
A lot of the research that I did for my Black Hat talk was triage analysis. My boss asked me to do 1,000 samples in three days, manual analysis. I’m like, ‘I can do one sample in a few hours, but I don’t know if I can do all 1,000 samples in three days.’ 
So I developed this tool that helped me print out all the stuff that I needed in order to look at samples. I don’t have to look at every single sample, but just the ones that are important because otherwise I would be there forever. 
How do you determine what is important?
Rousseau: In a binary, you have these things called libraries that load — imports, pretty much. And a lot of these imports give you an idea of what the program is doing. So as an indicator, say it is loading user32.dll. What that is, is it could be doing user-related actions on the system. If you load in Winsock, it’s for sockets, right?

All of these different clues as to what libraries are loading, you can kind of get a sense of what it’s actually going to do, even the function that it’s going to call. Because then you kind of build in, ‘OK, well, it’s going to do something to the file system, it’s going to open up a socket and connect out to some IP address. I’m going to have to look for an IP address, I’m going to have to look for some strings creating a file in the file system.’ That kind of stuff.

But in order to that, I need to disassemble it and see when that happens, in what order it happens. Because goodware can do the same thing, but depending on the context — the order — is it doing it all in one function, or is it spread out? Some of those little clues pinpoint the ones that you need to look at. 
And these clues help you understand what kind of malware you’re studying? 
Rousseau: Yeah, and it depends on the motive. If you’re ransomware, you’re going to do encryption; you’re going to do file system activity; you’re going to call out to some onion server for the Bitcoin. If you’re spyware, you’re going to be doing keylogging; you’re going to be accessing the camera; you’re going to be trying to take screenshots of the desktop. So those are all different libraries to look. 
If you’re just a regular Trojan or a remote access Trojan, you’re going to be calling back out to your [command-and-control network]. You’ll receive instructions to do stuff. So if you know what kind of class they are, you’re looking for those indicators to place them into that class of malware. 

Have you seen any trends in the code across different malware types? 
Rousseau: Yeah, it’s funny because with ransomware, there were two main libraries that a lot of the ransomware stemmed off of. It’s kind of like this growing tree of variations of the same code. And because some idiot posted it on GitHub somewhere, all these little 19-year-old to 26-year-olds are playing with this code and making ransomware to make a quick buck. 
The ones that do well are the crimeware people that adopt ransomware and make it more like a business, a little large-scale business. 
Rousseau: Right, right. But when you’re reversing, you can see different code, kind of a mishmash of someone writing it this way and another. It’s like handwriting. You can tell when there’s two different types of handwriting on a page. It’s like that in code for me.

If you look at enough of it you can identify, ‘OK, this is kind of weird. Someone wrote it backwards,’ or that kind of thing. Even with WannaCry, the code for the exploit is completely different than the actual ransomware code. Actual ransomware code is really crappily done, but the exploit code was beautiful. So you know they were kind of mishmashed together. 
Well, the exploit code came from
Rousseau: It was released, yeah, from … Yeah.
I guess we know that the government has really good coders. I guess that’s the key there. 
Rousseau: Yeah, the nation-state stuff, you can tell the level of expertise in that developer because usually, that whole thing will look similar. If it’s one or two guys, maybe it will look different. But the more common malware, they buy that stuff off of black market deployment and it comes in a kit. And these kits, they add on their own pictures or whatever they want in the thing. So it kind of has this variant of this s—– code with whatever s—– code that they add in, pretty much.

X-Agent malware lurked on DNC systems for months after hack

The malware backdoor allegedly implanted by Russian intelligence agents during attacks on the Democratic National Committee remained on systems at least six months after the hack was first discovered.

The indictment of Russian intelligence officers regarding the hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) included many shocking details, including the assertion that the X-Agent malware was still on DNC systems in October 2016.

The timeline of events according to the indictment showed that the Russian threat actors began spearphishing DNC and DCCC staffers in March 2016 and infiltrated DNC and DCCC systems using stolen credentials in April. Between April and June, the hackers installed the X-Agent malware backdoor and other tools and began to steal data.

“Despite the Conspirators’ efforts to hide their activity, beginning in or around May 2016, both the DCCC and DNC became aware that they had been hacked and hired a security company (‘Company 1’) to identify the extent of the intrusions,” investigators wrote in the indictment. “By in or around June 2016, Company 1 took steps to exclude intruders from the networks. Despite these efforts, a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016.”

The indictment does not mention how or why the X-Agent malware remained on DNC systems. In addition to attempts to remove the hackers and their tools from DNC systems by “Company 1” — assumed to be CrowdStrike, the company publicly known to have been called in to investigate the attack — the indictment noted that the attackers themselves also tried to clean their own tracks.

According to the indictment, the attackers tried to “delete their presence on the DCCC network using the computer program CCleaner” and that the attackers attempted connecting to the X-Agent malware on June 20, 2016, after CrowdStrike had allegedly disabled the backdoor.

Sean Sullivan, security advisor at F-Secure, discounted the possibility that the X-Agent malware might have been left on the DNC systems intentionally in order to track the attackers.

“Malware campaigns such as this use many parts and the goal is to move laterally across the network, collecting admin passwords along the way. Rooting out such infestations is time-consuming incident response work. Shutting down the entire network might have sped up the process, but that would have introduced significant challenges to the DNC’s political campaigns,” Sullivan wrote via email. “The DNC was dealing with a backdoor — so it was possible to continue day-to-day operations while doing incident response. And that sort of work just takes time to get it all.”

Stolen digital certificates used in Plead malware spread

Stolen digital certificates at the center of a new malware campaign made the malicious software appear safe before it stole user passwords.

An espionage group used stolen digital certificates to sign Plead backdoor malware and a password stealer component used in attacks in East Asia, according to Anton Cherepanov, senior malware researcher at ESET. The password stealer targeted Google Chrome, Mozilla Firefox and Internet Explorer browsers, as well as Microsoft Outlook.

Cherepanov determined the certificates were likely stolen because the malware code was signed with the “exact same certificate … used to sign non-malicious D-Link software.”

“Recently, the JPCERT published a thorough analysis of the Plead backdoor, which, according to Trend Micro, is used by the cyberespionage group BlackTech,” Cherepanov wrote in a blog post. “Along with the Plead samples signed with the D-Link certificate, ESET researchers have also identified samples signed using a certificate belonging to a Taiwanese security company named Changing Information Technology Inc. Despite the fact that the Changing Information Technology Inc. certificate was revoked on July ‎4, ‎2017, the BlackTech group is still using it to sign their malicious tools.”

ESET researchers contacted D-Link about the stolen digital certificates, and D-Link revoked the compromised certificate on July 3.

Cherepanov said this case was different from recent issues with compromised SSL certificates because the stolen digital certificates were used to sign malicious files, and “unlike SSL certificates, the code signing certificates can’t be obtained for free.”

“Misusing digital certificates is one of the many ways cybercriminals try to mask their malicious intentions — as the stolen certificates let malware appear like legitimate applications, the malware has a greater chance of sneaking past security measures without raising suspicion,” Cherepanov wrote via email. “This technique also helps attackers to circumvent native/built-in protective measures of the OS based on the validity of these certificates. Also noteworthy, certificates from a Taiwan-based company were stolen and misused by Stuxnet.”

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said “there’s no doubt we’re going to see a lot more of these attacks in the future,” where machine identities and stolen digital certificates are being abused by malicious actors.

“Code signing certificates are a method to ensure the identity of the code developer. Ideally, they verify that the software has been published by a trusted company. They also double-check the software to ensure that it hasn’t degraded, become corrupted, or been tampered with,” Bocek wrote via email. “Because of the power of these certificates, if they fall into the wrong hands they can be the ultimate ‘keys to the kingdom’. Any attacker or developer with malicious intent can obtain a private key for code signing if they really want to. What deters most of them is that they have to register with the [certificate authority] to obtain one, which makes it much easier to identity them if they distribute malicious code. This is why there is a thriving black market for stolen code-signing certificates.”

McAfee details rise in blockchain threats, cryptocurrency attacks

A new McAfee report on blockchain threats shows

malware grew more than 600% in the first

this year.

McAfee’s “Blockchain Threat Report” details the massive increase in

against cryptocurrency owners, exchanges and other companies leveraging blockchain as the value of those cryptocurrencies has surged over the last year. Steve Povolny, head of advanced threat research at McAfee, said the intent of the report is to create a baseline for the industry as it deals with increased blockchain threats that use many of the same attack techniques and methods of the last five to 10 years.

“We’ve seen an explosion in cryptocurrency value recently,” Povolny said. “Hundreds of them were created in a very short time, and now we’re seeing threat actors trying to capitalize on that value.”

While attackers have learned to adopt different attack methods that target both consumers and businesses, according to McAfee researchers, the four major attack vectors include familiar threats like phishing, malware, implementation vulnerabilities

technology. Phishing is the most familiar blockchain attack due to its prevalence and success rate, the researchers wrote. Malware, meanwhile, has exploded over the last year; the report shows the total

samples increased 629% quarter-over-quarter in Q1 of this year. The report also notes that malware developers began to shift from ransomware to cryptocurrency mining in the last six months with “ransomware attacks declining 32% in Q1 2018 from Q4 2017 while coin mining increased by 1,189%.”

Technology attacks, as explained by the researchers, are threats like dictionary attacks that are used against cryptocurrency private keys. Lastly, implementation vulnerabilities refer to flawed deployments of blockchain technology; the report cites examples such as the 2017 attack on blockchain startup Iota, where attackers exploited cryptographic vulnerabilities to created hash collisions and forged signatures, which enabled the hackers to steal coins from users’ digital wallets. Povolny stressed these vulnerabilities are not flaws with blockchain itself, which has proved to be secure so far.

The “Blockchain Threat Report” states, “In most cases, the consumers of blockchain technology are the easiest targets. Due to a widespread start-up mentality, in which security often takes a backseat to growth, cryptocurrency companies often fall in this category.”

Povolny said the issue of security within cryptocurrency and blockchain creates a two-sided problem. The first side revolves around the companies that initially rushed to capitalize on cryptocurrency but didn’t complete basic security checks and risk assessments; those shortcomings, which include a lack of proper access controls,

them easy targets for threat actors, he said. The second side is the financial motivation, as many cryptocurrencies’ values reached all-time highs in late 2017, when Bitcoin was valued at almost $20,000 per coin, thus catching the attention of hackers. This two-sided cryptocurrency problem created a continuous cycle that resulted in the development of wallets and ledgers being built without a complete understanding of security risks or an implementation of security around the programs, McAfee researchers claim.

The report also notes that “recovering from cryptocurrency theft is more difficult and complicated than with most other currencies due to their decentralized nature.” In order to secure a network, a tailored risk assessment should be conducted.

As industries begin to implement their own blockchain technology, users should prepare for continued development of new technologies by cybercriminals to further compromise them, McAfee researchers wrote. However, since there is not a clear understanding of where these risks are,

may be placed in unwarranted blockchain applications. In order to keep cryptocurrency wallets safe, Povolny recommends storing them locally on a computer that lacks network accessibility and notes that we may not see people flock to a currency like this again.

Despite the increase in threats, Povolny said the surge in cryptocurrency startups and blockchain deployments is expected to continue.

PyRoMineIoT cryptojacker uses NSA exploit to spread

A new malware variant reads like the greatest hits of cyberthreats: a cryptojacker using an NSA exploit to scan for IoT devices with hardcoded passwords to spread and distribute the miner. And according to experts, there’s blame to be had on all sides.

Researchers at Fortinet’s FortiGuard Labs have been tracking Python-based malware that uses the EternalRomance National Security Agency (NSA) exploit to spread and install a cryptominer — hence, PyRoMine. And, now, the researchers found a variant that directly targets IoT devices, which they call PyRoMineIoT.

Jasper Manuel, a malware researcher at Fortinet, based in Sunnyvale, Calif., wrote in a blog post that PyRoMine and PyRoMineIoT malware don’t need Python to be installed on the target systems, and PyRoMineIoT uses the EternalRomance NSA exploit to scan for IoT devices that are vulnerable due to using hardcoded passwords. Once PyRoMineIoT infects a device, the malware downloads components, including a Monero cryptominer.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem,” Manuel wrote. “We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices.”

Sean Newman, director of product management for Corero Network Security, based in Marlborough, Mass., said enterprises may not need to worry about cryptojackers specifically, because “they have their own specific mission, which has nothing to do with any data or information within an organization which ends up hosting them.”

“But there is the obvious performance impact for any device which does get compromised for this purpose, which could negatively impact the function of IoT devices, for example,” Newman wrote via email. “However, enterprises should really be asking themselves the [following] question: If a hacker can plant malware within my organization to mine cryptocurrency, what other malware can they, or another cybercriminal, plant just as easily?”

Justin Jett, director of audit and compliance for Plixer, based in Kennebunk, Maine, said regardless of the size of the enterprise, “organizations should be concerned with cryptominers.”

“These malicious applications steal valuable resources that are critical to business applications. When allowed to go unabated, vital business applications are unable to perform as required. This means that organizations are losing not only resources, but time and money,” Jett wrote via email. “Every company should use network traffic analytics to see where these cryptominers are spreading. Specifically, in the case of PyRoMineIoT, the malware is actively scanning for IoT devices on the network. Network traffic analytics makes quick work of such security vulnerabilities and can help IT professionals quickly see where the malware has compromised them.”

The NSA connection

While the PyRoMineIoT malware uses an NSA exploit — leaked by the Shadow Brokers — to help it spread and infect more vulnerable devices, experts said the blame for any damage shouldn’t necessarily go to the NSA, because even if the EternalRomance NSA exploit hadn’t been developed by the U.S. government, someone else would have created the attack.

Pat Ciavolella, malware team lead at The Media Trust, based in McLean, Va., said, “Developers are innovative” and would have eventually created something similar to the EternalRomance NSA exploit.

If a hacker can plant malware within my organization to mine cryptocurrency, what other malware can they, or another cybercriminal, plant just as easily?
Sean Newmandirector of product management for Corero Network Security

“Part of that innovation comes from being on the lookout for vulnerabilities, which is also how security measures are improved,” Ciavolella wrote via email. “The NSA and any organization that does this type of work needs to exercise tighter control over who has access to their innovations so that they do not fall into the wrong hands. Today’s digital economy isn’t just the Wild West, it’s the Wild ‘Westworld’ — virtually any innovation in the wrong hands can hurt others.”

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, based in Hawthorne, N.J., said, “Blaming the NSA is easy and far too convenient.”

“IoT vendors must be held to higher standards,” Gumbs wrote via email. “It is not OK to sell interconnected devices to consumers that fail to implement even basic security measures.”

Larry Trowell, principal consultant with Synopsys Software Integrity Group, said the government shares some of the blame for the NSA exploit.

“It’s in every country’s interest to develop systems enabling offensive and defensive strategies to protect individuals and national services,” Trowell wrote via email. “There is no fault in that. If the NSA does have some blame to share in this situation, it is for allowing secrets to be exfiltrated — not in developing them.”

Jett said although the NSA exploit was stolen, “they didn’t create the vulnerabilities that allow for the malware to exploit devices.”

“As such, you can’t hold them responsible for the malware that has emerged from the EternalRomance exploit. Vendors whose products are vulnerable to EternalRomance are responsible for resolving the exploit problem,” Jett wrote. “Additionally, it has been more than a year since the NSA exploits were released, and vendors have created patches. It becomes incumbent on the users to make sure they are properly patching their software and reducing the threat surface for these exploits.”

Feds issue new alert on North Korean hacking campaigns

The FBI and the Department of Homeland Security released an alert on Tuesday regarding malware campaigns connected to a North Korean hacking group known as Hidden Cobra.

The alert, which includes indicators of compromise (IOCs) such as IP addresses, attributes two malware families to the North Korean government by way of Hidden Cobra: a remote access tool called Joanap and a worm known as Brambul, which spreads via Windows’ Server Message Block (SMB) protocol. Both malware families were first identified by Symantec in 2015 and were observed targeting South Korean organizations. Other cybersecurity vendors later attributed the two malware campaigns to the nation-state hacking group Hidden Cobra, also known as Lazarus Group.

However, Tuesday’s alert, which was issued by US-CERT, marks the first time U.S. authorities publicly attributed the malware families and their activity to North Korean hacking operations.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses — listed in this report’s IOC files — to maintain a presence on victims’ networks and enable network exploitation,” US-CERT said. “DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.”

The alert also claimed that, “according to reporting of trusted third parties,” Joanap and Brambul have likely been used by the North Korean hacking group since at least 2009 to target organizations in various vertical industries across the globe. The FBI and DHS didn’t identify those trusted parties, but the alert cited a 2016 report, titled “Operation Blockbuster Destructive Malware Report,” from security analytics firm Novetta, which detailed malicious activity conducted by the Lazarus Group.

DHS’ National Cybersecurity and Communications Integration Center conducted an analysis of the two malware families, and the U.S. government discovered 87 network nodes that had been compromised by Joanap and were used as infrastructure by Hidden Cobra. According to the US-CERT alert, those network nodes were located in various countries outside the U.S., including China, Brazil, India, Iran and Saudi Arabia.

The FBI and DHS attribution case for Brambul and Joanap represents the latest evidence connecting the North Korean government to high-profile malicious activity, including the 2014 breach of Sony Pictures. Last December, the White House publicly attributed the WannaCry ransomware attack to the North Korean government; prior to the U.S. government’s accusation, several cybersecurity vendors had also connected the WannaCry source code, which also exploited the SMB protocol, with the Brambul malware.

The US-CERT alert also follows tense, back-and-forth negotiations between President Donald Trump and North Korean leader Kim Jong Un regarding a U.S.-North Korea summit. Last week, Trump announced the U.S. was withdrawing from the summit, but talks have reportedly resumed.

VPNFilter malware infects 500,000 devices for massive Russian botnet

On the same day researchers reported a new modular malware system that infected at least half a million networking devices, the FBI seized a key domain that served as backup for the malware’s command and control infrastructure.

The new malware, known as VPNFilter, was found to be infecting small office and home office (SOHO) routers and network-attached storage (NAS) devices from several different vendors. Researchers at Cisco Talos discovered the malware and published their preliminary results before their investigation was complete to give users a better chance at protecting their interests from an attack they believed was sponsored or affiliated with a nation state threat actor.

“Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries,” wrote Cisco Talos threat researcher William Largent in a blog post. “The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols.”

In addition to these threats, the researchers determined that VPNFilter also “has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”

Cisco Talos said the VPNFilter malware “is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.” The first stage of the malware is persistent on the internet of things devices it infects and provides a mechanism for the second stage of the malware to be deployed. Stage two of the VPNFilter malware persists only in memory and can be mitigated by rebooting the affected system, but removing the first stage of the infection is more difficult.

The primary means of delivering stage two of the VPNFilter malware is through IP addresses identified in EXchangable Image File (EXIF) metadata for images stored on the Photobucket website.

Researchers determined that the VPNFilter command and control (C&C) infrastructure used a backup domain, “toknowalI.com,” to deliver the second stage of malware to infected devices if the primary means of identifying the C&C server is unavailable. By sinkholing the botnet C&C server — redirecting traffic from infected botnet devices to the C&C controller — the FBI was able to reduce the threat from the campaign.

Justice Department steps in

Seizure of the domain was put into effect after the U.S. Attorney’s Office for the Western District of Pennsylvania obtained court orders authorizing the FBI to seize the domain used by the VPNFilter malware’s command-and-control infrastructure.

John Demers, assistant attorney general for national security, said in the Justice Department announcement that “This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities.”

The Justice Department attributed the attack to the Sofacy Group, which is also known as APT28, Pawn Storm, Fancy Bear and other aliases.

About the VPNFilter malware

Cisco Talos reported vendors were affected by VPNFilter, including Linksys, MikroTik, NETGEAR and TP-Link SOHO routers and networking equipment as well as QNAP network-attached storage (NAS) devices.

The researchers cited the resemblance of the malware to the BlackEnergy malware that targeted devices in Ukraine in previous campaigns, and indications that the new malware was attacking systems in Ukraine at “an alarming rate” with a C&C infrastructure “dedicated to that country.”

Cisco Talos recommended that device owners reboot their devices, reset them to factory settings, and download and install the most recent patches for the devices. The Justice Department noted that while “devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.”

Cryptomining, ransomware are top malware in 2017

Cryptomining, using tools to hijack a user’s CPU to mine cryptocurrency; ransomware and mobile malware continued to plague enterprises in 2017, according to a top malware report issued by Check Point Software Technologies Ltd.

The report, which investigated the top security issues facing enterprises in the last half of the year, said 20% of organizations were infected by cryptomining malware that in some cases can diminish CPU processing by more than half.

Check Point, based in San Carlos, Calif., also said in its top malware report that attack vectors shifted during the last half of the year, with infections based on the Simple Mail Transfer Protocol eclipsing those on HTTP. The increase — from 55% during the first half of 2017 to 62% after July — reflected the number of skilled hackers targeting vulnerabilities in documents, particularly Microsoft Office.

Mobile attacks, meantime, became more nefarious. The Check Point top malware study found that enterprises are now becoming vulnerable to threats either launched by mobile devices or through mobile malware such as Switcher.

“The second half of 2017 has seen cryptominers take the world by storm to become a favorite monetizing attack vector,” said Maya Horowitz, Check Point’s threat intelligence group manager, in a statement. “While this is not an entirely new malware type, the increasing popularity and value of cryptocurrency has led to a significant increase in the distribution of crypto-mining malware. It’s clear that there is still a lot that organizations need to do to fully protect themselves against attacks.”

Check Point based its second-half top malware report on its ThreatCloud intelligence service, which holds more than 250 million addresses analyzed for bot discovery and 11 million malware signatures.

Broadcom releases SDK for ASICs

Broadcom Ltd. issued an open source software development kit, or SDK, to enable developers to customize their use of Tomahawk switch silicon in their operations.

The first version of the kit, dubbed SDKLT, is based on the BCM56960 Tomahawk switch, used within top-of-rack switches and fabric designs. The open source code is downloadable from GitHub, with the associated logical table APIs available through an Apache 2.0 license, Broadcom said.

The SDKLT uses a logical table approach to simplify how developers add features to the switch silicon. All device physical resources, such as media access control address tables, Layer 3 route tables and other functions, are presented within logical tables instead of proprietary function calls, Broadcom said.

“The SDKLT brings a fresh, state-of-the-art software development approach to the broader community of network software developers where they can now fully and directly control and monitor the rich switch feature set optimized for SDN and cloud use cases,” said Ram Velaga, Broadcom’s senior vice president and general manager of switching products, in a statement.

Broadcom’s move follows a similar initiative by Barefoot Networks, which in 2016 released Tofino, a family of switches that can be customized through P4, an open source consortium with more than 60 members.

F5 launches training for app development

F5 Networks has introduced a new training program aimed at speeding up the time it now takes for enterprises to ramp up new applications and services.

The initiative, called Super-NetOps, is focused on enabling engineers and developers to deliver applications through a service model rather than a traditional, ticket-driven approach, Seattle-based F5 said.

By standardizing critical application services and basing how they’re developed through automated toolchains, F5 said applications can go live within minutes.

“Super-NetOps will help network operations professionals build on their decades of experience deploying, managing, maintaining, and securing applications and equip them to deliver the automation and agility needed by DevOps teams,” said Kara Sprague, F5’s senior vice president and general manager, in a statement.

The online course, which is free, will debut with two modules covering DevOps methodologies and the concepts of automation, orchestration and infrastructure as code. Future modules will include training about agile methodologies, application language frameworks and how to deploy third-party automation toolchains.

Okiru malware puts billions of connected devices at risk

A new variant of the Mirai malware puts ARC processors at risk of being exploited.

The Mirai variant, known as Okiru, is the first malware that is able to infect Argonaut RISC Core (ARC) processors, according to a researcher known as unixfreaxjp at the malware security group MalwareMustDie.

ARC processors are used in a wide range of internet-of-things (IoT) devices, such as cellphones, televisions, cameras and cars.

It’s thought that there are approximately 1.5 billion devices worldwide with ARC processors in them that could be vulnerable to Okiru.

In 2016, Mirai malware was used to create a botnet of 100,000 IoT devices that caused a series of problems, such as shutting down domain name system (DNS) provider Dyn.

However, in a tweet, security researcher Odisseus warned that Okiru could have a bigger impact than Mirai.

“The landscape of Linux IoT infection will change,” Odisseus said.

A Mirai malware variant called Satori, which was uncovered in December 2017, took down hundreds of thousands of Huawei routers. Satori was also sometimes called Okiru, but the two have significant differences, according to Security Affairs’ Pierluigi Paganini.

Okiru’s configuration is different because it “is encrypted in two parts,” but Satori’s is not, Paganini wrote in a blog post. “Also Okiru’s telnet attack login information is a bit longer,” Paganini explained, noting that the login information can be up to 114 credentials, but Satori has a “different and shorter database.”

At the time of this writing, the detection ratio on VirusTotal was 29-58. When Odisseus tweeted about the botnet threat earlier this week, it was only at 5-60.

In other news:

  • Google launched a new tool for enterprise security called G Suite Security Center. The tool will be available to G Suite Enterprise users and is automatically accessible in the admin console. In a blog post, Google stated the three objectives of the security center are to show a “snapshot” of security metrics, to help enterprises stay ahead of security threats and to recommend ways for enterprises to improve their security posture. “We want to make it easy for you to manage your organization’s data security,” Google product managers Chad Tyler and Reena Nadkarni wrote in a blog post. “A big part of this is making sure you and your admins can access a bird’s eye view of your security — and, more importantly, that you can take action based on timely insights.” The security center will consist of a dashboard that shows the security metrics and the “security health” recommendations.
  • A team of researchers discovered a way to hack the Android Pixel phone. The exploit involves combining two separate vulnerabilities. The first, which Google patched in September 2017, is a type confusion flaw in the V8 open source JavaScript engine. The second vulnerability is a privilege escalation flaw in Android’s libgralloc module. Google patched that one in December 2017. However, security researchers were able to exploit both vulnerabilities to inject arbitrary code into the system_server process. All they had to do to make the exploit successful was get the targeted user to click on a malicious link in Chrome. The research team received a total of $100,000 from Google for the find, through both the Android Security Rewards program and the Chrome bug bounty program.
  • The Internet Systems Consortium (ISC) put out a security advisory warning of a vulnerability in the Berkeley Internet Name Domain (BIND) DNS software. The vulnerability, with severity ranked “high,” was remotely exploitable and reportedly caused some DNS servers to crash. “BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in its advisory. The vulnerability was found in BIND versions 9 and later, but not in earlier versions, so the ISC advised users to upgrade to the latest version. There have been no known active exploits, but the advisory stated that “crashes due to this bug have been reported by multiple parties.”