
Repent, for the end is nigh! The streets are flooded with mad preachers carrying apocalyptic posters, an unusually huge blood moon rises over the horizon at night, and scientists who never got their Nobel Prize because their ideas were too radical vainly try to reach the authorities with their shocking discoveries. Something terrible is brewing. It is already close. Or maybe not.
Perhaps this time we got lucky and received a timely warning about the coming uprising of the Internet of Things. NewSky Security found a darknet forum thread in which black hats casually discussed the concept and implementation of an attack through CVE-2017-8225, which allows credentials to be pulled from Chinese IP cameras sold under many different brands. The two most active participants in the discussion eventually produced two scripts.
The first script searched for devices affected by CVE-2017-8225 in a very original way: using the Shodan Premium service. The second walks the list of IP addresses compiled by Shodan and extracts administrator logins and passwords from the devices.
Stop! A botnet that infects IoT devices. It sounds familiar: just recently, Check Point researchers warned about a similar botnet. According to their data, the monster called IoTroop had, as of October 19, 2017, already infected more than a million organizations. Not devices. Organizations. Unlike its predecessor Mirai, which got onto devices simply by trying popular logins and passwords from a dictionary, IoTroop is not limited to this: it spreads using vulnerabilities (mostly already known ones). But a vulnerability being known does not make it useless: according to the same Check Point, 60% of organizations use at least one IoT device with a known vulnerability, be it a security camera, a router or network storage.
Where is the connection? The thread in which the black hats talked included, among other things, a discussion of the difficulties of getting a shell on the attacked device. The hackers used a reverse shell: the device itself opens a connection back to the command-and-control server, to a port on which netcat is listening. Check Point found the same method while studying IoTroop, which lets us tie the participants in that discussion to the very million infected offices.
So far IoTroop has been spreading quietly, without conducting any active malicious activity. What the botmasters are waiting for is unknown: maybe they are building up strength, maybe they are looking for a generous customer. One thing is clear: when they get down to business, nobody will find it funny.
Sofacy attacks security researchers
The Sofacy group, also known as Fancy Bear, also known as APT28, was caught attacking a very specific group of security people: those interested in the CyCon cyber warfare conference organized by the NATO Cooperative Cyber Defence Centre of Excellence.
The bait file was a Microsoft Word document containing a dish cooked up from an announcement lifted from the CyCon site, seasoned with a cunning VBA script. This time there are no exploits: the victim opens the file, and a script runs that does not even think of going online. Instead, it climbs into document properties such as Subject, Company, Category, Hyperlink base and Comments, and extracts what looks like a meaningless jumble of characters from them.

In fact, it is not a jumble: it is a file encoded in base64 and split into several parts. The script collects and decodes the file, writes it to disk as netwf.dat and launches it with rundll32.exe. This file is a slightly modified Seduploader dropper, the same one previously used in Sofacy attacks.
The dropper, in turn, downloads the payload files netwf.bat and netwf.dll from the command server, and the VBA script sets the hidden attribute on them. The dropper launches the payload, which digs itself into the system. It can do more than enough: capture the screen via the GDI API, extract data and send it to the server, download and run files. The motives for this attack are unknown, but the focus on military information security specialists shows that the attackers were most likely interested in something other than money.
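For those who would rather check their own inbox than take our word for it, here is a small Python triage script for the staging trick described above. It is an added example written for this column, not code from the original article and not Sofacy's tooling. It reads the five properties out of a .docx, reassembles the base64 chunks and reports whether the result decodes to something with a PE header. Two things are assumed rather than taken from the article: the order in which the chunks are concatenated (Subject, Company, Category, Hyperlink base, Comments) and the sample payload, which is a constructed stand-in, not a real dropper. The script targets the OOXML (.docx) layout; a legacy .doc keeps the same properties in its SummaryInformation and DocumentSummaryInformation OLE streams, which would need a different reader.

```python
"""Added example (not from the article, not Sofacy's code): find a file split
across Word document properties, as described above.

Assumptions: the field concatenation order and the sample payload are
constructed here; the article gives neither. OOXML (.docx) only.
"""
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Word UI names; assumed reassembly order (not stated in the article).
# In OOXML, "Comments" is dc:description in core.xml; Company and
# HyperlinkBase live in app.xml.
FIELD_ORDER = ["Subject", "Company", "Category", "HyperlinkBase", "Comments"]

# A raw base64 chunk: base64 alphabet only, padding (if any) at the end.
B64_CHUNK = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_TOTAL_B64 = 64  # short words like "Report" fit the alphabet; ignore them


def read_properties(docx_bytes):
    """Pull the five fields from docProps/core.xml and docProps/app.xml."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            props["Subject"] = core.findtext(f"{{{NS_DC}}}subject") or ""
            props["Category"] = core.findtext(f"{{{NS_CP}}}category") or ""
            props["Comments"] = core.findtext(f"{{{NS_DC}}}description") or ""
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            props["Company"] = app.findtext(f"{{{NS_APP}}}Company") or ""
            props["HyperlinkBase"] = app.findtext(f"{{{NS_APP}}}HyperlinkBase") or ""
    return props


def triage(docx_bytes, order=FIELD_ORDER):
    """Join base64-looking properties in `order`, decode, and test for 'MZ'.

    Returns {"flagged_fields": [...], "payload": bytes or None, "payload_is_pe": bool}.
    """
    props = read_properties(docx_bytes)
    result = {"flagged_fields": [], "payload": None, "payload_is_pe": False}
    chunks = [props.get(f, "") for f in order]
    present = [c for c in chunks if c]
    # Every non-empty field must be pure base64 and the total must be file-sized.
    if not present or any(not B64_CHUNK.match(c) for c in present):
        return result
    joined = "".join(chunks)
    if len(joined) < MIN_TOTAL_B64:
        return result
    try:
        blob = base64.b64decode(joined, validate=True)
    except (binascii.Error, ValueError):
        return result
    result["flagged_fields"] = [f for f, c in zip(order, chunks) if c]
    result["payload"] = blob
    result["payload_is_pe"] = blob[:2] == b"MZ"
    return result


def split_payload(payload, order=FIELD_ORDER):
    """The staging side, constructed only to produce a test document:
    base64-encode a file and spread it evenly over the fields."""
    b64 = base64.b64encode(payload).decode("ascii")
    size = -(-len(b64) // len(order))  # ceiling division
    return {f: b64[i * size:(i + 1) * size] for i, f in enumerate(order)}


def build_docx(fields):
    """Write a minimal OOXML package carrying the given property values
    (constructed sample input; values must not contain XML specials)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        f'<dc:subject>{fields.get("Subject", "")}</dc:subject>'
        f'<cp:category>{fields.get("Category", "")}</cp:category>'
        f'<dc:description>{fields.get("Comments", "")}</dc:description>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS_APP}">'
        f'<Company>{fields.get("Company", "")}</Company>'
        f'<HyperlinkBase>{fields.get("HyperlinkBase", "")}</HyperlinkBase>'
        '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed stand-in for a dropper: a PE-looking header plus filler, not code.
FAKE_PAYLOAD = (b"MZ" + b"\x90" * 62
                + b"This program cannot be run in DOS mode.\r\n"
                + bytes(range(256)) * 2)

if __name__ == "__main__":
    malicious = build_docx(split_payload(FAKE_PAYLOAD))
    benign = build_docx({"Subject": "CyCon 2017 programme", "Company": "Acme Corp"})
    for name, doc in (("malicious", malicious), ("benign", benign)):
        r = triage(doc)
        print(name, r["flagged_fields"], r["payload_is_pe"],
              len(r["payload"]) if r["payload"] else 0)
```

The check is deliberately strict about what counts as a chunk: a property that contains spaces or punctuation outside the base64 alphabet is treated as ordinary metadata, and anything shorter than a few dozen characters is ignored, so a company name or a one-word subject does not raise a false alarm. If the real order of fields differs from the assumed one, the decoded bytes will not start with MZ; in that case try the other permutations of the five fields, since there are only 120.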
Of course, Petya! Well, who doesn't know him...
It turns out that the Bad Rabbit ransomware is a relative of ExPetr/NotPetya after all. Our analysts have confirmed the connection between the two attacks. First, both use similar hashing algorithms. Second, the same domains were used in both, and a clear relationship was found in the source code.
To spread Bad Rabbit, the hackers compromised a number of popular sites around the world and planted the Trojan on them. Visitors were offered a download of a new version of Flash Player (does anyone still fall for this?). The victims installed the ransomware themselves and even granted it all the rights it needed without so much as glancing at the UAC prompt.
Sites distributing Bad Rabbit
Just like ExPetr, Bad Rabbit retrieved credentials from the machine's memory and spread further across the local network using WMIC. At the same time, the authors took the lesson of the ExPetr campaign to heart: Bad Rabbit plays the ransomware part more convincingly, that is, it honestly encrypts data and sends the keys to a server, as if it really intended to decrypt anything...
One cannot help noticing that the campaign's authors have become very careful. As soon as security companies launched an investigation, the hackers immediately removed the malicious code from all the compromised sites.

Antiquities
Family "PC-FLU"
Dangerous resident viruses; infect .COM files in the standard way when they are launched or opened. Write their TSR copies at 9A00:xxxx without changing anything in the MCB blocks, which can cause the computer to hang. Apparently look for resident antivirus monitors in memory and try to bypass them. Intercept int 21h.
Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 42.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on your luck.