Posts

IoT Reaper Ransomware

New Ransomware on the loose

IoT Reaper Ransomware

New extremely large Botnet is being built – Nicknamed IoTroop or IoT Reaper

Remember Mira? The worm that prayed on unsecure IoT devices. It managed to spread and gain control using quite a simple method to gain entry – reusing the hard-coded or default password for IoT devices which were well-known by then, and the spreading was done via the EthernalBlue SMB exploit.

Now security researchers at CheckPoint and NetLab360 claim there is a new botnet being formed (called IoTroop or Reaper). This time the methods used to gain unauthorized entry are more sophisticated – no more trying to exploit traditional hardcoded and default password or to brute-force easy passwords, the Reaper malware tries to exploit different known vulnerabilities that IoT and home network devices have (more than 12 different popular vendors including Linksys, Netgear, D-Link, AVTECH and GoAhead have numerous vulnerabilities already discovered, list and links in the related articles below). The Reaper code constantly evolves, the guys behind it seems to add new exploits into the code based on new vulnerabilities being published openly on the Internet.

Another key difference between Mirai and Reaper is that as Mirai was extremely aggressive in scanning and trying to hop between network and infect other systems (which makes it easily detectable by security controls), the Reaper is stealthier in its way of spreading and tries to stay under the radar for as long as possible.

The likelihood of a successful exploit is quite high due to the fact that traditional home users do not tend to pay much attention to security and are very likely not to have patched their devices.

All sources claim this new botnet will be much bigger and stronger than Mirai – The NetLab360 researchers are claiming the C2 communication they see confirms more than 20k bots per control server and they have estimated more than 2 million vulnerable devices out there that are ripe for the infection. There is a great possibility the total number of bots can swell quite heavily in the coming weeks.

What is at stake here? How will this botnet be used?

At this stage, it is still very early to predict how this botnet will be used but most likely DDoS attacks are on the roadmap – the previous smaller Mirai successfully managed to do a DDoS with more than 1Tbps of traffic (both to Dyn internet infrastructure giant which brought down many popular web services down and French hosting company OVH).

IoT general security problems

The problems with IoT is the inherited lack of security (saying inherited because manufactures do not take security into account when building the devices) and the ever-growing number of IoT devices being deployed by users who are not savvy in networking or security best-practices (changing of default passwords, patching, lowering the attack surface). These two large issues combined with the large number of devices out there (the trend is more and more IoT devices to be manufactured and connected online) really poses quite a large security threat to the Internet community.

Some good news:

Different efforts to secure IoT devices are on the roadmap, US lawmakers are trying to pass a legislative action into forcing hardware IoT manufactures to start taking security into account and not spill out junky unsecure devices.

Also, some of the creators and botnet administrators of the Mirai, have now been arrested and expecting trial and effective sentences. This clearly shows there will be consequence for all actions related to running a botnet and malicious cyber behavior, this must be a deterrent for any future black-hats out there.

New ransomware on the loose

Remember WannaCry and Nyatya, aka NotPetya (a variant of Petya) ransomwares. There is a new one around the corner (initial spotting is on the 24th Oct), again spread predominately in the East Europe (Ukraine, Poland, Bulgaria) and Russia but also in Japan, Germany, South Korea and the USA. It is a changed version of NotPetya. It uses usually a drive-by download on hacked sites to trick the user to run a fake Flash Player installer. The horizontal spread within the compromised network this time is NOT based on the EthernalBlue SMB exploit, but Bad Rabbit uses an open tool MimiKatz to try to extract any login credentials on the infected machine and reuse them to spread itself via legit Windows management protocols such as WMI and SMB to other devices. It also uses a hard-coded list with most commonly used passwords to try to brute-force credentials access.

Most current antivirus and endpoint protection software will detect Bad Rabbit and there is a known Windows Registry based vaccination that can prevent a machine from getting infected, but Bad Rabbit shows the ransomware trend is still strong and not likely to quiet down anytime soon.

Relevant articles:

https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

https://4cornernetworks.com/nyatya-wiper-malware-disguised-ransomware/

https://4cornernetworks.com/wannacry-crypto-virus-outbreak/

https://securelist.com/bad-rabbit-ransomware/82851/

Nyatya Wiper Malware

Nyatya – a Wiper Malware disguised as Ransomware

Nyatya Wiper Malware

A new malware Nyetya (combination of words from Nye Petya, meaning NOT Petya), also known as Petrwrap and GoldenEye has been spreading globally over the last 24 hours.

This virus is distinct from WannaCry and other initially suspected variants, it has some unique new features which makes it harder to detect and defend against, clearly showing that today’s malware landscape is an evolving space. This rapidly changing threat landscape has a number of factors including; leaked tools from government agencies, more advanced security controls that require advanced malware (the cat and mouse game) or just because attackers are more determined and more capable.

Other popular researchers (links below) say Nyetya is more of a nation (state) attack towards a specific country (Ukraine) that is disguised as ransomware so its true nature would remain hidden in the shadow of recent WannaCry ransomware.

Some Characteristics of Nyetya and why it is different

  1. There is recent research that showed Nyetya, despite having major resemblance to Petya ransomware, in fact does not keep a copy of the encrypted MTL (Master File Table) and MBR (Master Boot Record) that it replaces with the random note. That means that even in the case that the user gets its decryption keys there is nothing to decrypt. This behavior resembles specific type of malware called Wiper Malware. All machines that are infected cannot be recovered. Also, the email for contract with the attackers is now disabled so there is no possibility for getting the decryption keys. Obviously, the attackers have not intended to milk the ransom and get rich for their efforts.
  2. It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) were encrypting specific file extensions
  3. It does not use a common attack vector from the Internet

It does not infect by scanning ports for vulnerable services, nor uses phishing (mails with crafted content with specific covert malware links), nor file attachments or web sites that host malicious content. Instead the initial way in was via an update in a polular accounting software in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once it is inside it uses the Eternal Blue (SMBv1) exploit to spread (same as WannaCry) but also two other administrative tools (PSexec and WMI) which in general are valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user’s token and use it to distribute itself to other devices via PSexec (still unclear how it is able to steal the token) or again to steal the current user credentials and use them via WMI.

  1. No external Internet scans

There is no evidence of external scans (from the internet) in order to locate unpatched SMB services. The only scans that the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect as most organisations do not have visibility within their network for such activity

  1. No Command and Control functionality

The virus does not use C&C so any reputation based security controls cannot detect it. IP addresses/domains reputation is widely used to detect zero-day attacks and to monitor the spread of the virus. That does not seem feasible protection from Nyetya

  1. Special attention has been paid to cleaning up any remaining data and logs

All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.

Protecting yourself from the attack

A short summary of techniques necessary to protect against the attacks are listed below. These cannot be undertaken in isolation and it is assumed that good security practices are already in place such as disaster recovery strategy as well security control such anti-malware controls.

  1. Patch your systems (MS17-010 should be applied), close off any SMBv1 services (disable)
  2. Do not use admin/elevated privileged accounts for normal users
  3. Monitor your network and endpoints for PSexec and WMI communication and try to establish if that is valid communication (could be based on which one the administrators use and also the time of the day)
  4. Monitor your internal network segments using an IDS/IPS

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation based or email and web security controls, neither would have been effective in this instance. An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyse the behaviour of executable files on the system and perform sandboxing.

IDS/IPS network controls are able to catch lateral scans and spread via SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain).  The most common IDS/IPS deployment model is on the Internet edge, as this malware does not use external scans or gets distributed via normal Internet related channels (mail and web) these controls are not effective.

Following general security best practises is also beneficial – having backup of important systems/files, having proper application visible monitoring on the network and trying to detect unusual behavior, that of course requires both the tools and the people (analyst).

Used materials:

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html

https://www.wired.com/story/petya-ransomware-ukraine/