Security Weekly 24: The great IoT harvest is coming, Sofacy attacks security researchers, Bad Rabbit turned out to be a colleague of ExPetr
Perhaps this time we got lucky and received a timely warning about the coming uprising of the “Internet of things”. NewSky Security found a darknet forum thread in which “black hats” casually discussed the concept and implementation of an attack through CVE-2017-8225, which allows dumping credentials from Chinese cameras sold under many different brands. The two most active participants in the discussion eventually produced two scripts.
- The first script searched for devices with CVE-2017-8225 in a very original way: using the Shodan Premium service. The second script walks the list of IP addresses compiled by Shodan and extracts the administrator logins and passwords from the devices.
A botnet infecting IoT devices sounds familiar. Indeed, just recently Check Point researchers warned of a similar botnet. According to their data, a monster called IoTroop had already infected more than a million organizations as of October 19.
- Unlike the pioneer Mirai, which got onto devices simply by trying popular logins and passwords from a dictionary, IoTroop is not limited to this: it also spreads using vulnerabilities. And the fact that a vulnerability is known does not make it useless: according to the same Check Point, 60% of organizations use at least one IoT device with a known vulnerability, whether a security camera, a router or network storage.
The hackers use the reverse shell technique: the device sends an administrator session out to the command-and-control server, to a port on which a netcat installed there is listening. Check Point found the same technique in its study of IoTroop, which links the participants of the discussion to the million infected organizations.
So far, IoTroop has been quietly spreading without active malicious activity. What the bot makers are waiting for is unknown: maybe they are building up strength, or maybe they are looking for a generous customer.
Sofacy attacks security researchers
The Sofacy group, also known as Fancy Bear and APT28, was caught attacking a very specific group of people: security specialists interested in the CyCon cyber warfare conference, which is organized by the NATO Cooperative Cyber Defence Centre of Excellence.
The bait file was a Microsoft Word document containing text copied verbatim from the announcement on the CyCon site, spiced with a VBA script. This time there were no exploits: the victim opens the file and the script runs, but it does not go to the Internet at all. Instead, it reads the document’s property fields, such as ‘Subject’, ‘Company’, ‘Category’, ‘Hyperlink base’ and ‘Comments’, and extracts from them what looks like a meaningless jumble of characters.
That jumble is a file, base64-encoded and split into several parts. The script reassembles and decodes the file, writes it to disk as netwf.dat and launches it using rundll32.exe. The file is a slightly modified Seduploader, the one previously used in Sofacy attacks.
The dropper loads the payload files netwf.bat and netwf.dll from the command-and-control server, and the VBA script sets the hidden attribute on them. The dropper starts the payload, which takes root in the system. Its capabilities are more than enough: capturing the screen through the GDI API, extracting and sending data to the server, downloading and running files. The motives of this attack are unknown, but the focus on military information-security specialists shows that the intruders were after information, not money.
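A defender-side check for the staging trick just described, added here as an example and not code from the original post or from the attackers’ tooling: it opens a .docx, looks for long base64 runs in exactly the property fields named above (in their OOXML parts, docProps/core.xml and docProps/app.xml, where Word’s ‘Comments’ is stored as dc:description) and reassembles the chunks so an analyst can inspect what was hidden. The sample document, its field layout and the fake ‘MZ’ blob are constructed inline.

```python
import base64, binascii, io, re, zipfile
import xml.etree.ElementTree as ET

# Fields named in the write-up and the OOXML part storing each ("Comments" is dc:description).
WATCHED = [("docProps/core.xml", "subject"), ("docProps/core.xml", "category"),
           ("docProps/core.xml", "description"), ("docProps/app.xml", "Company"),
           ("docProps/app.xml", "HyperlinkBase")]
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # long run of base64 alphabet

def read_fields(docx_bytes):
    """Map (part, field) -> text for every watched metadata field present."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in dict.fromkeys(p for p, _ in WATCHED):
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                key = (part, el.tag.split("}")[-1])          # strip XML namespace
                if key in WATCHED:
                    found[key] = (el.text or "").strip()
    return found

def suspicious_fields(docx_bytes):
    """Fields whose value is a long base64 run: a likely payload chunk."""
    return [k for k, v in read_fields(docx_bytes).items() if B64_RE.match(v)]

def recover_blob(docx_bytes):
    """Join the chunks in WATCHED order and decode them for analysis; None if not base64."""
    fields = read_fields(docx_bytes)
    joined = "".join(fields.get(k, "") for k in WATCHED)
    try:
        return base64.b64decode(joined, validate=True) if joined else None
    except binascii.Error:
        return None

def build_sample_docx():
    """Constructed lookalike: fake 'MZ' blob (not an executable) split across the fields."""
    b64 = base64.b64encode(b"MZ" + bytes(range(256)) * 2).decode()
    c = [b64[i:i + 150] for i in range(0, len(b64), 150)]       # exactly 5 chunks
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:title>CyCon 2017</dc:title><dc:subject>{c[0]}</dc:subject><cp:category>'
            f'{c[1]}</cp:category><dc:description>{c[2]}</dc:description></cp:coreProperties>')
    app = ('<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/'
           f'extended-properties"><Company>{c[3]}</Company><HyperlinkBase>{c[4]}</HyperlinkBase></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

On a real document the recovered blob is what you hand to a sandbox or disassembler; a benign file has short, human-readable values in these fields and produces no hits.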
Bad Rabbit turned out to be a colleague of ExPetr
The Bad Rabbit ransomware turned out to be a colleague of ExPetr/NotPetya. Our analysts confirmed the connection between the two attacks. First, both have similar hashing algorithms. Second, they used the same domains, and a clear relationship was found in the source code.
- To spread the rabbit, the hackers compromised a number of popular sites around the world and planted the Trojan on them. Visitors were offered a download of a new version of Flash Player. The victims installed the encryptor themselves, granting it all the necessary rights without balking at the UAC prompt.
Just like ExPetr, Bad Rabbit retrieved credentials from the computer’s memory and crawled further along the local network using WMIC. At the same time, the authors took the lesson of the ExPetr campaign into account: Bad Rabbit plays the ransomware role more convincingly, that is, it encrypts data and sends the keys to the server as if it really intends to decrypt something.
It should be noted that the authors of the campaign have become very cautious. As soon as security companies started investigating, the hackers removed the malicious code from all the compromised sites.