Security Weekly 12: Fighter Against WannaCry Arrested in the US, Svpeng Got a Keylogger, Cisco Released Patches to 15 Vulnerabilities
What do we know about Marcus Hutchins? Surprisingly little. Before the WannaCry story nobody had heard of him, but then he became famous for a brilliant move with the kill-switch domain. He dug through the Trojan's code, found a self-destruct mechanism that triggered on receiving a response from a certain domain, registered that domain (it cost him just $10) and managed to significantly slow down the WannaCry epidemic.
He lives in the UK and works for the company Malwaretech. Judging by his site, Marcus has been reversing malicious code since 2013 and publishes good research. He recently launched a public botnet tracker where you can see the activity of the most famous botnets. All in all, it gives the impression of a young, promising "white hat".
- The young talent came to Las Vegas, where the Black Hat and Defcon conferences were taking place. And then it turned out that he was wanted by the district court for the Eastern District of Wisconsin, with quite serious charges to his name. The indictment contains six counts against Marcus. All of them boil down to the claim that Marcus Hutchins, together with an unnamed person, is responsible for creating and distributing the banking Trojan Kronos.
- Kronos was first spotted on the darknet in 2014, when its authors opened pre-orders at $7000. The price was apparently too high, since after release it was sold for $3000, and in 2015 it was going for $2000. On YouTube, by the way, there is a video advertising Kronos, supposedly filmed by Hutchins' accomplice.
- Like other banking Trojans, Kronos relies on web injection into online banking pages. The victim logs into the online banking system to check a balance or pay for something, and the Trojan adds a couple of extra fields to the login page, for example the answer to a secret question and the card PIN. This is on top of the login and password that Kronos intercepts with its keylogger.
- Kronos has a curious feature: a user-mode rootkit. It is meant to conceal the very fact of infection, but it cannot hide from modern antivirus. So, according to the conclusions of colleagues at IBM, Kronos needs it to defend against other banking Trojans, which remove any competitors they find on the machine.
It turns out that, according to US law enforcement, this is how Hutchins earned his living, at least in 2014-2015. Whether the accusations are fair is for the court to decide, but on the whole the story is quite plausible. Not all "white hats" and their "black" counterparts stick to their side on principle; some, like corrupt cops ("werewolves in epaulets", as the saying goes), try to succeed on both sides at once. However, only one of those sides offers quiet sleep at night and free movement around the world.
Svpeng Got a Keylogger
One of the mobile banking Trojans, Svpeng, has received a new feature. Not that a keylogger is anything new for Trojans, but Svpeng had not indulged in one before, and among Android banking Trojans intercepting keyboard input is not considered necessary. To intercept the login, password and SMS code it is enough to draw a phishing interface over the interface of the banking application. But the authors of Svpeng apparently decided to broaden its scope: now it also spies a little on other applications.
Interestingly, the keyboard input is intercepted through Android's so-called accessibility services, the functions that make a smartphone easier to use for people with disabilities.
Besides data theft, the accessibility services help the Trojan obtain device administrator rights and prevent them from being revoked. Svpeng also refuses to let admin rights be granted to other applications, so if the victim later wakes up and decides to install an antivirus after infection, it will not help much.
This junk spreads through infected sites under the guise of a fake Flash Player and works up to and including the newest version of Android. Better not install it, even if the site promises you a very hot Flash video.
Cisco Released Patches to 15 Vulnerabilities
Cisco is one of the vendors that actively works on the security of its own products and even some third-party ones. This in itself is commendable and useful for the industry, but in the case of this remarkable company, the popularity of its solutions plays a cruel trick on it. Since Cisco gear is everywhere, everyone is interested in breaking it.
- This time the company patched more than a dozen products at once. Two of the closed vulnerabilities can cause an admin serious pain. A DoS vulnerability in VDS (an appliance that supports a virtual infrastructure for video broadcasts) allows, as you might guess, bringing down that very VDS by sending a lot of traffic to it. The tactic is understandable, nothing tricky, but generally the device should not reboot under such conditions. After the patch it won't, if you believe Cisco.
- The second victim was ISE, a system for controlling access to the corporate network. Here it is about simply getting superadmin rights for free. The problem is that the system incorrectly processes external authorization requests and confuses the policies for external and internal users. An attacker can log into the network from the outside under an external user name that matches the name of an internal user and obtain that user's access rights.
- Another bug, hard to exploit but potentially tasty, allows changing some parameters in the link-state database of a Cisco router. The attacker sends specially crafted OSPF type 1 LSA packets, thereby changing the routing table, and can potentially intercept or black-hole traffic on some connections. All this works on devices that support the OSPF protocol and does not affect the FSPF protocol.
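To make the ISE policy-confusion bug concrete, here is an added illustration (not Cisco's code, and not a description of ISE internals): a toy access-control lookup with separate internal and external identity stores, showing why authorizing on the bare username leaks the internal user's role, and the fix of keying on the identity source as well. The directory entries and usernames are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical identity record: which store the user was authenticated
# against, the username, and the role the policy assigns.
@dataclass(frozen=True)
class Identity:
    source: str      # "internal" or "external" identity store
    username: str
    role: str

# Constructed sample directory: the same username exists in both stores.
DIRECTORY: List[Identity] = [
    Identity("internal", "jsmith", "superadmin"),
    Identity("external", "jsmith", "guest"),
    Identity("external", "vendor1", "guest"),
]

def authorize_vulnerable(username: str) -> Optional[str]:
    """Buggy variant: matches on the username alone, so an external login
    for 'jsmith' is granted the internal record's role (first match wins)."""
    for ident in DIRECTORY:
        if ident.username == username:
            return ident.role
    return None

def authorize_fixed(source: str, username: str) -> Optional[str]:
    """Corrected variant: the identity source the request was authenticated
    against is part of the lookup key, so external and internal policies
    never mix even when usernames collide."""
    for ident in DIRECTORY:
        if ident.source == source and ident.username == username:
            return ident.role
    return None

def demo() -> dict:
    """Returns the outcome of each lookup so the difference is checkable."""
    return {
        "vulnerable_external_jsmith": authorize_vulnerable("jsmith"),
        "fixed_external_jsmith": authorize_fixed("external", "jsmith"),
        "fixed_internal_jsmith": authorize_fixed("internal", "jsmith"),
        "fixed_unknown_user": authorize_fixed("external", "nobody"),
    }

if __name__ == "__main__":
    for check, role in demo().items():
        print(f"{check}: {role}")
```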