Reaper Botnet Dwarfs Mirai

Mirai-botnet-diagram-1


By this point everyone and their mother has heard of the botnet dubbed ‘Mirai’, an infamous botnet infrastructure from last year that managed to take down a good chunk of the internet by attacking Dyn, a DNS provider. Well as of this September, weak passwords might have become the least of your worries if you’re like 60% of Check Point’s ThreatCloud covered corporations, and have un-patched vulnerabilities on your network.

Dubbed Reaper, or IOTroop by some, a new IoT botnet is propagating, and shows no sign of slowing down. Today, researchers have ruled out the possibility that Mirai and Reaper are connected, at least on a technical level, due to the superiority that Reaper has displayed in its intrusion and propagation techniques. Whereas Mirai was spread through the exploitation of default passwords across IoT devices, Reaper utilizes a specialized strand of malware that exploits well known vulnerabilities (such as those present in many printers and IoT toasters) to gain entry to a device, and further uses that device to spread itself to others connected.

With near exponential growth, Qihoo 360 Netlab witnessed approximately 2 million newly infected devices waiting to be processed by a C&C server, of which there are several that have thus been identified. The best thing that any concerned corporation or user can do at this point in time, would be to ensure that every machine on their network has updated firmware, and software in an attempt to limit the spread of this variable plague infecting IoT networks worldwide.

Currently, it appears as if we all might be witnessing a ‘calm before the storm’, situation, with this botnet ramping up massively in numbers and, according to Check Point, updating its capabilities on a daily basis. What else can I say but stay safe, and brace for impact, as when this thing hits, it’ll make the Dyn attack look like a birthday party.

– Kenneth Nero

Sources: Here, and Here, also Here

Advertisements

Encryption system used to exploit protected Wifi networks

Everyone knows that they could be a potential target for cyber-crime; as it often appears in the news almost every day. But just how vulnerable is an individual? CERT recently made a statement about how your Wifi network could be exploited if proper precautions are not taken.

On October 16th, 2017, the Computer Emergency Readiness Team made an announcement that addresses the protection of your sensitive information. In short, its advice is to update all your devices when security advancements are available. The reason for this is that a widely used encryption system used on wireless networks can lead to a breach of your credit card information, emails, passwords, etc.

Essentially, the system allows a hacker to gain access to the internet traffic that occurs between computers. Once in, the hacker can manipulate the data that is recovered. Depending on the target’s network configurations, it is even possible for the attacker to inject malware into the network. The unsettling part about this encryption system is that it has the capability of effecting a very wide range of devices including Android, Apple, Linux, and Windows.

Companies such as Intel, Microsoft, Google, and Apple have heeded this advice and have released updates that will help protect people with their devices from this issue.

– Jared Albert

 

Vulnerabilities in systems without updated EFI

Recently there has been a study done. A company by the name of “Duo” has been analyzing the firmware in many models of Apple computers. What they had found is that while the OS may have been up to date, in some cases the computers EFI firmware was not. Duo’s reasoning behind using Apple products was that Apple themselves handle everything, from the software, to the hardware, and everything in between. This is not to say that the issue doesn’t occur on windows systems.

Actually, it might even be worse due to the fact that most windows systems use parts from other manufacturers. This essentially means that unless you update the firmware yourself you probably will not be receiving updates for it. On the other hand an Apple computer is usually set to install EFI firmware updates as the operating system updates. However, the problem has become when that doesn’t happen.

I’ve been going on about EFI and that it probably isn’t being properly updated on the systems, but what is it? EFI, or Extensible Firmware Interface, is a type of firmware. Firmware is a type of software that is fully independent from the operating system and can perform many tasks. The first and foremost job of EFI is to get your system up and running, though it can take on other roles like remote diagnostics to fix problems on a computer without anyone being present at the physical device.

So, what can be done by an attacker if your EFI isn’t up to date? Well, in an Apple system there are a few attacks that come to mind. The first being Thunderstrike. Basically what Thunderstrike allowed an attacker to do was flash a new EFI in place of the current Apple firmware version. This allowed for the attacker to have control of many aspects of the system without the user realizing it or being able to remove it. This mode of attack required physical access to one of the machines thunderbolt ports in order to write the new boot ROM. Later, Thunderstrike 2 came around. This did basically the same thing, except that the attacker could do it remotely.

Who is at risk? On average about 4.2% of the systems Duo analyzed had the wrong EFI version for their respective models. That doesn’t sound like a lot, but given the vast user base of Apple products this is actually quite a lot of systems. It also depends on the model you have. Some are more likely to have the wrong version over others. Duo released a table of Mac models that are likely to not have the correct firmware version.

Mac Model Version Number
iMac iMac7,1; iMac8,1; iMac9,1; iMac10,1
MacBook MacBook5,1; MacBook5,2
MacbookAir MacBookAir2,1
MacBookPro MacBookPro3,1; MacBookPro4,1; MacBookPro5,1; MacBookPro5,2; MacBookPro5,3; MacBookPro5,4
MacPro MacPro3,1; MacPro4,1; MacPro5,1

If your device is listed in this table then it has the potential of not having the correct version of EFI firmware or the firmware may have never been updated at all.

The bottom line is that EFI is just important to keep up to date as our operating systems, but most of us don’t even realize that it’s an issue. It doesn’t generally affect system performance so we generally don’t even think about it. In the world of Apple consumers this shouldn’t be a problem, seeing as the newest updates were supposed to fix the issues of EFI patches not being installed. However if you are on a Windows, Linux, or any other type of system, you may want to update your EFI firmware. In most cases this comes as a BIOS update for your motherboard.

Duo analyzed about 73,000 real world Mac systems, only using systems with updates that had been released within the last three years.

–Brett Segraves

Duo also has their study publicly available in PDF format.
Duo Labs Report: The Apple of Your EFI

Sources:

Duo Apple of your EFI Security Research
Wired: Critical Code in Millions of Macs isn’t getting Apple’s Updates
Info-Security: Many Patched Macs Still Vulnerable Via EFI Issues

A More “Intimate” IoT Issue

As humans get more attached to technology, it appears that we also get more detached from reality and those around us. The meaning of interpersonal relationships gets foggier as our practical need for face-to-face interaction is lost. But the loss of the practicality of it in day-to-day life does not mean that humans do not desire personal relationships. To be more specific, the human desire for a romantic relationship does not dwindle even as our desire to go out and create one does. Some would say that a solution to this issue would be, gently put, robotic escort services.

Whether these robotic prostitutes are for hire or are personally owned is beyond the scope of this discussion. As is whether this is a good direction for humanity to go in. The issue to be discussed is much graver than that.

As the IoT grows more populous with frivolous devices, one cannot help but come across articles stating the dangers of having these devices on the internet. Sure, hacking a toaster can allow you access to someones home network. And yes, a juice press that connects to World Wide Web seems more than a little bit silly. But they are merely pocket change when compared to the possibility of being killed by an IoT device. If during use, one of these sex robots was to be hacked it could be commanded to kill you. If this sounds ridiculous to you, I’m certain that you’re not alone. But Dr. Nick Patterson of Deankin University in Australia will have you know that this is not at ridiculous as it may seem.

“Hackers can hack into a robot or a robotic device and have full control of the connections, arms, legs and other attached tools like in some cases knives or welding devices,” Patterson says. “Often these robots can be upwards of 200 pounds, and very strong. Once a robot is hacked, the hacker has full control and can issue instructions to the robot. The last thing you want is for a hacker to have control over one of these robots. Once hacked they could absolutely be used to perform physical actions for an advantageous scenario or to cause damage.”

While an immediate threat is not thought to be present, it is certainly a consideration one should make before purchasing one of these machines in the future.

-Alan Richman

Sources: Patterson initially gave this information to the Daily Star in the United Kingdom. The given link is to the source with this information containing no graphic, explicit, or sexual imagery.

http://bgr.com/2017/09/11/sex-robot-hack-security-cyborg/

BankBots on the Google Play Store

 

c3452b27c92648ae7f8b3dab2dfee1cd

Image courtesy of SecurityLab.ru. Yes, it’s Russian.

“The Google Play store once again has been invaded with apps carrying BankBot.” The article, written by Bradley Barth for SC Magazine, starts off on a strong note. What catches my attention is the short phrase once again. That, however, is for another time. BankBots are on the rise again, and it’s spread to 160 apps across 27 different countries, according to Barth.

“What is BankBot,” an article on The Merkle, desribes BankBot’s as “Android Banking Trojans.” BankBot is a malicious campaign with an intent to attack us through convenience — banking apps. Once there was a time when the biggest threat to banks were physical robberies and stock market crashes. Nowadays, the Internet of Things is the biggest perpetrator of bank attacks.

With the shift towards total digital domination of our lives, banks have followed suit by developing downloadable apps for ease-of-access banking. Of course, these banks require legitimate credentials for use. BankBots take advantage of this fact, as well as the lack of attention by consumers to develop imitation apps that somehow evade all Google Play Store legitimacy checks. So, how easy is it to get into BankBotting? Buntinx of The Merkle feels as though anyone can get started in the business of malicious banking. Many well-known hacking forums (remaining unnamed for obvious reasons) have multiple easy-to-follow, step-by-step, baby’s-first-BankBot tutorials that anyone can follow, free of charge. Because of this, there isn’t just one type of BankBot; people are taking the base design and creating personalized copies that range in complexity and scope of attacks.

In the months of April, May, and June of 2017, 62 separate long-term BankBot campaigns were discovered and shut-down. This was only the first wave of mass-BankBotting. BankBots were found to be the first malicious banking Trojans able to work their way into many high-security banks, work internationally, bypass Play Store vetting, and have the ability to communicate to web-based backends. These Trojans also have the ability to hijack and intercept SMS messages. Well-known banking Trojans like ZeuZ and EDA2 are beginning to find themselves shadowed by the ability of the BankBot campaign.

This campaign only affects Android users using third-party or non-major banking apps. The only way to protect your banking credentials is using trusted apps and websites (or just stick to iOS).

-Ryan W. Moore, 21 September 2017

Sources:

https://www.scmagazine.com/more-bankbot-apps-sneak-into-google-store-uae-banks-added-to-malwares-targets/article/688379/

https://themerkle.com/what-is-bankbot/