Solved

Mitigation against sneakerware

Posted on 2015-02-21
Last Modified: 2016-03-23
Q1:
What are the mitigation measures against the sneaky-ware below?

Q2:
Is AV or IPS more relevant in mitigating against it?

Q3:
Is DDoS mitigation (using clean-pipe etc.) effective?

=================================================

Super-sneaky malware found in companies worldwide

A shadowy hacking group has infected computers at companies, universities and governments worldwide with the sneakiest malware ever. The mysterious group, which researchers nicknamed "the Equation group," uses malware that's unusually quiet, complex and powerful.

The Equation group also appears to have ties to Stuxnet, the computer worm that sabotaged Iran's nuclear enrichment program in 2010 and was later revealed to be a joint U.S.-Israeli project. Malware attacked Windows computers, Macs and even iPhones.

Security researchers have documented 500 infections by the Equation Group and believe that the actual number of victims likely reaches into the tens of thousands because of a self-destruct mechanism built into the malware. They have also reportedly uncovered state-created spyware hidden in the hard drive firmware of more than a dozen of the largest manufacturer brands in the industry, including Samsung, Western Digital, Seagate, Maxtor, Toshiba and Hitachi.

These infected hard drives would have given the cyber criminals persistence on victims' computers and allowed them to set up secret data stores on the machines, which are only accessible to the malicious hackers. One of the most sophisticated features of these notorious pieces of hacking tools is the ability to infect not just the files stored on a hard drive, but also the firmware controlling the hard drive itself. The malware is hidden deep within hard drives in such a way that it is difficult to detect or remove it.

The campaign infected tens of thousands of personal computers with one or more of the spying programs in more than 30 countries, with most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

The targets included government and military institutions, telecommunication providers, banks and financial institutions, energy companies, nuclear researchers, mass media organisations, and Islamic activists among others.

Security researchers are calling the malware the "ancestor" of Stuxnet and Flame, the most sophisticated and powerful threats that were specially designed to spy on and sabotage ICS and SCADA systems.

For the original news, kindly go to: http://thehackernews.com/2015/02/hard-drive-firmware-hacking.html

Potential Impact

- Infection of files stored on the hard drive as well as firmware
- Data exfiltration
- Network mapping
- Malware that cannot be detected and is difficult to remove
- Secret data stores set up on the machines which will only be accessible to malicious hackers
Question by:sunhux
6 Comments
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 80 total points
ID: 40623143
Q1: Up to date AV.  Or you could disable external USB ports but that could impact the functionality of the computer.

Q2: IPS won't really help since the virus or malware is being introduced internally.  Although, I suppose you could have all internal traffic go through IPS as well.  But that seems like a kludge.

Q3: I don't think so, as this doesn't appear to be a DDoS attack.
 
LVL 61

Accepted Solution

by:btan
btan earned 320 total points
ID: 40623663
(at least to me) sneakerware is just another combination of the malware families with a mixture of spyware, RAT and rootkit capabilities - in short, it can be any stealthy APT type of attack like the Equation group shared. They are not the street kiddies or the opportunistic ones just going for one single kill of curiosity or simply towards identity theft.

As with all APT-type groups, they focus very much on in-depth research, further recon, penetrate into lateral movement in the target's internals, quickly surface known vulnerabilities, and exploit them using their "precious" or "customised" zero-day exploits (unknown), finally persisting with multiple channels to their callback mothership with exfiltrated "goldmine" and more trait information on victim architectures, management plans, etc. They are proxy aware and likely to be from a cluster of known APT groups and highly likely state-sponsored groups, based on the "commonly" pointed-to ones like the US, UK, Russia and China. You can easily see and read the threat reports, especially on Equation, from various leading AV and security research lab providers.


A1: The Equation modus operandi as listed is not a simple task; once exploited, it is very hard to detect unless they surface an anomaly that can be detected based on known signatures or behaviours from anti-malware or AV at the endpoint. The network checkers at the boundary and endpoints will be just service and port based, where known HTTP or known services will be tunneled and even secured, making these checkers blind. You need more than just their logs; raw packet analysis is also required to surface an anomaly.

The worry is the deep planting of the BIOS firmware (which can be like past attacks by the Shamoon, Destover and DarkSeoul malware that destroyed machines), and no technology can simply sense that once these bootkits capture the whole OS. I do see a clean-slate client VM instance reverted back on each reboot as a means for really easily exposed public terminals. Also control all external device interfaces (susceptible to BadUSB, Thunderstrike etc.) and enforce application whitelisting to reduce exposure. There is likely a trade-off with the user experience using this too, so measure your environment's risk appetite.


A2: As in A1, it is defence in depth, but do not rely just on this: eventually the known signatures can be detected, but such APT groups have customised ones to easily break traditional defences.

I believe you know about the breach detection, network forensic and threat management technology from most of the network security providers like Cisco, FireEye, Trend Micro, Bluecoat ... the IOC in the reports from Kaspersky Lab will help to kill off the known ones... for now. Payloads are likely to be the same, but the stager and callback will vary. This will need continuous monitoring, and start off early to check against your environment's baseline to surface the anomalous activities early via SIEMS in your SOC (and not simply NOC).


A3: In this case, Equation is not a DDoS network, unlike hacktivists whose intent is to bring down or impact public reputation - in short, they want to shame the victim as a form of strong public reminder (or should I say of their dissatisfaction). DDoS requires a huge botnet and impacts the ISP too, with ranges of 1-2Gbps to more than 30-40Gbps and even 300Gbps and above as a real attack. I see them as a smokescreen, as eventually the cost factor and returns need to be justified, and the underground market already offers DDoS as a Service to make it easy to launch the attack based on the duration required.

You can find out more by googling those and even this "LizardStresser". The case of cyber espionage is not similar to cyber sabotage; DDoS is more of the latter, while Equation schemes are of the former. The Equation folks wanted stealthiness, though DDoS can help to distract the incident responder as required, but it is likely another team would perform that on some strategic day when Equation has surfaced enough intelligence to make a further advance to sabotage a certain agenda... in their long-term strategy.

Clean pipe is not 100% for DDoS, as application-level attacks can bypass this easily. Some ISPs added mechanisms to clean even such traffic, but I do not see assurance on how SSL traffic can be cleaned, and even then fragments of a legit-looking build-up of DDoS traffic are unlikely to trigger the clean pipe, as cleaning is either removal or replacement of a known threat inside the packet - it is not in-depth enough to clean application DDoS when protocol vulnerabilities are being exploited... it cannot even determine a weak cipher... to trigger cleaning when, in fact, there is nothing to clean in the first place.
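
Added example (not from this thread or any vendor) of the two layers btan describes in A2: an IOC match to kill off the known callbacks, and a check against the environment's baseline to surface unknown destinations that are contacted at a steady interval, the callback pattern customised tooling would not match by signature. The log lines, hostnames, IOC list and baseline are constructed placeholders, and the log format is assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the thread). Assumed format:
# "<ISO timestamp> <source IP> <destination host> <bytes>"
PROXY_LOG = """\
2015-02-21T08:00:00 10.0.0.5 updates.example-vendor.invalid 1200
2015-02-21T08:00:05 10.0.0.7 c2-known.example.invalid 300
2015-02-21T08:10:00 10.0.0.5 beacon.example-unknown.invalid 410
2015-02-21T08:12:00 10.0.0.9 intranet.example-corp.invalid 5000
2015-02-21T08:20:00 10.0.0.5 beacon.example-unknown.invalid 412
2015-02-21T08:30:00 10.0.0.5 beacon.example-unknown.invalid 409
2015-02-21T08:40:00 10.0.0.5 beacon.example-unknown.invalid 411
"""
# Placeholder IOC list standing in for hosts taken from a published threat report.
KNOWN_BAD_HOSTS = {"c2-known.example.invalid"}
# Constructed baseline of destinations already known to be normal in this environment.
BASELINE_HOSTS = {"updates.example-vendor.invalid", "intranet.example-corp.invalid"}

def parse_log(text):
    """Turn each log line into (timestamp, src, host, bytes)."""
    events = []
    for line in text.splitlines():
        ts, src, host, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, host, int(nbytes)))
    return events

def ioc_hits(events, iocs):
    """Layer 1: match against known indicators; catches what the report already lists."""
    return sorted({(src, host) for _, src, host, _ in events if host in iocs})

def beacon_candidates(events, baseline, min_hits=4, jitter=0.2):
    """Layer 2: destinations outside the baseline contacted at a steady interval.
    Returns (src, host, mean gap in seconds) for each candidate callback."""
    by_pair = defaultdict(list)
    for ts, src, host, _ in events:
        if host not in baseline:
            by_pair[(src, host)].append(ts)
    flagged = []
    for (src, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        # Regular spacing (within the jitter tolerance) is the beaconing signal.
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            flagged.append((src, host, round(mean)))
    return flagged
```

The IOC layer only sees the one host the report named; the baseline layer is what surfaces the 10-minute beacon to a host no signature knows about.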
 

Author Comment

by:sunhux
ID: 40624056
Thanks; bear with me, what do the following stand for:
IOC, APT, SIEMS

LVL 61

Expert Comment

by:btan
ID: 40624114
no worries.
IOC - indicator of compromise
APT - Advanced Persistent Threats
SIEMS - Security information & Event Management systems

You can see Equation on Securelist (Kaspersky Lab):
http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

Also, NSS Labs has shared observations on next-generation defence technology:
https://www.nsslabs.com/blog/nss-research-reveals-ngfw-has-strengthening-role-enterprise
https://www.nsslabs.com/blog/technology-future-bds-market-set-explode
 
LVL 6

Assisted Solution

by:Oleksiy Gayda
Oleksiy Gayda earned 100 total points
ID: 40626280
Specifically on the Equation Group's HDD firmware exploit - the scary bit is that it is virtually impossible to detect by scanning (because it exists "below" the OS level and the majority of HDD firmware is "write only" by design, as a means of protecting the manufacturer's intellectual property, so it cannot be scanned even with specialized tools) and it will survive even a drive reformat and OS reinstall.

I suppose that, theoretically, you could wipe the drive then flash its firmware with the manufacturer-provided one, ensuring that Equation firmware is overwritten, but there is no guarantee that it doesn't persist by copying itself back and forth between firmware and drive areas while you're performing each of the clean-up steps.

You can always just whack the drive with a hammer a couple of times, and replace it with a brand new one...
 
LVL 61

Assisted Solution

by:btan
btan earned 320 total points
ID: 40627135
Indeed, bootkits of that sort went beyond into hardware planting, and if you follow the NSA catalog, there are similarities to "IRATEMONK". Equation used two modules belonging to EquationDrug (for use on older Windows operating systems) and GrayFish in the same light to reprogram hard drives to give the attackers persistent control over a target machine. I really doubt there is an effective means of removing those except not using them and terminating that hardware from further usage.
