This Week in Cybersecurity (week ending 10/28/2017)
REAPER Botnet Grows, but its Purpose is Unknown
REAPER is a growing botnet of over one million devices, causing concern in the global cybersecurity community. REAPER infects video cameras and other Internet of Things (IoT) devices, taking advantage of known vulnerabilities in D-Link, Netgear, and AVTech products. REAPER is similar to the Mirai malware that infected IoT devices in late 2016; those infected devices in turn launched a Distributed Denial of Service (DDoS) attack on Dyn DNS in late 2016, knocking out a number of Internet services in the U.S. While the botnet continues to grow, there have been no known attacks so far and it’s unclear how the botnet may be used. (Source: ZDNet.com, 24 October 2017)
Russian APT Attempts to Phish CyCon Participants
CyberWire reports on potential Russian interference in this year’s CyCon conference. Fancy Bear (APT28, or, to name it directly, Russia's GRU) is snuffling around people thinking about attending next month's CyCon conference in Washington, DC. Sponsored jointly by the US Army Cyber Institute and NATO's Cooperative Cyber Defence Centre of Excellence, this year the well-known conference takes "the future of cyber conflict" as its theme. Fancy Bear is phishing for prospective attendees with a baited Word document that carries Seduploader as its payload. Seduploader is a reconnaissance tool useful in determining which targets deserve closer attention. The phishbait document, a cut-and-paste job designed to look like an event flier, is "Conference_on_Cyber_Conflict.doc." Stay away from it and the malicious Visual Basic for Applications (VBA) macro it contains. (The CyberWire, 10/25/2017)
Bad Rabbit Ransomware
Bad Rabbit is a new type of ransomware that is causing concern. Confined so far to Russia and Eastern Europe, it is the third major ransomware this year, following WannaCry and NotPetya. Bad Rabbit is delivered via a drive-by attack on insecure websites: a malware dropper disguised as an Adobe Flash update is downloaded to unsuspecting visitors to infected websites. When they click on the update link, their computer locks up and files are encrypted using DiskCryptor software. A ransom note appears demanding just under $300 in Bitcoin within 40 hours in return for the keys to decrypt the victim’s files. Experts are increasingly convinced that Bad Rabbit is the work of the same threat actors responsible for NotPetya, although Bad Rabbit does not appear to be as sophisticated. Several internet security firms have noticed that the servers and sites Bad Rabbit's controllers used seem to have shut down after just a few hours of activity. Others have noted that Bad Rabbit, unlike NotPetya, does not appear to use tools stolen from NSA by the still-unidentified Shadow Brokers group. (Source: The CyberWire, 10/26/2017, and Wired UK article.)
Kaspersky Lab Update
Kaspersky Lab's transparency and charm counteroffensive may have hit a bump. The company acknowledged that its security software did indeed scoop up some NSA tools (from a machine that should never have had them in the first place). They say they promptly deleted the sensitive files. (Source: TheCyberWire, 10/26/2017)
US-CERT Alert on North Korean Botnet Infrastructure
DHS/US-CERT updated an alert from June about North Korea’s HIDDEN COBRA botnet infrastructure. The updated alert is TA17-164A. It provides the following overview as well as technical indicators and suggested response guidance.
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. Government partners, DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.
Twitter Exec Victimized by Russian Trolls during 2016 Election
According to CyberWire, a Twitter executive was successfully trolled by Russian influence operators in 2016. The exec was induced to retweet positive stories from a bogus Black Lives Matter activist, who in reality was a Russian troll. Observers take the incident as a cautionary tale of how grooming influencers works. (CyberWire, 10/25/2017)