Coming a month before WannaCry, Adylkuzz was its precursor and gets the dubious distinction of being the first attack to use the EternalBlue exploit. EternalBlue takes advantage of the SMB vulnerability on TCP port 445 and quickly spreads to other machines.
Another NSA backdoor hacking tool, DoublePulsar, is deployed with it, installing malware that halts SMB networking communication and also blocks infection from any additional malware. Infection is not immediately obvious — users may notice loss of performance and access to shared Windows resources. Next, the deposited malware gathers the public IP address of the victim and downloads remote mining instructions.
One characteristic of Adylkuzz (with DoublePulsar) is that once it has infected a machine, it closes the SMB port it used to gain access, which prevents competing malware from getting in the same way. When a test group set up an experiment to see how long it would take for Adylkuzz to find and infect a vulnerable machine connected to the Internet, the time to infection was just 20 minutes.
The Virsec Application Memory Firewall is the first solution to protect memory at the application level. Virsec scrutinizes application process memory to ensure that your applications only behave as intended and aren’t corrupted by memory exploits.
Virsec’s Trusted Execution precisely maps the known and predictable activity of an application, creating an AppMap™. When the application runs, Virsec monitors all system, file, and memory activity and proactively takes action if the application deviates from its expected activity.
AppSensor is an OWASP project that enables you to build self-defending applications with attacker detection and automated response capabilities.
BlackEnergy is an advanced persistent threat (APT) responsible for attacking and shutting down electrical grids in Ukraine in December 2014. BlackEnergy now has an architecturally similar and more modern successor, GreyEnergy, which emerged in the fall of 2018. While it shows similarities to its predecessor, so far it has a different focus: rather than shutting electrical grids down, GreyEnergy has cyber-espionage as its main objective. (See our blog GreyEnergy Spy APT Mounts Sophisticated Effort Against Critical Infrastructure.)
BlackEnergy’s operators, known as Sandworm, evolved into another group now known as TeleBots. TeleBots has been linked to the NotPetya attacks last June, as well as to another attack on Ukrainian power infrastructure using Industroyer malware in 2016. TeleBots is also responsible for additional attacks in Ukraine over the last 3 years affecting the financial and supply chain industries.
Dynamic Link Library Injection attack. In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.
On September 7, 2017, the public learned about the Equifax breach, which impacted close to 150 million American households. Indictments followed for insider trading related to the breach. In December 2018, Congress released a report after a 14-month investigation, finding that Equifax was responsible for its own breach through multiple failures in its own security program. (See our blog Congressional investigation into Equifax breach finds multiple security failures, https://virsec.com/congressional-investigation-into-equifax-breach-finds-multiple-security-failures/.)
Equifax’s lax security played a role, making it easier for bad actors to take advantage of a vulnerability in Apache Struts to gain access. Given the timing of the breach, there was some dispute as to whether the Apache Struts vulnerability involved was CVE-2017-9805, which wasn’t discovered until July 2017, after Equifax was likely breached. It turned out that a different CVE was responsible for the Equifax breach, CVE-2017-5638, which dated back to March, well before Equifax was breached. By 2017, eight Apache Struts vulnerabilities had been documented in the National Vulnerability Database (NVD).
Glibc (the GNU C Library) is a core Linux library, and this exploit targets it. The glibc DNS client is vulnerable to a stack-based buffer overflow when the library function used to perform domain-name lookups is called. The glibc client-side DNS resolver translates domain names as we recognize them, like google.com, into network IP addresses. The buffer overflow is triggered while the getaddrinfo() library function that performs domain-name lookups is in use. In that window, attackers can remotely execute malicious code. This leaves nearly all Linux machines vulnerable.
Windows, OS X and Android devices are not vulnerable as they use different libraries. For example, uClibc had a similar bug that was fixed 6-7 years ago.
Havex malware, the primary malware used by Dragonfly, is a remote access Trojan horse (RAT). A computer infected by a RAT is remotely controlled. Havex attacks began with spear-phishing campaigns, and the malware was also used in watering hole attacks.
The Heartbleed cyber threat is a security bug in the OpenSSL cryptography software library. It creates a serious vulnerability that allows information normally protected by the SSL/TLS encryption protocol to be stolen. The flaw is an improper input validation in OpenSSL’s implementation of the Transport Layer Security (TLS) heartbeat extension, which is the reason for the name. The vulnerability is a buffer over-read, meaning more data can be read than ought to be allowed.
Heartbleed exposes the memory of systems that should be protected by vulnerable versions of OpenSSL to anyone on the Internet. The secret keys that encrypt traffic are compromised, along with user names and passwords. With these, attackers can eavesdrop on and steal data from users, or impersonate them.
Heartbleed is registered in the Common Vulnerabilities and Exposures database as CVE-2014-0160.
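The over-read described above, shown as an added illustration that is not OpenSSL’s code: a simplified heartbeat responder that trusts the declared payload length, beside one that checks it against the bytes actually received. The message layout follows RFC 6520 and the 64-byte memory region is a constructed stand-in for neighbouring heap contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR 3
#define HB_PAD 16

static size_t hb_declared_len(const uint8_t *msg) {
    return ((size_t)msg[1] << 8) | msg[2];
}

/* Vulnerable responder: trusts payload_length and copies that many bytes from
 * the record, even if fewer bytes were received. The copy reads past the end
 * of the received data (the buffer over-read). Returns bytes copied or -1. */
int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR) return -1;
    size_t payload = hb_declared_len(rec);
    if (payload > out_cap) return -1;             /* protects only the destination */
    memcpy(out, rec + HB_HDR, payload);           /* may read beyond rec_len */
    return (int)payload;
}

/* Hardened responder: payload_length must fit inside the bytes actually received,
 * padding included; a message that fails the check is discarded. */
int hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return -1;
    size_t payload = hb_declared_len(rec);
    if (HB_HDR + payload + HB_PAD > rec_len) return -1;  /* the missing check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HDR, payload);
    return (int)payload;
}

/* Constructed scenario (not real traffic): a 64-byte region whose first 23 bytes
 * hold a heartbeat request with a 4-byte payload and 16 bytes of padding, but
 * whose header claims a 32-byte payload. The remaining bytes stand in for
 * neighbouring memory and are filled with 'S'. Returns how many 'S' bytes the
 * responder copied into its reply, or -1 if it rejected the message. */
int hb_count_leaked(int (*respond)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t mem[64], out[64];
    memset(mem, 'S', sizeof mem);
    mem[0] = 1; mem[1] = 0x00; mem[2] = 0x20;     /* type=request, declared length 32 */
    memcpy(mem + HB_HDR, "ping", 4);
    memset(mem + HB_HDR + 4, 0, HB_PAD);
    int n = respond(mem, HB_HDR + 4 + HB_PAD, out, sizeof out);
    if (n < 0) return -1;
    int leaked = 0;
    for (int i = 0; i < n; i++) leaked += (out[i] == 'S');
    return leaked;
}
```

With the constructed record, the vulnerable responder copies 12 bytes that were never part of the message, while the hardened one discards the request.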
Industroyer / Crash Override struck a week before Christmas 2016, taking down one fifth of Kiev’s total electrical power for one hour. In retrospect, it appears that was just a trial run. Industroyer is the first known malware specifically designed to attack electrical grids. It is one of several that have targeted industrial control systems, alongside Stuxnet, Havex, BlackEnergy and Triton/Trisis. The attack was automated, allowing attackers to program portions of the attack to run without involvement from operators, including on networks not connected to the Internet (“air-gapped”).
In June of 2016, security researchers published a detailed analysis of the malware. The malware targeted the Siemens SIPROTEC digital relay which, when working normally, gauges the charge in electric grid components and opens circuit breakers if the charge reaches dangerously high levels. Even though Siemens had released a firmware update for this relay in June 2015, many industrial control system operators did not apply the patch, perhaps to avoid business disruption, leaving their systems vulnerable. See our summary article “Virsec Hack Analysis: Deep Dive into Industroyer (aka Crash Override)” for more information.
Load Fence. Spectre-related; a load fence that serializes load operations and halts speculative execution until all instructions up to the fence have been executed.
Ransomware LockerGoga hit (and is still hitting) industrial and manufacturing firms, causing devastating impact. Later strains have been even more damaging than the initial rounds. In some cases, it is evident the hackers are after money, and they have collected some of the bitcoin they demanded. But in other cases, the way the attack manifested made it impossible for victims to pay the ransom. At times it has seemed as though the hackers made it impossible for victims even to see the ransom note, much less respond to it.
LockerGoga has struck several countries, bringing some firms to their knees and becoming an alarming harbinger for others who haven’t yet been hit. The engineering consulting firm Altran in France and the aluminum manufacturer Norsk Hydro in Norway have both been struck by LockerGoga, along with Hexion and Momentive. Momentive’s infection caused a global IT outage. The security firm FireEye reported that it is aware of several other industrial and manufacturing companies that have also been hit, though for now they are opting not to be named.
Built to do damage, NotPetya still the most devastating malware ever seen
This variant of Petya, another fileless attack, shares some similarities with the original version as well as many differences. NotPetya was designed not to collect ransom but to do as much damage as possible. To date, NotPetya remains the most devastating cyberattack on record, costing an estimated $10 billion.
EternalBlue, EternalRomance exploits
Like Petya, NotPetya uses the EternalBlue exploit along with the EternalRomance exploit. Machines lacking the MS17-010 patch for SMB vulnerabilities are still exposed.
NotPetya didn’t have the fast-spreading worm capabilities of WannaCry, but because it spread itself locally using Windows utilities, it was able to infect computers that had been patched against the vulnerabilities EternalBlue targeted.
Spectre-Meltdown-related, Google’s fix for Variant 2 of the Meltdown-Spectre bugs
Spectre-related – an exploit that uses the victim’s process memory to leak secret information.
Sharpshooter emerged in the fall of 2018, hitting up to 87 organizations from October to November, possibly beginning in September. The countries targeted were primarily the US, but also other English-speaking organizations in the UK, Canada, Australia, New Zealand, Russia, India and elsewhere. The 87 organizations were infected with the Rising Sun malware, which allows hackers to spy on sensitive information, including documents, usernames, network configurations and system settings.
A new vulnerability has been found that potentially affects most versions of the Linux and Unix operating systems. Known as the “Bash Bug” or “ShellShock,” CVE-2014-6271, the GNU Bash Remote Code Execution Vulnerability, could allow an attacker to gain control over targeted computers if the exploit is successful.
The vulnerable component is Bash, which is common to Linux and Unix systems. Bash is a Unix shell and command language interpreter: users type commands into a simple text-based window, and the operating system then runs them.
Spectre and Meltdown emerged in January of 2018 as a new class of vulnerability the security industry had never encountered before. The initial remedy was supposed to be routine patches from the prominent vendors in question (Google, Amazon, Microsoft, Apple, Intel and so on). But the first rounds of patches were costly and disruptive and, once applied, slowed system performance considerably.
The problem arose in the first place because chip manufacturers found clever ways to improve chip performance. The method is called “speculative execution,” a trick used to enhance performance in almost all modern chips. Speculative execution allows a program to begin accessing memory and executing instructions before the security check that decides whether the action should be allowed has completed. This sped up performance but inadvertently left a backdoor into the data being processed on the chips.
At least 20 variant attacks have been demonstrated so far, some more dangerous than others. (See our blog 20 Spectre and Meltdown Attacks Demonstrated So Far and Rising: This Class of Threat Continues in 2019, https://virsec.com/20-spectre-and-meltdown-attacks-demonstrated-so-far-and-rising-this-class-of-threat-continues-in-2019/).
An unprecedented attack, now known as Triton or Trisis, was launched in December 2017 on the safety systems of an energy plant in the Middle East. The attack specifically targeted the Triconex industrial safety technology made by Schneider Electric. The group behind the attack has not been identified but given the complexity and sophistication of the attack, it is widely assumed to have been state-sponsored.
Transactional Synchronization Extensions New Instructions – an extension to the x86 instruction set architecture (ISA) that adds hardware transactional memory support, speeding up execution of multi-threaded software through lock elision.
A massive ransomware hit, WannaCry impacted 10,000 companies and 230,000 computers in over 150 countries. Once again, the exploit took advantage of the Microsoft Windows SMB protocol weakness and the dangerous elements behind the WannaCry attack are EternalBlue and DoublePulsar.
EternalBlue is a tool released in the Shadow Brokers’ fifth leak in April 2017. It is particularly significant because it has been used in multiple attacks: Adylkuzz was the first, followed by WannaCry, UIWIX and NotPetya. EternalBlue is also the name commonly given to the vulnerability it attacks in the Microsoft Windows OS. WannaCry propagated itself over TCP port 445.
Microsoft released a critical security patch for Windows XP computers for the vulnerability shortly before the WannaCry ransomware attack circled the globe, and those who had applied it were protected from WannaCry. Unfortunately, many companies hadn’t yet applied the patch, and thousands of computers froze, their files rendered inaccessible. Instead of a normal screen, an ominous onscreen message appeared demanding about $300 worth of bitcoin.
WannaCry and NotPetya variants continued to strike. A subsequent attack, dubbed Bad Rabbit by its creators, spread across Russia and Ukraine, wreaking havoc with news agencies and transportation systems.
Whitelisting: Compiling a list of pre-approved names or entities, such as a list of authentic, spam-free email names or a list of legitimate, malware-free IP addresses.