Week in security with Tony Anscombe

ESET researchers describe the ins and outs of a zero-day exploit that has been used for a highly targeted attack and reveal the name of the threat actor that deployed it

In a pair of articles this week, ESET researchers describe the ins and outs of a zero-day exploit that has been used for a highly targeted attack in Eastern Europe, and also reveal the name of the threat actor that deployed it. In yet another research effort, ESET experts analyze a malicious campaign that distributes a backdoor via torrents, using South Korean TV content as the bait.

Cybercrime seen to be getting worse: The time to act is now

What mounting public concern about falling victim to cybercrime says about government and corporate efforts at cybercrime deterrence

Is the risk of becoming a victim of cybercrime increasing? Most people in North America and Europe think it is, based on the surveys that I’ve been looking at. Earlier this year the European Union published the results of its latest consumer survey on internet security in which 87% of internet users agreed that the risk of becoming a victim of cybercrime is increasing (see the Resources link below for details of EBS480: Special Eurobarometer 480: Europeans’ attitudes towards Internet security).

Facts and figures

ESET recorded similar concern in a North American survey that asked the same question in roughly the same timeframe. In the US, 87% of respondents agreed that the risk of becoming a victim of cybercrime was increasing. Canadian respondents were slightly less pessimistic at 83% (sample sizes: 2,500 and 1,000 respectively.)

These findings have to be worrying news for companies whose business models rely on public trust in the internet. They should also concern politicians and the government, including law enforcement agencies. The survey findings strongly suggest that government efforts at cybercrime deterrence have not given the public much cause for hope.

Clearly, fear of crimes like identity theft and misgivings about data privacy loom large in many countries and some people are reducing or adjusting their use of online technology as a result. The following graph charts responses to the question: Has concern about security issues made you change the way you use the Internet in any of the following ways? (The EU data are from EBS480 fieldwork in October and November, 2018. US and Canada data are from ESET’s fieldwork in July and August, 2018.)

The number of people who are self-limiting their exploration of the internet has to be bad news for companies trying to start businesses online; and while the percentage of people limiting their online shopping and banking is a lot lower, it should still concern the retail and financial services sectors.

When ESET asked Americans about a variety of concerns related to online banking and shopping, 70% of those surveyed indicated that they are worried about the misuse of personal data supplied online. The EU study found a lower level of concern (43%), but this varied widely within the EU – from 32% in Austria and Poland to 50% in Croatia and 62% in Cyprus.

Roughly two thirds of respondents (66%) in North America also expressed concern about the security of online payments. Again, this could be interpreted as a call to online merchants to step up their security efforts and demonstrate that they take the security of online transactions seriously.

To help assess privacy concerns related to use of the internet, the EU and ESET surveys asked respondents if they agreed or disagreed with this statement: I am concerned that my online personal information is not kept secure by websites. Sadly, one third of US respondents said that they totally agreed, compared to one in four Canadians. The percentage that agreed totally or tended to agree was 80% in the US, 72% in Canada, and 77% in the EU. That EU result is up from 70% in 2013, which is not a good sign.

The survey also asked people if they agreed with this statement: I am concerned that my online personal information is not kept secure by public authorities. Unfortunately, more than three quarters of US respondents (76%) either tended to agree or totally agreed, versus two thirds in Canada. In the EU, 68% of internet users share this concern, up from 64% in 2013.

Given the extent to which companies and government agencies have come to rely on the internet as a tool for communication and interaction with the public, these numbers should be worrying. If the public doubts the ability of organizations to protect personal data from exposure, those organizations may find it much harder than expected to realize net gains from further digital transformation, such as the Internet of Things, machine learning, artificial intelligence, big data, self-driving vehicles, and 5G.

What can we say?

Cybersecurity is concerned with the protection of digital technologies – technologies upon which our world is now heavily dependent – against criminals and other entities who seek to abuse those technologies for their own selfish ends. Public support for efforts to reduce cybercrime is critical to society’s efforts to preserve the benefits of digital technologies. That is why it is so important to know what the public thinks about cybercrime and cybersecurity, the safety of online activities, and the privacy of personal data shared with companies or government agencies.

So why don’t the governments of the world do a better job of researching these things? My take is that the cost of such research strikes many politicians as too high, but that strikes me as extremely short-sighted, given what is at stake, and how much surveys like those reviewed here can teach us. Consider the lost opportunities for retailers and financial firms that were revealed: by digging deeper into the demographics of this distrust, a savvy company could craft targeted marketing to improve engagement with customers who are nervous about online activity because of cybercrime.

Maybe industry lobbyists should be pushing for more of these studies given that they reveal valuable business intelligence. For example, the current numbers suggest that marketing strategies which rely on people giving up data online may be facing stronger headwind if cybersecurity does not improve. Conversely, these statistics might prove useful to Chief Information Security Officers (CISOs) and Chief Privacy Officers (CPOs) as they argue the case for greater emphasis on cybersecurity within their organizations.

Clearly, these surveys show that more needs to be done to deter cybercrime. Given the extent – revealed by these surveys – that cybercrime is impeding progress and threatening the promised benefits of the next wave of digital transformation, concerted action by government agencies and

Buhtrap group uses zero‑day in latest espionage campaigns

ESET research reveals notorious crime group also conducting espionage campaigns for the past five years

The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However, since late 2015, we have witnessed an interesting change in its traditional targets. Starting out as a purely criminal group perpetrating cybercrime for financial gain, it has expanded its toolset with malware used to conduct espionage in Eastern Europe and Central Asia.

Throughout our tracking, we’ve seen this group deploy its main backdoor as well as other tools against various victims, but June 2019 was the first time we saw the Buhtrap group use a zero-day exploit as part of a campaign. In that case, we observed Buhtrap using a local privilege escalation exploit, CVE-2019-1132, against one of its victims.

The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.

This blog post covers the evolution of Buhtrap from a financial crime to an espionage mindset.

History

The timeline in Figure 1 highlights some of the most important developments in Buhtrap activity.

Figure 1. Important events in Buhtrap timeline

It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions.

Although new tools have been added to their arsenal and updates applied to older ones, the tactics, techniques and procedures (TTPs) used in the different Buhtrap campaigns have not changed dramatically over all these years. They still make extensive use of NSIS installers as droppers and these are mainly delivered through malicious documents. Also, several of their tools are signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.

The documents employed to deliver the malicious payloads often come with benign decoy documents to avoid raising suspicions if the victim opens them. The analysis of these decoy documents provides clues about who the targets might be. When Buhtrap was targeting businesses, the decoy documents would typically be contracts or invoices. Figure 2 is a typical example of a generic invoice the group used in a campaign in 2014.

Figure 2. Decoy document used in campaigns against Russian businesses

When the group’s focus shifted to banks, the decoy documents were related to banking system regulations or advisories from FinCERT, an organization created by the Russian government to provide help and guidance to its financial institutions (such as the example in Figure 3).

Figure 3. Decoy document used in campaigns against Russian financial institutions

Hence, when we first saw decoy documents related to government operations, we immediately started to track these new campaigns. One of the first malicious samples showing such a change was noticed in December 2015. It downloaded an NSIS installer whose role was to install the main Buhtrap backdoor, but the decoy document – seen in Figure 4 – was intriguing.

Figure 4. Decoy document used in campaigns against governmental organizations

The URL in the text is revealing. It is very similar to the State Migration Service of Ukraine website, dmsu.gov.ua. The text, in Ukrainian, asks employees to provide their contact information, especially their email addresses. It also tries to convince them to click on the malicious domain included in the text.

This was the first of many malicious samples we encountered that the Buhtrap group used to target government institutions. Another, more recent decoy document that we believe was also distributed by the Buhtrap group is seen in Figure 5 – a document which would appeal to a very different set of people, but still government related.

Figure 5. Decoy documents used in campaigns against governmental organizations

Analysis of the targeted campaigns leading to zero-day usage

The tools used in the espionage campaigns were very similar to those used against businesses and financial institutions. One of the first malicious samples we analyzed that targeted governmental organizations has the SHA-1 hash 2F2640720CCE2F83CA2F0633330F13651384DD6A. This NSIS installer downloads the regular package containing the Buhtrap backdoor and displays the decoy document shown in Figure 4.

Since then, we’ve seen several different campaigns against governmental organizations coming from this group. In these campaigns, the group routinely exploited vulnerabilities to elevate its privileges before installing its malware. We have seen it use old, already patched bugs such as CVE-2015-2387, but until now always known vulnerabilities. The zero-day it used recently fits the same pattern: it exists purely so that the malware can run with the highest privileges.

Throughout the years, packages with different functionalities appeared. Recently, we found two new packages that are worth describing as they deviate from the typical toolset.

Legacy backdoor with a twist – E0F3557EA9F2BA4F7074CAA0D0CF3B187C4472FF

This document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare installation of the main backdoor. However, this NSIS installer is very different from the earlier versions used by this group. It is much simpler and is only used to set the persistence and launch two malicious modules embedded within it.

The first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server. This module was also detected as part of the campaign using the zero-day. This module uses standard Windows APIs to communicate with its C&C server.

Figure 6. Grabber module network capabilities

The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side-load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner.

Meterpreter and DNS tunneling – C17C335B7DDB5C8979444EC36AB668AE8E4E0A72

This document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare installation of the main backdoor. Part of the installation process is to set up firewall rules to allow the malicious component to communicate with the C&C server. Next is a command example the NSIS installer uses to set up these rules:

cmd.exe /c netsh advfirewall firewall add rule name="Realtek HD Audio Update Utility" dir=in action=allow program="<path>RtlUpd.exe" enable=yes profile=any
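The rule above is a useful hunting artifact: a display name borrowed from a hardware vendor, an inbound allow, and a binary that does not live where such a vendor utility would. The following script is an added example (not Buhtrap tooling and not code from the original post) that parses the text printed by netsh advfirewall firewall show rule name=all verbose and flags rules with that shape. The sample output embedded in it is constructed for this example, and the field names the parser expects (Rule Name, Enabled, Direction, Action, Program) are an assumption about netsh's verbose layout.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the layout of
# "netsh advfirewall firewall show rule name=all verbose" (field names are an
# assumption; adapt the parser if your build prints different ones).
# The first rule copies the one quoted in the article, installed into a
# hypothetical user path; the second is a stock Windows rule.
SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            Realtek HD Audio Update Utility
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Action:                               Allow
Program:                              C:\Users\user\AppData\Local\Temp\RtlUpd.exe

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Action:                               Allow
Program:                              C:\Windows\system32\svchost.exe
"""

# Where a vendor utility is expected to live, and where it is not.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

FIELD = re.compile(r"^([A-Za-z ]+?):\s{2,}(.*)$")


@dataclass
class FirewallRule:
    name: str
    enabled: str = ""
    direction: str = ""
    action: str = ""
    program: str = ""


def parse_netsh_rules(text: str) -> List[FirewallRule]:
    """Split netsh's 'Key:   value' blocks into one FirewallRule per 'Rule Name:' line."""
    rules: List[FirewallRule] = []
    current = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separator dashes, blank lines
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "rule name":
            current = FirewallRule(name=value)
            rules.append(current)
        elif current is not None and key in ("enabled", "direction", "action", "program"):
            setattr(current, key, value)
    return rules


def why_suspicious(rule: FirewallRule) -> List[str]:
    """Reasons an enabled allow rule deserves a look; empty list means it passes."""
    reasons: List[str] = []
    if rule.enabled.lower() != "yes" or rule.action.lower() != "allow":
        return reasons
    prog = rule.program.lower()
    if not prog or prog == "any" or prog.startswith(TRUSTED_ROOTS):
        return reasons  # not tied to a binary, or the binary is where vendors install
    reasons.append("allowed binary lives outside Windows/Program Files")
    if any(marker in prog for marker in USER_WRITABLE):
        reasons.append("binary path is user-writable")
    if rule.direction.lower() == "in":
        reasons.append("inbound allow: the binary may accept connections")
    # Name/path mismatch: the rule claims a brand the program path never mentions.
    words = rule.name.split()
    brand = words[0].lower() if words else ""
    if len(brand) >= 4 and brand.isalpha() and brand not in prog:
        reasons.append(f"rule name claims '{words[0]}' but the path does not mention it")
    return reasons


def suspicious_rules(rules: List[FirewallRule]) -> List[Tuple[FirewallRule, List[str]]]:
    return [(r, why_suspicious(r)) for r in rules if why_suspicious(r)]


if __name__ == "__main__":
    for rule, reasons in suspicious_rules(parse_netsh_rules(SAMPLE_NETSH_OUTPUT)):
        print(f"{rule.name!r} -> {rule.program}")
        for reason in reasons:
            print("   -", reason)
```

Feed it the real netsh output (or the same fields pulled from the FirewallRules registry key) and the Realtek rule stands out on four counts at once; a legitimate vendor updater in Program Files produces no reasons at all.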

However, the final payload is something that we have never seen associated with Buhtrap. Encrypted in its body are two payloads. The first one is a very small shellcode downloader, while the second one is Metasploit’s Meterpreter. Meterpreter is a reverse shell that grants its operators full access to the compromised system.

The Meterpreter reverse shell actually uses DNS tunneling to communicate with its C&C server, through a module similar to the one described here. DNS tunneling can be difficult for defenders to detect, since all malicious traffic is carried inside ordinary DNS queries and responses (typically UDP port 53 to the organization's own resolver) instead of a direct connection from the host to the C&C server. Below is a snippet of the initial communication of this malicious module.

7812.reg0.4621.toor.win10.ipv6-microsoft[.]org
7812.reg0.5173.toor.win10.ipv6-microsoft[.]org
7812.reg0.5204.toor.win10.ipv6-microsoft[.]org
7812.reg0.5267.toor.win10.ipv6-microsoft[.]org
7812.reg0.5314.toor.win10.ipv6-microsoft[.]org
7812.reg0.5361.toor.win10.ipv6-microsoft[.]org
[…]

The C&C server domain name in this example is impersonating Microsoft. In fact, the attackers registered different domain names for these campaigns, most of them abusing Microsoft brands in one way or another.
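Query names like the ones above have a recognizable shape: every query is a new name, it sits five labels below the registered domain, and several of the labels are counters. As an added example (not ESET's detection logic and not part of the original post), the following script profiles a resolver log per registered domain and surfaces domains that look like tunnels. The log lines are constructed for this example in an assumed "<timestamp> <client> <qname> <qtype>" format; the tunneled names are the ones quoted above, kept defanged and re-fanged by the parser; and "registered domain" is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log for this example. Assumed line format:
# "<timestamp> <client-ip> <qname> <qtype>". The ipv6-microsoft[.]org names are
# the ones quoted in the article (left defanged); the rest is made-up benign traffic.
SAMPLE_DNS_LOG = """\
2019-06-12T10:00:01Z 10.0.0.5 7812.reg0.4621.toor.win10.ipv6-microsoft[.]org TXT
2019-06-12T10:00:01Z 10.0.0.5 7812.reg0.5173.toor.win10.ipv6-microsoft[.]org TXT
2019-06-12T10:00:02Z 10.0.0.5 7812.reg0.5204.toor.win10.ipv6-microsoft[.]org TXT
2019-06-12T10:00:02Z 10.0.0.5 7812.reg0.5267.toor.win10.ipv6-microsoft[.]org TXT
2019-06-12T10:00:03Z 10.0.0.5 7812.reg0.5314.toor.win10.ipv6-microsoft[.]org TXT
2019-06-12T10:00:03Z 10.0.0.5 7812.reg0.5361.toor.win10.ipv6-microsoft[.]org TXT
2019-06-12T10:00:04Z 10.0.0.7 www.microsoft[.]com A
2019-06-12T10:00:05Z 10.0.0.7 www.microsoft[.]com A
2019-06-12T10:00:06Z 10.0.0.9 outlook.office365[.]com A
2019-06-12T10:00:07Z 10.0.0.9 login.microsoftonline[.]com A
"""

Record = Tuple[str, str, str]  # (client, qname, qtype)


def refang(name: str) -> str:
    """Turn a defanged indicator such as example[.]org back into a usable name."""
    return name.replace("[.]", ".").rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification for the example; production code should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        records.append((parts[1], refang(parts[2]), parts[3].upper()))
    return records


def subdomain_labels(qname: str, domain: str) -> List[str]:
    prefix = qname[: -len(domain)] if qname.endswith(domain) else qname
    return [lab for lab in prefix.split(".") if lab]


def profile_domains(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Per registered domain: query volume, how many names were unique, and how deep they were."""
    grouped: Dict[str, List[Record]] = defaultdict(list)
    for rec in records:
        grouped[registered_domain(rec[1])].append(rec)
    stats: Dict[str, Dict[str, float]] = {}
    for domain, recs in grouped.items():
        names = [qname for _, qname, _ in recs]
        unique = sorted(set(names))
        label_counts = [len(subdomain_labels(n, domain)) for n in unique]
        all_labels = [lab for n in unique for lab in subdomain_labels(n, domain)]
        digit_labels = sum(1 for lab in all_labels if any(c.isdigit() for c in lab))
        stats[domain] = {
            "queries": len(names),
            "unique": len(unique),
            "unique_ratio": len(unique) / len(names),          # 1.0 when no name ever repeats
            "mean_labels": sum(label_counts) / len(unique),    # depth below the registered domain
            "digit_label_ratio": digit_labels / len(all_labels) if all_labels else 0.0,
            "txt_ratio": sum(1 for _, _, t in recs if t == "TXT") / len(recs),
        }
    return stats


def tunnel_candidates(stats: Dict[str, Dict[str, float]], min_unique: int = 5,
                      min_unique_ratio: float = 0.8, min_labels: float = 3) -> List[str]:
    """Domains where nearly every query is a fresh, deep name: the shape of a tunnel, not a CDN."""
    return sorted(
        d for d, s in stats.items()
        if s["unique"] >= min_unique and s["unique_ratio"] >= min_unique_ratio and s["mean_labels"] >= min_labels
    )


if __name__ == "__main__":
    stats = profile_domains(parse_log(SAMPLE_DNS_LOG))
    for domain in tunnel_candidates(stats):
        s = stats[domain]
        print(f"{domain}: {s['unique']} unique names in {s['queries']} queries, "
              f"mean depth {s['mean_labels']:.1f}, TXT ratio {s['txt_ratio']:.2f}")
```

The thresholds are deliberately loose; on real traffic the same profile also catches anti-virus and telemetry vendors that encode data in DNS, so the digit_label_ratio and txt_ratio fields are there to rank candidates rather than to block anything automatically.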

Conclusion

While we do not know why this group has suddenly shifted targets, it is a good example of the increasingly blurred lines between pure espionage groups and those primarily involved in crimeware activities. In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward.

Indicators of Compromise (IoCs)

ESET detection names

VBA/TrojanDropper.Agent.ABM
VBA/TrojanDropper.Agent.AGK
Win32/Spy.Buhtrap.W
Win32/Spy.Buhtrap.AK
Win32/RiskWare.Meterpreter.G

Malware samples

Main packages SHA-1

2F2640720CCE2F83CA2F0633330F13651384DD6A
E0F3557EA9F2BA4F7074CAA0D0CF3B187C4472FF
C17C335B7DDB5C8979444EC36AB668AE8E4E0A72

Grabber SHA-1

9c3434ebdf29e5a4762afb610ea59714d8be2392

C&C servers

https://hdfilm-seyret[.]com/help/index.php
https://redmond.corp-microsoft[.]com/help/index.php
dns://win10.ipv6-microsoft[.]org
https://services-glbdns2[.]com/FIGm6uJx0MhjJ2ImOVurJQTs0rRv5Ef2UGoSc
https://secure-telemetry[.]net/wp-login.php

Certificates

Company name Fingerprint
YUVA-TRAVEL 5e662e84b62ca6bdf6d050a1a4f5db6b28fbb7c5
SET&CO LIMITED b25def9ac34f31b84062a8e8626b2f0ef589921f

MITRE ATT&CK techniques

Execution
  • T1204 User Execution: the user must run the executable.
  • T1106 Execution through API: executes additional malware through CreateProcess.
  • T1059 Command-Line Interface: some packages provide Meterpreter shell access.
Persistence
  • T1053 Scheduled Task: some of the packages create a scheduled task to be executed periodically.
Defense Evasion
  • T1116 Code Signing: some of the samples are signed.
Credential Access
  • T1056 Input Capture: the backdoor contains a keylogger.
  • T1111 Two-Factor Authentication Interception: the backdoor actively searches for a connected smart card.
Collection
  • T1115 Clipboard Data: the backdoor logs clipboard content.
Exfiltration
  • T1020 Automated Exfiltration: log files are automatically exfiltrated.
  • T1022 Data Encrypted: data sent to the C&C server is encrypted.
  • T1041 Exfiltration Over Command and Control Channel: exfiltrated data is sent to the C&C server.
Command and Control
  • T1043 Commonly Used Port: communicates with the server over HTTPS.
  • T1071 Standard Application Layer Protocol: HTTPS is used.
  • T1094 Custom Command and Control Protocol: Meterpreter uses DNS tunneling to communicate.
  • T1105 Remote File Copy: the backdoor can download and execute files from the C&C server.

11 Jul 2019 – 11:30AM

Windows zero‑day CVE‑2019‑1132 exploited in targeted attacks

ESET research discovers a zero-day exploit that takes advantage of a local privilege escalation vulnerability in Windows

In June 2019, ESET researchers identified a zero-day exploit being used in a highly targeted attack in Eastern Europe.

The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, who promptly fixed the vulnerability and released a patch.

The vulnerability affects the following Windows versions:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1

This blog post focuses on the technical details of the vulnerability and its exploitation. Another post, tomorrow, will delve into the malware sample and its broader implications.

Exploitation

As with a number of other Microsoft Windows win32k.sys vulnerabilities disclosed in recent years, this exploit uses popup menu objects. For example, the Sednit group’s local privilege escalation exploit that we analyzed in 2017 used menu objects and techniques very similar to the current exploit.

This exploit creates two windows; one for the first stage and another one for the second stage of the exploitation. For the first window, it creates popup menu objects and appends menu items using the CreatePopupMenu and AppendMenu functions. In addition, the exploit sets up WH_CALLWNDPROC and EVENT_SYSTEM_MENUPOPUPSTART hooks.

Then the exploit displays a menu using the TrackPopupMenu function. At this point the code hooked to EVENT_SYSTEM_MENUPOPUPSTART gets executed. This code attempts to open the first available item in the menu by sending a sequence of MN_SELECTITEM, MN_SELECTFIRSTVALIDITEM and MN_OPENHIERARCHY messages to the menu.

The next step is very important for triggering this vulnerability. The exploit must catch the moment in time when the initial menu is already created, but the sub-menu is only about to be created. For that, the exploit has code that handles the WM_NCCREATE message in the WH_CALLWNDPROC hook. When the exploit code detects that the system is in this state, it sends an MN_CANCELMENUS (0x1E6) message to the first menu, which cancels that menu. However, its sub-menu is still about to be created.

Now if we check this sub-menu object in kernel mode, we would see that tagPOPUPMENU->ppopupmenuRoot equals 0. This state lets the attacker turn that field of the kernel structure into an exploitable NULL pointer dereference. The exploit allocates a new page at address 0x0 and this address will be treated as a tagPOPUPMENU object (see Figure 1) by the kernel.

Figure 1. The tagPOPUPMENU kernel structure

At this point, the attackers use the second window. The main exploit goal is to flip the bServerSideWindowProc bit in the tagWND structure of the second window. This causes the execution of a WndProc procedure in kernel mode.

To perform that, attackers leak the kernel memory address of the tagWND structure of the second window by calling the non-exported HMValidateHandle function in the user32.dll library. Then the exploit crafts a fake tagPOPUPMENU object at the NULL page and sends a MN_BUTTONDOWN message to a sub-menu.

After that, the kernel will eventually execute the win32k!xxxMNOpenHierarchy function.

Figure 2. Disassembled code of the win32k!xxxMNOpenHierarchy function

This function passes a crafted object at the NULL page to win32k!HMAssignmentLock. The bServerSideWindowProc bit is set inside the win32k!HMDestroyUnlockedObject function, which is located a few calls deeper inside win32k!HMAssignmentLock.

Figure 3. Disassembled code of the win32k!HMDestroyUnlockedObject function

Everything is done! Now the exploit can send a specific message to the second window in order to execute WndProc in kernel mode.

As a final step, the exploit replaces the token of the current process with the system token.

The published patch, among other changes, added a check for a NULL pointer in the win32k!xxxMNOpenHierarchy function.

Figure 4. Code differences between two win32k.sys versions – original (left) and patched (right)

Conclusion

The exploit only works against older versions of Windows, because since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems, which leaves 32-bit Windows 7 as the remaining exposed platform.

People who still use Windows 7 for 32-bit Systems Service Pack 1 should consider updating to a newer operating system, since extended support for Windows 7 Service Pack 1 ends on January 14th, 2020. After that date Windows 7 users will no longer receive critical security updates, so vulnerabilities like this one will stay unpatched forever.

SHA-1 hash ESET detection name
CBC93A9DD769DEE98FFE1F43A4F5CADAF568E321 Win32/Exploit.CVE-2019-1132.A

10 Jul 2019 – 11:30AM

UK’s data watchdog hands out two mega-fines for breaches

The times they have a-changed since the ICO could only slap fines worth a fraction of the current amounts

British Airways and Marriott Starwood are facing massive fines in the United Kingdom for cyber-incidents that compromised the personal data of their customers.

Yesterday, the UK’s Information Commissioner’s Office (ICO) unveiled its intention to slap a fine of £183.4 million (roughly US$230 million) on the air carrier for a breach last year that compromised the personal data of half a million of its customers.

And today, the data watchdog revealed a similar plan for the hotel chain – a fine worth £99.2 million (around US$123 million) in response to a breach that exposed 383 million guest records.

Both penalties are for alleged violations of the European Union’s General Data Protection Regulation (GDPR). The penalty for British Airways is the first that the ICO intends to impose under the new legal regime and by far the highest that the data protection regulator has ever levied.

No. 1

As we also reported in September 2018, hundreds of thousands of the air carrier’s customers had their credit card details stolen last summer. As the full scope of the damage became clear, the range of compromised data grew to include more data, “including log in, payment card, and travel booking details as well as name and address information”. The victim tally was also revised upwards to 500,000 people.

“This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers,” said the ICO after an extensive investigation, blaming the breach on the company’s “poor security arrangements”.

Said Information Commissioner Elizabeth Denham: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has already announced that it intends to “take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.

No. 2

Another day, another penalty, this time for an incident that hit one of the world’s largest hotel chains, exposing various personal data contained in hundreds of millions of guest records globally. The ICO, which put the number of exposed records at 339 million, said that some 30 million of them related to residents of 31 countries in the European Economic Area (EEA).

In this breach, disclosed in November 2018, an unauthorized party had accessed the reservations database since as far back as 2014. The compromised data included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For a subset of the victims, passport numbers, payment card numbers and payment card expiration dates were also pilfered.

Marriott Starwood has also already announced plans to appeal the ICO’s move.

Past vs. present

Either of the fines puts any penalty ever handed out by the ICO before to shame. Last July, for example, the ICO fined Facebook £500,000 (then equivalent to US$663,000) over the Cambridge Analytica scandal that saw the personal data of millions of users harvested without their knowledge. Still, it was the maximum allowed before GDPR came into force.

Meanwhile, fines imposed under GDPR can be as high as €20 million (US$22.4 million) or 4 percent of a company’s total worldwide annual turnover in the preceding financial year, whichever is greater. According to The Guardian, the proposed penalty for British Airways is equivalent to around 1.5 percent of the company’s global turnover last year. For Marriott, the fine would represent some 3 percent of the company’s global revenue in 2018, wrote TechCrunch.

9 Jul 2019 – 07:19PM

Malicious campaign targets South Korean users with backdoor-laced torrents

ESET researchers have discovered a malicious campaign distributing a backdoor via torrents, with Korean TV content used as a lure

Fans of Korean TV should be on the lookout for an ongoing campaign spreading malware via torrent sites, using South Korean movies and TV shows as a guise. The malware allows the attacker to connect the compromised computer to a botnet and control it remotely.

The malware is a modified version of a publicly available backdoor named GoBot2. The modifications to the source code are mainly South Korea-specific evasion techniques, which are described in detail in this blogpost. Due to the campaign’s clear focus on South Korea, we have dubbed this Win64/GoBot2 variant GoBotKR.

According to ESET telemetry, GoBotKR has been active since March 2018. The detections are in the hundreds, with South Korea being the most affected (80%), followed by China (10%) and Taiwan (5%).

GoBotKR has been spreading via South Korean and Chinese torrent sites, masquerading as Korean movies and TV shows, as well as some games.

The attackers behind this campaign try to trick users into executing the malware by booby-trapping the contents of the torrents with malicious files that have deceptive filenames, extensions and icons. Our analysis shows that the torrents using a movie/TV show disguise generally contain the following types of files:

  1. The expected MP4 file
  2. A malicious executable masked as a PMA archive file with a filename mimicking various codec installers
  3. A malicious LNK file with a filename and icon mimicking the expected video file

Figure 1 shows examples of torrent contents from this malicious campaign.

Figure 1. Contents of some torrents delivering the malware (the MP4 video is not displayed on the second screenshot); the malware is executed by an LNK file with a deceptive filename and icon

So how exactly do users get compromised?

Directly opening the intended MP4 file will not result in any malicious action. The catch here is that the MP4 file is often hidden in a different directory, and users might encounter the malicious LNK file mimicking it first. Further increasing the chance of users falling for the lure is the fact that the extension of the LNK file is normally not displayed when viewed in Windows Explorer, as seen in the second screenshot in Figure 1, in the file with the Korean name.

Clicking on the deceptive LNK file executes the malware. However, it also opens the intended file (in this case a video), giving victims little reason to suspect something has gone wrong.

Renaming the malicious EXE file to a PMA file is also likely done to avoid raising suspicion among potential victims. We have also seen this technique using games as a lure, with filenames and extensions relevant to gaming.

During our investigation, we have seen the following filenames being used for the malicious executables: starcodec.pma, WedCodec.pma and Codec.pma (movie/TV show disguise) and leak.dll (game disguise). The name “starcodec” mimics the legitimate Korean codec pack Starcodec.
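A torrent built this way can be checked before anything in it is opened: the real video, the LNK named after it, and a PE file hiding behind a non-executable extension each leave a detectable trace on disk. The following script is an added example, not part of the original post and not GoBotKR code. It builds a constructed stand-in for such a torrent in a temporary directory (harmless bytes with the right magic numbers), then walks it and reports files whose name and header disagree or whose presence in a video torrent is unexpected. File names and contents are invented for the example.

```python
import os
import tempfile
from typing import Dict, List, Set, Tuple

MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".wmv", ".mov"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl", ".ocx"}
PE_MAGIC = b"MZ"
# Windows Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def split_ext(name: str) -> Tuple[str, str]:
    stem, ext = os.path.splitext(name)
    return stem, ext.lower()


def classify(name: str, head: bytes, media_stems: Set[str], torrent_has_media: bool) -> List[str]:
    """Reasons a single torrent entry looks like a lure; an empty list means nothing was found."""
    reasons: List[str] = []
    stem, ext = split_ext(name)
    is_pe = head.startswith(PE_MAGIC)
    is_lnk = head.startswith(LNK_MAGIC)
    if is_pe and ext not in EXEC_EXTS:
        reasons.append(f"PE executable hiding behind extension '{ext or '(none)'}'")
    if is_pe and torrent_has_media:
        reasons.append("executable bundled in a video torrent")
    if is_lnk or ext == ".lnk":
        inner_stem, inner_ext = split_ext(stem)  # 'Drama.E01.mp4' -> ('Drama.E01', '.mp4')
        if inner_ext in MEDIA_EXTS:
            reasons.append("shortcut named after a video file (double extension)")
        if inner_stem in media_stems or stem in media_stems:
            reasons.append("shortcut mimics a video that exists elsewhere in the torrent")
        if is_lnk and ext != ".lnk":
            reasons.append("shell link stored under a non-.lnk extension")
    return reasons


def read_head(path: str, n: int = 32) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(n)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a downloaded torrent and map relative path -> reasons for every suspicious entry."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            entries.append((os.path.relpath(full, root), fn, read_head(full)))
    media_stems = {split_ext(fn)[0] for _, fn, _ in entries if split_ext(fn)[1] in MEDIA_EXTS}
    findings: Dict[str, List[str]] = {}
    for rel, fn, head in entries:
        reasons = classify(fn, head, media_stems, bool(media_stems))
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_torrent(root: str) -> None:
    """Constructed stand-in for a booby-trapped torrent: correct magic bytes, no real code."""
    os.makedirs(os.path.join(root, "video"), exist_ok=True)
    files = {
        # the genuine video, tucked into a sub-directory as the article describes
        os.path.join("video", "Drama.E01.720p.mp4"): b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32,
        # shown by Explorer as 'Drama.E01.720p.mp4' because the .lnk extension is hidden
        "Drama.E01.720p.mp4.lnk": LNK_MAGIC + b"\x00" * 32,
        # a PE image under a fake archive extension, named like a codec installer
        "starcodec.pma": PE_MAGIC + b"\x90\x00" + b"\x00" * 40,
        "readme.txt": b"install the codec first\r\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


def demo_findings() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_torrent(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, reasons in sorted(demo_findings().items()):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Pointing scan_tree at a real download directory gives the same two hits for the layout described above. Note that the leak.dll used with the game disguise keeps a genuine executable extension, so only the "executable bundled in a video torrent" rule would catch it, and only when the torrent also contains media; for game torrents the filename list from the article remains the practical indicator.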

GoBotKR was built on the basis of a backdoor named GoBot2, the source code of which has been publicly available since March 2017. Both the original and the modified version are written in Go (also known as Golang). While still relatively rare for malware, new Go-based malware families keep emerging, likely because its large, statically linked executables are slower and harder for analysts to pick apart.

The functionality of GoBotKR largely overlaps with the published GoBot2 source code, with only minimal modifications. Overall, the malware is not particularly complex technically, and the implementation is rather straightforward. Most features are implemented with Go libraries, by executing Windows commands (such as cmd, ipconfig, netsh, shutdown, start, systeminfo, taskkill, ver, whoami, and wmic), and through third-party utilities such as the BitTorrent and uTorrent clients.

Collected information

Ultimately, the actors behind GoBotKR are building a network of bots that can then be used to perform DDoS attacks of various kinds (e.g. SYN flood, UDP flood, or Slowloris). Once executed, GoBotKR therefore first collects system information about the compromised computer: network configuration, OS version, CPU and GPU models and, in particular, a list of installed antivirus software.

This information is sent to a C&C server, which helps the attackers determine which bots should be used in the respective attacks. All C&C servers that we extracted from the analyzed malware samples are hosted in South Korea and registered by the same person.

Bot commands

Once communication with the C&C server is established, the server instructs the compromised computer with backdoor commands. GoBotKR supports fairly standard botnet functions, which mostly serve three main purposes:

  • allowing misuse of the compromised computer
  • allowing the botnet operators to control, or further extend, the botnet
  • evading detection or hiding from the user

These are the supported commands:

  • carry out a DDoS attack on a specified victim
  • access a URL
  • execute a file, a command, a script
  • update, terminate or uninstall itself
  • shutdown/reboot/log off the computer
  • change homepage in IE
  • change desktop background
  • seed torrents
  • copy itself to connected removable media and set up an AutoRun entry
  • copy itself to public folders of cloud storage services (Dropbox, OneDrive, Google Drive)
  • run a reverse proxy server
  • run an HTTP server
  • change firewall settings, edit hosts file, open a port
  • enable/disable Task Manager
  • enable/disable Windows registry editors
  • enable/disable Command Prompt
  • kill a process
  • hide a process window

Of particular interest are two commands – seeding torrents and DDoS capability.

The “seed torrents” command lets the attackers misuse the victimized machines to seed arbitrary files using the BitTorrent and uTorrent programs, even if these are not already installed on the system. This can serve as a mechanism to distribute the malware further.

The “carry out a DDoS attack” command lets the attackers abuse the victim’s network bandwidth to make targeted services, such as websites, unavailable. According to our analysis, this is most likely the main purpose of the GoBotKR botnet.

Evasion techniques

In this section, we explore the evasion techniques used by the GoBotKR backdoor. Many of them were already present in the publicly available GoBot2 source code, but the authors of GoBotKR extended them with South Korea-specific features. This shows that the attackers customized the malware for a specific audience while making an extra effort to remain undetected during their campaign.

Techniques taken from GoBot2

The following detection evasion and anti-analysis techniques used by GoBotKR have been adopted from GoBot2 source code:

  • The malware installs two instances of itself on the system. The second instance (a watchdog) monitors whether the first instance is still active and reinstalls it if it has been removed.
  • The malware employs antivirus emulation bypass techniques: it allocates large chunks of memory and delays execution of the malicious payload, so that antivirus engines, which emulate code under tight time and memory budgets, give up before reaching it.
  • The malware can detect selected security and analysis tools, such as debuggers, and terminates itself if any are found.
  • The malware terminates itself if the information about the victim’s public IP address points to one of several blacklisted organizations (e.g. Amazon, BitDefender, Cisco, ESET). It obtains this information from legitimate external websites and searches the reply for hardcoded strings (e.g. “cloud”, “Cisco”, “Microsoft”), rather than using API functions.
  • The malware terminates itself if its file name consists of 32 hexadecimal characters. Many automated sandboxes rename submitted samples to their MD5 hash, which has exactly that form, so this check prevents the payload from executing in such environments.

South Korea-specific modifications in GoBotKR

The authors of GoBotKR added three new evasion techniques, related to their focus on South Korea:

  • As explained in the previous section, the malware uses IP information about the compromised computer to detect whether it is running in one of the blacklisted organizations. In GoBot2, the IP address of the victim is determined by accessing Amazon Web Services or dnsDynamic and parsing the reply. In the GoBotKR samples we analyzed, these URLs are replaced with the South Korean online platforms Naver and Daum.
  • GoBotKR features a new evasion technique that scans running processes on the compromised system to detect selected antivirus products (listed in Table 1). If any of the products are detected, the malware terminates itself and removes some traces of its activity from the host. The list of detected processes includes products by AhnLab, a South Korean security company.
Process name substring   Associated company/product
V3Lite                   AhnLab, V3 Internet Security
V3Clinic                 AhnLab, V3 Internet Security
RwVnSvc                  AhnLab Anti-Ransomware Tool
Ksde                     Kaspersky
kavsvc                   Kaspersky
avp                      Kaspersky
Avast                    Avast
McUICnt                  McAfee
360                      360 Total Security
kxe                      Kingsoft Antivirus
kwsprotect               Kingsoft Internet Security
BitDefender              BitDefender
Avira                    Avira
ByteFence                ByteFence

Table 1. List of security products detected by GoBotKR

  • The malware tries to detect analytical tools running on the system. It terminates itself if any of them are detected. The list is internally named “ahnNames”, which might be another reference to AhnLab.

Figure 2. The malware’s blacklist of running processes is internally named “ahnNames”

In addition to the AhnLab references, the second and third techniques above were added to the source code in a file named AhnLab.go, according to the metadata we recovered from the compiled samples.
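The three self-termination checks described above (the 32-hexadecimal-character file name test inherited from GoBot2, the string search over the IP-information reply, and the Table 1 process-name scan) can be reconstructed from the description alone, which is useful when tuning a sandbox so that a sample does not bail out before showing its behaviour. The following Go program is an added example written for this page; it is neither ESET's code nor the malware's. Case-insensitive matching, the three IP-information strings (only those quoted above are known) and the free-text shape of the IP-information reply are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Process-name substrings from Table 1 (the check added in AhnLab.go).
var avProcessSubstrings = []string{
	"V3Lite", "V3Clinic", "RwVnSvc", "Ksde", "kavsvc", "avp", "Avast",
	"McUICnt", "360", "kxe", "kwsprotect", "BitDefender", "Avira", "ByteFence",
}

// Strings the article quotes as examples searched for in the IP-information
// reply; the real hardcoded list is longer and not reproduced on the page.
var ipInfoBlacklist = []string{"cloud", "Cisco", "Microsoft"}

// Many automated sandboxes rename a submission to its MD5 hash, which is
// exactly 32 hexadecimal characters.
var hexHashName = regexp.MustCompile(`^[0-9a-fA-F]{32}$`)

// baseName strips the directory (either separator style) and the extension.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	if i := strings.LastIndex(p, "."); i > 0 {
		p = p[:i]
	}
	return p
}

// IsHexHashName reports whether the executable's own name is 32 hex characters.
func IsHexHashName(exePath string) bool {
	return hexHashName.MatchString(baseName(exePath))
}

// SecurityProductsSeen returns each Table 1 substring found in any running
// process name. Case-insensitive matching is an assumption; a short substring
// such as "360" or "avp" will also hit unrelated process names.
func SecurityProductsSeen(processNames []string) []string {
	var hits []string
	for _, sub := range avProcessSubstrings {
		for _, name := range processNames {
			if strings.Contains(strings.ToLower(name), strings.ToLower(sub)) {
				hits = append(hits, sub)
				break
			}
		}
	}
	return hits
}

// IPInfoBlacklisted searches the text returned by the IP-lookup site (Naver or
// Daum in GoBotKR, AWS or dnsDynamic in GoBot2) for the hardcoded strings.
func IPInfoBlacklisted(ipInfoReply string) (bool, string) {
	lower := strings.ToLower(ipInfoReply)
	for _, s := range ipInfoBlacklist {
		if strings.Contains(lower, strings.ToLower(s)) {
			return true, s
		}
	}
	return false, ""
}

// WouldBailOut combines the three checks: if any fires, the backdoor
// terminates before its payload runs, so the sandbox sees nothing.
func WouldBailOut(exePath string, processNames []string, ipInfoReply string) (bool, []string) {
	var reasons []string
	if IsHexHashName(exePath) {
		reasons = append(reasons, "file name is 32 hex characters")
	}
	for _, h := range SecurityProductsSeen(processNames) {
		reasons = append(reasons, "security product process matched: "+h)
	}
	if hit, s := IPInfoBlacklisted(ipInfoReply); hit {
		reasons = append(reasons, "IP information mentions blacklisted string: "+s)
	}
	return len(reasons) > 0, reasons
}

func main() {
	// Constructed sandbox-like environment: sample renamed to its MD5, Avast running.
	bail, why := WouldBailOut(`C:\sandbox\d41d8cd98f00b204e9800998ecf8427e.exe`,
		[]string{"explorer.exe", "AvastSvc.exe"}, "ISP: Example Broadband")
	fmt.Println(bail, why)

	// Same sample under its original lure name on a clean host with a residential ISP.
	bail, why = WouldBailOut(`C:\Users\user\Downloads\starcodec.pma`,
		[]string{"explorer.exe"}, "ISP: Example Broadband")
	fmt.Println(bail, why)
}
```

The first scenario in main reports two reasons to bail out (an MD5-style file name and an Avast process), the second none. The practical takeaways for a sandbox operator are to rename submissions to something other than a bare hash, to keep the process list free of the Table 1 substrings, and to egress through an IP address whose registration data does not mention a cloud or security vendor.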

Because the malware spreads via torrents, many of the samples we obtained are corrupted or incomplete. We were nevertheless able to recover C&C servers and internal version information from them.

Since the malware was first seen, we have detected samples with internal versions 2.0, 2.3, 2.4 and 2.5. Each version brings minor technical improvements or differences in implementation. This versioning differs from that used in the GoBot2 source code, which uses the internal name “ArchDuke”.

Table 2 lists the GoBotKR versions detected by ESET systems from May 2018 to the time of writing. The timeline is based on the malware’s internal version numbers and on our detection dates, because the PE timestamps have been cleared from the samples.

First seen   Internal version   Functionality linked to South Korea   C&C server
May 2018     2.0                No                                    https://jtbcsupport[.]site:7777/
Jul 2018     2.0                Yes                                   https://jtbcsupport[.]site:7777/
Aug 2018     2.0                Yes                                   https://higamebit[.]com:6446/
Sep 2018     2.3                Yes                                   https://kingdomain[.]site:6556/
Sep 2018     2.3                Yes                                   https://bitgamego[.]com:6446/
Sep 2018     2.3                Yes                                   https://higamebit[.]com:6446/
Sep 2018     2.3                Yes                                   https://helloking[.]site:6446/
Jan 2019     2.4                Yes                                   https://kingdomain[.]site:6556/
Jan 2019     2.5                Yes                                   https://kingdomain[.]site:6556/

Table 2. GoBotKR version timeline

As the table shows, the first samples detected in May 2018 were not yet customized for South Korean targets and were thus almost identical to the GoBot2 source code. We were nevertheless able to link them to the newer samples because they used the same C&C server.

If you suspect you might have fallen victim to this malware campaign, we recommend you scan your computer with a reliable security solution. ESET products detect and block this malware under the detection name Win64/GoBot2. You can use ESET’s Free Online Scanner to check your computer for the presence of this threat and remove anything that is detected. Existing ESET customers are protected automatically.

Pirated content distributed via torrent sites is a well-known vector for spreading all kinds of malware. To steer clear of similar attacks in the future, stick to official sources when downloading content. Before launching downloaded files, check that their extensions match the expected file types; Windows hides known file extensions by default, so enable their display. To keep your computer protected, patch regularly and use reputable security software.

Indicators of Compromise (IoCs)

ESET detection name

Win64/GoBot2

C&C servers

jtbcsupport[.]site
kingdomain[.]site
higamebit[.]com
bitgamego[.]com
helloking[.]site

SHA-1

Note that some samples may be corrupted because of the distribution mechanism (incomplete torrent downloads).

Version 2.0

038C69021F4091F0B1BE3F059FCDC1C4FA8885D2
092A4F085A01E0D61418114726B9F9EF9F4683C3
11953296BBC2B26303DED2F92FB8677BD8320326
11BF60CC2B8AC0321635834820460824D76965DE
275EE3BD90996EF54DB5931CBDF35B059D379E0E
424215E74EA64FC3A55FE9C94B74AFC4EA593699
4899912880FF7B881145B72A415C7662625E062E
6560BD68CD0CA0402AB28D8ABE52909EB2BA1E10
6A58E32DFF59BAEE432E5D351EAD7C7CB939CCB7
6BE3A40D89DDCDCFA37926A29CE5BCC5FF182D12
77EAE50B8C424338C2987D6DFF52CE0F0BBBD98F
A04EB443942DD3906A883119429BF09A3601B3E0
A61D72BA8AE6A216F1D5013A05CEA8D4F96E81E1
B60DA1F89313751FAA21DD394D6D862CC8C2DBE4
B7CEAE53118890011B695E358633CCD35E8CD577
BDBA27E525D6DC698C1CF90B07F4FB85956E9C28
C31955C4D3C38591BBC8A2089F23B5558146267B
D688A58001E41A8CA22EABCA309DA9FCD2910CB3
DD18D7B0ADE5E65EFDE920C9261E8890B4105B75
E0046D91BED1B3A09243C43760599DC9D8F99953
E00F1BB85A277A8C1ED081642EF76413B2FF7EA9
EA968D757281E6BB5D9334E7F2C9ECDA69EA15A9
F9C40789C780174F6BB377AE46F49B94E402AE77
FFF263FA9E16F7945BCE21D0F6C11C75DAA241D8

Version 2.3

018927A35B2CEC08D5493CB75BAA62D6956D0109
063C462E98453AD6E4091A5AB35613CAF19DF415
082A026BD14F69AF46641ABF20520B3D2D0D6E6A
084A7E6B7DD955554FCED021DF58458C7E66EBB2
097248EB38277DA879F5D606179C746DB6BB2C54
0DBA9DDBBB12FA4FE22CD4EE16EF8DCC73B7D295
0E9D0C1A82DFB53DF9BB8B75D3A90B2236704498
0F4BB3FC6771D306565E1002B3327A9F2AED92AF
14129424593DC8B1865F491A9CA92BE753B2A7F0
16703AE741257EAF2EC76E097D17F379E3FCB29D
1BE6DB3F30B41A8777819C9D04056923C74E052E
1C4FDDDBB8402D3A1E70E5DCD4C0187C6F55ABA3
1F966B8540CF9716640DF39FA0B97FBA62200C1F
1FCE2D1735C226DC688EC191B18EF773D0B51830
2145B398927E056AFEA963CCEE39D60760F4FD21
2172B67E6E17944C74468634C1BB52269187D633
227198CB1BB02601E6E707892DC50CB9F11D1C62
25E43D900CD7AA89A209F97CC8B1E718B2E98F6B
2B0D9C7D0D9C847822283EBCB7D4E650A5DC8104
2C4B970778D8F4441EB93DA34A279E7A678E370A
2F6320819D541AE804873EA5AD3E93C0B21028F3
2F635862C92A31CE39F87262D77FC022810F40D3
31AE67F632FC6B278BD6D50D298585BF53A844DB
3356BFD26189533E8E77BFC6E59A5ED25F6BE1E2
354D5135660292C9D4DD5C394ECAAC5DC3719D8A
37902317F4B751C80C4404F6FC6A831602B9B540
3918E9F79C154F6031DA52A21F1F7477715B28BC
3B0B403BAFC72FD86EEC6474886AA7233083888F
3DD1A7A8533676FD471C69AD39DCEE0FBBE7E1FD
4186AECA8B229B51EFD559E7B839E669374673AD
426D064FDBB9AFB694F67F37942BBBD0C2E4AD69
42C4F415580B0EB17E139E92A2DA111BF6CCAF7F
446C3F1EFB3A44FEA98F23AEBBC925DD0C330BE6
4596E0D116A511E204A57877538EA26D174E269E
46D398B78C2DFF0118100B6507F049E867E5195F
4709995AC0FB5F32129AAD235755A8BEB9B355ED
47918740BA72FD3857F209069D6674AF8EFD411B
49A56E7A0BCF3538555078BFFA7DDBB60ADF0DDE
4C3D825798056EEF7E3FE33BDA777F9E70D4E7D4
4F4781B24879DF51652DF3FB24F156F76F78B376
4F6E7EA69CD44E5065EAD8655BC4105375D33A06
5B96C0349C07D6B37F1D3EC9F792CB5848FC48C6
5CD88B03821C3B84D7397D166233A15C0041B38B
5D93972D0352DF08DC06FF5AF120B328654B272F
5E7BEB4E8A35B234D263DDE0AED33C6C9A0D1D57
60CA70EDA899EE58AD419F513F5FB279B89C87A4
60D3445A6A15C8396356AC6F9807965A8E7BFA67
60F638CAD3116DB2FE580C31800A66836D534986
64FC3A6B5F0FA745D66DC66ED2FBC75A7C71C747
660C360B3DF4354FDAFA6454B7E19588FFE296E1
6D90CC4FF3A7F91FDFD904E73CDE3351F14EA828
6FC19EB46CAFC1A18F99119EB7353DE116F1BDFD
718957E417194A6EBD3B55C77AB3EB405E30257B
734F33BCDBF062DDEA90B2B89AF5DC4F0B292594
7688C3DCD43605BDC5E3AED03F6D87E18AEAC9AC
779366C5B356383A2286441EB84140C13000510C
7CD7334FC7CE9701A7C4FE091CC3EC01D07363D9
7DF8023457D50FF9F66CDB4C914206A163BD1713
7F95715B0BF80B7BBECC757D613084D76334101C
830F1387DFEC3D7F8D5678EED8A7C45C76B5DBE6
8368E9DEAE2F880D37232E57240CA893472C8BD3
8AFECBF940273C979D01856E1332EFF6EFE24D09
900E1C9666EECACA47DD59D908EED5480CF92953
9166AB0420C9223F23AC5C4EC5503F75505E5770
94D723C409EF4C4308113F3DBB3CB7E1084C3E12
966B722D6180AC774CFF51CFD20A1C1B966E3F43
98826BC207F1914867572561B4E0643DBE8FD8E4
9DD65F76AAF739AEF7EB9D4601ED366B3B48B121
9E6E772E41F452ED695310BCFA2B88429F12100A
9EDA0E8C2F0EDE283DC1457E4967002BDF3D376F
A9A0A33466B54A5617F986F6B160E10C5B8D81DA
AEF7725E9B945C7BCCCD7A23B1C1C1E40EEAC774
B052FC4D36F40C225397127EFB31628E8B96DC48
B563B60ED58C99199CCAB44496F858A5D42E54E7
B56A6FB4EC95793407752294782EF914EF497C8F
B57736D4F14F4E157D23C14E627A817A03C2DE24
B703848F4BC390E3E9516E3E4C746AD7C616FF96
B8F46453C1E5C03DAD1C07AB8705BE3E4F4224D2
BB7438119A8A2F79CF06BDAA14D8CACA57E05B17
BB89551AA131832395B1589C0E25D3F013A22A24
BCD2027681DD5628F0741B79B1D7C2AC4573D8E2
BD3859586D4C1701498EEFD05BB2E016848CE95D
BF42743314770340DDB5C80F22F39C6E07F74252
BFCB367868E4CFBA880E41B37241E089382F424C
C0B5CE4D03AED769DCCD5BA2BB5296C7D9F55F68
C13BED8DADA964EBF2A88786715FF83F0A1A8BCA
CBA77FE9FA0759AE0CD073D3B126F73BEB340814
CC98D9E90B7DA6E314434A246653B718ABF72FBB
CD880876565DF58EAFC033C0D207E2B2613F8C0D
CE1B68F65E2CC9A060996E58101B80C907C63377
D1D603E24FD82B6BE32B99A25A86F6CD46F3A8AF
D7423A1F56FFF460031419856FE4F7C557E1A2BF
D8ACB99F04A5EC3E355B947885E02977D6C37AF0
DA6603AC6CB47A3C448CB232EB0116BD62C7B7E4
DD1E3544F8363517556A91EBA40E85EE3638528E
DE5F6E4F559BD9FD716271AA35AFF961DF620B84
DEEC9543303C8211AD2C781F4AA936EFC191F64F
DFF022EC8223676E0D792DD126EE91B0D3059C4C
E22D6F80F0FA05446D3AF7D57EB920BA89DBEE9E
E31ABA7D0BBE49F7E66BD04379BC4837A7C91E46
E3204213E526C6ED3F8BE49D8E493DB5E92EC52A
E51519CF8C9522B4266D7CFC7125AF111DB259E7
E6AB36FE3BBDE63B28BFDF27D8890048FEA1E66D
E95A1D9E57821EBA66B421A587A014EB297DE69F
EA2BB07BB8AD5BFE1F0E92AD7B64D960600924C9
EBB140CDF75386E0FA7746910EB6596323184A7F
EDFA500254F315407783F302E85A27D8C802E4F8
EE8198049EBE16E2BA86163361FE4B5F7768FA2E
F0C6B2DEAB37A6BF78E4DF66FC4DD538F5658F6A
F15ED7BE791A2DD2446A7EF5DF748ACB474C0E98
F3DD44C8FC41D466685D8F3B9D3EA59C479230B6
F8353AB3D4D6575FD68BE1ECCF6446A5100925C9
FA22EB25A1FCBD26D5E6B88B464B61BCC4B303C2
FAEE079AABB92B4C887BA3FBEE4D1D63732D72A3
FD37E55481C7941B420950B0979586BDE2BA6B8A
FFD169CBB8E6DC9F1465AC82DDDC4C99AB59C619

Version 2.4

896FB40BACBF8B51A06AAF49523DE720D1C21D53
A997A5316D4936F70CDF697DF7E65796CE11B607

Version 2.5

27ED3426EA5DB2843B312E476FFFCF41BA4FDD31
C4074FCC7A600707ADCAF3DD5C0931E6CBF01B48

Registry values

The registry key used by GoBotKR is a subkey under HKCU\SOFTWARE whose name is taken from a hardcoded list and mostly mimics legitimate software names.

The following registry values are used:

ID
INSTALL
NAME
VERSION
REMASTER
LAST
WATCHDOC

MITRE ATT&CK techniques

Initial Access
  • T1189 Drive-by Compromise: GoBotKR has been distributed through torrent file-sharing websites to South Korean victims, using games or Korean movies/TV series as a lure.

Execution
  • T1059 Command-Line Interface: GoBotKR uses cmd.exe to execute commands.
  • T1064 Scripting: GoBotKR can download and execute scripts.
  • T1204 User Execution: The operators make the malware look like the torrent content the user intended to download, to entice the user to launch it.

Persistence
  • T1060 Registry Run Keys / Startup Folder: GoBotKR installs itself under registry Run keys to establish persistence.
  • T1053 Scheduled Task: GoBotKR schedules a task that adds a registry Run key to establish persistence.

Privilege Escalation
  • T1088 Bypass User Account Control: GoBotKR attempts to bypass UAC using registry hijacking.

Defense Evasion
  • T1140 Deobfuscate/Decode Files or Information: GoBotKR has used base64 to obfuscate strings, commands and files.
  • T1089 Disabling Security Tools: GoBotKR may use netsh to add local firewall rule exceptions.
  • T1158 Hidden Files and Directories: GoBotKR stores itself in a file with the Hidden and System attributes.
  • T1070 Indicator Removal on Host: GoBotKR removes the Zone.Identifier alternate data stream (ADS) from its file, to conceal that the file was downloaded from the internet.
  • T1036 Masquerading: GoBotKR uses file names and registry key names associated with legitimate software.
  • T1112 Modify Registry: GoBotKR stores its configuration data in registry keys. It can also modify registry keys to disable Task Manager, Registry Editor and Command Prompt.
  • T1027 Obfuscated Files or Information: GoBotKR uses base64 to obfuscate strings, commands and files.
  • T1108 Redundant Access: GoBotKR installs a second copy of itself on the system, which monitors and reinstalls the primary copy if it has been removed.
  • T1497 Virtualization/Sandbox Evasion: GoBotKR performs several checks on the compromised machine to avoid being emulated or executed in a sandbox.

Discovery
  • T1063 Security Software Discovery: GoBotKR checks for processes associated with security products and debugging tools, and terminates itself if any are detected. It can enumerate installed antivirus software using the wmic command.
  • T1082 System Information Discovery: GoBotKR uses the wmic, systeminfo and ver commands to collect information about the system and the installed software.
  • T1016 System Network Configuration Discovery: GoBotKR uses netsh and ipconfig to collect information about the network configuration. It has used the Naver and Daum portals to obtain the client’s public IP address.
  • T1033 System Owner/User Discovery: GoBotKR uses whoami to obtain information about the victimized user. It runs tests to determine the privilege level of the compromised user.
  • T1124 System Time Discovery: GoBotKR can obtain the date and time of the compromised system.

Lateral Movement
  • T1105 Remote File Copy: GoBotKR attempts to copy itself into public folders of cloud storage services (Google Drive, Dropbox, OneDrive). It is also able to spread itself by instructing the compromised machine to seed torrents with the malicious file.
  • T1091 Replication Through Removable Media: GoBotKR can drop itself onto removable media and relies on AutoRun to execute the malicious file when a user opens the removable media on another system.

Collection
  • T1113 Screen Capture: GoBotKR is capable of capturing screenshots.

Command and Control
  • T1090 Connection Proxy: GoBotKR can be used as a proxy server.
  • T1132 Data Encoding: The communication with the C&C server is base64 encoded.
  • T1105 Remote File Copy: GoBotKR can download additional files and update itself.
  • T1071 Standard Application Layer Protocol: GoBotKR uses HTTP or HTTPS for C&C.
  • T1065 Uncommonly Used Port: GoBotKR uses non-standard ports, such as 6446, 6556 and 7777, for C&C.

Impact
  • T1499 Endpoint Denial of Service: GoBotKR has been used to execute endpoint DDoS attacks, for example TCP flood or SYN flood.
  • T1498 Network Denial of Service: GoBotKR has been used to execute network DDoS attacks.
  • T1496 Resource Hijacking: GoBotKR can use the compromised computer’s network bandwidth to seed torrents or execute DDoS attacks.
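The C&C domains in the IoC section, the non-standard HTTPS ports from Table 2 (T1065 above) and the published SHA-1 hashes can be turned into a simple retrospective hunt over proxy logs. The following Go program is an added example written for this page, not ESET's tooling. The log line format and the log lines themselves are constructed for the demo, and only three of the published hashes (the version 2.4 and 2.5 entries) are included to keep the listing short.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding is one IoC match: which log line and why.
type Finding struct {
	LineNo int
	Reason string
}

// C&C domains from the IoC section, pasted de-fanged and re-fanged for matching.
var cncDomains = refangSet([]string{
	"jtbcsupport[.]site", "kingdomain[.]site", "higamebit[.]com",
	"bitgamego[.]com", "helloking[.]site",
})

// Non-standard HTTPS ports the C&C servers listened on (Table 2, T1065).
var cncPorts = map[int]bool{6446: true, 6556: true, 7777: true}

// Three SHA-1s copied from the version 2.4 and 2.5 entries of the IoC list.
var knownSHA1 = map[string]bool{
	"896fb40bacbf8b51a06aaf49523de720d1c21d53": true,
	"27ed3426ea5db2843b312e476fffcf41ba4fdd31": true,
	"c4074fcc7a600707adcaf3dd5c0931e6cbf01b48": true,
}

// SampleLog is constructed for this demo; it is not real telemetry.
// Assumed format: <timestamp> <client_ip> <method> <host:port> <sha1_of_downloaded_file|->
var SampleLog = []string{
	"2019-01-14T10:02:11Z 10.0.0.12 CONNECT kingdomain.site:6556 -",
	"2019-01-14T10:02:30Z 10.0.0.12 GET cdn.example.com:443 27ED3426EA5DB2843B312E476FFFCF41BA4FDD31",
	"2019-01-14T10:03:02Z 10.0.0.31 CONNECT mail.example.net:443 -",
	"2019-01-14T10:03:40Z 10.0.0.31 CONNECT 203.0.113.7:7777 -",
	"truncated line",
}

func refangSet(defanged []string) map[string]bool {
	set := make(map[string]bool, len(defanged))
	for _, d := range defanged {
		set[strings.ToLower(strings.ReplaceAll(d, "[.]", "."))] = true
	}
	return set
}

// splitHostPort lowercases the host and parses the port; a missing or
// unparsable port yields 0, which can never match the C&C port set.
func splitHostPort(hp string) (string, int) {
	i := strings.LastIndex(hp, ":")
	if i < 0 {
		return strings.ToLower(hp), 0
	}
	port, err := strconv.Atoi(hp[i+1:])
	if err != nil {
		port = 0
	}
	return strings.ToLower(hp[:i]), port
}

// ScanProxyLog checks every line against the three IoC sets. Malformed lines
// are skipped rather than aborting the scan.
func ScanProxyLog(lines []string) []Finding {
	var out []Finding
	for n, line := range lines {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		host, port := splitHostPort(f[3])
		for d := range cncDomains { // the domain itself or any subdomain of it
			if host == d || strings.HasSuffix(host, "."+d) {
				out = append(out, Finding{n + 1, "C&C domain " + d})
			}
		}
		if cncPorts[port] {
			out = append(out, Finding{n + 1, "C&C port " + strconv.Itoa(port) + " (low confidence on its own)"})
		}
		if h := strings.ToLower(f[4]); knownSHA1[h] {
			out = append(out, Finding{n + 1, "known GoBotKR sample " + h})
		}
	}
	return out
}

func main() {
	for _, f := range ScanProxyLog(SampleLog) {
		fmt.Printf("line %d: %s\n", f.LineNo, f.Reason)
	}
}
```

A port match is flagged as low confidence because plenty of legitimate services use 7777 or 6446; on its own it is a prompt to look at the destination, whereas a domain or hash hit is an IoC match in its own right. The de-fanged domains are re-fanged inside the program so the list can be pasted verbatim from the IoC section.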

8 Jul 2019 – 11:30AM

Week in security with Tony Anscombe

Chinese smart home solutions provider Orvibo has leaked two billion logs from devices managed via its cloud platform, exposing sensitive information about their users

Chinese smart home solutions provider Orvibo has leaked two billion logs from devices managed via its cloud platform, exposing sensitive information about the devices’ users. The UK’s National Health Service, which was badly hit by WannaCryptor two years ago, remains vulnerable to similarly crippling incidents. A former Equifax executive goes to jail for insider trading related to the massive data breach that hit the credit bureau in 2017. All this – and more – on WeLiveSecurity.

NHS warned to act now to keep hackers at bay

A trifecta of issues impact the organization’s cyber-resilience and conspire to put it in the firing line of cyberattacks

Two years after being badly hobbled by the WannaCryptor outbreak, the United Kingdom’s National Health Service (NHS) still has a lot of work to do to avoid another crippling cyber-incident, according to a white paper from the Institute of Global Health Innovation at Imperial College London.

A trio of problems – outdated computer systems, underinvestment in cybersecurity, and a shortage of cybersecurity awareness and skills – put the institution and the safety of its patients at risk. The white paper was presented at the House of Lords yesterday.

“A cyberattack on a hospital’s computer system can leave medical staff unable to access important patient details – such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care. It can also prevent life-saving medical equipment or devices from working properly, and in some cases lead to patient data being stolen,” reads a dire warning from the experts.

They also highlight risks associated with the use of new technologies in the healthcare system, including “robotics, artificial intelligence, implantable medical devices and personalized medicines based on a person’s genes”, and call for security to be built into the design of these technologies.

Then there is of course the need to manage third-party risk, as reliance on external IT service providers may leave patient data vulnerable to theft and exploitation.

Says ESET cybersecurity specialist Jake Moore: “More and more third-party technology firms are brought into helping government organizations with their day-to-day work as outsourcing is seen as a cheaper option. However, when such third-party operations are chosen, the main reason can sometimes be on cost alone, which can inevitably put security and protection of the systems lower down the priority list”.

“To see the NHS attacked again would be a disaster; therefore, protecting confidential health data on its patients should be seen as priority number one whatever the cost,” he added.

Way to go

The white paper acknowledged work that is being done across the healthcare system to boost its cyber-preparedness, including a plan announced by the Department of Health and Social Care in October 2018 to spend £150 million (US$188 million) over the next three years to bolster the NHS’s cyber-preparedness.

Having said that, the document also says that additional investments are urgently needed and suggests more measures for NHS organizations to put in place with an eye towards improving their ability to fend off cyberattacks.

Among other things, it urges the NHS to hire cybersecurity professionals, ensure that staff know where they can ask for help and guidance on IT security, and implement network segmentation and segregation strategies to stop potential threats from spreading further and limit the damage.

WannaCryptor cost the NHS £92 million ($115 million).

3 Jul 2019 – 05:31PM

Two billion user logs leaked by smart home vendor

The leak, which apparently has yet to be plugged, exposes a range of very specific data about users

A Chinese smart home solutions provider has been leaking billions of logs from devices managed via the company’s cloud platform, exposing a range of sensitive information about their users.

The database – which was found sitting on an Elasticsearch server with no password protection – belongs to a Chinese company called Orvibo. The platform, called SmartMate, is used by customers from around the world to manage their Internet-of-Things (IoT) devices, including home entertainment and security devices, and energy management and HVAC systems. A maker of around 100 smart home or smart automation products, Orvibo claims to have a million customers, both individual users and businesses.

Researchers at vpnMentor, who discovered the misconfigured server in the middle of June and described their findings in this blog post, wrote that Orvibo has been notified of the issue several times since June 16. Per latest reports (from yesterday), the database remains exposed.

There is no evidence that cybercriminals have accessed the data, but with such abundance of identifying information the scope for abuse is practically endless.

Says ESET cybersecurity specialist Jake Moore: “Criminal groups may have been aware of this data exposure, but it is unknown if anyone has taken advantage of this leak yet and I’d hope it would be plugged quite quickly now it is out. What a criminal hacker could do with this goes as far as their imagination will take them”.

What data?

The user logs – no fewer than two billion of them, in fact – contained a collection of truly varied and very specific data. There were user IDs, family names and IDs, email addresses, hashed (but not salted) passwords, smart device details, precise location data, IP addresses, as well as account reset codes, which could be used to lock people out of their accounts.

Scheduling information for things such as smart lights is also there for anyone to see. Combined with the geolocation data, this might expose people to burglaries. In one case, a smart camera log contained “a message that was recorded word for word”, according to the analysis, complete with a host of screenshots showing redacted examples of the leaked data.

2 Jul 2019 – 06:46PM

Ex-Equifax executive sent to jail for insider trading after breach

“Sounds bad”, the former Equifax CIO wrote in a text after learning of the breach that ended up affecting almost half the US population

The Equifax debacle is in the news again, as a former executive of one of the firm’s business units was sentenced to four months in prison last week for capitalizing on early knowledge of the massive security incident two years ago, according to a press release by the US Department of Justice (DOJ).

Jun Ying, the former Chief Information Officer (CIO) of Equifax’s US Information Solutions division, pled guilty back in March to selling his shares in the credit bureau. He admitted to dumping his stock after becoming aware of the breach but before it was disclosed a week and a half later.

This ultimately earned him the prison sentence, which was imposed last Thursday, as well as a fine of US$55,000. He was also ordered to pay restitution worth some US$117,000 and the prison time will be followed by a year of supervised release.

According to MarketWatch citing a court filing, prosecutors were seeking a longer jail time – a year and three months, as well as a $75,000 fine and the restitution worth US$117,000.

“Sounds bad”

As retold in detail by the DOJ, Ying knew full well what he was doing when becoming aware of the hack, and acted with alacrity:

On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on “sounds bad. We may be the one breached.” The following Monday, Ying conducted web searches on the impact of Experian’s 2015 data breach on its stock price. Later that morning, Ying exercised all of his stock options, resulting in him receiving 6,815 shares of Equifax stock, which he then sold. He received proceeds of over $950,000, and realized a gain of over $480,000, thereby avoiding a loss of over $117,000. On September 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling.

The breach at Experian, a competitor to Equifax, affected up to 15 million people.

Meanwhile, the breach at Equifax was eventually found to affect up to 148 million people. One in every two Americans, as well as hundreds of thousands of Canadians and Brits, had a range of sensitive information, including names, social security numbers, birth dates and addresses, siphoned by hackers. As we recalled a few weeks ago, the incident was facilitated by a critical vulnerability in the Apache Struts web application framework for which a patch was issued on March 6, 2017 but which Equifax failed to install in time.

Ying is the second former Equifax executive to face the music over insider trading relating to the data breach. Last October, former Equifax software product development manager Sudhakar Reddy Bonthu was sentenced to eight months of home confinement, fined $50,000, and made to give back his ill-gotten gains.

1 Jul 2019 – 06:00PM