The Cybersecurity Express – issue #5

Good day and welcome aboard the Cybersecurity Express for another information packed adventure to the corners of the malicious underground to satisfy your appetite for shady tech news. On today’s ride, we will visit the past and see how a forgotten botnet malware is being brought back to life, a ransomware’s software flaw being used to decrypt its very own encrypted files, and lastly, because you’ve been good the past year, CISA put together a present, just for you.

IoT Still Haunted by the Ghost of Mirai

In this day and age, considering how rapidly software and computing evolve, 6 years is a really, really long time. So, it’s safe to assume that you may be too young to know about the Mirai malware, that harvested the power of about 100.000 IoT devices running Linux (like the smart TV in your living room, or your wi-fi enabled light bulb) to almost bring down the entirety of the US internet in October 2016. The targets were the DNS servers of Dyn, a company that controls much of the Internet’s domain name system infrastructure. This attack was of an unprecedented scale for its time, managing to bring down web giants such as Twitter, the Guardian, Netflix, Reddit, CNN, among others.

Perhaps it was fate which made it so that the name chosen at the time was Mirai, which means “future” in Japanese, foreshadowing that the soul of this malware would, one day, come back to haunt us. Or maybe the researchers really understood that, although still in its infancy back then, the IoT would only multiply in the coming years, and that what they just have witnessed was only a taste of what the future had to offer.

It just so happens that in 2020 and 2021 data revealed an increase in IoT device led attacks, and given the total number of IoT devices connected worldwide is projected to be about 30.9 billion devices by 2025, this is a trend that we’ll only start hearing more of. The situation is only made worst by the security breaches suffered by compromised IoT manufacturers and the leaked confidential data being sold on the black market. Armed with this knowledge and having more targets to infect (the targets themselves only getting more powerful), it’s only a matter of time until something terrifying happens, the likes of which we have never seen before. With the power of research and technology, specialists at intel471 managed to pierce into the underworld, by analyzing data from compromised IoT devices (mainly in Europe and North America), and steal a glimpse of a specter, brought forth by the deployment of two kinds of botnet malware built on some familiar code bases, carrying out the echo of a long lost attack that once stumped the world: Gafgyt and Mirai. Just to name a few based on the latter: BotenaGo, Echobot, Loli, Moonet, Mozi and Zeroshell – which have been active since the start of the COVID-19 pandemic in early 2020 and have continued to evolve throughout 2021. And to put this in perspective, let’s name some of the vulnerabilities affecting IoT that have been disclosed lately:

• CVE-2018-4068, CVE-2018-4070 and CVE-2018-4071 – Information disclosure vulnerabilities impacting Sierra Wireless AirLink ES450 FW gateway version 4.9.3
• CVE-2019-12258, CVE-2019-12259, CVE-2019-12262 and CVE-2019-12264 – DoS vulnerabilities impacting several versions of Wind River Systems’ VxWorks real-time operating system (RTOS).
• CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263 – Memory corruption vulnerabilities impacting several versions of Wind River Systems’ VxWorks RTOS.
• CVE-2021-28372 – An authentication bypass vulnerability impacting ThroughTek Kalay P2P Software Development Kit (SDK) versions 3.1.5 and earlier.
• CVE-2021-31251 – An improper authentication vulnerability impacting multiple firmware from Chiyu Technology, for which an exploit and walk-through demonstration of an exploit were observed in open sources.

This leaves many possible options for both the attackers and the defenders. All is not lost, as such research is done for the sole purpose of understanding how the underground is leveraging the flaws in these devices and then deploy the correct defenses. Proactive measures can be taken to prevent damage, as such is the mission of cybersecurity services providers like CyBourn.

Ransomware Encrypted Data, Decrypted by Researchers

Just as the title suggests, researchers at South Korea Kookmin University have managed what they call “first successful attempt” at decrypting data infected with Hive ransomware “without the attacker’s private key, by using a cryptographic vulnerability identified through analysis”.

First observed in June 2021, when it struck a company called Altus Group, Hive leverages a variety of tactics to infect their victims and as well as scare them, not just by encrypting the data but also exfiltrating sensitive data and threatening to post it publicly, in a tactic called double extorsion. Since then, they have victimized more than 355 companies. But now a glimmer of hope arises as the researchers claim that they were able to weaponize a flaw in the encryption algorithm to devise a method to reliably recover more than 95% of the keys employed during encryption. “For each file encryption process, two keystreams from the master key are needed,” the researchers explained. “Two keystreams are created by selecting two random offsets from the master key and extracting 0x100000 bytes (1MiB) and 0x400 bytes (1KiB) from the selected offset, respectively.”

The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file. But this technique also makes it possible to guess the keystreams and restore the master key, in turn enabling the decode of encrypted files without the attacker’s private key.

            CISA Lists Free Security Tools and Services

In an effort to help organizations fight off the malicious actors and reduce their cybersecurity risk, U.S. Cybersecurity and Infrastructure Security Agency (CISA) released repository of free tools and services, encompassing a mix of 101 “items” provided by CISA, open-source utilities and by private and public sector organizations across the cybersecurity community.

“Many organizations, both public and private, are target rich and resource poor,” CISA Director, Jen Easterly, said in a statement. “The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment.”

This is not the first time CISA launces initiatives to help organizations maximize resilience by campaigning patching software security flaws, enforcing multi-factor authentication, and halting bad practices. Just in the recent past they gave us known exploited vulnerabilities, cybersecurity procedures, guidance for resisting ransomware infections as well as threats associated with nefarious information and influence operations, and just last week’s “Shields Up” campaign notifying organizations in the U.S. of potential risks arising from cyber threats that can disrupt access to essential services and potentially result in impacts to public safety. “Malicious actors may use tactics — such as misinformation, disinformation, and malinformation — to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors,” CISA said.

                That’s a wrap for today’s Cybersecurity Express ride, and we thank you for being onboard. Be on the lookout for when we post the next itinerary, for we will want you back. Until then, stay safe!