We go deep into sophisticated modular malware & meet the manufacturer who vows to recall their IoT devices used in recent attacks.

Plus home server questions, a fun round-up & more!

Show Notes:

Lifting the lid on Sednit: A closer look at the software it uses

  • Security experts at ESET have released the final two parts of their new research into the operations of the notorious Sednit hacking group.
  • The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, is highly experienced and has been operating since at least 2004. It has developed sophisticated attacks that bypass the typical network security at compromised organizations.
  • In parts two and three of their research, entitled En Route with Sednit: Observing the Comings and Goings and En Route with Sednit: A Mysterious Downloader respectively, ESET’s threat analysts take a closer look at the software Sednit uses to spy on its targets and steal confidential information.
  • Sednit’s espionage toolkit is only deployed on targets deemed interesting to the hacking group after a period of reconnaissance.
  • The toolkit has three main components, made up of two spying backdoors (SEDRECO and XAGENT), and a network tool named XTUNNEL.
  • “Deploying both spying backdoors at the same time allows them to remain in contact if one of them becomes detected.”
  • Once in place, the SEDRECO backdoor trojan provides its remote operators with a variety of functions – including the ability to read and write files, turn on keylogging to furtively capture a user’s keypresses (and no doubt passwords), scour the victim computer’s hard drives and map network resources.
  • ESET’s research has further discovered that SEDRECO contains the capability to run external plugins, downloaded and executed as requested by a command-and-control (C&C) server under the hackers’ control.
  • A SEDRECO plugin identified by the researchers was found to share code with a module used by XAGENT, the other backdoor utilized by the Sednit gang.
  • XAGENT can exfiltrate information from compromised computers via HTTP and email, working alongside other components in the toolkit including USBSTEALER, which attempts to steal data from air-gapped computers.
  • During their investigations, ESET researchers were able to retrieve the complete XAGENT source code for the GNU/Linux version.
  • Although versions of XAGENT have been seen for Windows, Linux and iOS, ESET’s researchers say they would be surprised if versions for other operating systems, Android in particular, did not also exist.
  • The well-designed XAGENT malware is comprised of a series of modules providing varying functionalities, and the samples examined by ESET’s researchers indicate that the Sednit hacking gang adapts each attack for specific targets. This also, of course, avoids the risk of exposing all of XAGENT’s code to security researchers.
  • XTUNNEL is the network proxy tool the Sednit group uses to relay traffic between a C&C server on the internet and infected computers on the target’s local network, which is how the operators pivot inside a compromised network.
  • The researchers say that significant resources have been put into the development of XTUNNEL, SEDRECO and XAGENT, as they describe in En Route with Sednit: Observing the Comings and Goings:
  • “In order to perform its espionage activities, the Sednit group mainly relies on two backdoors, Xagent and Sedreco, which were intensively developed over the past years. Similarly, notable effort has been invested into Xtunnel, in order to pivot in a stealthy way. Overall, these three applications should be a primary focus to anyone wanting to understand and detect the Sednit group’s activities.”
  • The final focus of ESET researchers’ deep dive in the Sednit group is a special downloader called DOWNDELPH.
  • DOWNDELPH, which gets its name from being written in the Delphi programming language, is used in hacks orchestrated by the Sednit group to deploy the previously mentioned XAGENT and SEDRECO onto infected computers.
  • Once in place, DOWNDELPH downloads a configuration file from the internet, and fetches payloads from a series of command & control (C&C) servers.
  • The use of rootkit/bootkit technology to hide the activities of the Sednit group and the small number of deployments suggests one thing: this group of attackers wanted to do everything they could to avoid being noticed.

The Chinese manufacturer vows to recall IoT devices used in attack

  • “A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.”
  • How effective a recall will be is hard to say, since most of the devices were sold rebranded by other companies rather than by the manufacturer directly.
  • The major flaw with these devices is that the hardcoded password that allows remote login over Telnet cannot be changed, and the account is not even visible from the web interface most users are expected to use.
  • “I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.”
  • “The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.”
  • “Mirai is a huge disaster for the Internet of Things,” the manufacturer said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”
  • “At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.”
  • “Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”
  • In the meantime, it raises questions about how consumers can try to protect themselves
  • Senator Prods Federal Agencies on IoT Mess
  • “The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.”
  • “In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.”
  • “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”
  • “Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur”
  • Then some serious questions are raised, about interference with traffic
  • “In the FCC’s Open Internet Order, the Commission suggested that ISPs could take such steps only when addressing ‘traffic that constitutes a denial-of-service attack on specific network infrastructure elements,’” Warner wrote in his missive to the FCC. “Is it your agency’s opinion that the Mirai attack has targeted ‘specific network infrastructure elements’ to warrant a response from ISPs?”
  • “I have been asked by several reporters over the past few days whether I think government has a role to play in fixing the IoT mess. Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.”
  • “However, I do believe that the credible threat of government regulation is very often what’s needed to spur the hi-tech industry into meaningful action and self-regulation. And that process usually starts with inquiries like these. So, here’s hoping more lawmakers in Congress can get up to speed quickly on this vitally important issue.”
  • Quote I saw on Twitter the other day: “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”
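The check a practitioner wants after reading the above is whether anything on their own network still answers Telnet with that hardcoded credential, and whether a device that claims the post-2015 fix really has Telnet off. The script below is an added example written for these show notes; it is not code from the episode, from Krebs, Flashpoint or XiongMai. The only real detail in it is the root:xc3511 credential reported above. The BusyBox-style fake device it serves on 127.0.0.1, its prompts, the three device names and the outcome labels are all constructed so the example runs offline. Run telnet_default_login() only against devices you own or administer.

```python
"""Audit your own network for the hardcoded XiongMai Telnet credential.

Added example for these show notes, not code from Krebs, Flashpoint or
XiongMai.  Only root:xc3511 is real; the localhost stand-in device, its
prompts and the outcome labels are constructed for offline demonstration.
"""
import socket
import threading

DEFAULT_CREDENTIAL = ("root", "xc3511")   # reported by Flashpoint / KrebsOnSecurity


def _recv_until(sock, markers, timeout=3.0):
    """Read until one of the (case-insensitive) byte markers appears or we time out.

    Real telnetd implementations first emit IAC option-negotiation bytes (0xff ...);
    they are left in the buffer untouched, the login prompt still follows them.
    """
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:                     # peer closed the connection
            break
        buf += chunk
    return buf


def telnet_default_login(host, port=23, cred=DEFAULT_CREDENTIAL, timeout=3.0):
    """Probe one host with the default credential and classify the result.

    'closed'   -> nothing listening or unreachable; XiongMai's stated fix
                  (ship with Telnet off) looks like this from the outside
    'rejected' -> a login prompt answered but the default password failed
    'accepted' -> the device still honours the hardcoded credential
    'unknown'  -> the port answered but no recognisable login dialogue followed
    """
    user, password = cred
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _recv_until(s, [b"login:"], timeout)
            if b"login:" not in banner.lower():
                return "unknown"
            s.sendall(user.encode() + b"\r\n")
            _recv_until(s, [b"password:"], timeout)
            s.sendall(password.encode() + b"\r\n")
            reply = _recv_until(s, [b"#", b"$", b"incorrect", b"login:"], timeout)
            low = reply.lower()
            if b"incorrect" in low or b"login:" in low:
                return "rejected"
            if b"#" in reply or b"$" in reply:   # BusyBox shell prompt: we are in
                return "accepted"
            return "unknown"
    except OSError:                       # ConnectionRefusedError and timeouts included
        return "closed"


def audit_hosts(hosts, port=23):
    """Map each host to its classification; every 'accepted' entry needs fixing
    or firewalling before the next Mirai-style scanner finds it."""
    return {host: telnet_default_login(host, port) for host in hosts}


def start_fake_device(password):
    """Constructed stand-in for a XiongMai-based DVR: a BusyBox-style Telnet
    login on 127.0.0.1.  Returns (port, listening socket); close the socket to stop it."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listening socket was closed
                return
            with conn:
                try:
                    conn.sendall(b"\r\n(none) login: ")
                    user = _recv_until(conn, [b"\n"]).strip()
                    conn.sendall(b"Password: ")
                    pw = _recv_until(conn, [b"\n"]).strip()
                    if (user, pw) == (b"root", password.encode()):
                        conn.sendall(b"\r\nBusyBox v1.16.1 built-in shell (ash)\r\n# ")
                    else:
                        conn.sendall(b"\r\nLogin incorrect\r\n(none) login: ")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def demo():
    """Three constructed devices: still vulnerable, password changed, Telnet off."""
    vuln_port, vuln = start_fake_device("xc3511")
    fixed_port, fixed = start_fake_device("n0t-the-default")
    probe = socket.socket()               # grab a free port, then release it:
    probe.bind(("127.0.0.1", 0))          # nothing listens there, i.e. "Telnet off"
    off_port = probe.getsockname()[1]
    probe.close()
    try:
        return {
            "vulnerable_dvr": telnet_default_login("127.0.0.1", vuln_port),
            "changed_password": telnet_default_login("127.0.0.1", fixed_port),
            "telnet_disabled": telnet_default_login("127.0.0.1", off_port),
        }
    finally:
        vuln.close()
        fixed.close()


if __name__ == "__main__":
    print(demo())
```

Two caveats the article itself implies: a "closed" result only tells you port 23 is not reachable, which is what XiongMai's Telnet-off fix looks like from the network, not that the credential has left the firmware; and a "rejected" result from a device whose web panel let you change the password is exactly the case Flashpoint warns about, since the hardcoded account may still exist under a different service or port. The prompt matching assumes the BusyBox-style "login:" / "Password:" dialogue these DVR boards present (an assumption of this example).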


Round Up