April 29, 2017 | Vigilantes, Disclosure fall-out, and Malware Upgrades

Vigilantes – Hajime

Hajime IoT worm fights the Mirai botnet for control of easy-to-hack IoT products. Hajime, like Mirai before it, takes advantage of factory-set (default) username and password combinations to brute-force its way into unsecured devices with open Telnet ports. Analysis from Rapidity Networks is found here.

Related posts.

  • Mirai and Hajime Locked Into IoT Botnet Battle. threatpost
  • Hajime, the mysterious evolving botnet. SecureList
  • Hajime Botnet is Now 300,000-Strong. infosecurity-magazine
  • Hajime Botnet Reaches 300,000 Hosts With No Malicious Functions. darknet
  • A vigilante is putting a huge amount of work into infecting IoT devices. arstechnica
[Comment] We need to ask ourselves: (1) why do we make it so easy for compromises to happen by not bothering to change default usernames and passwords, and (2) Telnet and hard-coded passwords! Are you serious? Let's demand more basic security from these IoT products.

Disclosure fall-out – ShadowBrokers

  1. Script kiddie bonanza – exploit code is released and scans show tens of thousands of Windows servers infected with the DoublePulsar kernel exploit.
  2. SWIFT – exploiting global financial messaging, how many service bureaus were compromised?
  3. Microsoft anticipatory patches – how did Microsoft patch so quickly, before the disclosure no less. Did NSA tip Microsoft off on the extent/particulars of the disclosure?
  4. EOL – thousands of vulnerable systems, with no patch available from Microsoft, are now being actively exploited.

Related posts.

  • Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs. thehackernews
  • NSA’S DOUBLEPULSAR Kernel Exploit in use Internet-wide. threatpost
  • Tens of thousands Windows systems implanted with NSA’s DoublePulsar. helpnetsecurity
  • NSA-leaking Shadow Brokers just dumped its most damaging release yet. arstechnica
  • Protecting customers and evaluating risk. Microsoft Technet
  • Microsoft Says It Has Patched Leaked NSA Hacks. Fortune
[Comment] The unintended fallout of this is that a few of these exploits target systems that are EOL, so no patches are available. Now you would think that doesn't matter: who would still have EOL systems facing the Internet?

Upgrades – Fileless malware

So why is fileless malware so dangerous, and why will it continue to expand for the foreseeable future? In simple terms: it works. Although there are good malware detection systems that are capable of detecting and controlling fileless malware, most are not.

Related Posts.

  • Hard Target: Fileless Malware. threatpost
  • Why Fileless Malware will Continue Its Rapid Expansion. lastline
  • Will Fileless Malware Push the antivirus Industry into Oblivion? helpnetsecurity
[Comment] Fileless malware is stealthy: techniques such as polymorphism, implanting watchdogs and revoking permissions are being used in an effort to evade detection. This is coupled with leveraging built-in features like Microsoft Windows Management Instrumentation (WMI) and Windows PowerShell to blend into the network noise and compromise endpoints without ever storing a binary on disk, ensuring that attacks remain hard to detect and track.
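As an added defender-side illustration (not code from the original post or any of the cited articles), the following Python triages process-creation events for the PowerShell and WMI patterns described above: encoded command lines, hidden windows, a WMI provider host as parent, and WMI-driven process creation. The field layout and the sample events are constructed for the example; the encoded command is a benign string generated inline.

```python
import base64
import re

# Constructed sample process-creation events (4688/Sysmon-style key=value lines),
# not real telemetry. The encoded payload is built here so the sample is self-consistent.
_BENIGN_ENC = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\notes.txt"',
    'ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoP -W Hidden -Enc ' + _BENIGN_ENC + '"',
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic process call create notepad.exe"',
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENC_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

def parse_event(line):
    """Split a key=value event line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

# Each indicator is a name plus a predicate over (event dict, decoded command or None).
INDICATORS = [
    ("encoded_command", lambda ev, dec: dec is not None),
    ("hidden_window", lambda ev, dec: re.search(r'-w(?:indowstyle)?\s+hidden', ev.get("CommandLine", ""), re.I) is not None),
    ("wmi_parent", lambda ev, dec: ev.get("ParentImage", "").lower().endswith("wmiprvse.exe")),
    ("wmic_process_create", lambda ev, dec: re.search(r'wmic.*process\s+call\s+create', ev.get("CommandLine", ""), re.I) is not None),
    ("download_cradle", lambda ev, dec: re.search(r'downloadstring|invoke-expression|invoke-webrequest', (dec or "") + " " + ev.get("CommandLine", ""), re.I) is not None),
]

def triage(line):
    """Return the image, matched indicator names and decoded command for one event."""
    ev = parse_event(line)
    dec = decode_encoded_command(ev.get("CommandLine", ""))
    hits = [name for name, check in INDICATORS if check(ev, dec)]
    return {"image": ev.get("Image", ""), "indicators": hits, "decoded": dec}

def triage_all(lines):
    return [triage(line) for line in lines]
```

Decoding the encoded command before matching matters: a cradle such as DownloadString is invisible in the raw command line and only appears in the decoded text.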
This entry was posted in Weekly Posts.