Pages

28 November 2014

NEWLY REVEALED CYBER ESPIONAGE ATTACK ‘MORE COMPLEX’ THAN STUXNET, FLAME; OTHER VARIANTS AND FEATURES YET TO BE DISCOVERED -ARE LIKELY; ‘A MIND-BLOWING’ CYBER ESPIONAGE VIRUS

November 25, 2014 

Newly Revealed Cyber Espionage Attack ‘More Complex’ Than Stuxnet, Flame; Other Variants And Features Yet To Be Discovered -Are Likely; ‘A Mind-Blowing’ Cyber Espionage Virus

Kelly Jackson-Higgins writing on the November 24, 2014 website DarkReading.com, begins by noting that “first, there was Stuxnet and Flame; and now, there’s an even more sophisticated, stealthy, and powerful cyber espionage attack called Regin, that dates back as far as 2003 — and has been found infecting machines in more than a dozen countries.”

The cyber security firms, Symantec and Kaspersky Lab has each published their separate findings on Regin, a modular malware platform that has targeted Windows machines in in telecommunications operators, governments, financial institutions, researchers, governments, small businesses, and individuals associated with cryptography research,” Ms. Jackson-Higgins writes. “The attackers most likely behind Regin,’ she argues, “are a nation-state, given the investment and resources required to design it; and, the persistent, long-term surveillance operations it appears to support. Researchers say that they have probably on scratched the surface of Regin, and there are likely other variants and features — [yet] to be discovered.”

“Regin’s targets — discovered thus far, have been found located in the Russian Federation — 28 percent of the victims — and, Saudi Arabia. 24 percent of the victims,” according to Symantec. Users in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria, Pakistan, Algeria, Brazil, Fiji, Germany, Indonesia, Malaysia, Kiribati, and Syria were also found infected with the Regin malware,” Symantec and Kapersky’s research shows.

Conspicuously missing as victims of Regin,” Ms. Jackson-Higgins observes, “are residents of the U.S., as well as many in Western Europe countries, including the U.K.; but, neither Symantec, nor Kaspersky would confirm who might be behind Regin.” The cyber security firm, F-Secure said yesterday that this newly discovered, and highly sophisticated cyber espionage virus — “did not originate from Russia, nor China.” One publication attributed the new virus to the U.K. — specifically in the case of the Belgian ISP and telecommunications firm, Belgacom, as part of the U.K.’s Government Communication’s Headquarters’ surveillance program, which came to light in previously leaked Snowden documents,” Ms. Jackson-Higgins noted.

“There is information and a certain level of indication to show Regin was possibly used by GCHQ in some attacks…However, these are just partially confirmed. And, still, it is an interesting question if GCHQ, or the U.K. developed these tools alone; or, these attacks were a part of a collaboration between countries [such as] the U.S., U.K., and others, for what we saw in many leaked Snowden documents,” said Boldizsar Bencsath of the Laboratory of Cryptography and Systems Security at the Budapest Institute of Technology and Economics.

“One of Regin’s more powerful modules,” Ms. Jackson-Higgins writes, “”allows the malware to monitor GSM base station controllers. Kaspersky Lab found that in April 2008, the attackers behind Regin captured administrative login credentials that would let them ‘manipulate’ a GSM network in a Middle Eastern country, the name of which researchers would not disclose. With access to the base controllers, the attackers could redirect calls, or shut down the mobile network,” the researchers said.

“Regin is definitely in a category of its own. It’s definitively more complex than Stuxnet and Flame — when it comes to the design of the platform, functionality, or flexibility,” said Costin Raiu, Director of Global Research and Analysis at Kaspersky Lab. Raiu adds that “Regin is also more compact. While a fully deployed Flame infection came in at 20 megabytes. Regin is about 8 megabytes, including its virtual file system, in size; and, packs the same punch as Flame, or more. “I’d say Regin is probably older than Stuxnet or Flame, — and, more sophisticated,” he said.

Victims, Victimizing Victims

“Regin includes various tools; and, comes with an intricate, and highly stealthy communications technique to control the infected networks that involves the victims organizations communicating via peer-to-peer.” Ms. Jackson-Higgins wrote. Ksapersky Lab spotted victims in a Middle East country doing just that. “This case was mind-blowing, so we thought it’s important to present it. In this specific country, all the victims we identified communicate with each other, forming a peer-to- peer network. The P2P network includes the President’s office, a research center, educational institution network and a bank,” according to the Kaspersky report.

“The infected machines communicate via HTTP and Windows network connections as a way for the attackers to burrow deep into their target networks, bypass air gaps, and minimize traffic to the command-and-control server so as to remain under the radar. In this case, one of the victims had what Kaspersky Lab calls a “translation drone,” that communicated with a C and C outside its home country, in India. Kaspersky spotted 27 different victims; and, Symantec found 1,000 infected machines from around the globe; but, both companies said this only scratches the surface of the potential victims. Regin is basically a platform with multiple modules that could wrest control of their target’s network — and “seize full remote control at all possible levels,” the Kaspersky report concludes.

“Modular platforms have been spotted before,” Ms. Jackson-Higgins notes, “such as Flame, and The Mask/Weevel; but, the multi-stage loading technique used by Regin is reminiscent of the Duqu/Stuxnet family,” according to Symantec.

Six Stages Of Regin

“There are six stages of this newly discovered cyber espionage virus, the reports noted: “The first driver is the only visible piece of the attack on the infected machine — the next five stages of the attack are encrypted. The initial stages involve the installation and configuration of the threat’s internal services. The latter stages bring Regin’s main payload’s into play,” Symantec concluded. “The most interesting stages are the executables and the data files stored in Stages 4 and 5. The initial Stage 1 driver is the only plainly visible code on the computer. All other stages are stored as encrypted data blobs, as a file, or within a non-traditional file storage area such as the registry, extended attributes, or raw sectors at the end of the disk.”

“Even so,” Ms. Jackson-Higgins argues, researchers are still not yet sure how Regin initially infects the machines. There have been no confirmations of particular zero-day exploits or, other methods. Most likely, the attackers use a range of initial attack vectors. Regin has at least a dozen different exfiltration options.”

“We don’t know how it gets onto the machines…It could be a driveby, a link, or executable sent in email. There have been no confirmations of particularly zero-day exploits, or other methods. That particular piece was not found; but, our guess is the dropper at Stage 0 is probably never resident on the machine,” said Kevin Haley, Director of Security Response at Symantec. He added that “Regin appears to be a rare, comprehensive, cyber espionage malware platform. The fact that we haven’t found other ones, means it’s rare,” he said.

“Meanwhile,” Ms. Jackson-Higgins concludes, “not everyone agrees that Regin is all that stealthy. Ken Westin, a security analyst with Trip Wire, says Regin’s file changes and the registry key changes could be detected by any organization monitoring for host configuration changes.” V/R, RCP

No comments:

Post a Comment