HB1PMS > TECH 18.02.20 08:34l 83 Lines 3782 Bytes #999 (0) @ WW
BID : 2098HB1PMS
Read: DAE595 GAST
Subj: Ukrainian Blackout Malware Spreads Through Dark We
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200217/1916Z 8397@HB1BBS.ZL.NLD.EU BPQ6.0.19
From: HB1PMS@HB1BBS.ZL.NLD.EU
Ukrainian Blackout Malware Spreads Through Dark Web Forums
February 13, 2020 | Malware and Vulnerabilities
The malware now appends attackers' SSH public keys to the authorized_keys file
on victim machines.
We’re now seeing a ‘trickle-down’ effect, where SSH capabilities are
becoming commoditized.
Cyber experts at Venafi have found that sophisticated backdoor malware
techniques, used to cripple Ukrainian power stations in 2015, are now being
deployed more widely by the black hat community.
The malware behavior
The malware specifically targets SSH keys, the credentials that authenticate
remote command execution and machine-to-machine communication.
A single compromised SSH key could allow attackers to reach mission critical
systems to spread malware or sabotage processes while staying undetected.
As a recent upgrade, the malware can now append the attacker's SSH public key
to the authorized_keys file on the victim machine, so that key is trusted for
login from then on.
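An inserted key like the one described above is invisible to an administrator who
only counts lines in authorized_keys, but it is easy to catch if the host's
legitimate keys are known by fingerprint. The following audit script is an added
example, not code from the article or from Venafi: it parses authorized_keys
content (including lines with an options prefix such as command="..."), computes
the SHA256 fingerprint of each key in the form `ssh-keygen -lf` prints, and flags
any key whose fingerprint is not on an allow-list. The sample file and the three
keys in it are constructed in the script (correctly framed ssh-ed25519 blobs with
filler bytes, not real key pairs); the allow-list, file layout and comment names
are assumptions for the demonstration.

```python
"""Audit authorized_keys content against an allow-list of known key fingerprints."""
import base64
import hashlib
import re

# Key type tokens that mark where the key itself begins on an authorized_keys line.
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in KEY_TYPES) + r")\s+(\S+)(?:\s+(.*))?$"
)


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield one dict per key line; blank lines and '#' comments are skipped.

    Options (e.g. command="/bin/x",no-pty) may precede the key and may contain
    spaces, so the key type token, not a field count, is used to split the line.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            yield {"line": lineno, "error": "unparseable", "raw": raw}
            continue
        keytype, blob, comment = m.group(1), m.group(2), m.group(3) or ""
        try:
            fp = fingerprint(blob)
        except ValueError:  # base64.b64decode raises binascii.Error, a ValueError
            yield {"line": lineno, "error": "bad base64", "raw": raw}
            continue
        yield {"line": lineno, "options": line[:m.start(1)].strip(),
               "type": keytype, "fingerprint": fp, "comment": comment}


def audit(text: str, allowed_fingerprints) -> list:
    """Return every key not on the allow-list, plus lines that could not be parsed."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or e["fingerprint"] not in allowed_fingerprints]


# --- constructed sample data (not from any real host) ---------------------------
def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_ed25519_blob(seed: int) -> str:
    """A correctly framed ssh-ed25519 public key whose 32-byte point is
    deterministic filler derived from the seed; it is not a usable key."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


ADMIN_KEY = make_ed25519_blob(1)     # known, managed key
DEPLOY_KEY = make_ed25519_blob(2)    # known, restricted deploy key
ATTACKER_KEY = make_ed25519_blob(3)  # appended by malware, not on the allow-list

SAMPLE_AUTHORIZED_KEYS = f"""# keys managed by config management (constructed sample)
ssh-ed25519 {ADMIN_KEY} admin@bastion
command="/usr/local/bin/deploy",no-pty,no-port-forwarding ssh-ed25519 {DEPLOY_KEY} deploy
ssh-ed25519 {ATTACKER_KEY}
"""

# Allow-list as an inventory system would hold it: fingerprints, not whole files.
KNOWN_FINGERPRINTS = {fingerprint(ADMIN_KEY), fingerprint(DEPLOY_KEY)}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"line {finding['line']}: unexpected entry {finding}")
```

Run against a real host by reading each user's authorized_keys (and any
AuthorizedKeysFile paths set in sshd_config) and feeding the text to `audit`;
fingerprints can be checked against the inventory by hand with `ssh-keygen -lf`.
Note that a key with no comment, as on the last sample line, is typical of a
programmatically appended entry and is worth alerting on even before the
fingerprint check.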
The other technique the malware uses is brute-forcing weak SSH passwords to
gain access and then move laterally across the network.
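Password brute-forcing leaves a loud trail in the sshd log: a burst of "Failed
password" lines from one source, often cycling through usernames, and in the
worst case an "Accepted password" from the same source afterwards. The script
below is an added example, not code from the article or from Venafi; it runs
that detection logic over constructed sample log lines in the format sshd writes
to auth.log or the journal (the hostnames, IPs from the documentation ranges, and
PIDs are made up). The threshold of five failures is an assumption to tune per
environment.

```python
"""Flag SSH password brute-forcing, and brute-force success, from sshd log lines."""
import re
from collections import Counter, defaultdict

# sshd writes:  Failed password for [invalid user ]<user> from <ip> port <port> ssh2
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# sshd writes:  Accepted <password|publickey> for <user> from <ip> port <port> ssh2
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample (not a real log): one source sprays five logins and then gets
# in with a password; a second source has a single typo followed by a key login.
SAMPLE_LOG = """\
Feb 13 08:01:11 db01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Feb 13 08:01:12 db01 sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Feb 13 08:01:13 db01 sshd[2235]: Failed password for root from 203.0.113.7 port 51006 ssh2
Feb 13 08:01:14 db01 sshd[2237]: Failed password for root from 203.0.113.7 port 51008 ssh2
Feb 13 08:01:15 db01 sshd[2239]: Failed password for invalid user test from 203.0.113.7 port 51010 ssh2
Feb 13 08:01:16 db01 sshd[2241]: Accepted password for root from 203.0.113.7 port 51012 ssh2
Feb 13 08:02:40 db01 sshd[2260]: Failed password for alice from 192.0.2.44 port 40122 ssh2
Feb 13 08:02:45 db01 sshd[2262]: Accepted publickey for alice from 192.0.2.44 port 40124 ssh2
"""


def analyze(log_text: str, threshold: int = 5) -> list:
    """Return alerts: one 'brute-force' per source IP with >= threshold failures,
    plus one 'brute-force-success' per password login accepted from such an IP."""
    failures = defaultdict(Counter)  # ip -> Counter of usernames tried
    accepted = []                    # (ip, user, method) in log order
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))

    alerts = []
    for ip, users in failures.items():
        total = sum(users.values())
        if total >= threshold:
            alerts.append({"severity": "brute-force", "ip": ip,
                           "failures": total, "users": sorted(users)})
    # A password login from an IP that was just spraying is the lateral-movement
    # foothold the article describes; key-based logins are left alone here.
    noisy = {a["ip"] for a in alerts}
    for ip, user, method in accepted:
        if ip in noisy and method == "password":
            alerts.append({"severity": "brute-force-success", "ip": ip, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one to page on. The durable fix is to make the
first type impossible: set `PasswordAuthentication no` in sshd_config so only
keys are accepted, which is exactly why the key-insertion technique above matters
to attackers once passwords are gone.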
Such techniques have been tested and verified over the past year by TrickBot,
the cryptomining campaign CryptoSink, Linux Worm, and Skidmap, security experts
noted. However, the backdoor SSH server used by the BlackEnergy gang, whose
attack caused mass power outages in parts of Ukraine, had far greater
capabilities.
Commoditization of SSH Keys
SSH keys are one of the most critical components in today’s remote user
authentication system, hence a potent weapon in the wrong hands.
Yana Blachman, threat intelligence specialist at Venafi, said: "Until
recently, only the most sophisticated, well-financed hacking groups had this
kind of capability. Now, we're seeing a 'trickle-down' effect, where SSH
capabilities are becoming commoditized."
She further added that, with the commoditization of SSH keys, attackers will
attempt to monetize the backdoors they have established by selling them
through dedicated channels to more sophisticated and sponsored attackers,
including nation-state threats.
In a similar case, the TrickBot gang was seen selling "bot-as-a-service" to
North Korean hackers.
Final thoughts
Organizations need clear visibility of how their systems are running and must
protect every authorized SSH key in the enterprise to prevent those keys from
being hijacked. Their security infrastructure must withstand attempts by
attackers to insert their own malicious SSH machine identities into systems,
by detecting and blocking such insertions immediately.
73 Henk.
======================================================================
_ _ ____ __ ____ ____ _____
| | | | _ \/_ | _ \| _ \ / ____| SYS: Henk (hb1nos@hb1bbs.com)
| |__| | |_) || | |_) | |_) | (___ QTH: Ouwerkerk - JO11XO
| __ | _ < | | _ <| _ < \___ \ BBS: HB1BBS.ZLD.NLD.EU
| | | | |_) || | |_) | |_) |____) | QRV: 27.235 MHz (FM 1200bps)
|_| |_|____/ |_|____/|____/|_____/ WEB: www.hb1bbs.com
======================================================================
** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93
======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed Monday 17 February 2020 20:15 West Europe (standard time)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU