listen more to learn more.

Monday, October 17, 2016

NyaDrop Backdoor and Dropper Targets IoT Devices

Internet of Things (IoT) devices with hardcoded default login credentials are being targeted by a newly discovered Linux malware, security researchers warn.

Dubbed NyaDrop, the new Linux threat was spotted in some attacks almost half a year ago, but it wasn’t well-built and couldn’t successfully infect devices, a Malware Must Die post reveals. Recently the malware resurfaced with a series of improvements, in better-choreographed attacks.

The main driver for these attacks, security researcher unixfreaxjp says, is factory-set, hardcoded default login credentials, a long-known weakness of IoT devices (the Mirai botnet has shown how easily such devices can be ensnared). The malware targets vulnerable routers and similar networking devices built on the MIPS CPU architecture.
Like other IoT malware, NyaDrop spreads through brute-force login attempts that use easy-to-guess credentials and originate from a Russian IP address. The threat actor appears to care more about keeping the distribution under the radar than about spreading the infection quickly: each session attacks only a few specific IP targets, earlier attacks are stopped, and previously failed targets are revisited in a slow rotation.

The security researcher believes the attacker deliberately singles out MIPS devices by checking CPU information after login, and avoids ARM and PPC devices. Once a vulnerable machine has been breached, the NyaDrop binary is dropped onto it.

The threat is a Linux backdoor and dropper that opens an Internet socket (AF_INET) on the infected host, connects back to the attacker’s server and receives whatever Linux executable is to be used to infect the machine further. The received data is saved as an ELF file named “nya” and executed by Linux/NyaDrop with whatever privileges NyaDrop itself holds on the device.
Each time the attacker successfully logs back into an infected MIPS device, the existing “nya” file is deleted and a fresh one is fetched, which lets the attacker keep the botnet component up to date with little effort. If an attack fails, neither the “nyadrop” executable nor the “nya” binary is left on disk, which helps avoid detection.
The dropper itself is a small ELF written in C and compiled against libc without obfuscation, the researcher reveals. Despite its size, it packs a punch. Worse, detection rates are very low, and the researcher notes that hash-based signature detection would almost certainly fail: because the “nya” payload is re-fetched on every visit and can differ from one infection to the next, the files on disk yield a different hash each time.
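Since per-sample hashes are a poor basis for catching a payload that is re-dropped on every visit, an analyst would rather key on properties that stay stable across samples. The following Python script is an added example (not code from the Malware Must Die analysis or from the NyaDrop sample): it parses the ELF header to report architecture, class, endianness and whether a PT_INTERP program header (dynamic loader) is present, and then applies a simple "small, static, 32-bit MIPS executable" profile. The size cap and the constructed sample headers are assumptions made for illustration, not figures from the report.

```python
"""ELF header triage for IoT dropper payloads (added example)."""
import hashlib
import struct

ET_EXEC = 2          # e_type: executable file
PT_INTERP = 3        # program header that names the dynamic loader
EM_NAMES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
            0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf(data: bytes) -> dict:
    """Return class, endianness, e_type, machine name and whether the image is
    statically linked (no PT_INTERP entry). Raises ValueError on non-ELF input."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"          # EI_DATA selects byte order
    e_type, e_machine = struct.unpack(end + "HH", data[16:20])
    if ei_class == 1:                            # ELF32 layout
        (e_phoff,) = struct.unpack(end + "I", data[28:32])
        e_phentsize, e_phnum = struct.unpack(end + "HH", data[42:46])
    else:                                        # ELF64 layout
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_phoff,) = struct.unpack(end + "Q", data[32:40])
        e_phentsize, e_phnum = struct.unpack(end + "HH", data[54:58])
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break                                # truncated table: stop, don't crash
        (p_type,) = struct.unpack(end + "I", data[off:off + 4])
        if p_type == PT_INTERP:
            has_interp = True
            break
    return {"class": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "type": e_type,
            "machine": EM_NAMES.get(e_machine, "unknown(0x%x)" % e_machine),
            "static": not has_interp}


def matches_mips_dropper_profile(data: bytes, max_size: int = 64 * 1024) -> bool:
    """Heuristic filter: small, static, 32-bit MIPS executable. The size cap is
    an assumption chosen for this example, not a figure from the report."""
    try:
        h = parse_elf(data)
    except ValueError:
        return False
    return (h["machine"] == "MIPS" and h["class"] == 32 and h["type"] == ET_EXEC
            and h["static"] and len(data) <= max_size)


def same_profile_different_hash(a: bytes, b: bytes) -> bool:
    """True when two files share the dropper profile yet have different SHA-256
    digests, i.e. a hash blocklist built from one would miss the other."""
    return (matches_mips_dropper_profile(a) and matches_mips_dropper_profile(b)
            and hashlib.sha256(a).digest() != hashlib.sha256(b).digest())


def make_elf32(ei_data: int, e_machine: int, phdr_types=()) -> bytes:
    """Build a minimal constructed ELF32 image (header + 32-byte program headers)
    for testing; these are synthetic files, not real malware samples."""
    end = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", ET_EXEC, e_machine, 1, 0x400000,
                              52, 0, 0, 52, 32, len(phdr_types), 40, 0, 0)
    phdrs = b"".join(struct.pack(end + "8I", t, 0, 0, 0, 0, 0, 0, 0) for t in phdr_types)
    return hdr + phdrs


# Constructed samples: big-endian static MIPS (the profile), the same image with a
# dynamic loader entry, a little-endian ARM image, and a padded MIPS variant.
MIPS_BE_STATIC = make_elf32(2, 0x08)
MIPS_BE_DYNAMIC = make_elf32(2, 0x08, phdr_types=(1, PT_INTERP))
ARM_LE_STATIC = make_elf32(1, 0x28)
MIPS_BE_STATIC_PADDED = MIPS_BE_STATIC + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("mips-static", MIPS_BE_STATIC), ("mips-dynamic", MIPS_BE_DYNAMIC),
                       ("arm-static", ARM_LE_STATIC)]:
        print(name, parse_elf(blob), "profile match:", matches_mips_dropper_profile(blob))
```

The padded variant illustrates the hash problem directly: it differs from the base sample by sixteen zero bytes, so its SHA-256 changes, yet it satisfies the same structural profile. In practice this header check is only a first-pass filter; a real triage pipeline would follow it with string, import and behavioural analysis.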

Evidence Links Russia to DNC Attack

Several security firms have found evidence that the recent attacks against the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party, were launched by Russia-linked threat groups.

Threat intelligence firm CrowdStrike, which assisted the DNC’s investigation and cleanup efforts, reported last week that its incident response team uncovered evidence tying the attacks to two previously known advanced persistent threat (APT) groups.
One of the groups is Russia-linked Cozy Bear, which is also known as CozyDuke and APT29. The actor is believed to have breached the DNC’s networks as far back as the summer of 2015 using an implant dubbed “SeaDaddy” and a PowerShell backdoor.

The second group, also believed to be operating from Russia, is Fancy Bear, aka APT28, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team. The actor reportedly targeted the DNC in a separate attack in April 2016 using a piece of malware dubbed X-Agent and a network tunneling tool called X-Tunnel.
CrowdStrike said it did not see any evidence that Fancy Bear and Cozy Bear had been collaborating or that they had known about each other’s operation.
Shortly after the security firm made its findings public, a hacker using the online moniker “Guccifer 2.0” took credit for the attack and started leaking documents stolen from the DNC. The hacker mocked CrowdStrike for reporting that the attack was carried out by sophisticated groups and claimed that it was “very easy” for him to breach the organization’s systems.
“Guccifer” is the nickname first used by 44-year-old Romanian national Marcel Lazar Lehel, who has been extradited to the United States after hacking the online accounts of several celebrities and politicians, a spree that brought to light the private email server used by presidential candidate Hillary Clinton.
Guccifer 2.0 has set up a WordPress website and a Twitter account, which he has been using to release documents allegedly stolen from the DNC. On Monday, he threatened to leak a “dossier on Hillary Clinton” taken from DNC servers.
However, CrowdStrike is not the only security firm to point the finger at Russian government-backed actors for the attack on the DNC. Fidelis has conducted an independent investigation of the malware leveraged by hackers and confirmed CrowdStrike’s findings.

“Based on our comparative analysis we agree with CrowdStrike and believe that the COZY BEAR and FANCY BEAR APT groups were involved in successful intrusions at the DNC. The malware samples contain data and programming elements that are similar to malware that we have encountered in past incident response investigations and are linked to similar threat actors,” Fidelis said.
ThreatConnect has analyzed one of the domains used by attackers for command and control (C&C) and discovered additional links to Fancy Bear.
In March, the SecureWorks Counter Threat Unit (CTU), which tracks Fancy Bear as Threat Group-4127 (TG-4127), observed a spear-phishing campaign that leveraged Bit.ly shortened links to target email accounts connected to the upcoming presidential election in the United States, including accounts belonging to individuals working for or associated with Hillary Clinton’s campaign and the DNC.

“CTU researchers do not have evidence that these spearphishing emails are connected to the DNC network compromise that was revealed on June 14. However, a coincidence seems unlikely, and CTU researchers suspect that TG-4127 used the spearphishing emails or similar techniques to gain an initial foothold in the DNC network,” SecureWorks researchers said.
An analysis of the documents leaked by Guccifer 2.0 suggests the individual might be based in Russia, and experts have pointed out several reasons why Russia could benefit from the hack.

While it’s possible that Guccifer 2.0 has nothing to do with the cyberspy groups, experts believe the persona might have been set up by Russian intelligence in an effort to throw investigators off track. CrowdStrike said it stands by its analysis and findings.
“Whether or not this posting is part of a Russian Intelligence disinformation campaign, we are exploring the documents’ authenticity and origin. Regardless, these claims do nothing to lessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public and the greater security community,” the company said.

Russia Slams 'Unprecedented' U.S. Threats Over Cyber Attacks

The Kremlin on Saturday slammed Washington for its "unprecedented" threats against Moscow over an alleged series of cyber attacks and vowed to respond. 

Last week, Washington formally accused the Russian government of trying to "interfere" in the 2016 White House race through cyber attacks on American political institutions.
And on Friday, US Vice President Joe Biden told NBC a "message" would be sent to Russian President Vladimir Putin over the alleged hacking, with the channel saying the CIA was preparing a retaliatory cyber attack "designed to harass and 'embarrass' the Kremlin leadership."
Kremlin spokesman Dmitry Peskov immediately denounced Biden's remarks, saying Moscow would take precautions to safeguard its interests in the face of the increasing "unpredictability and aggressiveness of the United States".
"The threats directed against Moscow and our state's leadership are unprecedented because they are voiced at the level of the US vice president," RIA Novosti news agency quoted him as saying.
"To the backdrop of this aggressive, unpredictable line, we must take measures to protect (our) interests, to hedge risks."
And Kremlin aide Yuri Ushakov vowed Moscow would respond to any US cyber attacks, saying such threats were "borderline insolence", the news agency said.
In the NBC interview, excerpts of which were released late Friday, Biden said Washington would respond "at the time of our choosing and under the circumstances that have the greatest impact."
Earlier this week Russian Foreign Minister Sergei Lavrov shrugged off the US allegations, telling CNN the hacking claims were "flattering" but baseless, with not a "single fact" to prove it.
The Kremlin was propelled to the heart of American politics in July after Hillary Clinton's campaign blamed Russia for an embarrassing leak of emails from the Democratic National Committee.
Russia has been accused of favoring Donald Trump -- who has praised Putin and called for better ties with Moscow -- over the more hawkish Clinton. Russia's relations with the United States have plunged to their post-Cold War nadir over the conflict in Ukraine and stalled efforts to end the five-year Syrian war.

Related: More Evidence Links Russia to DNC Attack 

Google Receives Increasing Number of Government Requests

Google’s transparency report update for the first half of 2016 shows that the number of requests received by the search giant from governments has continued to increase.

The company said it received nearly 45,000 requests seeking information on more than 76,000 accounts. Google reviewed each of these requests and complied with 64 percent of them, the same percentage as in the previous period.
Some governments made requests for the first time during this period, including Saudi Arabia, Fiji, El Salvador, Algeria, Belarus and the Cayman Islands. Each of these countries made only a handful of requests, but Google did not comply with any of them.
In the case of the United States, the government made over 14,000 crime-related requests for roughly 30,000 accounts. Data was produced in response to 79 percent of these requests.
U.S. authorities have also sent a large number of Foreign Intelligence Surveillance Act (FISA) requests and National Security Letters (NSLs). However, Google is prohibited from disclosing exact numbers for these types of requests and the data is subject to a six-month delay.
According to Google, the U.S. government made between 500 and 999 FISA requests for content associated with 21,000–21,499 accounts in the second half of 2015, compared to 16,000–16,499 in the previous six months. The FBI has lifted a gag order on an NSL issued in the second half of 2015 so the range has been modified from 0-499 to 1-499.
“In recent years, the United States has implemented or enacted meaningful surveillance reforms. And the U.S. Congress is beginning the process of assessing potential reforms to Section 702 of FISA, which authorizes surveillance of non-U.S. persons outside of the United States,” said Richard Salgado, Google’s director of law enforcement and information security. “We look forward to working together with others in our industry on continuing surveillance reform in the U.S. and around the world.”
The highest number of requests, after the U.S., came from Germany (8,700), France (4,300), India (3,400) and the United Kingdom (3,300). Turkey made 390 requests, but Google only produced data in response to one percent, which is not surprising given the country’s poor human rights record.
Google’s transparency report was recently expanded to cover the use of HTTPS on the world’s top websites. According to the company, many highly popular sites still haven’t implemented HTTPS by default.

Related: Microsoft Launches New Transparency Website

Related: Google Adds Certificate Transparency Log for Untrusted CAs

Wednesday, October 5, 2016

Researchers Leverage RKP Module to Bypass Samsung KNOX

Security researchers from Viral Security Group Ltd. have bypassed Samsung KNOX’s security features by chaining three vulnerabilities that leave unpatched devices open to full compromise.

The researchers focused on a module called TIMA RKP (Real-time Kernel Protection), which is meant to defend against kernel exploits. Even with RKP in place, they say, a standard kernel exploit can be used to run code in the system user context.
According to a paper detailing the work, a malicious actor with access to the system account could replace legitimate apps with rogue software holding every available permission, without the user noticing. Furthermore, the RKP module itself can be abused to obtain root privileges, and the researchers went on to load a kernel module that remounted the /system partition as writable.
To subvert RKP, the researchers used CVE-2015-1805, a write-what-where kernel vulnerability, through the open-source exploit implementation iovyroot. iovyroot is a generic Linux exploit for that flaw that has been adapted to recent Samsung devices, including the Galaxy S6 and Galaxy Note 5, the researchers say.
RKP, they explain, has two layers: one interwoven with the Linux kernel, and another residing in ARM TrustZone as a hypervisor. RKP is meant to hide and protect certain areas of kernel memory, performing its own checks and validations independently of the kernel.
The weak point turned out to be rkp_override_creds, a special function that replaces the regular kernel function override_creds and is used to temporarily override the credentials of the current process. Using their kernel write primitive, the researchers first tried to have RKP override the credentials with root values, but failed, because “the hypervisor side does not take nicely to attempts to override process credentials with root values.” It does, however, accept system values.
While still pursuing root, the researchers found a file called vmm.elf, which turned out to be the RKP module itself, and located in it the function that would let them obtain root. The permissions available at that point were still limited, but loading a kernel module would complete the privilege escalation, and the Galaxy S6 does allow kernel modules to be inserted.
Modules must be signed, however, with the verification performed by the Mobicore micro-kernel in ARM TrustZone. Because that verification was only triggered when the lkmauth_bootmode variable was set to BOOTMODE_RECOVERY, the researchers used the kernel write primitive to overwrite the variable and disable signature verification.
“At this point, we could easily load any kernel module we desired,” the researchers note. The three vulnerabilities that made the KNOX bypass possible were collectively named KNOXout. Tracked as CVE-2016-6584, they are privilege escalation issues and have already been disclosed to the vendor.
Remediations proposed by the researchers include treating system permissions with the same suspicion as root; performing the PID check later in the permission-granting process, since RKP grants root privileges to processes with PID 0 (which the researchers abused); and placing the lkmauth_bootmode variable and the security_ops structure in an RKP-protected, read-only page.

Related: Critical Vulnerability Breaks Android Full Disk Encryption

Hackers Could Harm Diabetics via Insulin Pump Attacks

OneTouch Ping insulin pumps manufactured by Johnson & Johnson-owned Animas are plagued by several vulnerabilities that can be exploited by remote hackers to compromise devices and potentially harm the diabetic patients who use them. While the security holes are serious, the risk is considered relatively low and the vendor does not plan on releasing a firmware update.

Rapid7 researcher Jay Radcliffe, who has been a Type 1 diabetic for 17 years, analyzed Animas’ OneTouch Ping insulin pumps. The product has two main components: the pump itself and a remote that controls the pump’s functions from up to 10 feet away.
The four major vulnerabilities found by Radcliffe in the OneTouch Ping product have been detailed in a Rapid7 blog post and an advisory published by the Department of Homeland Security’s CERT Coordination Center.
The researcher discovered that the remote and the pump communicate over an unencrypted channel (CVE-2016-5084), allowing a man-in-the-middle (MitM) attacker to intercept patient treatment and device data. The vendor pointed out that while some data is exposed, it does not include any personally identifiable information.
Another vulnerability identified by Radcliffe lies in the setup process in which the pump is paired with the remote; pairing is meant to keep the pump from accepting commands from other remotes. The key the devices use when exchanging information is derived from serial numbers and some header information, and it is transmitted without any form of encryption.
OneTouch Ping insulin pump and remote
This weak pairing (CVE-2016-5085) allows an attacker to spoof the remote and issue commands to arbitrarily dispense insulin, which could lead to the patient having a hypoglycemic reaction.
The researcher also noticed that OneTouch Ping pumps lack protection against replay (CVE-2016-5086) and spoofing (CVE-2016-5686) attacks. These vulnerabilities can be exploited to capture packets and replay them at a later time, or send spoofed packets with arbitrary commands to the pump. In both cases, the attacker can instruct the device to dispense insulin and potentially harm the user.
The OneTouch Ping pump and its remote are not connected to the Internet so these attacks cannot be carried out over very long distances. However, special radio transmission equipment could allow attacks to be conducted from hundreds of feet and possibly even up to one mile, researchers warned.
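To make the pairing, replay and spoofing findings concrete, here is an added Python model of a pump/remote link. It is not the vendor’s protocol or Rapid7’s code; the wire format, serial numbers and dispense amounts are invented for the example. The WeakPump mirrors the reported design in miniature: a pairing key derived only from serial numbers that travel in the clear and no freshness check, so a captured command can be replayed and a fresh one forged. The HardenedPump shows the countermeasures a practitioner would expect instead: a random pairing secret, a strictly increasing counter and an HMAC over counter and command.

```python
"""Replay and spoofing against a pump/remote link: weak vs hardened (added example)."""
import hashlib
import hmac
import secrets
import struct


class WeakPump:
    """Cleartext commands, a 'key' that is just the two serial numbers, and no
    freshness check. Invented wire format: key|BOLUS:<units>."""

    def __init__(self, pump_serial: str, remote_serial: str):
        self.key = (pump_serial + remote_serial).encode()   # recoverable by any eavesdropper
        self.dispensed = 0.0

    def receive(self, packet: bytes) -> bool:
        key, _, body = packet.partition(b"|")
        if key != self.key:
            return False
        cmd, _, amount = body.decode(errors="replace").partition(":")
        if cmd == "BOLUS":
            self.dispensed += float(amount)
            return True
        return False


def weak_remote_packet(pump_serial: str, remote_serial: str, units: float) -> bytes:
    """Anyone who has seen the serials (or one packet) can build a valid command."""
    return (pump_serial + remote_serial).encode() + b"|" + f"BOLUS:{units}".encode()


class HardenedPump:
    """Pairing installs a random shared secret; each command carries a 32-bit
    counter and an HMAC-SHA256 over counter||body. A replay fails the counter
    check, a forgery or tampered packet fails the MAC. A real device must keep
    last_counter across power cycles, which this toy ignores."""

    def __init__(self):
        self.secret = None
        self.last_counter = 0
        self.dispensed = 0.0

    def pair(self) -> bytes:
        # Assumed to run over a physically protected channel (e.g. a button
        # press on both devices), never over the radio in the clear.
        self.secret = secrets.token_bytes(32)
        self.last_counter = 0
        return self.secret

    def receive(self, packet: bytes) -> bool:
        if self.secret is None or len(packet) < 4 + 32:
            return False
        head, body, tag = packet[:4], packet[4:-32], packet[-32:]
        expected = hmac.new(self.secret, head + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                                   # spoofed or tampered
        (counter,) = struct.unpack(">I", head)
        if counter <= self.last_counter:
            return False                                   # replay
        self.last_counter = counter
        cmd, _, amount = body.decode(errors="replace").partition(":")
        if cmd == "BOLUS":
            self.dispensed += float(amount)
            return True
        return False


class HardenedRemote:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def bolus(self, units: float) -> bytes:
        self.counter += 1
        head = struct.pack(">I", self.counter)
        body = f"BOLUS:{units}".encode()
        return head + body + hmac.new(self.secret, head + body, hashlib.sha256).digest()


def demo() -> dict:
    """Run the same attacker moves (replay a captured packet, forge a new one,
    tamper with a valid one) against both designs and report what was accepted."""
    weak = WeakPump("PUMP-123456", "RMT-654321")          # constructed serials
    captured = weak_remote_packet("PUMP-123456", "RMT-654321", 2.0)
    weak.receive(captured)                                 # legitimate 2.0 U bolus
    weak_replay = weak.receive(captured)                   # attacker replays it
    weak_forge = weak.receive(weak_remote_packet("PUMP-123456", "RMT-654321", 25.0))

    hard = HardenedPump()
    remote = HardenedRemote(hard.pair())
    pkt = remote.bolus(2.0)
    hard.receive(pkt)
    hard_replay = hard.receive(pkt)                        # same packet again
    intruder = HardenedRemote(secrets.token_bytes(32))     # never paired
    hard_forge = hard.receive(intruder.bolus(25.0))
    tampered = struct.pack(">I", 99) + pkt[4:]             # bump counter, keep old MAC
    hard_tamper = hard.receive(tampered)
    return {"weak_replay_accepted": weak_replay, "weak_forge_accepted": weak_forge,
            "weak_dispensed": weak.dispensed,
            "hardened_replay_accepted": hard_replay, "hardened_forge_accepted": hard_forge,
            "hardened_tamper_accepted": hard_tamper, "hardened_dispensed": hard.dispensed}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows the weak pump dispensing 29 units from one legitimate command plus a replay and a forgery, while the hardened pump dispenses only the 2 units the paired remote asked for. The counter alone does not stop spoofing and the MAC alone does not stop replay; both are needed, and on a real device the counter state has to be persistent or a power cycle reopens the replay window.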
While these are serious vulnerabilities, Radcliffe said the risk is relatively low and the goal of the research is to raise awareness, allow users to make informed decisions, and get manufacturers to focus more on security when designing their products.
“Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash,” the expert noted.
Johnson & Johnson, which notified patients and healthcare professionals of Rapid7’s findings via physical mail, said it does not plan on releasing a firmware update to address the vulnerabilities. However, the company has provided instructions on how attacks can be mitigated using various features available in the OneTouch Ping product.
Rapid7’s approach contrasts with the path taken in August by medical device security firm MedSec, which decided to disclose vulnerabilities found in St. Jude Medical products without notifying the vendor. MedSec decided to team up with an investment research company that used the findings as part of an investment strategy, which led to St. Jude filing a lawsuit.

Related: FDA Issues Alert Over Vulnerable Hospira Drug Pumps

Related: Serious Security Flaws Found in Hospira LifeCare Drug Pumps
