NSA-linked Bvp47 Linux Backdoor Widely Undetected for 10 years

A report released today dives deep into technical aspects of a Linux backdoor now tracked as Bvp47 that is linked to the Equation Group, the advanced persistent threat actor tied to the U.S. National Security Agency.

Bvp47 remained almost entirely undetected until today, despite first being submitted to the VirusTotal antivirus database close to a decade ago, in late 2013.

Until this morning, only one antivirus engine on VirusTotal flagged the Bvp47 sample. As the report spread through the infosec community, detection started to improve: six engines flag it at the time of writing.

[Figure: Bvp47 Linux backdoor detection until February 23, 2022. Source: BleepingComputer]

The Equation Group connection

The Advanced Cyber Security Research team at Pangu Lab, a Chinese cybersecurity company, says that it found the elusive malware in 2013, during a “forensic investigation of a host in a key domestic department.”

The Bvp47 sample obtained from the forensic investigation proved to be an advanced Linux backdoor whose remote-control function is protected with the RSA asymmetric cryptography algorithm: without the matching private key, the control channel cannot be activated.

They found the private key in the leaks published by the Shadow Brokers hacker group between 2016-2017, which contained hacking tools and zero-day exploits used by NSA’s cyberattack team, the Equation Group.

Some components in the Shadow Brokers leaks were integrated into the Bvp47 framework – “dewdrop” and “solutionchar_agents” – indicating that the implant covered Unix-based operating systems like mainstream Linux distributions, Juniper’s JunOS, FreeBSD, and Solaris.

Apart from Pangu Lab attributing the Bvp47 malware to the Equation Group, automated analysis of the backdoor also shows similarities with another sample from the same actor.

Kaspersky’s Threat Attribution Engine (KTAE) shows that 34 out of 483 strings match those of another Equation-related sample for Solaris SPARC systems. That sample in turn had a 30% similarity with yet another Equation malware, submitted to VirusTotal in 2018 and posted by threat intel researcher Deresz on January 24, 2022.

[Figure: Bvp47 Linux backdoor correlation with other Equation malware. Source: Kaspersky]

Costin Raiu, director of Global Research and Analysis Team at Kaspersky, told BleepingComputer that Bvp47’s code-level similarities match a single sample in the company’s current malware collection.

This suggests the malware was not used widely, which is typical of tooling from high-level threat actors, who reserve it for highly targeted attacks.

In the case of the Bvp47 Linux backdoor, Pangu Lab researchers say that it was used on targets in the telecom, military, higher-education, economic, and science sectors.

They note that the malware hit more than 287 organizations in 45 countries and went largely undetected for over 10 years.

[Figure: Bvp47 Linux backdoor targets. Source: Pangu Lab]

Attack stages

Pangu Lab’s incident analysis involved three servers: one was the target of an external attack, and the other two were internal machines, an email server and a business server.

[Figure: Bvp47 malware attack. Source: Pangu Lab]

According to the researchers, the threat actor established a connection between the external server and the email server via a TCP SYN packet carrying a 264-byte payload (a plain SYN normally carries no application data, which makes this a useful detection signal).

“At almost the same time, the [email] server connects to the [business] server’s SMB service and performs some sensitive operations, including logging in to the [business] server with an administrator account, trying to open terminal services, enumerating directories, and executing Powershell scripts through scheduled tasks” – Pangu Lab

The business server then connected to the email machine to download additional files, “including the Powershell script and the encrypted data of the second stage.”

An HTTP server is started on one of the two compromised machines, serving two HTML files to the other. One of the files is a base64-encoded PowerShell script that downloads “index.htm,” which contains asymmetrically encrypted data.

A connection between the two internal machines is used to communicate encrypted data via “its own protocol,” Pangu Lab researchers say in their report.

The researchers were able to restore the communication between the servers and summarized it into the following steps, where machine A is the external system and V1/V2 are the email and business server, respectively:

  1. Machine A connects to port 80 of the V1 server to send a knock request and start the backdoor program on the V1 server
  2. The V1 server connects back to a high port on machine A to establish a data pipeline
  3. The V2 server connects to the backdoor web service opened on the V1 server and obtains PowerShell code to execute from the V1 server
  4. The V1 server connects to the SMB service port of the V2 server to perform command operations
  5. The V2 server establishes a connection with the V1 server on a high port and uses the backdoor’s own encryption protocol for data exchange
  6. The V1 server synchronizes data exchange with machine A, acting as a relay between machine A and the V2 server
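Two of the network behaviours described above are observable from flow or packet metadata alone: the initial TCP SYN that carries a payload, and the knock-then-reverse-connect pattern in steps 1 and 2, where an inbound connection to a service port is followed shortly by an outbound connection from the same internal host back to a high port on the same external peer. The following detection script is an added example written for this article; it is not code from the page, from Pangu Lab or from BleepingComputer. The record format, the field names, the pairing window, the internal host list and the sample records (using RFC 5737 documentation addresses) are all constructed for the example.

```python
"""
Added detection example (not from the article or Pangu Lab's report).
Flags two network patterns described in the write-up:
  1. a TCP SYN (without ACK) carrying a payload, and
  2. an inbound "knock" to an internal host followed within a short window by an
     outbound connection from that host to a high port on the same external peer
     (a reverse-connection data pipeline).
Record format, field names, thresholds and sample values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

KNOCK_WINDOW_SECONDS = 60   # assumption: max gap between knock and reverse connect
HIGH_PORT_THRESHOLD = 1024  # assumption: ports >= this count as "high" ports

# Constructed internal host list for the example network.
INTERNAL_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Constructed flow records: 'ts src:sport -> dst:dport flags=<TCP flags> payload=<bytes>'
SAMPLE_LOG = """\
1645000000.0 203.0.113.7:51234 -> 10.0.0.5:80 flags=S payload=264
1645000002.5 10.0.0.5:44321 -> 203.0.113.7:47200 flags=S payload=0
1645000010.0 198.51.100.9:40000 -> 10.0.0.5:443 flags=S payload=0
1645000011.0 10.0.0.5:44322 -> 198.51.100.9:443 flags=S payload=0
1645000020.0 10.0.0.6:50000 -> 10.0.0.5:8080 flags=S payload=0
"""


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "PA"
    payload: int     # bytes of TCP payload carried by the first packet


def parse_flow(line: str) -> Flow:
    """Parse one constructed record into a Flow."""
    ts, src_s, _arrow, dst_s, flags_s, payload_s = line.split()
    src, sport = src_s.rsplit(":", 1)
    dst, dport = dst_s.rsplit(":", 1)
    return Flow(float(ts), src, int(sport), dst, int(dport),
                flags_s.split("=", 1)[1], int(payload_s.split("=", 1)[1]))


def syn_with_payload(flows):
    """Return flows whose initial SYN (no ACK bit) carries application data."""
    return [f for f in flows
            if "S" in f.flags and "A" not in f.flags and f.payload > 0]


def knock_then_reverse_connect(flows, internal_hosts, window=KNOCK_WINDOW_SECONDS):
    """
    Pair each inbound connection from an external peer to an internal host with a
    later outbound connection from that internal host to a high port on the same
    peer. Returns a list of (knock_flow, reverse_flow) tuples.
    """
    ordered = sorted(flows, key=lambda f: f.ts)
    knocks = defaultdict(list)  # (external, internal) -> inbound flows
    for f in ordered:
        if f.dst in internal_hosts and f.src not in internal_hosts:
            knocks[(f.src, f.dst)].append(f)

    hits = []
    for f in ordered:
        outbound_high = (f.src in internal_hosts and f.dst not in internal_hosts
                         and f.dport >= HIGH_PORT_THRESHOLD)
        if not outbound_high:
            continue
        for knock in knocks.get((f.dst, f.src), []):
            if 0 <= f.ts - knock.ts <= window:
                hits.append((knock, f))
                break
    return hits


def analyze(log_text: str, internal_hosts):
    """Run both detections over a block of records and return the findings."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return {
        "syn_with_payload": syn_with_payload(flows),
        "knock_reverse": knock_then_reverse_connect(flows, internal_hosts),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG, INTERNAL_HOSTS)
    for f in findings["syn_with_payload"]:
        print(f"SYN with {f.payload}-byte payload: {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    for knock, back in findings["knock_reverse"]:
        print(f"knock {knock.src} -> {knock.dst}:{knock.dport} followed by reverse "
              f"connect {back.src} -> {back.dst}:{back.dport} after {back.ts - knock.ts:.1f}s")
```

On the constructed sample, only the first record is a SYN with data, and only the 203.0.113.7 pair is flagged as knock-then-reverse-connect: the 198.51.100.9 pair reconnects to port 443 rather than a high port, and the last record is internal-to-internal. In production the same logic would read NetFlow or Zeek conn records instead of the constructed format, and the window and port threshold should be tuned to the environment, since legitimate callbacks to high ports (for example to a load balancer) will otherwise generate noise.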

Based on the communication technique used between the three servers, the researchers assess that the backdoor is the creation of “an organization with strong technical capabilities.”
