Week in review 21 November 2014
The US Postal Service, the NOAA and now the US State Department have all recently experienced some form of cyber attack. Domain Name Generation Algorithms (or DGA) are becoming smarter. Android users are again coming under attack with a new version of NotCompatible, whilst the DarkHotel campaign continues on. Finally, password managers are now being attacked by malware, in this case Citadel.
US State Department shuts down unclassified email system
US government agencies have been a target for attacks in 2014. The list is growing; the NOAA suffered an attack, the US Postal service was hacked, and most recently, the US State Department had to shutdown its unclassified email system. No military systems or classified systems were affected.
The NOAA breach affected four websites and feeds from satellites. Fortunately the attack was detected early and was swiftly shutdown. Less fortunate was the attack on the USPS; around 800,000 employees had their personal details stolen. 3 million USPS customers were also affected by the breach.
Domain Name generating algorithms evolving, getting smarter
One of the methods used by attackers to evade detection is Domain Name Generation. The technique is relatively simple: generate a large number of domain names, register some and use them as command and control servers. Malware installed on a victim PC can then use the same algorithm to generate a list of domain names which it then loops through until it finds a command and control server.
Algorithms devised to generate domain names are sometimes called DGA (short for Domain name Generation Algorithm). Initial versions were pretty simple; usually the domain name was gibberish. Naturally, countermeasures were devised to check that a domain name had some meaning. Attackers now use words taken from a variety of sources; in one case, the US declaration of independence was used as a source.
A newly identified malware called Matsnu has an algorithm that utilises a list containing 878 nouns and 444 verbs. Matsnu then creates a domain name with the form noun, verb, noun, and verb. This is designed to fool software that looks to block domain names with no intrinsic meaning. Matsnu is spread via spam email.
New version of NotCompatible a danger to organisations
Mobile malware is fast becoming as big a headache as PC malware. This week the NotCompatible malware was in the news again, due to a new version being detected. NotCompatible affects Android devices, and is spread either via spam email or drive by downloads. It does not steal user information, but it does build botnets, which can then be used to conduct spam email campaigns.
The new version of NotCompatible uses encryption to communicate with its command and control server. This makes it harder to detect by network monitoring software.
DarkHotel uses a malicious welcome pack
It’s not an unfamiliar scene for many people: arrive at a hotel, check in, grab some refreshments after a long trip, and pop open the laptop to start catching up on emails. Most hotels provide Wi-Fi these days, so part of the process is to first connect to the hotel Wi-Fi network. Unfortunately, the process of connecting to a Wi-Fi network is where recent malicious activity has been detected.
This malicious activity has been dubbed DarkHotel. DarkHotel starts off with a compromised Wi-Fi network in a hotel. DarkHotel appears to be targeting only certain individuals; usually high level executives, from a range of industries. They are targeted once only.
When the victim connects to the hotel network, they are sent a “welcome pack”, ostensibly from the hotel. If the victim opens the welcome pack, malware is downloaded onto their laptop. The malware is designed to steal sensitive information, including login credentials. Once the attackers have the information they require, they remove all traces of the malware. This makes tracking the attackers very difficult.
Password managers are now the target for the Citadel malware. In some ways, it’s surprising that attacks on password managers have not happened sooner. Citadel is known to lie undetected on a PC; currently, it is estimated that Citadel is installed on 1 in 500 PCs worldwide.
A new version of Citadel attempts to steal a user’s master password by listening into the password manager process, and logging the keystrokes when the user accesses the password manager. At this point, the motive behind stealing master passwords is unknown. There is speculation that the data obtained will be used to launch attacks on organisations.