
PT: How Hackers Hide Traces of Attacks on Government and Educational Institutions



Positive Technologies experts analyzed the most famous rootkit families over the past 10 years.

Positive Technologies experts analyzed the most famous rootkit families of the past 10 years. Rootkits are programs that hide the presence of malicious software, or the traces of an intruder, in a system. The study found that 77% of rootkits are used by cybercriminals for espionage.

Rootkits are not the most common malware. Rootkit detections tend to be associated with high-profile attacks with serious consequences: often these utilities are part of multifunctional malware that intercepts network traffic, spies on users, steals authentication data, or uses victims’ resources to carry out DDoS attacks. The best-known use of a rootkit in an attack is the Stuxnet malware campaign, whose main goal was to halt the development of Iran’s nuclear program.

Positive Technologies analysts conducted a large-scale study of rootkits used by cybercriminals over the past ten years, starting in 2011. According to the data obtained, in 44% of cases attackers used rootkits in attacks on government agencies. Slightly less frequently (38% of cases), this malware was used to attack research institutes. Experts link the choice of these targets to the main motive of cybercriminals distributing rootkits, which is obtaining data: the information processed by these organizations is of great value to cybercriminals. According to the study, the top 5 industries most attacked by rootkits also include telecom (25%), industry (19%) and financial institutions (19%). In addition, more than half of rootkits (56%) are used by hackers to attack individuals. These are mainly targeted attacks within cyber espionage campaigns against high-ranking officials, diplomats and employees of targeted organizations.

“Rootkits, especially those working in kernel mode, are very difficult to develop, so they are used either by highly qualified APT groups that have the skills to develop such a tool, or by groups whose financial capabilities allow buying rootkits on the shadow market,” explains Yana Yurakova, analyst at Positive Technologies. “The main goal of attackers of this level is cyber espionage and data acquisition. These can be both financially motivated criminals who steal large sums of money, and groups that extract information and perform destructive actions in the victim’s infrastructure in the interests of customers.”

The analysis showed that the investigated rootkit families were used by cybercriminals to obtain data in 77% of cases and to extract financial gain in about a third of cases (31%); in only 15% of attacks did experts note the motive of exploiting the victim company’s infrastructure to carry out subsequent attacks.

According to the Positive Technologies report, advertisements for the sale of user-mode rootkits dominate on shadow forums; these are commonly used in mass attacks. According to the company’s experts, the cost of a ready-made rootkit varies from $45 to $100,000 and depends on the operating mode, the target OS, the conditions of use (for example, the malware can be rented for a month) and additional functions (most often buyers request remote access and the hiding of files, processes and network activity). In some cases, the developers offer to customize the rootkit for the customer’s needs and provide support. It is worth noting that 67% of advertisements required the rootkit to be “sharpened” for Windows. This correlates with the results of the study: Windows samples also prevail in the malware set studied by Positive Technologies specialists, at 69%.

“Despite the difficulties in developing these malicious programs, every year we see the emergence of new versions of rootkits, whose mechanism of operation differs from the already known malware. This suggests that cybercriminals continue to develop tools to mask malicious activity and constantly come up with new techniques for bypassing security measures: a new version of Windows appears, and immediately malware developers create rootkits targeting it,” comments Alexey Vishnyakov, Head of Malware Detection Department, Security Expert Center, Positive Technologies. “We expect that rootkits will continue to be used by well-prepared APT groups, which means that it is no longer just about compromising data and obtaining financial benefits, but about hiding complex targeted attacks, the result of which may be the implementation of events that are unacceptable for organizations: from the incapacitation of KII facilities, such as nuclear power plants, thermal power plants and power grids, to man-made disasters caused by accidents at industrial enterprises, and cases of political espionage.”

To protect a company from attacks using rootkits, Positive Technologies experts recommend using endpoint tools for detecting malicious activity and solutions such as PT Sandbox, which can identify malware both during installation and during operation. Rootkits can also be detected with a rootkit scanner, system integrity checks and analysis of network traffic for anomalies.



Vulnerability in WinRAR allows code to run without the user’s knowledge



To carry out an attack, you need to create a malicious Wi-Fi access point, hack a router, and spoof DNS.

Positive Technologies Igor Sak-Sakovsky discovered a dangerous vulnerability in the WinRAR file archiver. An issue identified as CVE-2021-35052 exists in the WinRAR web notifier, which is used to display trial period expiration messages. The vulnerability affects WinRAR versions prior to 6.02 beta 1.

To display a message about the expiration of the trial period, the web component redirects to an https:// address. The vulnerability allows a remote, unauthenticated attacker to intercept the requests this component sends and thereby carry out a man-in-the-middle (MITM) attack, create a backdoor, and even execute code remotely.

As the researcher explains, the vulnerability exists because the web notifier component uses an incorrectly configured webbrowser module.

According to Sak-Sakovsky, in order to carry out an MITM attack through this vulnerability, an attacker needs to create a malicious Wi-Fi access point, hack a router and spoof DNS, or be on the same network as the victim.

An attacker can use an SMB server to execute code remotely, but a blacklist of executable file extensions restricts this: when files with the bat, vbs, exe and msi extensions are run, a warning about a potentially malicious file appears and offers the user a choice of actions. However, since WinRAR has no automatic update mechanism and vulnerable versions are widespread, attackers can bypass these restrictions and hide the launch using old exploits for WinRAR or Microsoft Office.



Vodafone is suing the UK over a contract to develop a hacker-proof communication line



The company considers it unfair that the contract was awarded to Fujitsu, given that neither bidder met the requirements.

Mobile operator Vodafone has filed suit against the UK government after losing a tender to develop a hacker-proof communications system, in which the Japanese company Fujitsu also took part.

Although both bidders were found to have failed to meet the government’s minimum requirements, Vodafone believes Fujitsu was unfairly awarded a £184m ($254m) contract to improve the communications system used by 532 British embassies and other agencies.

The Echo 2 project aims to provide secure communications for the UK Foreign and Commonwealth Office, employees and agents in over 170 countries.

According to the government, the current communications system operated by Vodafone is “outdated” and poses a risk to national security.

Vodafone went to court after Cable & Wireless, which the operator acquired in 2012, lost its long-term contract for Echo 1.

“We do not believe that the procurement process was carried out correctly. The contracting authority itself admitted that the Fujitsu solution was ‘not fit for purpose,’” said a Vodafone spokesman.

According to foreign ministry lawyers, Fujitsu’s proposal had problems with two requirements, but generally met the terms of the tender. Fujitsu representatives did not comment on the situation.

The trial in this case is scheduled for January 2022. The court allowed the UK government to enter into a “conditional contract” with Fujitsu. The details of the contract were not disclosed due to security concerns.



FIN7 recruits specialists to carry out ransomware attacks



FIN7 created a fictitious information security company with the aim of hiring experts, ostensibly to conduct penetration tests.

It appears that the cybercriminal group FIN7 is trying to find a new source of income by joining the ranks of ransomware operators. In particular, FIN7 created a fictitious information security company with the aim of hiring cybersecurity experts, ostensibly to conduct penetration testing, but in fact to carry out ransomware attacks.

According to investigators at Gemini Advisory (a division of the information security company Recorded Future), the group posted hiring advertisements on the website of a company called Bastion Secure, allegedly specializing in providing penetration testing services to companies and organizations around the world. The “company” was interested in reverse engineering specialists, system administrators, and programmers with knowledge of C++, Python and PHP. The proposed salary ranged from $800 to $1,200 per month.

Gemini Advisory managed to gain insight into Bastion Secure’s work with the help of an “insider”. As it turned out, job seekers were asked to complete a three-stage interview, which, however, included no explanation or legal documents authorizing the penetration tests.

In the practical tasks, applicants were only allowed to use certain tools that security solutions did not detect, and were told to search for backups and file storage systems on the company’s network. At the same time, the tasks set “coincided with the steps taken in the preparation of ransomware attacks.” During the actual attacks, the Ryuk or REvil ransomware was installed, experts say.

The proposed testing tools included the Carbanak and Lizar/Tirion malware, which security experts have linked to FIN7 attacks.

This is not the first time the group has used fictitious companies to attract specialists. For example, a few years ago FIN7 set up a company called Combi Security that looked for pentesters to hack companies’ networks and install malware on PoS terminals.

Although creating and running fictitious companies is a laborious process, hiring an information security expert will cost FIN7 much less than partnering with hackers or hacker groups recruited through cybercriminal forums, which are likely to demand a share of the proceeds from ransomware attacks, the researchers explained.
