Slingshot malware uses cunning plan to find a route to sysadmins

If you’re trying to hack an organization then pwning the sysadmin's machine gives you the keys to the kingdom, and an advanced malware writer has found a clever way to do just that. The malware, dubbed Slingshot by researchers at Kaspersky Lab and showcased at the firm’s Security Analyst Summit, resides in Mikrotik routers – …

  1. elDog

    Sort of points out that winning against a multi-faceted adversary will never win

    The defensive position is to always look at what has worked in the past and stick one's fingers in that particular dike. Yes, you can be proactive but the corporate costs for this are far more than the costs for the perps.

    Reminds me a bit of one of the latest news stories about real attacks:

    The Yemeni government (supported by Saudi Arabia and the US among others) uses some version of the PATRIOT anti-missile system to try to protect assets.

    So these PATRIOT anti-missile batteries are being attacked by "home-made" (or perhaps Iranian) drones that attempt to take out the anti-missile defenses by swarming/jamming/attacking.

    The PATRIOTs were developed back in the days of semi-mobile artillery and when the imperial powers could control the skies. This is no longer the facts on the ground (as they say.)

    The adversaries will always be more nimble, more adept. The defenders will always be more localized/territorial. The losers will be mainly civilians and soldiers. The winners will be the architects of destruction.

    1. Mark 85

      Re: Sort of points out that winning against a multi-faceted adversary will never win

      The military quote of "if you're not mobile, you're a sitting duck" applies. The biggest problem after securing the gates to the kingdom (the HDD and data) is to figure what's coming next.

      1. Charles 9

        Re: Sort of points out that winning against a multi-faceted adversary will never win

        "The military quote of "if you're not mobile, you're a sitting duck" applies."

        Problem becomes, what if you don't have any choice BUT to sit?

    2. Anomalous Cowshed

      Re: Sort of points out that winning against a multi-faceted adversary will never win

      What you say is only correct because the defenders use standard processes that are predictable: "common practice". Once you depart from this predictability, an attack becomes much harder and potentially less effective.

      1. Trevor_Pott Gold badge

        Re: Sort of points out that winning against a multi-faceted adversary will never win

        "What you say is only correct because the defenders use standard processes that are predictable: "common practice". Once you depart from this predictability, an attack becomes much harder and potentially less effective."

        Yeah, and rolling your own crypto is a great plan. Pfffffft.

        Standard security processes and procedures actually do work, except against exceptional (read: statistically extremely unlikely) threats. The problem isn't standard security processes and procedures. The problems are lazy administrators who don't implement them, and companies that don't pay for them.

        You wake me up when you're running a fully containerized and microsegmented environment with complete data path inspection, automated baselining, baseline deviation sensing, and automated incident response that includes at the very least auto-quarantining.

        Unless and until you manage to get your security solutions to at least the above level, you have no place disparaging standard security procedures. If you understood today's IT security and were able to implement it, you'd understand the huge gap between today's best practices and the poor bastards cowering behind an edge router like it was 1993.

        1. Anonymous Coward

          Re: Sort of points out that winning against a multi-faceted adversary will never win

          "You wake me up when you're running a fully containerized and microsegmented environment with complete data path inspection, automated baselining, baseline deviation sensing, and automated incident response that includes at the very least auto-quarantining."

          YOU wake US up when you can achieve all you specify against a hostile board and a shoestring budget. THEN you'll have proof of being able to achieve proper levels of security in a more-typical real-world environment. And no, there are often no ships to jump to, either.

  2. Anonymous Coward

    What is Winbox Loader

    "we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router." ref

    "Winbox is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI. It is a native Win32 binary, but can be run on Linux and MacOS (OSX) using Wine." ref

  3. Anonymous Coward

    Eh?

    scesrv.dll shows up on two thirds of the Windows machines I've looked at.

    1. Daniel von Asmuth

      Re: Eh?

      Mikrotik runs RouterOS, which is a Linux distribution. The filename heavily suggests Windows code.

      1. bombastic bob Silver badge

        Re: Eh?

        "The filename heavily suggests Windows code."

        Right, and then the article mentions that the malware gains 'root access' suggesting NON-windows code...

  4. Anonymous Coward

    "The malware’s signature turned up in a seemingly innocent file on another computer labelled scesrv.dll."

    umm why isn't the computer running a tripwire for the libraries and executables...?

    why is the router fs mounted r/w under operation?

    why isn't the signature of the winbox loader checked and verified before execution?

    why are you trusting self-signed certs that aren't worth sh!+ instead of a CA or robust checksum?

    On my router if anything changes it's logged to a console on the audit server and logged both in caps and in red and an audible alarm is launched. The internet connection is brought down and a thorough examination takes place before it goes up. Worst case scenario is a reflash and reload of the config, with a mod to the firewall appliance for the future.
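One way to implement the library/executable tripwire this commenter asks for, as an added example that is not from the article or from any commenter: record a SHA-256 baseline of the monitored files, re-scan later, and report anything added, removed or modified. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large binaries stay off the heap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".dll", ".exe", ".sys")):
    """Map relative POSIX path -> SHA-256 for every monitored file under root.

    Only executable/library suffixes are tracked; data files are ignored so
    routine writes (logs, documents) do not raise alarms.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline, current):
    """Diff two baselines: added, removed and modified relative paths (sorted)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, then tamper with it and re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        (root / "system32" / "scesrv.dll").write_bytes(b"constructed legit bytes")
        (root / "system32" / "kernel32.dll").write_bytes(b"constructed legit bytes 2")
        (root / "readme.txt").write_bytes(b"not monitored")
        baseline = build_baseline(root)

        # Simulated changes the commenter wants alarmed on: one library
        # replaced in place, one new library dropped, one library removed.
        (root / "system32" / "scesrv.dll").write_bytes(b"constructed replaced bytes")
        (root / "system32" / "dropped.dll").write_bytes(b"constructed new file")
        (root / "system32" / "kernel32.dll").unlink()

        report = compare(baseline, build_baseline(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"ALERT {kind.upper()}: {p}")
        return report


if __name__ == "__main__":
    demo()
```

In production the baseline would be stored off-box (the commenter's audit server) and the comparison scheduled, so that an attacker who modifies the host cannot also silently rewrite the reference hashes.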

    1. Anonymous Coward

      So they develop an exploit that bypasses the logger and in turn disables it and all your defenses before taking over. Unless you're sure your defenses cannot be breached (which you cannot), you can't be sure someone knows how to tunnel even under the bedrock. Plus, routers are embedded devices with limited resources. Security comes second to just getting the bloody job done.

  5. This post has been deleted by its author

    1. Jeffrey Nonken

      Re: For sysadmins, paranoia is part of the job description.

      "This is why I like to keep a separate PC for sysadmin-related stuff, which is wiped clean on a regular basis. Of course, that does cost a bit extra ..."

      The cost of one extra PC and a hard drive? My thought is that you could keep a reference clean-install hard drive around, then clone it over the "dirty" drive periodically. Only boot off the reference drive if you need to make changes, and then only in an isolated environment. No... to a clone of the drive, too, so you still have the older reference in case something goes wrong.

      Ok, so, multiple hard drives over time.

      Sorry, thinking out loud here. Probably sounds naive to somebody who does this for a living.

      1. Anonymous Coward

        Re: For sysadmins, paranoia is part of the job description.

        The cost of one extra PC and a hard drive? My thought is that you could keep a reference clean-install hard drive around

        Re-writeable boot drives would appear to be a big part of the problem for corporations. Yes, of course there's still memory resident infections, BIOS and firmware threats to consider, but for high security systems, why on earth allow the OS to rewrite the boot drive including its own executables and DLLs whenever it likes? That's a huge open goal, when all the things you'd want an OS to record by writing could be put on a separate writeable drive.

        So secure boot image, copied to an optical drive read-once drive, boot from that, and record whatever to a separate writeable drive, including test and verification elements.

    2. Crypto Monad Silver badge

      Re: For sysadmins, paranoia is part of the job description.

      This is why I like to keep a separate PC for sysadmin-related stuff, which is wiped clean on a regular basis. Of course, that does cost a bit extra ... but, then again, so does cleaning up after a security breach.

      Or for less hardware, use disposable VMs, in an outer environment which is not reachable from the network. Qubes-OS packages this up nicely for you.

      Yes, hypervisor break-outs have been known; but at least this approach gives you a way to fire up disposable VMs as often as you like.

  6. Doctor Syntax Silver badge

    "the software suggest it was developed by an English speaker. Kaspersky thinks that the amount of time and money it would have taken to write Slingshot strongly suggests it was developed by a nation state."

    You can see why the US govt. really hates Kaspersky.

    1. Anonymous Coward

      @Doctor Syntax

      Interesting that you trust Kaspersky's word for it, given that they were p0wned by the FSB. Remember, that is how the NSA tool set got into the wild. Nghia Hoang Pho took it home, he had Kaspersky on his home machine, which uploaded it to Kaspersky's servers. Kaspersky claims they deleted the tool kit as soon as they recognized what it was. Yet the FSB "somehow" got it and released it into the wild. That is why the US Government banned Kaspersky from their machines & "hates" Kaspersky.

      1. Anonymous Coward

        Re: @Doctor Syntax

        Ok Mr. Clapper, we believe you.

        1. Anonymous Coward

          @troland

          Not too bright, are you? The "Nghia Hoang Pho took it home, he had Kaspersky on his home machine, which uploaded it to Kaspersky's servers. Kaspersky claims they deleted the tool kit as soon as they recognized what it was." is Kaspersky's own version of events.

          https://www.theregister.co.uk/2017/12/02/nsa_tao_exploit_leak_guilty/

    2. Anonymous Coward

      I don't buy it

      Claiming this is an example for why the US govt hates Kaspersky is implying that all other malware companies are working with the US government to hide CIA/NSA created malware from detection. Do you really believe that to be the case?

      Anyone selling malware who cooperated with the US government to hide US malware would be out of business if that was revealed, so such cooperation is an extreme risk. Who would ever trust that company to defend their PC after that, regardless of what promises they made?

      No US company should want to risk undetected malware sitting on their PCs. Even if they (stupidly) trusted their own government, what guarantee would they have that this US sponsored malware hadn't been compromised by other countries, or that this malware doesn't block fixes to other exploits that patches were supposed to close?

      Such a revelation would be pretty much an eventual certainty, given how often US government secrets have escaped i.e. Manning, Snowden, etc. Given the Trump administration's even more lax handling of classified data than Clinton, things are only going to get worse for the US government's ability to keep a secret.

      1. This post has been deleted by its author

      2. Anonymous Coward

        @DougS - Re: I don't buy it

        I buy it! Remind me please in which country a large telecom provider was asked and accepted to close their eyes and allow the redirection of Internet traffic through a special device outside their control? Or in which country a major security vendor was asked to use a certain weakened encryption protocol which accidentally was imposed as a federal standard? And what were the consequences when the information leaked? How many clients did those companies lose?

    3. tom dial Silver badge

      There are quite a few non-US speakers of English, which stands third behind Mandarin and Spanish. Many more speak it as a second language, some of them very well, especially when it comes to the written language that might show up in code.

      The US government may be wary of Kaspersky because of its Russian domicile and the possibility that they collaborate with the government they live under or, more likely that they have been penetrated by that government.

      1. Mark 85

        The US government may be wary of Kaspersky because of its Russian domicile and the possibility that they collaborate with the government they live under or, more likely that they have been penetrated by that government.

        The same could be said then for any company collaborating with the country they live under. For the US to assume Kaspersky is co-operating says more about what the US spymasters are doing than what Kaspersky is doing or has done.

    4. Anonymous Coward

      "...suggest it was developed by an English speaker." (UK then)

      That rules out most USA-based coders.

      Because there spelling is atrosious.

      1. Likkie

        Re: "...suggest it was developed by an English speaker." (UK then)

        "...Because there spelling is atrosious."

        Please, let that be intentional :)

  7. Norman Nescio Silver badge

    Kaspersky and plausible deniability

    Kaspersky need not be voluntarily co-operating with the FSB for the FSB to have got a copy of the uploaded TAO tools.

    Many people assume the NSA are recording much Internet traffic as it passes through USA-controlled routing centres. It is not unreasonable to assume other countries' signals intelligence services to be doing the same for Internet traffic passing through nodes that come under their jurisdiction, or through nodes where they have an agreement to do such monitoring. If, as an intelligence service, you knew a popular anti-virus vendor were uploading suspected malware to a server through a node monitored by you, it would very likely be a high-value source to be recorded - and this would need neither the cooperation of, nor knowledge of, the anti-virus vendor in question. The anti-virus vendor could make things difficult by using (public key) cryptography to encrypt the upload, at which point (in the USA) a National Security Letter (NSL) could be issued to obtain the relevant keys. Receipt of such NSLs cannot be disclosed. I would be unsurprised to find a similar mechanism is in operation in Russia. Note that the head of the company might not even be allowed to know that such a letter had been issued - and it might need only one person in charge of key management for a company to be issued such a letter. So I would not be quick to accuse Kaspersky of being a willing (or even knowing) accomplice of the FSB or any other security service.

    Given the capabilities and privileges of most anti-virus/anti-malware software, you might want to think hard about which country's signals intelligence service you would be happy to share any and all information on your (Internet-attached) computer with, and govern your choice accordingly. The software vendor will have little choice over whether they share things with the intelligence services of their host country.

    For most people, this is not an issue to be concerned about. However, if you work in industries like defence or 'dual-use' technological areas where things like the Wassenaar Arrangement apply, it becomes a very relevant headache.

    1. tom dial Silver badge

      Re: Kaspersky and plausible deniability

      I don't use Kaspersky software for AV, but it has been generally respected for some years and has not, as far as I know, been found to be defective or unfit for purpose. Knowing practically nothing about it, I conjecture that anything it uploads from a customer's equipment is encrypted using cryptographic algorithms and protocols generally considered secure.

      That does not guarantee that they have not been compromised or are trustworthy. Security is hard, as many have found. It is possible that the encryption Kaspersky uses, assuming they do, or their servers, have been compromised. It is possible also that they have a careless or rogue employee. And although it is much less likely in view of their business interest, it is possible that they are cooperating with their government, as companies sometimes do.

    2. Anonymous Coward

      Re: Kaspersky and plausible deniability

      > So I would not be quick to accuse Kaspersky of being a willing (or even knowing) accomplice of the FSB or any other security service.

      Problem is, Evgenyi Kaspersky attended, and graduated from, the KGB Higher Technical School in Moscow, and then went on to work for the GRU.

      Prior to the dismantling of the good ol' USSR, the KGB Higher Technical School was part of the Felix Dzherzhinsky KGB University.

      So, while it may be moderately interesting to wax philosophical about Kaspersky Lab's theoretical plausible deniability, in reality there is no plausible deniability available here. Kaspersky Lab's direct connection to the FSB/GRU/SVR has existed from Day One of its existence, and continues to exist today. Evgenyi Kaspersky is still the CEO of Kaspersky Lab.

      There is no need for the FSB/GRU/SVR to issue the Russian equivalent of a NSL to Kaspersky Lab. The only thing they have to do is tell Evgenyi Kaspersky what to do. That would be an order.

  8. Anonymous Coward

    non-cloud-based antivirus toolkits?

    The comments have already gone off the rails, so I'll go a little further with this question. The AC linked article above has in its last paragraph:

    " Meanwhile, British spies at surveillance nerve center GCHQ today warned Brits to be wary of cloud-based antivirus toolkits."

    Are there any non-cloud-based antivirus toolkits these days?

    1. Anonymous Coward

      Re: non-cloud-based antivirus toolkits?

      Not really. Most require at least SOME periodic central update, and because of the way they're designed they have poor reaction times to new threats that aren't known even to heuristic methods.

    2. Norman Nescio Silver badge

      Re: non-cloud-based antivirus toolkits?

      Are there any non-cloud-based antivirus toolkits these days?

      Please don't take this as a recommendation, but Clam AV is a possibility. It is Free, Libre, Open Source Software, so in principle can be reviewed by somebody with appropriate skills. Downsides are that it might be less effective for your purposes than the market leaders, and the key developers all work for Cisco, which means the intelligence services of the USA might have a means of influencing it in subtle, or not-so-subtle ways. This might or might not be a consideration in your line of work. For most, it probably isn't.

      It is probably best to take heed of any recommendations (if any) made by your country's intelligence services. They will have experts whose job it is to do evaluations of this sort of thing, and it probably means you can tick the right boxes if your decisions are audited.

  9. Bitsminer Silver badge

    State-sponsored and only a few hundred infections?

    Seems like a typical govt mess: $ per victim is huuuuge just huuuuge.

    On the other hand, six years under the radar and only found accidentally.

    Seems like there are varying degrees of sophistication even from the "same" "actors".

    1. cbars Bronze badge

      Re: State-sponsored and only a few hundred infections?

      I might be misinterpreting your comment, but if you're implying a high cost per infection is a bad thing, think of it like a super car. It's just not the point, nation states don't have the same goals as the 'entrepreneurial' malware writers.

      As you rightly state, they were staying under the radar and that's MasterCard: priceless. Every day you do it your investment is paying off, if you get discovered then your code might as well go in the bin as the targets are not tech shy consumers who will continue presenting vulnerable attack surfaces... well, not for as long.

      Edit: they're still all bastards though. Thieves lurking in the shadows; FOAD

  10. Anonymous South African Coward Bronze badge

    Time for a Linux distro with a WINE environment (and Winbox etc preinstalled) which you can boot from a CD then?

    Meaning you will have to make a plan with exporting the Mikrotik configuration to a separate and well-marked memory stick/flash disk/external hard drive/whatever just to have a backup of your running configs.
