How ‘Slingshot’ Router Malware Lurked for Six Years


No Link to Known APT Group Cited, But Attackers Appear to Like Tolkien

Source: Kaspersky Lab

Kaspersky Lab says it has uncovered an elegant piece of malware that in part leveraged a Latvian-designed router as part of a stealthy attack campaign that has persisted for over six years.


The Moscow-based security firm hints that the engineering behind the malware, dubbed Slingshot, could only have been accomplished by a well-resourced attacker. But it stopped short of naming one.

Kaspersky gives Slingshot high praise, putting it on a level with Regin and Project Sauron.

The security firm says it’s identified at least 100 victims of Slingshot, mostly in the Middle East and Africa. Close to half of the victims were in Kenya, with the rest in places including Yemen, Libya, Afghanistan, Iraq, Tanzania, Jordan, Mauritius, Somalia, Democratic Republic of the Congo, Turkey, Sudan and the United Arab Emirates.

According to a 25-page technical paper published by Kaspersky Lab, Slingshot’s framework was designed for flexibility and reliability, which is why it has flown under the radar since 2012.

“The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor,” the company writes.

Latvian Routers

Kaspersky wasn’t able to determine the vector that resulted in the infection of most of Slingshot’s victims. But it did figure out one: routers from Latvian computer networking equipment manufacturer MikroTik.

For some time, MikroTik’s router firmware downloaded other components directly onto Windows computers. That was the expected behavior at the time, although MikroTik has since modified its software.

The tip-off came as Kaspersky was investigating a suspected keylogger. The company came across a malicious library that could interact with the virtual file system.

MikroTik included router management software called Winbox, which downloaded dynamic link libraries and loaded them directly into a computer’s memory. The attackers managed to swap a legitimate DLL for a malicious downloader that ended up on victims’ computers.

Kaspersky writes that the malicious downloader was exactly the same size as the legitimate one. Once the DLL has loaded the other malicious modules – a kernel-mode module called Cahnadr and a user-mode module called GollumApp – the original DLL, which had been deleted, is put back in place.
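The same-size swap described above is why a loader must pin a hash rather than trust a file size. The following Go program is an added illustration, not code from Kaspersky’s report, MikroTik or Winbox; the module name ipv4.dll comes from the article, while the module bytes, sizes and allowlist are constructed stand-ins:

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sample builds a constructed module image of exactly size bytes from a tag (stand-in for DLL contents).
func sample(tag string, size int) []byte {
	return bytes.Repeat([]byte(tag), size/len(tag)+1)[:size]
}

// Constructed stand-ins: the swapped-in downloader is byte-for-byte the same size as the legitimate module.
var (
	legitIPv4DLL  = sample("legit-ipv4-dll:", 4096)
	trojanIPv4DLL = sample("malicious-downloader:", 4096)
	// Allowlist of expected SHA-256 per module name; derived from the sample here, pinned at build time in practice.
	allowedHashes = map[string]string{"ipv4.dll": sha256Hex(legitIPv4DLL)}
)
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CheckModule reports whether a size-only check and a pinned-hash check would each accept the blob.
func CheckModule(name string, blob []byte, expectedSize int, allow map[string]string) (sizeOK, hashOK bool) {
	sizeOK = len(blob) == expectedSize
	hashOK = allow[name] != "" && allow[name] == sha256Hex(blob)
	return sizeOK, hashOK
}

// LoadDecision is the loader's policy: load only when the pinned hash matches, whatever the size says.
func LoadDecision(name string, blob []byte, expectedSize int, allow map[string]string) string {
	sizeOK, hashOK := CheckModule(name, blob, expectedSize, allow)
	switch {
	case hashOK:
		return "load"
	case sizeOK:
		return "reject: size matches but hash does not (same-size swap)"
	default:
		return "reject: unexpected size and hash"
	}
}

func main() {
	fmt.Println(LoadDecision("ipv4.dll", legitIPv4DLL, 4096, allowedHashes))
	fmt.Println(LoadDecision("ipv4.dll", trojanIPv4DLL, 4096, allowedHashes))
}
```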


GollumApp, named after a character in “The Hobbit,” collects network-based information, handles input/output requests for the encrypted file system, collects saved passwords in Firefox and Internet Explorer and logs keystrokes or pulls information from the clipboard, among other functions.

MikroTik Exploit

Kaspersky says it hasn’t been able to identify how MikroTik’s routers were initially infected in order for the attackers to abuse Winbox’s behavior. But it does note that suspected CIA tools contained in WikiLeaks’ Vault7 dump do mention an attack related to MikroTik.

The exploit is called ChimayRed. After it became public, MikroTik issued a statement saying that it had released a new version of its router firmware, RouterOS 6.38.4, that should remove any malicious files in devices that had been compromised.

However, one of the victims studied by Kaspersky ran version “6.38.5 of the firmware, making it unclear whether this version is still vulnerable or if attackers used a different one,” the security firm writes.

“We contacted MikroTik and reported this attack procedure,” it adds. “According to MikroTik, latest versions of Winbox no longer download the ipv4.dll file from the router, closing the attack vector.”

In a March 2017 posting to its own forum, MikroTik says it was unable to obtain the exploit from WikiLeaks. But it did note that ChimayRed was only effective if the firewall on port 80 had been disabled. The firewall is active by default.

Nod to J.R.R. Tolkien

Kaspersky steered away from attempting to guess the identity of Slingshot’s authors – a wise move given enduring controversies over attributing attacks in the murky cyber-espionage world.

But Kaspersky does say that Slingshot doesn’t appear to have any links to other so-called advanced persistent threats.

The only definitive conclusion is that whoever designed the malicious code appears to have been a fan of J.R.R. Tolkien’s fantasy novels. They also had good grammar skills.

“Most of the debug messages found throughout the platform are written in perfect English,” Kaspersky Lab writes. “The references to Tolkien’s ‘Lord of the Rings’ – Gollum, Smeagol – could suggest the authors are fans of Tolkien’s work.”

Blockchain for Identity Management: It’s Years Away


Why It Doesn’t Fix Long-Running Access Management Problems

The blockchain has supported nearly 500,000 unique daily bitcoin transactions. Can it do the same for identity and access management?

Technologists are wrangling with an identity puzzle: Is it possible to create a single digital identity that can be seamlessly and securely used at a bank, a hospital or consumer websites?


It’s the holy grail of identity. The way identity information is collected and stored today is not only inefficient but risky: Hackers have had astounding success targeting centralized stores of personal data, as Equifax’s breach showed (see Equifax: Breach Exposed Data of 143 Million US Consumers).

“It’s unreal how careless we are with this stuff [data] that’s worth more than crude oil,” says Steve Wilson, vice president and principal analyst at Constellation Research in Sydney.

Many see the future of identity in the use of blockchain technology, the distributed computing network and ledger that verifies the transfer of a bitcoin from one computer to another.


Blockchain is the technology industry’s term du jour. That’s due to the meteoric rise in the price of bitcoin, which has elevated a once-obscure distributed computing technology to a market mover.

When Kodak announced earlier this month a blockchain-centered digital rights platform and virtual coin, its stock price jumped three-fold. The Long Island Iced Tea company, whose drink sales have flagged, has renamed itself Long Blockchain, with plans to mine cryptocurrency. Its shares also jumped dramatically in price.

Self-Sovereign ID

But blockchain has appealing traits for identity: Rather than lodging a virtual currency transfer, it’s possible to embed identity information in the ledger. The broad vision is a blockchain could be a tamper-proof reference point to verify personal data without having to expose the actual data to a service provider.

Consumers would be in control of their identity information, a concept referred to as self-sovereign identity. That reduces the chance that a data breach would spill their details all over the internet.

But many analysts contend that it will be years – if not decades – before blockchain-like technologies may be used for identity at scale.

“When I talk to people who really understand what blockchain-based technology is about, they will quite openly say we’re talking about 10- to 20-year time frames here,” says Martha Bennett, a principal analyst with Forrester who has been studying the area for three years.

Who Are You?

The blockchain behind bitcoin is aimed at solving one problem: ensuring that a bitcoin isn’t spent twice, or the “double spend” problem.

Bitcoin is based on public key cryptography. A bitcoin is essentially just a 32-character secret private key that is stored in a wallet, which is represented by a public key. Bitcoin’s blockchain cryptographically verifies transactions, preventing the same private key from being fraudulently spent.

Bitcoin’s blockchain doesn’t care which parties are exchanging virtual currency, where they live, when they were born and whether they’ve been convicted of fraud before.

That’s where using blockchain for identity gets sticky: It may be a virtual stone tablet to record data, but it doesn’t solve the main problem around identity: Are you who you say you are? It’s the age-old problem with identity.

For a blockchain-enabled system, entities would have to vet, say, someone’s passport to ensure it is legitimate. That information could then be put on a blockchain in an obfuscated format for other parties to check. But the parties checking the information also have to trust the entity that vetted it.

Who is responsible for vetting data and is liable if it’s fraudulent is where federated identity projects have become stuck in the past, says Avivah Litan, a vice president and distinguished analyst at Gartner.

“It’s never been a technology problem,” Litan says. “Federated identity management has always been a business issue.”

Technology and business issues aside, Bennett says regulatory frameworks may have to be revised to make it possible for a company to simply look at a hash in a blockchain as proof of ID, relying on another party to make a judgment on its authenticity.

“All you need is one money laundering case or fraud case and the whole thing blows up,” Bennett says.
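To make concrete the arrangement described above, where a vetting entity puts an obfuscated form of a checked document on a chain and a relying party later looks at that hash as proof of ID, here is an added Go sketch (not from any of the analysts or projects quoted) of a salted commitment on a simulated ledger, signed by the vetting issuer and checked by a relying party against its own trusted-issuer set. The keys, the sample attribute value and the ledger structure are assumptions; the point it demonstrates is the article’s: a matching hash alone proves nothing until the relying party decides to trust whoever vetted it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LedgerEntry is the on-chain record: a salted hash of the vetted attribute plus the vetting issuer's signature.
type LedgerEntry struct {
	Commitment []byte
	Issuer     ed25519.PublicKey
	Signature  []byte
}

func commit(attribute, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, attribute...), salt...))
	return h[:]
}

// Issue models the vetting entity after it has checked, say, a passport out of band; the salt goes privately to the holder.
func Issue(priv ed25519.PrivateKey, attribute []byte) (LedgerEntry, []byte) {
	salt := make([]byte, 16)
	rand.Read(salt)
	c := commit(attribute, salt)
	return LedgerEntry{c, priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, c)}, salt
}

// Verify is the relying party's check: hash must match the disclosed value, signature must be valid, issuer must be trusted.
func Verify(e LedgerEntry, attribute, salt []byte, trusted map[string]bool) error {
	if !bytes.Equal(commit(attribute, salt), e.Commitment) {
		return errors.New("disclosed attribute does not match ledger commitment")
	}
	if !ed25519.Verify(e.Issuer, e.Commitment, e.Signature) {
		return errors.New("ledger entry signature is invalid")
	}
	if !trusted[string(e.Issuer)] {
		return errors.New("commitment checks out, but its issuer is not trusted")
	}
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	e, salt := Issue(priv, []byte("passport:X1234567")) // constructed sample attribute
	fmt.Println(Verify(e, []byte("passport:X1234567"), salt, nil)) // empty trust set: rejected
}
```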

Consumer Usability

Even if the business issues around blockchain trust are ironed out, there are long-running access management problems that blockchain doesn’t solve, such as key management.

Individuals need to prove they own identity information using some form of private digital signature, either embedded in an ID card or stored electronically. Many governments already have had successful digital ID programs that do this. But using a blockchain to store information doesn’t necessarily make the administration of those systems any easier.

“There would be too many cases where you would need an administrator to roll back some transaction or grant access to someone who has locked themselves out of their digital identity,” says Ivan Niccolai, a blockchain and identity management researcher who works as a senior security architect with the security consultancy Zimbani.

There’s also the task of explaining self-sovereign ID and blockchain to the public.

“You just go to a conference in Silicon Valley or to a blockchain meetup in Sydney and you talk about self-sovereign identity and everyone nods,” Bennett says. “You go to a Walmart somewhere in the Midwest on a Saturday afternoon and talk about self-sovereign identity, I’m not so sure.”

Malware Writer Allegedly Spied on Computers for 13 Years


Justice Department Accuses Ohio Man of Authoring ‘Fruitfly’ Malware

Source: Justice Department, Synack

One year ago, a malicious program for Mac surfaced nicknamed Fruitfly. The malware was an oddball in the context of modern malware: It used Perl, a programming language first developed in the late 1980s.


Fruitfly, experts say, appeared to be designed to spy on Apple Macs. As security experts began analyzing Fruitfly, it turned out that law enforcement was on the heels of its author (see Mac Malware Targets Biomedical Institutions).

The Justice Department on Wednesday announced the indictment of Phillip R. Durachinsky, 28, of North Royalton, Ohio. He was charged with 16 counts in federal court, including violating the Computer Fraud and Abuse Act, plus wire fraud, aggravated identity theft, illegal wiretapping and child pornography.

Prosecutors allege that Durachinsky spied on computers for more than 13 years, from 2003 through early last year. He is accused of developing Fruitfly for both Apple macOS and Microsoft Windows.

The indictment against Durachinsky.

Durachinsky spied on thousands of people, plucking millions of photos and other sensitive data from their computers, while keeping “detailed notes of what he observed,” according to the indictment.

“Defendant used his access to Fruitfly victims’ computers to collect and save personal data from Fruitfly victims including tax records, medical records, photographs, internet searches performed, banking records and potentially embarrassing communications and data,” the indictment says.

Aside from personal computers, Fruitfly was discovered on a computer run by a subsidiary of the U.S. Department of Energy, one police department, as well as schools and businesses. Security firm Malwarebytes last year also found that the malware had infected biomedical research institutions.

Odd Malware Specimen

Fruitfly proved to be such an odd malware specimen that Patrick Wardle, chief security researcher for the vulnerability testing firm Synack, undertook deep research into it.

Def Con 25 presentation: Patrick Wardle talks offensive malware analysis as he dissects OS X Fruitfly.

Wardle reverse-engineered the command-and-control infrastructure for a “B” variant of Fruitfly, finding that at least 400 computers were infected with it and that the malware had been around for at least five years. In a finding that proved prescient, about 20 percent of the infected machines were in Ohio.

In July 2017, Wardle presented his findings at the Def Con security conference in Las Vegas. His presentation focused on creating a custom command-and-control system for someone else’s malware in order to better analyze it (see Mac ‘Fruitfly’ Infections More Numerous Than Believed).

Screenshot from Patrick Wardle’s Fruitfly Def Con presentation.

Wardle concluded that Fruitfly “was created by a hacker or some malware author to basically spy on victims for perverse reasons, which kind of sucks.”

That’s exactly what prosecutors now allege.

“In certain cases, the Fruitfly malware alerted defendant if a user of an infected computer types certain words associated with pornography,” the indictment says. “Defendant used the Fruitfly malware to watch and listen to Fruitfly victims without their knowledge or permission.”

Durachinsky has also been charged with using minors to engage in sexually explicit conduct.

Live Victim Feeds

It’s still unclear how Fruitfly ended up on computers. But it was a Swiss Army knife type of malware, capable of logging keystrokes, capturing authentication credentials, taking screenshots and turning on the camera and microphone, according to the indictment.

Fruitfly had a control panel that also allegedly allowed Durachinsky “to view live images and data from several infected computers simultaneously,” the indictment says.

To store the information and obscure the activity, Fruitfly needed bandwidth and storage. Once he captured login credentials for Fruitfly-infected machines, Durachinsky is accused of creating virtual machines on those computers.

“Defendant used certain Fruitfly victims’ computer networks to access sufficient bandwidth to allow the Fruitfly malware to infect protected computers,” not only in Ohio but worldwide, the indictment reads.

Recalling 9 Years of Cybersecurity News and Analysis

This edition of the ISMG Security Report is devoted to producer/host Eric Chabrow’s recollection of the evolution of cybersecurity news and analysis during his nine years at Information Security Media Group. Chabrow is retiring after 45 years in journalism.

ISMG Senior Vice President for Editorial Tom Field interviews Chabrow, who also served as executive editor of GovInfoSecurity and InfoRiskToday. Topics include:

  • The evolution of U.S. cybersecurity policy;
  • Memorable interviews with information security and government thought leaders;
  • A look ahead at issues that will continue to challenge decision makers in 2018.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Check out our Dec. 26 and Dec. 29 editions, which respectively analyze collaborating on the cybersecurity “moonshot” and the top five cybersecurity trends of 2018.

The next ISMG Security Report will be posted on Friday, Jan. 5, with a new host and producer, Joan Goodchild.

Theme music for the ISMG Security Report is by Ithaca Audio under a Creative Commons license.