Hajime – What is the intent of this IoT Botnet?
In October 2016 the security research group at Rapidity Networks discovered a new malware family, called Hajime, with similarities to the Mirai botnet: it targets Internet of Things (IoT, or internet-connected) devices by scanning the Internet for devices exposing remote-login services and attempting to log in to them using known default username/password combinations. According to Symantec, Hajime is believed to have infected between 130,000 and 180,000 devices worldwide, with Brazil and Iran having the most infections, followed by Thailand and Russia. Industry partners have suggested that the number of infected UK devices currently stands at approximately 5,000.
Hajime is being compared to the Mirai malware for a number of reasons, including similarities between the initial infection vectors, the targeting of internet-connected devices, and the use of command and control (C2) infrastructure to send instructions to infected devices. Hajime differs, however, in that it adopts a decentralised peer-to-peer (P2P) model, built on the BitTorrent DHT protocol, in which communication and instructions are passed between infected nodes rather than through the traditional client-server architecture. This approach makes the malware considerably more resilient to takedown, because there is no single central server whose removal would cut the operators off from the botnet.
The Hajime malware also differs in that it has not, as yet, been observed carrying out any malicious activity. Researchers have hypothesised that the controllers could be waiting for more devices to be infected before launching an attack. A more recent theory is that Hajime has been created by a vigilante ("white hat") hacker who is targeting the same vulnerable devices as Mirai in order to deny Mirai a foothold; Symantec noted that once installed Hajime blocks access to ports 23, 7547, 5555 and 5358, which are commonly used as entry points by Mirai and similar IoT malware. Whatever the intent, the infected devices remain under the control of an unknown third party, and a backdoor installed for apparently benign reasons could later be repurposed.
Malware targeting IoT devices is not new, and as these products become more popular with consumers, manufacturers and suppliers should be aware of the risks and cyber threats posed when attention is not paid to IoT security, such as shipping devices with default credentials and remote management services exposed to the Internet.
See the NCSC website for guidance on malware prevention.
Insider steals employer’s proprietary trading code
A computer engineer has been charged with illegally exfiltrating the proprietary algorithmic trading model code from a global financial services firm headquartered in New York, where he worked. The code is used by the firm to generate income by predicting market movements.
From December 2016 to March 2017, the engineer took steps to conceal his presence in areas of the company's network that he was not authorised to access. He used separate areas of the network to stage over three million files, including unencrypted portions of the algorithmic source code, before exfiltrating them.
The motivation for this activity has not been conclusively reported, nor whether the individual acted alone or on behalf of another party. Criminal groups tasking insiders to exploit their legitimate access to corporate networks is a common occurrence. The exfiltration of this particular source code is significant because knowledge of how the trading platform makes its decisions could be used to manipulate it, allowing large sums of money to be stolen in a single attack. Alternatively, the intellectual property (IP) could be sold to a rival firm.
Companies can mitigate the insider threat by enforcing least-privilege access policies that restrict access to their most sensitive data, and by alerting on unusual activity, such as a user accessing network areas outside their role or reading files in far greater volume than their normal pattern.
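The alerting recommended above can be driven from ordinary file-server audit exports. The following is an added illustration, not code from the report or from the firm involved: it replays constructed audit records (one line per user, day and share, with the number of files read) and raises two kinds of alert, a user touching a share that never appeared in their baseline period, and a daily read volume that is both several standard deviations above and several times their baseline mean. The share names, record format, five-day baseline and thresholds are all assumptions chosen for the example.

```python
"""Flag insider-style anomalies in a file-access audit export (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit export (not real logs). Columns: date user share files_read.
# "alice" is steady on one share, then on 2017-01-11 reads tens of thousands of files
# and touches a share she has never used; "bob" stays within his normal pattern.
SAMPLE_LOG = """\
# date       user   share            files_read
2017-01-03 alice trading-src 412
2017-01-04 alice trading-src 430
2017-01-05 alice trading-src 390
2017-01-06 alice trading-src 410
2017-01-09 alice trading-src 420
2017-01-10 alice trading-src 380
2017-01-11 alice trading-src 9500
2017-01-11 alice research-models 14800
2017-01-03 bob hr-docs 50
2017-01-04 bob hr-docs 55
2017-01-05 bob hr-docs 45
2017-01-06 bob hr-docs 60
2017-01-09 bob hr-docs 50
2017-01-10 bob hr-docs 70
2017-01-11 bob hr-docs 65
"""


def parse_log(text):
    """Return (date, user, share, files) tuples, skipping blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, share, files = line.split()
        records.append((date, user, share, int(files)))
    return records


def detect(records, baseline_days=5, min_sigma=3.0, min_ratio=5.0):
    """Compare each user's later days against their first `baseline_days` days.

    Volume alerts require BOTH a z-score test (n > mean + min_sigma * stdev) and a
    ratio test (n > min_ratio * mean): the ratio test stops a perfectly flat baseline
    (stdev == 0) from alerting on a single extra file, and the z-score test stops a
    noisy baseline from hiding a genuine jump. New-share alerts fire for any share
    not seen during the baseline period.
    """
    daily = defaultdict(lambda: defaultdict(int))    # user -> date -> files read
    shares = defaultdict(lambda: defaultdict(set))   # user -> date -> shares touched
    for date, user, share, files in records:
        daily[user][date] += files
        shares[user][date].add(share)

    alerts = []
    for user in sorted(daily):
        dates = sorted(daily[user])
        base, later = dates[:baseline_days], dates[baseline_days:]
        if not later:
            continue  # not enough history to judge this user against
        counts = [daily[user][d] for d in base]
        mu, sigma = mean(counts), pstdev(counts)
        known_shares = set().union(*(shares[user][d] for d in base))
        for d in later:
            n = daily[user][d]
            if n > mu + min_sigma * sigma and n > min_ratio * mu:
                alerts.append({"user": user, "date": d, "kind": "volume",
                               "detail": f"{n} files read vs baseline mean {mu:.0f}"})
            for share in sorted(shares[user][d] - known_shares):
                alerts.append({"user": user, "date": d, "kind": "new_share",
                               "detail": share})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"{alert['date']} {alert['user']:<6} {alert['kind']:<10} {alert['detail']}")
```

Run against the sample, this produces two alerts, both for alice on 2017-01-11 (the volume spike and the first access to research-models), while bob's 70-file day passes the z-score test but not the ratio test and stays quiet. In practice the baseline would be rolling rather than fixed, and the alert would be enriched with the user's role so that access to a share outside that role is weighted more heavily.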
Hotpoint service site compromise
Recent reporting by the cyber security company Netcraft noted the compromise of domestic appliance manufacturer Hotpoint's UK and Irish service websites, which Hotpoint has since confirmed in a statement to the Register. Customers accessing the service website were reportedly presented with fake Java dialogs which, if clicked, redirected them to potentially malicious third-party websites, presenting a risk of malware infection. Netcraft noted that the compromise occurred shortly before the Easter weekend, suggesting that the timing may have been chosen deliberately to maximise its impact.
According to the company's statement, no customer data was compromised and the vulnerabilities were quickly resolved. Netcraft suggest that the site's WordPress installation may have been the point of entry. The NCSC provides guidance on minimising the exposure of WordPress sites, including applying security updates promptly to WordPress itself and to any plug-ins, installing only trusted plug-ins, and replacing default or easily guessed passwords.
There have been a large number of updates over the last week, thanks in part to Oracle's quarterly Critical Patch Update falling this week. Oracle's updates address multiple bugs across many of its products, from PeopleSoft, E-Business Suite, Financial Services and Java SE to MySQL, WebLogic and Solaris.
Both Mozilla and Google released updates for their browsers, Firefox and Chrome respectively, fixing multiple vulnerabilities, the most serious of which could allow remote code execution, and there were three updates for BIND.
Magento released an update to prevent the upload of arbitrary files and to block cross-site request forgery attacks by remote users. There were also a number of updates from Cisco for ASA, IOS and Unified Communications Manager, and Juniper released several updates for Junos.
On the virtualisation front there were updates this week for both VMware and VirtualBox.
Elsewhere this week there were updates for SquirrelMail, WatchGuard, Nessus, Wireshark and MantisBT.
On the Debian side this week saw updates for Firefox-ESR and ICU. ICS specific updates this week came from Belden Hirschmann, Schneider Electric and Wecon.