Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
Old 25-11-2014, 12:51   #1
Ignitionnet

Quote:
A highly advanced malware instance said to be as sophisticated as the famous Stuxnet and Duqu has been detected. "Regin" has security researchers opining it may be nastier than both.

"Regin" malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity. The malware targets organisations in the telecommunications, energy and health sectors.
http://www.theregister.co.uk/2014/11/24/regin/
http://www.theregister.co.uk/2014/11..._silent_about/

This beastie 'does' GSM networks too, and is suspected to be behind the Belgacom hacks and to have been used to pwn the European Commission, amongst a number of other targets.

QTX - a gift for you - password is 'infected'.

Rest of you, that's a link to the Regin modules found thus far in the wild - do you really want that on your computer? If you do, stick it in a VM on a sinkholed network. If you need to Google what a VM on a sinkholed network is, leave it alone.
Old 25-11-2014, 17:25   #2
qasdfdsaq

I'm always surprised how little publicity GSM's vulnerabilities get given how easily they can be 'done'; it was possible on my consumer laptop ten years ago.

By the sounds of things, though, this malware doesn't actually do any RF-level tapping into GSM networks; it just happens that some of the target organizations have been operators. The networks themselves don't tend to run on vulnerable x86 systems to begin with.
Old 25-11-2014, 17:35   #3
Ignitionnet

Quote:
Originally Posted by qasdfdsaq
I'm always surprised how little publicity GSM's vulnerabilities get given how easily they can be 'done'; it was possible on my consumer laptop ten years ago.

By the sounds of things, though, this malware doesn't actually do any RF-level tapping into GSM networks; it just happens that some of the target organizations have been operators. The networks themselves don't tend to run on vulnerable x86 systems to begin with.
It has at least one module specifically to attack Base Station Controllers. Nothing at RF level.

Playing games with mobile networks over the air is business-as-usual stuff for these guys when required, I imagine.
Old 26-11-2014, 02:24   #4
qasdfdsaq

But BSCs don't run Windows... How does that work?
Old 26-11-2014, 08:42   #5
Ignitionnet

Quote:
Originally Posted by qasdfdsaq
But BSCs don't run Windows... How does that work?
It's an espionage kit. One of the modules sniffed Ericsson OSS traffic.

Perhaps 'attack' was a bad word to use, although if it was able to sniff commands there's no reason to think it couldn't insert them too. In fact, re-reading the paper, it's unclear whether this thing was issuing the commands or simply sniffing them.
Old 23-09-2016, 14:22   #6
Qtx

NSA firewall exploits for Fortinet, Cisco etc are here along with some of the implants: https://mega.nz/#!zEAU1AQL!oWJ63n-D6...7MEsa1iLH5UjKU

Nice and safe Python files, which are really well commented too. Some need you to already have a telnet username/pass, which is easy if you can monitor world communications but less useful for everyone else unless you sniff a local network. Others might be more useful, such as the one below.


The files are PGP-encrypted with AES256, so to decrypt on Linux you do: $ gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg


For Windows, there's probably a nice GUI to do the same thing somewhere.


Password = theequationgroup


The Shadowserver Foundation has conducted a scan of the Internet for CISCO devices running IOS software affected by the CVE-2016-6415 vulnerability.

Recently experts from CISCO discovered a vulnerability, tracked as CVE-2016-6415, in the IOS system, while investigating the Equation Group's exploits leaked by the Shadow Broker hacker group. In particular, experts from CISCO were evaluating the impact of the BENIGNCERTAIN exploit. The experts also discovered another zero-day exploit dubbed EXTRABACON that could be used to hack CISCO ASA software.
CVE-2016-6415 resides in the IKEv1 packet processing code. A remote, unauthenticated attacker could exploit it to retrieve memory contents.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.
The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.


http://securityaffairs.co/wordpress/51505/security/cve-2016-6415-impact.html
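A defender's triage of a device inventory against the version ranges quoted in the post above, as an added example that is not part of Qtx's post or the cited article. The hostnames and version strings are constructed, and anything the page does not enumerate (classic IOS "various versions", older IOS XR trains) lands in a 'review' bucket rather than being guessed:

```python
# Added example (not from the post): triage a device inventory against the
# CVE-2016-6415 ranges quoted above (IOS XR 4.3.x-5.2.x affected, 5.3.0+ not;
# all IOS XE affected; classic IOS "various versions" flagged for review).
AFFECTED_XR_TRAINS = {(4, 3), (5, 0), (5, 1), (5, 2)}

def parse_version(text):
    """'5.2.4' -> (5, 2, 4); trailing letters such as '5.2.4a' are tolerated."""
    parts = []
    for component in text.strip().split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable component {component!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)

def classify(platform, version):
    """Return 'affected', 'not_affected' or 'review' for one device."""
    plat = platform.strip().upper().replace("-", " ")
    if plat == "IOS XE":
        return "affected"          # post: all IOS XE releases are affected
    if plat == "IOS XR":
        v = parse_version(version)
        train = v[:2] if len(v) >= 2 else (v[0], 0)
        if train in AFFECTED_XR_TRAINS:
            return "affected"
        if train >= (5, 3):
            return "not_affected"  # post: 5.3.0 and later are not impacted
        return "review"            # older trains are not mentioned on the page
    return "review"                # classic IOS ("various versions") or unknown

def triage(inventory):
    """Group hostnames by classification; inventory rows are (host, platform, version)."""
    buckets = {"affected": [], "not_affected": [], "review": []}
    for host, platform, version in inventory:
        buckets[classify(platform, version)].append(host)
    return buckets

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("core-rtr-01", "IOS XR", "5.2.4"),
    ("core-rtr-02", "IOS XR", "5.3.0"),
    ("edge-rtr-01", "IOS XE", "3.16.2S"),
    ("branch-rtr-07", "IOS", "15.4(3)M3"),
    ("old-rtr-99", "IOS XR", "4.2.1"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The 'review' bucket is the point: a scan result or inventory only tells you which boxes to check against Cisco's advisory, not that the rest are safe.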
Old 29-09-2016, 21:58   #7
Ignitionnet

The standard of names of bugs is really going downhill.
Old 30-09-2016, 11:55   #8
Qtx

They are all names the NSA gave to their exploits. ExtraBacon was the NSA codename for their Cisco exploit, Egregious Blunder for Fortigate firewalls, Bananaglee for Juniper NetScreen, etc.

They named the implants/backdoors in a similar fashion.

How can you not like the codename EpicBanana?
Old 01-10-2016, 11:35   #9
Ignitionnet

The only time EpicBanana should be heard is either in porn or kids TV. Nothing in between.
Old 01-10-2016, 13:34   #10
Hugh

Wasn't he in Black Hawk Down, Hulk, the first reboot Star Trek, and Hanna?
Old 01-10-2016, 14:25   #11
Ignitionnet

I have a wide definition of porn.
Old 03-10-2016, 23:05   #12
Uncle Peter

Well, at least down at the Donut the annual graduate intake gets to work in the Directorate of Silly Names. Beats making the coffee or chasing deals in procurement for left-handed screwdrivers.