Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
25-11-2014, 12:51
#1
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
Quote:
A highly advanced malware instance, said to be as sophisticated as the famous Stuxnet and Duqu, has been detected. "Regin" has security researchers opining it may be nastier than both.
"Regin" malware is thought to have been developed by a nation-state because of the financial clout needed to produce code of this complexity. The malware targets organisations in the telecommunications, energy and health sectors.
http://www.theregister.co.uk/2014/11/24/regin/
http://www.theregister.co.uk/2014/11..._silent_about/
This beastie 'does' GSM networks too, and is suspected to be behind the Belgacom hacks and to have been used to pwn the European Commission, amongst a number of other targets.
QTX - a gift for you - password is 'infected'.
Rest of you, that's a link to the Regin modules found thus far in the wild - do you really want that on your computer? If you do, stick it in a VM on a sinkholed network. If you need to Google what a VM on a sinkholed network is, leave it alone.
25-11-2014, 17:25
#2
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
I'm always surprised how little publicity GSM's vulnerabilities get, given how easily they can be 'done'; it was possible on my consumer laptop ten years ago.
By the sounds of things, though, this malware doesn't actually do any RF-level tapping into GSM networks; it just happens that some of the target organizations have been operators. The networks themselves don't tend to run on vulnerable x86 systems to begin with.
25-11-2014, 17:35
#3
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
Quote:
Originally Posted by qasdfdsaq
I'm always surprised how little publicity GSM's vulnerabilities get, given how easily they can be 'done'; it was possible on my consumer laptop ten years ago.
By the sounds of things, though, this malware doesn't actually do any RF-level tapping into GSM networks; it just happens that some of the target organizations have been operators. The networks themselves don't tend to run on vulnerable x86 systems to begin with.
It has at least one module specifically to attack Base Station Controllers. Nothing at RF level.
Playing games with mobile networks over the air is business-as-usual stuff for these guys when required, I imagine.
26-11-2014, 02:24
#4
cf.mega poster
Join Date: Aug 2004
Posts: 11,207
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
But BSCs don't run Windows... How does that work?
26-11-2014, 08:42
#5
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
Quote:
Originally Posted by qasdfdsaq
But BSCs don't run Windows... How does that work?
It's an espionage kit. One of the modules sniffed Ericsson OSS traffic.
Perhaps 'attack' was a bad word to use, although if it was able to sniff commands there's no reason to think it couldn't insert them too. In fact, re-reading the paper, it's unclear whether this thing was issuing the commands or simply sniffing them.
23-09-2016, 14:22
#6
CF's Worst Nightmare
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
NSA firewall exploits for Fortinet, Cisco etc. are here along with some of the implants: https://mega.nz/#!zEAU1AQL!oWJ63n-D6...7MEsa1iLH5UjKU
Nice and safe Python files which are really well commented too. Some need you to already have a telnet username/password, which is easy if you can monitor world communications but less useful for everyone else unless you sniff a local network. Others might be more useful, such as the one below.
The files are PGP-encrypted with AES256, so to decrypt on Linux you do: $ gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg
For Windows, there's probably a nice GUI to do the same thing somewhere.
Password = theequationgroup
The Shadowserver Foundation has conducted a scan of the Internet for Cisco devices running IOS software affected by the CVE-2016-6415 vulnerability.
Recently experts from Cisco discovered a vulnerability, tracked as CVE-2016-6415, in the IOS system, while investigating the Equation Group's exploits leaked by the Shadow Broker hacker group. In particular, experts from Cisco were evaluating the impact of the BENIGNCERTAIN exploit. The experts also discovered another zero-day exploit, dubbed EXTRABACON, that could be used to hack Cisco ASA software.
CVE-2016-6415 resides in the IKEv1 packet processing code. A remote, unauthenticated attacker could exploit it to retrieve memory contents.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.
The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.
http://securityaffairs.co/wordpress/51505/security/cve-2016-6415-impact.html
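The advisory quoted in this post attributes CVE-2016-6415 to "insufficient condition checks" in the code handling IKEv1 negotiation requests. The C program below is an added illustration for this thread, not Cisco's code and not a reproduction of the actual flaw: it shows the general bug class with a simplified generic-payload copy routine in an unchecked and a hardened form, run over a constructed packet whose declared length exceeds the bytes that were actually received. The header layout, the 64-byte "memory region", the packet bytes and every function name are constructed assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic payload header, simplified and constructed for this example.
 * It mirrors only the RFC 2408 generic payload layout and is not Cisco's
 * code: [0] next payload, [1] reserved, [2..3] payload length (big-endian),
 * where the length covers the 4-byte header plus the body that follows. */
#define HDR_LEN 4
#define REGION_LEN 64   /* size of the constructed "process memory" region */
#define RECEIVED_LEN 8  /* bytes of that region that actually arrived from the peer */

/* Both parsers return the number of body bytes copied into out, or -1 on rejection. */
typedef int (*parse_fn)(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_len);

/* Vulnerable pattern: the declared length is trusted and never compared with
 * the number of bytes actually received, so a short packet carrying a large
 * length field makes memcpy read past the packet into adjacent memory. */
int copy_payload_unchecked(const uint8_t *pkt, size_t pkt_len,
                           uint8_t *out, size_t out_len) {
    (void)pkt_len;                                  /* the missing condition check */
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    size_t body = declared - HDR_LEN;               /* also no guard against declared < 4 */
    if (body > out_len) return -1;
    memcpy(out, pkt + HDR_LEN, body);               /* over-reads whenever declared > pkt_len */
    return (int)body;
}

/* Hardened version: every size derived from peer-controlled input is
 * validated against what was really received before it is used. */
int copy_payload_checked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_len) {
    if (pkt_len < HDR_LEN) return -1;               /* 1: the header itself must be complete */
    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < HDR_LEN) return -1;              /* 2: length must at least cover the header */
    if (declared > pkt_len) return -1;              /* 3: length must fit the bytes that arrived */
    size_t body = declared - HDR_LEN;
    if (body > out_len) return -1;                  /* 4: and fit the destination buffer */
    memcpy(out, pkt + HDR_LEN, body);
    return (int)body;
}

/* Builds the constructed memory region: an 8-byte packet (header declaring
 * length 40, then body bytes 'A'..'D') followed by 56 bytes of 'S', which
 * stand in for sensitive data that happens to sit after the packet buffer. */
static void build_region(uint8_t region[REGION_LEN]) {
    memset(region, 'S', REGION_LEN);
    region[0] = 0x00; region[1] = 0x00;             /* next payload, reserved */
    region[2] = 0x00; region[3] = 40;               /* declared length 40, only 8 bytes arrived */
    region[4] = 'A'; region[5] = 'B'; region[6] = 'C'; region[7] = 'D';
}

/* Runs one parser over the constructed region, telling it truthfully that
 * only RECEIVED_LEN bytes arrived, and counts how many 'S' bytes (memory
 * beyond the packet) were copied out: >0 means disclosure, 0 means contained. */
int leaked_bytes(parse_fn parse) {
    uint8_t region[REGION_LEN], out[REGION_LEN];
    build_region(region);
    memset(out, 0, sizeof out);
    int n = parse(region, RECEIVED_LEN, out, sizeof out);
    if (n < 0) return 0;
    int leaked = 0;
    for (int i = 0; i < n; i++) if (out[i] == 'S') leaked++;
    return leaked;
}

/* A well-formed packet (declared length equals received length) must still
 * be accepted by the hardened parser; returns its body length. */
int checked_accepts_wellformed(void) {
    const uint8_t pkt[8] = { 0x00, 0x00, 0x00, 0x08, 'A', 'B', 'C', 'D' };
    uint8_t out[8];
    return copy_payload_checked(pkt, sizeof pkt, out, sizeof out);
}

int main(void) {
    printf("unchecked parser leaked %d bytes of adjacent memory\n",
           leaked_bytes(copy_payload_unchecked));
    printf("checked parser leaked %d bytes\n", leaked_bytes(copy_payload_checked));
    printf("checked parser copied %d body bytes from a well-formed packet\n",
           checked_accepts_wellformed());
    return 0;
}
```

Compile with any C99 compiler and run. The count of leaked bytes is what a code reviewer looks for in any length-field handler, and the ordered checks in copy_payload_checked (header complete, length covers its own header, length fits the received bytes, body fits the destination) are the conditions a fix for this bug class has to add before the length is ever used in a copy.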
29-09-2016, 21:58
#7
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
The standard of names of bugs is really going downhill.
30-09-2016, 11:55
#8
CF's Worst Nightmare
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
They are all names the NSA gave to their exploits. ExtraBacon was the NSA codename for their Cisco exploit, Egregious Blunder for Fortigate firewalls, Bananaglee for Juniper NetScreen, etc.
They named the implants/backdoors in a similar fashion.
How can you not like the codename EpicBanana?
01-10-2016, 11:35
#9
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
The only time EpicBanana should be heard is either in porn or kids TV. Nothing in between.
01-10-2016, 13:34
#10
laeva recumbens anguis
Cable Forum Team
Join Date: Jun 2006
Age: 67
Services: Premiere Collection
Posts: 42,099
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
Wasn't he in Black Hawk Down, Hulk, the first reboot Star Trek, and Hanna?
__________________
There is always light.
If only we’re brave enough to see it.
If only we’re brave enough to be it.
If my post is in bold and this colour, it's a Moderator Request.
01-10-2016, 14:25
#11
Inactive
Join Date: Jun 2008
Location: Leeds, West Yorkshire
Age: 45
Posts: 13,996
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
I have a wide definition of porn.
03-10-2016, 23:05
#12
81-82-83-84
Join Date: Nov 2006
Location: on holiday by mistake
Age: 54
Services: Vivid 200, Full House, V6 x2
Posts: 5,977
Re: Regin - malware (probably) by GCHQ, maybe in co-operation with the NSA
Well at least down at the Donut the annual graduate intake gets to work in the Directorate of Silly Names. Beats making the coffee or chasing deals in procurement for left-handed screwdrivers.