At a glance.
- The US will develop a quantum internet.
- "Meow" attacks are wiping exposed databases.
- OilRig using steganography to exfiltrate data.
- Lazarus Group refines its cross-platform capabilities, enters the targeted ransomware game, and is "deeply invested" in developing macOS malware.
The US will develop a quantum internet.
The US Department of Energy and the University of Chicago are leading a group of around fifty organizations in a project to develop a US-based quantum Internet for securely transmitting sensitive information, the Wall Street Journal reports. The Energy Department's Office of Scientific and Technical Information (OSTI) published a blueprint last week that says such an Internet could be operational within a decade. Interestingly, the blueprint notes that while "a general-purpose quantum computer still is many years away, the research community perceives a quantum Internet may be closer to realization."
Under Secretary of Energy for Science Paul Dabbar summarized the blueprint's four main research projects:
- "Providing the foundational building blocks for Quantum Internet;
- "Integrating Quantum networking devices;
- "Creating repeating, switching, and routing technologies for Quantum entanglement;
- "Enabling error correction of Quantum networking functions."
Dabbar compared the initiative to the development of the current Internet, stating, "Eventually, we will connect all 17 DOE National Labs as the backbone of the Quantum Internet. We’ll also add in universities and private sector partners, working with a broad community of individuals and institutions with diverse and complementary skill sets." He added, "Ultimately, America’s private sector will unleash the full potential of the Quantum Internet."
The Washington Post says that a quantum Internet in its early stages would likely be used by government agencies and financial institutions, and it could coexist with the current Internet to transmit particularly sensitive information for consumers, such as payment card data and healthcare information.
Popular Mechanics has a useful explanation of how quantum networking works, quoting the Department of Energy:
"It works through two quantum phenomena: the first is quantum entanglement, where two particles can become so inextricably linked that no matter how much distance separates them, changing the properties of one will change those of the other. And since that communication happens instantly, a quantum internet could be much faster than today’s networks....The second phenomenon is quantum superposition, where a particle can exist in two different states at once. This is what enables tighter security of the information shared across a quantum network. Information is encoded into entangled pairs of photons, in a superposition of states—in data terms that means they represent both a one and a zero at the same time."
"Meow" attacks are wiping exposed databases.
Researchers are tracking thousands of seemingly indiscriminate data-wiping attacks affecting unsecured online databases, according to BleepingComputer. The attacker is using a script that overwrites all files in the database with a random string and the word "meow." As of Saturday, July 25th, the campaign had wiped more than 3,800 databases, 97% of which were Elasticsearch and MongoDB instances. The campaign has also affected instances of Cassandra, CouchDB, Redis, Hadoop, Jenkins, and network-attached storage devices.
Oddly, the attacks don't have any clear motive. BleepingComputer speculates that they could be the work of a vigilante seeking to teach administrators a lesson for leaving their databases exposed. Security researcher Bob Diachenko, who discovered some of the first attacks, suspects that the attacks "now have different sources and copycats."
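The common factor in the wiped instances is a datastore that answers on its service port with no authentication. The following is an added Python example written for this page (it is not the Meow script and not BleepingComputer's or Diachenko's tooling): one function flags index names carrying the "meow" marker in a constructed sample of Elasticsearch `_cat/indices?format=json` output, and two more check flat Elasticsearch and MongoDB settings for the exposed combination of "bound to all interfaces" plus "no authentication". The hyphen between the random prefix and "meow" is an assumption about the naming; the setting names are the real `elasticsearch.yml` and `mongod.conf` keys.

```python
import json
import re

# Constructed sample of `GET /_cat/indices?format=json` after a wipe (not a real
# capture). The random prefix + "meow" shape follows the reports; the hyphen is
# an assumption for this example.
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "customers",      "health": "green",  "docs.count": "10482"},
    {"index": "k7qz2p1y-meow",  "health": "green",  "docs.count": "0"},
    {"index": "orders-2020.07", "health": "yellow", "docs.count": "5521"},
    {"index": "xg0aalz9-meow",  "health": "green",  "docs.count": "0"},
])

MEOW_NAME = re.compile(r"^[A-Za-z0-9]+-?meow$", re.IGNORECASE)


def find_meow_indices(cat_indices_json: str) -> list:
    """Return, sorted, the index names that carry the 'meow' wipe marker."""
    return sorted(row["index"] for row in json.loads(cat_indices_json)
                  if MEOW_NAME.match(row["index"]))


def elasticsearch_exposure(settings: dict) -> list:
    """`settings` is a flat dict of elasticsearch.yml keys with string values."""
    findings = []
    host = settings.get("network.host", "localhost")   # default binds loopback only
    if host in ("0.0.0.0", "::", "_global_"):
        findings.append(f"network.host={host}: REST port reachable on every interface")
    # Assumes the pre-8.0 default: security is off unless explicitly enabled.
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on 9200")
    return findings


def mongodb_exposure(settings: dict) -> list:
    """`settings` is a flat dict of mongod.conf keys with string values."""
    findings = []
    bind = [b.strip() for b in settings.get("net.bindIp", "127.0.0.1").split(",")]
    if "0.0.0.0" in bind or "::" in bind or settings.get("net.bindIpAll", "false").lower() == "true":
        findings.append("mongod bound to all interfaces")
    if settings.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: anyone reaching 27017 can read and drop collections")
    return findings


# Weak configuration beside the corrected one (both constructed).
WEAK_ES = {"network.host": "0.0.0.0"}
HARDENED_ES = {"network.host": "127.0.0.1", "xpack.security.enabled": "true"}
WEAK_MONGO = {"net.bindIp": "0.0.0.0"}
HARDENED_MONGO = {"net.bindIp": "127.0.0.1", "security.authorization": "enabled"}

if __name__ == "__main__":
    print("meow indices:", find_meow_indices(SAMPLE_CAT_INDICES))
    for name, s in [("weak es", WEAK_ES), ("hardened es", HARDENED_ES)]:
        print(name, elasticsearch_exposure(s))
    for name, s in [("weak mongo", WEAK_MONGO), ("hardened mongo", HARDENED_MONGO)]:
        print(name, mongodb_exposure(s))
```

Binding to loopback and enabling authentication are the minimum; a reverse proxy or firewall rule in front of 9200/27017 is the usual next step for instances that must be reachable from other hosts.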
OilRig uses steganography to exfiltrate data.
Palo Alto Networks Unit 42 says the Iranian threat group OilRig compromised a Middle Eastern telecommunications organization in April with a custom backdoor that uses steganography for data exfiltration and to communicate with its command-and-control server. The backdoor, dubbed "RDAT," has been used by OilRig since at least 2017. Newer versions of the tool use a "novel email-based C2 channel" that conceals data within BMP image files attached to the emails.
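To make concrete how a payload can ride inside a BMP attachment, here is an added Python example written for this page. It is a generic least-significant-bit scheme, not RDAT's actual encoding (which Unit 42 documents) and not Unit 42's tooling: it builds a small 24-bit BMP from constructed pixel bytes, writes a length-prefixed payload one bit per pixel byte, and reads it back. File size, header and image dimensions are unchanged, which is why such attachments pass checks that only validate the image format. The cover pattern and the payload string are made up for the example.

```python
import struct


def make_bmp(width, height, pixels):
    """Build a minimal 24-bit BMP; `pixels` is row-major BGR bytes without padding."""
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3                       # rows are padded to 4 bytes
    rows = [pixels[r * row_bytes:(r + 1) * row_bytes].ljust(stride, b"\x00")
            for r in range(height)]
    pixel_data = b"".join(rows)
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixel_data), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data


def pixel_offsets(bmp):
    """Offsets of every pixel byte in a 24-bit BMP, row padding excluded."""
    (data_offset,) = struct.unpack_from("<I", bmp, 10)
    width, height = struct.unpack_from("<ii", bmp, 18)
    (bpp,) = struct.unpack_from("<H", bmp, 28)
    if bpp != 24:
        raise ValueError("only 24-bit BMPs are handled here")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    return [data_offset + r * stride + i
            for r in range(abs(height)) for i in range(row_bytes)]


def capacity_bytes(bmp):
    """Payload bytes that fit after the 32-bit length prefix, one bit per pixel byte."""
    return (len(pixel_offsets(bmp)) - 32) // 8


def embed(bmp, payload):
    """Write len(payload) (little-endian u32) then payload into the LSB plane."""
    offsets = pixel_offsets(bmp)
    msg = struct.pack("<I", len(payload)) + payload
    if len(msg) * 8 > len(offsets):
        raise ValueError("payload exceeds cover capacity")
    out = bytearray(bmp)
    bits = ((byte >> (7 - k)) & 1 for byte in msg for k in range(8))  # MSB first
    for off, bit in zip(offsets, bits):
        out[off] = (out[off] & 0xFE) | bit
    return bytes(out)


def extract(bmp):
    """Inverse of embed(); raises ValueError if the length prefix is implausible."""
    offsets = pixel_offsets(bmp)

    def take(start_bit, nbytes):
        vals = bytearray()
        for b in range(nbytes):
            v = 0
            for k in range(8):
                v = (v << 1) | (bmp[offsets[start_bit + b * 8 + k]] & 1)
            vals.append(v)
        return bytes(vals)

    (n,) = struct.unpack("<I", take(0, 4))
    if n > capacity_bytes(bmp):
        raise ValueError("no length-prefixed payload in the LSB plane")
    return take(32, n)


def try_extract(bmp):
    """None for a plain cover image, the payload for one produced by embed()."""
    try:
        return extract(bmp)
    except ValueError:
        return None


# Constructed 21x8 cover (63-byte rows, so one padding byte per row) and payload.
WIDTH, HEIGHT = 21, 8
COVER = make_bmp(WIDTH, HEIGHT, bytes((r * 17 + i * 29) & 0xFF
                                      for r in range(HEIGHT) for i in range(WIDTH * 3)))
PAYLOAD = b"id=7;host=db01;ok"

if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print(len(COVER), len(stego), try_extract(COVER), try_extract(stego))
```

A defender cannot rely on a scheme this naive being used in practice, but the example shows why "valid image attached to outbound mail" is not by itself reassuring: the exfiltration channel lives entirely in pixel noise, and the carrier remains a well-formed BMP.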
Lazarus Group refines its cross-platform capabilities.
Researchers at Kaspersky say North Korea's Lazarus Group has put "significant resources" into improving its toolset over the past two years, CyberScoop reports. The security firm analyzed an "advanced malware framework," dubbed "MATA," which the Lazarus Group has used against various industries in Poland, Germany, Turkey, South Korea, Japan, and India. Specific targets have included "a software development company, an e-commerce company, and an internet service provider." The group has been using MATA since at least April 2018, and Kaspersky believes Lazarus is its sole proprietor.
MATA is designed to run on Windows, macOS, and Linux. The malware seems to be primarily used for exfiltrating databases, but in at least one case it was observed delivering the VHD ransomware to a victim's network, suggesting that the attackers are using the tool for both espionage and financial gain (more on this below).
Kaspersky researcher Seongsu Park told CyberScoop, "This series of attacks indicates that Lazarus was willing to invest significant resources into developing this toolset and widening the reach of organizations targeted — particularly in hunting for both money and data. Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on."
Lazarus experiments with targeted ransomware attacks.
Kaspersky also says the Lazarus Group is trying to enter the big-game-hunting ransomware scene with its own custom ransomware, dubbed "VHD." The VHD ransomware was first observed in limited use earlier this year but hadn't previously been tied to Lazarus. Kaspersky observed two attacks involving VHD, and concluded that the malware itself is "nothing special," and its encryption mechanism may be vulnerable to reversal. VHD's operators also seem to be less experienced than other ransomware groups at lurking within a network and priming the ransomware to cause as much destruction as possible.
However, the attacks were notable for two reasons. First, the ransomware was spread via a component that brute-forced administrative credentials for the SMB service on each machine, then mounted a network share and copied the malware through WMI calls. Kaspersky says this type of "worming capability" is more characteristic of nation-state wiper attacks than sophisticated cybercriminal operations.
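The spreading behaviour just described leaves a recognisable trail on each target: a burst of failed network logons (Windows event 4625, logon type 3) from one source, then a successful network logon (4624) for an administrative account, then an administrative share being opened (5140, which requires "Audit File Share" to be enabled). The following is an added Python example written for this page, not Kaspersky's detection logic and not VHD's code; it runs that sequence detection over a constructed batch of Security-log records (hosts, addresses and timestamps are all made up) and grades each source/host pair by how far the sequence got.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, host, src_ip, user, logon_type=None, share=None):
    return {"ts": ts, "event_id": event_id, "host": host, "src_ip": src_ip,
            "user": user, "logon_type": logon_type, "share": share}


# Constructed Windows Security events (not a real capture). 4625 = failed logon,
# 4624 = successful logon, 5140 = network share accessed; logon type 3 = network,
# which is what SMB authentication produces.
SAMPLE_EVENTS = (
    # Six failures in 25 s, then success as Administrator, then ADMIN$ opened.
    [ev(f"2020-07-28T12:00:{s:02d}", 4625, "WS01", "10.20.30.40", "Administrator", 3)
     for s in range(0, 30, 5)]
    + [ev("2020-07-28T12:00:31", 4624, "WS01", "10.20.30.40", "Administrator", 3),
       ev("2020-07-28T12:00:33", 5140, "WS01", "10.20.30.40", "Administrator",
          share=r"\\*\ADMIN$")]
    # A user mistyping a password twice: below threshold, no finding.
    + [ev("2020-07-28T12:03:00", 4625, "WS02", "10.20.30.9", "jsmith", 3),
       ev("2020-07-28T12:03:04", 4625, "WS02", "10.20.30.9", "jsmith", 3),
       ev("2020-07-28T12:03:09", 4624, "WS02", "10.20.30.9", "jsmith", 3)]
    # The same source hammering WS03 without getting in.
    + [ev(f"2020-07-28T12:05:{s:02d}", 4625, "WS03", "10.20.30.40", "Administrator", 3)
       for s in range(0, 50, 10)]
)


def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                          follow_up=timedelta(seconds=120)):
    """One finding per (host, src_ip) whose failed network logons reach
    `threshold` inside `window`; severity rises to "high" if a network logon
    succeeds within `follow_up` of the last failure and to "critical" if an
    administrative share is then opened from the same source."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["host"], e["src_ip"])].append(
            dict(e, t=datetime.fromisoformat(e["ts"])))

    findings = []
    for (host, src), evs in sorted(by_pair.items()):
        fails = [e["t"] for e in evs if e["event_id"] == 4625 and e["logon_type"] == 3]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 < threshold:
                continue
            last_fail = fails[j]
            success = next((e for e in evs
                            if e["event_id"] == 4624 and e["logon_type"] == 3
                            and timedelta(0) <= e["t"] - last_fail <= follow_up), None)
            admin_share = None
            if success:
                admin_share = next((e for e in evs
                                    if e["event_id"] == 5140 and e["t"] >= success["t"]
                                    and (e["share"] or "").upper().endswith(("ADMIN$", "C$"))),
                                   None)
            severity = "critical" if admin_share else "high" if success else "medium"
            findings.append({"host": host, "src_ip": src, "failures": j - i + 1,
                             "first_failure": fails[i].isoformat(),
                             "last_failure": last_fail.isoformat(),
                             "account": success["user"] if success else None,
                             "share": admin_share["share"] if admin_share else None,
                             "severity": severity})
            break                                   # one finding per pair
    return findings


if __name__ == "__main__":
    for f in detect_smb_bruteforce(SAMPLE_EVENTS):
        print(f)
```

The thresholds are deliberately low so the constructed data trips them; in production they would be tuned per environment, and the 5140 stage only fires where file-share auditing is actually enabled on the workstations.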
Second, one of the VHD incidents involved the MATA framework (outlined above), and Kaspersky is confident that there was only one threat actor within the victim's network at the time. This finding, combined with the fact that VHD doesn't seem to be sold on criminal forums, led the researchers to conclude that the ransomware is "owned and operated by Lazarus."
CyberScoop observes that this isn't the Lazarus Group's first foray into ransomware; the group has been accused of involvement in the 2017 WannaCry attacks. But those attacks, while destructive, were indiscriminate and largely unsuccessful from a monetary perspective, with the attackers pocketing roughly $140,000. Kaspersky's findings may indicate that the group is interested in conducting more lucrative and sophisticated ransomware operations. Kaspersky concludes that "[o]nly time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment."
And the Lazarus Group is "deeply invested" in developing macOS malware.
Researchers at SentinelOne describe four macOS malware families tied to the Lazarus Group, three of which haven't previously received much coverage, and all of which surfaced within the past ten weeks. The first and most widely known is the Dacls Trojan, which is linked to the MATA framework.
The second is a previously unobserved set of malware which is delivered via Trojanized cryptocurrency apps. The primary purpose of this malware is to gain access to cryptocurrency accounts by tricking users into accessing their accounts on legitimate platforms through the malicious app, but the malware can also control and exfiltrate data from the infected device.
The third malware family is a set of "lightweight, backdoor binaries, written primarily in Objective-C and C and making heavy use of standard C libraries built in to the operating system." The researchers call this family "OSX.Casso," and they conclude that these backdoors are updated versions of an older variant of Lazarus malware.
The fourth family, "WatchCat," appears to be the newest, and SentinelOne began detecting it earlier this month. The researchers haven't yet spotted an infection in the wild, but they say "[d]etections have been increasing rapidly over the last 14 days as signature-based solutions have caught up."
The researchers conclude, "These are not actors merely porting Windows malware to macOS, but rather Mac-specific developers deeply invested in writing custom malware for Apple's platform."