
Potent malware that hid for six years spread through routers - jonbaer
https://securelist.com/apt-slingshot/84312/
======
iforgotpassword
> When the target user runs Winbox Loader software (a utility used for
> Mikrotik router configuration), this connects to the router and downloads
> some DLLs (dynamic link libraries) from the router’s file system.

Wait, am I getting this right? The router isn't simply configured via web,
telnet, ssh, or a simple proprietary tool that talks its own protocol with the
router, but actually a proprietary tool that downloads and executes code from
the router that you're trying to configure? If so, why on earth would you
design anything like this? _What were they thinking?_ I mean, apparently those
DLLs aren't even signed or anything.

~~~
X-Cubed
You can use any of those methods to configure a Mikrotik router, you don't
have to use Winbox.

Winbox has a couple of nice features over the web interface:

- the ability to connect over raw ethernet (rather than IP) which is useful
if you've misconfigured the firewall or routing tables

- the ability to broadcast packets to discover new, unconfigured Mikrotik
devices

Winbox has previously downloaded components from the router to enable the UI
to update the available options based on the firmware on the device. These
components are part of the firmware update provided by Mikrotik, which is
itself signed and verified before the firmware update is applied. But yes,
they were missing a follow up check between Winbox and the router itself, to
ensure the router itself was not tampered with.
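
The "follow up check" the comment above describes, sketched as an added example (this is not Winbox or MikroTik code, and the component names, the manifest layout and the version string are constructed for illustration): before a management client hands a downloaded component to the loader, it compares it against a digest list that arrived with the signed firmware package, and refuses anything unlisted, altered or from a device reporting a different version. Verification of the firmware package's own signature is assumed to have happened already and is not modelled here.

```python
"""Added example: verify components fetched from a managed device against a
trusted manifest before loading them. Hypothetical names throughout."""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the component list that would ship inside the
# signed firmware package. Names and contents are made up for the example.
GOOD_BLOBS = {
    "ui_core.dll": b"constructed plugin bytes A",
    "ui_advtool.dll": b"constructed plugin bytes B",
}
TRUSTED_MANIFEST = {
    "version": "6.41.3",  # hypothetical firmware version
    "components": {name: sha256_hex(blob) for name, blob in GOOD_BLOBS.items()},
}


class UntrustedComponent(Exception):
    """Raised when a downloaded component must not be loaded."""


def verify_component(name, data, manifest, reported_version):
    """Return True only if `data` is exactly what the manifest lists for `name`."""
    if reported_version != manifest["version"]:
        raise UntrustedComponent(
            "device reports %s, trusted manifest is for %s"
            % (reported_version, manifest["version"]))
    expected = manifest["components"].get(name)
    if expected is None:
        # An implant that drops an extra DLL into the served set ends here.
        raise UntrustedComponent("%s is not listed in the trusted manifest" % name)
    if not hmac.compare_digest(sha256_hex(data), expected):
        # A listed component whose bytes were swapped on the device ends here.
        raise UntrustedComponent("%s does not match its manifest digest" % name)
    return True


def load_components(downloaded, manifest, reported_version):
    """Verify every component first; if any fails, nothing is loaded."""
    for name, data in downloaded.items():
        verify_component(name, data, manifest, reported_version)
    return sorted(downloaded)  # names that would now be passed to the loader


def rejected(downloaded, manifest, reported_version):
    """Return the rejection reason, or None if the whole set verifies."""
    try:
        load_components(downloaded, manifest, reported_version)
    except UntrustedComponent as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(load_components(GOOD_BLOBS, TRUSTED_MANIFEST, "6.41.3"))
    tampered = dict(GOOD_BLOBS, **{"ui_core.dll": b"attacker replaced this"})
    print(rejected(tampered, TRUSTED_MANIFEST, "6.41.3"))
    extra = dict(GOOD_BLOBS, **{"ui_extra.dll": b"dropped by the implant"})
    print(rejected(extra, TRUSTED_MANIFEST, "6.41.3"))
```

The manifest has to come from somewhere the device cannot influence (the signed package the client already trusts, or a pinned copy), otherwise a compromised router can simply serve a matching manifest alongside the swapped DLL.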

------
thomastjeffery
This is one of the reasons it's frustrating to have so many routers with
proprietary firmware that can't be replaced.

These routers essentially never get updated.

~~~
dredmorbius
OpenWRT and the Turris Omnia are an interesting alternative, for home/SOHO
use.

~~~
Teever
I'm not sure how I feel about a router with a built in simcard slot.

Does that mean that it has the 4g radio built in as well?

Can I trust that chip and the software that runs on it?

~~~
voltagex_
Do you own a smartphone? You've got less access to the 4G chip there.

The 4G card is an _option_ on the Turris. You could always use a Quectel card
and then run Linux on that, too!

------
jack6e
Interesting that the story references this malware's similarities to Project
Sauron, and that the two main modules here are named GollumApp and Cahnadr,
which looks not entirely dissimilar from how one might play with the Russian
version of "Gandalf" if one were to convert the Cyrillic letters into
approximate English look-a-likes.

~~~
bhouston
Would Kaspersky Labs report on Russian malware?

~~~
jack6e
The meta-game at this point is open to just about any type of psychological
trick. We know/suspect Kaspersky helping FSB/GRU, but we also know that
CIA/NSA store and use fingerprints from other nation states and can assume
Russia does the same. So if something looks Russian but Kaspersky reports on
it, does that mean it is NSA trying to false flag Russia? Or is it Kaspersky
deflecting Russian suspicions and pointing to the US by bringing it to
light...6 years later?

The abilities and willingness of certain nation states to wage cyber warfare
and make it appear like someone else are so great at this point, that only
solid forensic evidence, and usually not even that, can be indicative.

~~~
Dolores12
>So if something looks Russian but Kaspersky reports on it, does that mean it
is NSA trying to false flag Russia?

It could be Russian, it could be not. What is really important is that only
Kaspersky reported it.

------
lifeisstillgood
At some point are we going to think signing each IP packet is a good idea? I
struggle to see how we can ever clean the internet without something on the
order of "I expect packets from this list of servers certificate" (ok I know
some malware would alter that list but that's a much smaller target area to
defend)

I am just wondering if this level of unstoppable infection is just going to be
it, or are we at the pre-cellular structure of life point in the internet?

~~~
acqq
> without something on the order of "I expect packets from this list of
> servers certificate"

Even now, as it is, it's worse than it should be: I can't control which pairs
of (address, certificate) will be allowed to be accepted for specific sites.
Instead, every browser vendor allows any "man in the middle" with access to
any CA (and CAs are known to be very bad(1)) to insert itself between my own
server and my own client.

1) Read and weep: [https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/](https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/)

~~~
__jal
If you want secure browser access to some resource (for values of 'secure'
where it matters more than your bank account but less than situations in which
you wouldn't trust _any_ browser), you really need to remove certs from any
commercial CA and install only the CA you need.

~~~
acqq
I know that it is possible to _somehow_ achieve that, the thing is, it should
be possible by default, so that I can simply say to e.g. my not-too-technical
friend "this is my server, this is my cert, click there in your browser to
compare the cert for my site before you connect and the browser will provably
also not trust anybody else but your check."

This should be a basically available scenario for the secure connection, just
like what we have in SSH. Don't believe "the users are too stupid" excuse.
It's just an excuse:

[https://golem.ph.utexas.edu/category/2014/10/new_evidence_of...](https://golem.ph.utexas.edu/category/2014/10/new_evidence_of_nsa_weakening.html)

We simply shouldn't have to have the "trust in every crooked CA" when we
connect to the servers we directly know.

~~~
zaarn
If we get DNSSEC (or a less complicated alternative) working in widespread use
then we could simply parse CAA records in the browser.

That way a website owner can whitelist only a very specific CA for their
certificates.

Ideally with DNSSEC we could also get DANE and issue our own certificates and
CAs would only be necessary as cosigners for OV, EV and similar.

~~~
acqq
The problem I describe and its easy solution are completely independent of
DNSSEC.

~~~
zaarn
DNSSEC is required to secure DNS responses, which can be crucial to prevent
"every crooked CA" from issuing a cert for you. If CAA was interpreted by the
browser, you could determine exactly which CA is trusted to issue certs for
your site and DNSSEC would ensure that the browser gets the correct list of
trusted CAs.
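
What "parse CAA records in the browser" would amount to, as an added example that is not code from any browser or resolver: the lookup climbs from the requested name toward the root until it finds a non-empty CAA set, then applies the `issue` / `issuewild` properties in the manner of RFC 8659. The zone data is constructed in-line instead of fetched over DNS; in a real deployment the DNSSEC validation the comment above calls for is what would make those answers trustworthy, and it is not modelled here.

```python
"""Added example: CAA policy evaluation over constructed zone data.
Hypothetical names; no DNS or DNSSEC is performed."""

# Constructed records: owner name -> list of (flags, tag, value).
# Flag bit 128 is the "issuer critical" flag from the CAA RFC.
ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.com.": [(128, "made-up-tag", "x")],   # unknown critical tag
    "open.example.net.": [],                               # explicit empty set
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def climb(fqdn):
    """Yield fqdn and each parent name up to, but not including, the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(fqdn, zone):
    """The first non-empty CAA set found walking up the tree governs fqdn."""
    for name in climb(fqdn):
        rrset = zone.get(name)
        if rrset:
            return rrset
    return []


def ca_may_issue(fqdn, ca_domain, zone, wildcard=False):
    """Return True if ca_domain is permitted to issue for fqdn."""
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere above: no restriction
    # A critical property the evaluator does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild, when present, overrides issue for *.name
    # Strip parameters ("ca.example; validationmethods=dns-01") to the CA domain;
    # a bare ";" yields "" and therefore matches no issuer at all.
    allowed = [value.split(";")[0].strip() for _, t, value in rrset if t == tag]
    if not allowed:
        return True  # records exist but none constrain this kind of issuance
    return ca_domain in allowed


if __name__ == "__main__":
    print(ca_may_issue("www.example.com.", "letsencrypt.org", ZONE))
    print(ca_may_issue("www.example.com.", "other-ca.example", ZONE))
    print(ca_may_issue("www.example.com.", "letsencrypt.org", ZONE, wildcard=True))
```

A browser applying this would still have to decide what to do with the result; CAA as specified is a constraint on the CA at issuance time, so a client-side check only helps if the answer is both authenticated and acted on.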

------
an4rchy
It has been very interesting to see a lot of hardware/firmware based
vulnerabilities coming out recently, although they have been around for a
while.

Different vectors have different advantages but I wonder if there will be a
push towards more hardware based anti-malware/vulnerability detection devices.

------
John_KZ
At this point is there a way for small organizations and individuals to
protect themselves from data theft? IP and trade secrets are hard to develop
in a closed network without internet access at all points.

~~~
jacquesm
How do you plan on keeping the employees from being able to access the data?
Even the NSA has a slight problem on this front.

~~~
indigochill
I believe L. Bob Rife had some thoughts on that.

------
trisimix
100?

------
Jerry2
Here's a much better link: [https://securelist.com/apt-slingshot/84312/](https://securelist.com/apt-slingshot/84312/) and PDF:
[https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf](https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf)

~~~
dang
Thanks, we changed to the first link from
[https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/](https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/),
which cribs content from it.

------
kevindqc
>despite infecting at least 100 computers worldwide.

Really? Then why is it so surprising lol

~~~
an4rchy
Not being sarcastic but sometimes it's about quality, not quantity.

Usually something this sophisticated is used to target specific
individuals/organizations as they aren't generic botnet/bitcoin mining
operations.

They might be after specific info and after they get it, they might even wipe
their tracks as it's better to have a tool that nobody knows to look for than
one that can get on as many computers as possible.

~~~
petervm
Reminded me of this book I very much enjoyed about Stuxnet - "Countdown to
Zero Day: Stuxnet and the Launch of the World's First Digital Weapon". Stuxnet
was a targeted attack directed at Iran's nuclear program. Quality, not
quantity indeed. Super interesting to learn about these things!

~~~
wand3r
Stuxnet was highly targeted malware and certainly extremely sophisticated.
That said, it infected probably >200,000 computer systems. To the parent's
point, it makes it easy to get a sample due to the volume of breaches. 100
targets with a highly covert mission objective is a different type of threat
model compared to Stuxnet.

