
Even the Most Advanced Threats Rely on Unpatched Systems


Common cybercriminals are a menace, there is no doubt about it.
From lone hobbyists through to organized ransomware groups, they
cause a great deal of damage. But both the tools they use and the
threat they pose pale in comparison to the tooling of the most
professional actors: well-resourced hacking groups and, above all,
state-sponsored teams.

In fact, these tools can prove almost impossible to detect – and
guard against. BVP47 is a case in point. In this article, we’ll
outline how this powerful state-sponsored malware has been quietly
circulating for years, how it so cleverly disguises itself, and
explain what that means for cybersecurity in the enterprise.

Background story behind BVP47

It is a long story, fit for a spy novel. In February 2022, a Chinese
cybersecurity research group called Pangu Lab published an in-depth,
56-page report covering a piece of malicious code that the
researchers decided to call BVP47: "BVP" because that was the most
common string in the code, and "47" because the encryption routine
uses the constant 0x47.

The report is truly in-depth with a thorough technical
explanation, including a deep dive into the malware code. It
reveals that Pangu Lab originally found the code during a 2013
investigation into the state of computer security at an
organization that was most likely a Chinese government department –
but why the group waited until now to publish the report isn’t
stated.

Crucially, the report links BVP47 to the "Equation Group", which in
turn has long been tied to the Tailored Access Operations unit of
the United States National Security Agency (the NSA). Pangu Lab
reached this conclusion because the private key needed to activate
the BVP47 backdoor turned up in the set of files published by The
Shadow Brokers (TSB). TSB claimed that file dump came from the
Equation Group, which leads back to the NSA. It is a story fit for
a motion picture.

How does BVP47 work in practice?

But enough about the spy vs. spy element of the story. What does
BVP47 mean for cybersecurity? In essence, it works as a very clever
and very well-hidden back door into the target network system,
which enables the party that operates it to gain unauthorized
access to data – and to do so undetected.

The tool has a couple of very sophisticated tricks up its sleeve,
in part relying on behavior that most sysadmins would never look
for, simply because nobody expected a tool to behave that way. Its
activation channel sits in a place few would think to inspect: TCP
SYN packets. A SYN is the first packet of a connection handshake
and normally carries no data, so the operator uses a SYN that does
carry a payload as a knock. The implant recognizes the payload and
opens its backdoor, while the packet itself looks like ordinary
connection noise to most monitoring.

In a particularly insidious turn, BVP47 can receive its trigger on
a port that a legitimate service is already using, something that
is normally not possible at all. It does not bind the port itself;
it inspects incoming packets below the level of the service, so the
service keeps working and a listing of open sockets shows only that
service. That makes it extremely hard to detect, because there is
no obvious way to distinguish the standard service using a port
from BVP47 watching the same port.
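The practical consequence of the two paragraphs above is that the trigger is easier to spot on the wire than on the host: a SYN that carries data is anomalous regardless of which port it targets. The following detector is an added example written for this article; it is not code from Pangu Lab's report or from BVP47 itself. It assumes IPv4 over Ethernet and works on constructed frames embedded in the block (no live capture). The one legitimate reason for data in a SYN is TCP Fast Open (RFC 7413), which is recognizable by its cookie option (kind 34), so those hits are reported separately rather than silently dropped.

```python
"""Flag TCP SYN packets that carry a payload (added example, constructed input)."""
import struct
from dataclasses import dataclass

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
FLAG_SYN, FLAG_ACK = 0x02, 0x10
TCPOPT_FASTOPEN = 34  # RFC 7413 cookie option: the only benign reason for SYN data


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    payload_len: int
    fast_open: bool


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _has_tfo_option(opts: bytes) -> bool:
    """Walk the TCP option list (kind, length, data) looking for a Fast Open cookie."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            return False
        if kind == 1:                 # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            return False              # truncated or malformed option: stop parsing
        if kind == TCPOPT_FASTOPEN:
            return True
        i += opts[i + 1]
    return False


def parse_frame(frame: bytes):
    """Return (src, dst, dport, flags, options, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    dport = struct.unpack("!H", tcp[2:4])[0]
    doff = (tcp[12] >> 4) * 4         # data offset: where the TCP payload starts
    if doff < 20 or doff > len(tcp):
        return None
    return _ip(ip[12:16]), _ip(ip[16:20]), dport, tcp[13], tcp[20:doff], tcp[doff:]


def syn_with_payload(frames):
    """Report every handshake-opening SYN (SYN set, ACK clear) that carries data."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, flags, opts, payload = parsed
        if flags & FLAG_SYN and not flags & FLAG_ACK and payload:
            findings.append(Finding(src, dst, dport, len(payload), _has_tfo_option(opts)))
    return findings


def build_frame(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Build a constructed test frame. Checksums are left zero; the detector ignores them."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 8192, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + tcp


# Constructed sample traffic: a plain SYN, a TFO SYN with HTTP data, and a SYN
# to a port already served by a web server carrying a 16-byte opaque blob
# (the shape of a knock, not a real BVP47 trigger).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.10", 40000, 22, FLAG_SYN),
    build_frame("10.0.0.5", "10.0.0.10", 40001, 443, FLAG_SYN, b"GET / HTTP/1.1\r\n",
                options=b"\x22\x0a" + b"\x11" * 8),
    build_frame("198.51.100.7", "10.0.0.10", 51234, 80, FLAG_SYN, b"\x47" * 16),
]

if __name__ == "__main__":
    for f in syn_with_payload(SAMPLE_FRAMES):
        tag = "TFO (likely benign)" if f.fast_open else "ANOMALOUS"
        print(f"{tag}: {f.src} -> {f.dst}:{f.dport} SYN with {f.payload_len} payload bytes")
```

Run against real traffic, the same logic would be fed frames from a capture file rather than `SAMPLE_FRAMES`; on a network with Fast Open disabled, every hit is worth a look, and on one with it enabled the `fast_open` flag separates the expected cases from the ones that deserve a host investigation. Because the check keys on the handshake rather than on the destination port, it is unaffected by the port-sharing trick described above.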

The difficulty in defending against this line of attack

In yet another twist, the tool regularly tests the environment
in which it runs and erases its tracks along the way, hiding its
own processes and network activity to ensure there are no traces
left to find.

What’s more, BVP47 uses multiple encryption methods across
multiple encryption layers for communication and data exfiltration.
It’s typical of the top-tier tools used by advanced persistent
threat groups – including the state-sponsored groups.

Taken in combination, it amounts to incredibly sophisticated
behavior that can evade even the most astute cybersecurity
defenses. The most capable mix of firewalls, advanced threat
protection and the like can still fail to stop tools such as BVP47.
These backdoors are so powerful because of the resources
deep-pocketed state actors can throw at developing them.

As always, good practice is your best bet

That doesn’t mean, of course, that cybersecurity teams should
just roll over and give up. There is a series of activities that
can make it, at the very least, harder for an actor to deploy a
tool such as BVP47. Awareness and detection activities are worth
pursuing, as tight monitoring may still catch a remote intruder
out. Similarly, honeypots can attract attackers to a harmless
target – where they may well reveal themselves.

However, there is a simple, first-principles approach that delivers
a great deal of protection. Even a tool as sophisticated as BVP47
still has to get onto the box, and that initial foothold usually
comes through a vulnerability in software the target runs, very
often one for which a fix already exists. Consistently patching the
OS and the applications you depend on is therefore your first port
of call.

Applying a single patch is not the hard part. As we all know, the
difficulty is patching quickly every single time, and that is
something most organizations struggle with.

That, of course, is exactly what threat actors such as the team
behind BVP47 rely on: they lie in wait for a target that is too
resource-stretched to patch consistently and eventually misses a
critical update.

What can pressured teams do? Automated, live patching is one
solution as it removes the need to patch manually – and eliminates
time-consuming restarts and the associated downtime. Where live
patching isn’t possible, vulnerability scanning can be used to
highlight the most critical patches.

Not the first – and not the last

In-depth reports such as this one are important in helping us stay
aware of critical threats. But BVP47 had been in play for many
years before the report became public, and a great many systems
were attacked in the meantime, including high-profile targets
around the world.

We don’t know how many similar tools are out there – all we know
is what we need to do to maintain a consistently strong
cybersecurity posture: monitor, distract and patch. Even if teams
can’t mitigate every threat they can at least mount an effective
defense, making it as difficult as possible to successfully operate
malware.
