Activity Summary - Week Ending on 18 May 2023:

  • Red Sky Alliance identified 18,782 connections from new IPs checking in with our sinkholes
  • Free[.]ntuo.net in Ukraine hit 359x
  • 2,772 ‘new’ botnet hits
  • Maori ransomware
  • AndoryuBot
  • Philadelphia Inquirer
  • Cars and cyber
  • Malicious cyber-attacks on vehicles

Red Sky Alliance Compromised (C2) IPs

IP                Contacts
194.38.21.214     67
35.157.26.59      55
212.227.229.207   36
3.74.230.44       33
209.141.32.113    24

AbuseIPDB lists 194.38.21.214 as reported 359 times with a 100% confidence of abuse. ISP: LLC SmartMediaNetwork; usage type: Data Center/Web Hosting/Transit; hostname: free.ntup.net; domain name: smartmedianetwork.com.ua; country: Ukraine, city: Kyiv (Kiev).
https://www.abuseipdb.com/check/194.38.21.214

On 17 May 2023, Red Sky Alliance identified 18,782 connections from new unique IP addresses checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            16822
corkow            914
shiz              255
sykipot           231
betabot           219

Top 5 malware variants by number of contacts. Sality and Corkow have consistently remained the top variants; Shiz follows.

Red Sky Alliance Malware Activity

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 17 May 2023, analysts identified 2,772 new IP addresses participating in various botnets (contact us for the full .csv blacklist; the entries below are only a small sample from the botnet trackers). We are currently upgrading this collection.

First Seen             Botnet Attribution       Infected Host's IPv4 Address
2023-05-14T06:40:53    HTTP proxy|port: 8080    5.78.40.4
2023-05-11T18:40:14    HTTP proxy|port: 8080    5.78.41.34
2023-05-11T12:50:22    HTTP proxy|port: 8080    5.78.41.154
2023-05-15T13:00:58    HTTP proxy|port: 8080    5.78.41.248
2023-05-16T12:40:53    HTTP proxy|port: 8080    5.78.42.159

 

MALICIOUS CYBER TRENDS:

Maori - On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community.  The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.   Below covers the Maori Ransomware.[1]

Affected platforms: Linux (the analysis below describes a Go binary that targets Linux home directories)
Impacted parties: Linux users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Maori Ransomware - FortiGuard Labs recently came across a new ransomware variant called Maori. Like other ransomware variants, it encrypts files on victims’ machines to extort money. Interestingly, this variant is designed to run on Linux architecture and is coded in Go, which is somewhat rare and increases the analysis difficulty.

Infection Vector - Information on the infection vector used by the Maori ransomware threat actor is not currently available. However, it is not likely to differ significantly from other ransomware groups.  At the time of this research, there is no indication that Maori is widespread.

Ransomware Execution - Maori targets all user files in their home directory (Linux; “/home/<username>”). It ignores files placed elsewhere (including those just in the “/home/” directory as well as in other Linux system directories, like “/”). Due to this narrow objective, it accomplishes its job very quickly. Upon completion, the Maori executable deletes itself from the victim machine.

Figure 1. “Before” shot of a victim directory.

Figure 2. “After” shot of the same directory, now with the files encrypted.

All affected files are appended with a “.maori” extension, and a “README_MAORI.txt” file is dropped into each directory with encrypted files.

Figure 3. Encrypted file.

The entire contents of each affected file are encrypted, rather than just enough of the contents to render them unusable. The encrypted files also end up slightly larger than the originals, as seen in the size differences between Figures 1 and 2. As mentioned, a ransom note is deposited into each directory that has had its files encrypted. The note asks the victim to contact the operators using Tox (a peer-to-peer, end-to-end encrypted messenger) and provides an onionmail e-mail address as a backup communication method, along with unique strings for both channels that the victim is to present as identification to the Maori operators. No monetary sum is listed as a ransom amount.

Figure 4. Ransom note.
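The artefacts described above (a “.maori” extension on every affected file and a “README_MAORI.txt” note in each hit directory, all confined to /home/<username>) are enough to triage a host quickly. The following is an added example written for this page, not FortiGuard's or the ransomware's code: it scans a directory tree for those two artefacts and flags directories where they do not appear together, which is worth a look because the report says they always do. The sample tree it builds in a temporary directory is constructed for illustration.

```python
"""Added example (not from the FortiGuard report): triage a Linux home
directory for the artefacts the report describes - files renamed with a
".maori" extension and a "README_MAORI.txt" note in each affected directory.
The sample tree below is constructed here for illustration."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".maori"
NOTE_NAME = "README_MAORI.txt"


def scan_home(root):
    """Walk `root` and return {directory: {"encrypted": [...], "note": bool}}
    for every directory holding at least one .maori file or a ransom note."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.endswith(ENCRYPTED_EXT))
        has_note = NOTE_NAME in filenames
        if encrypted or has_note:
            findings[dirpath] = {"encrypted": encrypted, "note": has_note}
    return findings


def summarize(findings):
    """Aggregate counts. A note without .maori files (or the reverse) is
    flagged as inconsistent: per the report the two always appear together,
    so a mismatch points at a partial run, a cleanup, or a different family."""
    total = sum(len(v["encrypted"]) for v in findings.values())
    inconsistent = sorted(d for d, v in findings.items()
                          if bool(v["encrypted"]) != v["note"])
    return {"dirs": len(findings), "files": total, "inconsistent": inconsistent}


def build_sample_tree():
    """Constructed sample: one user's home with two hit directories, one
    untouched directory, one directory holding only a note, and a stray
    file directly under /home, which the report says Maori ignores."""
    root = tempfile.mkdtemp()
    home = Path(root, "home", "alice")
    for sub in ("docs", "pics", "untouched", "note_only"):
        (home / sub).mkdir(parents=True)
    for name in ("report.docx", "budget.xlsx"):
        (home / "docs" / (name + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (home / "docs" / NOTE_NAME).write_text("contact via Tox\n")
    (home / "pics" / ("cat.jpg" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
    (home / "pics" / NOTE_NAME).write_text("contact via Tox\n")
    (home / "untouched" / "notes.txt").write_text("still plaintext\n")
    (home / "note_only" / NOTE_NAME).write_text("contact via Tox\n")
    Path(root, "home", "stray.txt").write_text("not inside a user home\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_home(sample_root)
    for directory, info in result.items():
        print(directory, info)
    print(summarize(result))
```

Run it against a real host as `scan_home("/home")`; the untouched and stray files in the sample show that the scan keys purely on the two artefacts and does not try to judge file contents.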

IOCs - File-based IOCs:

SHA256                                                            Malware
a5ed581ad5cd1a2f29473cb56116cd179bfe61a924969b2dedbe07660eef9bc5  Maori ransomware

 

AndoryuBot - In April 2023, Fortinet researchers observed a unique botnet based on the SOCKS protocol being distributed through the Ruckus vulnerability CVE-2023-25717. This botnet, known as AndoryuBot, first appeared in February 2023. It contains DDoS attack modules for different protocols and communicates with its command-and-control server over SOCKS5 proxies. Based on Fortinet's IPS signature trigger counts (Figure 1), this campaign started distributing the current version sometime after mid-April.[2]

This article details how this malware leverages the Ruckus vulnerability and examines its behavior once inside an infected device.

Figure 1: IPS Signature Activity

Infection - AndoryuBot exploits the Ruckus vulnerability to gain access to a device and then downloads a script for further propagation. The complete script is shown in Figure 3; the download URL is http[:]//163[.]123[.]142[.]146. The AndoryuBot variant in this analysis targets the following architectures: arm, m68k, mips, mpsl, sh4, spc, and x86. The payload is saved under the filename “Andoryu”, which is how the campaign name was derived, and the download method, “curl”, is used as its file extension. The script also references a “.ppc” build, but instead of a valid executable that link returns only the string “Invalid file bixxh axx boi”.

Figure 2: Traffic capture of CVE-2023-25717

Figure 3: The downloading script

Initialization - AndoryuBot first checks the argument count; the assembly code is shown in Figure 4. Taking the x86 file as an example, the original parameters are “Andoryu.10curl” and “ruckus”.

Figure 4: Checking the parameter

It then decodes data from the “.rodata” section; Figure 5 shows part of the code. The XOR key, “0x2A41605D”, and the resulting clear text are shown in Figure 6. After execution it prints the string “Project Andoryu(12/30/2022). What color is your botnet !” to the console. The date in that banner indicates the project began at the end of 2022, which makes this quite a new botnet group.

Figure 5: Code flow of decoding data

Figure 6: XOR function for decoding
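The report identifies a 4-byte XOR key, 0x2A41605D, applied to the .rodata blob. The following is an added example, not code from the Fortinet analysis or from the malware: it shows the decode for a repeating 4-byte key and the known-plaintext trick of recovering such a key from the banner string. The little-endian byte order of the key and the assumption that it repeats every 4 bytes are this example's guesses (the report shows only the key value), and the encoded sample is constructed here by applying that scheme to the banner and two method names quoted in the report.

```python
"""Added example, not the AndoryuBot code itself: decode a blob with the
4-byte XOR key 0x2A41605D the report cites. Key byte order (little-endian)
and the 4-byte repeat are assumptions; the encoded sample is constructed
here by applying the same scheme to strings quoted in the report."""
KEY = 0x2A41605D
BANNER = "Project Andoryu(12/30/2022). What color is your botnet !"


def xor_with_key(data, key=KEY, byteorder="little"):
    """XOR every byte of `data` with the repeating 4-byte key. XOR is its own
    inverse, so the same call both encodes and decodes."""
    key_bytes = key.to_bytes(4, byteorder)
    return bytes(b ^ key_bytes[i % 4] for i, b in enumerate(data))


def decode_strings(blob, key=KEY, byteorder="little"):
    """Decode a .rodata-style blob and split it on NUL terminators, keeping
    only printable ASCII runs (the banner, DDoS method names, and so on)."""
    plain = xor_with_key(blob, key, byteorder)
    return [chunk.decode("ascii") for chunk in plain.split(b"\x00")
            if chunk and all(32 <= c < 127 for c in chunk)]


def recover_key(blob, known_plaintext, byteorder="little"):
    """Known-plaintext recovery: with a repeating 4-byte key, XORing the first
    four encoded bytes against four known plaintext bytes yields the key, so
    a banner seen in the console output is enough to unlock the whole blob."""
    key_bytes = bytes(b ^ p for b, p in zip(blob[:4], known_plaintext[:4]))
    return int.from_bytes(key_bytes, byteorder)


# Constructed sample: the banner plus two DDoS method names from the report,
# NUL-separated and encoded with the assumed scheme.
SAMPLE_BLOB = xor_with_key(
    b"\x00".join([BANNER.encode(), b"udp-vse", b"icmp-echo"]) + b"\x00")

if __name__ == "__main__":
    print(hex(recover_key(SAMPLE_BLOB, BANNER.encode())))
    print(decode_strings(SAMPLE_BLOB))
```

If a real sample's strings do not decode cleanly with the little-endian key, try `byteorder="big"` before assuming a different key: the only difference between the two is how the immediate shown in the disassembly is laid out in memory.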

Technical Analysis – C2 Communication: After initialization, AndoryuBot sends an HTTP GET request to “api.ipify.org” to learn the victim’s public IP address, using a hardcoded User-Agent string (Figure 7).

Figure 7: Get the victim’s public IP address

Then it starts a connection to its C2 server, 45[.]153[.]243[.]39[:]10333, using the SOCKS protocol. The code is shown in Figure 8.

Figure 8: Setup C2 connection

The first data sent from the compromised endpoint is shown in Figure 9.

Figure 9: Traffic capture of the C2 connection

Technical Analysis – DDoS Attacking: Once the communication channel is set up, the client waits for a command from the server to launch a DDoS attack. The functions are shown in Figure 10. AndoryuBot includes 12 methods: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo. These names can be located in the decoded data from the previous section.

Figure 10: Functions for DDoS attack

Once the victim system receives the attack command, it starts a DDoS attack on a specific IP address and port number. One example of the DDoS attack traffic is shown below:

Figure 11: UDP flood

Based on the above features of AndoryuBot, researchers found a YouTube video published on April 25 that gives a brief introduction to “Andoryu Net”. The description of its attack methods, taken from its sales channel on Telegram, is shown in Figure 12. The names match the decoded data from the collected AndoryuBot sample. The Andoryu project will likely continue to update its features to increase interest and sales.

Figure 12: YouTube video and seller’s introduction

Figure 13: Seller’s Telegram channel

Conclusion: CVE-2023-25717 is a remote code execution vulnerability in the Ruckus Wireless Admin web interface affecting multiple Ruckus wireless access point (AP) devices (FortiGuard Labs released a threat signal report about CVE-2023-25717 on April 28). Once a target device is compromised, AndoryuBot quickly spreads and begins communicating with its C2 server via the SOCKS protocol. In a very short time it is updated with additional DDoS methods and awaits attack commands. Users should be aware of this new threat and apply patches to affected devices as soon as they become available; the C2 and download-host IOCs below can be used to check egress logs for devices that are already infected.

IOCs - C2:

  • 163[.]123[.]142[.]146
  • 45[.]153[.]243[.]39

Files:

  • ea064dd91d8d9e6036e99f5348e078c43f99fdf98500614bffb736c4b0fff408
  • f42c6cea4c47bf0cbef666a8052633ab85ab6ac5b99b7e31faa1e198c4dd1ee1
  • 3441e88c80e82b933bb09e660d229d74f7b753a188700fe018e74c2db7b2aaa0
  • 3c9998b8451022beee346f1afe18cab84e867b43c14ba9c7f04e5c559bfc4c3a
  • b71b4f478479505f1bfb43663b4a4666ec98cd324acb16892ecb876ade5ca6f9
  • e740a0d2e42c09e912c43ecdc4dcbd8e92896ac3f725830d16aaa3eddf07fd5c
  • 4fe4cff875ef7f8c29c95efe71b92ed31ed9f61eb8dfad448259295bd1080aca
  • 2e7136f760f04b1ed7033251a14fef1be1e82ddcbff44dae30db12fe52e0a78a
  • 1298da097b1c5bdce63f580e14e2c1b372c409476747356a8e9cfaf62b94513d
  • 55e921a196c92c659305aa9de3edf6297803b60012f83967562a57547875fec1
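A practitioner's first use of the IOC list above is to check egress logs for them. The following is an added example, not part of the FortiGuard or Red Sky Alliance material: it refangs the defanged indicators and matches them against constructed Zeek-style connection and HTTP log lines, treating a SOCKS session to 45.153.243.39:10333 or a fetch from 163.123.142.146 as high confidence and the api.ipify.org lookup on its own as a weak signal, since plenty of benign software asks that service for its public IP. The log layout, sample lines and severities are this example's own choices.

```python
"""Added example (not from the FortiGuard or Red Sky Alliance material):
refang the defanged AndoryuBot IOCs and match them against constructed,
Zeek-style connection and HTTP log lines. Log layout, sample lines and
the severity assigned to each signal are this example's own choices."""

# IOCs as printed in the report (defanged); refang() restores them.
DEFANGED_C2 = ["163[.]123[.]142[.]146", "45[.]153[.]243[.]39"]
C2_PORT = 10333                      # SOCKS C2 port named in the report
DOWNLOAD_HOST = "163.123.142.146"    # serves the propagation script
WEAK_SIGNAL_HOST = "api.ipify.org"   # public-IP lookup; common in benign software too

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def refang(indicator):
    """Turn '45[.]153[.]243[.]39' or 'hxxp://...' back into a usable value."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_conn(line):
    """Constructed conn-log layout: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def parse_http(line):
    """Constructed http-log layout: ts src host method uri."""
    ts, src, host, method, uri = line.split()
    return {"ts": ts, "src": src, "host": host, "method": method, "uri": uri}


def detect(conn_lines, http_lines):
    """Return (severity, src, reason) for every log line matching an IOC."""
    c2 = {refang(x) for x in DEFANGED_C2}
    alerts = []
    for rec in map(parse_conn, conn_lines):
        if rec["dst"] in c2 and rec["dport"] == C2_PORT:
            alerts.append(("high", rec["src"], f"SOCKS C2 session to {rec['dst']}:{C2_PORT}"))
        elif rec["dst"] in c2:
            # same IP, other port: still an IOC hit, but not the known C2 channel
            alerts.append(("medium", rec["src"], f"traffic to AndoryuBot IOC {rec['dst']}"))
    for rec in map(parse_http, http_lines):
        if rec["host"] == DOWNLOAD_HOST:
            alerts.append(("high", rec["src"], "fetch from the propagation-script host"))
        elif rec["host"] == WEAK_SIGNAL_HOST:
            alerts.append(("low", rec["src"], "public-IP lookup via api.ipify.org"))
    return alerts


def triage_by_host(alerts):
    """Highest severity per source host. A host whose only hit is the ipify
    lookup stays 'low', so ordinary software is not escalated on that alone."""
    worst = {}
    for sev, src, _reason in alerts:
        if src not in worst or SEVERITY_RANK[sev] > SEVERITY_RANK[worst[src]]:
            worst[src] = sev
    return worst


# Constructed sample logs: 10.0.0.7 shows the full infection pattern,
# 10.0.0.9 only asks ipify for its address (203.0.113.10 is documentation space).
CONN_LOG = """\
2023-05-16T12:41:02 10.0.0.7 45.153.243.39 10333 tcp
2023-05-16T12:41:30 10.0.0.7 45.153.243.39 80 tcp
2023-05-16T12:42:00 10.0.0.9 203.0.113.10 443 tcp
""".splitlines()

HTTP_LOG = """\
2023-05-16T12:40:55 10.0.0.7 163.123.142.146 GET /
2023-05-16T12:40:58 10.0.0.7 api.ipify.org GET /
2023-05-16T12:45:00 10.0.0.9 api.ipify.org GET /
""".splitlines()

if __name__ == "__main__":
    hits = detect(CONN_LOG, HTTP_LOG)
    for hit in hits:
        print(hit)
    print(triage_by_host(hits))
```

The hardcoded User-Agent from Figure 7 is not reproduced on this page, so the HTTP match keys on the host only; if you have the sample, adding the User-Agent as a second condition on the ipify request would turn that weak signal into a strong one.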

GLOBAL TRENDS  

US / Philadelphia - The Philadelphia Inquirer experienced the most significant disruption to its operations in 27 years due to what the newspaper calls a cyberattack.  The company was working to restore print operations after a cyber incursion that prevented the printing of the newspaper’s Sunday print edition, the Inquirer reported on its website.  The news operation’s website was still operational Sunday, although updates were slower than normal, the Inquirer reported.  Inquirer publisher Lisa Hughes said Sunday “we are currently unable to provide an exact time line” for full restoration of the paper’s systems.  “We appreciate everyone’s patience and understanding as we work to fully restore systems and complete this investigation as soon as possible,” Hughes said in an email responding to questions from the paper’s newsroom.[3]

Germany - In January 2022, 19-year-old David Colombo from Dinkelsbühl, Germany, announced via Twitter that he had been able to hack at least 25 Tesla vehicles in 13 countries and partially take them over.  “So, I now have full remote control of over 25 Teslas in 13 countries and there seems to be no way to find the owners and report it to them,” he tweeted.  Luckily, Colombo’s intentions were good.  As the founder of cyber-security firm Colombo Technology, he used his actions simply to demonstrate the security flaw of the third-party software that Tesla owners were using, and to warn automakers the world over about the danger of malicious attacks.  Colombo isn’t alone in his mission.  Cyber-security firm McAfee demonstrated how it could trick autonomous vehicles (AVs) into speeding over 50mph above the speed limit.  And Ubiquitous System Security Lab, along with a series of partners, demonstrated how ‘poltergeist’ attacks, where attacks are made against the camera-based computer-vision systems found in AVs, can trick self-driving cars’ machine-learning systems into ignoring obstacles.[4]  “If we don’t find vulnerabilities in the vehicles of tomorrow, threat actors will,” Colombo wrote in an article for Medium.  “Malicious cyber-attacks on vehicles and/or the automotive ecosystem can have disastrous outcomes affecting not just the public image of automakers and OEMs, but also having a direct impact on human lives, infrastructure, and other aspects.  A fleet hacked by a threat actor with malicious intent would be a worst-case scenario that should be avoided at all costs.”

The possibilities don’t bear thinking about.  “The ultimate risk would be a fleet of commercial vehicles or buses could be taken over remotely and turned into missiles,” said Tu Le, founder of global innovation and management consultancy firm Sino Auto Insights.  “Autonomous systems in military vehicles could be disabled while attacking or while under attack – and made useless.  Warships could be taken over and used to attack or ambush unsuspecting entities.  This is just to name a few.”  However, Mike Ramsey, a research director focused on automotive and smart mobility at analyst firm Gartner, argues that the chances of malicious attacks causing real danger to human lives are slim.  But he does believe that ransomware attacks are a very real possibility. “You have to think about things in terms of incentives,” he says.  “There’s not a lot of incentive to do something dangerous.  However, threat actors can hack a network and shut down a large number of vehicles or make them non-functional and then demand a ransom.  Hackers are very good at figuring out the economics of this. When automakers are faced with a decision of fixing $25m-worth of cars or paying a ransom of $1m, there’s not much of a decision to be made.”

Elad Robb, head of cyber threat intelligence, AutoThreat at Upstream Security, agrees: “As more autonomous and connected vehicles interact with other vehicles, road signs over networks, mobile applications and charging infrastructure, it will be more lucrative for malicious actors to attack them,” he says.  “Put simply, adversaries follow the money, so the greater the gain, the more likely they are to try and gain access.”  Fortunately, the attacks reported to date, while dangerous, have not carried the impact of their full potential, but they have not been trivial.  “In April 2022, an EV charging station in the Isle of Wight was hacked to show inappropriate content, with some EV owners also experiencing high-voltage fault codes, leaving them stranded,” Robb says. “Also, in February, a Japanese OEM was forced to shut down 14 manufacturing facilities as a result of a cyber-attack.”

Meanwhile, Honda recently acknowledged that hackers had found a way to remotely start the engine of some of its models, and unlock doors by taking control of the car’s remote keyless entry system.  These aren’t isolated incidents.  According to Upstream’s 2022 Global Automotive Cybersecurity Report, the number of cyber events on cars soared by a massive 225 percent between 2019 and 2022.

 Why such a dramatic uptick?  According to Gartner’s Ramsey, there are multiple reasons. “Not only are there so many more vehicles on the road today, but the majority of these now have embedded connectivity,” he says. “Embedded connectivity means that they are sending and receiving information all the time – and that makes them more vulnerable to cyber-attacks.”  In fact, the number of connected vehicles on our roads will increase by 134 percent, from 330 million in 2018 to 775 million this year, according to Juniper Research.  And, by 2025, a connected car will produce 25GB of data per hour and up to 500GB if fully autonomous.  “As the automotive industry transforms from individual, siloed vehicles into an interconnected smart mobility ecosystem, it expands the auto-industry ecosystem from vehicles into services,” explains Robb. “As vehicles become software-defined and more connected, threats and attacks escalate accordingly. New attack surfaces continuously emerge and are exposed by cyber-security experts.”

It appears that some automakers are paying attention.  “Pioneering automotive players are definitely beginning to recognize that this is a unique use case where traditional IT cyber-security solutions may not fully meet the complex needs of protecting vehicles on the road, and have started implementing purpose-built solutions,” says Robb.  Audi, for example, is prioritizing the issue.  “Audi is taking technical, organizational and process-related measures to ensure automotive security,” says Christian Hartmann, a company spokesperson for electric mobility and automated driving.  “We are doing this from the development stage, through encryption and authentication of data connections between cars, for example, right through to the backend.  We are searching for weak points, and security experts and pen testers check the processes from the start of development to the start of production. We are constantly expanding the security mechanisms to develop new functions around data security, protecting the vehicle against hacking and privacy demands.”

Is your car safe from a cyber-attack?  Meanwhile, the approach taken by Waymo, the company formerly known as the Google self-driving car project, is to think about cyber security holistically.  “At Waymo, we build an autonomous driver, not a car,” says Stacy Janes, head of cyber security at the company.  “It can be applied to different vehicle types and use cases from passenger cars to delivery vans to big rig trucks.  So, when we think about cyber security, that includes the Waymo Driver, the vehicle platform it’s going to be applied to, how they interact and communicate with each other and the infrastructure that supports that.”  There are threats that are unique to each application of the Waymo Driver.  “We use a risk-based approach to identify these threats, evaluate what the main risks are and prioritize what to focus on first, working our way down through the list,” Janes says.  “Of course, this approach is not unique to the autonomous driving space and has been widely used across many other industries.”

Waymo uses layers of security to protect its autonomous driving system – especially its safety-critical functions like steering and braking, and the way it interacts with the base vehicle.  “We also consider the security of our wireless communication,” Janes adds.  “The Waymo Driver does not rely on a constant connection to operate safely. While on the road, all communications between the operations centers and the vehicles are encrypted, including those between Waymo’s operations support staff and riders.  The Waymo Driver can communicate with the operations center to gather more information about road conditions, while the Waymo Driver maintains responsibility for the driving task at all times.”  That’s not all. Waymo also has diverse mechanisms for noticing anomalous behavior and internal processes for analyzing those occurrences.  “Should Waymo become aware that someone has attempted to impair its vehicle’s security, it will trigger its company-wide incident response procedure, which involves impact assessment, containment, recovery and remediation,” Janes says.

However, Le at Sino Auto Insights believes that this approach is the exception rather than the rule.  “Many traditional automotive manufacturers are still trying to learn the basics of software development,” he says.  “So, generally speaking, they may be aware of the exposure that’s created by manufacturing and selling smart, electric vehicles to the public (because they have high-paid lawyers that will tell them), but they’re not savvy enough to know how to set up a bulletproof/hackproof infrastructure that’s always one step ahead of the bad guys.”  “Software hasn’t been in their wheelhouse for the last hundred or so years, so most of them are still trying to understand the implications of having vulnerable firmware, control modules, operating systems or infotainment systems, for example,” he continues. “Also, remember that they may rely on partners for software add-ons, so there’s another vulnerability they’re likely relying on their partner to secure.”

It’s also widely accepted that regulations are lacking. In fact, at the moment, it appears that the move toward connected autonomous vehicles is outpacing the cyber-security measures and regulations that are in place.  “Despite regulatory progress, automotive-specific cyber-security standards have not been fully mandated worldwide,” says Robb. “With the proliferation of connectivity and software-based services, the attack surfaces on vehicles are rapidly expanding.”

However, change is on the horizon.  New regulations are being implemented in Europe with the aim of protecting vehicles from both today’s known threats, and the unknown threats of the future.  “Since July 2022, a common set of cyber-security requirements is mandatory for all new vehicle types, and it will become mandatory for all new vehicles produced from July 2024,” explains Sonya Gospodinova, a spokesperson at the European Commission.  “The new regulations on automated vehicles refer to the cyber-security requirements and add specific requirements when needed.”  Moreover, she adds, the new NIS2 Directive on cyber security specifically includes motor vehicles among the sectors covered.  When the NIS2 directive enters into force, the manufacture of motor vehicles, trailers and semi-trailers, like other entities in sectors that are dependent on network and information systems and that provide key services to the EU economy and society, will be required to take cyber-security measures and report significant incidents with a view to increasing the overall level of cyber resilience throughout the internal market.

However, Gospodinova is quick to recognize that cyber security must be constantly implemented to be future-proof.  “Manufacturers have to put in place a cyber-security management system covering the whole lifecycle of the vehicle, from design to decommissioning, including software updates,” she says. “A challenge faced by the industry today is to define a cyber-security approach that allows third parties to develop and offer services for the vehicle users.”  Robb shares this opinion. “In order to mitigate and thwart these attempts to gain access to sensitive and critical systems,” he says, “OEMs should focus on ensuring they have a holistic view of all potential access points – from companion apps to charging stations as well as vehicles already on the road. Having the tools in place to monitor and understand the live state of the vehicle, consumer or application that interacts with the vehicle to detect unusual or malicious activity is key so that OEMs can respond efficiently via a dedicated virtual security operations center.”  This is where Le believes that many automakers will continue to fall short. “I think generally many CAV manufacturers outsource their cyber security to ‘security’ partners or rely on/assume that their suppliers are taking the necessary steps,” he says. “As long as the supply contract says it’s not their responsibility and they bear none for any hacks, then I think that’s as far as they’ll take it.”

Ramsey agrees, adding that, while the new regulations will lead to some action, automakers won’t really make cyber security a priority until something serious happens.  “At some point in the not-too-distant future, there’s going to be a major hacker event that will probably wake up the industry and start changing the talk around it,” he says.  “I don’t know when that’s going to happen, of course, or the context of it, but it’s almost inevitable.  As sad as it sounds, it probably needs to happen in order for the speed of implementation to quicken.  If one automaker has a million cars that stop working suddenly, and the cost of that is astronomical, that is a pretty big motivator to change.”

[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-maori?lctg=141970831

[2] https://www.fortinet.com/blog/threat-research/andoryubot-new-botnet-campaign-targets-ruckus-wireless-admin-remote-code-execution-vulnerability-cve-2023-25717/

[3] https://www.washingtontimes.com/news/2023/may/14/philadelphia-inquirer-cyberattack-disrupts-newspap/

[4] https://eandt.theiet.org/content/articles/2023/05/is-your-car-safe-from-a-cyber-attack/
