INTELLIGENT SOFTWARE BUSINESS
Could Fireball malware become the next Mirai?
With the recent discovery of the potentially calamitous Fireball malware, you need a weapon against volumetric, multi-vector DDoS attacks, says Mohammed Al-Moneer, Regional Director, MENA at A10 Networks.

WannaCry might be the tip of the iceberg
While recent exploits were developed to target SMB remote code execution vulnerabilities in Windows XP, the malware has reportedly not deployed any additional payload, so it's vital organisations implement relevant patches, says Rick Holland, Vice President, Strategy, at Digital Shadows.
Mohammed Al-Moneer, Regional Director, MENA at A10 Networks

Researchers have recently uncovered a malware strain believed to have infected more than 250 million computers globally. It is further believed that this malware is present on 20 per cent of corporate networks.

Dubbed ‘Fireball’, the massive malware infection originated in China and has caused disastrous outbreaks in Brazil, India and Mexico. There’s the potential for Fireball to become more calamitous.

Security firm Check Point, which found Fireball, called it “possibly the largest infection operation in history. ... Fireball takes over target browsers and turns them into zombies,” Check Point wrote. “Fireball has two main functionalities: the ability to run any code on victims’ computers, downloading any file or malware; and hijacking and manipulating infected users’ web traffic to generate ad revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements but, just as easily, it can turn into a prominent distributor for any additional malware.”
Potential devastation
What’s more startling is that Fireball has the ability to execute commands remotely, including downloading further malicious software. This means threat actors could theoretically use the more than 250 million infected machines to launch a colossal and destructive botnet that could rival Mirai.

The Mirai malware is blamed for the DDoS attack against DNS provider Dyn that knocked many of the web’s biggest sites offline last year; the 600-plus Gbps attack against KrebsOnSecurity; and the attack against service provider OVH.

Attackers used the Mirai malware to take control of unsecured Internet of Things (IoT) devices, namely web-enabled cameras, to build botnets. This gave rise to the DDoS of Things and heralded a new era of DDoS attacks which, for the first time, exceeded the 1 Tbps threshold.

While Fireball itself isn’t a DDoS attack, an attacker could weaponise the compromised machines and use them to build a botnet that rises to the level of Mirai, especially considering infected PCs are far more powerful than hijacked webcams.

Maya Horowitz, Threat Intelligence Group Manager at Check Point, told Dark Reading that Fireball has the potential to be leveraged for a Mirai-style wave of gigantic DDoS attacks.

“In [Fireball’s] case, each infected machine was its own, and someday all these machines could get the command to do something,” Horowitz told Dark Reading. “Any risk you can think of; any code can run on these machines.”

Fight fire with fire
The DDoS of Things is powering bigger, smarter and more devastating multi-vector attacks than ever imagined. Fireball’s potential to become the next Mirai, or something worse, reinforces the need for protection from the DDoS of Things and IoT-fuelled DDoS attacks.

DDoS attacks are damaging. Along with service disruption, they can have a lasting impact that harms your brand reputation, your revenue and your user experience. You need to fight back. If Fireball reaches Mirai’s status, you need a weapon against volumetric, multi-vector DDoS attacks. You need major firepower to stand up to the DDoS of Things.
Intelligent Tech Channels, Issue 07
Rick Holland, Vice President, Strategy, at Digital Shadows

The attack on 200,000 plus computers across more than 120 countries around the world by the WannaCry ransomware certainly got the attention of governments, media, consumers and law enforcement. But the actual impact could have been so much worse.

Much ink is still being expended trying to determine who was responsible and what their motives were, and many believe this might have been the act of inexperienced hackers who lost control of their creation. Certainly, at the time of writing, none of the ransom has been collected from the bitcoin accounts victims were encouraged to send their money to.

But while WannaCry could have been so much worse in impact, what is clear is that the base exploit code it uses was part of a batch stolen by Shadow Brokers in April 2017 from the US National Security Agency’s (NSA) Equation Group and, potentially, the attack could be just the tip of the iceberg.

Earlier in May 2017, CERT EU (the EU’s Computer Emergency Response Team) reported on a worm identified in the wild, which has reportedly spread using exploit code leaked by Shadow Brokers in a similar fashion to WannaCry. CERT EU referred to this malware as ‘BlueDoom’, but its internal name was reportedly ‘EternalRocks’. In addition to the EternalBlue Server Message Block (SMB) exploit used by WannaCry, EternalRocks has reportedly also employed at least three additional exploits leaked by the Shadow Brokers: EternalChampion, EternalRomance and EternalSynergy as part of its propagation process.
All three of these exploits were developed to target SMB remote code execution vulnerabilities in Windows XP, all of which were patched in Microsoft’s Apr 2017 MS17-010 release. However, unlike WannaCry, following a successful exploitation and subsequent deployment of the DOUBLEPULSAR backdoor on an infected machine, the malware has reportedly not deployed any additional payload.

Why no payload is being deployed is unclear but we can speculate that EternalRocks was likely intended to be used to establish a presence on a large number of machines to facilitate the deployment of second-stage payloads sometime later. What that payload might be and what its function is are not clear and it remains to be seen how the actors responsible for developing this worm will exploit their access to infected machines.

What is clear is that this development highlights that the Eternal suite of Equation Group exploits and other technical assets leaked by the Shadow Brokers will almost certainly continue to pose a threat beyond WannaCry. Users and organisations that have not already implemented the relevant Microsoft patches and mitigations on the back of EternalBlue are advised to do so quickly.
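The closing advice above is to apply the MS17-010 patches and the associated mitigations. The PowerShell audit below is an added example, not code from the article or from Digital Shadows: it checks a Windows host for the two controls that block the Eternal* SMB exploits, the MS17-010 update and SMBv1 being disabled, and reports whether TCP/445 is listening at all. It assumes it runs as Administrator on Windows 8.1 / Server 2012 R2 or later (the cmdlets used do not exist on Windows XP), and the KB number for MS17-010 differs per OS build, so it is left as a placeholder to fill in from Microsoft’s bulletin.

```powershell
# Added example (not from the article): audit one Windows host for the MS17-010
# patch and the SMBv1 mitigation. Assumes Administrator rights on Windows 8.1 /
# Server 2012 R2 or newer. The KB number below is a placeholder; MS17-010 ships
# under a different KB for each OS build, so look it up for the host being checked.
$Ms17010Kb = 'KB<MS17-010 number for this OS build>'   # placeholder, not a real KB id

function Test-Smb1Disabled {
    # Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    $server = Get-SmbServerConfiguration
    $serverOff = -not $server.EnableSMB1Protocol

    # Optional-feature view, which also covers the client/driver side.
    # A missing feature (older builds) is treated as "not enabled".
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureOff = ($null -eq $feature) -or ($feature.State -ne 'Enabled')

    return ($serverOff -and $featureOff)
}

function Test-Ms17010Installed {
    param([string]$Kb)
    # Get-HotFix lists installed updates; a null result means the KB is absent.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Test-Smb445Listening {
    # Any TCP/445 listener means SMB is reachable from the network at all;
    # a host with no business serving SMB should have none.
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return ($null -ne $listeners)
}

# One object per host so the result can be exported to CSV or shipped to a SIEM.
$report = [pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    Smb1Disabled     = Test-Smb1Disabled
    Ms17010Installed = Test-Ms17010Installed -Kb $Ms17010Kb
    Smb445Listening  = Test-Smb445Listening
    CheckedAt        = (Get-Date).ToString('s')
}

$report | Format-List

# Either control missing leaves the host exposed to the exploits the article names.
if (-not $report.Smb1Disabled -or -not $report.Ms17010Installed) {
    Write-Warning "$($report.ComputerName): MS17-010 missing or SMBv1 still enabled; patch and disable SMBv1."
}
```

Run it once per host (or wrap it in Invoke-Command for a fleet) and keep the output: a host that is both unpatched and listening on 445 is the one to prioritise, while disabling SMBv1 on hosts that cannot yet be patched removes the protocol the EternalBlue, EternalChampion, EternalRomance and EternalSynergy exploits all depend on.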