2019-05-05
Security: SSH Honey Keys and Chaos of Microsoft/NSA
SSH Honey Keys
The thought behind honey keys is similar to Honeywords, a concept published a while ago to help identify attempts to use data collected in breaches to gain unauthorized access to a user account. In our case, the attacker attempts to authenticate with the honey key, the action is logged (or another action chosen by the defender) and an alarm is sounded for use of the key.
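As an added illustration of the detection side of that idea (example code written for this digest, not taken from the honey-key article), the monitor below reads OpenSSH auth log lines and raises an alert whenever the offered key fingerprint matches a planted honey key. It assumes the standard sshd "Accepted/Failed publickey for USER from IP port PORT ssh2: KEYTYPE SHA256:FINGERPRINT" line format; the fingerprints, host names and log lines are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Fingerprints of planted honey keys (constructed placeholders, not real key material).
# Each maps to a note recording where the decoy private key was left to be found.
HONEY_KEYS: Dict[str, str] = {
    "SHA256:HONEYKEY00000000000000000000000000000000000":
        "decoy id_rsa planted in /home/deploy/.ssh on jumpbox-01 (hypothetical host)",
}

# Matches OpenSSH public-key auth lines, e.g.
#   sshd[4242]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:...
# "Failed publickey" lines that include the offered fingerprint are only written
# when sshd_config sets LogLevel VERBOSE; the default INFO level logs accepted keys only.
AUTH_LINE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)


@dataclass(frozen=True)
class HoneyKeyAlert:
    user: str
    source_ip: str
    result: str       # "Accepted" or "Failed"
    fingerprint: str
    note: str         # where this decoy key was planted


def scan_sshd_log(lines: Iterable[str],
                  honey_keys: Dict[str, str] = HONEY_KEYS) -> List[HoneyKeyAlert]:
    """Return one alert per public-key authentication attempt that used a honey key.

    Both accepted and failed offers count: the key itself is the indicator, so the
    outcome of the login only changes the severity, not whether we alert.
    """
    alerts: List[HoneyKeyAlert] = []
    for line in lines:
        m = AUTH_LINE.search(line)
        if m is None:
            continue  # password auth, disconnects and other noise are not key offers
        fp = m.group("fp")
        if fp in honey_keys:
            alerts.append(HoneyKeyAlert(
                user=m.group("user"),
                source_ip=m.group("ip"),
                result=m.group("result"),
                fingerprint=fp,
                note=honey_keys[fp],
            ))
    return alerts


# Constructed sample log lines (RFC 5737 documentation addresses, invented fingerprints).
SAMPLE_LOG = [
    "May  5 10:01:02 jumpbox-01 sshd[4242]: Failed publickey for deploy from 198.51.100.7 "
    "port 51234 ssh2: RSA SHA256:HONEYKEY00000000000000000000000000000000000",
    "May  5 10:01:09 jumpbox-01 sshd[4243]: Accepted publickey for alice from 192.0.2.10 "
    "port 50022 ssh2: ED25519 SHA256:BENIGNKEY0000000000000000000000000000000000",
    "May  5 10:02:00 jumpbox-01 sshd[4244]: Failed password for root from 203.0.113.5 "
    "port 40000 ssh2",
]


if __name__ == "__main__":
    for alert in scan_sshd_log(SAMPLE_LOG):
        print(f"ALERT honey key used ({alert.result}): user={alert.user} "
              f"from={alert.source_ip} key={alert.fingerprint} planted={alert.note}")
```

Because the decoy key's public half is not in any authorized_keys file, every use of it is a failed login, which is why the monitor needs sshd to run at LogLevel VERBOSE to see the offered fingerprint. Running this over the constructed sample yields a single alert for the failed offer from 198.51.100.7; the genuine ED25519 login and the password failure are ignored.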
Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak
One of the most significant events in computer security happened in April 2017, when a still-unidentified group calling itself the Shadow Brokers published a trove of the National Security Agency’s most coveted hacking tools. The leak and the subsequent repurposing of the exploits in the WannaCry and NotPetya worms that shut down computers worldwide made the theft arguably one of the NSA’s biggest operational mistakes ever.
On Monday, security firm Symantec reported that two of those advanced [attack] tools were used against a host of targets starting in March 2016, fourteen months prior to the Shadow Brokers leak. An advanced persistent threat [attack] group that Symantec has been tracking since 2010 somehow got access to a variant of the NSA-developed "DoublePulsar" backdoor and one of the Windows exploits the NSA used to remotely install it on targeted computers.
Turla LightNeuron: An email too far
Recently, ESET researchers have investigated a sophisticated backdoor used by the infamous espionage group Turla, also known as Snake. This backdoor, dubbed LightNeuron, has been specifically targeting Microsoft Exchange mail servers since at least 2014. Although no samples were available for analysis, code artefacts in the Windows version lead us to believe that a Linux variant exists.
Researchers discover highly stealthy Microsoft Exchange backdoor
Aside from the Transport Agent, which is dropped in the Exchange folder located in the Program Files folder and registered in the mail server’s configuration, the backdoor also uses a DLL file containing most of the malicious functions needed by the Transport Agent.
As mentioned before, the backdoor can block emails, modify their body, recipient and subject, create a new email, replace attachments, and re-create and re-send the email from the Exchange server to bypass the spam filter.
It can create email and attachment logs, encrypt emails and store them, and parse JPG/PDF attachments and decrypt and execute the commands found in them.
LightNeuron can also be instructed to write and execute files, delete and exfiltrate them, execute processes, disable itself, perform extensive logging (backdoor actions, debug, error, etc.) and perform automatic file exfiltration at a particular time of the day and night.
Russian Nation-State Group Employs Custom Backdoor for Microsoft Exchange Server
"It's not really a vulnerability. They are using legitimate functionality [of Exchange]," he says.
Microsoft was not available for comment at the time of this posting.
New backdoor targets Microsoft Exchange mail servers
The malware was able to use the transport agent to read and modify every email passing through the server, compose and send emails, and block any email.
ESET said LightNeuron used steganography to hide its commands inside a PDF document or a JPG image.
