Written by: Mike Parkin, Product Marketing Engineer – In the first week of February, Catalin Cimpanu at ZDNet and Kacy Zurkus at Infosecurity Magazine reported on a new malware campaign spreading primarily through China, with smaller infestations in South America and other parts of Asia. Known as SpeakUp, it was first discovered by the folks at Check Point on February 4th. The malware payload is a cryptomining program, but that’s not the interesting part of this. What is interesting about this one is the range of targets it can infect and its ability to move laterally after the initial infection.
SpeakUp targets CVE-2018-20062, a flaw in ThinkPHP, to infect Linux and Mac servers running on bare iron, virtually, or in the cloud, loading in a back door that’s currently undetected by any of the anti-virus or anti-malware engines. The multi-step infection is straightforward, but the overall structure appears well suited to swapping in other payloads.
I suspect we’ll see more of this family of malware in the near future.
The techniques SpeakUp uses for lateral propagation rely on a range of existing vulnerabilities, with some of them dating back to 2010, showing that old vulnerabilities never die – they just lurk on unpatched systems until someone gets around to exploiting them. Fortunately, Attivo Networks deception technology can identify and mitigate an infection, even when the exploit is a zero day and the payload can evade current AV.
SpeakUp moves laterally by scanning accessible subnets for vulnerabilities it can leverage, including the 9-year-old exploitmentioned earlier. It will also try to brute force Control-Panel Admin access with a set of pre-defined user ID’s and passwords if it finds one. This lateral movement phase is where deception interrupts the attack cycle.
When an infected system scans for fresh targets, it will encounter a decoy which alerts the incident response team to the event. If the malware tries to compromise the decoy, the entire process is logged, captured, and available for analysis. This intelligence lets the incident response team identify new variants and related attacks as they emerge. The ThreatDefend platform will also identify and interrupt this kind of attack with its Vulnerability Simulation capability – which simulates the response for any of the known exploits without actually being vulnerable.
Deception remains extremely effective even as new threats emerge, and old vulnerabilities remain unpatched, by adding synthetic targets to the attack surface, whether the environment is physical, virtual, or in the cloud. Threat actors, live or automated, can’t differentiate between what’s real and what’s a decoy, which makes their job harder while the security team’s job gets easier.
Bottom line is we’re almost certainly going to see more of this attack family, and closely related derivatives, in the future. Mitigating them requires keeping up with security patches to stop attackers from exploiting old bugs, and adding defenses that can identify and mitigate new families of attacks –such as the ThreatDefend platform, which is specifically designed to detect in-network threats and their lateral movement.
The full report on SpeakUp from Check Point, including the Indicators of Compromise (IoC), are here.