BlackBerry’s Cylance finds Word-based Rosneft malware attack

Russia’s Rosneft oil and gas firm has been the subject of a fairly extended attack, one that appears to be using the current political climate as a disguise for some good old-fashioned criminal enterprise. Those are the findings of the latest Threat Intelligence Bulletin from Cylance, a company that was recently purchased by BlackBerry for $1.4bn in an attempt to shore up its enterprise offerings.

The attacks illustrate just how simple an attack can be and still gain a substantial foothold. Cylance didn’t detail the impact of the attack, but it looks like a lot of confidential information will have been intercepted by the attackers, which is never a good thing. Dubbing the attack ‘Poking the Bear’ (PtB), Cylance illustrates just how easy it is to infect a target.

This comes as recent disclosures by NHS trusts in the UK highlight the woeful cybersecurity spending, which in some cases can be best described as non-existent. Healthcare providers are by no means alone in this habit, and in the increasingly connected world that is being afforded by the IoT, there still needs to be a step-change to shock these stakeholders awake.

Of course, many won’t wake up to the threat, and that means businesses are going to have to accept the reality that their clients and partners could be riddled with infections at all stages – from the highest cloud applications in the stack, all the way down to the lowliest of microcontrollers in a network-edge device.

For BlackBerry, this market is the basis for its future growth, having ditched mobile phones and finding increased competition in the automotive software market. The $1.4bn paid for Cylance is the largest acquisition in its history, and should secure it a company with a good reputation, some 3,500 customers (20% of the Fortune 500 too, apparently), and some expertise in AI and machine learning. This will be injected into BlackBerry’s ‘Enterprise of Things’ initiative.

Cylance says its expertise in AI-based and algorithmic security software has allowed it to become a market leader, using a lightweight client on end devices to identify and mitigate malicious traffic and attacks. These are going to be used inside BlackBerry’s new Spark PaaS, which was unveiled back in September.

Spark aims to provide a ‘single pane of glass’ view for enterprises that are looking to connect and manage devices securely. It isn’t trying to be an application platform with security features, which is wise as it would be outgunned by the big cloud providers; rather it has integrations to play nicely with Microsoft Azure, Google, and AWS.

Cylance’s assets should augment Spark’s capabilities, especially its claimed ability to spot threats before they appear in the wild and become capable of causing damage. Cylance says it spots them 25 months ahead, which it attributes to being able to leverage some 14.5mn endpoints. With all those ears to the ground, Cylance can use its AI-based tools to spot patterns in the noise, which lets it find those threats early.

PtB used a set of Word document macros (VBA scripts embedded in the document, which run once the recipient enables them) to gain code execution on a Windows machine. The malware would then communicate with a command and control server, which would deliver its code payload. Cylance notes that it’s not clear if PtB was targeted, or if it was a spray-and-pray attack on the Russian-speaking business world.

Similarly, it’s not clear if the stolen information is being used for anything, but the code installed a backdoor that could: “upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system.”
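The two practical checks a defender wants against the macro stager described above and the backdoor it installs are (a) does an inbound Word file carry a VBA project at all, and (b) is an Office application on an endpoint spawning a script host or other living-off-the-land binary, which is the usual tell of a macro calling out to its command and control server. The following is an added example illustrating both checks; it is not code from Cylance, BlackBerry or the Poking the Bear analysis. The sample document and the Sysmon-style log lines are constructed here, the macro blob is a placeholder rather than real VBA data, and the process list is an assumption for illustration.

```python
"""Triage helpers for macro-borne droppers (added example, not Cylance code).

1. has_vba_project(): does an Office Open XML file (.docm/.docx) carry a
   VBA project?  Detected by the 'word/vbaProject.bin' zip member.
2. flag_office_children(): which process-creation events show an Office
   application spawning a script host or LOLBin.
All inputs below are constructed for the example.
"""
import io
import json
import zipfile


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; the VBA part is a placeholder,
    not genuine MS-OVBA data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container carries a VBA project part.
    Legacy .doc files are OLE compound files, not zips, and need a
    separate parser (e.g. oletools); they return False here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = {n.lower() for n in z.namelist()}
    except zipfile.BadZipFile:
        return False
    return "word/vbaproject.bin" in names


# Assumed watch-lists for the detection rule (illustrative, not exhaustive).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_office_children(events):
    """Return process-creation events where an Office app spawns a
    scripting host or LOLBin child."""
    hits = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


# Constructed Sysmon-style process-creation events (JSON lines).
SAMPLE_LOG = """\
{"EventID":1,"ParentImage":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE","Image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","CommandLine":"powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID":1,"ParentImage":"C:\\\\Windows\\\\explorer.exe","Image":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n invoice.docm"}
{"EventID":1,"ParentImage":"C:\\\\Windows\\\\explorer.exe","Image":"C:\\\\Windows\\\\System32\\\\cmd.exe","CommandLine":"cmd /c dir"}
"""


def parse_events(text: str):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    print("macro present:", has_vba_project(build_sample_docm(True)))
    for hit in flag_office_children(parse_events(SAMPLE_LOG)):
        print("suspicious child:", hit["CommandLine"])
```

The static check only answers whether a VBA project exists; inspecting what the macro does requires decompressing the MS-OVBA module streams inside vbaProject.bin (what oletools' olevba does), since the source is not stored as plain text. The process rule is deliberately simple and will fire on some legitimate add-ins, so in practice it is tuned with command-line context (encoded PowerShell, hidden windows, download cradles) before it pages anyone.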

Cylance’s breakdown of the attack is quite extensive, but at its peak the attack would allow remote control of someone’s desktop. The person or group behind the attack was “using more than two-dozen websites to mimic real Russian critical infrastructure companies.” The Cylance research eventually found that Russian infosec company Group-IB had discovered the malware at some point in 2017, publishing an article on the Russian edition of Forbes.

Rosneft was not the only company to be used in the deception – Gazprom, Mendeleevkazot, the Siberian Business Union (HCSDS), and EuroChem were also being imitated. Cylance concludes that it was probably EuroChem that paid Group-IB to start digging, and that the attack is an evolution of one that was initially targeting the gaming community – which in Cylance’s view, shows that this is most likely a good old-fashioned criminal endeavor, and not an attack on Russian interests by another nation.

Cylance warns that “the line between well-organized criminal efforts and nation-state activity can often be blurry, but practitioners and consumers of threat intelligence should beware of inherent biases. What appears at first blush to be a clear indicator of nation-state malfeasance may in fact simply allow a criminal to hack your way of thinking shortly before hacking your organization.”