Image: Stefano Pollio


Three years and eight days ago, on April 14, 2017, a mysterious group of hackers known as the Shadow Brokers published a collection of hacking tools that ended up changing the internet forever.

Known as the “Lost in Translation” dump, the archive contained dozens of hacking tools and exploits stolen from the United States National Security Agency (NSA), which many believed the US had used to hack other countries.

Today, three years later, the best-known file in the leak is ETERNALBLUE, the exploit at the heart of the WannaCry and NotPetya ransomware outbreaks.

The mysterious sigs.py

But while ETERNALBLUE is the most recognizable name from the Shadow Brokers leak, one other file has increasingly fascinated the cybersecurity community.

Named “sigs.py”, the file is what many consider a treasure trove of hacking operations and threat intelligence.

The file is believed to be a simple malware scanner that NSA operators would deploy to hacked computers and use to search for other APTs (advanced persistent threats), a term used to describe nation-state hacking groups.

It contained 44 signatures for detecting files (hacking tools) deployed by other hacking groups, numbered 1 to 45, with number 42 missing.
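To show what a "simple malware scanner with numbered signatures" of the kind described above looks like in practice, here is an added example written for this article. It is not sigs.py and does not reproduce its format, which this page does not show; it assumes a simplified rule model (each numbered signature matches either a whole-file SHA-256 hash or a byte regex, optionally anchored at a fixed offset) and runs against a few constructed in-memory sample files. All sample contents, tags and signature names are invented for the demo.

```python
"""Minimal numbered-signature file scanner (added illustration, not the leaked sigs.py).

Assumed rule model: a signature carries an integer ID and matches a file either
by exact SHA-256 hash or by a byte regex, optionally anchored at an offset.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Signature:
    """One numbered detection rule (assumed format, not the leaked file's)."""
    sig_id: int
    name: str
    sha256: Optional[str] = None     # exact whole-file hash match
    pattern: Optional[bytes] = None  # regex applied to the raw bytes
    at_offset: Optional[int] = None  # if set, the pattern must start here

    def matches(self, data: bytes) -> bool:
        if self.sha256 is not None:
            return hashlib.sha256(data).hexdigest() == self.sha256
        if self.pattern is None:
            return False
        if self.at_offset is not None:
            # Anchored rule: pattern must begin exactly at the given offset.
            return re.match(self.pattern, data[self.at_offset:]) is not None
        return re.search(self.pattern, data) is not None


# Constructed sample "files" held in memory so the demo runs offline.
SAMPLE_FILES: Dict[str, bytes] = {
    "notes.txt": b"quarterly report, nothing to see here\n",
    # Looks like a PE: 'MZ' at offset 0, 'PE\0\0' at offset 64, plus a fake config tag.
    "svchost_backup.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
                          + b"\x00implant-config=CONSTRUCTED_C2_TAG\x00",
    "dropper.bin": b"CONSTRUCTED_SAMPLE_FOR_HASH_RULE",
}

# Constructed rule set. IDs are illustrative; names are invented.
SIGNATURES: Dict[int, Signature] = {
    1: Signature(1, "dropper (hash rule, constructed)",
                 sha256=hashlib.sha256(SAMPLE_FILES["dropper.bin"]).hexdigest()),
    2: Signature(2, "implant config tag (regex rule, constructed)",
                 pattern=rb"implant-config=CONSTRUCTED_C2_TAG"),
    # Coarse structural rule: flags every MZ executable, so it will also hit
    # benign PE files. Kept to show why offset-anchored rules need care.
    3: Signature(3, "MZ header at offset 0 (coarse, constructed)",
                 pattern=rb"MZ", at_offset=0),
}


def scan_bytes(data: bytes, signatures: Dict[int, Signature] = SIGNATURES) -> List[int]:
    """Return the sorted IDs of every signature that matches the given bytes."""
    return sorted(sig.sig_id for sig in signatures.values() if sig.matches(data))


def scan_directory(root: str, signatures: Dict[int, Signature] = SIGNATURES) -> Dict[str, List[int]]:
    """Walk a directory tree and map each flagged path to its matching signature IDs."""
    hits: Dict[str, List[int]] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            ids = scan_bytes(data, signatures)
            if ids:
                hits[path] = ids
    return hits


def scan_samples() -> Dict[str, List[int]]:
    """Run the constructed samples through the rule set (offline demo)."""
    return {name: scan_bytes(data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, ids in scan_samples().items():
        print(f"{name}: {ids if ids else 'clean'}")
```

The hash rule is exact but brittle (a single changed byte evades it), the regex rule survives recompilation as long as the string is kept, and the offset-anchored rule is structural and therefore prone to false positives; a real signature set mixes all three and tunes them against benign files before deployment.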

The file immediately captivated security researchers. Many realized that they were nowhere near detecting as many APTs as the NSA had listed in sigs.py.

As of today, three years later, 15 signatures in sigs.py remain unidentified, which shows that the NSA still has a better view of foreign hacking operations than many cybersecurity vendors.

According to my notes, these have not yet been resolved: SIG3, SIG6, SIG11, SIG14, SIG19, SIG21, SIG24, SIG26, SIG29, SIG31, SIG32, SIG33, SIG34, SIG37, SIG38, SIG43. The last one resolved was SIG27, as DarkUniverse / ItaDuke.

– Costin Raiu (@craiu) April 22, 2020

However, in a presentation at the OPCDE Virtual Cybersecurity Summit today, a security researcher identified a new APT: the one behind signature #37.

More precisely, the researcher corrected the earlier misattribution of signature #37 to Iron Tiger, a China-linked cyber-espionage group.

Image: CrySyS report attributing signature #37 to the Iron Tiger APT, now considered a misattribution

New Nazar APT believed to operate out of Iran

Juan Andrés Guerrero-Saade, a former security researcher at Kaspersky and Google, says that after identifying files linked to this signature, he believes signature #37 actually tracks a new hacking group, one he says may be based in Iran.

Guerrero-Saade said this activity cluster is not currently connected to any publicly reported group and has been active since 2008, although it was most active between 2010 and 2013.

The researcher named the new group the Nazar APT, after a string found in the malware.

Guerrero-Saade says he was able to identify (with the help of an anonymous source) victims still infected with the #37 malware. He says the victims are exclusively in Iran.

“Oddly enough, and I say this because the malware is so old and it targets older versions of Windows, Windows XP and lower, there are still victims out of Iran,” Guerrero-Saade said in today's livestream.

“Whenever everyone talks about Iran as an attacker, we start to think of Western victims (…), and whenever we think of an Iranian orientation we often think of Western APTs.”

“In this particular case, if we had to have all the attributes at face value, it defies this general perception insofar as we are contemplating perhaps an Iranian-born cluster of activities aimed at those who seem to be exclusively Iranian victims.”

Guerrero-Saade plans to publish a more detailed report on the Nazar APT next week on his personal blog.

Among cybersecurity experts, the hunt for the other 15 APTs listed in the NSA's sigs.py file continues.

Below is a recording of today's OPCDE Virtual Summit stream.

Article updated shortly after publication to include the link to Guerrero-Saade's report, which went live sooner than announced.

Video: https://www.youtube.com/watch?v=QImyKDvryq8