Growing use of Python malware hints at malware authors' development

In 2018 there have already been several instances of malware components written in Python. This was a developing trend across 2017 and is widely seen as either lower-level actors trying their hand at malware development or as proof-of-concept work. However, recent developments suggest that the threat landscape has moved beyond just lower-level actors' use of Python, with examples of the language becoming much more commonplace.

Strategic assessment:

PyCryptoMiner was the first example of this development in 2018. Identified by F5 Labs, the crypto miner had recently been developed to also leverage CVE-2017-12149 on JBoss servers. Initially it used dictionary and brute-force attacks against the SSH login credentials of target Linux systems, then deployed a base64-encoded Python script designed to connect to the C&C server. The additional payloads were also written in Python.

Palo Alto also identified Python-based malware dubbed “PowerStager”. Thematically, Python-based malware often targets Linux systems, most likely because of the development environments in which the malware was written. However, PowerStager generates Windows executables and then launches PowerShell scripts in order to execute a shellcode payload. It also had several configuration options, suggesting the authors were much more organised, and potentially more skilled, than previously seen.

The targeting of a Brazilian management institution by two different versions of CannibalRAT, written in Python, also highlights an example where potentially more skilled actors have switched to Python. The code targeted INESAP users and, given its sole targeting of Brazil and its use of obfuscation, Talos suggested it could have been for cyber-espionage purposes.

It is noted that most malware making use of Python scripts relies on other languages for increased functionality. In the latest example, a backdoor identified by AlienVault, 50% of the code was written in Python. However, the language’s use in malware development is an increasing trend, perhaps most poignantly seen in the GitHub DDoS ransom note. According to Cybereason, the note was written in a line of Python code that was repeated multiple times.

Historically, Python-based malware was an indication of lower-skilled actors, as Python is viewed as a gateway language for learning to code. However, with more groups leveraging such scripts in successful operations, this argument seems harder to sustain.


Anonymous Launches OpPeaceForSyria

Target: UK political organisations

Attack Vector: DDoS

Threat Actor: @Anonymous/@UnitedSecTeam

Summary: In response to airstrikes carried out against Syrian targets on the morning of Saturday 14th April 2018, the @Anonymous hacktivist collective has announced the launch of the cyber operation #OpPeaceForSyria. The aim of the operation is to show international opposition to the air strikes and to encourage citizens in Western countries to hold their governments to account for the military action.

Risk assessment summary: It is currently assessed that #OpPeaceForSyria presents a 3e MODERATE threat. Whilst most activity will comprise DDoS attacks, hacks, data leaks and website defacements may also be used against targeted organisations. At the time of writing no target list has been issued, but statements by @UnitedSecTeam suggest the group is planning to move beyond smaller targets. As the group is ideologically driven with an anti-government agenda, politically linked organisations such as councils and government-sector bodies are likely to be considered attractive targets.

Activists from the wider @Anonymous collective are almost certain to support the operation given the high profile of the attacks on Syria and the implications for global peace and security. A more worrying aspect of forthcoming hacktivist activity is that it may be used as a smokescreen for more damaging APT-related activity. Both Russian and Iranian actors have previously used the pretext of being a hacktivist group as cover for their activity; indeed, APT28 has used the hashtag #OpOlympics during hacks and data leaks of sporting-related bodies such as WADA and the IOC. The group also claimed to be the ISIS-linked UnitedCyberCaliphate during the service-affecting attack against the French media organisation TV5Monde.

Given that malicious state-sponsored entities may seek to complicate attribution during the current period of international tension, it may be prudent to monitor hacktivist incidents more carefully, especially where such activity targets critical infrastructure or organisations. Monitoring of the threat environment will continue in order to identify any emerging target lists or other actionable intelligence.

Air Strikes Syria

Air Strikes in Syria likely to result in Russian retaliation

Target: UK/USA/France

Attack Vector: Hack & Data Leaks/Phishing/DDoS/Website Defacement/

Threat Actor: Russian & Iranian APT actors

Summary: On the morning of Saturday 14th April 2018, the US, UK and France launched a number of air and missile strikes against suspected Syrian chemical weapon production sites at Masyaf near the city of Homs, and Barzeh on the outskirts of Damascus. It is reported that the airstrikes were successful, resulting in no fatalities and only a handful of minor injuries. The attacks were launched in response to the 7th April chemical weapons incident in Douma, Eastern Ghouta, which has been laid at the door of the Assad regime by Western politicians. Prime Minister Theresa May also stated that UK support for the action was a consequence of the alleged Novichok attack on Sergei Skripal on 4th March 2018 in Salisbury. Despite the limited nature of Western action, Russia has reacted angrily and has vowed there will be as yet unspecified consequences.

Risk assessment summary: It continues to be assessed that Russian state-sponsored actors and allied groups present a 2a HIGH threat to a number of sectors, including health, telecoms, government, defence, energy and finance. Organisations outside these sectors may also be targeted or become “collateral damage” in any campaign of service-disruptive attacks.

Recent reconnaissance activity by Russian actors is entirely consistent with earlier threat intelligence reports, which suggested that the ongoing crisis that began with the Skripal poisoning would directly impact the cyber threat environment.

Rhetoric from senior Russian figures such as Sergei Lavrov, who have promised retaliation, should not be considered an idle threat. Whilst direct military conflict between Russia, the UK and the US has been avoided for the time being, the situation remains highly tense, and Moscow may consider cyber-attacks one way of responding to the Syrian air strikes without risking further military escalation. There is also a strong possibility that non-state actors such as hacktivist groups or “patriotic hackers” will become active in response to the situation, which will complicate attribution.

System administrators are therefore advised to remain highly vigilant over the short to medium term and to be aware that DDoS, website defacement, hacks and data leaks may be a growing threat in addition to ongoing APT activity. Monitoring of the threat environment will continue in order to identify further actionable intelligence.

Flaw Microsoft Outlook

Flaw in Microsoft Outlook allows attackers to easily steal sensitive information

Target: Microsoft Outlook users

Attack Vector: OLE attachments in Outlook.

Summary: A vulnerability tracked as CVE-2018-0950 has been partly patched by Microsoft in April’s Patch Tuesday. The details of the vulnerability were released after a security researcher made Microsoft aware of it 18 months ago. The vulnerability allows an attacker to access sensitive information such as usernames and password hashes by enticing victims to preview an email in Microsoft Outlook.

Risk assessment summary: This threat is assessed as 3e MODERATE. As Microsoft has patched the flaw, the risk of exploitation is lowered; however, other attack techniques that require user interaction can still make use of this vulnerability. An attacker also has to be able to crack the hashed password to make use of the other personal information obtained from carrying out this attack.

Early Bird

New ‘Early Bird’ code injection technique helps malware evade detection

Target: Windows Users

Attack Vector: Code injection

Summary: Security researchers have discovered at least three malware strains used by the Iranian group APT33 that employ a new code injection technique, which allowed them to burrow the TurnedUp malware inside infected systems and avoid antivirus detection. The technique, dubbed Early Bird, takes advantage of the thread-creation process that happens when a program executes: the aim is to inject malicious code into the threads of legitimate processes so that it hides inside commonly seen, legitimate computer processes. Researchers have found that the Early Bird technique has been used in various malware campaigns, including the DorkBot malware downloader, the Carberp malware and the TurnedUp backdoor written by the APT33 Iranian hacker group.

Risk assessment summary: The threat is assessed as 3e MODERATE. If successful, this code injection technique can burrow malware inside infected systems without being detected by the system’s antivirus, allowing it to lie low for some time. The risk is also heightened as the technique abuses legitimate Windows OS functions. However, anti-malware tools have introduced a technique called hooking that can subsequently spot when this type of technique is being used.

PowerHammer attack

Air-gapped systems vulnerable to PowerHammer attack

Target: Air gapped systems

Attack Vector: PowerHammer malware

Summary: A new attack vector, called PowerHammer, has been discovered by Ben-Gurion University researchers. The method allows the extraction of data from air-gapped machines through a combination of malware and hardware that monitors signals transmitted through the power lines.

The ability to obtain data from air-gapped machines is significant, as these machines are physically separated from unsecured networks. They sit on a secure network, often holding classified information. The existence of a way to obtain this information without even compromising the security of the machine itself, but rather the medium it communicates on, is significant.

Risk assessment summary: The threat is assessed as 4a LOW. The fact that the targeted communications come from and go to air-gapped systems means the potential impact of a successful compromise would be high. Air-gapped systems are typically used for military and governmental computer systems, as well as those which are life-critical or whose compromise would significantly affect a share price. However, testing of this method has shown that unless near-perfect conditions are present, the attack has a far lower success rate. It must also be said that this malware is only an experiment and, if ever deployed in the wild, such a tool would only be found in the arsenal of intelligence agencies and is not something normal users would encounter on an everyday basis.

Microsoft vulnerabilities

Microsoft vulnerabilities observed as the most heavily targeted attack vector of 2017

According to research, 7 of the 10 most exploited flaws of 2017 were in Microsoft products, with two of these rated critical. This is a noticeable change from previous years, when Adobe Flash was the most commonly compromised attack vector. There has also been a decrease in exploit kit development, down 62% in 2017. While this change may suggest Adobe Flash is less exploited and better protected than before, it gives troubling indications for Microsoft vulnerabilities. Not only do Microsoft products account for most of the vulnerabilities most popular with threat actors, several of these flaws went unpatched for several months despite being recognised and observed by Microsoft and several threat detection companies. Three of the vulnerabilities in the top 10 also appeared in the same list in 2016.

Strategic assessment:

The 7 vulnerabilities that made the top 10 list specifically targeted Microsoft’s Windows, Office, Edge and Internet Explorer products. Furthermore, the two critical vulnerabilities were observed to allow threat actors to execute code directly on a target machine, as well as to access, modify and delete data.

One of these critical vulnerabilities was CVE-2017-0199, which was identified and patched in April 2017 yet had already been in active exploitation for three months by that time, indicating weaknesses in Microsoft’s reactive mitigation. The vulnerability allowed arbitrary code to be executed on a victim’s machine, opening up a vast array of further attack vectors.

Furthermore, this vulnerability took advantage of the Object Linking and Embedding (OLE) feature to insert foreign files into a user’s system. This is a well-known attack vector, with OLE being used in almost every previous vulnerability relating to Microsoft Office. Microsoft spent several months investigating it, unaware that it was in active exploitation.

The second critical vulnerability, CVE-2017-0189, was an elevation of privilege flaw, allowing threat actors to create new user accounts with full user rights. Yet this vulnerability too was only patched after significant exploitation, with appearances in around a dozen exploit kits and builders. This again raises questions about Microsoft’s ability to patch issues before they become heavily exploited, and gives something to look out for over 2018.

Interestingly, the increasing sophistication of browsers has helped to narrow the scope of vulnerabilities. For example, the “click to play” setting in Chrome is enabled by default and has been seen to limit the ability and impact of many Adobe Flash Player related vulnerabilities. Users also visit sites with Flash less often, with the proportion dropping from 80% of users per day in 2014 to 17% in 2017. This indicates that the rise of Microsoft products to the top spot may simply be because other vulnerabilities are being defended against more effectively, combined with a proactive push from the industry to decrease reliance on Flash, the cause of so many problems, which is expected to reach end of life by 2020.

Global Cyber Exploitation

On 16/04/18, a joint Technical Alert was issued combining analysis from the Department of Homeland Security, the Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC). The alert collates information on global cyber exploitation of network infrastructure devices. The report outlines the steps an adversary goes through to discover, exploit and establish persistence in order to gain access to victim networks, extract data and lay foundations for future activities. The report attributes the activity to Russian state-sponsored cyber actors.

The report does not identify any previously unknown attack vectors. Rather, it sets out a methodology for how known techniques can be combined to achieve an advanced level of compromise against devices that use legacy protocols or are poorly configured. As an organisation, we have been tracking these issues and have published advisories to customers of Security Threat Intelligence.

What is affected?

Networking devices, e.g. switches and routers (predominantly Cisco but also other vendors such as Juniper and MikroTik), have been targeted. The actors make use of weak or default configurations to target poorly secured management interfaces.

Exposed protocols targeted include:

  1. Cisco Smart Install (SMI) Enabled Devices
  2. Simple Network Management Protocol (SNMP) Enabled Network Devices
  3. Telnet and SSH management interfaces
  4. HTTP / HTTPS management interfaces
  5. Generic Routing Encapsulation (GRE) Enabled Devices

Risk Assessment

Risk ratings are assessed based on the IMPACT that the threat poses against the LIKELIHOOD of the threat occurring. Organisations need to conduct their own risk assessment based on their security posture and their own assessment of vulnerability against the information contained in this advisory. On that basis, the risk is assessed as 2a HIGH (likelihood = LIKELY, impact = VERY HIGH). However, it must be reiterated that organisations need to assess their own position.


The Technical Alert sets out comprehensive advice and guidance for mitigation and the appropriate steps should be followed for your organisation. We advise that you also refer to your vendor’s guidance for secure deployment of their devices.

We work at the forefront of cyber security and have been closely tracking the tools, techniques and procedures (TTPs) detailed in the report for some time. Based on this research and experience, we advise the following immediate steps to ensure the integrity of your networks and devices.

Priority actions

Examine your estate for exposed services that are vulnerable or have the weaknesses detailed in the report. If you find any of the following, take steps to harden the device and consider taking action to ensure the integrity of the device and your network.

  1. Smart Install exposed to the internet, and as a secondary consideration any internally exposed devices.
  2. SSH / Telnet / HTTP(S) management interfaces exposed with weak / default credentials e.g. cisco:cisco.
  3. Insecure SNMP implementations such as default / weak community strings e.g. public / private, no access list applied, internet-facing SNMP v1/2c communities with read-write permissions.
  4. Check authentication logs for any anomalous authentication attempts or successful logins e.g. authentications from an IP address that is not recognised as a management source.
  5. Check device logs for anomalous commands or events (see Appendix A and B of the NCSC report for further details).
  6. Examine logs of network traffic for signs of reconnaissance or successful exploitation such as port scanning, SNMP requests, and unexpected FTP / TFTP transfers, GRE tunnels to unknown destinations or established SMI connections on port TCP/4786.
  7. If you find evidence of unauthorised access to devices, follow your Incident Response process but ensure that you consider:
     - Use of vendor-supplied documentation to ensure the device’s software has not been tampered with.
     - Assessing what credentials and other sensitive information or data may have been exposed and responding accordingly.
     - Reviewing the entire estate to establish if problems exist on other devices.
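As an added illustration of priority actions 3, 4 and 6 (example code written for this bulletin, not part of the NCSC alert or any vendor tooling), the following Python script triages a handful of constructed log lines for logins from non-management sources, Smart Install connections on TCP/4786 and SNMP requests with default community strings. The syslog-like line layout and the 10.20.0.0/24 management range are assumptions.

```python
"""Triage of constructed network-device log lines against the priority
actions above: anomalous management logins (item 4), SNMP requests with
default community strings (item 3) and Smart Install connections on
TCP/4786 (item 6). The line layout is a hypothetical format, not any
vendor's real log format."""
import ipaddress
import re

# Assumption (constructed): management hosts live in this range only.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DEFAULT_COMMUNITIES = {"public", "private"}
SMI_PORT = 4786  # Cisco Smart Install

LOGIN_RE = re.compile(r"login (?P<result>success|failure) user=(?P<user>\S+) from=(?P<src>\S+)")
CONN_RE = re.compile(r"conn established src=(?P<src>\S+):\d+ dst=\S+:(?P<dport>\d+)")
SNMP_RE = re.compile(r"snmp (?P<op>get|set) community=(?P<community>\S+) from=(?P<src>\S+)")


def is_management(ip: str) -> bool:
    """True when the source address falls inside an allowed management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def triage_line(line: str):
    """Return a finding describing why the line is suspicious, or None."""
    m = LOGIN_RE.search(line)
    if m and not is_management(m["src"]):
        # Item 4: any authentication attempt from a non-management source
        return f"login {m['result']} for {m['user']} from non-management source {m['src']}"
    m = CONN_RE.search(line)
    if m and int(m["dport"]) == SMI_PORT and not is_management(m["src"]):
        # Item 6: established Smart Install session from outside management
        return f"Smart Install (TCP/{SMI_PORT}) connection from {m['src']}"
    m = SNMP_RE.search(line)
    if m and (m["community"] in DEFAULT_COMMUNITIES
              or (m["op"] == "set" and not is_management(m["src"]))):
        # Item 3: default community strings, or writes from non-management hosts
        return f"SNMP {m['op']} with community '{m['community']}' from {m['src']}"
    return None


def triage(lines):
    """Run triage_line over every line and keep only the findings."""
    return [f for f in (triage_line(line) for line in lines) if f]


# Constructed sample lines; not real telemetry.
SAMPLE_LOG = [
    "Apr 16 10:01:02 rtr1: login success user=admin from=10.20.0.5",
    "Apr 16 10:02:11 rtr1: login failure user=cisco from=198.51.100.7",
    "Apr 16 10:03:45 rtr1: conn established src=203.0.113.9:51234 dst=10.20.1.1:4786",
    "Apr 16 10:04:00 rtr1: conn established src=10.20.0.5:40000 dst=10.20.1.1:22",
    "Apr 16 10:05:30 rtr1: snmp get community=public from=192.0.2.44",
    "Apr 16 10:06:00 rtr1: snmp get community=Xk29-mon from=10.20.0.8",
    "Apr 16 10:07:12 rtr1: snmp set community=Xk29-mon from=203.0.113.9",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```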

Standard mitigation practices

These actions are not necessarily less important than the priority actions included above, but may take more time to implement. These should also be part of your organisation’s standard security practices.

  1. Regularly review vendor security guidance and ensure it is implemented on devices used in your networks. This should not be a one-off exercise.
  2. Segregate the management of your network devices from the network that they carry. If this cannot be carried out, then restrict access to trusted management systems only, using access control. Disable all unnecessary services.
  3. Migrate away from use of legacy management protocols such as Telnet or SNMP v2c. If this is not possible, protect the protocol within other encryption layers such as a VPN.
  4. Monitor for and alert on unauthorised or unexpected changes in device configuration.
  5. Implement centralised authentication and ensure that devices and users do not share credentials. Consider using two factor authentication for privileged access.
  6. Implement regular reviews of device software updates and implement upgrades where appropriate.
  7. Implement network segregation and restrict outbound connectivity from your devices.

Microsoft BugFixes April

Microsoft Fixes 66 Bugs in April Patch Tuesday Release

Target: Users using the affected software.

Attack Vector: Various methods of delivery.

Summary: Microsoft Patch Tuesday updates have been released for April, including 66 CVE-listed vulnerabilities, 24 of which are rated critical. The count of patches is lower than recently observed; however, the number of vulnerabilities rated critical has increased by almost 50 percent, the majority of these being in browsers and browser-related technologies. The security updates were rolled out across numerous pieces of software, with elevation of privilege, bypass and remote code execution vulnerabilities making up a large portion of this month’s issues.

One of the most notable flaws Microsoft focused on is an elevation of privilege bug, CVE-2018-1034, which could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. Five font-based flaws were also a major focus for Microsoft this month; these could allow attackers to take control of the victim’s system through specially crafted websites and fonts. Furthermore, a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability, CVE-2018-8117, has also been observed, which could allow an attacker to log keystrokes.

Risk assessment summary: The threat is assessed as 4c LOW. Although there are several vulnerabilities in this release which could potentially be exploited by actors, and an increase in critical vulnerabilities compared to last month, there is only one zero-day flaw. This flaw is identified as CVE-2018-1034, which is most likely used for cross-site scripting attacks. The elevation of privilege vulnerability leaves at risk users who installed the security updates in January, and can only be fixed by the user installing the new service updates. The Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability has been patched by Microsoft, who have enhanced security by mandating unique AES encryption keys. The last vulnerability detailed is the remote code execution flaw in the Microsoft Malware Protection Engine; Microsoft released an emergency patch to mitigate this flaw earlier in the week.

Commonwealth hacktivism

Commonwealth Heads of State meeting presents attractive hacktivism target

Target: Commonwealth governments and their partners.

Attack Vector: Potentially phishing emails, doxing, data breach, DDoS.

Threat Actor: Various, potential nation states include Russia and Iran. Potential groups include Anonymous.

Summary: On the 19th and 20th of April, heads of Commonwealth states will convene in London for the Commonwealth Heads of Government Meeting 2018 (CHOGM 2018). The summit has historically been an opportunity for heads of state to agree on policy for current events, such as apartheid in South Africa or other issues affecting member states of the Commonwealth. With the large concentration of heads of state, media and guests in one location, the summit is a prime opportunity for protests and potentially hacktivism.

Risk assessment summary: The threat is assessed as 3e MODERATE. The large number of heads of state in one location, in addition to the intense media attention such a gathering attracts, presents an opportunity for a high-profile cyber-attack. This would invariably cause much embarrassment to the Commonwealth and to Theresa May, Chair of the summit. As it is a members-only summit, excluding nations with whom cold relations are maintained, this further raises the hacktivist threat, particularly in the current political climate. The fact that member states of the bloc have previously been targeted by hacktivist campaigns, such as #OpIsrael and #Africa, provides further motive for hacktivists.