One Article Review

Source: Fortinet ThreatSignal
Identifier: 4209565
Publication date: 2022-02-27 22:30:37 (seen: 2022-03-01 19:05:26)
Title: Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets
Text:
FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor, which reportedly belongs to the Equation group, was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, and some speculate that it has close connections with the National Security Agency (NSA). The threat actor is also reported to have been tied to the Stuxnet malware used in the 2010 cyber attack on a nuclear centrifuge facility in Iran.

Why is this Significant?
Bvp47 is a previously undiscovered backdoor that was reportedly used in cyber attacks carried out by the Equation group. According to the report and to information in documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with Bvp47. The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was in use and undiscovered for close to a decade.

How was the Connection between the Bvp47 Malware and the Equation Group Established?
Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders in the documents leaked by the Shadow Brokers in 2017 contained an RSA private key that Bvp47 requires for its command execution and other operations.

What is the Shadow Brokers?
The Shadow Brokers is a threat actor who claimed in 2016 to have stolen highly classified information from the Equation group. The stolen information includes zero-day exploits, operation manuals and descriptions of tools used by the Equation group. The Shadow Brokers first attempted to sell the information to the highest bidder; after the auction attempt failed and no one purchased it, the threat actor released the information to the public. One of the most famous exploits in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated into the WannaCry ransomware, which caused global panic in 2017.

What are the Characteristics of Bvp47?
Bvp47 is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers. Because the Bvp47 framework incorporates components such as "dewdrops" and "solutionchar_agents" that also appear in the Shadow Brokers leaks, the backdoor supports mainstream Linux distributions, FreeBSD and Solaris as well as JunOS. Bvp47 also runs various environment checks; if the requirements are not met, the malware deletes itself.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Bvp47:
ELF/Agent.16DC!tr
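The attribution step described above under "How was the Connection between the Bvp47 Malware and the Equation Group Established?" rests on one fact: a private key from the leak is the key the backdoor needs for command execution. The following Python is an added example, not code from the Fortinet ThreatSignal or from the Pangu Lab report, showing why that is a strong link. It assumes (the page does not say this) that the implant embeds only the RSA public key and executes a command only when its signature verifies under that key; the key material, the "exec:" command format and the functions keys_match, sign_command and verify_command are all constructed for illustration and are not Bvp47 artefacts.

```python
"""Added example, not code from the Fortinet ThreatSignal or the Pangu Lab
report: why a leaked RSA private key ties an operator to an implant.

Assumptions (not stated on the page): the implant embeds only the RSA
public key and executes a command only if its signature verifies under
that key. All key material and the command format below are constructed,
toy-sized values, not Bvp47 artefacts."""
import hashlib
from math import gcd
from typing import NamedTuple


class PublicKey(NamedTuple):
    n: int  # modulus
    e: int  # public exponent


class PrivateKey(NamedTuple):
    n: int
    e: int
    d: int  # private exponent
    p: int
    q: int


def make_private_key(p: int, q: int, e: int = 65537) -> PrivateKey:
    """Textbook RSA key derivation from two primes (toy sizes, no padding)."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael lambda(n)
    d = pow(e, -1, lam)  # ValueError if e is not invertible mod lambda(n)
    return PrivateKey(n, e, d, p, q)


def keys_match(pub: PublicKey, priv: PrivateKey) -> bool:
    """True only if priv is the private half of pub: same (n, e), the
    factors really multiply to n, and d actually inverts e mod lambda(n)."""
    if (pub.n, pub.e) != (priv.n, priv.e) or priv.p * priv.q != priv.n:
        return False
    lam = (priv.p - 1) * (priv.q - 1) // gcd(priv.p - 1, priv.q - 1)
    return (priv.e * priv.d) % lam == 1


def _digest_int(command: bytes, n: int) -> int:
    # Toy encoding: truncate SHA-256 so the integer is below the modulus.
    # A real implant would need a proper signature padding (e.g. PSS).
    nbytes = (n.bit_length() - 1) // 8
    return int.from_bytes(hashlib.sha256(command).digest()[:nbytes], "big")


def sign_command(command: bytes, priv: PrivateKey) -> int:
    """What the operator (holder of d) does before sending a command."""
    return pow(_digest_int(command, priv.n), priv.d, priv.n)


def verify_command(command: bytes, sig: int, pub: PublicKey) -> bool:
    """What the implant does with its embedded public key before executing."""
    return pow(sig, pub.e, pub.n) == _digest_int(command, pub.n)


# Constructed key material (Mersenne primes, so the values are reproducible).
LEAKED_PRIV = make_private_key(2**31 - 1, 2**61 - 1)   # stands in for the leaked key
IMPLANT_PUB = PublicKey(LEAKED_PRIV.n, LEAKED_PRIV.e)   # stands in for the embedded key
OTHER_PRIV = make_private_key(2**89 - 1, 2**107 - 1)    # unrelated key, for contrast


if __name__ == "__main__":
    cmd = b"exec:uname -a"
    print("leaked key pairs with the implant key:   ", keys_match(IMPLANT_PUB, LEAKED_PRIV))
    print("unrelated key pairs with the implant key:", keys_match(IMPLANT_PUB, OTHER_PRIV))
    good = sign_command(cmd, LEAKED_PRIV)
    bad = sign_command(cmd, OTHER_PRIV)
    print("accepts command signed with leaked key:   ", verify_command(cmd, good, IMPLANT_PUB))
    print("accepts command signed with unrelated key:", verify_command(cmd, bad, IMPLANT_PUB))
    print("accepts a tampered command:               ", verify_command(b"exec:id", good, IMPLANT_PUB))
```

Two checks matter here. keys_match is the forensic test an analyst would run on the leaked key against the key carved out of the sample: a modulus match is not a coincidence. The sign/verify round trip shows why possession of that key is operationally meaningful: without d nobody can produce a command the implant accepts, so whoever held the key in the leaked folder could drive the backdoor.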
Sent: Yes
Tags: Ransomware, Malware, Threat
Stories: Wannacry


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.