No ordinary mobile attack: The Regin menace

03.12.2014
When you read about security attacks involving mobile network technology, typically they're incidents that target mobile devices used by consumers.

All kinds of malware has been found over the years that targets iOS and Android. Isolate the malicious files, wait for antivirus software to acquire signatures a day or so after a zero-day is discovered, run it, reboot your device, you're all set.

That's not what Regin is, oh no. Regin is the story of a global cyberattack mechanism on a massive scale. Hold on to your seats, because I'm going to take you on a bumpy ride.

Something Smells Like Duqu

To the uninitiated, Duqu is a trojan that was binded to Microsoft Word files. It exploits a vulnerability that existed in Windows' win32k.sys True Type Font parsing engine. Its obfuscated code is among the reasons why researchers at Kaspersky, F-Secure, and Symantec believe it may have been developed by the team behind the ever notorious Stuxnet worm. A chilling parallel is how Stuxnet's kernel driver, mrxcls.sys, is so similar to Duqu's kernel driver, jmient7.sys, that it triggered F-Secure's signatures to identify Duqu as Stuxnet. It appeared to be developed with the aid of Visual Studio 2008's C compiler.

Duqu is spyware that fingerprints for vulnerability and system configuration data to aid in attacking industrial SCADAs. Duqu wasn't designed to have a destructive effect, it was just programmed to sit in the kernel and application layer in Windows machines and snoop.

Duqu was discovered in September 2011. Months later, sometime in spring 2012, Kaspersky Lab held a conference for security researchers to discuss Duqu. A researcher (who Kaspersky hasn't identified) said that he noticed patterns in Duqu's behavior that reminded him of something else. He mentioned a malware attack that he and his colleagues have been stumped by for years, Regin.

Regin's Genesis and Platform

Malware researchers aren't yet certain as to when Regin debuted. There are logs with timestamps dating back to 2003 which may have indicated it, that's still being analyzed.

But according to Kaspersky, Regin is too complex to simply be labeled as malware. It's more accurate to say that Regin involves malware. Regin is a highly sophisticated cyberattack platform.

So far, according to Symantec, Regin has been found to attack computers in the following countries, that I've listed in order of infection frequency: Russia, Saudi Arabia, Ireland, Mexico, India, Pakistan, Belgium, Austria, Afghanistan, and Iran. Inevitably, if it hasn't already, Regin will attack other parts of the world very soon.

Typically, a Regin attack starts by targeting a Windows client or server. It executes in a sequence of five stages.

Regin: The GSM Cyberespionage System

It appears that the intended targets of Regin are mainly GSM cellular networks, to spy on governments, scientific research institutions, corporations, and private individuals. The majority of the world's cell networks use GSM. By entering Windows machines that are front-ends of GSM infrastructure, Regin has been able to incur immense cyberwarfare activity.

Kaspersky believes that Regin's name comes from reversing "in reg," as in, in the Windows registry. I really wish Windows wasn't deployed as a GSM network front-end, or in any SCADA system. I would deploy GNU/Linux or BSD/Unix based operating systems instead. There's a much greater diversity of Linux and Unix-based OSs than Windows, so targeting any particular vulnerability will only affect a percentage of operating systems of a certain platform, instead of most or all of them. Microsoft developers also integrate libraries way too much for my liking, *nix libraries tend to be much more isolated, affecting fewer applications and components.

As so many of the world's cellular networks are GSM, mobile devices used by all kinds of individuals with access to highly classified data can be attacked. And as Regin operates in GSM infrastructure, it doesn't matter if a target's phone or tablet runs iOS, Android, Windows Phone, or BlackBerry.

[What's wrong with this picture The NEW clean desk test]

The earliest attacks that we're certain are Regin date back to 2008, even though suspected Regin attacks may be as old as 2003. Regin has evolved over the years, and keep in mind that it's a complete cyberattack platform, not a single piece of malware. The most recent versions of Regin have been identified since 2013, the latest cycle.

Because of the sophistication of Regin, and how very expensive it probably is to develop and deploy, it's probably the project of a nation's military cyberwarfare division. My gut tells me it's likely the Chinese government, although there's no evidence of that yet. China and Russia are the usual international cyberwarfare suspects, and Russian networks have been attacked by Regin, with no evidence of Chinese networks having been attacked. If Regin's source turns out not to be China, then Chinese GSM networks have been attacked and we don't know it due to their possible secrecy.

If you operate a Windows GSM network front-end, Kaspersky and Symantec's signatures can now identify many Regin backdoors for stage one.

But Regin components evolve so quickly, and so much of Regin's malware is still unknown. So there are probably still many zero-day Regin attacks in the future. If your Windows machines don't operate GSM networks, Regin may not be targeting them, as its payload seems to target GSM infrastructure for the most part. I predict that UMTS, CDMA and other non-GSM cellular networks may be targeted by new specific versions of Regin in the near future.

Crawley is a security researcher for the InfoSec Institute.

(www.csoonline.com)

Kim Crawley

Zur Startseite