State-sponsored backdoor BVP47.
Use of TCP SYN packets.
Covert communication channel.
Common cybercriminals are a menace, there's no doubt about it. From bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to those of more professional actors, such as well-known hacking groups and state-sponsored teams. In fact, these tools can prove almost impossible to detect and guard against. BVP47 is a case in point. In this article, we'll outline how this powerful state-sponsored malware has been quietly circulating for years, how it so cleverly disguises itself, and what that means for cybersecurity in the enterprise.
It's a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group published an in-depth, 56-page report covering a piece of malicious code that the research group decided to call BVP47. The report is thorough, with a detailed technical explanation that includes a deep dive into the malware code. It reveals that the research group originally found the code during a 2013 investigation into the state of computer security at an organization that was most likely a Chinese government department. Crucially, the report links BVP47 to the "Equation Group", which in turn has been tied to the Tailored Access Operations Unit at the United States National Security Agency (the NSA). The research team came to this conclusion because it found a private key that could trigger BVP47 within a set of files published by The Shadow Brokers (TSB) group. TSB attributed that file dump to the Equation Group, which leads us back to the NSA. You couldn't make it up; it's a story fit for a feature film.
What does BVP47 mean for cybersecurity? In essence, it works as a very clever and very well-hidden backdoor into the target network system, which enables the party that operates it to gain unauthorized access to data and to do so undetected. The tool has a couple of very sophisticated tricks up its sleeve, in part relying on behavior that most sysadmins would never think to look for, simply because nobody expected a tool to behave that way. It starts its infectious path by setting up a covert communication channel in a place nobody would think to look: TCP SYN packets.
In a particularly insidious turn, BVP47 has the capability to listen on the same network port in use by other services, which is something that's very difficult to do. In other words, it can be extremely hard to detect because it's difficult to differentiate between a standard service using a port and BVP47 using that port. In yet another twist, the tool regularly tests the environment in which it runs and erases its tracks along the way, hiding its own processes and network activity to ensure there are no traces left to find. BVP47 uses multiple encryption methods across multiple encryption layers for communication and data exfiltration. It's typical of the top-tier tools used by advanced persistent threat groups, including the state-sponsored groups. Taken in combination, it amounts to incredibly sophisticated behavior that can evade even the most astute cybersecurity defenses. The most capable mix of firewalls, advanced threat protection and the like can still fail to stop tools such as BVP47. These backdoors are so powerful because of the resources that deep-pocketed state actors can throw at developing them.
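Because a backdoor that shares a port with a legitimate service will not show up in a listing of listening sockets, one practical place to look is the traffic itself. The covert channel described above lives in TCP SYN packets, and a pure SYN segment normally carries no data, so a SYN that does carry a payload is a cheap network-level signal worth alerting on. The following Python script is an added example written for this article, not code from the report or from BVP47 itself: it parses raw IPv4/TCP packets, flags SYN (not SYN/ACK) segments that carry data, and checks for the TCP Fast Open option (RFC 7413), the one common legitimate reason for data in a SYN, to reduce false positives. The packets, addresses and ports are constructed sample data; the `build_packet` helper exists only to create them offline.

```python
"""Flag TCP SYN segments that carry a payload.

A pure SYN should have an empty data section, so data in a SYN is a cheap
signal for a SYN-based covert channel. Constructed packets only, no live
capture. Added example for this article, not code from the report or BVP47.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_SYN, TCP_ACK, TCP_PSH = 0x02, 0x10, 0x08
TFO_OPTION_KIND = 34  # RFC 7413 TCP Fast Open: a legitimate reason for data in a SYN


@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    payload_len: int
    fast_open: bool  # True if the SYN carries a TFO option (likely benign)


def _tcp_option_kinds(options: bytes) -> List[int]:
    """Walk the TCP options area and return the option kinds present."""
    kinds, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:              # End of option list
            break
        kinds.append(kind)
        if kind == 1:              # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options):  # truncated option
            break
        length = options[i + 1]
        if length < 2:             # malformed length, stop parsing
            break
        i += length
    return kinds


def inspect_packet(frame: bytes) -> Optional[Finding]:
    """Parse a raw IPv4/TCP packet; return a Finding if it is a SYN (not SYN/ACK) with data."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6 or len(frame) < ihl + 20:   # IP protocol 6 = TCP
        return None
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    tcp = frame[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20:                            # malformed TCP header
        return None
    flags = tcp[13]
    payload = tcp[data_off:]
    if flags & TCP_SYN and not flags & TCP_ACK and payload:
        tfo = TFO_OPTION_KIND in _tcp_option_kinds(tcp[20:data_off])
        return Finding(src, dst, dport, len(payload), tfo)
    return None


def build_packet(src: str, dst: str, dport: int, flags: int,
                 payload: bytes = b"", options: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP packet for testing (checksums left zero; sample data only)."""
    options += b"\x00" * (-len(options) % 4)     # pad options to 32-bit words
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, data_off << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed packets standing in for a capture (all addresses and data are made up).
SAMPLE_TRAFFIC = [
    build_packet("10.0.0.5", "10.0.0.9", 443, TCP_SYN),                               # normal handshake start
    build_packet("10.0.0.5", "10.0.0.9", 443, TCP_ACK | TCP_PSH, b"GET / HTTP/1.1"),  # data after handshake
    build_packet("10.0.0.5", "10.0.0.9", 443, TCP_SYN, b"\x11\x22\x33\x44\x55\x66\x77\x88"),  # data in SYN
    build_packet("10.0.0.7", "10.0.0.9", 80, TCP_SYN, b"GET / HTTP/1.1",
                 options=bytes([TFO_OPTION_KIND, 10]) + b"\x00" * 8),                  # TFO: data in SYN, benign
    build_packet("10.0.0.5", "10.0.0.9", 22, TCP_SYN | TCP_ACK, b"\x00"),              # SYN/ACK, not checked
]


def scan(frames) -> List[Finding]:
    """Run inspect_packet over a sequence of frames and collect the findings."""
    return [f for f in map(inspect_packet, frames) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_TRAFFIC):
        verdict = "likely TCP Fast Open" if f.fast_open else "SUSPICIOUS: data in SYN"
        print(f"{f.src} -> {f.dst}:{f.dport} payload={f.payload_len}B {verdict}")
```

Run against the constructed sample it reports two SYNs with data, one of them marked as probable Fast Open. In production the frames would come from a capture or a tap rather than `SAMPLE_TRAFFIC`, and a hit is a reason to look more closely at the destination host (process list, sockets, on-disk changes) rather than a verdict in itself: Fast Open, middlebox quirks and fuzzing tools can all put bytes in a SYN.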
Additional Security Info:
That doesn't mean, of course, that cybersecurity teams should just roll over and give up. There are several activities that can make it, at the very least, harder for an actor to deploy a tool such as BVP47. Awareness and detection activities are worth pursuing, as tight monitoring may still catch a remote intruder out. Similarly, honeypots can attract attackers to a harmless target where they may well reveal themselves. However, there's a simple, first-principles approach that delivers a huge amount of protection.
Even sophisticated tools such as BVP47 rely on unpatched software to gain a foothold. Consistently patching the OS and applications you depend on is, therefore, your very first port of call. Applying a single patch isn't the hard part; as we know, patching rapidly every single time is something most organizations struggle with. And of course, that's exactly what threat actors such as the team behind BVP47 rely on, as they lie in wait for a target that is too resource-stretched to patch consistently and eventually misses a critical patch. What can pressured teams do? Automated, live patching is one solution, as it removes the need to patch manually and eliminates time-consuming restarts and the associated downtime. Where live patching isn't possible, vulnerability scanning can be used to highlight the most critical patches.
In-depth reports such as this are important in helping us stay aware of critical threats. BVP47 was in play for years before this public report, and countless systems, including high-profile targets around the world, were attacked in the meantime. We don't know how many similar tools are out there. We do know what we need to do to maintain a consistently strong cybersecurity posture: monitor, distract and patch. Even if teams can't mitigate every threat, they can at least mount an effective defense, making it as difficult as possible to successfully operate malware.
Reference link for the full story:
Even the Most Advanced Threats Rely on Unpatched Systems
This information is brought to you by Vectech Solutions, The Gold Standard in Cybersecurity
#stealth #BVP47 #unpatched