Satori IoT botnet author sentenced to 13 months in prison

The coder who created the massive Satori botnet of enslaved devices and a handful of other botnets will be spending 13 months behind bars, the US Attorney’s Office of Alaska announced on Friday.

Kenneth Currin Schuchman, 22, from Vancouver, Wash., spent years developing distributed denial-of-service (DDoS) botnets. In September 2019, he pleaded guilty to operating the Satori botnet, made up of IoT devices, and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.

Satori did massive damage: it and its iterations would be unleashed in record-setting DDoS attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.

Schuchman was indicted in September 2018 on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with prosecution, he pleaded guilty to just one count of fraud and related activity in connection with computers, in violation of the Computer Fraud & Abuse Act (CFAA).

Schuchman worked with two criminal colleagues: “Vamp”, also known as “Viktor,” and “Drake”. The recently unsealed indictment reveals the names and locations of the two men who were sometimes his friends, sometimes his competitors and targets. Vamp is actually Aaron Sterritt, a national from the UK, while Drake turns out to be Logan Shwydiuk, a Canadian national.

They initially lifted code from the Mirai botnet to cook up their botnets, but over time, they added additional features, making the botnets ever more complicated and devastating. The botnets they spawned out of Mirai were known over time as Satori, Okiru, Masuta, and Tsunami/Fbot. Schuchman and his pals not only used this line of increasingly devilish botnets themselves; they also rented them out to customers as a DDoS-for-hire service.

Stressers

DDoS-for-hire, also known as stressers or booters, are publicly available, web-based services that launch server-clogger-upper attacks for a small fee … or, sometimes, for nothing at all.

Such services have included ExoStresser, QuezStresser, Betabooter, Databooter, Instabooter, Polystress, and Zstress. DDoS-for-hire sites sell high-bandwidth internet attack services, sometimes under the guise of “stress testing” – hence the name stresser. Some of these services also try to pass as legitimate by calling themselves a “penetration testing service”.

DDoS attacks are blunt instruments that work by overwhelming targeted sites with so much traffic that nobody can reach them. They can be used to render competitor or enemy websites temporarily inoperable out of malice, lulz or profit: as in, some attackers extort site owners into paying for attacks to stop.

One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service. LizardStresser was given a dose of its own medicine when it was hacked in 2015.

Of the trio, Schuchman specialized in finding vulnerabilities in IoT devices that could be exploited at scale. “Specialize” might be a bit too fancy a term: “run an online search” might be more like it. According to the plea agreement, the vulnerabilities often included default usernames and passwords, for example.

They’re all too easy to find, since researchers have found that the manufacturers of off-the-shelf IoT gadgets often post default passwords online in order to aid in quick device setup.

Using such default credential pairs, Schuchman and his buddies managed to compromise not only individual devices but entire categories of devices that shared the same vulnerability, as the plea agreement described.

From at least July 2017 until at least July 2018, Schuchman and his co-conspirators, who aren’t named in the indictment, rented out access to an evolving series of DDoS botnets. They were initially based on source code from Mirai – the botnet that was the subject of Schuchman’s previous prosecution in Alaska and which, in 2016, targeted security journalist Brian Krebs in what experts said at the time was the biggest DDoS attack in public internet history.

Over the course of that year, Vamp was the primary developer and coder, while Drake managed sales and customer support. Schuchman, besides researching new vulnerabilities, also helped out with botnet development.

In August 2018, the trio named one of their botnets Satori. That one built on Mirai by targeting devices with Telnet vulnerabilities. It also used an improved scanning system that was borrowed from another DDoS botnet, Remaiten. Mirai would go on to compromise 100,000 devices.

The conspirators unleashed this version of Satori on a range of victims in the US, including a large ISP, popular online gaming services, prominent internet hosting companies, and hosting companies specializing in DDoS mitigation.

At the same time, Schuchman bragged about compromising another 32,000 devices belonging to a large Canadian ISP. He used the added might of those devices to attack targets with bandwidth of about 1TB per second. He also bragged about causing a dramatic increase to internet latency on a national level with a test attack.

In late 2017, the trio, along with other co-conspirators, made yet more improvements to Satori, which they rechristened “Okiru.” They used Okiru to compromise vulnerable devices, including exploiting flaws in customized versions of GoAhead web servers embedded in wireless surveillance cameras.

The next botnet version, which arrived in November 2017, was dubbed Masuta. It targeted vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices. That one infected up to 700,000 compromised nodes.

At the same time that Masuta was being launched in a large number of attacks, Schuchman was also operating his own, distinct DDoS botnet, which he used against IP addresses associated with ProxyPipe, a DDoS mitigation network.

He was quite busy at that point: he was also scanning for more vulnerable Telnet devices to suck up into the botnets. When he got complaints about the scanning, he’d respond using his father’s identity. That was part of his modus operandi: he frequently hid behind his father’s identity throughout his criminal career. According to his plea agreement, after he’d been indicted, he kept committing new crimes from his father’s apartment.

Around January 2018, Schuchman, Drake and others merged elements of Mirai with those of Satori in order to target devices largely based in Vietnam, in order to expand the merged botnet further still.

The refinement of the botnet continued: by March 2018, the improved botnet came to be called by the names Tsunami and Fbot. Mostly comprised of GoAhead cameras, the botnet infected up to 30,000 more devices and was used to attack gaming servers, including gaming server provider Nuclear Fallout.

During this time, Schuchman et al. also discovered vulnerabilities in about 650,000 High Silicon DVR systems. Schuchman managed to pwn at least 35,000 of the DVRs and dragged them into the Tsunami/Fbot botnet. He and his co-conspirators ran test attacks using about 10,000 of the hijacked DVR systems – attacks that attained estimated bandwidths of more than 100Gbps.

By April 2018, having moved on from Drake and Vamp to work with others, Schuchman developed another, unnamed DDoS botnet based on the Qbot financial malware. To create it, he exploited devices that included high-bandwidth GPON devices at the Mexican broadcast TV network Telemax.

By that point, Vamp had become a competitor: he and Schuchman were using the same credentials to go after the same universe of botnet nodes. They tried to block each other from getting at the infected nodes by changing configurations. Schuchman employed tactics including using the IPTables tool to kill all the open ports on the devices: a technique that, court documents say, is a good way to cause “substantial damage” to a victimized device.

Schuchman was first interviewed by the FBI in July 2018. He and Vamp were getting along again at that time, and they resumed working “in earnest” to keep buffing up their DDoS botnet iterations.

Schuchman, who was going by the aliases Nexus and Nexus-Zeta, was indicted on 21 August 2018, but that didn’t slow him down. Around October 2018, he created a new Qbot DDoS botnet variant – while he was on supervised release, and after he’d already been indicted for creating and deploying botnets.

Also in October, he used some of the data that turned up in a legal discovery to figure out where Drake was located so that he could swat him. The swatting involved a fake 911 call about a purported hostage situation at Drake’s house, triggering a “substantial law enforcement response,” according to court documents.

Schuchman was facing a maximum penalty of 10 years in prison and $250,000 in fines, but it’s not surprising that he’s only looking at 13 months: the recommended sentence agreed to by prosecutors called for penalties “at the low end of the guideline range.”

According to The Daily Beast, Schuchman has Asperger’s syndrome, which might also have been taken into account during his sentencing.

Monday review – the hot 10 stories of the week

Get yourself up to date with everything we’ve written in the last seven days – it’s weekly roundup time.


Fancy hacking a PlayStation? Sony announces its bug bounty program

You’ve probably heard the French saying, “Plus ça change, plus c’est la même chose.”

Alliteratively coined by the French satirical writer Jean-Baptiste Alphonse Karr, it means that the more things change, the more they remain the same, and it’s a cynical observation that what seems like an improvement may not, in the end, sort out the underlying problems or attitudes it was meant to fix.

Well, here’s a change that really does seem to be a change, in heart as well as in direction!

Sony, maker of the PlayStation games console series, has not always been friendly to hackers.

About ten years ago, the company famously took legal action against a young George Hotz, better known as geohot, an American hacker – in the neutral sense of the word here – who has found his way into numerous “locked down” devices over the years.

Hotz, who is now into open source self-driving automotive software, has variously come up with jailbreaks (or roots as they are known on Android phones, after the Unix name for the top-level administrative account) for iPhones, locked-down Androids such as Galaxies

…and for the Sony PlayStation 3.

Sony wasn’t impressed, and launched legal action against Hotz, even though the main purpose of Hotz’s reverse engineering seems to have been an attempt to allow PS3 owners to run alternative operating systems such as Linux or FreeBSD on their own devices.

(Sony used to allow users to install their own software on PlayStations through a feature descriptively known as OtherOS, but ultimately removed the option, making the PS3 a locked-down system in the fashion of a device such as the iPhone.)

As you can imagine, Sony’s response didn’t go down well in the hacking and modding (short for modification) community.

Ultimately, as far as we can tell, Sony settled its legal wrangle with Hotz pretty much on the basis that he would give up on PlayStations, retire all his Sony hardware to a box in the cupboard under the stairs, and not hack on it again.

Well, both the hacking scene and the industry have moved on since then, with the finding and responsible disclosure of exploitable security holes now a respectable and often very well paid job in cybersecurity.

Indeed, Hotz himself went on to achieve successful exploits against both Adobe Acrobat Reader and Firefox at the PWN2OWN competition, where entrants publicly target mainstream products such as document readers and browsers to prove that they can bypass the security protection of those products and win (often substantial) cash prizes.

Bug bounty hunting

Of course, bugs-for-money programs, generally known as bug bounties, aren’t just free-for-all exercises.

There are generally very strict rules of engagement, notably that getting paid depends on a series of things:

  • You can’t break the law, or use morally dubious or manipulative methods, to carry out your hack. For example, calling up an employee of the vendor and trying to trick or bribe them into helping you is out, as is cracking into someone else’s account to get hold of insider information.
  • You have to be the first person to find the bug you are claiming payment for. This may sound a bit harsh, especially when two researchers working entirely independently just happen to find the same complex security hole at almost the same time after months of hard work. But bug bounty hunting is, at heart, a competitive market, and winner-takes-all is the easiest way for a vendor to avoid the problem of two researchers covertly colluding for extra money. It also encourages researchers to hunt more widely for security holes, including obscure ones that might otherwise get overlooked by everyone.
  • You mustn’t probe for holes in a way that is likely to harm or inconvenience others. Especially when looking for bugs in online services, bounty hunters are expected not knowingly to crash live systems in order to further their efforts or extract data for their research. Peeking at confidential data along the way is also unacceptable. (This probably violates the first condition anyway, given that unauthorised access is illegal in most countries, but many bug bounty programs make the point about “no peeking” separately.)
  • You have to hand over full and frank information about the bug to the relevant vendor. In return for paying up for the bug information, the vendor gets the first use of it in the hope of fixing the hole before anyone else – such as a cybercriminal – finds it. This is the responsible disclosure part of modern bug hunting. The vendor can’t sweep the problem under the carpet, because there’s a formal record of it being found and reported, but the details of the exploit are kept confidential for enough time to allow time for a patch to be prepared carefully and tested properly.
  • You can’t tell anyone else how you did it until the vendor has had a fair time to fix it. Most bug bounty programs have a rule under which a reasonable timeframe is agreed for fixing the bug. 90 days is a popular period. This ensures that the vendor is motivated to fix the issue, otherwise it will be disclosed anyway, but it also stops information leaking out that could give the crooks strong hints on where to look while the bug is not yet patched.

Sony joins the club

Sony has now announced its own bug bounty programs for the PS4 and the PlayStation Network:

We believe that through working with the security research community we can deliver a safer place to play. We have partnered with HackerOne to help run this program, and we are inviting the security research community, gamers, and anyone else to test the security of PlayStation 4 and PlayStation Network. Our bug bounty program has rewards for various issues, including critical issues on PS4. Critical vulnerabilities for PS4 have bounties starting at $50,000.

We’re assuming that a critical PS4 vulnerability would be the sort of bug that allows remote code execution, or RCE, whereby an attacker could run untrusted code, implant malware – or, indeed, jailbreak the device.

Other critical vulnerabilities usually include bugs that allow attackers to extract private data such as cryptographic keys or other information that is vital to the security of the device or ecosystem.

Sony says that it has had a closed bug bounty program for a while – one in which selected researchers have been invited to take part – but the program is now open to all.

By the way, that $50,000 payout for a critical PS4 vulnerability is a minimum, so for a bug that offers a full, automated, “click here to jailbreak” attack, you can probably expect a fair bit more than that.

REvil gang threaten to auction celebrity data from Mariah Carey, Lebron James, MTV and more

What would you do if your law firm to the stars were to be presented with this choice: pay us $42 million or we’ll sell Mariah Carey’s confidential legal documents on the dark web on 1 July?

… followed by a carefully laid out schedule to sell personal correspondence, contracts, agreements, non-disclosure agreements, court conflicts and other internal correspondence relating to other clients, including Nicki Minaj, Lebron James, Bad Boy Records, MTV and Universal?

If you were Allen Grubman, founder of the star-studded law firm Grubman Shire Meiselas & Sacks, you’d tell the ransomware crooks to get lost. Following a ransomware attack from the REvil cybergang that flattened gsmlaw.com in May, Grubman said he wouldn’t negotiate with the hackers, equating them to terrorists.

In the May attack, the gang stole more than 750GB in total. Now, the blackmailers are making good on their threats to publish it.

According to Variety, REvil has threatened to auction off sensitive documents from the firm’s top clients, laying out a schedule that begins on 1 July with documents from Mariah Carey, Nicki Minaj and Lebron James, starting at $600,000 per celebrity. They plan to auction off documents from Bad Boy Records (starting at $750,000) and from MTV and Universal (starting at $1 million each) two days after that. There’ll be more from an unspecified celebrity – or two or three or more of them, who knows – released on 5 July, the REvil gang promised.

If your eyes aren’t already watering at those prices, here’s the gang’s broken-English note, in which the extortionists claim to have plenty more good, salacious, high-value data where that came from:

We have so many value files, and the lucky ones who buy these data will be satisfied for a very long time. Show business is not concerts and love of fans only — also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery.

The ransom note concludes with a message to Grubman, referencing what we presume was an earlier demand for a $42 million ransom:

Mr. Grubman, you have a chance to stop that, and you know what to do.

Here they go again

Sex and drugs and rock-and-roll, indeed. This new threat comes after the gang purportedly sold off data on Donald Trump and Lady Gaga. They also released a legal document that’s allegedly Madonna’s tour contract.

Trump reportedly isn’t a gsmlaw client, but the ransomware gang says the documents come from previous attacks on other businesses that have allegedly reaped correspondence, fundraising letters, and invitations to the president’s Mar-A-Lago resort in Florida.

Before that, the REvil crew followed through on its threats to embarrass victims who don’t pay by publishing over 12GB of data that allegedly belongs to another one of its victims, Brooks International.

Earlier in the year, Travelex was also hit by Sodinokibi/REvil ransomware, sending the currency exchange back to the stone ages of using pen and paper and crippling customer service for weeks: an attack that it reportedly paid $2.3 million in ransom to call off.

When will it stop? Well, how deep is the ocean? According to Variety, gsmlaw has a jaw-dropping list of clients, including music artists, actors and TV personalities, sports stars, and media and entertainment companies, from Bruce Springsteen, Bette Midler, Jessica Simpson and Priyanka Chopra to Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” Run DMC and Facebook – to name just a few.

What we know

We don’t know how much REvil got away with and from which clients, but we do know a bit about the gang.

It operates the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS).

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.

“Get lost” redux

Unlike Travelex, gsmlaw isn’t rolling over. Rather, the law firm is yet again telling the REvil gang to go jump in a lake. A spokesman sent a statement describing the gang as pathetic:

The most recent post is yet another desperate nuisance tactic these criminals are using to try to squeeze out a profit from stolen data. Our clients and the entertainment industry as a whole have overwhelmingly applauded the firm’s position that we will not give into extortion.

What to do?

As Paul Ducklin said when he originally analyzed this attack, it’s an example of how ransomware crooks aren’t just scrambling your data these days. They’re also blackmailing victims, threatening to hang their dirty laundry where all can see. Advice for how to save yourself from these attacks is too little, too late for gsmlaw.com and its star-studded clients, but there’s still hope for the rest of us.

Here are our top tips:

  • Patch early, patch often. Crooks who pull off all-your-network-at-once attacks can afford to spend time probing for any existing holes they know about. Make it harder for them by patching known bugs as soon as you can.
  • Check that you don’t have unexpected ways into your network. It’s OK to use technologies such as RDP and SSH for remote administration – just make sure your only remote login portals are where you expect them to be and are set up as you intended, for example within a VPN (virtual private network).
  • Watch your logs. Ransomware crooks who steal masses of data start out by carefully sniffing their way around your network. Very often, they leave telltale signs that someone’s been hanging around where they shouldn’t.
  • Set up an early-warning email address for staff. Crooks often use phishing emails to dig for passwords or data they aren’t supposed to have in order to find their way in. The crooks very rarely send emails to a single person in an organization. One alert staffer who raises the alarm could warn 50 colleagues who might otherwise be in harm’s way.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For more advice, please check out our END OF RANSOMWARE page.

Patch time! NVIDIA fixes kernel driver holes on Windows and Linux

The latest security patches from NVIDIA, the maker of high-end graphics cards, are out.

Both Windows and Linux are affected.

NVIDIA hasn’t yet given out any real details about the bugs, but 12 different CVE-tagged flaws have been fixed, numbered sequentially from CVE-2020-5962 to CVE-2020-5973.

As far as we can tell, none of the bugs can be triggered remotely, so they don’t count as RCEs, or remote code execution holes, by means of which crooks could directly hack into your laptop or server over the internet.

However, as is very common with security bugs in kernel-land, they could let crooks carry out what’s known as information disclosure or elevation of privilege attacks.

Given that the kernel contains information about the entire system, including details such as which processes are allowed to access what memory locations, being able to fiddle around inside the kernel is usually a privilege reserved for top-level sysadmins only.

Kernel bugs that allow regular users to peek into the kernel’s protected memory areas are therefore dangerous because they can often be exploited by criminals to grant themselves permanent administrator powers without needing to know any administrator passwords.

These days, of course, graphics cards, known as GPUs (short for graphics processing units), aren’t just the province of high-end gamers and graphic designers.

Unlike a central processing unit or CPU, which is designed to be a general-purpose workhorse capable of running a modern operating system securely, GPUs are focused on the sort of mathematical calculations commonly needed in computer graphics.

A typical CPU these days might have 4 or 8 “cores”, which you can think of as processors-within-a-processor, each capable of running a completely different program at the same time.

CPUs are packaged in a multicore format rather than as 4 or 8 separate chips to improve speed, size, performance and power consumption. Electrical signals arrive more quickly, take less power and generate less heat when they move around inside a single chip.

In contrast, a high-end GPU might have 2000 to 5000 cores, but they aren’t each able to run completely different instructions at the same time.

GPUs typically follow a computing model abbreviated SIMD, which is short for single instruction, multiple data.

That makes sense for image processing, where you very often want to perform the same mathematical transformation on a whole buffer full of pixels at the same time.

For example, instead of writing explicit loops to modify a 64×64 pixel graphics sprite, as in this pseudocode…

    for x = 1 to 64 do
        for y = 1 to 64 do
            s = pixelbuff[x][y]
            d = adjust_luminance(s,0.8)   // process pixels 1-at-a-time
            pixelbuff[x][y] = d
        end
    end

…you can do the whole thing in one go, more like this…

 adjust_luminance(pixelbuff,0.8) // do the same thing to every pixel

…and let the GPU take care of adjusting as many pixels as it can at the same time, given that it’s optimised to perform the same calculation on thousands of memory locations in parallel.
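To make the contrast concrete, here is an added example (not code from the article or from NVIDIA) that implements the 64×64 sprite luminance adjustment both ways in C: a scalar loop like the first pseudocode, and a data-parallel version using GCC/clang vector extensions, where a single multiply instruction scales eight pixel lanes at once. It assumes GCC or clang; the function names and the gradient test sprite are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define W 64
#define H 64

/* Scalar version: mirrors the first pseudocode, one pixel at a time. */
uint8_t adjust_px(uint8_t s, float factor) {
    float d = (float)s * factor;
    return d > 255.0f ? 255 : (uint8_t)d;   /* clamp, then truncate */
}

void adjust_luminance_scalar(uint8_t buf[H][W], float factor) {
    for (int x = 0; x < H; x++)
        for (int y = 0; y < W; y++)
            buf[x][y] = adjust_px(buf[x][y], factor);
}

/* SIMD version: GCC/clang vector extensions give a portable taste of
 * "single instruction, multiple data". One 8-lane float multiply scales
 * eight pixels; a GPU does the same thing with thousands of lanes. */
typedef float v8f __attribute__((vector_size(32)));

void adjust_luminance_simd(uint8_t buf[H][W], float factor) {
    const v8f f = {factor, factor, factor, factor, factor, factor, factor, factor};
    uint8_t *p = &buf[0][0];
    for (size_t i = 0; i < (size_t)W * H; i += 8) {
        v8f v;
        for (int k = 0; k < 8; k++) v[k] = (float)p[i + k];  /* widen 8 pixels */
        v *= f;                                               /* one vector multiply */
        for (int k = 0; k < 8; k++)                           /* clamp and narrow */
            p[i + k] = v[k] > 255.0f ? 255 : (uint8_t)v[k];
    }
}

/* Constructed test sprite: a gradient so that every lane carries a different value. */
void fill_sprite(uint8_t buf[H][W]) {
    for (int x = 0; x < H; x++)
        for (int y = 0; y < W; y++)
            buf[x][y] = (uint8_t)((x * 4 + y) & 0xFF);
}

/* Returns 1 if the scalar and SIMD paths produce identical output, 0 otherwise. */
int simd_matches_scalar(float factor) {
    static uint8_t a[H][W], b[H][W];
    fill_sprite(a);
    fill_sprite(b);
    adjust_luminance_scalar(a, factor);
    adjust_luminance_simd(b, factor);
    for (int x = 0; x < H; x++)
        for (int y = 0; y < W; y++)
            if (a[x][y] != b[x][y]) return 0;
    return 1;
}

int main(void) {
    uint8_t sprite[H][W];
    fill_sprite(sprite);
    adjust_luminance_simd(sprite, 0.8f);
    printf("pixel[1][1]=%u pixel[63][63]=%u match=%d\n",
           sprite[1][1], sprite[63][63], simd_matches_scalar(0.8f));
    return 0;
}
```

Compile with -O2 and inspect the assembly to see the vector multiply emitted as a single packed instruction (vmulps on x86-64 with AVX).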

But this sort of parallel processing power isn’t useful only for graphics and high-frame-rate gaming.

Many algorithms, from fields as diverse as machine learning, financial modelling, molecular simulation and cryptocurrency mining, can take advantage of the special-purpose computing power of GPUs.

As a result, even servers that will never in their working lives have screens plugged in or run graphics software may be fitted out with a whole row of GPU cards.

For example, a $20,000 password cracker fitted out with 25 GPUs across five server cases could try out nearly half a trillion Windows password hashes (4 × 10^11 MD4s) a second – and that was more than seven years ago:

One server case in Jeremi Gosney’s 2012 GPU-based password cracker.

In other words, these patches aren’t just for hard-core gamers but will be needed by many administrators of high-performance computational servers too.

In fact, servers fitted with GPUs probably need two sets of patches, covering both the NVIDIA GPU drivers that control the actual hardware in the physical system, and the NVIDIA vGPU software (“v” stands for “virtual”), which shares out physical GPUs between guest operating systems running under virtualisation software from vendors including Citrix, Red Hat and VMware.

Virtualisation splits up a physical host computer into a number of pseudo-computers known as guest virtual machines (VMs) that each run independently, as though they had dedicated hardware of their own.

NVIDIA’s virtual GPU drivers help to share out the physical GPUs in the host computer between VMs that need them, allowing GPU-intense tasks such as machine learning and molecular modelling to be split up between virtual machines, just like conventional programs such as web servers.

What to do?

Patches have been announced for NVIDIA GeForce, Quadro, NVS and Tesla GPUs on both Windows and Linux.

Most of the updates are available right now, except for the Tesla R450 drivers, which are delayed until next week (2020-06-29).

There are also updates for NVIDIA Virtual GPU guest drivers for Windows and Linux, as well as for the NVIDIA Virtual GPU Management software.

Once again, most of the vGPU updates are available now except for users with the very latest release (version 10), who will need to set a calendar entry for two weeks’ time (2020-07-06).

If you’re not sure what software version you have, or even if your computer has NVIDIA hardware at all, NVIDIA has a support article that tells you how to find out.
