Thought leadership. threat analysis, news and alerts.
Dangers of Cyberattacks as a Result of Source Code Leak
This past week, someone posted the source code of Apple iPhone operating system iOS on GitHub – a repository of open source code.
There was confusion at first as to whether the code was real or not. Apple indirectly confirmed that the code was real by filing a DMCA legal notice demanding GitHub to remove the source code. DMCA, which stands for Digital Millennium Copyright Act, is a takedown request that empowers owners of copyrighted material who believe their rights under U.S. copyright law have been infringed.
The iPhone source code called “iBoot” published on GitHub, Apple said "is responsible for ensuring trusted boot operation of Apple's iOS software." The company added, “The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”
Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Lorenzo Franceschi-Bicchierai of Motherboard that the iBoot source code publication is the “biggest leak” in Apple's history.
A source code is a collection of computer instructions that’s written by a programmer when developing a software program. A software can either be open source or non-open source.
With an open source code, anyone can inspect or modify the code. With a non-open source code, the source code is hidden from the public and as such, only the software maker can make changes to the code.
Non-Open Source Code Leak
Apple and Microsoft are examples of companies that keep their products’ source code hidden from the public.
While most companies don’t allow outsiders to view and make modifications on their source code, they allow security researchers, also known as ethical hackers, to review their software, find security vulnerabilities and report this directly to the company to receive monetary reward, also called bounty.
Apple, through its bounty program, pays a maximum of $200,000 to someone who directly reports bugs or security vulnerabilities to the company.
Despite the takedown of the iPhone source code on GitHub, the source code has already made its way to dark web sites.
Access to non-open source code like the iBoot gives hackers a better chance of finding security vulnerabilities that could lead to cyberattacks.
EternalBlue Source Code Leak
On April 15, 2017, a hacker group calling itself the “Shadow Brokers” leaked the source of code of a number of hacking tools believed to be developed by the U.S. National Security Agency (NSA).
The source code of EternalBlue is one of those leaked by the hacker group. EternalBlue could allow remote code execution if a cyberattacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
The EternalBlue source code leak spawned devastating cyberattacks, the most notable of which was the WannaCry cyberattack. In May 2016, hundreds of thousands of computers around the world were infected with WannaCry, a malware that encrypts computer files, prevents users from accessing files and asks for ransom payment in the form of Bitcoin for the release of the decryption key to unlock the affected computer.
Adylkuzz is another malware that uses the EternalBlue source code. The purpose of Adylkuzz malware is to mine the cryptocurrency Monero. Similar to cryptocurrency Bitcoin, a Monero coin needs to be mined – a process by which a transaction is verified, added to the public ledger, known as the blockchain, and a means before a coin is released.
While cryptocurrency mining of Bitcoin can only be done on powerful computers, mining Monero can be done on regular computers and even on smartphones.
The Adylkuzz malware installs the Monero cryptocurrency miner called “cpuminer” on infected computers. Once the cpuminer is installed in a compromised computer, Monero cryptocurrency mining is conducted without the knowledge of the user. Cryptocurrency mining operation, however, will exhaust your computer CPU, resulting in slow performance.
Open Source Code Leak
With an open source code, anyone can inspect or modify the code. An open source is also known as a collaborative code. There are benefits in allowing other programmers to inspect and modify a source code. It’s a known fact that there’s not one software with a perfect source code. Allowing programmers to inspect and modify a source code can enhance and improve the code in the long run.
Linux is an example of an open source software. It’s an operating system similar to Windows and iOS. The difference between Linux and other operating systems is that it’s open source. The Linux source code is free and available to the public to view and, for users with the necessary skills, to contribute to the enhancement of the code.
While the publication of an open source code, on one hand, can be beneficial to society similar to the positive contribution of Linux, publication of an open source code with malicious intent can be detrimental to society.
Mirai Source Code Leak
The publication of the Mirai source code is an example of how a publication of a malicious open source code can be detrimental to society.
On September 30, 2016, a HackForum user by the name of “Anna-senpai” posted the source code of the malicious software called “Mirai”. The Mirai was responsible for the distributed denial of service (DDoS) attack on the website of cybersecurity journalist Brian Krebs on September 20, 2016.
On December 13, 2017, Paras Jha pleaded guilty in creating the Mirai and for conducting a series of DDoS attacks on the networks of Rutgers University between November 2014 to September 2016, which resulted in shutting down Rutgers University’s central authentication server – a gateway portal through which students, staff and faculty deliver assignments and assessments.
According to the U.S. Department of Justice, hundreds of thousands of IoT devices such as wireless cameras and routers were infected with the Mirai malware and were used "to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers".
According to Imperva Incapsula, Mirai-infected IoT devices were spotted in 164 countries, appearing even in remote locations like Montenegro, Tajikistan and Somalia.
The publication of the Mirai spawned other DDoS attacks, the most notable of which was the attack on Dyn, a domain name service (DNS) provider which many websites rely upon. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter, Netflix and even GitHub.
Dyn, in a statement, said, “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.” The company said that 100,000 IoT devices were infected with the Mirai malware to attack its DNS infrastructure.
In December 2017, the source code of the malware called “Satori”, a variant or new version of Mirai, was leaked on Pastebin. This Mirai variant particularly infects Huawei home router model HG532.
While the original Mirai malware infects IoT devices by using default usernames and passwords, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.”
Security researchers at NewSky Security said that with the release of the full working code of the Mirai variant Satori, “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Cybersecurity Best Practices
Here are some security best practices to protect your organization’s computers from the dangers of cyberattacks as a result of source code leak:
1. Use Supported Software
Supported software refers to a software whereby security updates are regularly issued by the software vendor.
Many fell victim to WannaCry for using Windows operating systems that Microsoft – the software vendor – no longer supports or no longer issues security updates.
A patch, also known as security update, is a piece of software code added to an existing source code that fixes security vulnerabilities.
WannaCry could have been prevented by simple patching or installing of the security update issued by Microsoft on March 14, 2017 – a month before the hacker group leaked the EternalBlue source code. Microsoft’s March 14, 2017 security update patches or fixes the security vulnerability exploited by EternalBlue. This security update was issued to supported Windows operating systems.
3. Use Latest Software Version
Many leaked source code are typically source code of older software version. Software vendors normally fix security vulnerabilities found in older software versions with the latest software version.
Interesting to note that Windows 10 proved to be resilient against Petya ransomware attack unleashed more than a month after the WannaCry attack. Similar to WannaCry, Petya exploited security vulnerabilities exploited by EternalBlue and EternalRomance – two hacking tools believed to be developed by the NSA and leaked by the hacker group Shadow Brokers.
4. Practice Network Segmentation
There are instances that security updates can’t be installed right away. One way to prevent or minimize the effects of a cyberattack is through network segmentation – a process of dividing computer network into subnetworks. With network segmentation, cyberattack on one subnetwork won’t affect the other subnetworks.
5. Have the Right DDoS Protection
Cybercriminals today don’t necessarily create their own attack tools. Some simply copy leaked source code. This is the case of DDoS-for-hire groups, a bunch of cybercriminals that offer DDoS service for a fee. There are available tools that effectively counter these DDoS attacks. Connect with us today and protect your business.
Steve E. Driz, I.S.P., ITCP