Coming to a router near you - beware of Slingshot malware!
Cybercrooks and cyberspooks never sleep, and their new “creations” keep popping up. One of the recent trends is targeting routers to cyberattack. Recently, the routers of Latvian manufacturer MikroTik were attacked in a highly sophisticated manner.
The malware dubbed “Slingshot”, infected at least 100 computers worldwide. Using a multi-layered attack, the malware spies on PCs. Similar to the advanced backdoor Trojan Regin (which infected Belgian telecom Belgacom), it was able to remain undetected - in case of Slingshot for six years. The infected computers were located primarily in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania. Although most of the victims were individuals, others were government organizations and institutions.
The creators of Slingshot are no amateurs, the two-pronged attack used stealth to stay undetected. It avoided detection by calling services and shutting down components during a security scan. Once installed, Slingshot could steal whatever it wanted, e.g., files, keyboard strokes, network traffic, passwords and screenshots. However, the main purpose of the malware appeared to be espionage, which means that the Slingshot was quite likely state-sponsored. If that is the case, the odds are that the brains behind it would be a Western nation, since Slingshot is highly sophisticated and took a lot of time and resource to develop. Needless to say, the Blame Game has just begun, with fingers pointing in all directions, including the Five Eyes nations, France, Israel and Russia. Although a recent MikroTik router firmware update got rid of Slingshot, routers of other manufacturers might still be vulnerable or even infected, harvesting computers for sensitive data as we speak.
Targeting routers in itself is not new. In December 2016, Mirai malware infected millions of routers with malicious firmware which couldn’t be removed. Mirai was the brainchild of a hacker aka BestBuy, who was also responsible for a massive IoT-powered DDoS attack in October 2015.
Router attacks are part of a new trend of so-called “clickless,” attacks that bypass user interaction altogether. For a long time, employees were targeted using social engineering techniques since they were the “weakest link” in IT security. Now that organizations have trained their employees in security awareness, the attack success rate has dropped. Making attacks “clickless” eliminates the need of a user clicking on a malicious link or opening a malicious file. Another characteristic of router attacks is, that the cybercrooks (and cyberspooks) are evading detection by “living off the land”. The attackers leverage programs that are already at their targets’ end to evade detection and actively spread the malware.
The year 2018 has just begun, but it looks like there will be dire times ahead with severe attacks that will be more and more sophisticated and inflicting substantial damage. If you want to check how your organization holds up against a wide range of cyberattacks, including recent “in the wild” ones, try out Cymulate’s Breach & Attack Simulation (BAS) platform. It simulates all kinds of cyberattacks against your organization and validate if your security products are working properly to defend you from known and unknown cyber threats.