Regin Malware is “Groundbreaking”

Symantec has revealed details about malware called “Regin”. This shows a multi-stage attack that is capable of being adapted easily to gather different types of data. According to Symantec this is not just screen grabs and password information but something far more sophisticated. Symantec claims that it has identified dozens of different payloads that Regin has access to. 
 
Once Regin has acquired the data it encrypts the data and then exfiltrates it. The stolen data may never be written to disk but may be sent back immediately and the encryption means that security devices and software do not easily detected this.
Symantec describes how Regin uses special features to stay below the detection radar: “These include anti-forensics capabilities, a custom-built encrypted virtual file system (EVFS), and alternative encryption in the form of a variant of RC5, which isn’t commonly used. Regin uses multiple sophisticated means to covertly communicate with the attacker including via ICMP/ping, embedding commands in HTTP cookies, and custom TCP and UDP protocols.”
Regin has been found in 10 countries and the targets seem to be key business sectors, individuals and small businesses. The full list of countries and targets which Symantec gives are:
  • 28% Russian Federation
  • 24% Saudi Arabia
  • 9% Mexico
  • 9% Ireland
  • 5% India
  • 5% Afghanistan
  • 5% Iran
  • 5% Belgium
  • 5% Austria
  • 5% Pakistan
  • 48% Private individuals and small businesses
  • 28% Telecoms backbone
  • 9% Hospitality
  • 5% Energy
  • 5% Airline
  • 5% Research
Symantec describes Regin as follows: “In the world of malware threats, only a few examples can truly be considered groundbreaking and almost peerless. What we have seen in Regin is just such a class of malware.”
  

Iran Cyber Attack Feared Soon

Fears are growing that Iran will release cyber warfare on US companies if negotiators fail to reach a nuclear deal by Monday that would require Iran limits its nuclear program.
Cyber-attacks from Tehran dropped after the US, Iran and other countries agreed an interim nuclear deal in 2013, but if discussions in Vienna failed before a November. 24 deadline, observers expect a new series of attacks.
American financial companies, oil and gas companies and water filtration systems could be among the targeted companies. 
 
The US has not yet faced the full force of Iran’s rapidly developing cyber capabilities. Iran initially increased its cyber efforts in 2010 and launched a barrage of simplistic attacks on the US financial sector in 2012. Detecting such relatively harmless attacks was easy.  
Over the last two years, Iran has formed a Supreme Council of Cyberspace that meets once a month and includes President Hassan Rouhani.
Iranian officials also strengthened cybersecurity research partnerships with Russia and Iran has gone from a nascent to a burgeoning cyber power.
Security company FireEye described that one popular Iranian hacking group went from website defacements in 2010 to “malware-based espionage” in just four years.
It is reported that Iranian hackers attacked oil giant Saudi Aramco, the world’s most valuable company, and deleted the contents of 30,000 computers. The same virus also hit Qatar-based liquid petroleum gas firm RasGas.
While the US is bombarded with cyber attacks, it has never been the subject of a large-scale destructive attack. So far Tehran’s hackers are mostly suspected of probing around US infrastructure networks to understand their designs.
But if the nuclear talks fell apart that could change. And this time an Iranian attack could be more advanced.