Monthly Archives: August 2018

DeepLocker: AI Powered, Ultra-Targeted and Evasive Malware

19 August 2018

Mohit Kumar’s report on DeepLocker (1) published on 9 August 2018 in The Hacker News made me jump. Is AI becoming the doomsday machine of the 21st century?

DeepLocker is the result of a study (2) performed by IBM Researcher Marc Stoecklin and his colleagues on the question how the use of AI will change cyber-attacks:

“DeepLocker has changed the game of malware evasion by taking a fundamentally different approach from any other current evasive and targeted malware.”

The good news is that DeepLocker still needs a carrier app. Marc Stoecklin writes:

“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.”

Seven Phases Cyber Kill Chain

Cyber Kill Chain

DeepLocker is hence not invincible. A compromised carrier app will have another fingerprint than the not compromised version, at least until the carrier app is not compromised during development.

With this, program reputation, a must-have in every Next Generation Endpoint Protection Solution (NGEPS), can stop a malicious app very early in the Cyber Kill Chain (CKC).

The bad news is that reverse engineering is hardly possible. Marc Stoecklin writes:

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

Although I am fond of reading malware analysis papers I won’t miss them. From my point of view, it is only important that the NGEPS blocks the payload from being executed. In terms of the Cyber Kill Chain this means: ideally in the delivery phase, the latest in the installation phase.

For more details on DeepLocker please see the presentation (3) Marc Stoecklin delivered at the Black Hat 2018 conference.

Don’t panic, but be prepared: Skynet will gain world supremacy soon …

Have a great week.

  1. Kumar M. Researchers Developed Artificial Intelligence-Powered Stealthy Malware [Internet]. The Hacker News. 2018 [cited 2018 Aug 13]. Available from: https://thehackernews.com/2018/08/artificial-intelligence-malware.html
  2. Stoecklin MP. DeepLocker: How AI Can Power a Stealthy New Breed of Malware [Internet]. Security Intelligence. 2018 [cited 2018 Aug 13]. Available from: https://securityintelligence.com/deeplocker-how-ai-can-power-a-stealthy-new-breed-of-malware/
  3. Stoecklin MP, Kirat D, Jang J. DeepLocker – Concealing Targeted Attacks with AI Locksmithing [Internet]. Black Hat USA 2018. 2018 [cited 2018 Aug 19]. Available from: https://www.blackhat.com/us-18/briefings/schedule/#deeplocker—concealing-targeted-attacks-with-ai-locksmithing-11549

Digital Carelessness – a disease without a chance of cure

12 August 2018

Two messages this week showed that there is no cure in sight for the fatal disease called digital carelessness.

ONE: Two remote code execution (RCE) vulnerabilities found in certain HP Inkjet printers (1).

CVE-2018-5924: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2018-5925: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This sort of vulnerabilities is particularly popular in the cyber crime scene because they are network exploitable (Attack Vector AV:Network), attack complexity is low (AC:L), no privileges required (PR:None) and no user interaction is required (Ui:None).

Under normal conditions, Inkjet printers are operated inside the company network. Thus there is no need to enter into panic mode because the vulnerability can not be exploited from the internet.

Unfortunately, some HP Inkjet printers are, for whatever reason, accessible from the internet. A Shodan search reveals that 539 HP DesignJet printers are directly connected to the internet. One of the vulnerable printer models is the HP DesignJet T520 24-in ePrinter, Product number CQ890A, Firmware version 1829B. For a complete list of the affected printers please see the HP Security Bulletin HPSBHF03589 (2).

HP DesignJet T520 Map

HP DesignJet T520 Map. Click to enlarge.

As of today, 79 printers of this type are directly attached to the internet. Some of them are ready for printing and with this prone to CVE-2018-5924 or CVE-2018-5925 because the HP JetDirect Line Printer Daemon port 515 is open.

But why should an attacker exploit these RCE vulnerabilities if he can hijack the printer because basic security is not configured?

HP advised its customers to update the firmware of the affected printers as soon as possible. This is the best opportunity

  • to configure basis security,
  • to eliminate the http protocol, and
  • to close unnecessary open ports.

TWO: TSMC Chip Maker Blames WannaCry Malware for Production Halt

Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest makers of semiconductors and processors, was hit by a variant of the WannaCry ransomware last week. According to TSMC, its computer systems were not directly attacked, but instead, were exposed to the malware when a supplier installed corrupted software without a virus scan.

“We are surprised and shocked,” TSMC CEO C.C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened. (3)

It doesn’t matter how often installations went well in the past. It’s always the next installation that counts.

Have a good week.

  1. Zorz Z. HP plugs critical RCE flaws in InkJet printers [Internet]. Help Net Security. 2018 [cited 2018 Aug 6]. Available from: https://www.helpnetsecurity.com/2018/08/06/hp-inkjet-printer-vulnerabilities/
  2. HP Customer Support. HPSBHF03589 rev. 2 – HP Ink Printers Remote Code Execution. 2018 [cited 2018 Aug 6]. Available from: https://support.hp.com/us-en/document/c06097712
  3. Wu D. iPhone Chipmaker Blames WannaCry Variant for Plant Closures. Bloomberg.com [Internet]. 2018 Aug 6 [cited 2018 Aug 12]; Available from: https://www.bloomberg.com/news/articles/2018-08-06/iphone-chipmaker-blames-wannacry-variant-for-plant-closures