
Feedback Friday: 'Regin' Cyber Espionage Tool - Industry Reactions

The existence of a sophisticated cyber espionage tool that has been used in numerous operations aimed at businesses and governments from all over the world was brought to light this week.

Feedback Friday: Regin Nation State Malware

Dubbed “Regin,” the Trojan has been used since 2008 in attacks against private individuals and small businesses, and sectors such as telecoms, hospitality, energy, aviation, and research. The largest number of infections has been spotted in Russia (28%) and Saudi Arabia (24%), Symantec said in a report.

Researchers at Kaspersky have also analyzed the threat, which is said to be as sophisticated as Stuxnet, and found that it has also been used to target GSM networks.

The Intercept reported that Regin is linked to US and British intelligence agencies. The malware has been referenced in the documents leaked by Edward Snowden and it's said to have been utilized in attacks against European Union government agencies and the Belgian telecoms company Belgacom.

And the Feedback Begins... 

Tomer Weingarten, CEO of SentinelOne:

 “There are several similarities between FinFisher and Regin. The fact that Regin is a highly modular and "all-purpose" platform indicates that it probably is commercially sold code like FinFisher. The variety of targets, locations and segments seen in the wild is also consistent with Regin being used by multiple actors, possibly small governments, for espionage.


Regin also appears to display a lot of similar techniques used by a previously known malware, called Turla, which was used in a government campaign. However, we don't know if it is the same author.


One peculiar fact about Regin is that the malware kernel driver was not signed to bypass Microsoft PatchGuard in the 64bit version of Windows. To bypass PatchGuard, malware needs a genuine security certificate. This has only been seen in malware a handful of times, and only in the most advanced attacks. Stuxnet is one example. This could imply that Regin is the work of a smaller government which is not as technologically sophisticated as top tier nation states.


The most innovative elements of Regin are in the "carrier" code used to install the malware and in the persistence code which uses encrypted virtual file systems. The command and control (C&C) communications were also sophisticated and designed to conceal outgoing traffic. However, once the malware is installed, the payloads themselves (the "modules") are straightforward and display the same actions and level of sophistication seen in everyday malware, such as screen grabbing, password stealing, etc.”

Jeff Caplan, Security Operations Center manager at Foreground Security:

 “The risk to U.S. organizations of being compromised with Regin is very likely low, due to the historical countries with confirmed Regin infections. And while the development of Regin seems to represent a significant investment in time and resources, the multi-stage & modular approach of Regin is a trend we’re seeing in newer malware development and something that many other malware authors are beginning to borrow from for their own commercial exploit kits and botnets. It’s definitely indicative of malware characteristics we’ll be seeing much more of in the future.”

Michael Sutton, VP of Security Research for Zscaler:

 “Regin is being referred to as malware, but ‘malware framework’ would be a better description. With some 50 payloads identified thus far and some dating back to 2008, this isn’t a simple matter of analyzing a single binary to determine what it does. Analyzing Regin is akin to a paleontologist who finds one fossil today and others later on, only realizing at some point in the future that they’re all part of the same beast.

 

Was Regin the work of nation state sponsored actors? Likely. It shares many of the hallmarks of past malware frameworks such as Flame and Duqu in that it presents a modular framework and was likely in use for years before being discovered. The question now isn’t when will we see the next such malware framework, but how many exist today that we haven’t yet discovered.”

Jody Brazil, CEO at FireMon:

 “As with any advanced malware, the discovery of Regin reinforces that it's impossible to detect many of today's cutting-edge attacks, and in cases such as this, often not until years after their initial distribution. Based on this reality, organizations need to maintain constant vigilance in terms of monitoring internal security controls, especially network segmentation. By ensuring that access is enforced properly such that sensitive data is only available to the appropriate set of applications and users, the impact of these threats can be mitigated, even when they're actively present in the environment.”

Steve Lowing, Director of Product Management at Promisec:

 “Regin is another example of nation state sponsored malware that is many levels beyond the advanced targeted malware that we hear about that has breached many retailers (e.g. Backoff, BlackPOS). What makes this malware so different is the degree of sophistication with which it gets into a system; in simplest terms it’s via multiple stages of injection and downloading where only the initial stage is definitively visible.

 

The second and subsequent stages involve introducing encrypted and thus invisible content that has custom loading abilities that builds out into an extremely advanced, undetectable set of kernel and user modules that target specific businesses and end users outside of the US, Britain, Canada and Australia. The deliberateness of the sophistication is reminiscent of previous malware like Duqu, Gauss, and Mahdi that aim to exfiltrate sensitive data and intelligence from their victims. As with these known malware strains, Regin puts high priority on staying hidden and generally being undetectable, aiming to establish command and control of a system and stay for an extended period of time.


What truly sets Regin apart and is different is the framework it establishes, which opens the victim to attack modules that are custom fit for the target, role, industry, etc. in question. These components in the framework and even the framework itself can be dynamically changed as well. This underscores the nation state belief, since the designer of Regin was building this for the long haul and not to find a single set of records (or even millions of credit cards) then leave or get detected moving this information off host. Regin by contrast moves data via multiple channels and doesn’t overtax or make a lot of noise in the environment it’s running in, making it even harder to detect.”

 

Ian Amit, Vice President at ZeroFOX:

 “Targeting individuals matches the MO of a reconnaissance effort executed by a corporation or nation state in order to profile and gather long-term intelligence on stakeholders. Some of the attributes of the malware (namely using fairly detectable elements in the C&C protocol such as "shit" and "31337") suggest it might have been developed through an "outsourced" third-party entity. This is common practice for nation states that do not have the capability to develop advanced malware by themselves or need to cover their tracks. Unfortunately, there are many cyber criminal organizations that would happily develop this kind of malware for the highest bidder.


The timeline of the Regin distribution demonstrates the attacker was not interested in a "smash and grab" operation but longer-term intelligence gathering. The infected assets were probably used to provide audio and visual reconnaissance, and it's likely more payload modules will be discovered that further indicate such capabilities. It's interesting to note that the infection vector has not been discussed in the disclosure. This is yet another indication that attacks like this utilize multiple infection vectors rather than zero-day vulnerabilities, performed through a combination of social engineering and traditional attacks.


From Regin's characteristics, it's clear that older APT architecture is still effective at hiding persistent threats (i.e. the Russian-doll architecture, or multiple encrypted stages). Endpoint security and advanced behavioral detection technologies are far behind in mitigating these threats. Malware that lurks in the background and uses legitimate communication channels as its C&C and exfiltration paths will go undetected for years. Regin highlights the need for better operational security (OPSEC) as part of an organization's risk management. Both the ability to minimize attack surfaces that leverage the human element and the capability to monitor changes over a long period of time are critical to dealing with persistent threats like the Regin malware.”
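As an added example that is not part of Amit's comments and not code from any vendor quoted here: a small signature sweep that looks for the two C&C protocol strings he names ("shit" and "31337") across a connection log. The record layout and the sample records are constructed for illustration; real Regin traffic analysis would need the framing details from the vendor reports, which this block does not assume.

```python
"""Signature sweep for the Regin C&C strings named in the article.

Added example, not code from the article or from any quoted vendor. It
assumes a simplified connection log in which each record carries the
leading bytes of the payload; the sample records below are constructed.
"""
from dataclasses import dataclass

# Indicator strings the article attributes to Regin's C&C protocol.
INDICATORS = (b"shit", b"31337")


@dataclass(frozen=True)
class Record:
    ts: str
    src: str
    dst: str
    payload: bytes  # first bytes of the connection payload (assumed field)


def find_indicators(payload: bytes) -> list[str]:
    """Return the indicator strings present in payload, case-insensitively."""
    low = payload.lower()
    return [ind.decode() for ind in INDICATORS if ind in low]


def sweep(records: list[Record]) -> list[tuple[Record, list[str]]]:
    """Return (record, indicators) pairs for every record that matches."""
    flagged = []
    for rec in records:
        hits = find_indicators(rec.payload)
        if hits:
            flagged.append((rec, hits))
    return flagged


# Constructed sample log: one benign HTTP request and three suspicious blobs.
SAMPLE_RECORDS = [
    Record("2014-11-24T10:01:02Z", "10.0.5.17", "198.51.100.9",
           b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"),
    Record("2014-11-24T10:01:09Z", "10.0.5.17", "203.0.113.44",
           b"\x00\x02\x00\x10shit\x00\x00\x00\x01"),
    Record("2014-11-24T10:02:33Z", "10.0.5.22", "203.0.113.44",
           b"beacon 31337 \x7f\x00\x00\x01"),
    Record("2014-11-24T10:03:41Z", "10.0.5.31", "192.0.2.7",
           b"SHIT 31337 uppercase variant"),
]


def flagged_destinations(records: list[Record] = SAMPLE_RECORDS) -> list[str]:
    """Distinct peers that produced at least one indicator hit, in log order."""
    seen: list[str] = []
    for rec, _ in sweep(records):
        if rec.dst not in seen:
            seen.append(rec.dst)
    return seen


if __name__ == "__main__":
    for rec, hits in sweep(SAMPLE_RECORDS):
        print(f"{rec.ts} {rec.src} -> {rec.dst} matched {hits}")
    print("peers to investigate:", flagged_destinations())
```

A plain substring match on a four-character word and a five-digit number will produce false positives on ordinary traffic, so treat a hit as a prompt to pull the full session for that peer rather than as a verdict; the value of the check is that it is cheap to run retrospectively over years of stored connection data, which is the time scale Amit describes.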

Kenneth Bechtel, Malware Research Analyst at Tenable Network Security:

 "While this is a piece of highly complex software, it falls in line with the patterns we've been seeing recently. Malware today, be it state or criminal gang sponsored, is modular, updateable and leverages many ways of hiding its presence. If we follow the Anti-Virus model of checking each individual file, we're doomed to be playing catch-up with the authors of malware. The weakest part of all these backdoors and remote control malware is the need to communicate. Some of these pieces have complex encrypted communications and can proxy, like Regin, others can even jump air gapped isolated networks, but they all must communicate.


By identifying and targeting these communications, network security personnel have a better chance of identifying new malware, or even just a disgruntled employee creating a data leak. While it's important to identify and remove the infecting agent (software), a comprehensive data security policy which includes checking for network communication abnormalities gives a much bigger lead time to remediation than sticking with traditional network defenses.”

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi:

 “As reported, Regin has the signs of a sophisticated nation-state attacker due to its complexity and stealth. These specific attackers have identified that cryptographic keys and digital certificates, both critical in the implementation of HTTPS and secure web browsing, provide the perfect recipe to gain trusted status in order to breach their targets, remain undetected and gain a long-term foothold to monitor and impersonate their targets - even since Stuxnet provided the attack blueprint in 2008.

 

Unprotected keys and certificates are a weak spot in security infrastructure and nation-states continue to exploit them as we’ve seen with Heartbleed and Stuxnet in the past. With a compromised or stolen key you can impersonate, surveil, and monitor your targets as well as decrypting traffic or impersonating trusted websites, code, or administrators. Discovering a compromised key and certificate doesn’t kick an attacker out nor solve the problem; until a key and certificate is revoked and replaced the threat doesn’t go away. Bad guys, including common street criminals, have figured this out and have leveraged it with increased attack intensity.”

Aviv Raff, Co-Founder and CTO of Seculert:

 “Sophisticated or not, the fact that this malware has been around since 2008 shows that traditional security solutions fall short. This is mainly because these kinds of solutions focus on trying to prevent the attack, rather than trying to detect it. Fortunately, we now see more and more enterprises moving budget away from prevention focused solutions and investing more in detection and response. As long as this budgetary trend continues, so will the presence of wide-scale undetected attacks. Something needs to change, and quickly.”

Chris Messer, vice president of technology at Coretelligent:

 “Regin doesn’t pose a huge threat to American citizens or businesses at this time in its current iteration. However, if Regin is reverse-engineered, there’s risk that it could be used against our own government to steal sensitive information.

 

If foreign intelligence agencies or hacking groups are able to reverse-engineer samples of this malware and then use the techniques or code deployed in their own malware, it could be more widely deployed and cause significant damage by stealing sensitive information from Americans that they’re able to infect.

 

Regin also raises concern about whether American government intelligence agencies like the FBI, CIA and NSA could leverage this type of approach against citizens under the guise of the Patriot Act, suspected terrorism or individuals of interest.

 

The security implications with this discovery are quite clear - our intelligence agencies and those of our allies have incredibly powerful and sophisticated tools and methodologies at their disposal to spy on enemies. While these are absolutely necessary capabilities to have in our digital age, they also come with great risk and responsibility to be controlled and leveraged in a judicious manner. It’s naïve to think that these tools couldn’t be easily re-purposed or re-deployed against our allies, or even against individual business leaders, political targets or citizens.”

Steve Hultquist, chief evangelist at RedSeal:

 “Regin is another piece of evidence in the growing pile that indicates that many organizations have been compromised and do not know it. The sophistication of this attack, the multiple versions, alternative payloads, and the length of time the compromise existed within the victims' networks all indicate motivations far beyond the fast-strike thefts that have been the most commonly reported.


Organizations must recognize the likelihood that they are compromised, and so must strategize how they will prevent as much damage as possible. That strategy must include knowing all of the paths into and out of the network, ensuring that all security zones are implemented correctly, being certain that all potential paths are monitored, and generally verifying that the implemented security matches the design, and that the design addresses both entry and exit. The time is past for weak, reactive strategies. Regin shows us again that they don't work. It's time to be proactive and preventative while automating ongoing analysis of the implementations.”

Until Next Friday...Have a Great Weekend! 

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.