// Slingshot Malware targets Sysadmins - humanit managed services


The best way to get the keys to the kingdom is to get the sysadmins' passwords…

The malware, dubbed Slingshot by researchers at Kaspersky Lab and showcased at the firm’s Security Analyst Summit, resides in Mikrotik routers – presumably on the principle that the only people who access the devices are an organization’s IT team. It’s not known how the malware gets onto the router, but it contains a malicious dynamic link library that’s capable of pulling in all kinds of nasty attack tools.

“Never seen this attack vector before, first hack the router and then go for sysadmin,” said Costin Raiu, Kaspersky’s director of global research and analysis. “We’ve seen a lot of attacks against sysadmins but sometimes it’s tricky to find them. This is a very good way to hack the sysadmin and get the keys to the kingdom – it’s a completely new strategy.”

The malware was discovered by accident. The team was analyzing a piece of keylogging code and decided to scan to see if it could be found elsewhere. The malware’s signature turned up in a seemingly innocent file on another computer labelled scesrv.dll.

In testing, once a computer links into the router’s configuration system, the malware activates and dumps a copy of itself onto the connecting PC and gains root access. It then downloads new modules, including two powerful pieces of code dubbed Cahnadr and GollumApp which can harvest screenshots, keyboard data, network data, passwords, USB connections, other desktop activity, and clipboard data.
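One practical check that follows from the paragraph above: the loader was found under the name of a legitimate Windows component (scesrv.dll), so a defender can inventory every file carrying that name and flag copies that sit outside the system directory where the genuine one belongs. The script below is an added example written for this post, not code from Kaspersky or The Register; the expected system directories and the demo directory tree it scans are assumptions constructed for illustration, and the SHA-256 it records is meant to be compared against a known-good copy on a clean host.

```python
"""Inventory copies of scesrv.dll and flag any outside the expected system directories.

Added example, not from the article. scesrv.dll is a legitimate Windows component;
the article reports Slingshot's loader turning up as a file with that name on a
victim machine, so a copy in an unexpected location is worth a closer look.
The directory layout used for the demo is constructed, not a real host.
"""
import hashlib
import os
import tempfile

TARGET_NAME = "scesrv.dll"
# Directories where a genuine copy is expected (assumed defaults; adjust per host).
EXPECTED_DIRS = ("windows/system32", "windows/syswow64")


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def in_expected_dir(rel_dir):
    """True when rel_dir (relative to the scan root) is one of EXPECTED_DIRS or a subfolder of one."""
    norm = rel_dir.replace("\\", "/").lower().strip("/")
    return any(norm == d or norm.startswith(d + "/") for d in EXPECTED_DIRS)


def find_misplaced(root):
    """Return [(relative_path, sha256)] for every scesrv.dll found outside EXPECTED_DIRS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Windows file names are case-insensitive, so compare lower-cased.
            if name.lower() != TARGET_NAME:
                continue
            rel_dir = os.path.relpath(dirpath, root)
            if rel_dir == ".":
                rel_dir = ""
            if in_expected_dir(rel_dir):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace("\\", "/")
            hits.append((rel, sha256_of(full)))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample layout: one copy where it belongs, one rogue copy under a user profile."""
    root = tempfile.mkdtemp(prefix="slingshot_demo_")
    layout = {
        "Windows/System32/scesrv.dll": b"legit placeholder bytes",
        "Users/admin/AppData/Roaming/scesrv.dll": b"rogue placeholder bytes",
        "Users/admin/notes.txt": b"unrelated file",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, digest in find_misplaced(demo_root):
        print(f"SUSPICIOUS {rel_path} sha256={digest}")
```

Run it against a real drive by replacing the demo root with the mount point of the disk being examined; the hash of any flagged copy can then be compared with the hash of scesrv.dll taken from a machine that is known to be clean.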

What does that mean for Thai-based IT companies? We think the door is still far too wide open here, and getting a good IT consultant / trusted advisor would be our recommendation. We still see lots of PCs running Windows XP with no updates, or relying on free antivirus solutions.


Thank you to The Register for the heads up about this article.