Analysis of Linux.Okiru

In keeping with our campaign of detection and documentation of IoT botnets, a few days ago we found another threat not classified before. It was first uploaded to the VirusTotal platform on November 3 and is only detected as malicious by 4 antiviruses.

During the article, two variants of the malware will be analyzed, which differ fundamentally in their propagation. The first one was detected in our honeypot systems (specifically for the SPARC architecture). The second one is a variant of the first, which was found under the Intel x86_64 architecture, and which the Netlab360 malware lab echoed a few days ago.

As no records of its identification were found, we decided to classify it as Linux.Okiru, due to the name of its binaries.
[Read more…]

Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, which provided a good part of the information).

Just a couple of weeks ago Ana March, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, not expected (at least by me), of a new regulation of the Commission related to the NIS Directive, which I have called in a display of originality NIS implementation regulation.

In fact, on 30 January, the Implementing Regulation (EU) 2018/151 of the Commission from 30 January 2018 was published, laying down rules for the application of the Directive (EU) 2016/1148 of the European Parliament and of the Council with regard to the specification of the elements to be taken into account by digital service providers in order to manage the existing risks for the security of networks and information systems, as well as the parameters for determining whether an incident has a significant impact..

At least it caught me by surprise (and I am sure that some of our readers will see the same thing), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that, although in different areas, we had both coincided at the same client that fitted into the concept of digital services provider and could therefore be affected, we asked ourselves about the applicability of the regulation to this specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And the purchase-sale between individuals? Deriving the answer to these questions is the subject of this entry.
[Read more…]

Security of blockchain-based smart contracts I

Recently, blockchain technology has been advocated as a game changer for many industries. Distributed ledger technology that has emerged out of Bitcoin has promising applications beyond digital currencies.

One of the most promising use cases of blockchain technology is the development of smart contracts.

Smart contracts are self-executing contracts, in which the terms are specified in code. Essentially, this means encoding legal contracts in computer code, which executes them automatically.

Whilst the concept has been around for a while, at least since Nick Szabo’s wrote up the concept in 1996, it was not until the advent of the Turing-complete Ethereum blockchain that smart contract use became common.

Contracts on the Ethereum blockchain exist at contract addresses and can be invoked by transaction calls.

Executing contracts written in code and stored on an immutable public blockchain creates certain risks and issues, which we will discuss in a general way in this post. In an upcoming second part, we will look at more specific examples of smart contract security vulnerabilities. [Read more…]

Linux.IotReaper Analysis

A couple of days ago we learned about the existence of a new threat IoT considerably more elaborated than any of the ones detected to date (, said botnet has been named by Netlab 360 as IotReaper. So, from the malware laboratory of S2 Grupo we have obtained and analyzed some of the related samples.


The infrastructure of the network is quite similar to that of the Mirai botnet, which is formed by four elements:

  • Report Server: Responsible for collecting the information sent by the bots.
  • Server Downloader: Responsible for providing malware samples via HTTP. The presence of an element allows the continuous incorporation of updates without the need to leave obsolete versions of the malware.
  • Server C2: Responsible for sending denial of service orders.
  • Bot: IoT device infected by the IotReaper botnet.

[Read more…]

The Russian ICC (XVIII). Conclusions

For a few months we have published a series of posts about Russian cyber intelligence in SecurityArtWork, which we hope you have liked and they have helped you to better understand Russian capabilities, groups, structures, APT… without a doubt, Russia has been and continues to be one of the main players in the field of security, intelligence and defense (and of course in cybersecurity, cyber intelligence and cyber defense … or cyber things in general) and, as such, we must know it well if we work on these issues.

As we have seen in this series, Russia is a world power in many fields (as was the USSR in its day) and still retains Soviet reminiscences; the “Cold War Mode”, which we have referred to in different posts, perfectly defines its current cyber strategy and the management of information that the country has historically done, which are applied in this broad concept of information warfare which we have also referred to on many occasions, significantly different from the West, and which includes propaganda or deception, to give just a few examples. If Russia is your mother and your mother is in danger you will do whatever is necessary to save her. Period. No further discussion.
[Read more…]

The Russian ICC (XVII): objectives. Spain

The First General Directorate of the KGB was responsible for all operations of the service outside the USSR; this Directorate included departments focused on different geographical areas of the world, which were the operational nucleus of the General Directorate and were responsible, among other things, for the duties of almost all KGB-linked companies operating outside Soviet territory. And within these geographical departments, the Fifth was concerned with France, Italy, the Netherlands, Ireland … and Spain. Certainly we did not reach the level of the United States and Canada (First Department, exclusively occupied by these two countries) but we were not very far, perhaps on a second level. For different reasons that have obviously changed over the years, since the Civil War until now Spain has been a historical objective (not the most important, but relevant) for Soviet intelligence and now it is still so for Russian intelligence: from the NKVD during its lifetime to the current services, obviously passing through the KGB from the middle to the end of the last century. Exactly the same as the USSR, or Russia today, it also is and has been an important objective for the West: for example, we have only to read something about the operation Mari, in the 60s ([2]).... Leer Más

The Russian ICC (XVI): objectives. Countries

Any country in the world is a potential target of Russian-or non-Russian-espionage. As an example, infiltration in America has historically been high, not only in the United States, a country of highest priority for Russian intelligence, but also throughout Latin America.

However, the maintenance of a large ecosystem of intelligence is not cheap – although it is certain that, thanks to the particularities and relations of the Russian services, it is not as expensive as it would be in other circumstances. So as in any country, Russians should prioritize their usual activities and interests, leaving for temporary occasions those temporary objectives: for example, the Middle East (Syria, Iran …) can be considered in the list of these temporary objectives, for reasons of security —counterterrorism— as well as economic —customers or suppliers of basic goods for Russia.

In addition to these, countries such as Australia or New Zealand, technologically developed and close to the West —not from the physical point of view, of course —are also targets of Russia for different reasons, such as industrial espionage. We have highlighted in gray the target countries of Russian espionage:

[Read more…]

The Russian ICC (XV): objectives. Information needs

Let us recapitulate: so far we have made several entries concerning the Russian ICC, in which we have contextualized Russian intelligence, we have described its different services with cyber attributions and have analyzed, as far as possible, their relations with third parties, thus describing the complex ecosystem of intelligence in Russia. With this ecosystem already described (we had to stop at some point), we will now try to analyze the objectives of this intelligence, its information needs: what is Russia looking for and where?

A bit of history: Vasili Mitrokhin was a KGB archivist who, after the dissolution of the USSR, defected and collaborated with the British MI6; the material exfiltrated by Mitrokhin, which gave rise to several books that are known together as “the Mitrokhin archive”, revealed among many other secrets that the Soviet leader Mikhail Gorbachev already considered industrial espionage as a key aspect for economic survival and for the restructuring of the country. This became clear after the dissolution of the USSR, so that in accordance with its legal basis ([3]), the objective of Russian intelligence has been to gather information in the political, economic, military, scientific, technical and ecological fields to support the economic development and scientific-technical and military progress of the Russian Federation; even the GRU has entrusted the acquisition of military, political-military, technological-military and economic-military information. In other words, Russia is concerned about its defense, both military and economic, from the Soviet era (from Mitrokhin’s information) to Russia at the end of the last century. Something, on the other hand, completely logical in any modern country. [Read more…]

The Russian ICC (XIV): The intelligence ecosystem. Cybercrime

The relations of the Kremlin (by extension, of its intelligence services) with “classic” organized crime, with Russian mafias, is a fact more or less proven. Without going any further, in documents leaked by WikiLeaks the Spanish prosecutor Jose Grinda directly links the Russian mafia with the intelligence services of the country.... Leer Más

The Russian ICC (XIII): The intelligence ecosystem. Patriotic hackers

The concept of patriotic hacker can be understood as the attacker, in the cyber field, whose activities support in one way or another his country in a real conflict, directed against the enemy of the state ([1]). Along with China, Russia has been perhaps one of the countries that has most empowered these groups, active for years in conflicts such as Kosovo (1999), Estonia (2007) or Georgia (2008). In Spain, if there has ever been something similar and in any case not state sponsored, it could be linked to small actions in the network against the environment of ETA after the murder of Miguel Angel Blanco (1997), perhaps at odds between hacktivism and patriotic hackers (this would give for an interesting debate), but in any case very far from the activities of patriotic groups in other conflicts or countries.... Leer Más