Security agencies from five countries have issued a joint advisory revealing technical details about a sophisticated espionage tool used by Russian cyber actors against their targets. “Snake malware” and its variants have been a core component of Russian espionage operations conducted by Center 16 of Russia’s Federal Security Service (FSB) for nearly two decades, according to the security advisory.
Snake infrastructure has been identified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia. Its custom communications protocols use encryption and fragmentation (sharding) for confidentiality and are designed to frustrate detection and collection efforts. Globally, the FSB has used Snake to gather sensitive intelligence from high-priority targets such as government networks, research facilities and journalists.
The advisory was issued by the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the UK’s National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (CCCS), the Canadian Communications Security Establishment (CSE), the Australian Cyber Security Centre (ACSC) and the New Zealand NCSC. It is designed to help organizations understand how Snake works and provides suggested mitigations to help defend against the threat.
The security warning comes on the heels of a separate warning from the UK’s NCSC describing a new class of Russian cyber adversary that threatens critical infrastructure.
Operation MEDUSA neutralizes the Snake malware campaign
On the same day the advisory was issued, the US Department of Justice announced the completion of a court-authorized operation, codenamed MEDUSA, to disrupt a global peer-to-peer network of computers compromised by the Snake malware. Operation MEDUSA disabled Snake on compromised computers using an FBI-developed tool called PERSEUS, which issued commands that caused the malware to overwrite its own vital components.
“Today’s announcement demonstrates the FBI’s willingness and ability to combine our authorities and technical capabilities with those of our global partners to disrupt malicious cyber actors,” said Deputy Director Bryan Vorndran of the FBI’s Cyber Division. “When it comes to combating Russia’s attempts to target the US and our allies using sophisticated cyber tools, we will not relent in our work to dismantle these efforts.”
The sophistication of the Snake malware comes from three main areas
Snake is considered the most sophisticated cyber espionage tool in the FSB’s arsenal, and the notice attributes that sophistication to three main areas. “First, Snake uses means to achieve a rare level of stealth in its host components and network communications. Second, Snake’s internal technical architecture allows easy incorporation of new or replacement components. Finally, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.”
The FSB has also introduced new techniques to help Snake evade detection; the implant’s effectiveness depends on long-term stealth that keeps its access to important intelligence open. “The uniquely sophisticated aspects of Snake represent a significant effort by the FSB over many years to enable this type of covert access.”
Snake is often deployed to externally facing infrastructure nodes
Snake is typically deployed on a network’s externally facing infrastructure nodes, and from there the FSB uses other tools and tactics, techniques and procedures (TTPs) on the internal network to conduct additional exploitation operations, the notice continued. “Upon gaining and consolidating entry into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and gain access to domain controllers. A wide range of mechanisms have been used to gather user and administrator credentials in order to expand laterally across the network, including keyloggers, network sniffers and open source tools.”
Once the actors have mapped a network and obtained administrator credentials for multiple domains, regular collection operations begin. In most cases involving Snake, heavier implants are not deployed; the operators instead rely on lightweight remote-access tools and harvested credentials inside the network. “FSB operators sometimes deploy a small remote reverse shell along with Snake to allow interactive operations.” This activatable reverse shell, which the FSB has used for about 20 years, can serve as a backup access vector or maintain a minimal presence on a network to avoid detection while moving laterally.
Snake uses two main methods for communication and command execution: passive and active. Snake operators generally use active operations to communicate with jump points within the Snake infrastructure, while Snake endpoints typically operate solely through the passive method.
Methods for detecting Snake malware
The notice describes the detection methodologies available for finding Snake, outlining their advantages and disadvantages. These are:
- Network-based detection: Network intrusion detection systems (NIDS) can feasibly identify some of the newer variants of Snake and their custom network protocols. Advantages include high-confidence, large-scale (network-wide) detection of custom Snake communication protocols. Disadvantages include low visibility into Snake implant operations and into encrypted data in transit. There is some potential for false positives in the HTTP, HTTP2 and TCP signatures for Snake, and network-based signatures can easily be changed by Snake operators.
- Host-based detection: Advantages include high confidence in any positive hit on a host-based artifact. Disadvantages include that many of the host artifacts can easily be changed to exist in a different location or under a different name, and since the files are fully encrypted it is difficult to identify them precisely.
- Memory analysis: Advantages include high confidence, since memory provides the best visibility into Snake’s behaviors and artifacts. Disadvantages include potential impact on system stability and difficulty scaling the analysis across many hosts.
Prevention of Snake persistence and hiding techniques
The notice also describes strategies for countering Snake’s persistence and stealth techniques. The first is that owners of systems believed to be compromised by Snake should change their credentials immediately (from an uncompromised system) and not reuse passwords similar to those used before. “Snake uses a keylogging functionality that routinely returns logs to FSB operators. It is recommended to change passwords and usernames to values that cannot be brute-forced or guessed based on old passwords.”
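The credential-rotation advice above is easy to get wrong in practice: once a keylogger has shipped the old passwords to the operator, a replacement that is a case change, an incremented year, a leetspeak rewrite or the old password with a word bolted on is still guessable. The following is an added example, not code from the advisory or from any of the issuing agencies, that rejects such replacements. The normalisation rules (case folding, stripping trailing digits and punctuation, undoing common character substitutions), the substring rule and the one-edit threshold are assumptions chosen for illustration rather than a published policy; the captured passwords are constructed sample data.

```python
"""Check that replacement credentials cannot be derived from the old ones.

Added example, not code from the advisory. The normalisation rules and the
similarity thresholds below are assumptions chosen for illustration.
"""
import re
import secrets
import string

# Common keyboard substitutions an attacker will try when guessing from an
# old password (assumed set, extend as needed).
_LEET = str.maketrans("@$013!", "asolei")
_MIN_SUBSTRING = 4      # shorter fragments are too common to count as reuse
_MAX_EDIT_DISTANCE = 1  # one typo-level edit still counts as the same password


def normalise(password: str) -> str:
    """Reduce a password to the core an attacker would guess around."""
    lowered = password.lower()
    # Drop trailing digits/punctuation ("Winter2022!" -> "winter"); if that
    # leaves nothing (all-digit password), keep the lowered original.
    core = re.sub(r"[\d\W_]+$", "", lowered) or lowered
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative single-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str) -> bool:
    """True if `new` is a trivial transformation of `old`."""
    a, b = normalise(old), normalise(new)
    if a == b:
        return True
    shorter, longer = sorted((a, b), key=len)
    if len(shorter) >= _MIN_SUBSTRING and shorter in longer:
        return True
    return edit_distance(a, b) <= _MAX_EDIT_DISTANCE


def review_rotation(history: list[str], candidate: str) -> list[str]:
    """Return the old passwords the candidate is derived from (empty = OK)."""
    return [old for old in history if too_similar(old, candidate)]


def generate_password(length: int = 20) -> str:
    """Random replacement from the OS CSPRNG, unrelated to any old value."""
    alphabet = string.ascii_letters + string.digits + "-_.:,;!?#%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: passwords assumed captured by the keylogger.
    captured = ["Winter2022!", "P@ssw0rd1", "hunter2"]
    for candidate in ["Winter2023!", "password", "MyHunter2", "correct-horse-battery"]:
        hits = review_rotation(captured, candidate)
        print(f"{candidate!r}: {'REJECT, derived from ' + str(hits) if hits else 'ok'}")
    print("generated replacement:", generate_password())
```

Run it against the real password history only from a machine you trust; feeding the old passwords to a script on the compromised host defeats the purpose. The check is deliberately conservative (a single edit or a shared fragment of four characters is enough to reject), because the attacker holds the exact old value and will try the cheap variations first.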
System owners are also advised to apply updates to their operating systems, as modern versions of Windows, Linux and macOS make it much more difficult for adversaries to operate in kernel space. “This will make it much more difficult for FSB actors to load the Snake kernel driver onto the target system.”
If system owners receive detection signatures of Snake implant activity or have other indicators of compromise associated with FSB actors using Snake, the affected organization should immediately initiate its documented incident response plan, the notice added. This should include separating user and privileged accounts to make it harder for FSB actors to obtain admin credentials, using network segmentation to deny all connections by default unless explicitly required for system-specific functionality, and implementing phishing-resistant multifactor authentication (MFA) to add an extra layer of security even when account credentials are compromised.
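The segmentation recommendation above is the one that most directly breaks the lateral movement the advisory describes (a foothold on an external node, then admin credentials, then domain controllers), but only if the policy really is deny-by-default with an explicit allowlist rather than a blocklist of known-bad ports. The following is an added example, not code from the advisory, that models such a policy, evaluates a handful of flows against it and renders it as an nftables forward chain. The zones, addresses, ports and rule comments are constructed for illustration, and the nftables output is one possible realisation rather than anything the advisory prescribes.

```python
"""Default-deny segmentation policy with an explicit allowlist.

Added example, not code from the advisory. Zones, addresses and ports are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Allow:
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp" or "udp"
    port: int    # destination port
    why: str     # the system-specific function that requires the flow


WORKSTATIONS = "10.10.0.0/16"
JUMP_HOSTS = "10.20.0.0/24"        # admin-only access path
DOMAIN_CONTROLLERS = "10.0.1.0/24"
INTRANET_WEB = "10.0.2.0/24"

# Constructed allowlist: everything not listed here is dropped.
POLICY = [
    Allow(WORKSTATIONS, DOMAIN_CONTROLLERS, "tcp", 88, "Kerberos authentication"),
    Allow(WORKSTATIONS, DOMAIN_CONTROLLERS, "udp", 53, "DNS"),
    Allow(WORKSTATIONS, DOMAIN_CONTROLLERS, "tcp", 389, "LDAP lookups"),
    Allow(WORKSTATIONS, INTRANET_WEB, "tcp", 443, "intranet web apps"),
    Allow(JUMP_HOSTS, DOMAIN_CONTROLLERS, "tcp", 3389, "RDP for administrators"),
    Allow(JUMP_HOSTS, DOMAIN_CONTROLLERS, "tcp", 445, "SMB for administrators"),
]


def decide(src: str, dst: str, proto: str, port: int, policy=POLICY):
    """First matching allow rule wins; no match means deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and proto == rule.proto and port == rule.port):
            return "allow", rule.why
    return "deny", "no allow rule matches (default deny)"


def to_nftables(policy=POLICY, table="segmentation") -> str:
    """Render the allowlist as an nftables forward chain with policy drop."""
    lines = [f"table inet {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.port} "
                     f'ct state new accept comment "{r.why}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows: what a compromised workstation tries, versus what
# a legitimate client and an administrator actually need.
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.0.1.10", "tcp", 88),    # workstation -> DC Kerberos
    ("10.10.5.7", "10.0.1.10", "tcp", 445),   # workstation -> DC SMB (admin shares)
    ("10.10.5.7", "10.10.5.8", "tcp", 445),   # workstation -> workstation SMB
    ("10.10.5.7", "10.0.1.10", "tcp", 3389),  # workstation -> DC RDP
    ("10.20.0.5", "10.0.1.10", "tcp", 3389),  # jump host -> DC RDP
    ("10.0.1.10", "10.10.5.7", "tcp", 5985),  # DC -> workstation WinRM
]


def evaluate(flows=SAMPLE_FLOWS, policy=POLICY):
    """Return (flow, verdict, reason) for each sample flow."""
    return [(f, *decide(*f, policy=policy)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, why in evaluate():
        print(f"{flow[0]:>10} -> {flow[1]}:{flow[3]}/{flow[2]}  {verdict:5}  {why}")
    print(to_nftables())
```

The design point is that each allow rule carries the system-specific reason that justifies it; a rule without a reason is a candidate for removal. Note that the workstation-to-workstation SMB flow and the workstation-to-domain-controller SMB and RDP flows are denied without any rule naming them, which is what stops a harvested admin credential from being usable from an ordinary endpoint.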
Copyright © 2023 IDG Communications, Inc.
International security agencies are warning of a malware threat, dubbed “Snake” by intelligence services, attributed to Russia’s Federal Security Service (FSB). The malware is designed to give its operators long-term covert access to government and critical infrastructure networks and is known to have infiltrated a number of networks so far.
Operated by the FSB’s Center 16, Snake can move through a target’s networks and extract sensitive data stored on its systems, and its modular architecture lets the operators load additional components to use a compromised system in future operations.
Because of its stealth, the malware has been able to slip past many security systems. The joint advisory notes that its network signatures can be changed by the operators and that its host artifacts can be renamed or relocated, so more traditional threat detection and prevention methods may miss it; memory analysis offers the best visibility, and more advanced security solutions may be able to detect and even block the threat.
Ikaroa, a full-stack tech company, specializes in security solutions that provide real-time, proactive protection which can identify and neutralize malicious threats such as this Russian ‘Snake’ malware. With fully managed security operations, complete with threat intelligence and automated reporting, we can help organizations keep their operations safe from advanced threats.
To keep your organization secure from this and other advanced threats, ensure that you are taking the necessary steps to secure your systems and data, such as deploying the latest security patches, updating your operating system, and running periodic vulnerability scans. You’ll also want to consider a multi-layered, end-to-end security solution to protect against not only malware threats but also ransomware attacks, phishing campaigns, and other malicious activities.
By implementing the right security strategy and solutions, such as those provided by Ikaroa, organizations can protect themselves against the Russian “Snake” malware and other sophisticated threats. All it takes is a combination of solutions and processes that can help detect and contain the threat, quickly and before any damage is done.