A diagram from Kaspersky Lab shows multiple stages of the Regin malware exploit. (Credit: Kaspersky)Cybersecurity professionals should be paying close attention to Web browsing and email services in the wake of a highly sophisticated malware application being compared to some of the most elaborate threats in recent memory.
Regin (pronounced REE-jin) was discovered over the weekend by security firm Symantec, which concluded that the malware is a “highly complex threat” that’s been used “for large-scale data collection or intelligence gathering campaigns.” The firm found that two versions of the software have been moving through the Internet, but the worm’s complexity has kept it hidden for years.
“One of the things that makes Regin unique is that it is very difficult to detect, due to its modular architecture and specialized encryption,” said Liam O’Murchu, a security response manager for Symantec Corp. “We believe the attacks may have originated via browsing the Web or via email, which are currently two of the most popular attack vectors we see used. Looking at these avenues is important while still understanding that attacks like these are sophisticated and can take advantage of weaknesses in many parts of an organization.”
Kaspersky Lab Inc., which also put out its own study on Regin, said information security professionals should pay particular attention to Microsoft Windows domain controllers, large databases, systems with Internet connectivity and proxy servers.
“A few things to consider are to install a modern security suite on all endpoints and servers,” a spokeswoman for Kaspersky Lab told FedScoop. “Log events and set up a centralized logging system. Keep everything updated. Also, use whitelisting and default deny policies as much as possible.”
Symantec found that targets included private companies, government entities and research institutions across the globe. Regin has been found in more than 10 different countries, with the majority of Symantec’s findings pinpointing the exploit in Saudi Arabia and Russia. The firm also said telecom industry systems have accounted for more than a quarter of reported instances.
A breakdown by country of the instances of the Regin malware exploit. (Credit: Symantec)Kaspersky took the telecom angle even further, with researchers stating in a blog post that the malware has the ability to intercept cell phone calls and text messages by manipulating antennas on GSM networks:
The ability of this group to penetrate and monitor GSM networks is perhaps the most unusual and interesting aspect of these operations. In today’s world, we have become too dependent on mobile phone networks which rely on ancient communication protocols with little or no security available for the end user. Although all GSM networks have mechanisms embedded which allow entities such as law enforcement to track suspects, there are other parties which can gain this ability and further abuse them to launch other types of attacks against mobile users.
Neither firm could pinpoint the origin of the worm, but they said they have logged instances of Regin as far back as 2008. Both Symantec and Kaspersky said Regin is specifically used for intelligence gathering by a nation-state with the ability to facilitate other types of attacks.
Multiple reports have security experts claiming Regin is the work of the NSA and Britain’s Government Communications Headquarters. A technical analysis on The Intercept finds the malware was found on European Union systems that were targeted by the NSA. A Wall Street Journal report said the bug is tied to “Operation Socialist,” which was detailed in the documents leaked by former NSA analyst Edward Snowden.
Because of its intricacy and the fact that only fragments of the worm were studied, Symantec said other versions may remain undiscovered. The firm plans to continue to examine Regin and will release updates if more information is uncovered.
Both Kaspersky and Symantec have released white papers with more information on Regin.
