A series of new IoT botnets plague connected devices

The Masuta botnets

Two other new botnets on the scene do show similarities to Mirai, however.

The Masuta and PureMasuta variant were discovered by researchers at the company NewSky Security and appear to be the work of the Satori botnet creators. The Satori botnet targeted Huawei routers earlier this month, and the Masuta botnets now also target home routers.

According to the research from NewSky Security, Masuta shares a similar attack method with Mirai and uses weak, known or default credentials to access the targeted devices. PureMasuta is a bit more sophisticated and exploits a network administration bug uncovered in 2015 in D-Link's Home Network Administration Protocol, which relies on the Simple Object Access Protocol to manage device configuration.

"Protocol exploits are more desirable for threat actors as they usually have a wider scope," Ankit Anubhav, principal researcher at NewSky Security, wrote in the analysis of the botnets. "A protocol can be implemented by various vendors/models and a bug in the protocol itself can get carried on to a wider range of devices."

PureMasuta has been infecting devices since September 2017.

In other news

• Kaspersky Lab filed a preliminary injunction as part of its appeal against the U.S. Department of Homeland Security's ban on the use of the company's products in government agencies. The ban was originally issued in September 2017 in response to concerns that the Moscow-based security company helped the Russian government gather data on the U.S. through its antivirus software and other products. The ban, Binding Operational Directive (BOD) 17-01, was reinforced in December 2017 in the National Defense Authorization Act, despite offers from Kaspersky to have the U.S. government investigate its products and operations. In response to the National Defense Authorization Act, Kaspersky Lab filed a lawsuit against the U.S. government saying that the ban was unconstitutional. As part of the lawsuit, the injunction would, for now, stop the government ban on BOD 17-01.
• The PCI Security Standards Council (PCI SSC) published new security requirements for mobile point-of-sale systems. The requirements focus on software-based PIN entry on commercial off-the-shelf (COTS) mobile devices. Requirements already exist for hardware-based devices that accept PINs, so these standards expand on them. The so-called PCI Software-Based PIN Entry on COTS (SPoC) Standard introduces a "requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies," according to PCI SSC CTO Troy Leach. The standard consists of two documents: the Security Requirements for solution providers, including designers of applications that accept PINS; and the Test Requirements, which "create validation mechanisms for payment security laboratories to evaluate the security" of the PIN processing apps. The SPoC security requirements focus on five core principles, according to Leach:
  • isolation of the PIN from other account data;
  • ensuring the software security and integrity of the PIN entry application on the COTS device;
  • active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet;
  • Required Secure Card Reader for PIN (SCRP) to encrypt and maintain confidentiality of account data; and
  • transactions restricted to EMV contact and contactless.
• Alphabet, best known for being Google's parent company, launched a new cybersecurity company -- Chronicle. Chronicle is an offshoot of the group X and will be a stand-alone company under Alphabet. Former Symantec COO Stephen Gillett will be the company's CEO. Chronicle offers two services to enterprises: a security intelligence and analytics platform and VirusTotal, an online malware and virus scanner Google acquired in 2012. "We want to 10x the speed and impact of security teams' work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find," Gillett said in a blog post announcing the company launch. "We are building our intelligence and analytics platform to solve this problem." The announcement did not provide many specifics, but the launch could pose a significant threat to cybersecurity vendors that do not have access to the same resources as a company with the same parent as Google.