Sowbug Cyberespionage Group Hits South America, Southeast Asia

Security researchers have identified a cyberespionage group that has been stealing data from policy and diplomatic organizations in South America and Southeast Asia since at least 2015.

“While cyberespionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted,” researchers from Symantec said in a report about the newly identified group. “However, the number of active cyberespionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat.”

Symantec’s investigation into Sowbug started in March after researchers from security firm Forcepoint published a report about a previously unknown but well-written malware program they dubbed Felismus.

At the time, the Forcepoint researchers noted that the malware was modular, hid its communications very well and was capable of hindering analysis efforts. Because very few samples were identified in the wild, they concluded that it must have been part of a highly targeted attack by a professional and coordinated group of hackers who had good “operational hygiene,” but whose ultimate intentions were unknown.

Symantec also started tracking the malware and identified related attack campaigns that went as far back as early 2015. The company attributed the operations to a single group it decided to call Sowbug.

“To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia,” the researchers said. “The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile.”

Evidence suggests that Sowbug attackers are surgical in their operations, knowing exactly what branch of an institution they want to hit and which documents they want to locate and exfiltrate.

In one case the attackers broke into a specific division of a South American country’s foreign ministry, the division responsible for relations with Southeast Asia, the other region the group appears to be interested in. After reviewing the documents taken from that division, they expanded their access to another branch of the same ministry, the one responsible for relations with international organizations.

Sowbug maintains a low profile and can sit inside an organization’s network for as long as six months, according to Symantec. Its Felismus malware masquerades as known Windows components or popular software packages from Adobe and other companies.

It is not entirely clear how Felismus reaches compromised computers, but in some cases it was installed by a second trojan that Symantec calls Starloader. The same loader was used to deploy other malicious components, including credential dumpers and keyloggers.

“It is still unknown how Starloader is installed on the compromised computer,” the Symantec researchers said. “One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools.”
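The masquerading described above gives defenders something concrete to hunt for. The following PowerShell script is an added example, not Symantec’s or Forcepoint’s tooling: it takes process-start records (constructed samples here, not real telemetry) and flags binaries that use one of the updater names quoted in the report but are unsigned, signed by an unexpected vendor, or launched from outside the normal install directories, adding off-hours execution as a corroborating signal. The expected-signer table, trusted roots, business-hours window and sample records are assumptions made for the demonstration; only the three file names come from the report.

```powershell
# Added example (not Symantec's or Forcepoint's tooling): triage process-start
# records for binaries that borrow the updater names reported above.
# Only the three file names come from the report; the expected-signer table,
# trusted install roots, office-hours window and sample records are assumptions
# constructed for this demonstration.

# Vendor whose Authenticode signature a genuine updater of that name would carry (assumed).
$expectedSigner = @{
    'adobeupdate.exe'   = 'Adobe'
    'acrobatupdate.exe' = 'Adobe'
    'intelupdate.exe'   = 'Intel'
}
# Directories a real vendor updater would normally be launched from (assumed).
$trustedRoots = @('C:\Program Files\', 'C:\Program Files (x86)\', 'C:\Windows\')

function Test-UpdaterMasquerade {
    # $Record needs .Path (image path), .Signer (subject name of a valid
    # signature, or $null when unsigned/invalid) and .Started ([datetime]).
    param([Parameter(Mandatory)] $Record)

    $name = [IO.Path]::GetFileName($Record.Path).ToLowerInvariant()
    if (-not $expectedSigner.ContainsKey($name)) { return }   # not a name we care about

    $reasons = @()
    if ([string]::IsNullOrEmpty($Record.Signer)) {
        $reasons += 'unsigned binary using a vendor updater name'
    } elseif ($Record.Signer -notmatch [regex]::Escape($expectedSigner[$name])) {
        $reasons += "signer '$($Record.Signer)' is not $($expectedSigner[$name])"
    }

    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($Record.Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
    }
    if (-not $inTrustedRoot) {
        $reasons += "launched from untrusted location $([IO.Path]::GetDirectoryName($Record.Path))"
    }

    # Corroborating signal only: Symantec notes Sowbug tends to operate outside the
    # victim's working hours. A legitimate updater running at night is not suspicious
    # by itself, so this is appended only when a stronger indicator already fired.
    $t = $Record.Started
    $offHours = ($t.Hour -lt 8) -or ($t.Hour -ge 18) -or
                ($t.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday))
    if ($reasons.Count -gt 0 -and $offHours) { $reasons += 'started outside business hours' }

    return $reasons
}

# Constructed sample records (not real telemetry).
$samples = @(
    [pscustomobject]@{ Host = 'WS-014'; Path = 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcrobatUpdate.exe'
                       Signer = 'Adobe Systems Incorporated'; Started = [datetime]'2017-11-06 10:02' }
    [pscustomobject]@{ Host = 'WS-014'; Path = 'C:\Users\jdoe\AppData\Local\Temp\AdobeUpdate.exe'
                       Signer = $null;                        Started = [datetime]'2017-11-04 02:13' }
    [pscustomobject]@{ Host = 'WS-027'; Path = 'C:\ProgramData\INTELUPDATE.EXE'
                       Signer = 'Contoso Software Ltd';       Started = [datetime]'2017-11-06 11:40' }
    [pscustomobject]@{ Host = 'WS-027'; Path = 'C:\Windows\System32\svchost.exe'
                       Signer = 'Microsoft Windows';          Started = [datetime]'2017-11-06 11:41' }
)

foreach ($r in $samples) {
    $hits = @(Test-UpdaterMasquerade -Record $r)
    if ($hits.Count -gt 0) {
        "{0}  {1}" -f $r.Host, $r.Path
        $hits | ForEach-Object { "    - $_" }
    }
}
```

In practice the records would come from process-creation telemetry (Sysmon event ID 1, or Security event 4688 with command-line auditing) and the signer field from Get-AuthenticodeSignature or the endpoint sensor’s own signature check. The vendor match is deliberately loose, since Adobe and Intel sign under more than one subject name; the point is to catch a binary that carries the name but not the vendor’s signature or location, which is exactly the mismatch Starloader relied on.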

Microsoft Publishes Hardware Requirements for Highly Secure Windows 10 Devices

Microsoft has published the hardware and firmware requirements that desktops, laptops, tablets and other devices running the latest version of Windows 10 must meet to be considered “highly secure.” These specifications are the baseline the operating system’s security features need in order to be enabled and to work at their full potential; on hardware that falls short, features such as virtualization-based security are either unavailable or only partially effective.

According to Microsoft’s standards, the device CPU should be on Intel’s 7th generation processors (Intel i3/i5/i7/i9-7x), Core M3-7xxx and Xeon E3-xxxx, current Intel Atom, Celeron and Pentium processors or AMD 7th generation processors (A Series Ax-9xxx, E-Series Ex-9xxx, FX-9xxx).

Processors must be 64-bit, because virtualization-based security (VBS) depends on the Windows hypervisor, which runs only on 64-bit CPUs. They must provide an Input-Output Memory Management Unit (IOMMU, sold as Intel VT-d and AMD-Vi; SMMU on ARM platforms), and every I/O device must sit behind the IOMMU/SMMU so that a peripheral’s DMA cannot reach arbitrary memory. They must also support virtual machine extensions with second level address translation (SLAT), such as Intel VT-x with Extended Page Tables (EPT) or AMD-V with Rapid Virtualization Indexing (RVI).

“The presence of these hardware virtualization features must be unmasked and reported as supported by the system firmware, and these features must be available for the operating system to use,” Microsoft said.

Systems also must have a Trusted Platform Module (TPM) version 2.0 that conforms to the Trusted Computing Group (TCG) specification. The TPM provides secure storage for cryptographic keys, including the keys that protect BitLocker disk encryption.

Systems must support cryptographic verification of the boot process, such as Intel Boot Guard in Verified Boot mode, AMD Hardware Verified Boot, or an OEM equivalent. The available RAM should be 8 GB or more.

As far as the low-level firmware is concerned, devices must implement the Unified Extensible Firmware Interface (UEFI) version 2.4 or later, as UEFI Class 2 or Class 3 (Class 2 firmware still carries a legacy Compatibility Support Module; Class 3 is UEFI-only). Their firmware drivers must be compliant with Hypervisor-based Code Integrity (HVCI), and UEFI Secure Boot must be supported and enabled by default. Devices must also implement Secure MOR (MemoryOverwriteRequestControlLock) revision 2, the TCG reset-attack mitigation that lets the OS ask the firmware to clear RAM on reboot and locks that request against tampering, and they must support the Windows UEFI Firmware Capsule Update mechanism, through which the OS delivers firmware updates.
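A practitioner taking delivery of new hardware will want to verify a device against this list rather than trust the spec sheet. The script below is an added example, not Microsoft’s own tooling, to be run in an elevated PowerShell session on the device under test. It relies on the documented Win32_Tpm and Win32_DeviceGuard WMI classes, Confirm-SecureBootUEFI and the firmware_type environment variable; the check labels and the PASS/FAIL layout are this example’s own, with the 8 GB and TPM 2.0 thresholds taken from the requirements above.

```powershell
# Added example (not Microsoft's tooling): a read-only audit of the firmware and
# virtualization requirements listed above, to be run in an elevated PowerShell
# session on the device under test. The 8 GB and TPM 2.0 thresholds come from the
# article; the property codes follow Microsoft's documented Win32_DeviceGuard and
# Win32_Tpm WMI classes. Labels and the PASS/FAIL layout are this script's own.

$checks = [ordered]@{}

# 64-bit OS booted through UEFI (Class 2/3 firmware boots Windows in UEFI mode, not via CSM).
$checks['64-bit Windows'] = [Environment]::Is64BitOperatingSystem
$checks['UEFI boot']      = ($env:firmware_type -eq 'UEFI')

# Secure Boot enabled. Confirm-SecureBootUEFI throws on legacy-BIOS systems and when not elevated.
try   { $checks['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $checks['Secure Boot enabled'] = $false }

# TPM 2.0 per the TCG specification; SpecVersion reads like "2.0, 0, 1.38".
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$checks['TPM 2.0 present'] = ($null -ne $tpm) -and ($tpm.SpecVersion -like '2.0*')

# Virtualization-based security. Win32_DeviceGuard reports what the platform offers:
# AvailableSecurityProperties 1 = hypervisor support (VT-x/AMD-V with SLAT), 2 = Secure Boot,
# 3 = DMA protection (IOMMU), 4 = Secure Memory Overwrite (MOR).
# SecurityServicesRunning 2 = HVCI; VirtualizationBasedSecurityStatus 2 = VBS running.
$dg    = Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard
$avail = @($dg.AvailableSecurityProperties)
$checks['Hypervisor/SLAT support'] = $avail -contains 1
$checks['IOMMU DMA protection']    = $avail -contains 3
$checks['Secure MOR']              = $avail -contains 4
$checks['VBS running']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$checks['HVCI running']            = @($dg.SecurityServicesRunning) -contains 2

# 8 GB or more. TotalPhysicalMemory is slightly below the nominal size (firmware reservations),
# so round to the nearest whole gigabyte before comparing.
$ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
$checks["RAM >= 8 GB (found $ramGB GB)"] = ($ramGB -ge 8)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Intel Boot Guard or AMD Hardware Verified Boot status, the UEFI specification revision and capsule-update support are not surfaced by these classes; those have to be confirmed from OEM documentation or by inspecting the firmware itself. Note also that a device can expose the hardware (PASS on the support rows) while VBS and HVCI are still switched off by policy, which is why the script reports the running state separately from the capability.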

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade; his work has appeared in many technology publications, including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
