Common cybercriminals are a menace, there’s no doubt about it – from bedroom hackers through to ransomware groups, cybercriminals are causing a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups such as the famous hacking groups and state-sponsored groups.
In fact, these tools can prove almost impossible to detect – and guard against. BVP47 is a case in point. In this article, we’ll outline how this powerful state-sponsored malware has been quietly circulating for years, how it so cleverly disguises itself, and explain what that means for cybersecurity in the enterprise.
Background story behind BVP47
It’s a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group called Pangu Lab published an in-depth, 56-page report covering a piece of malicious code that the research group decided to call BVP47 (because BVP was the most common string in the code, and 47 given that the encryption algorithm uses the numerical value 0x47).
The report is truly in-depth with a thorough technical explanation, including a deep dive into the malware code. It reveals that Pangu Lab originally found the code during a 2013 investigation into the state of computer security at an organization that was most likely a Chinese government department – but why the group waited until now to publish the report isn’t stated.
As a key factor, the report links BVP47 to the “Equation Group”, which in turn has been tied to the Tailored Access Operations Unit at the United States National Security Agency (the NSA). Pangu Lab came to this conclusion because it found a private key that could trigger BVP47 within a set of files published by The Shadow Brokers (TSB) group. TSB attributed that file dump to the Equation Group, which leads us back to the NSA. You just couldn’t make it up, and it’s a story fit for a motion picture film.
How does BVP47 work in practice?
But enough about the spy vs. spy element of the story. What does BVP47 mean for cybersecurity? In essence, it works as a very clever and very well-hidden back door into the target network system, which enables the party that operates it to gain unauthorized access to data – and to do so undetected.
The tool has a couple of very sophisticated tricks up its sleeve, in part relying on exploiting behavior that most sysadmins would not look for – simply because nobody thought any technology tool would behave like that. It starts its infectious path by setting up a covert communication channel in a place nobody would think to look: TCP SYN packets.
In a particularly insidious turn, BVP47 has the capability to listen on the same network port in use by other services, which is something that’s very difficult to do. In other words, it can be extremely hard to detect because it’s difficult to differentiate between a standard service using a port, and BVP47 using that port.
The difficulty in defending against this line of attack
In yet another twist, the tool regularly tests the environment in which it runs and erases its tracks along the way, hiding its own processes and network activity to ensure there are no traces left to find.
What’s more, BVP47 uses multiple encryption methods across multiple encryption layers for communication and data exfiltration. It’s typical of the top-tier tools used by advanced persistent threat groups – including the state-sponsored groups.
Taken in combination, it amounts to incredibly sophisticated behavior that can evade even the most astute cybersecurity defenses. The most capable mix of firewalls, advanced threat protection and the like can still fail to stop tools such as BVP47. These backdoors are so powerful because of the resources deep-pocketed state actors can throw at developing them.
As always, good practice is your best bet
That doesn’t mean, of course, that cybersecurity teams should just roll over and give up. There is a series of activities that can make it, at the very least, harder for an actor to deploy a tool such as BVP47. Awareness and detection activities are worth pursuing, as tight monitoring may still catch a remote intruder out. Similarly, honeypots can attract attackers to a harmless target – where they may well reveal themselves.
However, there’s a simple, first-principles approach that delivers a huge amount of protection. Even sophisticated tools such as BVP47 relies on unpatched software to gain a foothold. Consistently patching the OS and applications you depend on is, therefore, your very first port of call.
The act of applying a patch in its own right isn’t the most challenging step to take – but as we know, patching rapidly every single time is something most struggling with organizations.
And of course, that’s exactly what threat actors such as the team behind BVP47 rely on, as they lie and wait for their target, who would inevitably be too resourced stretched to patch consistently, eventually missing a critical patch.
What can pressured teams do? Automated, live patching is one solution as it removes the need to patch manually – and eliminates time-consuming restarts and the associated downtime. Where live patching isn’t possible, vulnerability scanning can be used to highlight the most critical patches.
Not the first—and not the last
In-depth reports such as this are important in helping us stay aware of critical threats. But BVP47 has been in play for years and years before this public report, and countless systems were attacked in the meantime – including high profile targets around the world.
We don’t know how many similar tools are out there – all we know is what we need to do to maintain a consistently strong cybersecurity posture: monitor, distract and patch. Even if teams can’t mitigate every threat they can at least mount an effective defense, making it as difficult as possible to successfully operate malware.