One of my favourite parts of working at Guardicore is seeing the cool stuff that our Labs team does, and their latest piece of research is no different. The illustrious Guardicorians Liad Mordekoviz and Ophir Harpaz are back at it with their update to the Indexsinas worm. You might also know this worm by its pseudonym NSABuffMiner.
If you missed the original research release, I’ll break it down at a high level here. Like, super high-level. If the actual research is more your jam, click that button below.
Who was affected?
This was a pretty large attack scope. Since 2019, our sensors have recorded over 2000 attacks from over 1300 sources. Some of the notable affected industries were hospitality, education, healthcare, government, and telecom.
How does Indexsinas work?
It’s nothing if not persistent. Between covering its tracks by deleting its own handiwork and stopping other, unrelated programs, this worm is no joke.
Once the worm makes it into an environment, it installs a Remote Access Tool (RAT) and pulls an E.T. – phones home – to the command and control domain in South Korea. Once this has happened, it can propagate throughout the environment using the user’s token.
Then it drops the cryptominer.
What does it want?
Indexsinas wants two things: to move and groove across the network and across the internet. Just like any other worm, it wants more friends at its party. As mentioned before, it cleans house of the programs that could tattle on it, as well as its own old traces. At least it’s a rather polite house guest, cleaning up after itself. Once it’s ready for the next one, it moves on to the next machine (house, in this analogy) and starts over.
How to detect and prevent against Indexsinas
Our Labs team not only did the research, but built a detection tool as well. You can run the command-line tool found on our GitHub, which comes with detailed instructions.
For prevention, as with any sort of threat that thrives on lateral movement, visibility and segmentation are going to be your friends here. As cliché as it is, you really can’t secure what you can’t see. Additionally, having proper segmentation in place makes it more difficult for the attack to move – and allows more opportunities for it to be seen and stopped. It’s just like stopping ransomware: the less it can move, the less damage it can do.
Want to learn more?
Like I mentioned, this is just an overview of the incredible work Ophir and Liad did on this project. You can see their full research on our Labs blog. It’s, as the kids say, lit.
I wouldn’t be doing my job as a marketer without hat tipping to the fact that the prevention piece of shutting down lateral movement is exactly what we do here. You can see some screenshots of Centra in the research showcasing that.