The AchieVer Posted June 15, 2019

Mysterious Iranian group is hacking into DNA sequencers

Hackers are scanning the internet and planting shells on web-based DNA sequencing apps.

Web-based DNA sequencer applications are under attack from a mysterious hacker group using a still-unpatched zero-day to take control of targeted devices. The attacks started two days ago, on June 12, and are still going on, according to Ankit Anubhav, a security researcher with NewSky Security, who shared his findings with ZDNet.

HACKERS PLANTING SHELLS ON DNA SEQUENCER WEB APPS

Anubhav says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations. The researcher told ZDNet the hacker is exploiting CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day, even though the vendor was notified back in 2017. Anubhav says the attackers are using this vulnerability to plant shells that allow them to control the underlying web server from remote locations.

ATTACK MOTIVES UNKNOWN

It is unclear how the group is using these backdoors into hacked systems post-infection. Anubhav says there could be two scenarios. In the first, the attacker may be looking to exfiltrate hashes of DNA sequences from the application's database. "DNA theft in specific cases can be fruitful," Anubhav said. "Either it can be sold on the black market, or a high-profile attacker can actually be looking for a specific person's data."

The second, and most plausible, scenario is that the attackers might be using the infected servers as part of a botnet, or using the shell to plant cryptocurrency miners on the hijacked systems. A previous ZDNet report highlighted that most IoT botnets nowadays are the work of attention-seeking kids who take random exploits from the ExploitDB exploit database and assemble botnets at random. This might be one of those cases, with this botnet's author using an exploit at random, not knowing what they're actually targeting.

"This particular attack may not be useful for a script kiddie or a botnet operator," Anubhav said, pointing out that there are only between 35 and 50 such highly complex DNA sequencer apps available online, a number far too small to build a botnet around.

GROUP ALSO TARGETED ROUTERS AND STRUTS SERVERS

Furthermore, the theory that this might be the work of a script kiddie playing with random exploits, rather than a nation-state sponsored group, becomes more believable when we look at the historical activity coming from the attacker's IP address. Per NewSky's own records, the attacker has been seen using the nmap tool to scan the internet and attempt to use two other exploits to take over systems -- one for Zyxel routers, and a second for Apache Struts installations.

"We cannot decide on the motive of these attacks just yet," Anubhav told ZDNet. "Regardless, the DNA sequencer systems which hold this confidential information can get pwned."

With the vendor having refused to patch the security flaw back in 2017, these systems remain open to attack. The danger these systems pose can only be evaluated on a per-case basis. If the DNA sequencing data is anonymized, any stolen data will most likely be useless. If not, then a serious breach may occur if the hackers have stolen any info from these systems. Sure, DNA data may be useless right now, but with biometric solutions spreading every year, non-anonymized data might actually be worth something a few years from now.

Source
shmox Posted June 16, 2019

So this group is smart enough to exploit a 0-day breach and dumb enough not to spoof their IPs? 😛
Jogs Posted June 16, 2019

Fake IP
steven36 Posted June 17, 2019

23 hours ago, Jogs said: Fake IP

Most VPNs don't have Iran's IPs; besides, security researchers can run a check on IPs to see if they're using a VPN or proxy to spoof their IPs. Hacking DNA is not really useful; sounds like someone just trying to prove a point. DNA is only useful if you committed a crime or wanted to find out someone's birth parents. Stealing it would not be very profitable. Sounds like the same group of hackers who hacked into the colleges here a while back and stole academic studies that are freely available on the internet.