Operation Windigo (no, it’s not a font name) - Indicators of Compromise
The latest comer to the never-ending parade of botnet and hacking campaign discoveries has been announced: on Tuesday, March 18th, ESET released a paper containing their research into a long-running attack against Linux and Unix based servers, named “Operation Windigo”.
Included in this paper is actionable information, known as “Indicators of Compromise” (IOCs), that enables security analysts and systems administrators to determine whether a service-providing system under their control may be infected. IOCs are not guaranteed to be accurate (they can produce both false positives and false negatives), but they help level the playing field by letting system owners key in on suspect systems for further analysis.
Any time a body of research with significant and wide-reaching implications is released, system owners and their management should respond as practicably and efficiently as possible. The server-side components of Windigo only targeted Unix and Linux systems, which narrows the scope of work for most organizations, many of which have only a small population of Linux and Unix systems in their infrastructure.
Also to be considered is the end goal of the Windigo campaign: infect visitors to compromised web servers, and capture the credentials of administrators who use SSH to access the compromised systems. With this in mind, checking the systems in your infrastructure becomes an exercise in prioritization: check the Internet-facing systems running SSH and a web server first, and follow up with checks of non-public systems afterwards.
A quick-check script is available at http://bit.ly/OCoNsc for use by security analysts and systems administrators. This script is intended to perform the most basic checks with the least impact on a system; as with any script downloaded from a third party, read it before running it on production hosts. Based on the output for each system, further investigation will be required to confirm a potential compromise.
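To make the “basic checks” concrete, the script below is an added example written for this post; it is not the script behind the link above and not ESET’s code. It turns the three Ebury indicators ESET published for Windigo (the undocumented `ssh -G` switch, an oversized `libkeyutils.so`, and a large 666-permission shared memory segment) into small POSIX sh functions, keeps the decision logic separate from the live commands so it can be exercised offline on constructed input, and prints a per-indicator verdict. The 1 MB shared-memory floor and the constructed `ipcs -m` samples are assumptions chosen for the example; the 15 KB library threshold is the figure ESET gave in 2014. Two of these indicators have aged badly: OpenSSH 6.8 and later implement a genuine `-G` option, and current `libkeyutils` builds are larger than 15 KB, so on an up-to-date host expect those two checks to say “suspect” regardless. Treat a hit as a reason to look closer (package verification, file hashes, binary inspection), not as proof of compromise.

```shell
#!/bin/sh
# Added example for the Windigo post: Ebury quick checks as testable sh functions.
# Not the linked script and not ESET's code. Live checks run only when
# WINDIGO_LIVE=1 so the decision logic can be tested offline with sample data.

# Indicator 1 (ESET, 2014): Ebury's patched OpenSSH accepted an undocumented -G
# switch. A clean 2014-era ssh rejected it with "illegal option"/"unknown option".
# Caveat: OpenSSH 6.8+ has a real -G option, so modern hosts print usage instead
# and this check reports "suspect" for them.
classify_ssh_g_output() {
    case "$1" in
        *illegal*|*unknown*) echo clean ;;
        *)                   echo suspect ;;
    esac
}

# Indicator 2 (ESET, 2014): the trojanised libkeyutils.so carried the backdoor,
# making it much larger than the legitimate library; ESET's threshold was 15 KB.
# Caveat: current distributions ship libkeyutils builds above 15 KB.
libkeyutils_size_suspect() {
    [ "$1" -gt 15360 ] && echo suspect || echo clean
}

# Indicator 3 (ESET, 2014): Ebury kept stolen credentials in a large (about 3 MB)
# shared memory segment with permissions 666. Reads `ipcs -m` on stdin in the
# util-linux column layout (key shmid owner perms bytes nattch status) and flags
# any 666 segment above 1 MB. The 1 MB floor is an assumption for this example.
ipcs_segments_suspect() {
    awk '$1 ~ /^0x/ && $4 == "666" && $5 + 0 > 1048576 { n++ }
         END { if (n > 0) print "suspect"; else print "clean" }'
}

# Constructed `ipcs -m` samples (not captured from a real host) for offline testing.
IPCS_SAMPLE_CLEAN='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      postgres   600        56         6'
IPCS_SAMPLE_SUSPECT='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      postgres   600        56         6
0x00000000 65537      root       666        3282312    0'

# Run the indicators against the local host and print one verdict per check.
run_live_checks() {
    if command -v ssh >/dev/null 2>&1; then
        printf 'ssh -G check:     %s\n' "$(classify_ssh_g_output "$(ssh -G 2>&1)")"
    fi
    for lib in $(find /lib /lib64 /usr/lib /usr/lib64 -name 'libkeyutils.so*' -type f 2>/dev/null); do
        size=$(wc -c < "$lib")
        printf 'libkeyutils size: %s (%s, %s bytes)\n' "$(libkeyutils_size_suspect "$size")" "$lib" "$size"
    done
    if command -v ipcs >/dev/null 2>&1; then
        printf 'ipcs -m check:    %s\n' "$(ipcs -m 2>/dev/null | ipcs_segments_suspect)"
    fi
}

if [ "${WINDIGO_LIVE:-0}" = 1 ]; then
    run_live_checks
fi
```

Run it as `WINDIGO_LIVE=1 sh windigo-check.sh` on a host; without the variable the file only defines the functions, which is how the sample data above is exercised. Keeping the classification separate from the commands that gather evidence is the pattern worth copying into any IOC script: it lets you record the raw command output alongside the verdict, re-run the logic when thresholds change, and test the logic without touching production.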
If you’re running the StealthWatch System, the paper contains a number of domains, IP addresses, and ports that you can use to create host groups, searches, or filters. (Learn how to process IOCs in the StealthWatch System here.)
On a related note, this release and its wealth of information highlights the importance of ensuring your organization has a functional threat intelligence collection method. This can be as simple as an individual or team tasked with checking security news sources and subscribing to mailing lists, or as involved as threat intelligence automation and third-party intelligence subscriptions. Staying informed, combined with good people and process, enables an organization to stay ahead of the curve.