Let IDA, Hashcat, and eight 16GB NVIDIA GPUs be your friend…
When ASUS’s live software update servers were hacked last year, an estimated million-plus computers were infected with a backdoor. But only some 600 were actually being targeted, Kaspersky Lab, which revealed the compromise, said this week.
It subsequently released a downloadable tool for users to see if one of their computers was among those targeted, but declined to unveil the MAC addresses themselves, concealing them in the tool and protecting them using a salted hash algorithm.
For some, the temptation was too strong. Aussie cybersecurity company Skylight Cyber (founded by Israeli duo Adi Ashkenazy and Shahar Zini) this week cheekily reverse-engineered the tool to work out what encryption protocol was being used, then brute-forced it to reveal (and publish) 583 of the MAC addresses, saying Kaspersky Lab’s approach “does not really serve” the security community.
The move – and research by others in the community; Skylight Cyber was not alone in cracking the list, although it was the first to publicly publish a plain text version – reveal that the MAC addresses primarily belong to other large technology corporations like Intel, as well as ASUS itself, VMware, AMPAK and more.
Almost 600 #MAC addresses targeted in the #ShadowHammer #APT attack get cracked by @360TIC. Below are statistics of related NIC manufacturers, #ASUS, #Intel and #AzureWave account for the most part. pic.twitter.com/1Geflvxp4h
— 360 Threat Intelligence Center (@360TIC) March 27, 2019
ShadowHammer Attack: The MAC Addresses
Skylight Cyber said in a blog initially shared with the Hacker News and now publicly posted, that it used reverse engineering toolkit IDA, a custom-tweaked version of the HashCat password cracking tool and AWS’s p3.16xlarge instance (which carry eight of NVIDIA’s V100 Tesla 16GB GPUs: “say hello to my little friend”) to crack the encryption on 583 of the MAC addresses in less than an hour, in a “short but sweet” challenge.
We've published the [almost] full list of MAC addresses targeted by #shadowhammer in plain-text form (based on @Kaspersky's work). Feed into your #threatintel to see if your organization was targeted.https://t.co/G8QUVpi34M
— Skylight Cyber (@SkylightCyber) March 29, 2019
As they wrote: “Kaspersky have released an online tool that allows you to check your MAC address against a DB of victim MAC addresses (which is hidden). Good on Kaspersky on one hand, but on the other hand, this is highly inefficient, and does not really serve the security community. So, we thought it would be a good idea to extract the list and make it public so that every security practitioner would be able to bulk compare them to known machines in their domain.”
As well as being an entertaining read, it’s a sharp reminder that easily available compute power makes brute forcing even the SHA256 encryption protocol viable in a short period of time. As for your average password? Forget it.