Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

McAfee Blew Shady RAT Analysis, Kaspersky Says

Security expert Eugene Kaspersky dismissed the seriousness of the Shady RAT botnet and suggested McAfee was purposefully alarmist in its report.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
A war of words has emerged over McAfee's Shady RAT report, which traced the use of a set of remote access tools to a series of online attacks.

Eugene Kaspersky, CEO of Kaspersky Lab, alleged Thursday that McAfee--and in particular, Dmitri Alperovitch, McAfee's threat research VP and author of the report--purposefully mischaracterized the seriousness of the threat he found.

"We conducted detailed analysis of the Shady RAT botnet and its related malware, and can conclude that the reality of the matter (especially the technical specifics) differs greatly from the conclusions made by Mr. Alperovitch," said Kaspersky, in his blog post, titled "Shoddy RAT."

"We consider those conclusions to be largely unfounded and not a good measure of the real threat level," he said. "Also, we cannot concede that the McAfee analyst was not aware of the groundlessness of the conclusions, leading us to being able to flag the report as alarmist due to its deliberately spreading misrepresented information."

According to Kaspersky, the malware used in the attack was widely known, but relatively unsophisticated, and would be worth just a few hundred dollars on the black market, compared with top botnets, which might fetch $2,000 to $3,000. "Most security vendors did not even bother assigning a name to Shady RAT's malware family, due to its being rather primitive," he said. Furthermore, he said, there was no evidence of a state sponsor behind the attacks.

Kaspersky's criticism came in the wake of a letter sent to McAfee's Alperovitch by Rep. Mary Bono Mack (R-Calif.), chairman of the House Subcommittee on Commerce, Manufacturing, and Trade, seeking more details on Shady RAT.

Kaspersky's post also followed the publication, on Wednesday, of a story in SC Magazine, quoting McAfee's Alperovitch as saying, "If you think this is an unsophisticated botnet then you've got no clue, or you're not willing to talk about it."

That seemed to be a response to an analysis of Shady RAT published by Symantec researcher Hon Lau, which disputed that the attack was advanced, since the attackers made server configuration errors and used "relatively non-sophisticated malware" and other attack techniques. "Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them," said Lau, referring to two well-known and quite effective botnet and rootkit families used by criminals.

Kaspersky's criticism in turn triggered a response from McAfee. "He's missing the point," said Phyllis Schneck, McAfee's VP & CTO for global public sector at McAfee, in a blog post released Friday.

"It's not the sophistication of the attack that's important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture," she said. "It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary."

"Quiet, insidious, market-changing threats like these hide in the noise of botnets, 'hacks,' and other high-profile or nuisance events," she said.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14300
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
CVE-2020-14298
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
CVE-2020-15050
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.