Common cybercriminals pose a threat, there’s no doubt about it: from bedroom hackers to ransomware groups, cybercriminals do a lot of damage. But both the tools used and the threat posed by common cybercriminals pale in comparison to the tools used by more professional groups, such as the famous hacking groups and state-sponsored groups.
In fact, these tools can be nearly impossible to detect and protect against. BVP47 is an example of this. In this article, we’ll outline how this powerful state-sponsored malware has been circulating quietly for years, how it cleverly disguises itself, and what that means for cybersecurity in the enterprise.
Backstory behind BVP47
It’s a long story, fit for a spy novel. Earlier this year, a Chinese cybersecurity research group called Pangu Lab published an in-depth 56-page report on a piece of malicious code that the research group decided to call BVP47 (BVP because it was the most common string in the code, and 47 because the encryption algorithm used the numerical value 0x47).
The report is really in-depth, with a thorough technical explanation, including a deep dive into the malware code. It reveals that Pangu Lab originally found the code during a 2013 investigation into the state of computer security at an organization, most likely a Chinese government department, but it doesn’t say why the group has waited until now to publish the report.
As a key factor, the report links BVP47 to the “Equation Group”, which in turn is linked to the Tailored Access Operations Unit of the United States National Security Agency (the NSA). Pangu Lab came to this conclusion because it found a private key that could activate BVP47 in a series of files published by the group The Shadow Brokers (TSB). TSB attributed that file dump to the Equation Group, which leads us back to the NSA. You just couldn’t make it up, and it’s a story fit for a feature film.
How does BVP47 work in practice?
But enough about the spy vs. spy element of the story. What does BVP47 mean for cybersecurity? Essentially, it acts as a very clever and very well-hidden back door into the target network system, allowing the party controlling it to gain unauthorized access to data, and to do so undetected.
The tool has some very sophisticated tricks up its sleeve, partly based on exploiting behaviors that most system administrators wouldn’t look for, simply because no one thought a technology tool would behave that way. It begins its spread by setting up a hidden communication channel in a place where no one would think to look: TCP SYN packets.
In a particularly insidious twist, BVP47 has the ability to listen on the same network port used by other services, which is very difficult to do. In other words, it can be extremely difficult to detect because it is difficult to distinguish between a standard service using a port and BVP47 using that port.
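As an added illustration (not code from the article or from the Pangu Lab report), here is a defender-side check for the SYN-packet channel described above. It assumes the hidden channel takes the form of SYN packets that carry application data, which a normal connection-opening SYN does not; the sample packets are constructed inline, and port numbers are deliberately not used as a filter, since the text notes BVP47 shares ports with legitimate services.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits

def parse_ipv4_tcp(pkt: bytes):
    """Parse a raw IPv4 packet; return (src, dst, sport, dport, flags, payload), or None if not TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or total_len > len(pkt) or total_len < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length, including options
    flags = tcp[13]
    return src, dst, sport, dport, flags, tcp[data_off:]

def is_payload_bearing_syn(pkt: bytes) -> bool:
    """True for an initial SYN (SYN set, ACK clear) that carries application data."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, payload = parsed[4], parsed[5]
    return bool(flags & SYN) and not (flags & ACK) and len(payload) > 0

def scan(packets):
    """Return one human-readable finding per suspicious packet."""
    findings = []
    for pkt in packets:
        if is_payload_bearing_syn(pkt):
            src, dst, sport, dport, _, payload = parse_ipv4_tcp(pkt)
            findings.append(f"{src}:{sport} -> {dst}:{dport} SYN with {len(payload)}-byte payload")
    return findings

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample frame for offline testing (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

# Constructed traffic: a normal handshake SYN, a SYN carrying data, and an ordinary data segment
SAMPLE = [
    build_packet("10.0.0.5", "10.0.0.20", 40000, 443, SYN),
    build_packet("203.0.113.9", "10.0.0.20", 51000, 443, SYN, b"\x00" * 64),
    build_packet("10.0.0.5", "10.0.0.20", 40000, 443, ACK, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```

TCP Fast Open (RFC 7413) also legitimately places data in a SYN, so treat hits as alerts for analyst review rather than as automatic blocks.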
The difficulty of defending against this line of attack
In yet another twist, the tool regularly tests the environment it’s running in and clears its tracks along the way, hiding its own processes and network activity to make sure no traces can be found.
In addition, BVP47 uses multiple encryption methods across multiple encryption layers for communications and data exfiltration. It is typical of the top-notch tools used by advanced persistent threat groups, including the state-sponsored groups.
When combined, it adds up to incredibly sophisticated behavior that can evade even the most savvy cybersecurity teams. The most capable mix of firewalls, advanced threat protection and the like still can’t stop tools like BVP47. These backdoors are so powerful because of the resources that government actors with deep pockets can use to develop them.
As always, good practice is the best choice
Of course, that doesn’t mean that cybersecurity teams should just switch off and give up. There is a range of activities that can at least make it more difficult for an actor to deploy a tool like BVP47. Awareness and detection activities are worthwhile, as close surveillance can catch a remote intruder. Likewise, honeypots can lure attackers to a harmless target, where they can reveal themselves.
However, there is a simple, first-principles approach that offers a tremendous amount of protection. Even advanced tools like BVP47 rely on unpatched software to gain a foothold. Consistently patching the operating system and the applications you depend on is therefore your very first line of defense.
Applying a patch in itself is not the most challenging step to take, but as we know, patching quickly every time is something most organizations struggle with.
And that, of course, is exactly what threat actors like the team behind BVP47 rely on, as they lie in wait for their target, who inevitably has too few resources to patch consistently and ends up missing a critical patch.
What can pressured teams do? Automated, live patching is a solution because it eliminates the need for manual patching – and eliminates time-consuming reboots and the associated downtime. Where live patching is not possible, vulnerability scanning can be used to highlight the most critical patches.
Not the first – and not the last
In-depth reports like these are important to help us stay on top of critical threats. But BVP47 has been in the game for years and years before this public report, and countless systems have been attacked in the meantime — including prominent targets around the world.
We don’t know how many similar tools there are; we just know what to do to maintain a consistently strong cybersecurity posture: monitoring, distracting and patching. Even if teams can’t mitigate every threat, they can at least build an effective defense, making it as difficult as possible to successfully use malware like this.