Hackers like President Donald Trump and former President Barack Obama — at least when it comes to naming ransomware. And they are exploiting a security vulnerability dubbed Peekaboo in global video surveillance software to tamper with surveillance footage and network access, according to threat research published by McAfee and Tenable.
Obama, Trump, and German Chancellor Angela Merkel have ransomware campaigns named after them, according to McAfee threat researchers, who detailed the political figure-themed ransomware in a blog post.
First identified by the MalwareHunterTeam, the Obama ransomware only encrypts .exe files (as opposed to data files, which are more typically targeted) and demands a tip to decrypt the files. “This unorthodoxy got us thinking: Was there a nation-state behind this campaign? At present, there is not enough evidence to confirm its source, although the language resources are in simplified Chinese,” wrote McAfee’s Christiaan Beek and Raj Samani.
The Obama ransomware also attempts to stop some anti-malware products from vendors including Kaspersky, McAfee, and Rising. And it mines for cryptocurrency on infected devices. In fact, the cryptocurrency coin mining component is the primary purpose of this malware, according to the McAfee team.
The Trump ransomware, meanwhile, has been previously documented. “The Trump ransomware variant is similar in its capabilities to the Obama variant, but is not nearly as developed,” wrote McAfee’s Gary Davis in another blog post.
And finally, the Angela Merkel ransomware campaign encrypts files with the .angelamerkel extension and it also demands euros.
McAfee’s threat researchers haven’t determined if these are three separate ransomware campaigns. “There are some links and, no, they are not between Obama and Trump,” Beek and Samani wrote. “The Trump and Merkel ransomware are 46 percent identical in code. We are left wondering whose campaign is the most successful.”
Tenable Plays Peekaboo
Tenable Research discovered a zero-day remote code execution vulnerability in NUUO software, dubbed Peekaboo, that allows cybercriminals to monitor and tamper with video surveillance recordings. The threat researchers estimate this security flaw could impact hundreds of thousands of security cameras globally, which hackers could manipulate and take offline.
NUUO makes global video surveillance devices and software commonly used by retail, transportation, education, government, and banking companies. The Tenable team found the vulnerability in NVRMini2, a network-attached storage device and network video recorder.
The researchers disclosed the vulnerability, which affects firmware versions older than 3.9.0, to NUUO and said the manufacturer is working on a patch. NUUO did not immediately respond to questions about when it will release a fix.
In addition to making its own branded software and devices, NUUO is an original equipment manufacturer (OEM) that makes products and white-labels its software to third-party vendors. This means the full list of affected third-party vendors is currently unknown. Tenable says more than 100 brands and 2,500 different models of cameras could be exposed through the access Peekaboo grants to usernames and passwords.
Peekaboo would give attackers access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. For example, hackers could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.
Last year the Reaper IoT Botnet targeted NUUO NVR devices.
Tenable released a plugin for organizations to assess whether they are vulnerable to Peekaboo. The security company says all NUUO NVRMini2 users should upgrade to version 3.9.1 or later.