[BreachExchange] Hiding in plain sight - attacks via trusted entry routes such as updates

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 7 19:45:29 EDT 2017


https://www.scmagazineuk.com/hiding-in-plain-sight--attacks-via-trusted-entry-routes-such-as-updates/article/680525/

The threat landscape is constantly in flux as defenders develop improved
techniques to defend and protect networks, and attackers seek new means to
infiltrate and infect systems to fulfil their own agenda.

Like any form of logistics, distributing malware is a difficult process for
attackers. Not only may malware fail to reach its intended target, but if
it is identified en route to a target, security analysts will be able to
develop protection ensuring that subsequent attempts to deliver the malware
will be blocked.

Malware writers use many techniques to deliver their malware and to avoid
detection along the way. The recent Nyetya attack adopted the unusual
approach of being distributed via the software update mechanism of a
legitimate third party software provider who had been compromised.

This is not the first occasion that attackers have sought to abuse software
update systems. In 2012, the Flame malware reportedly spoofed the Windows
update mechanism to spread. The Havex trojan in 2014 was distributed via
compromised software installation packages, while in 2016 a popular
browser toolbar was reportedly used to distribute hidden malware to
unsuspecting users.

The threat actors behind Nyetya clearly planned their actions, choosing ME
Doc, the publishers of a tax accounting program widely used in Ukraine, as
the initial vector for their malware. Firstly, the attackers introduced a
backdoor into the code of the legitimate accounting software and allowed
this to be distributed. Then they subverted the software update system to
issue instructions to the installed accounting software containing the
backdoor.

Almost certainly, these instructions included the commands to download and
install Nyetya. The malware then spread across the internal networks of
affected organisations, wiping and destroying data while masquerading as
ransomware purporting to restore data on payment of a ransom.

Distributing malware through software update systems allows attackers to
hide in plain sight. Software updates are one of the few routes by which
executable code is expected to enter organisations. So, an executable file
downloaded from a software update server doesn't necessarily attract the
attention of security teams.

Sophisticated attackers deserve a sophisticated response. Simplistic
approaches to security, such as blocking access to servers with a poor
reputation, are no longer enough to assure resistance to attacks. Abusing
highly reputable legitimate servers by compromising them and using them as
part of a command and control infrastructure has been a technique that we
have observed sophisticated threat actors using for some time.

Organisations need to adapt to operating in a grey world, where no system
is entirely trustworthy. Basic protections such as ensuring systems are
fully patched, and that network ports aren't unnecessarily opened to the
outside world remain the foundations of good security.

Attackers may infiltrate networks from unexpected sources, in which case
defence becomes an issue of swiftly identifying the compromise and
containing the attack before remediation. Proper network segmentation and
using the network as a sensor help spot issues quickly and stop them
spreading.

Good defences take planning and investment. The aftermath of a major attack
is a very good time to reflect on how current defences would protect
against similar attacks, and how the organisation would respond if the same
thing happened to them.

One thing is certain: the bad guys aren't getting any dumber. Each attack
that highlights an effective novel distribution technique only encourages
further threat actors to adopt the same processes themselves. It's not
inevitable that such attacks will be successful, but organisations need to
learn the lessons from attacks and ensure that their defences are up to the
challenges of the threat environment.