
Bypassing Government Security Controls with Customized Malware

For a moment, think from the perspective of someone who wants to hack a government organization. Think of what they want to do. Seize critical records, encrypt the drive and hold it for ransom? Convert part of a resource into a cryptocurrency mining operation? Or, worse yet, attempt to disrupt or take down critical infrastructure (e.g., utilities, transportation systems, defense)?

As we explore the final theme of National Cybersecurity Awareness Month, “Safeguarding the Nation’s Critical Infrastructure,” I thought it would be valuable to go to a reliable source.

To get a better perspective of threats to critical infrastructure I interviewed a skilled hacker. This is his plan.

Recon & Recode

First, he said he would do reconnaissance on the organization to look for potential vulnerabilities. Makes sense.

But his next step is concerning. He’d take a form of malware he’d used before — or another he finds for sale in an exploit kit designed to abuse a vulnerability — and customize it for that specific organization. Customization can be as simple as making a few cosmetic changes to the code or changing the programming to do something slightly different based on previous failed attempts.

This step is important. The new batch of code hasn’t been registered with any firewall vendor, antivirus vendor, security researcher, etc. The targeted organization can’t stop it if their security controls don’t have the ability to conduct behavioral code analysis with zero-day code detonation.

Furthermore, if someone wants to take it to the next level, this code should arrive via an encrypted channel in the hope that the target doesn’t do Man-in-the-Middle (MITM) inspection of HTTPS traffic. It can be delivered simply over social media or webmail.

Payload Delivery

Now it’s time for everyone’s favorite part: payload delivery. At the time of writing, I am looking at a publicly accessible online sales lead-generation database. At anyone’s fingertips are millions of names and email addresses for contacts at organizations ranging from airlines and retailers to higher education. The malicious hacker can easily download 5,886 contacts from a state transportation department or 4,142 from a previously attacked Canadian agency.

If he wants, he could send an infected attachment asking some 526 contacts from a Singapore government agency to open it, or bait 2,839 faceless people at an unnamed health department to click on his malicious link.

Despite awareness training and efforts to keep systems up to date and patched, 11 percent of people will open the attachment according to a Verizon study. Within this population, there will be systems that he can infect and use as a launching point to get his malware to a target system — or at least give him backdoor access or a harvested credential to start working manually.

A hacker selects contacts for a phishing scam against an American county department of education.

How to Defend Against Customized Malware

This method is very similar to what we are seeing happen every day. Customized malware is the main reason why SonicWall discovered and stopped over 56 million new forms of malware in 2017.

In a government organization equipped with SonicWall technology, the email may first be stopped by email security based on the domain or other structures of the message, but you can’t take it for granted.

If the malware is delivered via attachment, SonicWall secure email technology can test the file in the Capture ATP cloud sandbox to understand what the file wants to do. SonicWall Email Security can also leverage Capture ATP to scan malicious URLs embedded in phishing attacks.

To learn more about this technology, read “Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works” and review the graphic below.

Protecting Endpoints Beyond the Firewall

But what about employees not behind the firewall? What if the malware is encrypted and the administrator did not activate the ability to inspect encrypted traffic (DPI-SSL)? What about an infected domain that serves fileless malware through an infected ad?

The answer to that is SonicWall Capture Client, a behavior-based endpoint security solution. The traditional antivirus (AV) that comes free with computers (e.g., Norton, Trend Micro, McAfee, etc.) is still around, but it only checks files that are already known to be malicious.

In an era of customized malware and creative distribution techniques, it is nearly obsolete. This is why government organizations in all countries favor using behavior-based antivirus, which goes by a number of names, such as Endpoint Protection Platforms (EPP) or Next-Generation Antivirus (NGAV).

These forms of AV watch what is happening on the system for malicious behavior, which is effective against customized malware, fileless malware and infected USB sticks. NGAV solutions don’t require frequent signature updates; they know how to look for bad activity and can shut it down, in many cases, before it executes.

In the case of SonicWall Capture Client, it can not only stop things before they happen, but also roll back Windows systems to a known good state if the endpoint is compromised. This is extremely helpful with ransomware, since you can restore encrypted files and continue on as if the infection never happened. As mentioned above, Capture Client also makes use of Capture ATP to find and eliminate malware that is waiting to execute.
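To make the difference between file-signature checking and behavior-based detection concrete, here is an added example (mine, not Capture Client’s or SonicWall’s code) that runs two hypothetical behavior rules over a constructed stream of endpoint events: an Office or reader process spawning a script interpreter, and a single process changing the extension of many files in a row (the file-renaming pattern the ransomware discussion above is about). The process names, the event format and the rename threshold are assumptions chosen for the example; neither rule needs to know anything about the malware’s file contents, which is why a freshly customized sample still trips them.

```python
from collections import defaultdict

# Hypothetical rule parameters (not Capture Client's): which parents and
# children are suspicious together, and how many renames count as "mass".
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MASS_RENAME_THRESHOLD = 5  # extension-changing renames by one process

# Constructed event stream: process starts and file operations, as an
# endpoint sensor might report them. Nothing here comes from a real host.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "cryptor.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "backup.exe"},
]
# pid 400 renames six documents to a new extension (ransomware-like);
# pid 500 renames two files but keeps the extension (benign housekeeping).
EVENTS += [{"type": "file", "pid": 400, "op": "rename",
            "path": f"C:/Users/a/doc{i}.docx", "new_path": f"C:/Users/a/doc{i}.docx.locked"}
           for i in range(6)]
EVENTS += [{"type": "file", "pid": 500, "op": "rename",
            "path": f"C:/Users/a/old{i}.bak", "new_path": f"C:/Users/a/archive{i}.bak"}
           for i in range(2)]


def build_process_tree(events):
    """Map pid -> (ppid, lower-cased image name) from the process events."""
    return {ev["pid"]: (ev["ppid"], ev["image"].lower())
            for ev in events if ev["type"] == "process"}


def ancestry(pid, tree):
    """Image names from pid up to the root, so an alert can be tied back to
    the document that started the chain."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image)
        pid = ppid
    return chain


def _ext(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Run both behavior rules over the stream and return the alerts raised."""
    tree = build_process_tree(events)
    alerts = []
    # Rule 1: an Office/reader process spawning a script interpreter or shell.
    for pid, (ppid, image) in tree.items():
        if image in INTERPRETERS and ppid in tree and tree[ppid][1] in OFFICE_APPS:
            alerts.append({"rule": "office_spawns_interpreter", "pid": pid,
                           "chain": ancestry(pid, tree)})
    # Rule 2: one process changing the extension of many files.
    renames = defaultdict(int)
    for ev in events:
        if ev["type"] == "file" and ev["op"] == "rename" and _ext(ev["path"]) != _ext(ev["new_path"]):
            renames[ev["pid"]] += 1
    for pid, count in renames.items():
        if count >= MASS_RENAME_THRESHOLD:
            chain = ancestry(pid, tree)
            # Escalate when the renaming process descends from a document viewer.
            severity = "high" if any(img in OFFICE_APPS for img in chain) else "medium"
            alerts.append({"rule": "mass_extension_rename", "pid": pid, "count": count,
                           "severity": severity, "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running it produces two alerts: the PowerShell process launched by Word, and the renaming process, rated high because its ancestry leads back to Word. The backup process is not reported, since its renames keep the extension. A real product would add a response step (kill the process, restore the renamed files) on top of this detection logic.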

Ultimately, by using the SonicWall Capture Cloud Platform, government agencies and offices around the world are protected against the onslaught of new malware, which is often designed to penetrate their systems. For more information on what we do, or to conduct a risk-free proof of concept in your environment, please contact us at sales@SonicWall.com or read this solution brief.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.

Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works

Last year, SonicWall discovered and created protections for more than 56 million new forms of malware. Because it takes time to create and roll out hundreds of thousands of protections each day, something must be done to discover and stop unknown malware, namely zero-day attacks.

The answer is Capture Advanced Threat Protection (ATP), a cloud sandbox and a core part of the SonicWall Capture Cloud Platform. In order to stop new cyberattacks, this isolated environment — independent from your network — runs suspicious files to understand their objectives.

Because of its effectiveness, SonicWall makes it available on our firewalls, email security solutions, Secure Mobile Access (SMA) and Capture Client Advanced endpoint protection solutions. Each of these uses Capture ATP in a different way:

  • For firewalls: In the case of the firewall, a broad range of file types is sent over if they are greylisted, which means 1) they have not been convicted by Gateway Antivirus (blacklisted) and 2) were not previously seen by the firewall in question (whitelisted).
  • For email security: Similarly, email security will automatically send unknown files arriving via email to Capture ATP for analysis before sending them along to inboxes.
  • For mobile access: If someone tries to upload a file to a shared drive (a common malicious attack vector), SMA will test the file to ensure it is clean before being accessible by others in the organization.
  • For endpoint protection: Last, Capture Client is an antivirus solution that continuously monitors the behavior of a system. Since it is common for malware to utilize evasion techniques (such as timing delays), sending suspicious files to Capture ATP is an intelligent way of eliminating malware before it executes.

Now that we have covered a bit of context, we’ll now explain how it works once one of these solution sets has either automatically sent a suspicious file to Capture ATP or an administrator has manually submitted a file for analysis.

Step One: Verdict Check

At the time of writing, the Capture ATP sandbox service receives over 1.5 million requests to test suspicious files each business day.

The first stop for these files is a verdict check. SonicWall summarizes each file it sees (submitted over an encrypted connection) as a hash, retains a verdict for that hash indefinitely, and does not save your files. By keeping a verdict for each hash, we can send a conviction or acquittal back to the submitting solution or administrator within milliseconds. Of the millions of submissions SonicWall sees each week, only around 45 percent are unique, so this step is vital.

Step Two: Community Check

If we have never seen a file before, it doesn’t mean someone else hasn’t. We check the file’s hash for convictions against a pool of over 60 virus scanners to see if they found this file to be malicious.

Note: SonicWall doesn’t send your files to anyone for analysis.

Step Three: Dynamic Processing

If we haven’t seen it before (verdict check) and no one else has seen it before (community check), we run it through multiple engines simultaneously. This is where the fun begins, because we can do so many unique things with the code that a firewall or an endpoint can’t, such as fast-forward it to look for timing delays or break it apart in memory and examine the sequences.
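The three steps above, plus the gateway signature check that keeps blacklisted files out of the sandbox in the first place, fit together as one ordered pipeline. The following is an added example (my own, not SonicWall’s implementation) of that ordering: a file is hashed, answered from the verdict cache if the hash is known, checked against a set of hashes convicted elsewhere, and only then handed to the expensive dynamic stage, with the caller blocked until a verdict comes back. The dynamic engine here is a constructed stand-in that reads the sample as one action per line; the signature pattern, the sample contents and the action names are all invented for the example. It also illustrates the glossary terms Hash, Static Filtering and Block until Verdict further down the page.

```python
import hashlib

# Constructed "known bad" actions for the stand-in dynamic engine.
MALICIOUS_ACTIONS = {"write_run_key", "encrypt_user_files", "delete_shadow_copies"}


def file_hash(data: bytes) -> str:
    """Summarize a file as a SHA-256 hash; the service keeps only this, never the file."""
    return hashlib.sha256(data).hexdigest()


def toy_dynamic_engine(data: bytes) -> bool:
    """Stand-in for the sandbox engines (constructed): the sample is read as one
    action per line and convicted if any action is on the known-bad list."""
    actions = {line.strip() for line in data.decode("utf-8", "replace").splitlines()}
    return bool(actions & MALICIOUS_ACTIONS)


class VerdictService:
    """Pipeline: gateway signature -> verdict cache -> community hashes -> dynamic analysis."""

    def __init__(self, gav_signatures, community_hashes, dynamic_engine):
        self.gav_signatures = list(gav_signatures)      # byte patterns the gateway blacklists
        self.community_hashes = set(community_hashes)   # hashes convicted by other scanners
        self.dynamic_engine = dynamic_engine
        self.verdicts = {}                               # hash -> "malicious" | "clean"
        self.stats = {"signature": 0, "verdict_cache": 0, "community": 0, "dynamic": 0}

    def submit(self, data: bytes):
        """Return (verdict, stage). The caller holds the file until this returns
        ("block until verdict")."""
        # Stage 0: signature match at the gateway; such files never reach the sandbox.
        if any(sig in data for sig in self.gav_signatures):
            self.stats["signature"] += 1
            return "malicious", "signature"
        h = file_hash(data)
        # Step one: verdict check. A hash seen before is answered from the cache.
        if h in self.verdicts:
            self.stats["verdict_cache"] += 1
            return self.verdicts[h], "verdict_cache"
        # Step two: community check against hashes convicted elsewhere.
        if h in self.community_hashes:
            self.stats["community"] += 1
            self.verdicts[h] = "malicious"
            return "malicious", "community"
        # Step three: dynamic processing, the expensive path; its verdict is cached too.
        self.stats["dynamic"] += 1
        verdict = "malicious" if self.dynamic_engine(data) else "clean"
        self.verdicts[h] = verdict
        return verdict, "dynamic"


# Constructed samples in the toy one-action-per-line format.
SAMPLE_CLEAN = b"open_document\nrender_page\n"
SAMPLE_RANSOM = b"open_document\nwrite_run_key\nencrypt_user_files\n"
SAMPLE_SIGNED = b"CONSTRUCTED-GAV-SIG-001\nopen_document\n"
SAMPLE_COMMUNITY = b"open_document\nbeacon_home\n"


def build_demo_service() -> VerdictService:
    return VerdictService(
        gav_signatures=[b"CONSTRUCTED-GAV-SIG-001"],
        community_hashes={file_hash(SAMPLE_COMMUNITY)},
        dynamic_engine=toy_dynamic_engine,
    )


if __name__ == "__main__":
    svc = build_demo_service()
    for sample in (SAMPLE_CLEAN, SAMPLE_RANSOM, SAMPLE_RANSOM, SAMPLE_SIGNED, SAMPLE_COMMUNITY):
        print(file_hash(sample)[:12], *svc.submit(sample))
    print(svc.stats)
```

The second submission of the same ransomware sample never reaches the dynamic stage; it is answered from the verdict cache by hash alone, which is the effect the 45-percent-unique figure above is describing. Note that a single changed byte in the sample produces a different hash, so the cache and community checks are exactly the stages a customized variant slips past, and the dynamic stage is where it has to be caught.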

Capture ATP was designed to be a multi-engine environment because of the common use of evasion tactics used in malware. Academically, the concept of a sandbox is easy to grasp, but once you understand their inner workings you can design code to slip past what they check for or not activate if you sense that the code is not on a normal system.

Getting past one sandbox is moderately difficult. Evading multiple engines, which in turn have multiple ways to find malware, should be nearly impossible.
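One of the evasion tactics named above is a timing delay: a sample idles for longer than a sandbox is willing to wait and only acts afterwards. The "fast-forward" mentioned in the Dynamic Processing step is the counter to that. The following is an added example (mine, not SonicWall’s or VMRay’s code) that models both behaviours in miniature: a sample calls into an API shim, and the shim either gives up when the requested delays exceed a wall-clock budget, or advances a virtual clock instantly so the run reaches the part that matters. The sample, the API names, the two-minute budget and the five-minute "long sleep" threshold are all constructed for the example.

```python
LONG_SLEEP_MS = 5 * 60 * 1000   # assumed threshold for calling a delay "evasive"


class AnalysisTimeout(Exception):
    """Raised when a wall-clock sandbox runs out of analysis budget."""


class FastForwardApi:
    """API shim the sample calls into. Sleep advances a virtual clock instead of
    blocking, and GetTickCount reads that same clock, so the sample sees time pass
    consistently while the analysis itself finishes immediately."""

    def __init__(self):
        self.now_ms = 0
        self.requested_sleep_ms = 0
        self.trace = []

    def GetTickCount(self):
        return self.now_ms

    def Sleep(self, ms):
        self.requested_sleep_ms += ms
        self.trace.append(("Sleep", ms))
        self.now_ms += ms          # time "passes" without waiting

    def WriteRunKey(self, name, path):
        self.trace.append(("WriteRunKey", name, path))

    def CreateFile(self, path):
        self.trace.append(("CreateFile", path))


class WallClockApi(FastForwardApi):
    """Models a sandbox that would really wait: it gives up once the requested
    delays exceed its analysis budget, and everything after that goes unseen."""

    def __init__(self, budget_ms):
        super().__init__()
        self.budget_ms = budget_ms

    def Sleep(self, ms):
        self.requested_sleep_ms += ms
        if self.now_ms + ms > self.budget_ms:
            raise AnalysisTimeout(f"budget of {self.budget_ms} ms exhausted")
        self.trace.append(("Sleep", ms))
        self.now_ms += ms


def sample_delayed_payload(api):
    """Constructed stand-in for a sample that idles for ten minutes before acting."""
    api.Sleep(10 * 60 * 1000)
    api.WriteRunKey("Updater", "C:/Users/a/AppData/updater.exe")
    api.CreateFile("C:/Users/a/Documents/report.docx.locked")


def analyze(sample, api):
    """Run the sample against an API shim and summarize what was observed."""
    try:
        sample(api)
        timed_out = False
    except AnalysisTimeout:
        timed_out = True
    indicators = []
    if api.requested_sleep_ms >= LONG_SLEEP_MS:
        indicators.append("timing_delay")
    if any(call[0] == "WriteRunKey" for call in api.trace):
        indicators.append("persistence")
    if any(call[0] == "CreateFile" and call[1].endswith(".locked") for call in api.trace):
        indicators.append("ransomware_like_file")
    return {"timed_out": timed_out, "indicators": indicators, "virtual_elapsed_ms": api.now_ms}


def compare(sample, budget_ms=2 * 60 * 1000):
    """Same sample under a wall-clock budget and under fast-forwarding."""
    return {"wall_clock": analyze(sample, WallClockApi(budget_ms)),
            "fast_forward": analyze(sample, FastForwardApi())}


if __name__ == "__main__":
    for mode, result in compare(sample_delayed_payload).items():
        print(mode, result)
```

The wall-clock run times out and only knows that a long sleep was requested; the fast-forwarded run reaches the persistence and file-writing behaviour and reports all three indicators. Keeping `GetTickCount` on the same virtual clock as `Sleep` is the design point: the skipped wait is invisible from inside the guest, which is the same reason the page argues for monitoring from outside the VM rather than by hooking inside it.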

In order to find the most evasive malware, Capture ATP runs code with hypervisor-level analysis, full-system emulation, virtualization and SonicWall’s patent-pending Real-Time Deep Memory Inspection (RTDMI™). This is done to see what the code wants to do, from the application to the OS and down to the firmware.

In an ideal world, every piece of malware we find would be detected by all technologies in use, but that is not always the case. Just remember my old adage, “Security doesn’t exist, only speed bumps.” Just like the Great Wall of China was eventually bypassed by the Mongol horde, so are digital defenses by digital threats.

The Results

It is after this three-step process that we help deliver clean traffic to endpoints, inboxes, shared drives and servers and ensure endpoints stay secure by eliminating threats before they activate. By applying signature-based defenses in front of behavior-based defenses, we are able to protect the world against an onslaught of cyberattacks.

A good real-world example was the initial set of WannaCry attacks. The ransomware attack became famous for taking out 16 NHS hospitals in the UK (secured by a competitor).

However, the NHS sites protected by SonicWall were running without disruption from the attack. We stopped this attack three weeks in advance because our Capture Labs research team created protections against the SMB vulnerability and the WannaCry variant they found in the wild.

So, when the attacks started, they were stopped by internal defenses (e.g., firewalls). But what about Versions 2, 3, 16 or 18, etc.? These were discovered and stopped by Capture ATP.

To better understand how Capture ATP is protecting organizations against attacks like Meltdown, please read our solution brief on Real-Time Deep Memory Inspection.

How to Hide a Sandbox: The Art of Outfoxing Advanced Cyber Threats

Malware often incorporates advanced techniques to evade analysis and discovery by firewalls and sandboxes. When malware sees evidence that dynamic analysis is occurring, it can invoke different techniques to evade analysis, such as mimicking the behavior of harmless files that are typically ignored by threat detection systems.

Traditional sandboxing approaches that signal their own presence — for example, by instrumenting underlying virtual machines (VM) to intercept malicious function calls — make the analysis environment visible. This can trigger an action by malware to conceal itself.

Because of the increased focus by malware authors on developing evasion tactics, it is important to apply a multi-disciplinary approach to analyzing suspicious code, especially for detecting and analyzing ransomware and malware that attempt credential theft.

SonicWall’s award-winning Capture Advanced Threat Protection (ATP) multi-engine sandbox platform efficiently discovers what code wants to do from the application, to the OS, to the software that resides on the hardware. In fact, SonicWall formed a partnership with VMRay to leverage their agentless hypervisor-level analysis technology as one of the three Capture ATP engines. The VMRay technology executes suspicious code and analyzes changes within the memory of a system to detect malicious activity, while resisting evasion tactics and maximizing zero-day threat detection.

How VMRay enhances Capture ATP

VMRay brings an agentless hypervisor-based approach to dynamic malware analysis. The hypervisor is the underlying computing platform that creates, runs and manages virtual machines on the underlying hardware. Most sandboxing solutions use a hypervisor as a launch pad for either the emulators or virtual machines that are hooked and monitored.

Figure 1 VMRay runs as part of the hypervisor on top of the host OS

VMRay takes a different approach to sandbox analysis by monitoring the activity of the target machine, entirely from the outside, using Virtual Machine Introspection (VMI). VMRay combines CPU hardware virtualization extensions with an innovative monitoring concept called Intermodular Transition Monitoring (ITM) to deliver agentless monitoring of VMs running a native OS without emulation or hooking (to avoid being detected by advanced malware). VMRay runs as part of the hypervisor on top of the host OS, which, in turn, is running on bare metal.

Because VMs in the sandbox aren’t instrumented, threats execute as they would in the wild, and the analysis is invisible — even to the most evasive strains of malware.

VMRay’s agentless hypervisor-based approach provides four key benefits to the SonicWall Capture ATP cloud service:

  • Resistance to evasive malware
  • Detailed analysis results
  • Extraction of IOCs
  • Real-time, high-volume detection

To learn more about these benefits in greater detail, read the Solution Brief: Five Best Practices for Advanced Threat Protection.

Catch the Latest Malware with Capture Advanced Threat Protection

Now that Halloween is over and your coworkers are bringing in the extra candy they don’t want, let’s look back at the last quarter’s results from SonicWall Capture Advanced Threat Protection (ATP) network sandbox service. Grab the candy corn and let’s crunch some data. Note: terms in italics below are defined in the glossary at the bottom to help newbies.

63,432 new threats discovered using the network sandbox over the course of three months on customer networks.

30.6% of threats that were found through static filtering. Translation – less than a third of these threats were new to us, but not to someone among the 50+ scanners we compare against.

69.4% of threats that were found through dynamic filtering. Translation – there is nearly a 70% chance SonicWall will find new malware and develop protections against it faster than anyone else.

0.16% of all files sent to the sandbox were malicious. Translation – SonicWall can find the needle in the haystack.

72% of files were processed in under 5 seconds. Translation – Capture ATP is fast!

60% increase in the number of Capture ATP customers that sent files for analysis over the past quarter. Translation – more people supplying potential threat data gives us a wider net to catch the latest threats, making it easier to protect you. Double translation – the community helps to protect the community.

20% of all new malware were found in documents (.docx & .pdf specifically) on many days throughout the quarter. Translation – Attackers put more attention to getting you to open malicious documents. Double Translation – educate your employees to not open suspicious attachments in email or found online.

I hope this helps you understand the importance of using a network sandbox, namely Capture ATP, the winner of CRN’s Network Security Product of the Year 2016 by customer demand. To learn more, please review our Tech Brief: SonicWall Capture Threat Assessment or contact us for more information.

PS – I wrote a simple glossary of sandboxing terms for you to reference in case you are new to this. If you want more terms added to this, find me on Twitter and send me a note.

Glossary of terms:

Network Sandbox: An isolated environment where suspicious code can be run to completion to see what it wants to do. If your firewall doesn’t know the file, it will be sent to the sandbox for analysis.

Block until Verdict: A feature of the Capture ATP sandboxing service that holds a file until analysis produces a verdict. If it’s malware, the file is dropped and can’t enter the network. If it’s good, a verdict for the hash of the file is stored, and if anyone later submits the same file to our service, that verdict is returned within milliseconds.

Hash (AKA: cryptographic hash): A fixed-length value computed from a file’s contents, used to identify that file (e.g., a malware sample) across the community of researchers. Instead of storing malware and comparing new files against samples, the file is converted to a hash and compared against a database of known good and bad hashes. For example, the phrase “SonicWall Capture ATP stops ransomware” translates into “13d55c187dbd760e8aef8d25754d8aacadc60d8b”.

Once a new file is encountered, hashed, and doesn’t match a known hash, it is sent to the sandbox for analysis.

Static Filtering: A way of filtering out a file before taking it to time-consuming dynamic analysis. SonicWall static filtering compares new files against a database of shared malware hashes from over 50 anti-virus scanners.

Dynamic Filtering: The method of processing a file to see what it wants to do. SonicWall’s dynamic processing features three engines in parallel to find the most evasive malware. We use virtualized sandboxing, hypervisor-level analysis, and full-system analysis to uncover the most difficult forms of malware, including Cerber.

SonicWall First to Identify 73 Percent of New Malware with Capture ATP Sandbox

Last month, I wrote how we found nearly 26,500 new forms of malware and shared some general stats. Let’s take a look at the new threats found by SonicWall’s network sandbox, Capture Advanced Threat Protection (ATP).

While the general number of new threats dropped, there were some interesting figures and trends to point out.

Of the 16,115 new forms of malware and zero-day attacks:

  • Only 4,321 were known by one other security firm (that we partner with), just moments before us
  • This means over 73 percent (11,794) were never seen until SonicWall identified them

This is very encouraging because it demonstrates three important points:

  1. The SonicWall customer base of Capture ATP subscribers is protecting each other by serving up samples before researchers can find them
  2. The technology is working wonderfully
  3. The month-over-month data proves that SonicWall is your best defense against new threats

Interestingly, last year at this time, I was finding a lot of ransomware versions by the big boys, such as Locky & Cerber. Now we are seeing attacks from copycat malware authors who conduct smaller attacks. The overall numbers are down, but the number of cybercriminals involved is up. As a result, a lot of ransomware attacks may fly under the radar.

Plus, this is what is now hitting the radar: credware.

What is Credware?

Credware is a term for a type of malware that is designed to steal credentials — and I’m finding a lot of credware every day, in many formats. I see new forms of spyware and a lot of Trojans that are going after all of those saved passwords in browsers. Since Chrome is harder to attack, hackers are targeting saved passwords in Firefox, Safari, Opera, Internet Explorer, and Edge. (See below).

Infected Documents

Hackers are adding their new versions of malware inside of documents, such as Microsoft Word files and PDFs. On a typical day, I saw that roughly 3-6 percent of new malware samples are found in these file types, but I have noticed a large increase as the days progressed.

Some days, as much as 39.3 percent of malware is found in digital documents, mostly Office files. Even if I set a high baseline of 5 percent, you can see how some days have an alarming rate of malicious documents (See below).

What is also surprising about this data is that you would expect a lot of this to be found in email traffic. Although most of it was, a lot of it was not, especially PDFs. In fact, on Sept. 26, 82 percent of malicious PDFs were found online by protected customers.

This data comes on the heels of SonicWall improving its backend performance for how quickly we can examine and return a verdict for PDFs. As we look back at the data, I’m happy to announce that the median time to process a file is around one second, and 71.3 percent of all files in September were processed with a verdict in under five seconds.

If you’d like more information on how you can add Capture ATP to protect your network and network based endpoints read: Executive Brief: Why network sandboxing is required to stop ransomware.