Anatomy of an attack: Flushing out detection-evading malware

A single breached endpoint can spread quickly to compromise a business's entire network

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Core find­ing: Detec­tion-evad­ing mal­ware implant­ed on just one machine with­in a cor­po­rate net­work has become a daunt­ing, omnipresent threat. By infect­ing a sin­gle com­put­er, an intrud­er can move hor­i­zon­tal­ly to spread var­i­ous types of infec­tions far and wide through­out the com­pro­mised network.

Ed note_LogRhythm_Randy SmithWhile trav­el­ing on a recent busi­ness trip, a senior engi­neer from a U.S.-based soft­ware man­u­fac­tur­er on the West Coast used his com­pa­ny lap­top nor­mal­ly, log­ging into the com­pa­ny net­work via its Vir­tu­al Pri­vate Network.

Free resource: How to build cus­tomer loy­al­ty by keep­ing data secure

A SIEM alarm from LogRhythm’s Advanced Intel­li­gence Engine (AIE) went off in the company’s Secu­ri­ty Oper­a­tions Cen­ter (SOC) sig­nal­ing that the same user had estab­lished simul­ta­ne­ous VPN access from two sep­a­rate loca­tions. The exec­u­tive was con­tact­ed as he was about to board a return flight home. He fol­lowed instruc­tions to leave his lap­top turned off and deliv­er it straight away to the inves­ti­ga­tion team.

Attack vec­tor: An ini­tial full antivirus scan of the lap­top found no sus­pi­cious files or pro­grams. The lap­top was then iso­lat­ed and probed fur­ther. Even­tu­al­ly, inves­ti­ga­tors dis­cov­ered a file relat­ed to the mal­ware, which was “polymorphic”—designed to ran­dom­ly alter its appear­ance, the bet­ter to bypass antivirus scanners.

Relat­ed sto­ry: Study finds C-Suite over­con­fi­dent about net­work security

Dis­tinc­tive tech­nique: Adobe Flash was sus­pect­ed as the malware’s entry point because the laptop’s Adobe Shock­wave media play­er was found to be improp­er­ly patched. Also found were unusu­al, irreg­u­lar brows­er helper objects, or BHOs, of a type used to hijack web brows­ing ses­sions and send the user to a mali­cious site.

Wider impli­ca­tions: Inves­ti­ga­tors stud­ied traf­fic ini­ti­at­ed and received by the mal­ware and traced it back to a serv­er leased from an Inter­net ser­vice provider in the Unit­ed States. The ISP was noti­fied and the cus­tomer agreed to take the serv­er offline, resolv­ing the mat­ter. Unbe­known to the cus­tomer, the com­pro­mised serv­er had been redi­rect­ing mali­cious traf­fic to a loca­tion in Finland.

Excerpts from ThirdCertainty’s inter­view with Randy Franklin Smith. (Answers edit­ed for length and clarity.)

3C: How much hav­oc was this attack­er able to wreak before being detected?

Smith: None of the organization’s vital infor­ma­tion was com­pro­mised because the sus­pi­cious activ­i­ty was caught so quick­ly and aggres­sive­ly, and because effec­tive action was tak­en so prompt­ly. What could have been a major inci­dent, or even a cat­a­stroph­ic data breach, was a mere bump in the road.

3C: What else did the com­pa­ny do in the wake of this discovery?

Smith: The com­put­er that expe­ri­enced the sus­pi­cious activ­i­ty was reim­aged, and patch­ing was tight­ened on it and on com­put­ers across the com­pa­ny for poten­tial Flash- and Shock­wave-relat­ed prob­lems. The orga­ni­za­tion also cre­at­ed a pro­ce­dure to flag, alert and cap­ture proxy traf­fic and the same mal­ware, should it reap­pear. In addi­tion, the inves­ti­ga­tion team uploaded the sus­pi­cious files to the antivirus com­mu­ni­ty so that the com­mu­ni­ty could cre­ate and deploy sig­na­tures and oth­er heuris­tics to com­bat this mal­ware threat.

3C: How com­mon­place is this par­tic­u­lar type of attack?

Smith: It’s easy to shrug off the threat of mal­ware and believe that the tar­get will nev­er be your orga­ni­za­tion. How­ev­er, accord­ing to a 2015 Ponemon study, 80 per­cent of all orga­ni­za­tions expe­ri­ence some form of Web-borne malware.

And these attacks aren’t con­fined to large, multi­na­tion­al cor­po­ra­tions. Cyber crim­i­nals fre­quent­ly tar­get small and mid­size busi­ness­es. Grant­ed, attacks on SMBs may not be on the same scale as the more well-pub­li­cized breach­es we hear about in the media. But for a small com­pa­ny, an attack of this size can be just as dev­as­tat­ing, if not more so.

3C: Is mal­ware more insid­i­ous than most peo­ple realize?

Smith: Mal­ware is not just an annoy­ance or minor incon­ve­nience, it’s the gate­way to far more seri­ous prob­lems. Once it affects a sin­gle com­put­er, it can quick­ly spread through­out a net­work like an out-of-con­trol for­est fire. Attack­ers will use any means to access cor­po­rate infor­ma­tion. And it all starts with one com­pro­mised endpoint.

Relat­ed sto­ries:
To get ahead of threat curve, boost secu­ri­ty dur­ing soft­ware development
New tac­tics need­ed to search for, destroy net­work invaders
Don’t keep data breach a secret


Posted in Cybersecurity, Data Security, Featured Story