Anatomy of an attack: Flushing out detection-evading malware
A single breached endpoint can spread quickly to compromise a business's entire network
By Byron Acohido, ThirdCertainty
Core finding: Detection-evading malware implanted on just one machine within a corporate network has become a daunting, omnipresent threat. By infecting a single computer, an intruder can move horizontally to spread various types of infections far and wide throughout the compromised network.
While traveling on a recent business trip, a senior engineer from a U.S.-based software manufacturer on the West Coast used his company laptop normally, logging into the company network via its Virtual Private Network.
A SIEM alarm from LogRhythm’s Advanced Intelligence Engine (AIE) went off in the company’s Security Operations Center (SOC) signaling that the same user had established simultaneous VPN access from two separate locations. The executive was contacted as he was about to board a return flight home. He followed instructions to leave his laptop turned off and deliver it straight away to the investigation team.
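One way to express the rule that fired here, as an added example written for this article and not LogRhythm's AIE logic: it replays constructed VPN concentrator log lines (the line format is assumed) and raises an alert when a user opens a second tunnel from a different source address or location while an earlier one is still active, ignoring plain reconnects from the same address.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines, not from the incident described in the article.
# Assumed format: ISO timestamp, event, user, source IP, country code.
SAMPLE_LOG = """\
2015-06-01T08:02:11Z CONNECT    jdoe   198.51.100.23 US
2015-06-01T08:40:05Z CONNECT    asmith 203.0.113.7   US
2015-06-01T09:15:42Z CONNECT    jdoe   192.0.2.88    FI
2015-06-01T09:30:00Z DISCONNECT jdoe   198.51.100.23 US
2015-06-01T10:00:00Z CONNECT    asmith 203.0.113.7   US
"""

@dataclass
class Session:
    started: datetime
    ip: str
    geo: str

def parse_line(line):
    ts, event, user, ip, geo = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip, geo

def find_concurrent_sessions(log_text):
    """Replay the log in order; return one alert per new session that
    overlaps an active session of the same user from a different source."""
    active = {}   # user -> list of open Session objects
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, geo = parse_line(line)
        sessions = active.setdefault(user, [])
        if event == "DISCONNECT":
            active[user] = [s for s in sessions if s.ip != ip]
            continue
        # A reconnect from the same address (e.g. a dropped tunnel) is not flagged.
        for s in sessions:
            if s.ip != ip or s.geo != geo:
                alerts.append({"user": user, "at": ts.isoformat(),
                               "existing": (s.ip, s.geo), "new": (ip, geo)})
        # Replace any stale entry for this address, then record the new tunnel.
        active[user] = [s for s in sessions if s.ip != ip] + [Session(ts, ip, geo)]
    return alerts
```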
Attack vector: An initial full antivirus scan of the laptop found no suspicious files or programs. The laptop was then isolated and probed further. Eventually, investigators discovered a file related to the malware, which was “polymorphic”—designed to randomly alter its appearance, the better to bypass antivirus scanners.
Distinctive technique: Adobe Flash was suspected as the malware’s entry point because the laptop’s Adobe Shockwave media player was found to be improperly patched. Also found were unusual, irregular browser helper objects, or BHOs, of a type used to hijack web browsing sessions and send the user to a malicious site.
Wider implications: Investigators studied traffic initiated and received by the malware and traced it back to a server leased from an Internet service provider in the United States. The ISP was notified and the customer agreed to take the server offline, resolving the matter. Unbeknown to the customer, the compromised server had been redirecting malicious traffic to a location in Finland.
Excerpts from ThirdCertainty’s interview with Randy Franklin Smith. (Answers edited for length and clarity.)
3C: How much havoc was this attacker able to wreak before being detected?
Smith: None of the organization’s vital information was compromised because the suspicious activity was caught so quickly and aggressively, and because effective action was taken so promptly. What could have been a major incident, or even a catastrophic data breach, was a mere bump in the road.
3C: What else did the company do in the wake of this discovery?
Smith: The computer that experienced the suspicious activity was reimaged, and patching was tightened on it and on computers across the company for potential Flash- and Shockwave-related problems. The organization also created a procedure to flag, alert and capture proxy traffic and the same malware, should it reappear. In addition, the investigation team uploaded the suspicious files to the antivirus community so that the community could create and deploy signatures and other heuristics to combat this malware threat.
3C: How commonplace is this particular type of attack?
Smith: It’s easy to shrug off the threat of malware and believe that the target will never be your organization. However, according to a 2015 Ponemon study, 80 percent of all organizations experience some form of Web-borne malware.
And these attacks aren’t confined to large, multinational corporations. Cyber criminals frequently target small and midsize businesses. Granted, attacks on SMBs may not be on the same scale as the more well-publicized breaches we hear about in the media. But for a small company, an attack of this size can be just as devastating, if not more so.
3C: Is malware more insidious than most people realize?
Smith: Malware is not just an annoyance or minor inconvenience, it’s the gateway to far more serious problems. Once it affects a single computer, it can quickly spread throughout a network like an out-of-control forest fire. Attackers will use any means to access corporate information. And it all starts with one compromised endpoint.