RealClear @ 44Con London and Advanced Persistent Threats

Last month RealClear IT Support attended the 44Con IT security conference in London. There were lots of interesting talks given, including those on threat intelligence, network security, application security, operating system attacks and hardware hacks.

But one of the consistent themes of the conference and one of the areas which is keeping CIOs awake at night is that of the Advanced Persistent Threat. APTs are targeted, persistent, multi-phased and sophisticated threats which operate in stealth mode on the modern computer network. Their ultimate goal is to exfiltrate data back from a business or organisation to the attacker’s “command and control” centre. This might sound all very X-files-like, but APTs have become a reality in today’s threat landscape. With traditional security defences in place, they can go unnoticed in your network for years.

One of the first high-profile APT attacks was discovered in 1998, when a computer technician at ATI Corp, an American-based company, identified a remote access connection on their network to a US Air Force base. The RAT (remote access Trojan) was initiated every morning at 3am. The technician reported his findings to law enforcement. A specialised team of military and information security specialists from the US government was mustered. After months of research, “Operation Moonlight Maze” found that several businesses and universities were being used extensively as proxies for attacks. RAT connections proxied through local businesses and universities are much less suspicious than those emanating from Russia or China. The attackers used Telnet and FTP to exfiltrate thousands of classified documents from US military sources.

Since these attacks, several other high-profile APTs have been discovered, including those which infected RSA (ironically a computer security company) and the New York Times. In 2011, RSA, a leading provider of two-factor authentication security tokens to banks, finance and healthcare organisations, got hit by an APT. As with Moonlight Maze, the FTP protocol was used to exfiltrate files, which compromised their SecurID system.

The New York Times was attacked by an APT in 2012 when their journalists started investigations into the relatives of Wen Jiabao, the then Chinese prime minister. The threat went unnoticed for months. Corporate passwords for every journalist were stolen. Over 45 pieces of custom malware were installed. Their Symantec endpoint security software, which the company was using to protect their PCs, identified only one of these (which it quarantined).

Vectors of attack

One worrying aspect of the APT threat is the simplicity of their initial attack vector. For example, the RSA hack was traced back to just one phishing email sent to a member of their administrative staff. It contained an Excel worksheet which was completely blank except for an “X” letter in one of the spreadsheet’s cells. Out of curiosity the employee clicked on it, but nothing appeared to happen. Unbeknownst to them or the firm’s security team, the Excel sheet had an embedded Flash exploit called “Poison Ivy” which, when clicked, got activated and then connected to the attacker’s command-and-control server. A payload was then surreptitiously downloaded. This seemingly innocuous action gave the attackers the keys to the kingdom as it were. The compromised system was used as a launch pad for other attacks across the New York Times computer network.

There are several other examples of how APTs exploit a seemingly small vulnerability. The “Duqu” malware strain, discovered in September 2011, exploited a TrueType font vulnerability in a Microsoft Word document as its initial attack vector. The payload installs malware which subsequently connects to the attacker’s command-and-control servers via TCP ports 80 and 443 using a custom protocol. For traffic bound for port 80, Duqu uses steganography to encode data and attach it to JPEG files. It uses XOR encryption to encrypt data captured by its keylogger.

“Flame” is another piece of malware used in APT attacks. Discovered in 2012, it propagates via USB devices and a bogus Windows Update Service (a favourite strategy of the NSA also…). With a paltry size of just 20MB, it can take screenshots, intercept email and activate PC microphones. It communicates back to its command-and-control server over HTTP, HTTPS and SSH. Using such prosaic protocols makes it easy to slip under the radar of even the most sophisticated firewalls.

Or consider “Red October”, which steals information from iPhones by using SNMP brute forcing. Once installed, it collects data via a plugin for Microsoft Office and Adobe Reader. It evades detection by encrypting its main executable with XOR encryption. For initial infection, Red October uses infected Word and Excel documents, which are propagated via phishing attacks.
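The XOR encryption described above for Duqu and Red October hides an executable from a plain signature match, but a fixed one-byte key can be recovered by trying all 256 values. The following is an added example, not code from the original article or from any vendor's scanner; it assumes a single-byte key (the article does not state the key length), and the sample blob is constructed.

```python
DOS_STUB = b"This program cannot be run in DOS mode"  # text in most PE files
MZ = b"MZ"                                            # PE magic bytes
PREFIX = b"%DOC-constructed%" + bytes(range(64))      # constructed carrier data


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)


def build_sample(key: int) -> bytes:
    """Constructed test blob: a fake PE header XORed with key inside a carrier."""
    fake_pe = MZ + bytes(62) + b"\x0e\x1f\xba\x0e" + DOS_STUB + b".\r\r\n$"
    return PREFIX + xor_bytes(fake_pe, key) + b"constructed-trailer"


def signature_match(blob: bytes) -> bool:
    """What a naive static signature does: look for the plaintext marker."""
    return DOS_STUB in blob


def find_xored_pe(blob: bytes) -> list:
    """Return (key, offset of MZ) for every one-byte key that reveals a PE header.

    Key 0 means the executable is stored unobfuscated.
    """
    hits = []
    for key in range(256):
        # XOR the marker rather than the whole blob: same result, less work.
        needle = xor_bytes(DOS_STUB, key)
        pos = blob.find(needle)
        while pos != -1:
            # The MZ magic precedes the stub text by well under 256 bytes.
            mz = blob.rfind(xor_bytes(MZ, key), max(0, pos - 256), pos)
            if mz != -1:
                hits.append((key, mz))
            pos = blob.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    sample = build_sample(0x5A)
    print("plain signature match:", signature_match(sample))
    for key, offset in find_xored_pe(sample):
        print(f"PE header at offset {offset} under XOR key {key:#04x}")
```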

Implications for your business

Initially, most of these attacks did not use highly sophisticated approaches to hack their victims. They used what could be described as “everyday software” coupled with social engineering (phishing) to launch. In your business environment, there are some simple steps you can take to counter such threats.

Office and Adobe PDF documents should be opened with extreme prudence. Users should be trained to spot anomalous emails and attachments and know how to manage them securely.

You should be using a recent version of Microsoft Office for maximum protection. Every version since Microsoft Office 2010 has included “protected view” functionality, which acts as a sandbox and allows documents from untrusted sources to be opened in a safer way. Alternatively, you could use the free LibreOffice suite, but this does not suit every business environment.

Antivirus products alone cannot be trusted as most of these still use signature-based scanning, which cannot detect zero-day vulnerabilities. The New York Times hack has shown us that 44 out of 45 strains of malware went undetected by their Symantec endpoint security software. Ancillary software like Java and Flash player should always be kept up-to-date.

All your operating systems should be fully patched and updated. This includes users of Mac OS X (many of whom still believe that “only Windows users get viruses”). Be suspicious of update requests that appear out-of-the-blue. You can update your OS manually or, if you want to automate it a little, use software like Personal Software Inspector from Flexera Software (Windows).

A stateful application-layer firewall should be used. These can be effective in detecting connections from anomalous servers and can detect custom protocols. Moreover, this type of firewall will drop encrypted traffic that it cannot decode.

A host-based intrusion detection system (HIDS) will be much more effective than anti-virus solutions for detecting more sinister threats. These can perform log analysis, Windows registry monitoring and rootkit detection. Moreover, a HIDS will be more likely to detect malicious process injection from Office documents.
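Log analysis is what surfaces a pattern like the Moonlight Maze connection that started every morning at 3am. The following added example (not from the original article or from any HIDS product) flags outbound flows that recur at the same off-hours time on several days and notes when they use FTP or Telnet; the log format, the 10.0.0.0/8 internal range and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address range
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}  # protocols named in the article

# Constructed log: timestamp, source, destination, dest port, bytes sent.
SAMPLE_LOG = """\
2024-03-04T03:00:12 10.0.0.23 198.51.100.7 21 48211300
2024-03-04T09:14:51 10.0.0.40 203.0.113.9 443 5120
2024-03-05T03:00:09 10.0.0.23 198.51.100.7 21 51023877
2024-03-05T14:02:33 10.0.0.40 203.0.113.9 443 7301
2024-03-06T03:00:15 10.0.0.23 198.51.100.7 21 49977102
2024-03-06T11:45:00 10.0.0.51 10.0.0.5 23 900
"""


def parse(log):
    """Yield (datetime, src, dst, port, bytes_sent) for each log line."""
    for line in log.splitlines():
        ts, src, dst, port, sent = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(sent)


def find_suspects(log, min_days=3, jitter_min=10, night_end_hour=6):
    """Flag outbound flows that recur at the same off-hours time each day."""
    flows = defaultdict(list)
    for ts, src, dst, port, sent in parse(log):
        if ip_address(dst) in INTERNAL:
            continue  # only traffic leaving the network is of interest here
        flows[(src, dst, port)].append((ts, sent))
    findings = []
    for (src, dst, port), events in flows.items():
        minutes = [ts.hour * 60 + ts.minute for ts, _ in events]
        days = {ts.date() for ts, _ in events}
        at_night = all(ts.hour < night_end_hour for ts, _ in events)
        same_time = max(minutes) - min(minutes) <= jitter_min
        if len(days) >= min_days and at_night and same_time:
            findings.append({
                "src": src, "dst": dst, "port": port, "days": len(days),
                "bytes_out": sum(sent for _, sent in events),
                "cleartext": CLEARTEXT_PORTS.get(port),  # None if not FTP/Telnet
            })
    return findings


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

Only the workstation that sends data to the same external host at about 03:00 on three consecutive days is reported; the daytime HTTPS flow and the internal Telnet session are not.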

There is no magic bullet for IT security, but having a layered approach greatly enhances your security and reduces the risk of your systems being compromised.

Concerned about IT security? You can contact RealClear IT support in Dublin on 01 – 685 4833. Fast remote IT support nationwide. On-site IT support for the Dublin area. Practical and no-nonsense advice.