In: Computer Science
Research the methods attackers are using to bypass virus scanners to get users to run malicious code. Theorize some mitigation methods
Methods attackers are using to bypass virus scanners:
1. Script-based attacks
In a script-based or "fileless" attack, the malware is actually a script that runs in an existing, legitimate application to leverage PowerShell or use other already-installed Windows components. There's no new software being installed, so many traditional defenses are bypassed.
According to Ponemon, these kinds of attacks are significantly more likely to result in a successful breach, and they're going up, from 30% of all attacks in 2017 to 35% last year. "There would be very few artifacts — for example no actual malware binary to scan," says Jérôme Segura, senior security researcher at Malwarebytes.
There could be some network traffic that could be picked up by security systems. "However, attackers can encrypt those communications as well and use a trusted communication route to exfiltrate the data quietly," he says.
According to the Symantec Internet Security Threat Report, released earlier this year, the use of malicious PowerShell scripts increased 1000% last year. Attackers use PowerShell by, for example, executing commands that are not readable by humans such as base64-encoded commands, says Naaman Hart, cloud services security architect at Digital Guardian. "PowerShell is a necessity these days and therefore it’s generally always available for exploit."
The key to catching these kinds of attacks is to look for instances where common applications are executing uncommon operations, Hart says. "If, for example, you tracked the last thousand executed commands in your environment, you’d be looking for the ones that occurred less than five times," he says. "This will generally lead to the uncommon commands, which are more often than not the ones that are nefarious."
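As an added example of Hart's rare-command hunting (not code from the original answer or from any of the people quoted): it counts how often each command line was executed over a constructed sample, surfaces the ones seen fewer than five times, and decodes any base64 -EncodedCommand argument so an analyst can read what a rare PowerShell invocation actually does. The command lines and the encoded script are constructed.

```python
import base64
from collections import Counter

# Constructed process-creation command lines (not real telemetry); in practice these
# would come from Sysmon event 1 or Windows security event 4688.
ENCODED = base64.b64encode("Write-Output placeholder".encode("utf-16le")).decode()
SAMPLE_COMMANDS = (
    ["svchost.exe -k netsvcs"] * 12
    + ["explorer.exe"] * 8
    + ["powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"] * 6
    + ["powershell.exe -nop -enc " + ENCODED] * 2
    + ["msiexec.exe /i C:\\installers\\tool.msi /qn"]
)


def rare_commands(commands, threshold=5):
    """Return (command, count) pairs executed fewer than `threshold` times, rarest first."""
    counts = Counter(commands)
    return sorted(((c, n) for c, n in counts.items() if n < threshold), key=lambda x: x[1])


def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand (or an accepted prefix).

    powershell.exe accepts -e, -ec and any prefix of -EncodedCommand from -enc onward;
    the argument is base64 of UTF-16LE text, which is why it is unreadable in logs.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        flag = tok[1:].lower()
        if flag in ("e", "ec") or (len(flag) >= 3 and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(commands, threshold=5):
    """Map each rare command line to (count, decoded PowerShell payload or None)."""
    return {cmd: (n, decode_encoded_powershell(cmd))
            for cmd, n in rare_commands(commands, threshold)}


if __name__ == "__main__":
    for cmd, (n, decoded) in triage(SAMPLE_COMMANDS).items():
        print(f"{n:>3}x {cmd[:60]}  decoded={decoded!r}")
```

Rarity alone is a lead, not a verdict: the one-off msiexec line is also surfaced, and the analyst decides which rare commands deserve follow-up.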
2. Hosting malicious sites on popular infrastructure
Many security platforms defend against phishing attacks by preventing users from clicking on malicious links. For example, they might check if a particular IP address has been associated with other malware campaigns. "However, if you host it on something like Azure or Google cloud, then this is infrastructure that is widely used and cannot be blacklisted," says Segura. Slack, GitHub, and other collaboration tools can also be used to help bypass defenses.
Once malware has already been installed, it often communicates back to command-and-control (C&C) servers to get instructions for what to do next and to exfiltrate data. Again, this communication channel can be disguised if the C&C server is hosted on an otherwise legitimate platform.
Plus, these services have built-in encryption features, says Liviu Arsene, senior e-threat analyst at Bitdefender. Even online photo-sharing sites can be used as part of attacks. "Attackers create social media accounts and upload photos that contain hidden code or instructions within the image," he says. "The malware is then instructed to simply access the account, look at the most recent picture, pull the set of instructions hidden in the image, and then execute the instructions."
To the IT department and corporate security teams, it will just look as if the employee is browsing social media. This is hard to catch. Even the latest generation of endpoint protection technology will have trouble since the attackers are mimicking normal user behavior.
To guard against this, defenders may want to look for instances where these otherwise normal communications are taking place at unusual times, or when an application isn't typically used by a department.
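An added illustration of the baseline approach just described (constructed data, not code from the original answer): it learns which services each department normally reaches and at which hours, then flags new connections that fall outside those hours or come from a department that has never used the service. Department names, services and hours are constructed.

```python
from collections import defaultdict

# Constructed proxy-log style records (department, destination service, hour of day);
# real data would come from a web proxy or firewall export covering a learning window.
BASELINE = (
    [("marketing", "social-media", h) for h in range(9, 18) for _ in range(4)]
    + [("engineering", "github", h) for h in range(8, 20) for _ in range(3)]
    + [("finance", "erp", h) for h in range(8, 18) for _ in range(5)]
)

NEW_EVENTS = [
    ("marketing", "social-media", 14),   # inside normal hours: expected
    ("marketing", "social-media", 3),    # 03:00 is outside everything seen for this pair
    ("finance", "social-media", 10),     # finance has never reached this service
    ("engineering", "github", 19),       # edge of the observed range, still expected
]


def build_baseline(events):
    """Map (department, service) -> set of hours at which that pairing was observed."""
    hours = defaultdict(set)
    for dept, svc, hour in events:
        hours[(dept, svc)].add(hour)
    return hours


def score_event(baseline, event):
    """Return a reason string if the event departs from the baseline, else None."""
    dept, svc, hour = event
    seen = baseline.get((dept, svc))
    if seen is None:
        return f"{svc} never used by {dept}"
    if hour not in seen:
        return f"{svc} from {dept} at {hour:02d}:00, outside observed {min(seen):02d}-{max(seen):02d}"
    return None


def flag_events(baseline_events, new_events):
    """Return [(event, reason)] for the new events worth an analyst's attention."""
    baseline = build_baseline(baseline_events)
    return [(e, r) for e in new_events if (r := score_event(baseline, e))]


if __name__ == "__main__":
    for event, reason in flag_events(BASELINE, NEW_EVENTS):
        print(event, "->", reason)
```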
The technique of hiding commands in images, called steganography, can also be used to hide commands in image attachments. In May, ESET published a report about Turla LightNeuron, a backdoor designed to target Microsoft Exchange mail servers. According to ESET, LightNeuron uses emails to communicate with its command and control servers, and hides the messages in image attachments, such as PDFs or JPGs.
3. Poisoning legitimate applications and utilities
Every enterprise has a multitude of third-party apps, tools and utilities used by employees. If attackers compromise those applications by getting into the companies that develop them, into the upgrade utilities, or into the codebase of open source projects, they can install backdoors and other malicious code. "For example, CCleaner, a popular computer utility for cleaning potentially unwanted files and registry entries from a computer, was tainted with a backdoor," says Arsene.
According to the Symantec Internet Security Threat Report, the number of attacks that targeted the software supply chain rose by 78% in 2018.
Open-source code is particularly vulnerable, says Tim Mackey, principal security strategist at Synopsys. First, attackers contribute a legitimate bug fix or software improvement that actually works. "The legitimate code is there to mask any malicious code in an effort to pass the review process," he says.
If the review process doesn't vet the full functionality of the contribution, the contribution becomes part of a future release of the software, Mackey says, "but more importantly could become part of a branch of that component embedded into commercial software packages."
To defend against this, enterprises and software developers must be careful to inspect software for open-source code, Mackey says, and then map that code back to its precise origin so that it can be removed or remediated quickly once spotted.
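As an added example of Mackey's advice (a constructed inventory, not the page's code or any real SBOM tool): every shipped product or embedded component records its origin and what it embeds, and forks record the upstream release they were cut from. Given one tainted open-source release, the walk reports every product that transitively carries it, including through a vendor fork, with the chain by which it got there and the origins that must ship a fix. Product and component names and the example.invalid URLs are constructed.

```python
# Constructed inventory (not a real SBOM): every shipped product or embedded component
# records its origin and the components it embeds; forks record the upstream release
# they were cut from. URLs use the reserved example.invalid domain.
INVENTORY = {
    "acme-suite:3.1": {"origin": "internal", "embeds": ["libparse:2.4", "vendor-sdk:1.0"]},
    "vendor-sdk:1.0": {"origin": "https://example.invalid/vendor/sdk",
                       "embeds": ["libparse:2.5-vendorfork"]},
    "libparse:2.4": {"origin": "https://example.invalid/oss/libparse", "embeds": []},
    "libparse:2.5": {"origin": "https://example.invalid/oss/libparse", "embeds": []},
    "libparse:2.5-vendorfork": {"origin": "https://example.invalid/vendor/libparse-fork",
                                "upstream": "libparse:2.5", "embeds": []},
    "reporter:1.2": {"origin": "internal", "embeds": ["libparse:2.5"]},
}


def is_tainted(inventory, name, tainted):
    """Directly tainted: the tainted release itself, or a fork cut from it."""
    return name == tainted or inventory.get(name, {}).get("upstream") == tainted


def taint_path(inventory, name, tainted, stack=frozenset()):
    """Return the embedding chain from `name` down to tainted code, or None if clean."""
    if name in stack:            # cyclic inventory entries: do not recurse forever
        return None
    if is_tainted(inventory, name, tainted):
        return [name]
    for child in inventory.get(name, {}).get("embeds", []):
        path = taint_path(inventory, child, tainted, stack | {name})
        if path:
            return [name] + path
    return None


def affected(inventory, tainted):
    """Map every affected entry to the chain by which it acquires the tainted code."""
    result = {}
    for name in inventory:
        path = taint_path(inventory, name, tainted)
        if path:
            result[name] = path
    return result


def remediation_origins(inventory, tainted):
    """Origins that must ship a fixed release: those of directly tainted entries."""
    return sorted({e["origin"] for n, e in inventory.items() if is_tainted(inventory, n, tainted)})


if __name__ == "__main__":
    for name, chain in affected(INVENTORY, "libparse:2.5").items():
        print(name, "<-", " -> ".join(chain))
    print("fix at:", remediation_origins(INVENTORY, "libparse:2.5"))
```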
4. Sandbox evasion
One common feature of next-gen endpoint protection platforms is sandboxing, where unknown malware is detonated within a safe, virtual environment. This is a useful technique when attackers are constantly modifying malware so that it isn't picked up by signature-based defenses.
"A hacker can also easily bypass such filters," says Oliver Münchow, founder at Lucy Security. They do this by writing the malware in such a way that it only activates the bad behavior outside the sandbox. For example, it might only activate when a real person interacts with it, or when other criteria are met.
There might be a delay, for example. Malware might wait hours, or days, or even weeks before it detonates, allowing the infection to spread as far as possible before the payload is triggered. Or the malware can simply check if it's running in a hypervisor environment. For example, the latest version of the JasperLoader malware queries the Windows Management Instrumentation subsystem to find out where it's running, and if it's on VirtualBox, VMware, or KVM it terminates execution, according to a May report from Cisco Talos.
5. Unpatched vulnerabilities
EternalBlue, a security tool first developed by the National Security Agency (NSA), was leaked online in 2017. Since then, EternalBlue has been implicated in attacks against the British healthcare system, a $400 million attack on FedEx, a $670 million attack on Merck, and many other targets — even though Microsoft had quickly released a patch.
Most recently, Baltimore was hit by a ransomware attack that reportedly used the EternalBlue vulnerability. And Baltimore isn't alone. According to security firm ESET, the number of attack attempts involving EternalBlue has been rising since 2017 and reached historic peaks this spring. Almost a million machines in the world still use the obsolete, vulnerable SMB v1 protocol, and more than 400,000 of them are in the U.S., ESET reported.
According to Ponemon, 65% of organizations said that keeping up with patches was challenging or extremely challenging.
6. Taking down the security agents
The average device has ten security agents. That's a lot of endpoint protection. However, it isn't always as effective as it could be. To start with, the agents overlap, collide and interfere with one another. At any given point in time, 7% of endpoints are missing protection and 21% have outdated systems.
Even if the endpoint protection security is installed, up-to-date and fully effective, once attackers gain a foothold — such as by the use of EternalBlue — they have several ways to turn off endpoint protection services. For example, they can use an existing legitimate application such as PowerShell, says Humberto Gauna, consultant at BTB Security.
They can also launch a denial of service attack against the endpoint security agents, overwhelming them so that they are no longer able to function, or they might be able to take advantage of agents that haven't been properly configured, Gauna adds. Then, attackers make changes to the registry to escalate privileges, so that they can override the endpoint protection services once they resume.
The way to protect against it is by creating a more rigorous privilege hierarchy, Gauna says, and by consistent patching.
All the above methods are sophisticated. They typically show up in attacks from nation-state attackers.
Well, they used to. Now, they're being used by a much broader set of attackers, says Justin Shattuck, director of threat research at Baffin Bay Networks, a cybersecurity company based in Sweden. "This is really problematic," he says.