Gartner predicts that by 2020, 30 percent of global enterprises will have been directly compromised by an independent group of cyber activists or cyber criminals. Cyber crime is now considered a profession; malware and exploit kits are created and sold with guarantees to evade security controls. Further, Gartner estimates that while businesses spent more than $71 billion on information security in 2014, nearly $400 billion was lost globally as a result of cyber crime.
Security today is based on the premise that one can detect whether something is good or bad (e.g., web, email, files). This premise is fundamentally flawed as malware continues to evade even the latest security technologies. In this slideshow, Menlo Security CTO Kowsik Guruswamy has identified five different malware attacks that have had a profound impact on the cyber security industry.
Malware Changing the Security Industry
Regin
Regin has been used to spy on governments, infrastructure operators, businesses, researchers and individuals since at least 2008. Unlike some other APTs, Regin was not designed by someone looking to make a quick buck and escape. This highly sophisticated five-stage threat, with its fully encrypted payloads, modular design and presence in the wild since 2008, is a force to be reckoned with. The ability to extend the core with highly targeted payloads also makes it an extensible malware platform, used for the long-term collection of data and continuous monitoring of individuals. This was the first time we saw this kind of cyber “espionage” used not only against enterprises but also against nations and governments. Despite its sophistication, the infection vector for Regin, also known as the Dropper, was just another browser-based exploit, much like a phishing site.
QWERTY (Regin revisited)
In January 2015, researchers linked the QWERTY keylogger plug-in to the Regin cyber-attack platform through the code published by SPIEGEL. The QWERTY discovery was significant for the security industry; however, Regin malware will continue to pop up in our systems regardless. QWERTY plug-ins are stored inside an encrypted and compressed virtual file system; they don’t exist directly on the victim’s machine in native format. This malware has far outpaced the products that attempt detection with signatures or virtual execution. We live our lives on the web, and web-based infection vectors continue to grow at a rapid pace. These detection mechanisms look for a finite set of patterns, but the number of variations is too large – it’s effectively infinite.
SoakSoak
In December 2014, more than 100,000 WordPress sites were infected by malware called SoakSoak that turned the infected sites into attack platforms. SoakSoak is an example of vulnerable services becoming infection vectors themselves via Internet downloads. With more than 70 million sites using WordPress as their content management system, malware authors have a vast install base on which to leverage any vulnerability that shows up in the publishing platform. At the time, Google flagged 11,000 sites, but that is still not sufficient to track and patch the many infected sites that, unbeknownst to their owners, were being used to serve malware.
Skeleton Key
The cyber kill chain is getting smarter and more sophisticated, and malware that focuses on data exfiltration is on the rise. First seen in January 2015, Skeleton Key targets the keys to the authentication kingdom, namely the Active Directory (AD) domain controller. Starting out by infecting the AD administrators (possibly via the web), this malware subsequently applies an in-memory patch to the AD controller, allowing the attacker to masquerade as any user and gain access to that user’s data and email. Since the malware generates no abnormal network activity, it completely evades existing detection mechanisms. While the CTU researchers did not explicitly discuss the drop phase of the malware, it is likely to be web-borne, and we are not surprised that signature and virtual execution products did not detect and stop it in the first place. As an industry, the real question to ask ourselves is how, not if, these types of malware can be completely eliminated.
Google AdSense (malvertising)
More than 100,000 new websites come online every single day. When scammers began abusing Google AdSense for malvertising in January 2015, a single webpage would load up to eight different third-party scripts, resulting in the fetching of resources from about 250 unique domains. Because Google does not, and cannot, inspect the exact content served up on its platform, it only takes one of the ~1,600 “certified” ad networks to be hijacked. All of this untrusted and unknown content is executed on unsuspecting endpoints, resulting in a tremendous amount of risk any time a user visits a popular website. In this particular instance, the malvertising was aggressive and forced a redirect to a malware-serving page without user interaction. Had the attack been subtler, chances are it would have gone unnoticed for a long time.
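The fan-out described above (eight embedded scripts reaching about 250 domains) comes from each third-party script loading further scripts and pixels of its own. The Node.js script below is an added example, not code from the article or from Menlo Security: it walks a constructed load graph (placeholder hostnames, not real ad networks) from a page URL, counts the origins the browser would actually reach, and reports every host outside an assumed allow-list of vetted domains together with the chain of scripts that pulled it in. The `LOADS` map and `VETTED` list are constructed assumptions for illustration.

```javascript
// Constructed load graph: each URL -> the resources it loads next.
// Hostnames are placeholders (example.* style), not real ad networks.
const LOADS = {
  "https://www.example.com/index.html": [
    "https://www.example.com/app.js",
    "https://tags.example-ads.net/tag.js",
    "https://cdn.example-analytics.org/a.js",
  ],
  "https://tags.example-ads.net/tag.js": [
    "https://bid.example-exchange.com/bid.js",
    "https://sync.example-dsp1.com/px.gif",
  ],
  "https://bid.example-exchange.com/bid.js": [
    "https://creative.example-dsp2.com/c.js",
    "https://sync.example-dsp3.com/px.gif",
  ],
  "https://creative.example-dsp2.com/c.js": [
    // a creative that forces a redirect to a host nobody on the page vetted
    "https://landing.example-unknown.biz/r.html",
  ],
};

const hostOf = (url) => new URL(url).hostname;

// Breadth-first walk from the page URL. Records, for every URL reached, the URL
// that pulled it in (parent) and the depth at which each hostname first appears
// (0 = the page itself, 1 = what the page embeds directly, 2+ = transitive).
function walkLoads(pageUrl, loads = LOADS) {
  const parent = new Map([[pageUrl, null]]);
  const hostDepth = new Map([[hostOf(pageUrl), 0]]);
  const queue = [[pageUrl, 0]];
  while (queue.length > 0) {
    const [url, depth] = queue.shift();
    for (const next of loads[url] || []) {
      if (parent.has(next)) continue; // already reached via another path
      parent.set(next, url);
      if (!hostDepth.has(hostOf(next))) hostDepth.set(hostOf(next), depth + 1);
      queue.push([next, depth + 1]);
    }
  }
  return { parent, hostDepth };
}

// Follow parent links back to the page to show how a resource was reached.
function loadChain(url, parent) {
  const chain = [];
  for (let u = url; u !== null; u = parent.get(u)) chain.unshift(u);
  return chain;
}

// Defender-side check: how many hosts does the page reach in total, and which of
// them fall outside the list of hosts the site owner actually vetted?
function auditPage(pageUrl, allowedHosts, loads = LOADS) {
  const { parent, hostDepth } = walkLoads(pageUrl, loads);
  const allowed = new Set(allowedHosts);
  const unexpected = [];
  for (const [url] of parent) {
    const host = hostOf(url);
    if (allowed.has(host)) continue;
    if (unexpected.some((u) => u.host === host)) continue; // report each host once
    unexpected.push({ host, depth: hostDepth.get(host), chain: loadChain(url, parent) });
  }
  return {
    hostsReached: hostDepth.size,
    directThirdParty: [...hostDepth].filter(([, d]) => d === 1).map(([h]) => h),
    unexpected,
  };
}

// Assumed allow-list: the page's own host plus the two tags its owner chose to embed.
const PAGE = "https://www.example.com/index.html";
const VETTED = ["www.example.com", "tags.example-ads.net", "cdn.example-analytics.org"];
const report = auditPage(PAGE, VETTED);
console.log(`hosts reached: ${report.hostsReached}, embedded directly: ${report.directThirdParty.length}`);
for (const u of report.unexpected) {
  console.log(`${u.host} (depth ${u.depth}) via ${u.chain.join(" -> ")}`);
}
```

With the constructed graph, two directly embedded third-party scripts bring the browser to eight hosts, five of which nobody on the site vetted; the redirect target only appears at depth four, which is why an allow-list applied to the page’s own markup never sees it. In practice the load graph would come from a proxy log or browser network trace rather than a literal map, and the same walk then shows which tag is responsible for each unexpected origin.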
From Safe Software to Pervasive Malware
We are seeing a pattern with Chrome extensions, WordPress plug-ins and the like: software that starts out safe is turned into malware either through exploitation or through a software update. When a user visits a website, it is impossible for existing security mechanisms to detect whether or not that site is serving malware. Even enterprises that have restricted outbound web access could still be easily compromised by a vulnerability like this because of how widespread WordPress is.
Any attempt to categorize a website as good or bad, with respect to malware, is a false notion and we are fooling ourselves into thinking that this is even possible. With billions of dollars being spent on enterprise security, we are nowhere closer to securing our users or making the Internet a safe place. As an industry, we need to step back and think about definitive ways to eliminate attacks, not just detect them or react to them after the damage is already done.