A new malware compromise identified this week was using malware officially signed and provided by its software manufacturer for public download by millions of people. It’s a move that started the week for many organizations in a state of worry.
This week, the Cisco Talos research team disclosed their investigation into a popular software utility, CCleaner, which had been compromised and disseminated to more than 2 million users. Suddenly, a software application used by millions was found to have contained malicious code. The code would be downloaded and further execute additional untrusted and unverified applications.
We are no longer defending solely against unknown applications. We are defending against our blind trust in digital signatures and prevalent applications – applications that gain inherent trust in our minds and in our existing computer protection systems and signatures.
As coffee flows and teams assemble to assess the scope and damage from these events, we should focus on how many organizations find themselves in this reactive position. Network defenders are typically faced with an unending number of threats against their environment through various types of attacks.
While general defenses can be applied to protect against drive-by malware or attacks via email attachments, organizations are continually on the hunt for advanced threats using unknown or uncommon techniques. This vigilance is both technically and emotionally draining on blue teams, who are busy plugging a thousand holes in the dam.
In light of the number of threats facing an organization, many teams begin to rank attack vectors and what the response should be. Each vector is identified, assessed, and prioritized based upon the prevalence of attacks, the ease to respond to them, and the critical damage they could bring.
Due to their wide use and high success rate, attacks via email are often heavily monitored for unusual quantities (thousands of similar emails over a short time period) or unusual attachments. On the opposing end of the spectrum, trained threat hunters continually monitor web server logs and endpoint artifacts to find unusual behavior across the environment in real time.
The near-constant gap in this analysis, as seen by Carbon Black’s Threat Analysis Unit (TAU), is the lack of focus on Potentially Unwanted Programs (PUPs). There are numerous applications that are found within environments that have no business use and are not beneficial to the organization, but are still allowed as they are deemed benign and useful to a few.
These applications range from user-installed browser plugins to applications that monitor your local system for necessary updates. The issue becomes worse as such programs issue software updates on a very frequent basis. A new update every few months can attract an analysis to spend a few minutes to review the program and ensure that it is still safe. New updates every two weeks, or every month, can exhaust the attention of defenders until they eventually turn a blind eye to offending applications. The end result is that as soon as malicious activity does occur, it is easily dismissed as just a fluke artifact of a program that’s been allowed for years.
Carbon Black’s research team identified similar attacks early in 2017, and Red Canary reported events just prior, when an investigation showed an adversary within the Ask Partner Network (APN) signing malware with an authentic digital signature and pushing it to customers as software updates. That event was very similar. A long-allowed browser plug-in obtained a regular update that immediately downloaded malware for remote attacks. Adversaries were then able to quickly act and try and take control of the system and steal information before they were eventually blocked by automated endpoint defenses.
The now-famous Petya/NotPetya malware, which Cb Threat Research analyzed during its time of attack, was identified as potentially originating from a software update to a very specific application, MeDoc. Numerous research teams found artifacts that suggest an adversary was able to gain control of this update channel to send NotPetya to targeted systems which, in turn, would infect systems around them using the EternalBlue vulnerability.
Earlier this year as well, RSA Research identified a supply chain attack using very similar activity. Named KingSlayer, an adversary leveraged the update channel of a legitimate application used by network administrators to troubleshoot servers. Upon downloading malware signed by the company, these servers immediately began infecting themselves and giving control to the adversary.
There are no easy methods to prevent these styles of attack. As adversaries hijack official channels and are often using trusted digital signatures, their presence tends to fly under the radar until a compromised system starts exhibiting unusual behavior. However, at that point, the security team is already in a post-compromise incident response and not a proactive threat-hunting mode.
With attacks leveraging software such as CCleaner, effective defenses must be designed to overcome a large amount of trust and bias. There are many static indicators to suggest that these malicious files are legitimate: digitally signed, contained appropriate metadata, downloaded from legitimate website, released on their standard schedule, performed all expected functionality. However, the malicious intent is only realistically uncovered through its eventual behavior on the endpoint. Behavioral detection is poised to address this aberrant activity by detailed event stream processing: correctly inferring malicious intent based on how an executable differs from its norm.
While this new attack highlights the dangers of trusted applications being exploited, the only novelty is in the attack vector used. Security operations with a proper baseline of their endpoints, combined with active and ongoing monitoring, could quickly identify the malicious behavior as it was occurring, regardless of its origin. Understanding what is normal in your environment and being able to quickly identify and remediate abnormalities is the goal that all security teams should strive to reach. With that knowledge there will be few threats that will be able to clean up after themselves.