Tag Archives: Endpoint Protection

Some thoughts on “Zero-Day Exploits – Your Days are Numbered!”

23 April 2017

The Bromium Micro Virtualization Technology is indeed a game changer in the protection against zero-day exploits, unfortunately only for Microsoft Windows-based devices.

Smart devices like smartphones, tablets or phablets are increasingly replacing the classic devices, with the consequence that overall security is reduced, because in general no endpoint protection is available for those devices.

My worst nightmare: A tablet user downloads a Word document with a zero-day exploit to an on-premise file share and opens it with Word for Windows on his laptop.

Thus, an additional endpoint protection solution, e.g. a Secure Web Gateway, is required to protect the users of smart devices, and the entire company, against internet-borne threats.

From my point of view, micro virtualization is a great means of protecting classic computing devices against zero days. But to avoid blind spots, it must be embedded in an overall endpoint protection strategy.

Have a good weekend.

IBM Webinar: Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching

22 October 2016

On Tuesday, I watched the IBM webinar ‘Force the Bad Guys to Use Zero Day Exploits with Continuous Endpoint Enforcement and Patching’.

On slide 3 one could read the really interesting statement ‘NSA: no zero days were used in any high profile breaches over last 24 months’.

Slide 3 - Force the Bad Guys to Use Zero Day Exploits — and Why That’s a Good Thing

Curtis Dukes, deputy national manager of security systems within the NSA, said that the NSA has been involved in incident response or mitigation efforts for all ‘high profile incidents’ one has read about in the Washington Post or the New York Times.

In all these incidents the attackers used fairly simple techniques such as spear phishing, watering-hole attacks and USB-drive delivery to get onto the victims’ networks.

In the last 24 months, not one zero day has been used in these high profile intrusions.

That is a very interesting insight. Moreover, Curtis Dukes said that

The fundamental problem we faced in every one of those incidents was poor cyber hygiene.

The central idea of the webinar is to harden all systems by applying at least all existing patches for the known vulnerabilities, and in a timely manner. For most organizations this is a great challenge: Applying an endless stream of operating system and application patches to thousands of servers and endpoints is a never-ending nightmare. But it is essential in order to hinder an attacker who has managed to get onto the network from moving laterally across it.

If an attacker cannot exploit existing vulnerabilities, he is forced to install hacking tools from his C&C server. But this increases the likelihood of detection, because the attacker creates anomalies which can be detected, e.g. by a current anti-malware solution or a well-tuned SIEM system.

It is important to recognize that cyber hygiene must not be restricted to patching and password rules. Operating systems offer lots of powerful built-in tools, e.g. PowerShell, which an attacker can use to move laterally across the network. Such movements are much harder to detect, because they are very similar to standard user behavior. Pass-the-hash attacks are another example where patching is of limited value only.
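The kind of anomaly a well-tuned SIEM could flag in the lateral-movement and pass-the-hash scenario described above, as an added example that is not from the post or the webinar: two heuristics run over constructed, simplified Windows logon events (the field names, sample hosts, accounts and thresholds are assumptions for illustration).

```python
"""Heuristic lateral-movement checks over simplified Windows logon events.

Added example. Records are a constructed, reduced view of Security event 4624
(successful logon): time, account, source host, target host, logon type and
authentication package. Thresholds are assumptions, not vendor defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal day plus one account fanning out over NTLM
EVENTS = [
    ("2016-10-18 09:00:00", "alice", "WS01", "FS01", 3, "Kerberos"),
    ("2016-10-18 09:01:00", "alice", "WS01", "FS01", 3, "Kerberos"),
    ("2016-10-18 13:00:00", "svc_backup", "WS07", "FS01", 3, "NTLM"),
    ("2016-10-18 13:00:20", "svc_backup", "WS07", "FS02", 3, "NTLM"),
    ("2016-10-18 13:00:40", "svc_backup", "WS07", "DC01", 3, "NTLM"),
    ("2016-10-18 13:01:05", "svc_backup", "WS07", "SQL01", 3, "NTLM"),
    ("2016-10-18 13:05:00", "bob", "WS02", "FS02", 3, "Kerberos"),
]

def parse(rec):
    t, acct, src, dst, ltype, pkg = rec
    return {"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "account": acct,
            "src": src, "dst": dst, "logon_type": ltype, "auth": pkg}

def ntlm_network_logons(events):
    """Network logons (type 3) authenticated with NTLM in a Kerberos domain.
    A classic pass-the-hash indicator: not proof, but worth an analyst's look."""
    return [e for e in events if e["logon_type"] == 3 and e["auth"] == "NTLM"]

def fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """One account reaching >= min_hosts distinct targets from one source host
    inside a short window: the footprint of scripted lateral movement."""
    hits = {}
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["account"], e["src"])].append(e)
    for key, evs in by_key.items():
        for i, start in enumerate(evs):
            targets = {x["dst"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(targets) >= min_hosts:
                hits[key] = sorted(targets)
                break
    return hits

if __name__ == "__main__":
    parsed = [parse(r) for r in EVENTS]
    print("NTLM network logons:", [(e["account"], e["dst"]) for e in ntlm_network_logons(parsed)])
    print("fan-out:", fan_out(parsed))
```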

It is very important to understand what threats a security solution mitigates. But it is of crucial importance to know the gaps and to have some ideas on how to deal with them effectively.

Have a good weekend.

Canadian hospital under attack

26 March 2016

Reports on cyber-attacks don’t come to an end. Cyber-criminals seem to focus in particular on hospitals this year. In the case of the Norfolk General Hospital, attackers modified the hospital’s homepage to serve the TeslaCrypt ransomware to unsuspecting visitors. The ransomware is delivered by drive-by download when the page is opened – you don’t even need to click on anything on the page.

However, this does not mean that spear-phishing with malicious attachments has gone out of fashion. Cyber-criminals use a range of attack methods, and outdated application middleware on an Internet-facing server is a worthwhile target.

On Tuesday I got two spear phishing emails directly in my inbox. A quick check on VirusTotal showed that these were two zero days.

Two hours later, now at home, I analyzed the attachments in more detail. Both attachments contained the same ransomware, but in different document formats. By then the attachments were detected by 6 of 56 anti-malware systems on VirusTotal, e.g. by TrendMicro as W2KM_DRIDEX.YYSSH or by Avira as W2000M/Dldr.Agent.19573. That’s a reasonable result for classic anti-malware systems, although it means that the anti-malware systems left users unprotected for about 4 hours.

The VBA project with the auto-open macro was password protected. But LibreOffice Writer was able to display the macros; it simply bypasses the obviously weak VBA project protection of Microsoft Office.

W2KM_DRIDEX.YYSSH Code Sample

The auto-open macro creates a file dsfsdfsdf.vbe, submits the file to the C&C server, downloads an executable named Fuckyourself.ass and runs it. Fuckyourself.ass is detected e.g. by Microsoft as Backdoor:Win32/Drixed and by ESET as Win32/Dridex.AA.

COMODO File Execution Message

A next-gen endpoint protection solution would have containerized or blocked at least the critical event of executing dsfsdfsdf.vbe. An infection with Dridex would have been prevented, and this without any delay for updating malware patterns.

Happy Easter!

Consumers cut off from progress in endpoint protection?

23 January 2016

The Dridex banking Trojan is back from the ashes like the Phoenix. In his post ‘Dridex malware adopts redirection attacks to target high-value UK banking customers’, published on 20 January 2016 on the security blog GrahamCluley, David Bisson clearly shows that the Trojan attacks banks and end users with terrifying speed.

How can end users protect themselves?

‘As for ordinary users, maintaining an updated anti-virus solution and refusing to click on suspicious links will go a long way towards protecting your life savings from low-life criminals.’

To be honest, the advice to keep the anti-virus solution up to date creates a false sense of security. Let me give you a current example.

Last Tuesday I got an email with an attachment containing the malware ‘VirTool:Win32/CeeInject.GF’. I uploaded the attachment to VirusTotal for inspection and found that only 8 of 54 anti-virus solutions identified the malware, although the malware or a variant was first published about 9 months ago:

Table 1: Result of first scan

These are definitely not the heavyweights in the consumer market. 7 hours later only 12 of 54 anti-virus solutions identified the malware. For the development over the next days see the following table:

Table 2: Changes in identification rate

In the worst case consumers were unprotected for about 2 days. Moreover, up to yesterday evening 22 of 54 anti-virus solutions had still not identified the malware.
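The detection-rate arithmetic behind Table 1 and Table 2 (and behind the VirusTotal listing at the end of this page), as an added example that is not part of the original post: a parser for that plain-text listing format plus a comparison of two scans showing which engines started flagging a sample. The two scans below are constructed for illustration; the detection names reuse ones that appear on this page, the numbers are not the real results.

```python
"""Parse VirusTotal-style scan listings and compare two scans over time.

Added example. Line format as in the listing at the end of this page:
vendor, optional detection name (any words in between), and the engine's
last-update date as the final YYYYMMDD token. An empty name means the
engine did not flag the file.
"""
import re

LINE = re.compile(r"^(\S+)\s*(.*?)\s*(\d{8})$")

def parse_scan(text):
    """Return {vendor: detection name or None} for one listing."""
    results = {}
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header line or blank line
        vendor, name, _date = m.groups()
        results[vendor] = name or None
    return results

def detection_rate(scan):
    """(detected, total), the '8 / 54' figure quoted in the post."""
    return sum(1 for name in scan.values() if name), len(scan)

def diff_scans(earlier, later):
    """Vendors that began (gained) or stopped (lost) flagging the sample."""
    gained = sorted(v for v in later if later[v] and not earlier.get(v))
    lost = sorted(v for v in earlier if earlier[v] and not later.get(v))
    return gained, lost

# Constructed sample: first scan, and a rescan some hours later
SCAN_1 = """AntiVirus Result Last Update
Avast Win32:Malware-gen 20160119
Microsoft VirTool:Win32/CeeInject.GF 20160119
ESET-NOD32 20160119
Kaspersky 20160119
Sophos 20160118
"""
SCAN_2 = """AntiVirus Result Last Update
Avast Win32:Malware-gen 20160119
Microsoft VirTool:Win32/CeeInject.GF 20160119
ESET-NOD32 a variant of Win32/Kryptik.DSND 20160119
Kaspersky 20160119
Sophos Mal/Generic-S 20160119
"""

if __name__ == "__main__":
    s1, s2 = parse_scan(SCAN_1), parse_scan(SCAN_2)
    print("first scan: %d / %d" % detection_rate(s1))
    print("rescan:     %d / %d" % detection_rate(s2))
    print("newly detecting / dropped:", diff_scans(s1, s2))
```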

Advanced endpoint security tools would definitely do better. Unfortunately the vendors of such solutions focus on business customers.

In the latest issue of the Cyber Intelligencer Michael Applebaum writes:

‘What the industry desperately needs is rigorous, scientifically validated third-party testing of endpoint security technologies, across a range of real-world scenarios. Invincea has been prominently calling for this and we hope to see progress in 2016 by reputable third parties.’

Even more than the industry, consumers need decision-making aids for protecting themselves effectively against malware. At the moment they are not participating in the progress in technology at all.

As always the user is the first and best line of defense. ‘Check twice before you click on whatever links or attachments’, is the best possible advice.

Have a good weekend, and, don’t rely too much on your anti-virus solution!

The Sum of all Gaps

18 January 2016

In the 11 January issue of the Cyber Intelligencer Invincea’s COO Norm Laudermilch talks about the difficulties in evaluating the effectiveness of endpoint security products:

‘The key is to understand what part of the threat landscape a product covers, the scope of the protection, the efficacy of that protection, and how it fits with the rest of your security and IT architecture.’

Very well said! But it is important to take the next step: once this evaluation has been conducted, the sum of all gaps, i.e. the residual risk, can be grasped.

In my opinion this is the most important information. It shows the critical vulnerabilities and, when related to the current overall threat landscape, the direction for further investments. A CISO is well advised to do this matching regularly.

Have a good day.

The Rebirth of Endpoint Security

24 October 2015

Last Wednesday I listened to an interesting story on Information Week Dark Reading Radio. The half-hour show titled Endpoint Security Transformed is worth listening to. In her excellent post on the same subject Kelly Jackson Higgins, the host of the show, gives a great introduction to this emerging technology and market.

Endpoint protection has been poorly treated for many years. The focus was laid on detection. But the major attacks of the past years show that once an attacker has gained access to the network this is not enough, because insider threats are hard to detect.

This quotation from Paul Calatayud, CISO of Surescripts, sums it up:

Endpoints are getting compromised, and their credentials get stolen. Then they become an insider threat.

Another statement from the show is very remarkable:

Most of the attacks exploit vulnerabilities which were already known, sometimes for more than a year.

This statement makes clear that we need entirely new provisioning and patching concepts, or sophisticated whitelisting methods, to lock down the end-user systems. Applying e.g. just all Flash Player patches to thousands of computers is a nightmare, and extremely expensive.

Enjoy the show… and have a good weekend.

Bypassing protection measures by direct upload of malicious content to OneDrive/Office 365

9 August 2015

I am happy about every email with malicious content or attachment, in particular if I find the mail in my inbox. Sounds strange, but it’s important to analyze the attackers’ technology in order to develop proper protection strategies.

Last Wednesday I spent an hour analyzing an obviously malicious email attachment. Outlook blocked access to the attachment without any error message. Therefore I logged in to my outlook.com account and opened the email:

Malicious Mail in Outlook.com

A click on Download as zip resulted in the following error message:

The file “Automatische Lastschrift konnte nicht vorgenommen werden 05.08.2015.zip” is infected with an unknown virus, so it isn’t safe to download.

Perfect! This explains the strange behavior of Outlook. But saving to OneDrive surprisingly works.

Malicious Mail Save to OneDrive

Some minutes later I uploaded the zip archive to VirusTotal and found that the malware was already known under the name Trojan:Win32/Bulta!rfn. For more details please see below.

When I extracted the nested zip-archive to my local hard disk the endpoint protection system correctly identified the program, blocked access and took the predefined action.

What happened? The attackers used a standard technique (malware in nested zip archives) to deliver their payload. The Outlook client and outlook.com both blocked downloading the payload because they identified a suspicious attachment.

But all protection could be bypassed by uploading the file to OneDrive. When OneDrive or Office 365 is used as a collaboration platform with suppliers and partners, an attacker could easily use this bypass to distribute malicious content across companies. In particular for zero day exploits this may become a serious problem.

For protection against the download of malicious content from cloud services we have to change our endpoint protection strategy. The anti-malware systems on the surf proxy will not recognize the malicious objects because the data stream is encrypted (https protocol used). Even if the surf proxy breaks SSL, it is very likely that zero day exploits, and even already known viruses, are not identified. The same holds for the endpoint protection systems on the end-users’ desktops.

But the first line of defense, the cloud provider, has the most important task. Bypassing protection by uploading malicious objects to the cloud storage is not acceptable. This strange behavior should be corrected as soon as possible. From the above we know that this is an easy task, because the system had already identified the attachment as malware.

Have a good week!


VirusTotal results: 2015-08-06 20:21:06 UTC

Detection rate: 23 / 55

AntiVirus  Result (empty if not detected)  Last Update
Avast Win32:Malware-gen 20150806
Microsoft Trojan:Win32/Bulta!rfn 20150806
Ikarus Trojan.Win32.Crypt 20150806
Arcabit Trojan.Mikey.D538C 20150806
DrWeb Trojan.Inject1.62743 20150806
TrendMicro TROJ_KR.2B7B2BF7 20150806
TrendMicro-HouseCall TROJ_KR.2B7B2BF7 20150806
Avira TR/Crypt.Xpack.248161 20150806
Rising PE:Trojan.Win32.Generic.18EBC66C!418104940 20150731
Sophos Mal/Generic-S 20150806
AVG Generic_r.FOY 20150806
Panda Generic Suspicious 20150806
Emsisoft Gen:Variant.Mikey.21388 (B) 20150806
Ad-Aware Gen:Variant.Mikey.21388 20150806
BitDefender Gen:Variant.Mikey.21388 20150806
F-Secure Gen:Variant.Mikey.21388 20150806
GData Gen:Variant.Mikey.21388 20150806
MicroWorld-eScan Gen:Variant.Mikey.21388 20150806
McAfee-GW-Edition BehavesLike.Ransom.lc 20150806
Kaspersky Backdoor.Win32.Androm.humu 20150806
Symantec Backdoor.Matsnu 20150806
McAfee Artemis!B65DB4920F67 20150806
ESET-NOD32 a variant of Win32/Kryptik.DSND 20150806
ALYac 20150806
AVware 20150806
AegisLab 20150806
Agnitum 20150806
AhnLab-V3 20150806
Alibaba 20150803
Antiy-AVL 20150806
Baidu-International 20150806
Bkav 20150806
ByteHero 20150806
CAT-QuickHeal 20150806
ClamAV 20150806
Comodo 20150806
Cyren 20150806
F-Prot 20150806
Fortinet 20150804
Jiangmin 20150804
K7AntiVirus 20150806
K7GW 20150806
Kingsoft 20150806
Malwarebytes 20150806
NANO-Antivirus 20150806
Qihoo-360 20150806
SUPERAntiSpyware 20150806
Tencent 20150806
TheHacker 20150805
VBA32 20150806
VIPRE 20150806
ViRobot 20150806
Zillya 20150806
Zoner 20150806
nProtect 20150806