3 Changes in Crimeware You Can Count On

Crimeware is becoming a significant threat to most organizations. The capability and dependence on crimeware as an attack model is growing. With that in mind, here are 3 things that the folks at MSI think you will see in the next year or two with crimeware:

1. Cross platform crimeware will grow. Attackers will continue to embrace the model of malware that runs everywhere. They will focus on developing tools capable of attacking systems regardless of operating system and will likely include mobile device platform capability as well. They have embraced modern development capabilities and will extend their performance even further in the coming years.

2. Specialized crimeware will continue to evolve. Organized criminals will continue to develop malware capable of focusing in on specific business processes, keying on specific types of data and attacking specific hardware that they know is used in areas they wish to compromise. Whether their targets are general data, ATM hardware, check scanners or the smart grid, the days of crimeware being confined to desktop user PCs are over. The new breed knows how ACH works, can alter firmware and is capable of deeper compromise of specific processes.

3. Crimeware will get better at displacing the attack timeline. Many folks consider malware to be symmetric with time. That is, they see it as being operational continually across the event horizon of a security incident. However, this is not always true and attackers are likely to grow their capability in this area in the coming years. Modern malware will be very capable of making its initial compromise, then sitting and waiting to avoid detection or waiting for the right vulnerability/exploit to be discovered, etc. The attacks from the next generations will have a much longer tail and will come in a series of waves and lulls, making detection more difficult and extending the time window of control for the attackers.

MSI believes that organizations need to be aware of these threats and ideas. They must get better at detecting initial stage compromises and begin to focus on closing the window of opportunity attackers now have once they get a foothold (in most cases days to months). Prevention is becoming increasingly difficult, and while it should not be abandoned, more resources should be shifted into developing the capability to detect incidents and respond to them.

OpenSSL Vulnerability

A new security issue in OpenSSL should be on the radar of your security team. While Stunnel and Apache are NOT affected, many other packages appear to be. The issue allows denial of service and possibly remote code execution.

Patches for OpenSSL and many packages that use it are starting to roll in. Check with your favorite vendor on the issue for more information. The CVE is CVE-2010-3864.

HoneyPoint users who leverage black hole defenses should ensure that they have exposed port 443/tcp honeypoints and have dilated other common ports for their applications that might be vulnerable. Internal HoneyPoint users should already have these ports deployed, but if not, now is a good time to ensure that you have HoneyPoint coverage for any internal applications that might be using OpenSSL. Detecting scans and probes across the environment for this issue is highly suggested given the high number of impacted applications and platforms.

If you have any questions about this issue or the proper HoneyPoint deployment to detect probes and scans for it, please give us a call or drop us a line. We will be happy to discuss it and assist you.

Keep Your Eyes on This Adobe 0-Day

A new Adobe exploit has been circulating via Flash movies for the last day or so. It looks like the vulnerability is present across many Adobe products and can be exploited on Android, Linux, Windows and OS X.

Here is a link to the Dark Reading article about the issue.

You can also find the Adobe official alert here.

As this matures and evolves and gets patched, it is a good time to double check your patching process for workstation and server 3rd party software. At this point, that should be a regular patching process like your ongoing operating system patches. If not, then it is time to make it so.

Users of HoneyPoint Wasp should be able to easily detect any systems compromised via this attack vector using the whitelisting detection mechanism. Keep a closer than usual eye out for suspicious new processes running on workstations until the organization has applied the patch across the workstation environment.

SAMBA Vuln Could Be Dangerous

If you are not already looking at the newest SAMBA issue, you should be paying attention. It is a stack-based buffer overflow, exploitable remotely without credentials. The Metasploit folks are already hard at work on an exploit and some versions are rumored to be floating about the underground.

The vulnerability exists in OS X, Linux and a variety of appliance platforms using the core SAMBA code. Updates are starting to roll into the primary distributions and OS images. Ubuntu, for example, already has a fixed version available.

You can read the SAMBA folks' release here for more information.

Likely, wide scale exploitation is on the horizon and malware/worm development is also predicted for this particular issue.

In terms of actions, begin to understand where SAMBA is used in your environment, reduce your attack surfaces as much as possible, implement the patches where available and increase your vigilance on SAMBA-utilizing systems/processes.

Keep your eyes on this one. With this also being a fairly heavy/serious Microsoft patch day, your security team and admins might be focused on other things. You don’t want this one to slip through the cracks.

Excellent Source for Metrics on PHP RFI

My friend Eric has put up some excellent statistics and metrics on PHP RFI attacks against his honeynet. This is some excellent data. If you have read other stuff we have pointed to from Eric, then you know what to expect. But, if you are interested in a real world look at trends and metrics around PHP exposures, give this a few moments of your time.

You can find the interface and metrics set here.

Check it out, I think you’ll be impressed. Thanks, as always, to Eric and other folks in the honeypot community for all of their hard work, time and attention.

If you have some honeypot metrics to share, drop a comment below! As always, thanks for reading!

Another Good Reason to Increase Internal Security

Well, the much anticipated 2010 Verizon Data Breach Investigations Report is out, and once again it is an eye-opener! Let me say what a boon these reports are to the infosec community! Verizon and their team are to be praised and congratulated for all their hard work. These reports really help us keep current so we can protect our information from the right threats in the right ways. I know it’s not a large scale study, but I do feel it gives us good indications of trends and threats in the industry.

This particular threat report mainly gives us the data breach picture for 2009. It was compiled from nearly 900 actual incidents and includes a lot of input from the U.S. Secret Service this year. One of the surprising results of this particular report was the 26% increase in data breaches from insiders. It seems that organized cybercriminals are promising money to insiders with access to administrator level credentials. Unfortunately for these naïve inside individuals, it is proving very easy for the authorities to catch them. Also, it seems, the cybercriminals are usually not even paying them as promised! Despite these facts, it is evidently fairly easy to find plenty of insiders that are willing to sell their credentials. Go figure!

There are several ways to help counter the insider threat. The easiest thing you can do right off the bat is to ensure that those with high level access to the system don’t use the same credentials for their administrator and user accounts. You’d be amazed at what a common practice this is! All cybercriminals have to do is bust a few user level accounts and there is a VERY good chance that they will then be able to gain administrator level access. Administrator level passwords should be long, strong and ONLY used for administration purposes.
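One way to enforce the two rules above (no shared credentials between a person's user and admin accounts, and a long admin password) at password-set time, as an added example that is not part of the original post. It assumes a store of salted PBKDF2 hashes and an assumed minimum length of 16; the post gives no number.

```python
import hashlib
import hmac
import os

# Hashing parameters for this example (assumed; not a statement about any product).
ITERATIONS = 200_000
MIN_ADMIN_LEN = 16  # assumed policy value for "long and strong"; the post gives no number


def make_record(password: str) -> dict:
    """Store a salted PBKDF2-HMAC-SHA256 hash, as a password store would."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def check_admin_password(candidate: str, user_record: dict) -> list:
    """Return the policy violations for a proposed admin password (empty list = accepted).

    The only stored secret for the paired user account is its salted hash, so
    reuse is detected by verifying the candidate against that hash, the same
    way a login would, rather than by comparing plaintext.
    """
    problems = []
    if len(candidate) < MIN_ADMIN_LEN:
        problems.append(f"shorter than {MIN_ADMIN_LEN} characters")
    if verify(candidate, user_record):
        problems.append("identical to the paired user-account password")
    return problems


if __name__ == "__main__":
    # Constructed sample: one person's user account and two proposed admin passwords.
    user = make_record("Winter2010!Winter2010!")
    print(check_admin_password("Winter2010!Winter2010!", user))  # reuse is rejected
    print(check_admin_password("correct-horse-battery-staple-42", user))  # accepted
```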

Another very effective method to counter the insider threat is to use true multi-part authentication mechanisms for administrative level access to the system; especially with very effective mechanisms such as tokens. Employing this practice means that cyber criminals not only have to steal credentials, they also have to get their hands on a token. And even if they do, it only gives them a short time to act; admin tokens are usually missed very quickly. There is also the option to employ biometrics. These can be problematic, but are improving all the time. And effective and reliable biometrics are even harder to overcome than token use.

You might say that good passwords, biometrics, and tokens won’t keep actual system and database administrators from selling out to the bad guys, which is true. However, there are other mechanisms available that can prevent lone bad-actors from compromising the system. One effective practice is management monitoring of high level access. If, every day, managers are looking at who accesses what and when, then the difficulty of stealing or corrupting data goes WAY up! Also, there are applications out there that can send out alerts when high level access is underway.

Another method, and a tried and true one, is the use of dual controls. If it takes two individuals to access systems, then cybercriminals have to corrupt two individuals and it becomes even easier for the authorities to figure out who the rats are. I don’t recommend this control except for very high value assets. The downside is that it’s a hassle to implement. There ALWAYS have to be at least two individuals available at all times or access becomes impossible. There are vacations, lunches and breaks to consider, and what happens in true emergencies such as floods, snow storms and the like? But this is a control that has been in use since long before computer systems were in place and it has proven to be very reliable.

These certainly aren’t all of the controls available to help counter the inside threat. I’m sure that you can come up with some others if you give it a little thought. But, used individually or, even better, in combination, they should go a long way in protecting your data from the bad guys within!

Fighting Second Stage Compromises

Right now, most organizations are fighting a losing battle against initial stage compromises. Malware, bots and client side attacks are eating many security programs alive. The security team is having a nearly impossible time keeping up with the onslaught and end-user systems are falling left and right in many organizations. Worse, security teams that are focused on traditional perimeter security postures and the idea of “keeping the bad guys outside the walls” are likely unaware that these threats are already active inside their networks.

There are a number of ways that second stage compromises occur. Usually, a compromised mobile device or system comes into the environment via remote access, VPN or by being hand carried in by an employee or consultant. These systems, along with systems that have been exploited by client-side vulnerabilities in the day to day network represent the initial stage compromise. The machines are already under attacker control and the data on these machines should already be considered as compromised.

However, attackers are not content with these machines and their data load. In most cases, they want to use the initial stage victims to compromise additional workstations and servers in whatever environment or environments they can ride those systems into. This threat is the “second stage compromise”. The attackers use the initial stage victims as “pivot points” or bots to attack other systems and networks that are visible from their initial victim.

Commonly, the attacker will install bot-net software capable of scanning other systems and exploiting a few key vulnerabilities and bad passwords. These flaws are all too common and are likely to get the attacker quite a bit of success. The attacker then commands the bot victim to scan on new connections or at designated times, thus spreading the attacker’s presence and leading to deeper and deeper compromise of systems and data.

This pattern can be combated in a number of ways. Obviously, organizations can fight the initial stage compromise. Headway has been made in many organizations, but the majority are still falling quite short when it comes to protecting against the growing, diverse set of attack vectors that the bot herders and cyber-criminals use. Every day, the attackers get more and more sophisticated in their campaigns, targeting and approach. That said, what can we do if we can’t prevent such attacks? Perhaps, if we can’t prevent them easily, we can strengthen our defenses in other ways. Here are a couple of ideas:

One approach is to begin to embrace enclave computing. This is network and system trust segregation at the core. It is an approach whereby organizations build their trust models carefully, allowing for initial stage compromises and being focused on minimizing the damage that an attacker can do with a compromised workstation. While you can’t prevent compromise, the goal is to create enough defensive posture to give your team time to detect, isolate and respond to the attack. You can read more about this approach in our 80/20 rule of Information Security.

A second idea is to use HoneyPoint decoy hosts on network segments where exposures and initial stage compromise risks are high. These decoy hosts should be dropped where they can be easily scanned and probed by infected hosts. VPN segments, user segments, DMZs and other high exposure areas are likely candidates for the decoy placement. The idea is that the systems are designed to receive the scans. They offer up services that are fake and implemented just for this purpose. The decoy systems have no other use and purpose than to detect scans and probes, making any interaction with them suspicious or malicious. Decoy services, called HoneyPoints, can also be implemented on the servers and other systems present in these network segments. Each deployed HoneyPoint Agent ups the odds of catching bots and other tools deployed by the attacker in the initial stage compromise.

Both of these strategies can be combined and leveraged for even more defense in depth against initial stage compromises. If you would like to learn more about how these tools and techniques can help, drop us a line or give us a call. We would be happy to discuss them with you.

In the meantime, take a look at how your team is prepared to fight initial stage compromises. What you find may be interesting, especially if your team’s security focus has been on the firewall and other perimeter controls.

HoneyPoint Decoy Host Pays Off

Just talked to a client who had dropped a HoneyPoint decoy host in their VPN termination segment a couple of weeks ago. Yesterday, it paid off.

They caught a machine that had passed the anti-virus and patching requirements of the NAC for the VPN. The machine was AV scanned clean. But, immediately upon connection the machine began to port probe hosts around it. This triggered the decoy machine’s HoneyPoints, causing the security team to investigate. The machine was brought in and examined. Closer inspection found it infected with a bot tool that escaped AV detection, but was capable of scanning for bad passwords and a couple of common vulns on surrounding machines. The machine is currently being imaged and rebuilt.

This is an excellent example of how HoneyPoint can help catch bots and malware, even when other controls fail. Defense in depth pays off and the leverage that HoneyPoint provides is often quite powerful, as in this case.
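The two signals described above, any contact with a decoy host (from the second stage compromise post) and a freshly connected host sweeping its neighbours (from this one), expressed as detection logic over constructed connection-log lines. This is an added example, not HoneyPoint code; the log format, the decoy address and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines (not real data): VPN client 10.8.0.23 lands on
# the segment and immediately sweeps its neighbours, including the decoy host
# 10.8.0.250; 10.8.0.31 is a normal client talking to the file server.
SAMPLE_LOG = """\
2010-11-18T09:00:00 src=10.8.0.31 dst=10.8.0.5 dport=445
2010-11-18T09:00:03 src=10.8.0.23 dst=10.8.0.5 dport=445
2010-11-18T09:00:04 src=10.8.0.23 dst=10.8.0.6 dport=445
2010-11-18T09:00:04 src=10.8.0.23 dst=10.8.0.7 dport=22
2010-11-18T09:00:05 src=10.8.0.23 dst=10.8.0.250 dport=445
2010-11-18T09:00:06 src=10.8.0.23 dst=10.8.0.8 dport=3389
2010-11-18T09:05:00 src=10.8.0.31 dst=10.8.0.5 dport=445
"""

DECOY_HOSTS = {"10.8.0.250"}  # constructed decoy address (assumed)

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines in the assumed key=value shape."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected shape
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_suspects(lines, decoy_hosts, window_seconds=60, distinct_threshold=4):
    """Return {source: [reasons]} for sources that deserve investigation."""
    reasons = defaultdict(list)
    first_seen, targets = {}, defaultdict(set)
    for ts, src, dst, dport in parse(lines):
        if dst in decoy_hosts:
            # The decoy has no legitimate use, so a single touch is enough.
            reasons[src].append(f"contacted decoy {dst}:{dport}")
        first_seen.setdefault(src, ts)
        # Count distinct (host, port) targets in the window after first appearance.
        if (ts - first_seen[src]).total_seconds() <= window_seconds:
            targets[src].add((dst, dport))
    for src, seen in targets.items():
        if len(seen) >= distinct_threshold:
            reasons[src].append(f"{len(seen)} distinct targets within {window_seconds}s")
    return dict(reasons)
```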

Have you thought about using decoy hosts? If so, how?

Catching PHP RFI Infected Hosts with Log Greps

I posted details here along with a current list of PHP RFI drop hosts that are being used to compromise web servers with vulnerable code.

You can use the list along with grep/regex to scan your outbound web/firewall/proxy logs for web servers that are likely infected with bot code from the scanners using these sites.

The link to the list and such is here: http://hurl.ws/cf5s
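The outbound-log scan described above, done in Python instead of grep so the hostname matching is explicit (ports, case and paths normalised away). This is an added example, not the post's own tooling; the drop hosts and the Squid-style log lines are constructed placeholders, not the real list linked above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed placeholder drop hosts (the post's real list is linked above).
DROP_HOSTS = {"drop-host-a.example", "drop-host-b.example"}

# Constructed Squid-style proxy log lines: web servers 10.0.5.10 and 10.0.5.11
# fetch content outbound; only 10.0.5.10 reaches drop hosts.
SAMPLE_LOG = """\
1289865600.101    212 10.0.5.10 TCP_MISS/200 2310 GET http://drop-host-a.example/bot.txt? - DIRECT/203.0.113.9 text/plain
1289865601.404     80 10.0.5.11 TCP_MISS/200 9000 GET http://updates.example.net/list.xml - DIRECT/203.0.113.20 text/xml
1289865602.220    190 10.0.5.10 TCP_MISS/200 1800 GET http://DROP-HOST-B.example:8080/id.txt?cmd=1 - DIRECT/203.0.113.10 text/plain
1289865603.000     50 10.0.5.12 TCP_DENIED/403 0 CONNECT mail.example.org:443 - HIER_NONE/- -
"""

# Client address is the third field; the first absolute URL comes later on the line.
CLIENT_RE = re.compile(r"^\S+\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s")
URL_RE = re.compile(r"\bhttps?://\S+")


def outbound_host(url: str) -> str:
    """Normalise a URL to a bare lower-case hostname (port, path and query dropped)."""
    return (urlsplit(url).hostname or "").lower()


def find_rfi_callbacks(lines, drop_hosts):
    """Map internal client -> set of drop hosts it contacted (likely infected servers)."""
    hits = defaultdict(set)
    wanted = {h.lower() for h in drop_hosts}
    for line in lines:
        client = CLIENT_RE.match(line)
        url = URL_RE.search(line)
        if not client or not url:
            continue  # CONNECT tunnels and malformed lines carry no absolute URL
        host = outbound_host(url.group(0))
        if host in wanted:
            hits[client.group(1)].add(host)
    return dict(hits)
```

Feed it your own drop-host list and outbound proxy or firewall logs; any internal web server that appears in the result is a candidate for the same investigation the post describes.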

This data was entirely generated using captured events from the last several weeks by the HoneyPoint Internet Threat Monitoring Environment (#HITME). You can find more information about HoneyPoint here.

If you would like to learn more about PHP RFI attacks, please feel free to drop me a line, check out @lbhuston on Twitter and/or give my RFI presentation slides a look here. If you would like to schedule a presentation or webinar for your group on PHP RFI, HoneyPoint or PHP/web application security testing, please give us a call at 614-351-1237 x206.

As always, we appreciate your reading State of Security and we hope you make powerful use of the information here.