Beware of the new malware that can’t clean its tracks

A new malware compromise identified last week was using malware officially signed and provided by its software manufacturer for public download by millions of people. It’s a move that threw many organisations in a state of worry.

The Cisco Talos research team has disclosed its investigation into a popular software utility, CCleaner, which had been compromised and disseminated to more than two million users. Suddenly, a widely used software application was found to have contained malicious code. The code would be downloaded and further execute additional untrusted and unverified applications.

We are no longer defending solely against unknown applications. We are defending against our blind trust in digital signatures and prevalent applications – applications that gain inherent trust in our minds and in our existing computer protection systems and signatures.

As coffee flows and teams assemble to assess the scope and damage from these events, we should focus on how many organisations find themselves in this reactive position. Network defenders are typically faced with an unending number of threats against their environment through various types of attacks.

While general defences can be applied to protect against drive-by malware or attacks via email attachments, organisations are continually on the hunt for advanced threats using unknown or uncommon techniques. This vigilance is both technically and emotionally draining on blue teams, who are busy plugging a thousand holes in the dam.

In light of the number of threats facing an organisation, many teams begin to rank attack vectors and what the response should be. Each vector is identified, assessed, and prioritised based upon the prevalence of attacks, the ease to respond to them, and the critical damage they could bring.

Due to their wide use and high success rate, attacks via email are often heavily monitored for unusual quantities (thousands of similar emails over a short time period) or unusual attachments. On the opposing end of the spectrum, trained threat hunters continually monitor web server logs and endpoint artefacts to find unusual behaviour across the environment in real time.

The near-constant gap in this analysis, as seen by Carbon Black’s Threat Analysis Unit (TAU), is the lack of focus on potentially unwanted programs (PUPs). Numerous applications are found within environments that have no business use and are not beneficial to the organisation, but are still allowed as they are deemed benign and useful to a few.

These applications range from user-installed browser plugins to applications that monitor a local system for necessary updates. The issue worsens as such programs issue software updates frequently. A new update every few months can attract an analysis to spend a few minutes to review the program and ensure that it is still safe.

New updates every two weeks, or every month, can exhaust the attention of defenders until they eventually turn a blind eye to offending applications. The end result is that as soon as malicious activity does occur, it is easily dismissed as just a fluke artefact of a program that’s been allowed for years.

Carbon Black’s research team identified similar attacks early in 2017, and Red Canary reported events just prior, when an investigation showed an adversary within the Ask Partner Network (APN) signing malware with an authentic digital signature and pushing it to customers as software updates.

That event was very similar. A long-allowed browser plug-in obtained a regular update that immediately downloaded malware for remote attacks. Adversaries were then able to quickly act and try to take control of the system and steal information before they were eventually blocked by automated endpoint defences.

The now-famous Petya/NotPetya malware was identified as potentially originating from a software update to a very specific application, MeDoc. Numerous research teams found artefacts that suggest an adversary was able to gain control of this update channel to send NotPetya to targeted systems which, in turn, would infect systems around them using the EternalBlue vulnerability.

Supply chain attacks

Earlier this year, RSA Research identified a supply chain attack using very similar activity. Named KingSlayer, an adversary leveraged the update channel of a legitimate application used by network administrators to troubleshoot servers. Upon downloading malware signed by the company, these servers immediately began infecting themselves and giving control to the adversary.

There are no easy methods of preventing these styles of attack. As adversaries hijack official channels and often use trusted digital signatures, their presence tends to fly under the radar until a compromised system starts exhibiting unusual behaviour. At that point the security team is already in a post-compromise incident response and not a proactive threat-hunting mode.

With attacks leveraging software such as CCleaner, effective defences must be designed to overcome a large amount of trust and bias. There are many static indicators to suggest that these malicious files are legitimate: digitally signed, contained appropriate metadata, downloaded from legitimate website, released on their standard schedule, performed all expected functionality.

However, the malicious intent is only realistically uncovered through its eventual behaviour on the endpoint. Behavioural detection is poised to address this aberrant activity by detailed event stream processing: correctly inferring malicious intent based on how an executable differs from its norm.

While this new attack highlights the dangers of trusted applications being exploited, the only novelty is in the attack vector used. Security operations with a proper baseline of their endpoints, combined with active and ongoing monitoring, could quickly identify the malicious behaviour as it was occurring, regardless of its origin.

Understanding what is normal in an environment and being able to quickly identify and remediate abnormalities is the goal that all security teams should strive to reach. With that knowledge there will be few threats with the ability to clean up after themselves.