Guest blog by Pedro Bustamante, director of special projects at Malwarebytes.
The world of enterprise security has changed significantly. Today's CISOs and CIOs live in a suspicious world, acutely aware of the threat to their enterprise from advanced attacks which often use highly evolved new methods. It now pays dividends for those in charge of IT security to question everything.
One area where this is increasingly true is with the vulnerabilities in the applications being used in the enterprise on a daily basis. Today’s advanced attacker typically researches their prey with hawkish intensity, building up a picture of which software is used, and using this intelligence to target applications with customised exploits. Due to their success rate and stealth factor, these threats are increasingly in vogue amongst specialist teams looking to breach large organisations, and some interesting trends are beginning to emerge.
Firstly, malicious actors are now pouring more energy than ever before into developing zero-day exploits, because an exploit for a vulnerability with no patch has a very high infection success rate. Previously, this was a relatively niche area of focus. Now, however, with a growing knowledge base and improving techniques, zero-day vulnerabilities are being found more and more frequently.
Traditionally, these zero-days targeted the expected applications such as Internet Explorer, Acrobat Reader and Java but, as those have hit the headlines and attracted hardening effort, malicious actors are switching to developing zero-days for applications such as Flash Player and Silverlight. This wider spread to less obvious applications increases their chances of success.
Another development in the way exploits work which is set to cause big problems is the file-less exploit. These ghostly threats compromise the host system without ever writing a malicious file to disk: the payload is injected directly into an exploitable application and run entirely from memory. For all intents and purposes, nothing malicious exists on the 'compromised' system's disk; the only evidence lives in the memory of a trusted process. This is a hugely powerful way of bypassing traditional security solutions, which largely rely on detecting an executable file, and it means that defenders have to look at process memory rather than the file system to find it.
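A concrete check for the memory-only artefact described above, added here as an illustration and not code from the original post or from Malwarebytes: on Linux, every mapping a process holds is listed in /proc/<pid>/maps with its permissions and backing file, so injected code that never touched disk shows up as an executable region with no backing file, or as a mapping of a file that was unlinked after loading. The maps listing embedded below is constructed for the example (the process name, addresses and inode numbers are invented), and the function names are this example's own.

```python
"""
Added example, not code from the original post: a small check for code that
exists only in process memory, the artefact a file-less exploit leaves behind.

On Linux every mapping a process holds is listed in /proc/<pid>/maps with its
permissions and backing file. Injected code that was never written to disk
shows up as an executable region with no backing file (inode 0 and no path),
or as a file that was unlinked after being mapped (memfd: / "(deleted)").
A scanner that only inspects files on disk never sees either. The maps
listing below is constructed for this example; it is not from a real incident.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Layout of one /proc/<pid>/maps line:
# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Kernel-provided executable mappings that legitimately have no backing file.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]", "[vectors]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # tolerate blank or unexpected lines
        mappings.append(Mapping(
            start=int(m.group("start"), 16),
            end=int(m.group("end"), 16),
            perms=m.group("perms"),
            inode=int(m.group("inode")),
            path=m.group("path").strip(),
        ))
    return mappings


def find_memory_only_code(mappings: Iterable[Mapping]) -> List[Mapping]:
    """Return executable mappings that no on-disk file accounts for.

    Two heuristics: anonymous executable memory (inode 0 with no path, or the
    [heap]/[stack] pseudo-paths) and executable mappings of files that have
    been unlinked, which is how memfd_create-style loaders appear. JIT engines
    and some packers also produce the first kind, so treat a hit as a lead for
    a memory dump, not as a verdict.
    """
    hits = []
    for m in mappings:
        if "x" not in m.perms or m.path in KERNEL_PSEUDO:
            continue
        anonymous = m.inode == 0 and m.path in ("", "[heap]", "[stack]")
        unlinked = m.path.startswith("/memfd:") or m.path.endswith("(deleted)")
        if anonymous or unlinked:
            hits.append(m)
    return hits


def scan_pid(pid: int) -> List[Mapping]:
    """Apply the check to a live process (needs permission to read its maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_memory_only_code(parse_maps(fh.read()))


# Constructed sample: an otherwise benign process carrying an injected rwx
# region and a payload loaded from an unlinked memfd. Names and numbers are
# invented for the example.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310722                  /usr/bin/victim
00651000-00652000 r--p 00051000 08:01 1310722                  /usr/bin/victim
00652000-00653000 rw-p 00052000 08:01 1310722                  /usr/bin/victim
01a2e000-01a4f000 rw-p 00000000 00:00 0                        [heap]
7f3c1c000000-7f3c1c021000 rw-p 00000000 00:00 0
7f3c20d00000-7f3c20d10000 rwxp 00000000 00:00 0
7f3c21000000-7f3c211c0000 r-xp 00000000 08:01 1048593          /lib/x86_64-linux-gnu/libc-2.19.so
7f3c21400000-7f3c21402000 r-xp 00000000 00:05 10245            /memfd:payload (deleted)
7ffd2e3e0000-7ffd2e401000 rw-p 00000000 00:00 0                [stack]
7ffd2e4f4000-7ffd2e4f6000 r-xp 00000000 00:00 0                [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0        [vsyscall]
"""

if __name__ == "__main__":
    for hit in find_memory_only_code(parse_maps(SAMPLE_MAPS)):
        label = hit.path or "<anonymous>"
        print(f"{hit.start:#x}-{hit.end:#x} {hit.perms} {hit.size:>7} bytes  {label}")
```

Run against the constructed sample, the check reports exactly two regions: the anonymous rwxp mapping and the unlinked memfd payload, while the file-backed binary and libraries, the vDSO and the non-executable heap and stack pass. On a real host, `scan_pid` is the entry point, and anything it flags is worth dumping and inspecting rather than blocking outright, since legitimate JIT compilers produce anonymous executable memory too.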
Another attack class in the exploit category is the sandbox escape, otherwise known as the application behaviour exploit. These attacks have been gaining prominence as an attack vector against high-profile organisations, including the recent Sandworm attacks on NATO, and have also been used successfully against SCADA (supervisory control and data acquisition) systems.
By taking advantage of flaws in software design, rather than memory-corruption bugs, to bypass sandboxes, an attacker can effectively force trusted applications to do their bidding, installing and executing malicious code with the application's own privileges. Whilst this type of attack is still in its formative stages, the profile of recent attacks and the difficulty of creating countermeasures mean that its rise into mainstream use is almost a certainty.
Finally, the most advanced exploit, and the one that provides the most control over the host, is the kernel-level exploit. These gained prominence with the now infamous kernel vulnerability used by Duqu, and have been quietly developing ever since. Due to the complex technical nature of delivery and the depth of exploitation, these attacks require a huge amount of research and development, currently limiting them to highly specialised teams.
Once used, however, their effectiveness is incomparable. Kernel-level access grants the attacker free rein, and is very hard to detect from user mode, because the attacker now runs at the same privilege level as the security software itself; short of specialised exploit protection, little stands in the way.
The development of exploits as a way to target large organisations almost entirely unseen is coming of age, and the techniques listed above are only some of the more recently developed attack vectors. It is almost certain that new and unknown exploits for as yet unheard-of vulnerabilities are currently under development. Those in charge of the security of large organisations are right to be paranoid, because if they don't watch their applications closely it's almost certain that someone else is.