
Report: Attackers hide in plain sight using data-sharing apps

The Palo Alto Networks 2014 Application Usage and Threat Report found that attackers are hiding in plain sight in corporate networks, masking potentially harmful threats with existing applications and adding new twists to old exploits.

Analyzing network traffic assessments from more than 5,500 organizations globally, researchers at the California-based security firm found that code execution exploits delivered across common sharing applications accounted for 19 percent of the threats they observed. While common sharing applications represented 27 percent of all apps and accounted for 32 percent of all threats, Palo Alto Networks noted that the threat activity was “disproportionately low” at around five percent.

“The low activity is an example of attackers gaining access (attack delivery) through the front door (email) but leaving through an alternative door (User Datagram Protocol),” Matt Keil, senior research analyst, Palo Alto Networks, told SCMagazine.com in Thursday email correspondence. Attackers often infect a system using one application, like email, but use a different method, like UDP, to command their malware or exfiltrate data, Keil explained.

Commonly used data-sharing applications, like email, IM and social media apps, are "all great delivery mechanisms but not well-suited for command and control of a botnet," he said.

A small number of applications seem to generate the most action, researchers found, with 94 percent of the vulnerability exploit logs observed being found in just 10 applications (among 539 apps observed by Palo Alto).

The Smoke.Loader botnet controller, which enables remote management of endpoints, generated a lot of activity in many of the applications, including social media apps Facebook and Twitter.

Once installed, Smoke.Loader allows the download and installation of other malware, the installation of files based on the geographical location of the infected system, the theft of passwords and the disabling of antivirus programs. It can also help an attacker's traffic skirt IP-based authentication systems, the report found.

While it comes as no surprise that malware creators manipulate “malware executables” to get around threat prevention measures, the report noted that they are getting quite adept at modifying and customizing their communications. A clear case in point – the “heavy” use of UDP. Of the 66 botnets the analysts detected, a good number used the protocol for their command and control channels. In fact, analysis shows that “99 percent of malware logs were found in UDP; the majority of which were generated by a single threat.”

The ZeroAccess botnet spun out the most malware activity. The report said it not only generates spam e-mails and click fraud against online advertisers but also taps computer resources to solve hash challenges in an attempt to generate Bitcoins.

Pointing out that UDP “is connectionless, and often the packets simply contain parts of a compressed video or audio stream,” Keil said "it's harder to evaluate than TCP connections, which have more structure.” Because it's “found on every network as one of the foundational applications,” it is often overlooked or ignored, he said. “Finally, it's more difficult to write IPS signatures that detect malicious UDP traffic, but that doesn't mean we can simply ignore it. Identifying the source and purpose of all traffic – known and unknown – then systematically managing that traffic is an important part of securing a network.”

More alarming is the revelation that a growing number of applications transmit over encrypted channels. Of the 539 applications observed, 34 percent are able to use SSL, leading the report's authors to ask whether SSL is being used as a privacy function or an evasion tactic, whether organizations know how many and which apps can use SSL, and how confident companies are that they're free of malicious activity.

Calling SSL “a double-edged sword,” Keil noted that the protocol is integral in securing transactions because it “encrypts traffic between systems to prevent eavesdroppers from stealing sensitive data.” To inspect encrypted traffic for exploits, malware and other undesirable content, however, it must be decrypted, something that many organizations have been hesitant to do because it raises privacy issues. Still, it is “possible to selectively decrypt traffic to address these concerns,” Keil said. The first step, though, he explained, is determining “what applications are using SSL, then selectively decrypt the questionable applications, documenting policies and educating users.”

A string of high-profile security breaches has caught the attention of senior management, making it easier for security professionals to get the ear of upper management, Keil said.

“A common sentiment from smaller companies and certain industries has been that they have nothing attackers want to steal, so they aren't a target. After Target was breached by attackers who got in by compromising a small HVAC service company, nobody can make that argument with a straight face. Everybody is somebody's target, and companies can no longer afford to ignore that.”
