Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security

  /     /     /  
Publicated : 22/11/2024   Category : security


Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security


IDS/IPS, firewalls, Web application firewalls are among at-risk devices for technique that lets attackers sneak inside



CERT-Finland has reported a newly discovered technique that evades network and security devices -- namely IDS/IPS systems, but it could also work against network firewalls and Web application firewalls -- and lets attackers sneak in and conduct targeted attacks against an enterprise network.
The threat, which was discovered by researchers at Stonesofts Helsinki labs, is based on vulnerabilities inherent in several vendors IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly.
Jussi Eronen, head of vulnerability coordination at CERT-FI, which first issued an alert on the threat on Oct. 4, will update its
vulnerability alert
on the threat today.
Stonesoft says the attack method takes advantage of how TCP/IP handles packets. It takes advantage of the fact that the TCP protocol allows conservative creation of packets, but liberal receiving of packets, says Matt McKinley, director of U.S. product management at Stonesoft. There are predictable, limited ways you can evade an IPS ... packets can only be created in a few ways. We came up with a way to create packets that dont conform to rules and confuse IPSes in ways that conventional methods cannot do.
McKinley says it lets the attacker work his way inside the network without being noticed. Its a way to knock at the door until something lets you in because theres no way to detect it. It continues to knock until something lets it in, he says. When the packet then makes it to the host, the host is designed to look only at the things its interested in and ignore all else ... its end to end delivery [of a malicious payload].
McKinley says the attack could also work against other network security devices, including firewalls. It would likely be used to spread a network worm akin to the Stuxnet attack or some other targeted attack, he says. Its a way to deliver [a worm] into a network and cause any kind of harm you want, McKinley says.
How difficult would it be to pull off this attack? Thats the creepy part. The impact of this is fairly simple. We feel its well within the means of motivated hackers to do it. This is not particularly complicated, McKinley says.
ICSA Labs has verified the attack and is also sounding the alarm about the risk to enterprises. Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, says it could take some time for network security vendors to add protection for this attack to their products, thus leaving enterprises at risk until those patches become available. IDS/IPSes, firewalls, next-generation firewalls, and Web application firewalls are most at risk of this evasion technique, he says.
Walsh says the evasion technique itself basically gives attackers a foot in the door to do their dirty work, and it can affect more than just TCP/IP protocols. Its only after the evasion is coupled with an attack that they exploit some vulnerability, Walsh says. The weakness that the evasions take advantage of are in the protocols, but the affected protocols arent limited to TCP/IP. Some evasions affect higher layer application protocols as well.
And protocols arent the only thing vulnerable to this evasion technique, he says. The standards defining the protocols suggest a certain amount of permissiveness between sending and receiving systems to ease interoperability and communication. Our need for systems to be interoperable and our need for communication between systems to be as easy as possible allow these evasions to work, Walsh says.
Once inside, attackers can compromise data and steal information from enterprises, he says. And its even possible they have been using this method already, unbeknown to victim organizations. Given that these evasions have always existed, criminals could be using them already. If they are in use, then there would be little evidence of it, Walsh says.
Some vendors might need to rearchitect their products to fix this, while others might have to patch or build in protections, Walsh says.
Meanwhile, CERT-Finlands Eronen wouldnt provide details of the products known to be affected thus far or their weaknesses that allow for the attack since coordination among the vendors is still under way.
If [targeted] networks have systems that are for some reason left unpatched -- legacy systems, no supported patches available, compliance does not allow for any system modification, just to name a few possible reasons -- and IDS/IPS systems are employed as virtual patches, then these systems are particularly vulnerable to attacks using evasion techniques, he says.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security