Next-Generation Threats: The Inside Story

Published: 22/11/2024   Category: security




Cutting-edge attacks like Stuxnet and Zeus will be the everyday security challenges of tomorrow. Here's what you need to know.




Wicked Innovation
When Iranian President Mahmoud Ahmadinejad announced in November that the nation's nuclear program had been hit by a software attack, he confirmed what many security researchers suspected: that Stuxnet had struck, modifying key systems that controlled the motors of the centrifuges used to process uranium.
Ahmadinejad downplayed the attack's impact, but security researchers think the damage is far more extensive than he let on. A steady increase in Iranian traffic to Web sites dealing with securing industrial control systems indicates that the country's IT experts are searching for an answer to a persistent threat, says Eric Byres, CTO and co-founder of Tofino Industrial Solutions, which secures manufacturing and control systems.
There's no way that the Iranians cleaned it up, says Byres. Wiping Stuxnet from one machine is easy, he says, but on a network, it's a living hell, because it's aggressive and it spreads in so many different ways.
Stuxnet, which was first identified in July, exploits four previously unknown vulnerabilities, spreading via USB memory sticks and network shares. It infects Windows systems used to manage industrial control systems, overwriting embedded controllers to sabotage those systems.
Welcome to the future of network security, where today's most sophisticated and successful attacks will be everyday challenges. Cybercriminals are likely to try to duplicate Stuxnet's ability to persist in a network and hide in embedded devices. And it's inevitable that they'll try to copy techniques used in other attacks--Zeus's skill at manipulating browser sessions and Conficker's resistance to being shut down, for example.
Attackers also are changing how they operate, adopting new ways to develop and disseminate attacks. Cyberespionage operations increasingly leverage social networks to find easy targets. With Operation Aurora, for instance, attackers suspected of being from China used social networks to identify employees at Google and other companies and then sent them targeted e-mails aimed at infecting key computers at those companies.
In addition, software developer communities are supporting sophisticated plug-and-play malware like the Zeus banking Trojan. Dynamically generated domains, à la Conficker, will make it even more difficult to take down botnet command-and-control networks.
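Dynamically generated domains turn command-and-control from a takedown problem into a detection problem, so here is an added defender-side heuristic (not code from the article) that scores the second-level label of each queried domain on character entropy, vowel ratio and consonant runs, run over constructed resolver log lines; the log format, the thresholds and the host names are assumptions. A long legitimate word such as informationweek scores on entropy alone, which is why two signals are required before a query is flagged.

```python
import math
import re
from collections import Counter

# Constructed DNS resolver log lines (not from the article); the format is assumed.
SAMPLE_LOG = """\
2024-11-22T10:00:01 host01 query: www.example.com A
2024-11-22T10:00:02 host01 query: mail.google.com A
2024-11-22T10:00:03 host07 query: qxzvkprtmwbh.info A
2024-11-22T10:00:04 host03 query: informationweek.com A
2024-11-22T10:00:05 host07 query: aqzwcgjp.org A
"""

QUERY_RE = re.compile(r"^(\S+) (\S+) query: (\S+) \S+$")

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def longest_consonant_run(s: str) -> int:
    return max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)

def dga_score(domain: str) -> int:
    """Heuristic 0-3 score for the second-level label; assumes a one-label TLD."""
    labels = domain.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    letters = re.sub(r"[^a-z]", "", sld)
    if len(letters) < 6:
        return 0  # too short to judge on these signals alone
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters)
    score = 0
    score += int(shannon_entropy(letters) >= 3.0)   # many distinct characters
    score += int(vowel_ratio < 0.25)                # unpronounceable
    score += int(longest_consonant_run(letters) >= 5)
    return score

def flag_dga_queries(log: str, threshold: int = 2) -> list[tuple[str, str, int]]:
    """Return (client, domain, score) for queries scoring at or above threshold."""
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        _, client, domain = m.groups()
        score = dga_score(domain)
        if score >= threshold:
            hits.append((client, domain, score))
    return hits
```

In practice the score is a triage signal to combine with query volume and NXDOMAIN rates per client, not a verdict on its own.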
Stuxnet's Legacy
In the end, Stuxnet's impact on the Iranian nuclear program may be far less than its long-term impact on the type of cyberattacks we'll have to deal with in the future. With Stuxnet, it's become less about attacks on industries like financial and power, and more about in-the-weeds attacks, says Dean Turner, director of Symantec's Global Intelligence Network. Stuxnet was targeted at the details--the frequency component of a motor.
Security experts have long warned that embedded control systems are vulnerable. In 2007, Department of Energy tests showed that embedded systems attacks could take control of a power company's generator and cause it to self-destruct. Most factories are also controlled by embedded systems and programmable logic controllers.
Until Stuxnet, the danger was theoretical. Now anyone who gets their hands on the code has a blueprint for attacking embedded systems. And the code has spread widely, infecting computers worldwide. Stuxnet has provided a crash course in writing programmable logic controller code, says Tofino's Byres. It's only a matter of time before we start seeing all sorts of specialty worms going after control systems.
Lock Down For Coming Threats
DON'T JUST COMPLY: Security controls required by law are seldom sufficient.
GO BROAD: Technology isn't the whole story; pay attention to policy and implementation.
SECURE MOBILE USERS: All those new devices are putting your data at risk.
PARSE YOUR DATA: Identify your most valuable information and focus your efforts there.
SCRUTINIZE EVERYTHING: All components of your digital and physical systems are now at risk.
Embedded systems typically link physical and digital systems, so when attackers take control of them, they also get control of critical systems. In addition, code can be hidden in embedded systems, allowing attacks to persist and making it difficult to clean them up.
Private companies aren't likely to remain unscathed by Stuxnet for long, says Jon Ramsey, CTO of managed security provider SecureWorks. He points to Operation Aurora as the first of the most sophisticated attacks to hit a private company. With Aurora, the attackers are saying, Why not go after the industrial base … large corporations that have a lot of intellectual property, that are highly competitive in global markets, Ramsey says.
Attacker Specialization
Knowledge about these advanced attacks and the techniques they use is spreading rapidly. A major reason is that attackers have created an infrastructure of chat rooms, forums, drop boxes, and technical publications that support and expand their operations. There, they share ideas and develop areas of expertise. One group helps members hone their skills in attacking popular software. Another develops exploits to plug into popular malware. Others focus on growing and maintaining botnets to steal data.
Zeus is a prime example of this specialization. The banking Trojan, which spreads via phishing and drive-by download attacks from legitimate sites, has an ecosystem of underground programmers who create spam campaign templates that plug into Zeus and exploit kits that capitalize on specific vulnerabilities. Criminals can buy one exploit kit to attack computers running Mozilla's Firefox and another to attack Adobe Acrobat vulnerabilities. Zeus's openness has driven its popularity and dramatic increases in functionality. More than 90,000 variants of it now exist, according to Symantec.
Zeus's development infrastructure lets users do more for less money, says Symantec's Turner. That's part of a trend whereby cybercriminals are becoming more efficient, optimizing their operations to get the maximum value from each compromise. Some advanced malware will remove competing and inefficient programs from the systems they infect, and even go so far as to patch those systems in order to get the most out of infected machines, says Brian Contos, director of global security strategy and risk management at McAfee. The malware uses a single computer for multiple crimes, such as stealing data and capturing log-on credentials. Unsuspecting victims end up benefiting, too, since their machines--albeit infected--run better, Contos says.
Attackers also are using automation to increase efficiency. Rather than attack every Internet address in the world, they focus on ones known to belong to computers that use specific vulnerable software, such as WordPress and other popular blogging platforms. Spammers buy out-of-the-box spam campaigns. And bot operators use Web interfaces to monitor and control their networks of compromised systems.
Driving all this innovation in cyberattack software development, support, and infrastructure is money. Rather than sharing techniques, many cybercriminals are becoming more secretive, treating their code and approaches as intellectual property.
It used to be you could go to a conference like DEF CON and people would share tools, Contos says. Not any more. Instead, they're busy developing zero-day threats, he says, because they want to make money.
Just-In-Time Attacks
Changes in how cybercriminals operate have made another type of attack--cyberprotests--easier to organize and execute. Recent denial-of-service attacks against MasterCard's, Visa's, and Amazon.com's sites, in retaliation for their refusals to do business with WikiLeaks, also offer a look at the future of cybercrime.
While cyberprotests and denial-of-service attacks aren't new, the technology to support them is getting better and the tools more sophisticated--a trend that will continue. For example, the WikiLeaks attacks, conducted by a group known as Anonymous, used a program called the Low Orbit Ion Cannon, or LOIC. It lets any protester input an IP address and join an attack against the targeted network or system.
Three factors are contributing to the effectiveness of distributed denial-of-service attacks, says Earl Zmijewski, VP and general manager of Internet security firm Renesys. First, the systems being attacked have more bandwidth than ever before, so attackers need to compromise fewer of them to have significant impact on a target. Second, many users continue to run old software, making it easier for attackers to take over their computers and make them part of a botnet. Third, there's still no easy fix for DoS attacks. Content distribution networks can help, but the most effective defense is to use a specialized network that filters out malicious traffic before it gets to the target's servers.
Because of those three factors, botnet operators wield enormous power. Conficker, for example, compromised 6.4 million systems, giving it an aggregate bandwidth of 28 TB per second, says McAfee's Contos. That's more than Amazon and Google combined--that's massive, he says.
Threats are inserting themselves between the user and the Internet. These man-in-the-browser attacks--widely used by the Zeus banking Trojan--let attackers control what users see. A user banking on a Zeus-infected computer is led to believe he's sending his utility company $100 but, instead, $7,000 is being sent to an account in another state owned by a member of a cybercriminal network. When the user confirms the transaction, he sees only a $100 debit, while the bank receives a request to transfer the $7,000.
You never know you're defrauded until you look at it from a physical branch, says Amit Klein, CTO at banking security firm Trusteer. Other malware used this technique first, but with Zeus, it's becoming much more widespread.
Zeus and other threats are circumventing protections aimed at eliminating bank fraud, such as two-factor authentication. Because the attack is done in real time and from the victim's PC, conventional protection fails.
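The $100-versus-$7,000 case above, as an added model that is not from the article: a one-time password tied only to the login challenge is forwarded unchanged by a man-in-the-browser and the bank accepts the altered transfer, whereas a code computed on a separate device over the destination and amount the user actually typed fails when the bank recomputes it over the request it received. The shared device secret, the account identifiers and the code length are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed model, not code from the article: a transfer as the user typed
# it versus the transfer the bank actually receives after browser-side tampering.
@dataclass(frozen=True)
class Transfer:
    destination: str      # account identifier, a constructed sample value
    amount_cents: int

# Assumption: the bank and the user's separate device (phone app or hardware
# token) share a per-user secret provisioned at enrolment.
DEVICE_SECRET = secrets.token_bytes(32)

def unbound_otp(nonce: bytes) -> str:
    """Plain one-time password: depends on the challenge only, not the transfer."""
    return hmac.new(DEVICE_SECRET, nonce, hashlib.sha256).hexdigest()[:6]

def bound_code(nonce: bytes, t: Transfer) -> str:
    """Transaction-bound code: destination and amount are inside the MAC."""
    msg = nonce + f"|{t.destination}|{t.amount_cents}".encode()
    return hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()[:6]

def bank_accepts_unbound(nonce: bytes, code: str) -> bool:
    # The bank can only check the code against the challenge it issued.
    return hmac.compare_digest(unbound_otp(nonce), code)

def bank_accepts_bound(received: Transfer, nonce: bytes, code: str) -> bool:
    # The bank recomputes the code over the transfer it actually received.
    return hmac.compare_digest(bound_code(nonce, received), code)

def simulate(intended: Transfer, received: Transfer) -> dict[str, bool]:
    """The user's device computes codes from `intended`; the browser forwards
    them with `received`, which a man-in-the-browser may have rewritten."""
    nonce = secrets.token_bytes(16)
    typed_otp = unbound_otp(nonce)             # user reads this off the device
    typed_bound = bound_code(nonce, intended)  # device shows amount/destination
    return {
        "unbound_otp_accepted": bank_accepts_unbound(nonce, typed_otp),
        "bound_code_accepted": bank_accepts_bound(received, nonce, typed_bound),
    }

if __name__ == "__main__":
    user_typed = Transfer("UTILITY-001", 10_000)      # $100 to the utility
    bank_got = Transfer("MULE-ACCT-42", 700_000)      # $7,000, as in the article
    print(simulate(user_typed, bank_got))
```

The bound scheme only helps if the device shows the user the amount and destination it is signing, so the user notices when the browser's confirmation page and the device disagree.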
Better Defenses
Many companies assume it's enough just to comply with the security controls required by law. But compliance doesn't cut it. Advanced threats will circumvent well-known security requirements, SecureWorks' Ramsey says. If everybody has the same technology and controls, then the criminals are going to modify their attacks to subvert those types of defenses, he says.
It was the Federal Deposit Insurance Corp.'s mandate that banks use two-factor authentication and encryption that spurred criminals to develop Zeus to circumvent those protections. Malvertising--online ads that send users who click on them to malicious sites--is another example of attackers circumventing defenses. These attacks avoid firewalls by coming in over the Web. It's the No. 1 attack vector that companies see, according to SecureWorks.
Conventional defenses, such as antivirus software, haven't fared well against sophisticated attacks, says Trusteer's Klein. Stuxnet may have circulated for more than a year before it was detected. Zeus regularly dodges signature-based defenses.
Companies need well-rounded defenses, not just technology, says Symantec's Turner. We have to start talking about how we share information online, and how we use things, he says. Policy and implementation are as critical as the technology itself.
Protecting the perimeter is key, but even that's getting more complicated as mobile consumer devices like iPads and iPhones find their way into businesses. As the line between personal and business devices blurs, Turner says, we've increased the number of touch points that our confidential or business data has.
Companies must identify their most valuable assets as well as potential threats. They need to understand the threats, what they're going to target, and how they're going to target it, SecureWorks' Ramsey says.
Companies also must determine how many users and systems can access critical information, and what's worth protecting. They must implement a data classification system to identify their most valuable intellectual property and focus security dollars and people on that data, Turner says. Businesses have a much better chance of protecting a small subset of their data than trying to protect all of it equally.
IT managers also can no longer ignore components on their networks that aren't computers and routers. Security researchers have shown that printers, which increasingly resemble small servers, can be used as a beachhead into corporate networks, and Stuxnet is weaseling its way in via embedded controllers.
We have to start thinking about different pieces of technology, Turner says. Valves are an engineer's purview, and networks are the domain of an IT guy, and we have to get them speaking the same language.
Companies also must focus on better detection and response. Network anomaly detection as well as intelligence services can identify attacks that have successfully found a beachhead in the corporate network, says Ramsey. But detection isn't a good defense against these attacks. It's cheaper to keep them out than it is to clean them up, and the longer they're in, the more expensive it becomes to take control back of your IT systems, he says.
And that's even more important when looking at the sophisticated attacks that will be everyday fare in the future. As Stuxnet has taught us, these programs persist longer and do more damage than ever. Ultimately, defenders must evolve their defenses to stay a step ahead of the bad guys.
Sidebar: Is 2011 The Year Of The Mac Attack?
This year may be the one when cybercriminals turn their attention to the Mac, a platform they've pretty much left untouched. Several articles in the Russian hacker magazine Xakep have focused on attacking Mac OS X, suggesting that eastern European hackers may be developing attacks, says Steve Santorelli, a former Scotland Yard detective and director of global outreach for security research group Team Cymru Research.
Because of the dearth of threats, most Mac users don't run anti-malware programs. If someone comes out with a browser exploit pack next year, we're going to see a lot of people get infected, Santorelli says. So you may end up having a Zeus for OS X.
Apple's strict control of the Mac, simpler code, and better security model make it more secure than Windows. But OS X isn't fundamentally a more secure operating system than Windows 7, according to Santorelli. The reason there's only a small amount of OS X malware is because the application base is so much smaller.
In 2008, computer scientist Adam O'Donnell used game theory to calculate that malware would start to be a problem for OS X when Macs accounted for about 17% of the computer installed base. Macs now comprise about 11.5% of the U.S. installed base and about 5% worldwide, according to NetMarketshare.com.
Signs of interest from the criminal underground suggest that Apple users should beware. In October, a version of the Koobface virus, which spreads among Facebook users, targeted OS X users. The attack exploits vulnerabilities in Java software on the Mac to turn it into a command-and-control server for a botnet. --Robert Lemos
