Operation Arachnophobia: An Introduction

We recently had the opportunity to collaborate with ThreatConnect’s Intelligence Research Team (TCIRT) to conduct follow-up reporting on threat group activity that appears to originate from Pakistan. The TCIRT originally reported on this activity in August 2013 in their “Where There is Smoke, There is Fire” blog post. This post covered a threat group using malware and apparent lures that would be effective against Indian targets: an Indian Government Ministry of Defense pension memorandum and an apparent lure related to Sarabjit Singh, an Indian national who died in a Pakistani prison last year.

Our collaboration with ThreatConnect centered on technical analysis of the BITTERBUG malware family and other technical characteristics of the activity. ThreatConnect provided deep analysis of open source data to highlight interesting persona and organizational details. FireEye Labs analysts have also been tracking this group’s activities – identifying and tracking their custom malware family that we call BITTERBUG and their command and control (C2) servers.

The report was released today, assessing new information on this group and identifying new factors that draw further suspicion toward Pakistan as the probable point of origin. From the earliest BITTERBUG samples to its latest variants, we have observed a move away from specific debug paths to new, generic ones, a change that occurred after TCIRT’s original blog post.

The group appears to have remained active after the TCIRT blog post, using new BITTERBUG malware variants with the more-generic embedded file paths. During this same timeframe, we observed these variants packaged with various support components and using lures related to the December 2013 arrest of Indian diplomat Devyani Khobragade in the United States and the March 2014 disappearance of Malaysia Airlines flight 370 (cast in these ‘lure’ emails as a Pakistan-related hijacking). Though BITTERBUG deployment methods remained similar throughout, we also observed new deployment behaviors following the August blog post.
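The debug paths mentioned above are the PDB paths that the compiler embeds in a PE’s CodeView debug record; tracking them across samples is how a change from a developer-specific path to a generic one becomes visible. The following is an added example, not FireEye’s or ThreatConnect’s code, showing how to pull those records out of raw bytes and classify them. The two sample blobs, the GUIDs, the ages and the paths in them are constructed for this example and are not the paths observed in BITTERBUG; the “generic versus specific” rule (a path naming a user profile directory counts as specific) is an assumption chosen for illustration.

```python
import re
import struct
import uuid

# CodeView PDB 7.0 ("RSDS") record as emitted by MSVC into a PE's debug
# directory: 4-byte signature, 16-byte GUID, 32-bit little-endian age counter,
# then the NUL-terminated ANSI path to the .pdb on the developer's machine.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,512})\x00", re.DOTALL)

# Assumption for this example: a path that names a user profile directory is
# "specific" (it leaks the developer's environment); anything else is "generic".
SPECIFIC_MARKERS = ("\\users\\", "\\documents and settings\\", "/home/")


def extract_pdb_records(blob):
    """Return (guid, age, path) for every RSDS record found in raw bytes."""
    records = []
    for m in RSDS_RE.finditer(blob):
        guid = str(uuid.UUID(bytes_le=m.group(1)))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("latin-1")
        records.append((guid, age, path))
    return records


def is_generic_path(path):
    """True when the path carries no user-profile component (see SPECIFIC_MARKERS)."""
    lowered = path.lower()
    return not any(marker in lowered for marker in SPECIFIC_MARKERS)


def build_rsds(guid, age, path):
    """Assemble an RSDS record; used here only to construct example input."""
    return (b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + path.encode("latin-1") + b"\x00")


# Constructed stand-ins for two binaries (invented GUIDs, ages and paths;
# not BITTERBUG artefacts). A real file would be read with open(p, "rb").
OLD_SAMPLE = (b"MZ" + b"\x00" * 62
              + build_rsds(uuid.UUID(int=1), 2,
                           "C:\\Users\\dev\\Documents\\proj\\Release\\agent.pdb")
              + b"\x00" * 16)
NEW_SAMPLE = (b"MZ" + b"\x00" * 62
              + build_rsds(uuid.UUID(int=2), 5, "C:\\agent.pdb")
              + b"\x00" * 16)


def classify(blob):
    """Map each embedded PDB path to 'generic' or 'specific'."""
    return [(path, "generic" if is_generic_path(path) else "specific")
            for _, _, path in extract_pdb_records(blob)]


if __name__ == "__main__":
    for name, blob in (("old", OLD_SAMPLE), ("new", NEW_SAMPLE)):
        print(name, extract_pdb_records(blob), classify(blob))
```

The regex approach works on packed or corrupted files where a proper PE parser would fail, at the cost of occasionally matching a stray “RSDS” in data; when the PE headers are intact, reading the IMAGE_DEBUG_DIRECTORY entry of type 2 (CODEVIEW) gives the record’s exact offset instead.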

We encourage you to read the new paper here http://www.threatconnect.com/arachnophobia.

Real-World Tests, Real-World Results: Are You Building Another Maginot Line?

Today we are releasing “Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model.” The report is a first-of-its-kind analysis of real-world data spanning more than 1,217 organizations in 65 countries across more than 20 industries. It reveals a deeply flawed defense-in-depth model, at least as it’s commonly deployed. In short, most of today’s top-selling security tools fail to protect 97 percent of the organizations that deploy them.

The only true test of a product is in a real-world setting. Our data comes from organizations testing FireEye network and email appliances, but not yet fully protected by the FireEye platform. Because FireEye sits behind all conventional security defenses, the tests provide a unique vantage point to observe other security layers in action.

In other words, any threats observed by FireEye in these tests have passed through all of an organization’s other security layers.

We call this state of affairs the new Maginot Line. That’s because it reminds us of France’s famed 940-mile string of deep-earth bunker fortresses, anti-tank obstacles, and barbed-wire entanglements built to fend off Germany in the run-up to World War II.

It was expensive and futile. Germany sidestepped the line using a novel blitzkrieg-style attack through Belgium. The French military, which had diverted much of its budget to the line, could not mount an effective defense.

Today, many organizations face a similar problem. They spend billions of dollars every year on defense-in-depth IT security architecture. And attackers are easily stepping around them.

As our report shows, it doesn’t matter what types of signature-based firewall, intrusion prevention system (IPS), Web gateway, sandbox, and endpoint systems make up your Maginot Line. Attackers are circumventing them all.

So what should organizations do? For one, they need a new approach to securing their IT assets. For many, that means reducing waste on redundant, backward-looking technology and redeploying those resources on defenses designed to find and stop today’s advanced attacks.

Operation Saffron Rose

There is evolution and development underway within Iran-based hacker groups that coincides with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities. The capabilities of threat actors operating from Iran have traditionally been considered limited, focused on politically motivated website defacement and DDoS attacks.

Our team has published a report that documents the activities of an Iran-based group, known as the Ajax Security Team, which has been targeting both US defense companies as well as those in Iran who are using popular anti-censorship tools to bypass Internet censorship controls in the country.

This group, which has its roots in popular Iranian hacker forums such as Ashiyane and Shabgard, has engaged in website defacements since 2010. However, by 2014, this group had transitioned to malware-based espionage, using a methodology consistent with other advanced persistent threats in this region.

It is unclear if the Ajax Security Team operates in isolation or if they are a part of a larger coordinated effort. We have observed this group leverage varied social engineering tactics as a means to lure their targets into infecting themselves with malware. They use malware tools that do not appear to be publicly available. Although we have not observed the use of exploits as a means to infect victims, members of the Ajax Security Team have previously used exploit code in web site defacement operations.

The objectives of this group are consistent with Iran’s efforts at controlling political dissent and expanding offensive cyber capabilities, but we believe that members of the group may also be dabbling in traditional cybercrime. This indicates that there is a considerable grey area between the cyber espionage capabilities of Iran’s hacker groups and any direct Iranian government or military involvement.

Although the Ajax Security Team’s capabilities remain unclear, we believe that their current operations have been somewhat successful. We assess that if these actors continue the current pace of their operations they will improve their capabilities in the mid-term.

To view a full version of the report on “Operation Saffron Rose,” please visit: https://www.fireeyesolution.com/resources/pdfs/fireeye-operation-saffron-rose.pdf.

Ghost-Hunting With Anti-Virus

In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions stopped only 5 percent of all malware identified. Few reports in the security industry have been as polarizing as this one; many reacted with white-knuckle rage. It was a classic case of Clayton Christensen’s “The Innovator’s Dilemma,” where old-school technologies cling to life in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray by “declaring anti-virus dead” in the Wall Street Journal.

At FireEye, we look at hundreds of malware samples daily, and, in a recent talk at RSA Conference, Zheng Bu, vice president of research at FireEye, presented some interesting data that security teams should consider as they think about their AV initiatives. Looking at nearly half a million malware samples over two years, our researchers discovered that the average lifespan of a piece of malware is very short. The chart below plots how many hours a sample lives (X axis) against the share of the total pool of malware samples (Y axis) to show just how quickly they disappear:

[Figure: malware lifespan in hours (X axis) versus share of the malware sample pool (Y axis)]

Our data shows an interesting picture: most malware remains active for no more than two hours when FireEye is detecting it. To be precise, our analysis showed that in 2013:

  • 82 percent of malware disappears after one hour
  • 70 percent of malware only exists once

With the half-life of malware this short, the function that signature-based AV serves has become more akin to ghost hunting than to threat detection and prevention. In spite of this, IDC’s “Worldwide IT Security Products 2013 – 2017 Forecast” found that the market for endpoint security products like anti-virus generates $11 billion in revenue, even as APT activity produces nearly fifty unique malware infections every day.

In AV Land, Everyone Is a Sacrificial Lamb

Today’s AV model makes everyone a sacrificial lamb. In the past, malware writers would write their attack code once, with little need to iterate. Today, as our numbers show, rapidly iterating malware has become the de facto way of hacking.

A simple comparison of the malware writing process versus anti-virus signature development shows a stark contrast.

First, let’s look at the malware development process:

[Figure: the malware development process, from development through QA against current AV signatures, release, and detection]

Malware is developed, QA’d against the latest AV signatures, released, and once it is picked up by AV sensors and shared among vendors—the malware dies. The process takes a few days at most.

By contrast, anti-virus vendors work in a process that takes a few days to a few weeks.

[Figure: the anti-virus signature development process, from sample collection through signature QA and distribution]

Examining the two “supply chains,” you quickly see why anti-virus is inherently behind the curve, doomed to chasing ghosts. By the time signatures have been built from collected samples and pushed through QA, those samples are more or less defunct, except in the rare case where the core code of the malware could not be modified. Over the years, AV vendors have increased the frequency of signature updates to convey the benefits of eventual detection. However, applying frequent security updates to thousands of business-critical computer assets in medium- to large-sized organizations is already a growing challenge, especially where many assets, such as laptops, are mobile. Ultimately, more frequent updates do not close the days to weeks that collecting new malware samples can take, which is why security solutions, like FireEye’s, that do not rely on such a reactive model detect malware faster.
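The two claims above, that most samples are seen once or vanish within an hour, and that a signature built days later can only ever match a sample that has already died, are both questions you can put directly to detection telemetry. The following is an added example, not FireEye’s analysis code, that computes the “seen once” and “gone within one hour” shares from a sighting log and then asks, for a given signature lag, what share of samples had stopped appearing before a signature derived from their first sighting could have reached endpoints. The log is constructed for this example (ten made-up sample identifiers), so the percentages it yields are illustrative and are not the 82 and 70 percent figures reported above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sighting log for illustration (not FireEye telemetry).
# One line per detection: "<ISO-8601 timestamp>,<sample identifier>".
SIGHTINGS = """
2013-03-01T09:00:00,sample01
2013-03-01T09:05:00,sample02
2013-03-01T09:10:00,sample03
2013-03-01T09:15:00,sample04
2013-03-01T09:20:00,sample05
2013-03-01T09:00:00,sample06
2013-03-01T09:30:00,sample06
2013-03-01T09:00:00,sample07
2013-03-01T09:50:00,sample07
2013-03-01T09:00:00,sample08
2013-03-01T12:00:00,sample08
2013-03-01T09:00:00,sample09
2013-03-02T09:00:00,sample09
2013-03-01T09:00:00,sample10
2013-03-10T09:00:00,sample10
"""


def parse_sightings(text):
    """Group detection timestamps by sample identifier."""
    by_sample = defaultdict(list)
    for line in text.strip().splitlines():
        ts, sample = line.split(",")
        by_sample[sample].append(datetime.fromisoformat(ts))
    return dict(by_sample)


def lifespan(times):
    """Observed lifespan of a sample: last sighting minus first sighting."""
    return max(times) - min(times)


def lifespan_stats(by_sample, window=timedelta(hours=1)):
    """Share of samples seen exactly once, and share whose whole observed
    lifetime fits inside `window` (the 'disappears after one hour' figure)."""
    n = len(by_sample)
    seen_once = sum(1 for t in by_sample.values() if len(t) == 1)
    gone = sum(1 for t in by_sample.values() if lifespan(t) <= window)
    return {
        "samples": n,
        "seen_once_pct": 100.0 * seen_once / n,
        "gone_within_window_pct": 100.0 * gone / n,
    }


def dead_before_signature_pct(by_sample, lag_days):
    """Share of samples whose last sighting precedes the moment a signature
    written from their first sighting would arrive, `lag_days` later. Such a
    signature can only ever match a sample that is no longer circulating."""
    lag = timedelta(days=lag_days)
    dead = sum(1 for t in by_sample.values() if max(t) < min(t) + lag)
    return 100.0 * dead / len(by_sample)


if __name__ == "__main__":
    data = parse_sightings(SIGHTINGS)
    print(lifespan_stats(data))
    for days in (1, 3, 14):
        print(f"{days}-day signature lag: "
              f"{dead_before_signature_pct(data, days):.0f}% of samples already gone")
```

On real telemetry the sample identifier should be a content hash of the file as delivered; an identifier that survives repacking (an import hash, a section hash or a behavioral cluster) will report longer lifespans and is the more honest measure of whether a family, rather than one build of it, has died.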

To be clear, single-iteration malware will persist, and a minor need for AV will remain to provide a layer of reactive protection against these unsophisticated, commodity threats. But with high-profile breaches occurring frequently, driven by fast-moving, advanced threats, it is clear that next-generation technologies and approaches are needed. Even Gartner has noted the senescence of anti-virus in two very recent reports. Notably, in the Magic Quadrant for Endpoint Protection Platforms (i.e., anti-virus), the opening sentences of the “Market Overview” state:

The rise of the targeted attack is shredding what is left of the [endpoint] anti-malware market’s stubborn commitment to reactive protection techniques. Improving the malware signature distribution system, or adapting behavior detection [in endpoint solutions] to account for the latest attack styles, will not improve the effectiveness rates against targeted attacks. (From 8 January 2014).

So, what should we do as an industry, knowing that AV is ineffective today based on these findings? We recommend:

  • Accepting that the signature-based AV model cannot play a key part in enterprises’ threat-prevention models, and shifting security strategies to modern methods that identify malware at the time of attack rather than after it has died.
  • Reconfiguring compliance mandates to place much less emphasis on AV and other reactive, signature-based approaches. Once regulators and compliance mandates make it easier to adopt innovation, we’ll finally make life a little harder for the attackers.

In doing this, we will be able to protect ourselves not from the ghosts that we imagine are haunting our homes, but from the burglars and malware that truly steal our possessions and erode our foundations.