Setting up and managing security controls requires a layered operational model that is applied across many diverse areas of your corporate ecosystem topology. Given the breadth of complexity most modern IT integrated systems contain, small teams can be easily overwhelmed. Down at the application layers of security, it is not uncommon for business-required software to contain a mix of defects and functionality that conflict with standard security policies, albeit for necessity. Due to the complexity found within the software space, flaws in the user applications and the underlying operating systems can create unexpected vulnerabilities. These vulnerabilities, if not addressed, can leave your system exposed to a significant number of threats.
Vulnerabilities are not always simple programming errors, as they can sometimes be normal operational functions that work for their intended purpose within an application but can also be repurposed for more nefarious activities. Below are a few basic categories of vulnerabilities.
Type 1: Core Application Vulnerabilities
This approach takes advantage of a standard corporate package installer that runs with admin rights and leaves open a ReadMe.txt file when done. The left open ReadMe.txt instance can be used by the end-user to get administrative rights. We won’t tell you how exactly, but it can be done with very little wizardry. When the user’s system was rebooted or a process reset the user’s rights, they could just run the installation package software again, lather, rinse, repeat as necessary.
What you can do: To exploit this flaw, it requires the exploit actor to have access to the remaining application instance post-install on the desktop. Administrators should make sure that any process instances left for the user to interact with after an installation should not be launched as the Administrator user or a user with higher rights than the end-user.
Type 2: Image, Flash and PDF Malware
Some bugs do not even require the user to do more than visit a webpage that contains the corrupted content – executables embedded in images, flash, videos and PDFs that are designed to exploit user applications with known defects. Document formats include metadata headers for information and fields that denote the length of different sections of data within the file. Using invalid values in one or more of these fields (negative numbers or other special invalid inputs) can cause the document processor to misbehave. Once it is known that an application reacts poorly, but predictably to invalid input data, a handcrafted exploit document can take advantage of the defect and compromise a user’s machine. Depending on the exploit and the access level of the user, the damage could be quite significant.
What you can do: End-users should always be cautious when opening a file via the web, especially from unknown sources. Additionally, it is important to always keep applications as up to date as possible. Each vendor publishes information on known exploits against the application and works to remove them as quickly as possible. Multiple image file formats (PDF, JPEG and Flash) are commonly used as file types to compromise end-user systems.
Type 3: Open-Source Package Hijacks
Over the last several years, hackers have been found hijacking open-source hosting packages and embedding credential sniffers and other malware into otherwise very useful common libraries. Often the compromise goes unnoticed for days or weeks before it’s caught, and then subsequently undone. If your company had downloaded a version with the malware in it and is not updating package versions very often, it’s possible the company may have internal credentials or other company data being exfiltrated outside the network. In most production environments, updates and patches do not happen quickly and therefore this problem can become a big issue. Patches can introduce unexpected side effects and slow the acceptance pace.
What you can do: Protecting yourselves against package hacks requires developers to make sure they are getting what they expect and nothing extra, but vigilance is a must. Looking for odd URL requests and filtering at the firewall must be done in a sandbox environment before accepting any new packages to check for possible exfiltration attempts by compromised packages. Put a control policy in place for updating software and uninstalling unused software and what versions are acceptable. Due to the inherent requirements of development and the tools used, developers often have escalated rights, unlike normal users. This means developers need to be more careful and deliberate about their actions in an enterprise environment.
Type 4: Zero-Day Attacks
Zero-day attacks are quite problematic because the software flaw is unknown to the vendor and therefore has yet to be analyzed and corrected, meaning there may already be an exploit in the wild and no way to track the impacted.
Let’s look at a real world zero-day example. While logging all the activity of online processes, Entity A found a system to be launching cmd.exe shells in the background after retrieving online documents. An investigation found it was an unknown exploit trying to gain access to the OS. Because the user had limited access rights, the attack was not able to get access to the OS, but had the user had local administrative rights the application would have then attempted to download and install a ransomware program. This ransomware program is known to attempt to propagate further via the user’s email program to maximize the ransom it can generate meanwhile threatening to erase everything encrypted after a specific date, making it a very difficult situation for an entity that is compromised.
What you can do: It's hard to protect against zero-day attacks. Put a control policy in place for updating software and uninstalling unused software. While new updates can include new exploitable vulnerabilities, it’s safer to always have the latest software installed as developers are working hard to correct past issues. Monitoring one of the many software defects and exploit websites will help in notifying your team of issues when they become known or some new behavior is being seen but not understood. All software packages should be monitored for unexpected activity. Keep user access rights as limited as possible for day-to-day activities and force separate login accounts for more administrative type work.
In Conclusion – Stay Alert and Informed
The threats are real and could ruin a business. Security is complex and constantly evolving. Cybercriminals use a lot of different tools to exploit software vulnerabilities; there is even a black market for malware toolkits to be reused by other outfits, often with profit-sharing plans. Planning and staying informed of the threats are a good way to try and stay ahead of the situation, but beware, as it is an arms race.
Companies of all sizes are perpetually at risk and need to maintain and evolve a plan to defend against these bad actors. Keeping informed on trade journals and social media outlets, like LinkedIn, Twitter and Slack, can help but is no means a comprehensive answer. Organizations like Internet Storm Center, CyberWire, AlienValut, FireHOL, Google and Microsoft publish updates on known activity as it is being diagnosed but collecting and filtering what applies to your business is a challenge.
Additionally, one should consider local networking avenues to interact with other groups facing similar challenges so that the collective can share what activity is currently being experienced by the different members. Firms should also consider hiring outside help that specializes in cybersecurity, as with most complex subjects, look for experts in the area who can supplement your security efforts.
At Veritas Total Solutions, we help educate clients and design architectures to help prevent cybersecurity attacks. We offer a range of technology solutions across the business spectrum. If you are interested in learning more about our specific capabilities, contact us or subscribe to our blog to stay connected.