Of the many WikiLeaks dumps in recent memory, none is as potentially harmful to businesses as the release of “Vault 7,” the CIA’s digital arsenal for infiltration and intelligence gathering. The data dump, which occurred this March, has since been on endpoint security researchers’ radar.
Not long after Vault 7’s release, researchers became privy to a different bombshell called BrickerBot malware, which causes irreparable damage to Internet of Things devices. While the two incidents are in no way related, they both point to a shared problem: The challenges associated with trying to detect and block new and/or well-masked cyber threats. This post explains each of these issues in greater depth, and provides context for how layered cyber security can help defend against unknown cyber threats.
CIA Malware: A Deluge of Previously Unknown Threats
If nothing else, the Vault 7 leak reminds us that at any given moment somebody somewhere (a foreign actor, the U.S. government or black-hat hackers) has access to an obscure cyber threat that current defenses are not designed to detect or defend against.
In the case of the CIA, there were a lot of them, and they have become available in bulk over the past month or so. They primarily target Windows operating systems but, according to BGR, also include intrusion tools for Mac and iPhone devices. These include zero-day vulnerabilities and previously unidentified malware types, but also anti-forensics tools that mask a malware’s origin (i.e., the “Marble Framework”). DLL files are a heavily used vehicle for the CIA: they are handy for concealing malware inside applications, and the documents show that common apps have been used for spying by exploiting DLL weaknesses. One attack technique uses several .NET DLLs and a Windows PowerShell script to implant a “listening post” on a target Windows PC.
The UMBRAGE team has a modest collection of attack tools for systems powered by Microsoft’s widely used operating system. These tools include keystroke loggers, sandbox escape techniques, and antivirus avoidance mechanisms. The analysts found flaws in Control Panel, and the ability to add hidden data streams to NTFS files undetected in order to smuggle data onto storage drives. Windows library files are useful stepping stones to malicious code execution, as are Windows Theme files.
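The hidden NTFS data streams mentioned above are the defender’s concern here: a file that looks ordinary in Explorer can carry extra named streams. As an added example (not code from the original post or from the leaked documents), the following PowerShell function walks a directory and lists every stream other than the primary one, so the contents can be reviewed; the function name, the ignore list and the temporary-directory fixture are assumptions of this example.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) under a path.
# Assumes PowerShell 3.0 or later on Windows and read access to the path.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the usual "downloaded from the Internet" marker; skip it by default.
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one record per stream; ':$DATA' is the file's primary stream,
            # anything else is an alternate stream that normal directory listings do not show.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }
        } |
        Select-Object FileName, Stream, Length
}

# Constructed fixture (hypothetical): a scratch directory with one file carrying an extra stream,
# so the function has something to find when run stand-alone.
$fixture = Join-Path $env:TEMP 'ads-review-demo'
New-Item -ItemType Directory -Path $fixture -Force | Out-Null
$sample = Join-Path $fixture 'report.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'hidden' -Value 'constructed sample payload'

# Review: largest streams first, so bulky smuggled data stands out.
Find-AlternateDataStreams -Path $fixture |
    Sort-Object Length -Descending |
    Format-Table -AutoSize

# To inspect one stream's bytes before deciding whether it is benign:
Get-Content -LiteralPath $sample -Stream 'hidden' -Raw

Remove-Item -LiteralPath $fixture -Recurse -Force
```

Run the function against user-writable locations and removable drives; a stream that is not Zone.Identifier and was not put there by a known application is worth a closer look.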
If you’re using Windows Exchange 2010, the CIA has a tool for that, called ShoulderSurfer, which performs a code injection attack against the Exchange Datastore manager process that would allow an agent to collect emails and contacts at will and without the need for an individual’s credentials.
While an anti-virus solution may be able to block known malware signatures, these new intrusion tactics would easily penetrate most firewalls. That said, if application whitelists are in use so that only known executables are cleared to run, most, if not all, forms of unknown threats can still be caught before they are able to launch on the network.
BrickerBot Malware
On April 12, the U.S. Department of Homeland Security warned businesses about a “permanent denial-of-service” attack called BrickerBot. In a nutshell, BrickerBot corrupts a device’s storage and turns it into a perpetual DDoS-attack device, a tactic known as bricking. In many cases, the devices can never be repaired. Moreover, according to the grey-hat hacker who is believed to have written BrickerBot, the malware has claimed 2 million devices since January.
In this case, BrickerBot is a severe warning to software developers to get their act together. The vulnerability for home users is that most of them do not run next-gen firewalls or APT-based malware detection. Not that businesses are safe either: even with these systems in place, a lot of malware has bypassed and evaded the most advanced defenses. It is also a stark reminder of what is at stake for businesses that fail to be circumspect about their security posture. Every endpoint, IoT or otherwise, must be well managed and protected with layered cyber security.
Relative to human history, cyber threats are very new. Their worst days may be ahead of them – but not if we maintain the upper hand through layered security deployments and application of known best practices.