In the past couple of months, a handful of high-profile security breaches have thrown companies for a loop and catapulted cyber security to the forefront of everyone's minds. Since the Target breach, CIOs and CISOs have begun evaluating what policies and services they have in place to protect their employees, partners, customers and, ultimately, their data from attack.
Looking more closely at recent attacks like SoakSoak and Regin, these highly sophisticated malware threats show the limits of today's signature-based detection tools, and even of the newer virtual-execution (sandboxing) technologies, when it comes to actually mitigating the problem. Not only enterprises but also government entities are at risk when surfing the Web or providing personal information through online channels.
More than 100,000 WordPress sites were infected by malware called SoakSoak, which turned the infected sites into attack platforms. SoakSoak is an example of a vulnerable service becoming an infection vector in its own right: the compromised sites served malware to their visitors through ordinary Internet downloads. With more than 70 million sites using WordPress as their content management system, malware authors have a vast install base on which to leverage any vulnerability that shows up in this publishing platform. Google has flagged 11,000 of the sites, but that is nowhere near enough to track down and patch the many infected sites whose owners do not know they are now serving malware. Like the Drupal 7 vulnerability a few weeks ago, it shows that the window of time available for patching Internet-facing services is shrinking rapidly, and the urgency of doing so is growing.
We are seeing a pattern with Chrome extensions, WordPress plugins and the like: software that starts out benign is turned into malware, either through exploitation of a vulnerability or through a malicious software update. The initial download of legitimate software becomes the Trojan horse. When a user visits a web site, existing security mechanisms have no reliable way to tell whether or not that site is serving malware. Even enterprises that restrict outbound web access can be compromised by a vulnerability like this, because WordPress is so prominent that the legitimate sites users are allowed to reach are among the ones being compromised.
Looking back at Regin, it is the attackers' well-thought-out counterpart to Metasploit, the open source penetration-testing framework that unifies exploit code and payloads for use against remote targets. Regin had been used to spy on governments, infrastructure operators, businesses, researchers and individuals since at least 2008. Unlike some other advanced persistent threats, Regin was clearly not built by someone looking to make a quick buck and disappear. This highly sophisticated five-stage threat, with fully encrypted payloads and a modular design, and in circulation since 2008, is malware to be reckoned with. The ability to extend the core with highly targeted payloads also makes it an extensible malware platform suited to long-term data collection and continuous monitoring of individuals. It is one of the clearest examples yet of cyber espionage tooling aimed not only at enterprises but at nations and governments.
Despite its sophistication, the initial infection vector for Regin, the stage that drops the first component onto the machine, appears to be nothing more exotic than a browser-based exploit, much as a phishing site would deliver. We live our lives on the web, and web-based infection vectors continue to grow at a rapid pace. The fact that Regin went unnoticed since 2008 supports the view that malware has far outpaced the products that attempt detection with signatures or virtual execution. These detection mechanisms look for a finite set of patterns, but the number of possible variations of a piece of malware is effectively unbounded: a trivial change to how the same payload is packed or encoded produces a sample that no existing signature matches.
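To make the "finite patterns versus unbounded variants" point concrete, here is an added example that is not part of the original article or of any product it discusses. A toy scanner holds a small signature database; a toy packer wraps the same payload in a one-byte XOR layer under a different key each build, so every build has different bytes on disk but identical behaviour once unpacked. The payload bytes and the signature names are constructed sample data, not real malware or a real signature feed.

```python
"""Added example: why a fixed byte signature loses against trivially
mutated builds of the same payload. All data here is constructed."""

import random
from typing import Dict, List, Sequence

# Constructed sample payload standing in for a malicious blob.
ORIGINAL_PAYLOAD = b"cmd.exe /c whoami & net user attacker P@ss /add"

# Constructed signature database: a finite set of byte patterns that a
# vendor extracted from previously seen samples.
SIGNATURES: Dict[str, bytes] = {
    "Win.Trojan.AddUser": b"net user attacker",
    "Generic.Cmd": b"cmd.exe /c",
}


def scan(blob: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature-based detection: names of every pattern found in blob."""
    return [name for name, pattern in signatures.items() if pattern in blob]


def pack(payload: bytes, key: int) -> bytes:
    """Wrap payload as <key byte> + XOR-encoded body.

    Every key from 1 to 255 changes every byte of the body, so each build
    looks different at rest while carrying the same payload.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 so the body actually changes")
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time: recover the real payload."""
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def build_variants(payload: bytes, keys: Sequence[int]) -> List[bytes]:
    """One build of the same payload per key."""
    return [pack(payload, k) for k in keys]


def random_variants(payload: bytes, n: int, seed: int = 0) -> List[bytes]:
    """n builds with distinct random keys (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    return build_variants(payload, rng.sample(range(1, 256), n))


def signature_from(sample: bytes, offset: int = 1, length: int = 12) -> bytes:
    """What a vendor would do after catching one build: cut a signature
    from its bytes. It only ever matches that one build's key."""
    return sample[offset:offset + length]


def evasion_rate(variants: Sequence[bytes],
                 signatures: Dict[str, bytes] = SIGNATURES) -> float:
    """Fraction of builds that the at-rest scanner misses."""
    missed = sum(1 for v in variants if not scan(v, signatures))
    return missed / len(variants)


def behaviour_preserved(variants: Sequence[bytes]) -> bool:
    """Every build unpacks to the identical original payload."""
    return all(unpack(v) == ORIGINAL_PAYLOAD for v in variants)


if __name__ == "__main__":
    variants = random_variants(ORIGINAL_PAYLOAD, 20)
    print("original detected as:", scan(ORIGINAL_PAYLOAD))
    print("at-rest evasion rate over 20 builds:", evasion_rate(variants))
    print("behaviour preserved:", behaviour_preserved(variants))
    # Scanning what actually runs (the unpacked bytes) still catches it,
    # which is why the industry moved towards execution-time inspection.
    print("unpacked build detected as:", scan(unpack(variants[0])))
```

The scanner catches the original bytes and catches any build once it is unpacked, but every packed build evades the at-rest signatures, and a signature cut from one build does not match the next one. Real packers and polymorphic engines are far more elaborate than a one-byte XOR, but the arithmetic is the same: each new key is a new pattern the defender has not seen, which is exactly why a detector built on a finite pattern set cannot keep up.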
Cybercrime is now a profession; malware and exploit kits are created and sold with guarantees that they will circumvent security controls. According to Gartner, businesses will spend more than $71 billion on information security in 2014, yet nearly $400 billion has been lost globally as a result of cybercrime. Security today rests on the premise that one can reliably classify something (a web page, an email, a file) as good or bad. That premise is fundamentally flawed, as malware continues to evade even the latest security technologies.
These high-profile attacks signal a new era of the Internet age in which no one is safe, government bodies included. We have to step back, evaluate the state of security technologies, and decide what steps are needed to protect ourselves from attack.