They are among us! ISACA has just released its Advanced Persistent Threat Awareness Report. The study presents the results of a survey undertaken by ISACA in the fourth quarter of 2012 with a sample of information security professionals including information security managers in different industries and organizations throughout the world (1,551 individuals globally, representing more than 20 industries).
The results of the survey are interesting to measure the level of awareness, but not so encouraging (and in several circumstances also contradictory) for other aspects:
- The survey results reveal that 25.1% of respondents are very familiar with APTs, although (somehow in contradiction with the previous statement), 53.4% of respondents indicated that they do not believe APTs differ from traditional threats.
- 89.7% of respondents believe that the use of social networking sites increases the likelihood of a successful APT attack.
- 87.3% think that BYOD, combined with rooting or jailbreaking makes a successful APT attack more likely.
- The biggest risk for the enterprise is the Loss of Intellectual Property (25.5%) and the Loss of Personal Information (23.6%). Reputational damage is the third biggest risk (20.5%).
- Only 21.6% of respondents reported having been subject to an APT attack, but 63% of them believes that it is only a matter of time before their enterprise is targeted.
- In any case, nearly 60% of respondents believe that they are ready to respond to APT attacks. Of those: 14% responded that they are “very prepared,” which indicated that they have a documented and tested plan in place for APT. Another 49.6% responded that they have an incident management plan although it does not specifically cover APT.
But in my opinion, the most surprising finding is the fact that, from a technological point of view, a very high percentage (above 90%) of surveyed responded that they are using antivirus and anti-malware and/or traditional network perimeter technologies to thwart APTs. Other kinds of technologies (Sandboxing, Event Correlation, Mobile or Traditional Endpoint Control, Remote access), have a much lower impact (below 60%).
Contradictory results that show a high awareness about Advanced Persistent Threats, but maybe more from a marketing point of view than from a substantial perspective. As a matter of fact more than one half of the sample does not consider APTs different from the other threats. This explains the high value of respondents who leverage traditional technologies to (believe to) thwart this class of threats.
Another high-profile security company has been breached. Bit9, a leading provider of application whitelisting technology, has admitted to have been attacked by a malicious external third party who was able to illegally gain access to one of their digital code-signing certificates. The attackers did not waste time and the compromised certificate has immediately been used to sign malware infiltrating, according to the company’s investigation, the network of three customers.
The news was initially revealed by Brian Krebs in a blog post, and later confirmed by the security vendor, which also gave additional (scant) details, including the fact that the malicious attackers were able to infiltrate a portion of their internal network not protected by their product.
“We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.“
At first glance the attack has many points in common with the infamous RSA Breach of 2011, including the fact that maybe the real target of the attack was not the company itself, but the protected network of its customers. On the other hand, if it is true, as the company claims, that Bit9 was the only security company capable to stop both the Flame malware and the RSA breach attack, to achieve their target, the attackers had no other chance than attacking the source of their technology.
The latest demonstration, if necessary, that attacks are becoming more and more aggressive and sophisticated, and the protection is not only a matter of technology but even of good procedures and best practice, and not only for the possible victims…
Adobe is the latest victim of a targeted attack. The news has been reported in a blog post by Brad Arkin, Director of product security and privacy at Adobe.
According to Mr. Arking the company has recently received two malware strains in disguise of malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate and has identified the possible reason for the illegitimate code signing in a compromised build server with access to the Adobe code signing infrastructure as part of the build server.
The first malicious utility is called pwdump7 v7.1 and extracts password hashes from the Windows OS as a single file that statically links the OpenSSL library libeay32.dll. The second malicious utility, dubbed myGeeksmail.dll, is a malicious ISAPI filter.
Of course the forensic investigation is ongoing. To date Adobe has identified the presence of malware on the build server (although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process”) and the likely mechanism used to first gain access. Although the forensic investigation has found evidence linking the build server to the signing of the malicious utilities, it appears that the private key required for generating valid digital signatures was not extracted from the HSM, which is kept in physically secure facilities. Even, so far there is no evidence that the source code was compromised or stolen.
As a natural consequence the company has changed the signing process and has deployed an interim solution including an offline human verification to ensure that all files scheduled for signature are valid Adobe software. Furthermore the company is also designing and deploying a new, permanent signing solution.
All the certificates signed with the impacted key since July 10, 2012 will be revoked on Thursday October 4, 2012 (does this means that the build server has been compromised, undetected, for more than two months?). Potentially there could be 5127 applications signed with the compromised key.
According to the available information, we are in front of a typical targeted attack:
We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.
Moreover “Targeted Attacks generate Targeted Attacks” since the malware samples discovered (most of all in case of the pwdump7 “utility”) show the typical features used by Advanced Persistent Threats: compromise one machine, extract information to escalate privileges (see password) and use the initial entry point as a bridgehead to harvest the target network.
So at the end Adobe is the latest high-profile target to join the group of the companies hit by targeted attack: “Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example).”
“Please stay tuned for more details in the coming weeks.”
- Inappropriate Use of Adobe Code Signing Certificate (blogs.adobe.com)
The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) has been developed by a government with significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, easily predictable, Israel is listed as the main culprit, even if in good company if it is true, as argued by some bloggers, that the malware was created by a strict
cooperation coproduction between CIA and Mossad.
Israeli vice Premier Moshe Ya’alon has contributed to fuel the Flame: speaking in an interview with Army Radio, Ya’alon has hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not appear a simple coincidence the fact that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations who may not be just considered in good neighborhood relations with Israel.
Consequantly it is not that surprise the fact that the same interview has been readily reported by the Iranian News Agency Fars (which has interpreted it as a sign of liability and has hence blamed Israel for waging cyber war in Iran) as well as it is not that surprise the tone of several comments to an article posted on the Haaretz newspaper’s Web site (“Nice One Israel, Proud of You!!!!”).
Of course it is too soon to jump to conclusion,in any case, whether Israel (and U.S.) is behind Flame or not, I could not help but wonder how it is possible that a malware has been able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
- A Flame on the Cyberwarfare Horizon (hackmageddon.com)
Or better “The Unbearable Lightness of (Human) Beings and APTs”. Immediately after my post on Cyber Weapons, I was pointed out that APTs are not Cyber Weapons. On a more general perspective, APTs are not things but (groups of) human beings who have the capability and the intent to target specific entries with multi-factor attacks. Said in few words an APT is not a “what” but is a “who”. On the other hand, how many could afford to hire (and pay) a double agent capable of implanting a malware inside a nuclear complex through an infected USB thumb?
An Oxford dictionary for Information Security has not already been published, hence this term is commonly used to refer to cyber threats or long-term sophisticated hacking attacks. The latter is the interpretation closer to what I meant in compiling the chart.