After the revelation of the Chinese attack against the Gray Lady, other U.S. media companies have admitted to having been targeted by (probably state-sponsored) Chinese hackers in 2012. Immediately after the NYT, the Wall Street Journal also revealed that it had been infiltrated, and similar rumors have emerged about Bloomberg and the Washington Post, in what appears to be a systematic hostile campaign.
In particular, the attack against the NYT appears to confirm the inadequacy of signature-based antivirus against targeted attacks. As the New York Times itself admitted, over the course of three months the foreign attackers installed 45 pieces of custom malware, yet the antivirus in use, made by Symantec, detected only one of them.
The security firm immediately replied to those allegations:
“Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
In a few words: signatures alone are not enough. The sophistication of next-generation targeted attacks requires advanced security capabilities such as reputation and behavioral analysis.
According to the scant information available, the Washington Post also used Symantec technology to protect its assets, and in that case too it could not prevent the hostile attackers from systematically compromising its computer systems.
I wonder whether this double coincidence could somehow be connected to the infamous leak of Symantec antivirus source code, which occurred (or rather was made public) approximately one year ago (on 6 January 2012). As a consequence of the breach (which allegedly dates back to 2006), the source code of two old products (Symantec Antivirus Corporate Edition 10.2 and Symantec Endpoint Protection 11) was leaked on the Internet. Of course the affected products have been greatly modified since then; nevertheless it is likely that some core functions have not evolved, so in theory hostile hackers could have taken a (detailed) look at them and consequently found ways to evade the antivirus (some claim that a similar scenario played out after the infamous RSA breach).
Of course this is just speculation; maybe the reality is much simpler: traditional antivirus technologies are not enough to thwart sophisticated targeted attacks.
- Symantec: don’t blame us for New York Times hack (go.theregister.com)
- Symantec Gets A Black Eye In Chinese Hack Of The New York Times (forbes.com)
There’s no day without a new high-profile cyber attack. The latest victim is the White House, which has confirmed that it was targeted by an unsuccessful spear-phishing campaign.
According to officials, hackers linked to China’s government tried to break into the computer network used by the White House Military Office (WHMO), the president’s military office in charge of some of the U.S. government’s most sensitive communications, including strategic nuclear commands. This is considered one of the U.S. government’s most sensitive computer networks precisely because the WHMO uses it for nuclear commands. The secrets behind the WHMO include data on the so-called “nuclear football,” the nuclear command and control suitcase used by the president to stay in constant communication with strategic nuclear forces commanders for launching nuclear missiles or bombers.
The cyber attack took place earlier this month, and the hackers are believed to have used servers located in China. According to officials, this kind of attack is “not infrequent” and hence there are unspecified “mitigation measures in place” which made it possible to identify the attack and isolate the system. As a consequence, there is no indication that any exfiltration of data took place.
This is not the first time that alleged state-sponsored Chinese hackers have breached (or at least tried to breach) high-profile U.S. targets. On July 14, 2011, the Pentagon revealed that it had lost 24,000 files in a cyber attack that took place in March of the same year (suspicion fell on China). In May of the same year, several U.S. defense contractors, such as Lockheed Martin, Northrop Grumman and L-3 Communications, were hit by targeted attacks carried out with compromised SecurID tokens as a consequence of the infamous RSA breach.
At this link is a non-exhaustive collection of the main cyber attacks carried out by Chinese hackers; it may be a little old (and should be updated), but in any case it is enough to understand how active the Red Dragon is in cyberspace.
Targeted attacks exploiting endpoint vulnerabilities are becoming more and more common and increasingly aggressive.
For this reason I could not help but notice the latest report from NSS Labs, dealing with the capability of 13 consumer-grade AV products to protect against two critical Microsoft vulnerabilities (CVE-2012-1875 and CVE-2012-1889). Successful exploitation of these critical vulnerabilities could result in arbitrary remote code execution by the attacker, with very harmful consequences for the victim, such as, for instance, becoming part of a botnet: unfortunately a very common scenario in these troubled days.
Even if these vulnerabilities are a couple of months old (and patched), the resulting report is not encouraging, and it renews the dramatic question: are endpoint protection technologies, on their own, capable of offering adequate protection in the current cyber landscape?
Probably not, considering the findings, which are quite frustrating:
- Only 4 of the 13 products blocked all attacks: exploit prevention remains a challenge for most products;
- More than half of the products failed to protect against attacks over HTTPS that were blocked over HTTP, a serious deficiency for a desktop AV / host intrusion prevention system (HIPS);
- Researchers are not the only ones testing security products: criminal organizations also have sophisticated testing processes in order to determine which product detects which malware, and how the various products can be evaded. Some crimeware already includes various one-click buttons to “Bypass VendorX,” for example.
Ok, you might argue that only consumer-grade AV products were tested, so enterprise organizations are not so exposed to exploit attacks. Hmm… Do not jump to conclusions, as I believe the reality is quite different and enterprise organizations are even more exposed, for the following reasons:
- More and more organizations are adopting the BYOD philosophy, in which users are free to use their own devices. Even worse, too often these are equipped with outdated EPPs (how many organizations enforce NAC policies to check the integrity of the endpoint?).
- Most of all… if cyber criminals have sophisticated testing processes in place, aimed at testing the detection capability of the various products, why should they use them only for consumer products and not (also) for the far more appealing enterprise crime market?
Yes, I definitely believe that endpoint protection technologies, on their own, do not offer adequate protection for exploit prevention, and the time has come for Advanced Threat Detection/Prevention technologies (like Lastline :-)).