Attackers using apps to "hide in plain sight"


By Dylan Bushell-Embling
Thursday, 05 June, 2014



Cybercriminals are increasingly using applications to carry out and mask attacks, resulting in cyberthreats that are “hiding in plain sight”, according to a new report from Palo Alto Networks.

The report finds a surprising diversity in the types of applications showing threat activity, yet the vast majority of that activity is concentrated in only a few key applications.

The report, based on traffic assessments conducted across around 5500 organisations during the 12 months to March 2014, shows that 94% of the vulnerability exploit logs observed in the period were found in only 10 applications.

Common sharing applications - email, instant messaging, social media, file sharing and video - represented 27% of all applications found and were directly linked to the delivery of 32% of attacks, but accounted for a disproportionately low 5% of the threat activity observed.

Palo Alto said this indicates that the common belief that these applications are the source of all of today’s enterprise security challenges is only partially true.

Attackers often use these applications only to deliver the initial infection payload to the enterprise network, then use that foothold to install a second payload aimed at the true target of the attack, the report states.

To address the risks posed by common sharing applications, Palo Alto recommends that organisations keep all desktop applications up to date and consider deploying endpoint protection software. Because many of these applications transmit over encrypted SSL channels, organisations should also consider selectively decrypting and inspecting common sharing application traffic, since a threat carried inside an encrypted session is invisible to inspection that only sees the ciphertext.

The report also states that during the 12-month period, a staggering 98.7% of vulnerability exploit logs involved traffic carried over UDP (User Datagram Protocol). Many of the 66 botnets detected in the research used UDP as a command-and-control channel.

The heaviest UDP malware activity came from the ZeroAccess botnet, Palo Alto said, which cybercriminals use to mine bitcoins, perpetrate advertising click fraud and send spam. Infected computers communicate over a customised peer-to-peer protocol and other customised UDP traffic. The peer-to-peer design gives ZeroAccess its resilience, since there is no single command server to take down, along with the advantage of distributed processing.

Palo Alto said this indicates that blocking or tightly controlling unknown, customised or modified traffic is a good way for organisations to proactively manage some new and evolving threats.
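The practical form of that advice is to look for UDP traffic that matches no sanctioned service and fans out to many external peers, which is how a peer-to-peer bot of the ZeroAccess type looks in flow data. The following is an added example written for this article, not code from Palo Alto Networks or from the report; the flow record shape, the internal address ranges, the sanctioned port list and the sample flows are all assumptions constructed for the illustration.

```python
"""Flag internal hosts whose UDP traffic looks like a custom peer-to-peer protocol.

Added example, not from the Palo Alto report or its tooling. The heuristic is
the one the text implies: legitimate UDP services (DNS, NTP, VPN, syslog) go to
a handful of well-known ports, while a P2P bot fans out to many distinct
external peers on ports that match no sanctioned service.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: one record per flow, (src_ip, dst_ip, proto, dst_port, bytes),
# the shape most NetFlow/firewall exports reduce to. Sample data is constructed.
SAMPLE_FLOWS = [
    ("10.0.0.5", "8.8.8.8", "udp", 53, 120),             # DNS, sanctioned
    ("10.0.0.5", "203.0.113.10", "udp", 123, 90),        # NTP, sanctioned
    ("10.0.0.5", "198.51.100.20", "tcp", 443, 5400),     # HTTPS, not UDP
    ("10.0.0.9", "192.0.2.77", "udp", 27015, 800),       # one unknown peer, below threshold
    ("192.0.2.88", "10.0.0.9", "udp", 27015, 400),       # inbound, not counted
    ("10.0.0.7", "198.51.100.4", "udp", 61000, 300),     # unknown UDP, fixed port, many peers
    ("10.0.0.7", "198.51.100.5", "udp", 61000, 310),
    ("10.0.0.7", "203.0.113.41", "udp", 61000, 290),
    ("10.0.0.7", "203.0.113.42", "udp", 61000, 305),
    ("10.0.0.7", "192.0.2.9", "udp", 61000, 298),
    ("10.0.0.7", "192.0.2.10", "udp", 61000, 302),
    ("10.0.0.7", "10.0.0.8", "udp", 61000, 302),         # internal peer, not counted
]

# Assumption: the site's own address ranges and its sanctioned UDP services.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
KNOWN_UDP_PORTS = {53, 67, 68, 123, 500, 514, 4500}


def is_internal(ip):
    """True if the address falls inside one of the site's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unknown_udp_summary(flows, known_ports=KNOWN_UDP_PORTS):
    """Per internal source: the external peers and destination ports of its
    outbound UDP flows that match no sanctioned service ("unknown UDP")."""
    peers = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, proto, dport, _nbytes in flows:
        if proto != "udp" or dport in known_ports:
            continue
        if is_internal(src) and not is_internal(dst):
            peers[src].add(dst)
            ports[src].add(dport)
    return {src: (peers[src], ports[src]) for src in peers}


def suspected_p2p_hosts(flows, min_peers=5, max_ports=2):
    """Hosts with a P2P-like fan-out: many distinct external peers reached on
    only a few ports (a fixed protocol port, as a custom P2P bot uses), which
    is what distinguishes the pattern from a port scan of a single host."""
    summary = unknown_udp_summary(flows)
    return sorted(src for src, (peers, ports) in summary.items()
                  if len(peers) >= min_peers and len(ports) <= max_ports)


if __name__ == "__main__":
    for host in suspected_p2p_hosts(SAMPLE_FLOWS):
        peers, ports = unknown_udp_summary(SAMPLE_FLOWS)[host]
        print(f"{host}: {len(peers)} external peers on unknown UDP port(s) {sorted(ports)}")
```

The thresholds are the tunable part: raise `min_peers` on networks with legitimate UDP-heavy peer applications (VoIP, games), and extend `KNOWN_UDP_PORTS` with whatever the site actually sanctions, so that the residue the script reports really is the "unknown customised" traffic the report says is worth blocking.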

In contrast to the common sharing applications and UDP traffic, internal business applications and network services showed significant volumes of brute force activity during the period, the report states.

Two of the most commonly targeted applications are DNS (Domain Name System) and SMB (Server Message Block). Both represent significant risks if an attacker gains control of them: the DNS server holds the names and addresses of the other servers on the network, so whoever controls it can redirect clients wherever they choose, and SMB can give cybercriminals direct access to every business application using the protocol.

Palo Alto urged organisations to consider restricting access to both DNS resolvers and SMB services to internal networks and/or trusted users only.
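Two checks follow from the two findings above: whether DNS and SMB are in fact reachable only from inside, and whether any source is hammering them with repeated failed logins. The block below is an added example for this article, not code from Palo Alto Networks or from the report; the log line format, the trusted ranges, the port-to-service map and the sample log are assumptions constructed for the illustration.

```python
"""Two checks for the DNS and SMB findings, over constructed log lines.

Added example, not from the Palo Alto report. Assumed record format is one
connection or authentication event per line:
    <ISO timestamp> <src_ip> <dst_port> <result>
where result is "ok" or "fail". Check 1 lists services that should be
internal-only (DNS and SMB) but were reached from outside the trusted ranges.
Check 2 finds sources with repeated failures against one service inside a
short window, the pattern of a brute-force attempt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the site's trusted ranges and the services to keep internal-only.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
RESTRICTED_PORTS = {53: "dns", 139: "smb", 445: "smb"}

# Constructed sample: a normal internal SMB login, an external host hammering
# SMB, an external DNS query, and an internal user with a few spread-out typos.
SAMPLE_LOG = """\
2014-03-01T10:00:00 10.0.0.12 445 ok
2014-03-01T10:00:01 198.51.100.7 445 fail
2014-03-01T10:00:02 198.51.100.7 445 fail
2014-03-01T10:00:03 198.51.100.7 445 fail
2014-03-01T10:00:04 198.51.100.7 445 fail
2014-03-01T10:00:05 198.51.100.7 445 fail
2014-03-01T10:00:06 198.51.100.7 445 fail
2014-03-01T10:00:30 203.0.113.5 53 ok
2014-03-01T10:01:00 10.0.0.20 445 fail
2014-03-01T10:05:00 10.0.0.20 445 fail
2014-03-01T10:09:00 10.0.0.20 445 fail
2014-03-01T10:09:10 10.0.0.20 445 ok
"""


def parse(line):
    """Split one assumed-format log line into (timestamp, src_ip, port, result)."""
    ts, src, port, result = line.split()
    return datetime.fromisoformat(ts), src, int(port), result


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def exposed_services(lines):
    """(src_ip, service) pairs where a restricted service was reached from
    outside the trusted ranges, i.e. where the 'internal only' rule fails."""
    hits = set()
    for line in lines:
        if not line.strip():
            continue
        _ts, src, port, _result = parse(line)
        if port in RESTRICTED_PORTS and not is_trusted(src):
            hits.add((src, RESTRICTED_PORTS[port]))
    return sorted(hits)


def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failures against one port within any
    `window`. A sliding window (one deque per source and port) keeps a few
    typos spread over minutes from being counted as an attack."""
    recent = defaultdict(deque)
    flagged = set()
    # ISO timestamps lead each line, so a lexical sort is a chronological sort.
    for line in sorted(l for l in lines if l.strip()):
        ts, src, port, result = parse(line)
        if result != "fail":
            continue
        q = recent[(src, port)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("restricted services reached from outside:", exposed_services(lines))
    print("brute-force sources:", brute_force_sources(lines))
```

On the constructed sample the external host is reported by both checks, which is the expected shape of the finding: a service that should never have been reachable from outside is the one being brute-forced. The first check is the one to fix at the firewall; the second is the one to keep running afterwards, since brute force from inside the trusted ranges is still brute force.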

In the wake of the security scare caused by the Heartbleed OpenSSL vulnerability, it is disconcerting that applications capable of using SSL encryption in some form were detected across nearly every application sub-category. Around 34% of all applications found during the network traffic assessments can use SSL, and some attacks have started taking advantage of the protocol to hide their activity in plain sight.

For example, during the high-profile Target breach, the attackers stole the credit card data and personal information of around 100 million customers, encrypted the data using SSL and then moved it out using FTP.

The report states that while the media furore over Heartbleed is dying down, the threat is far from behind us. Heartbleed puts tools once reserved for the most skilled cybercriminals into the hands of the average attacker, and Palo Alto predicts it won’t be long before an automated tool that scans a network for Heartbleed-vulnerable systems and exploits them in a single click is developed.

To mitigate the risks, the company recommends that organisations exert tighter control over applications that can use SSL, identify and patch affected systems, and renew their security certificates and passwords. Because Heartbleed can leak a server’s private key from memory, a renewed certificate is only worthwhile if it is issued for a newly generated key; reissuing a certificate for the old key leaves the server as exposed as before.

Image courtesy of Anonymous9000 under CC



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd