Trust-Based Security Models Ineffective: Researchers

Whitelisting Not Always Effective As Legitimate Applications Successfully Abused by Attackers

LONDON – Infosecurity Europe 2015 – The trust-based foundations of whitelisting make it more difficult for organizations to properly protect their networks against cyber threats, Kaspersky Lab researchers have warned.

Juan Andres Guerrero-Saade and Fabio Assolini of Kaspersky Lab’s Global Research and Analysis Team (GReAT) provided numerous examples in which perfectly legitimate applications have been leveraged by malicious actors to achieve their goals.

Benevolent design doesn’t necessarily mean benevolent use, the experts showed during a presentation at the Infosecurity Europe conference in London this week. Trust-based security models such as whitelisting depend on the accurate characterization of the code’s intended use. Whitelisting technology is built on three pillars: verifying if the developer is trustworthy, if the application’s behavior is seemingly benevolent, and if the application is trusted by many users, an aspect the researchers call “crowdsourced trust.”

However, many malicious cyber operations discovered recently have demonstrated that a situation can’t be accurately characterized on the basis of these pillars; behavior cannot be preemptively characterized, widely-available or native tools are ripe for abuse, and a developer’s identity cannot be assured.

Guerrero-Saade and Assolini pointed out that many advanced persistent threat (APT) groups use perfectly legitimate tools in their campaigns. For example, the threat actor group known as Equation, believed to be linked to the NSA, has leveraged the functionality of Sleuth Kit, a library and collection of command line forensics tools that allow users to investigate volume and file system data.

Winnti, an APT group believed to have Chinese roots, has been even more resourceful. The attackers have used the StickyKeys accessibility feature in Windows to elevate their privileges.

The StickyKeys feature is activated when the Shift key is pressed five times in a row. Winnti abused the feature during the operating system’s logon phase to gain administrative privileges on the targeted device by replacing the legitimate StickyKeys executable (sethc.exe) with a file of their own. By replacing sethc.exe with cmd.exe, the attackers obtained a command prompt running with administrator rights.

Another good example is the TeamSpy operation in which attackers targeted political and human rights activists, government agencies, and private companies. The threat actor used TeamViewer, the popular remote control application, to steal sensitive data. As researchers have pointed out, TeamViewer, which is a perfectly legitimate application, became a whitelisted and digitally signed RAT in the hands of the APT group.

Interpreters such as Python, PowerShell and Lua, which are used by many developers, are also often abused. Machete, the cyber espionage operation targeting Spanish-speaking countries, which according to Kaspersky is still active, abused the Python interpreter. Flame and Bunny (a.k.a. Evil Bunny) used Lua, for modular design and for multi-thread orchestration respectively.

PowerShell, the scripting tool included in Windows, has become highly popular among malicious actors. As Kaspersky researchers have pointed out, PowerShell can be highly efficient in the hands of attackers because it allows them to carry out their malicious routines without touching the disk.

Microsoft announced on Tuesday that it’s bringing SSH support to PowerShell. While the decision might be good for developers, experts believe it will also benefit cybercriminals.

Interpreters shipped with Apple’s OS X operating system can also be problematic. Kaspersky researchers are currently looking into issues related to the Perl interpreter installed by default in OS X.

Perfectly legitimate admin tools are also often abused. The SkeletonKey malware used PsExec, a utility designed for executing processes on remote systems, for lateral movement. MiniDuke and CosmicDuke leveraged the Windows Task Scheduler for persistence and malware operations scheduling.

Wiper malware, such as the samples used in the attacks against Sony and Saudi Aramco, has used the RawDisk library from EldoS to bypass NTFS permissions.

As for profit-driven cybercriminals, they have exploited legitimate applications for point-of-sale (PoS) malware, banking Trojans, and ransomware. The examples provided by Guerrero-Saade and Assolini include the use of PsExec by PoS malware such as Carbanak and Backoff, the use of anti-rootkit tools such as UnHackMe and The Avenger by banking Trojans, and the use of the highly popular archiving application WinRAR by the CTB-Locker ransomware.

The Microsoft Background Intelligent Transfer Service (BITS), which is used by Windows Defender and Windows Update, has been abused by cybercriminals to download and install banking Trojans.

Riskware, as some of the legitimate applications abused by malicious actors are called, is sometimes flagged by security solution providers. The problem with this approach is that security firms usually fail to agree on how their products should treat these applications.

The Kaspersky Lab research aims to highlight that whitelisting by itself doesn’t work. A solution to this problem, at least an interim solution, lies in custom-tailored application control, the experts said. Kaspersky’s own products include such features, but customers often remain exposed to attacks because they choose not to use them.

“Whitelisting by itself is built on archaic criteria for trust proven obsolete by experience dealing with advanced and even intermediate threat actors. If execution in your system is not locked down by default deny application controls, your tools are also your attackers’ tools,” Guerrero-Saade told SecurityWeek in an interview.
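The difference between the pillar-based whitelisting the researchers criticize and the default-deny application control they recommend can be shown on the article’s own StickyKeys example. The following is an added illustration, not code from Kaspersky or SecurityWeek: the "binaries", paths, signer names and install counts are constructed stand-ins, and the hashes are of those stand-in strings, not of real Windows files.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ExecEvent:
    path: str           # where the file sits on disk
    content: bytes      # constructed stand-in for the file's bytes
    signer: str         # publisher of a valid code signature ("" if unsigned)
    install_count: int  # how many users run it ("crowdsourced trust")


# Constructed stand-ins for real executables (hashes below are of these strings).
CMD_BYTES = b"<constructed cmd.exe>"
SETHC_BYTES = b"<constructed sethc.exe>"
TEAMVIEWER_BYTES = b"<constructed TeamViewer.exe>"

# Pillar-based whitelisting: trust the developer, or trust what many users already run.
TRUSTED_SIGNERS = {"Microsoft Windows", "TeamViewer GmbH"}
POPULARITY_THRESHOLD = 100_000


def pillar_whitelist(ev: ExecEvent) -> str:
    """Allow anything from a trusted signer or anything sufficiently popular."""
    if ev.signer in TRUSTED_SIGNERS or ev.install_count >= POPULARITY_THRESHOLD:
        return "allow"
    return "deny"


# Default-deny application control: explicit (path, hash) pairs; everything else is refused.
ALLOW_LIST = {
    (r"C:\Windows\System32\cmd.exe", sha256(CMD_BYTES)),
    (r"C:\Windows\System32\sethc.exe", sha256(SETHC_BYTES)),
}


def default_deny(ev: ExecEvent, allow=ALLOW_LIST) -> str:
    """Allow only an exact path/hash pairing; flag allowed binaries found under another path."""
    digest = sha256(ev.content)
    if (ev.path, digest) in allow:
        return "allow"
    # cmd.exe copied over sethc.exe keeps its valid Microsoft signature and its popularity,
    # so the pillars accept it; only the path/hash pairing reveals the swap.
    if any(known_hash == digest for _, known_hash in allow):
        return "deny: known binary at unexpected path"
    return "deny: not on allow list"
```

Running both policies over a swapped sethc.exe and over a signed TeamViewer binary shows why signer and popularity alone are not enough: both models agree on the untouched system files, but only the path/hash policy refuses the swap and the unsanctioned remote-control tool.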

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.