In the past two weeks there have been dramatic announcements of vulnerabilities in open source and proprietary products that allow credential stealing with nothing more complicated than a structured information query. We are all aware of the risks of cyber-threats like hacking, credential misuse, lateral movement, and general mayhem consequential to uncontrolled access in computer networks - now we have a blatant example in “Heartbleed”.
The Heartbleed vulnerability has been widely reported and exhaustively reviewed so we will not delve too much into those aspects. Rather we want to focus on the risk it poses to an organization, and try to offer some context to understand that risk – so the threat can be assessed with regard to the exposure the organization has to attacks.
Once again, the sky is not falling. However, it is certainly raining much harder today than it was two weeks ago. The Heartbleed and similar vulnerabilities (such as the Apple bug of a few weeks ago, the widespread use of hardcoded certs in hardware devices and related firmware updates reported by Project Basecamp, or the many publicized MITM SSL attacks since 2002), have existed for a long time. The threat to consider since Heartbleed’s expose’ however is not the vulnerability (that is the risk); rather it is awareness in the global technical community, and corresponding tools (metasploits, various scripts and etc.) that have popped up and made the exploitation of that vulnerability so easy.
It is a fair assumption that in the past two weeks most Internet-accessible systems have been scanned to enumerate vulnerable software configurations, and where discovered the vulnerabilities have been tested or actually exploited in attempts to compromise those systems. Who is doing these activities can be summarized as – anyone, since the sensational attention and community tools were so quickly provided. Heartbleed has provided a targeted method, but as the awareness increases of the accessibility of vulnerable systems – other methods are concurrently being utilized as well. In other words the risk has grown from the toehold that Heartbleed offered attackers, to a foothold of other known and developing exploits.
Just to clarify the risk of these attacks though, let’s detail the fundamental concerns (so companies can assess the threat for themselves):
1) This is an access control issue. If successfully exploited it allows credentialed access to corporate systems via VPN or other systems designed to secure internal networks.
2) If not detected and examined, it could result in APT activities (reconnaissance, sabotage, subversion, or theft) and expose sensitive information to competitors or malicious actors.
3) No malware is necessary; however the bulk of scanning activities have so far been attributable to “catalog operators” who typically drop botnet or other backdoor malware into compromised networks for subscriber access. Therefore it provides an avenue of infiltration for infection.
There is an adage that is becoming more widely accepted in information security: “There are two types of companies, those who know they are compromised and those who don’t.” Heartbleed demonstrates more clearly than any past events the truth of that statement. In order to understand which type of company you are, an assessment of related indicators and activities is needed. Blacklists aren’t going to help detect this type of event, instead an assessment focused on configuration, use, and access anomalies is needed to understand whether an organization has been compromised – and what happened afterwards. What changes in the environment were made, what data was stolen, and what malware was left behind to provide access on-demand to botnet operators or other malicious actors?
Cylance has an efficient method for performing an assessment of an organization’s entire managed IT estate (including all O/S types for managed devices) that helps a company establish a definitive answer, as well as determining other risks that are evident and may threaten the brand, legal or compliance posture, operational, or financial situation of the organization. That is called a Compromise Assessment, and is performed with the CylanceCAT.
A Compromise Assessment collects information from managed endpoints of the IT estate with no endpoint agents, by leveraging IT estate management tools and processing the resulting data into informative results. The collected data represents risk issues including build inconsistencies, malware and IOCs, lateral tools use for movement in the estate, credential abuse and propagation, and data theft. The data is processed with complex (though automated) analytical methods to answer questions that relate to the demonstrated impact of risk indicators – in order to help an organization assess the related threat of the activities. CylanceCAT provides the analytical platform for processing of the IT risk indicators and presentation of the results for management understanding of the potential threats.
Heartbleed, and similar attacks are compromise activities that seek to harvest credentials on vulnerable systems in order to use an organization’s own network architecture (such as VPN and AD) in order to gain access and exploit internal systems. The following indicators collected from recent investigations that we performed for clients may be helpful for organizations to answer the initial question of “was I compromised?”
During several recent engagements we found that anomalous entries in SSL VPN logs provided clues to when and how attackers were able to gather credentials for authenticated access to corporate networks. An analysis of SYSLog entries from VPN concentrators and SSL authentication services resulted in a low-frequency incident of anomalous connections that failed but were subsequently allowed. The session messages included the following reasons:
SSL negotiation failed while client at source IP ‘126.96.36.199’ was trying to connect to ‘192.168.154.1’
Reason:’http request’ Reason: ‘no certificate returned’ Reason:’sslv3 alert certificate revoked’ Reason:’tlsv1 alert unknown ca’ Reason:’wrong version number’ Reason:’unknown protocol’
An example of a susceptible (and later compromised) OpenVPN log entry is shown below:
root@ubuntu:/var/log# grep --color "WARNING: Bad encapsulated packet length from
peer" /var/log/openvpn.log … Thu Apr 17 14:49:00 2014 us=407724 192.168.154.1:62755 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1544 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
From another client we collected the following SYSlog events that show the SSL negotiation, attempted credentials use (SYSTEM which failed, and user1 which succeeded), and successful access after a necessary A/V check was passed:
Apr 9 20:47:35 ASA3-inside ASA3 %ASA-1: Starting SSL handshake with client External:188.8.131.52/52696 for TLSv1 session.
Apr 9 20:47:36 SSLVPN2 Juniper: 2014-04-09 20:47:35 - VPNWEB - [184.108.40.206] System() - SSL negotiation failed while client at source IP '220.127.116.11' was trying to connect to '10.10.14.95'. Reason: 'sslv3 alert bad certificate' Apr 9 20:47:37 ASA3-inside ASA3 %ASA-1: Device completed SSL handshake with client External:18.104.22.168/52696 Apr 9 20:47:38 ASA3-inside ASA3 %ASA-1: SSL session with client External:22.214.171.124/52696 terminated. Apr 9 20:47:38 ASA3-inside ASA3 %ASA-1: Teardown TCP connection 766485681 for External:126.96.36.199/52696 to identity:172.18.1.16/443 duration 0:00:05 bytes 3687 TCP FINs … Apr 9 20:49:03 SSLVPN2 Juniper: 2014-04-09 20:49:03 - VPNWEB - [188.8.131.52] System() - SSL negotiation failed while client at source IP '184.108.40.206' was trying to connect to '10.10.14.27'. Reason: 'tlsv1 alert unknown ca' Apr 9 20:49:03 SSLVPN2 Juniper: 2014-04-09 20:49:03 - VPNWEB - [220.127.116.11] System() - SSL negotiation failed while client at source IP '18.104.22.168' was trying to connect to '10.10.14.27'. Reason: 'tlsv1 alert unknown ca' … Apr 9 20:51:22 SSLVPN2 Juniper: 2014-04-09 20:51:22 - VPNWEB - [22.214.171.124] System() - Host Checker policy 'Cache Cleaner policy' passed on host 126.96.36.199 . Apr 9 20:52:27 SSLVPN2 Juniper: 2014-04-09 20:52:26 - VPNWEB - [188.8.131.52] user1(OrgAD) - Primary authentication successful for user1/OrgAd2 from 184.108.40.206 Apr 9 20:52:27 SSLVPN2 Juniper: 2014-04-09 20:52:26 - VPNWEB - [220.127.116.11] user1(OrgAD) - Host Checker realm restrictions successfully passed for user1/OrgAD
Upon successful access to the internal network, the attacker made use of the stolen credentials to navigate to selected windows systems with tools already in the network. This is demonstrated with the following information from Microsoft Windows Security Event Logs.
In this compromise a total of 17 systems were accessed successfully with 2 compromised user credentials, additionally 5 other systems were identified by the attackers and attempted access using administrative and super user credentials were attempted – but denied. Fortunately this client had user profile abuse monitoring rules and was quickly alerted to the events and was able to stop the activities within 30 minutes of the activity beginning.
In our recent webcast “To XP or Not to XP” we described that there are only 3 things necessary for APT activities: tools, credentials, and time. In order for Heartbleed, or similar attacks to succeed time is the essential element to control. No (malware) tools are necessary as the vulnerability is exploited externally (and although this vulnerability can in most cases be patched there will always be more vulnerabilities to exploit). Credentials can be stolen, crafted, or impersonated in varied ways – either technically or through social engineering. However, with diligent alerting, monitoring, and review/investigation time to accomplish attacker activities can be limited, and prevent subsequent compromise.
Prevention involves processes to monitor and respond; however it also includes preventing the use of in-memory or file-based infections of computers with malware or similar tools. As mentioned previously, the bulk of Heartbleed exploitation activities have been attributed to catalog operators and similar actors - who seek to subjugate compromised systems by expanding their botnets and offer the access to subscribers for varied purposes. Accordingly, it is crucial to prevent the installation (in memory or by file) of malicious services. CylancePROTECT™ provides that capability.
CylancePROTECT can determine malicious use of instructions in memory as well as malware files – without ever having seen them before. Other security software products are limited to what someone has seen (and analyzed) before. CylancePROTECT is the next-generation endpoint Advanced Threat Detection that prevents operating and file system exploitation to prevent infection and botnet spread.
Prevention is key to a security posture, attackers are interested in system control – not simply gaining access. Therefore early detection on the network of service compromise and credential misuse, and prevention of malicious software use on endpoints – will prevent subsequent sabotage, subversion, and theft of sensitive information. Prevent APT activities by preventing malware use with CylancePROTECT, and investigate compromise activities efficiently and comprehensively with CylanceCAT.
Every organization has probably been scanned in the past two weeks, but how many know if they have been compromised? Call us to help answer that question.
Shane D. Shook, PhD
CKO/Global VP of Consulting