Alex Watson

Alex Watson, security research director at Websense, has uncovered an advanced persistent threat (APT) campaign using zero-day exploits after researching 16 million crash reports from Windows Error Reporting (WER) last year.

You recently exposed a targeted attack against a mobile network provider and a government agency. How did you do this?

For a little bit of background information, we were working on answering the question of how you detect threats, such as targeted attacks that have made it past organisations’ defences. Cyber security systems deployed today are predominantly based on extra knowledge from the vendor organisation and signature-based defences. What that means is that the security systems are really good at finding an exit that we know about, but in the examples we’ve seen across the past year, cyber criminal groups are willing to spend the resources and the time necessary to avoid detection from PFs, firewalls or AD system.

How did you use Windows Error Reporting (WER) as a means of identifying the previously unknown threat?

Microsoft uses these reports to prioritise bug fixes and whether applications are failing, while we’re asking the question: can we use these crash reports to find indications of ongoing attacks, exploit activity, code or injection? When you plug a USB key device into your computer, a report will be sent to Microsoft that has details about your computer, resulting in a lot of reports being sent out that have incredibly small information on Microsoft, but most organisations are not aware of these reports being sent out.

What exploits did you test?

We did a couple of case studies, exploring how we can use anomalies to find unknown attacks. We took a look at what I would say is probably one of the more popular exploits of the past year, it’s this CVE-2013-3893 – a Microsoft Internet Explorer very powerful exploit that we saw being used in targeted attacks in Taiwan and Japan… I think the industry saw it being used and targeted against high value organisations, but the infrastructure, shellcode and obfuscation techniques they used were not up to the level of sophistication of the actual exploit, which made us wonder: is this the only group that’s using this exploit?

How would you describe the attack?

It’s a targeted attack that starts out with an email campaign to a select group of people within an organisation… We made an assumption that for about 15 people in an organisation, at least one of those applications will fail, resulting in a programme crash that we can detect, while others may be successful. We reversed those exploits, found a location for it to crash and created a fingerprint for (in the event that the exploit failed) what the crash report would look like.

We then searched 16 million reports over a four-month period and ended up finding a total of five reports that matched our fingerprint from four different organisations. We looked at the organisations and two in particular, a mobile network operator and government agency, stood out as high value targets for targeted attack. Both of them had Houdini H-Worm, a remote access Trojan (RAT), starting back on the same day as the failed exploit attempt happened.

Did you identify any other attacks?

We also collected application crash reports from point-of-sale (POS) applications such as those targeted by the POSRAM malware. Analysis of their crash logs indicated a possible code injection into their pos.exe application, which appears to be similar to the vector used by other POS malware… One organisation stood out almost immediately as having different crashes than the others did as well as POS application crashes… If you were looking at this from an application developer, this would be a really bad crash because it means it was someone else’s code and it’s not your own code.

From a security perspective though, it leads us to believe that there’s a possible injection of code. So if you had a malicious product that was targeting your POS application and that malicious process crashed, then it’s quite likely it would crash outside your programme space.

How should security firms evolve to overcome these attacks?

The security industry needs to move away from signature-based defences and include more intelligence around anomalies and network behaviour as hackers improve techniques to break into security systems… We’re building this into products right now and it’s something that we wanted to get organisations thinking about how to uncork techniques like anomaly detection into their defences. And if it’s not something that the organisation has resources to build themselves, it’s something that they should look for or ask for in their security product.