Attention Federal Agencies: You Aren’t Stopping All Malware
- On March 4th 2016 an endpoint at a U.S. Federal Agency encountered the Angler EK TeslaCrypt while browsing a web site (hxxp://pssor.com/pssor-home) with Internet Explorer.
- At the time the malware was executed on the endpoint (March 4th 2016), this was not known by any anti-virus vendor. In fact, the earliest this was discovered was March 7th 2016.
- Due to Bromium’s ability to hardware isolate each untrusted task, this endpoint was never compromised even though the exploit easily navigated past all the advanced perimeter and endpoint malware prevention solutions.
As a Sales Engineer on the U.S. Public Sector team, I am privileged to work with some of the most exciting Federal Agencies in the United States. A portion of my job is to demonstrate how Bromium can solve the cyber challenges today with hardware isolated protection. In many cases I do this by getting a Proof of Concept up and running in the Federal Agency’s environment.
A little over a year ago, I performed one of these Proof of Concept deployments at a Federal Agency (their name is being omitted to protect the innocent). During the short Proof of Concept, a threat triggered an alarm within the Bromium console. Believe it or not, this doesn’t always happen during the Proof of Concept because Bromium is the last line of defense. This means that for Bromium to see an alert, the threat has to bypass all perimeter and other endpoint solutions. In most cases, U.S. Federal Agencies spent a lot of money on advanced solutions to stop external threats. You can imagine how happy I was that Bromium was on this particular endpoint as part of the Proof of Concept.
Below is the write up Bromium created to detail the attack and show the Federal Agency that Bromium Secure Platform protected the endpoint.
On March 4th 2016 an endpoint at a U.S. Federal Agency encountered the Angler EK TeslaCrypt while browsing a web site (hxxp://pssor.com/pssor-home) with Internet Explorer. Bromium Secure Platform protected the endpoint from the malware by hardware isolating the Internet Explorer session. At no point was the endpoint itself compromised, simply a disposable micro virtual machine due to Bromium.
Angler is the most sophisticated and active Exploit Kit in the cybercrime world today. Angler uses a variety of advanced tools and techniques to deliver malware to end user devices. As was the case here, Flash is often the browser software that is initially exploited. Bromium isolated and recorded the attempt. From the Bromium management console, the payload (malware) was fully inspected and analyzed. The following shows the “dropped & executed” portion of the event.
After inspection of the MD5 hash from the file that was dropped and executed, it was determined by anti-virus vendors to be TeslaCrypt. Tesla is a ransomware type malware. Ransomware operates by encrypting all the local and networked files connected to the infected machine. This level of attack could have caused substantial damage to the endpoint as well as network shares on the domain. Fortunately, the endpoint was protected with Bromium Secure Platform. At the time the malware was executed on the endpoint (March 4th 2016), this was not known by any anti-virus vendor. In fact, the earliest this was discovered was March 7th 2016. That left a three day gap had this endpoint not been protected by Bromium. The following shows a sample from VirusTotal. At the time of the screenshot, only 33 of the 53 major AV vendors knew about the malware and had remediation for it.
Microsoft, the AV vendor for this particular U.S. Federal Agency identifies this as Ramson:Win32/Tescypt!rfn. However, Microsoft didn’t discover it until March 7th. Again, this endpoint received this malware on March 4th (3 days before Microsoft discovered).
Each micro-virtual machine is purpose built for the task the user is performing. In the case of this U.S. Federal Agency event, the micro-vm was created to produce Internet Explorer web content. Each purpose built micro-vm contains a profile of what is expected behavior. At any point tasks outside of expected behavior occur, Bromium records all activity inside that particular micro-vm. Once analysis output from the trace of data gathered during the life of micro-VM a full analysis can occur. This full analysis allows complete inspection of every part of the infection. From this trace, it was determined that in this particular the endpoint was redirected several times to reach the final point of exploit. This behavior is typical for Angler malware. Multiple redirections before the landing page (one that hosts the exploit) is done to avoid detection based protections.
Thankfully, due to Bromium’s ability to hardware isolate each untrusted task, this endpoint was never compromised even though the exploit easily navigated past all the advanced perimeter and endpoint malware prevention solutions. Only Bromium could have stopped that particular zero-day attack for that endpoint in this U.S. Federal Agency.