Hiding in plain sight - attacks via trusted entry routes such as updates

The threat landscape is constantly in flux as defenders develop improved techniques to defend and protect networks, and attackers seek new means to infiltrate and infect systems to fulfil their own agenda.

Like any form of logistics, distributing malware is a difficult process for attackers. Not only may malware fail to reach its intended target, but if it is identified en route to a target, security analysts will be able to develop protection ensuring that subsequent attempts to deliver the malware will be blocked.

Malware writers use many techniques to deliver their malware and to avoid detection along the way. The recent Nyetya attack adopted the unusual approach of being distributed via the software update mechanism of a legitimate third party software provider who had been compromised.

This is not the first occasion on which attackers have sought to abuse software update systems. In 2012, the Flame malware reportedly spoofed the Windows Update mechanism to spread. The Havex trojan in 2014 was distributed via compromised software installation packages, and in 2016 a popular browser toolbar was reportedly used to distribute hidden malware to unsuspecting users.

The threat actors behind Nyetya clearly planned their actions, choosing ME Doc, the publisher of a tax accounting program widely used in Ukraine, as the initial vector for their malware. First, the attackers introduced a backdoor into the code of the legitimate accounting software and allowed it to be distributed. Then they subverted the software update system to issue instructions to the installed, backdoored accounting software.

Almost certainly, these instructions included the commands to download and install Nyetya. The malware then spread across the internal networks of affected organisations, wiping and destroying data while masquerading as ransomware purporting to restore data on payment of a ransom.

Distributing malware through software update systems allows attackers to hide in plain sight. Software updates are one of the few routes that executable code is expected to enter organisations. So, an executable file downloaded from a software update server doesn't necessarily attract the attention of security teams.

Sophisticated attackers deserve a sophisticated response. Simplistic approaches to security, such as blocking access to servers with a poor reputation, are no longer enough to assure resistance to attacks. Compromising highly reputable, legitimate servers and using them as part of a command and control infrastructure is a technique that we have observed sophisticated threat actors using for some time.

Organisations need to adapt to operating in a grey world, where no system is entirely trustworthy. Basic protections such as ensuring systems are fully patched, and that network ports aren't unnecessarily opened to the outside world remain the foundations of good security.

Attackers may infiltrate networks from unexpected sources, in which case defence becomes a matter of swiftly identifying the compromise and containing the attack before remediation. Proper network segmentation, and using the network as a sensor, help spot issues quickly and stop them spreading.

Good defences take planning and investment. The aftermath of a major attack is a very good time to reflect on how current defences would protect against similar attacks, and how the organisation would respond if the same thing happened to them.

One thing is certain: the bad guys aren't getting any dumber. Each attack that highlights an effective novel distribution technique only encourages further threat actors to adopt the same processes themselves. It's not inevitable that such attacks will be successful, but organisations need to learn the lessons from attacks and ensure that their defences are up to the challenges of the threat environment.

Contributed by Martin Lee, technical lead, Security Research, Cisco Talos.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.