There is an ongoing struggle in computer and network security. Every day security professionals diligently scan for vulnerabilities, deploy patches and updates, make sure antimalware defenses are up to date, and monitor firewall logs to keep a vigilant eye out for malicious or suspicious activity. It’s a noble fight to defend network resources and sensitive data from would-be attackers “out there”. Unfortunately, there’s a fair chance that the enemy is already in your network and most organizations are not equipped to detect or defend against those threats effectively.
Researchers at Damballa have scrutinized the Destover malware used to wipe target machines in the Sony attack, as well as the related Shamoon malware used to destroy data in the 2012 Saudi Aramco attack. In both cases the goal of the malware was purely destructive, and in both cases the malware appears to have been present inside the network for an extended period before the destructive payload was actually triggered.
A blog post from Damballa explains, “While researching a newer sample of Destover, we came across two files that were identified by one antivirus product at the time under a generic signature. After analyzing further, we found two utilities closely related to Destover. Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface. Both utilities had usage statements and were named as setMFT and afset.”
According to the Damballa researchers, used together the two utilities let attackers defeat many of the methods security professionals rely on to detect an intruder on the network. Once the attackers have access to sensitive servers they can clean or redirect log files, so evidence of their activity never reaches the SIEM or log analysis tool that might otherwise reveal the suspicious activity.
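The defender's side of that problem is worth making concrete. The script below is an added illustration, not Damballa's code and not tied to any specific tool described in their research: it runs two simple SIEM-style checks over a handful of constructed Windows event records. The first flags the events Windows itself writes when a log is cleared (Security event 1102 and System event 104); the second flags a host that stops forwarding events while the rest of the fleet keeps talking, which is the symptom a SIEM actually sees when logs are redirected or forwarding is disabled. The host names, timestamps and event sequence are invented sample data.

```python
"""Detect signs of cleared logs or interrupted log forwarding.

Added example for illustration only. Two checks a SIEM rule author
would run over forwarded Windows event records. All records below are
constructed sample data, not real telemetry.
"""
from datetime import datetime, timedelta

# Windows event IDs written when a log is cleared:
#   Security 1102: "The audit log was cleared"
#   System    104: "The System log file was cleared"
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample records: (host, UTC timestamp, channel, event id)
SAMPLE_EVENTS = [
    ("fileserver01", "2014-11-20T08:00:00", "Security", 4624),
    ("fileserver01", "2014-11-20T08:05:00", "Security", 4672),
    ("fileserver01", "2014-11-20T08:07:00", "Security", 1102),  # audit log cleared
    ("fileserver01", "2014-11-20T08:08:00", "Security", 4624),
    ("fileserver01", "2014-11-20T09:50:00", "Security", 4634),
    ("dc01",         "2014-11-20T08:00:00", "Security", 4624),
    ("dc01",         "2014-11-20T08:03:00", "Security", 4768),
    # dc01 then goes quiet: nothing after 08:03 although the window ends at 10:00
    ("hr-db01",      "2014-11-20T08:01:00", "System",   7036),
    ("hr-db01",      "2014-11-20T09:55:00", "System",   104),   # System log cleared
]


def parse(ts):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_cleared_logs(events):
    """Return (host, timestamp, channel) for every log-cleared event."""
    return [(h, ts, ch) for h, ts, ch, eid in events if eid in LOG_CLEARED_IDS]


def find_silent_hosts(events, now, max_gap=timedelta(minutes=30)):
    """Return hosts whose most recent forwarded event is older than max_gap.

    A host that stops sending events while it is still up is consistent
    with forwarding having been disabled or redirected. The rule fires on
    the silence itself, because the SIEM never sees what was suppressed.
    """
    last_seen = {}
    for host, ts, _, _ in events:
        t = parse(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    window_end = parse("2014-11-20T10:00:00")
    for host, ts, ch in find_cleared_logs(SAMPLE_EVENTS):
        print(f"ALERT log cleared: {host} {ch} at {ts}")
    for host in find_silent_hosts(SAMPLE_EVENTS, window_end):
        print(f"ALERT no events from {host} for more than 30 minutes")
```

Both checks depend on the event having left the host before the attacker acted: the 1102/104 records only help if they are forwarded in near real time, and the silence check only works if the SIEM tracks an expected heartbeat per source. Neither catches an attacker who edits individual lines in a flat log file before it is shipped, which is why central, write-once log collection matters more than any single rule.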
The tools also blend effectively with legitimate system files. A cursory inspection by IT or security professionals is unlikely to raise any red flags because the files seem benign at first glance. In other words, the attackers can lay low and stay under the radar—collecting user credentials, disabling network defenses, and extending their reach throughout the infrastructure undetected for long periods of time. By the time the attackers pull the trigger and the organization realizes the threat is there it’s too late.
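A directory listing is exactly the "cursory inspection" that a benign-looking file name is designed to pass. The check that does not rely on appearances is a hash baseline: record the digest of every file in a trusted state and later diff the live directory against it. The script below is an added example, not code from Damballa or from the research; it builds a baseline over a constructed temporary folder, plants a new file with a plausible name and alters an existing one, and reports what changed. The folder layout and the file name `wuauclt32.exe` are invented for the demonstration.

```python
"""Diff a directory against a SHA-256 baseline to surface planted files.

Added example for illustration only. The directory, file names and
contents are constructed in a temporary folder; nothing here reflects
the real layout of a Windows system.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline, root):
    """Return (added, modified, removed) relative paths versus the baseline."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Take a baseline, simulate an intrusion, and diff. Returns the diff tuple."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "System32")
        os.makedirs(sys32)
        # Constructed "known good" state.
        for name, body in (("svchost.exe", b"real svchost"), ("cmd.exe", b"real cmd")):
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulated attacker stage (invented): drop a utility under a
        # plausible name and tamper with an existing system file.
        with open(os.path.join(sys32, "wuauclt32.exe"), "wb") as f:
            f.write(b"dropped utility")
        with open(os.path.join(sys32, "cmd.exe"), "wb") as f:
            f.write(b"real cmd with extra bytes")

        return compare(baseline, root)


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
```

Two caveats apply in practice. The baseline is only as trustworthy as the moment it was taken, so it has to come from a clean build or a vendor manifest rather than from a host that may already be compromised. And a comparison run on the suspect host can itself be subverted by anything that controls the file system view, so the digests should be stored, and ideally computed, off the machine being checked.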
Damballa sums up, “The attackers behind large and long-lasting attacks are very well organized, patient and determined. Toolsets like Destover, afset and setMFT are part of an arsenal used during a cyber attack.”
Check out the Damballa blog post for more information and the technical details behind the research.