How to Stop Malware in the Cloud

Moving digital assets to the public cloud reduces costs and increases productivity, but it poses some new information security challenges. Specifically, many IDPS that were designed for the on-premises network come up short when deployed in the public cloud. Public cloud providers have built-in security layers to manage information security using their own security monitoring infrastructure to address this problem, but these built-in monitoring services are one-size-fits-all and may miss crucial customer-specific security requirements or user account compromises. This leaves cloud-based assets more vulnerable to data breaches.

And the threats are there. An April 3, 2019 article in ZDNet mentioned that over 540 million Facebook records were exposed on AWS. In 2017, 57 million Uber customer records were compromised because hackers extracted Uber’s AWS credentials from the company’s private GitHub account. Public cloud offers no tools for monitoring the network data that would have detected and prevented these breaches.

Why public clouds are difficult to secure
Public clouds are great when it comes to providing shared compute resources that can be set up or torn down quickly. The cloud provider offers a basic software interface to provisioning storage, servers and applications, and basic security monitoring that runs on top of that interface at the application layer. But the application layer runs on top of the network, and the network is the only place where certain classes of dangerous security breaches can be detected and prevented.

Clouds restrict users from inspecting or logging the bits that go over the network wire. Inspecting a public cloud at the application layer can give customers information about what the network endpoints are doing, but that’s only part of the picture. For example, breaches due to users’ misbehavior are only visible at the network layer by observing the communication patterns that are inconsistent with company policies. The cloud’s built-in monitoring services would not be aware of this misbehavior because they do not monitor network behavior on behalf of the enterprise. Importantly, if malware or a rogue application somehow makes it into a cloud instance or remote VM hosted in the cloud, cloud-native monitoring services may not detect malicious behavior at the network level. Because customers don’t have access to the bits being transmitted, they’ll never know the malware is there.

So what’s a cloud customer to do? Adding NG firewalls from third-party vendors to public cloud deployments adds the ability to customize the inspection of all the bits flying by, but fails to detect communications within the cloud (i.e., between a web server and a database) or lateral communications (for example, a compromised host trying to spread within the internal cloud network between VMs). This leaves blind spots that can allow malware to execute without the user’s knowledge. Lastly, when there is a breach, in most cases, cloud customers can’t even quantify, precisely, the number of records or the amount of data  exfiltrated.

As it’s not feasible to deploy hardware on a public cloud provider’s premises, the way to eliminate these blind spots lies with software that can implement a virtual tap and monitor traffic at the network level. Today, only MetaFlows offers multi-function software that will address these needs.

WannaCry Ransomware Advisory

It has been all over the news this weekend, a surge in Ransomware under the name ‘wannacry’ that has the potential to cripple large portions of networks due to the way that it spreads.

This is a pretty stealthy piece of malware at the network level, little to no CnC has been confirmed, but at an individual level it doesn’t behave much differently from any other Ransomware that we have seen in the past.

What distinguishes WannaCry is that it has a secondary infection vector that prior Ransomware variants lacked. Like any other, the primary infection vector appears to occur via email attachment (zipped javascript). However, once a machine is compromised it begins to behave more like a worm, able to exploit SMB (windows file sharing) on any systems that it can reach in order to spread its self.

This worm like behavior makes it particularly dangerous. While usually* smb (port 445) is not accessible from the outside world, it is often completely unrestricted within a local network, allowing one infected machine to spread the Ransomware across an entire site.

* This is your reminder to do double check firewall rules and run some external scans to make absolutely certain your windows file shares are not reachable from the outside world.

 

The following signatures are currently indicators to look out for:

2024218: ET EXPLOIT Possible ETERNALBLUE MS17 Echo Response
2024291: ET TROJAN Possible WannaCry DNS Lookup (trojan.rules)
2024292: ET INFO Bitcoin QR Code Generated via Btcfrog.com (info.rules)

MetaFlows has added 2024291 to our priority alerts category, and may also add 2023218 to add an extra level of alerting for these events.

 


Many of the windows related scan rules have been updated, and may be treated with greater suspicion, but are not alone indicators of this malware:

2001569 – ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection (scan.rules)
2001579 – ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection (scan.rules)
2001580 – ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection (scan.rules)
2001581 – ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection (scan.rules)
2001582 – ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection (scan.rules)
2001583 – ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection (scan.rules)

There are likely to be more updates and more information soon as researchers have time to study the samples collected so far.
Our primary signature provider, Emerging Threats, maintains a mailing list where these issues are discussed as they unfold.
https://lists.emergingthreats.net/pipermail/emerging-sigs/2017-May/028122.html
https://lists.emergingthreats.net/pipermail/emerging-sigs/2017-May/028113.html

Common Threads in Black Hat 2015

130659908_922e26a071_oWhen discussing the need for tighter, and better cyber-security one of the common themes discussed at Black Hat centered around the lack of research and preparation on the part of software developers.  Katie Moussouris, in speaking at the special event, “Beyond the Gender Gap:  Empowering Women in Security,” mentioned that her career revolved round encouraging software developers in major corporations to address security at the design stage or as early as possible in the development phase.  The issue with this, of course, is that if a potential exploit is discovered, the individual responsible for that discovery would receive no credit for it. The fix would simply exist as a part of an after-thought – thus encouraging the habit of sitting still, waiting for the problem to become evident, and then offering a security patch.  When internal efforts fail, it would behoove developers to seek outside assistance.  However, this solution is one that is not readily accepted.  In the panel, Moussoris cited Microsoft’s initial commitment to not pay individuals to hack their product, and the challenges she faces in encouraging software developers in their creation of their Bug Bounty programs on sites such as Moussoris’ HackerOne.

In the instance that companies like Adobe institute their Bug Bounty programs, they range in effectiveness as participants can be awarded in everything from cash to a high-five for their efforts.  However, when one considers how many vulnerabilities continue to crop up in Adobe’s software, a high-five may not be enough.  Given the compromises that their Flash updates have caused, it is clear that Adobe’s approach is failing.  The gravity of this issue is especially evident as Cisco’s most recent Midyear Security Report and resulting blog entry call upon companies, “To reduce the occurrence of these common code errors, software developers should participate in regular security training to build awareness of current vulnerabilities, trends, and threats.”  Although the ball for creating, publishing, and updating secure software lies within the hands of software developers, only a naïve or irresponsible user would sit back and wait for the developers to handle it.

The pro-active approach, on the user end, is to assume that every software system is inherently flawed and problematic – to have a security solution already in place that can detect when employing a new software system has unintended and quite possibly, disastrous consequences. Defensive security systems must be flexible enough and powerful enough to meet evolving threats coming from an onslaught of flawed software systems and riddled web user interfaces, that can catch users unaware but ideally, not unprepared.

As the Internet of Everything becomes more of a reality, it is the onus of the user to make sure that they are meeting the challenges that come with it.  Conferences like Black Hat open up the dialogue by asking important questions, the most resounding being, “What do you plan to do to keep your information secure?”  In a room full of options, this question may seem both overwhelming and considerably difficult.  No one can afford to spend money on services that (while not being comprehensive) will not work with others, in accidentally duplicating coverage, or even investing in a system that flat does not meet the demands of a connected world.

Finding solutions and making connections are why security professionals attend Black Hat.  At the MetaFlows kiosk, our engineers were able to explain to professional after professional as to why the SaaS model works and how the MetaFlows MSS is a cooperative solution that pulls from a variety of sources, partnering with Emerging Threats, Cyber-TA, and Virus Total, to name a few.  As Microsoft plans to release Windows 10 and Adobe continues to update their products, it is imperative that every user have a security plan in place to protect the integrity of their data.

Escaping the Jurassic: Getting Technical at Black Hat

EvolutionThe cyber security world can feel like a competitive scenario,  eat or be eaten.  However within our own community, the truth is quite a bit different.  MetaFlows belongs to a cyber security community and Black Hat is a conference about that community. In their own words, “For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment.” It is a place to meet with the nation’s top security teams about the most cutting edge security issues and solutions.

As a company, attendance at conferences like Black Hat give us an opportunity to contribute in a very concrete way to the intelligence community. Survival has very little to do with being the biggest and the strongest but has everything to do with adaptability. By continually communicating with the security community, our service remains flexible enough to meet emerging threats. The MetaFlows Security System is a multi-faceted approach to enterprise security and that means, of course, staying relevant.

Black Hat allows the MetaFlows team to not only present our unique security solution, but to also connect with fellow security professionals, current customers, and future customers. Our kiosk will have an interactive display and our engineers will be available to explain what it is we do and why it is effective. We look forward to the opportunity to actively participate in the ongoing security dialog.  Our continually evolving product is fully scalable to meet the needs of modest business to massive enterprise.