Organizations and IT security professionals spend a lot of time focusing on guarding against external threats, building up the defensive wall that keeps internal systems and data safe from outside attackers. Those efforts are all well and good, but miss the fact that there’s a pretty good chance attackers have already compromised your network and are just patiently waiting for the right opportunity to attack.
Researchers at Damballa uncovered a couple of tools attackers use to keep exploits and compromises hidden on your network:
There is an ongoing struggle in computer and network security. Every day security professionals diligently scan for vulnerabilities, deploy patches and updates, make sure antimalware defenses are up to date, and monitor firewall logs to keep a vigilant eye out for malicious or suspicious activity. It’s a noble fight to defend network resources and sensitive data from would-be attackers “out there”. Unfortunately, there’s a fair chance that the enemy is already in your network and most organizations are not equipped to detect or defend against those threats effectively.
Researchers at Damballa have scrutinized the Destover malware used to wipe target machines in the Sony attack, as well as the related Shamoon malware used to destroy data in the 2012 Saudi Aramco attack. In both cases the goal of the malware was purely destructive, and in both cases the malware seems to have been inside the network for an extended period of time before the actual attack was launched.
A blog post from Damballa explains, “While researching a newer sample of Destover, we came across two files that were identified by one antivirus product at the time under a generic signature. After analyzing further, we found two utilities closely related to Destover. Both utilities would be used during an attack to evade detection while moving laterally through a network to broaden the attack surface. Both utilities had usage statements and were named as setMFT and afset.”
According to the researchers at Damballa, the combination of the tools enables attackers to thwart many of the tools and methods commonly used by security professionals to detect the presence of attackers on the network. The attackers can gain access to sensitive servers and clean or redirect log files to prevent any evidence of their activity from ever reaching a SIEM or log analysis tool that might reveal suspicious activity.
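The defensive counterpart to the log cleaning and redirection described above is to watch the SIEM's intake itself: a source that reports an explicit "audit log cleared" event, or that suddenly goes quiet, is worth a look. The following is an added example (not code from the article or from Damballa) that runs that check over a few constructed Windows-style log records; the host names, timestamps and the 30-minute silence threshold are assumptions.

```python
# Added example, not from the CSO article or Damballa's research: a small
# defender-side check over forwarded log records that flags the two traces a
# log-tampering tool tends to leave in a SIEM: an explicit "audit log cleared"
# event, and a source that stops reporting because its logs were redirected.
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
AUDIT_LOG_CLEARED = 1102  # Windows Security event "The audit log was cleared"

# Constructed sample records: (timestamp, host, event_id, message)
SAMPLE = [
    ("2014-12-01 09:00:00", "srv-files", 4624, "An account was successfully logged on"),
    ("2014-12-01 09:05:00", "srv-files", 4624, "An account was successfully logged on"),
    ("2014-12-01 09:06:00", "srv-files", AUDIT_LOG_CLEARED, "The audit log was cleared"),
    ("2014-12-01 09:00:00", "srv-db", 4624, "An account was successfully logged on"),
    ("2014-12-01 09:05:00", "srv-db", 4624, "An account was successfully logged on"),
    ("2014-12-01 09:10:00", "srv-db", 4624, "An account was successfully logged on"),
    ("2014-12-01 09:55:00", "srv-db", 4624, "An account was successfully logged on"),
]
# Assumed end of the observation window (when the check is run).
OBSERVED_UNTIL = datetime.strptime("2014-12-01 10:00:00", FMT)


def find_log_clears(records):
    """Return (host, timestamp) for every explicit audit-log-cleared event."""
    return [(host, ts) for ts, host, eid, _ in records if eid == AUDIT_LOG_CLEARED]


def find_silent_hosts(records, now, max_gap=timedelta(minutes=30)):
    """Return {host: [(gap_start, gap_end), ...]} for every stretch longer than
    max_gap during which a host that had been reporting sent nothing. The
    stretch from a host's last record up to `now` is included, so a source
    that was redirected away from the SIEM shows up as well."""
    seen = defaultdict(list)
    for ts, host, _, _ in records:
        seen[host].append(datetime.strptime(ts, FMT))
    gaps = {}
    for host, stamps in seen.items():
        stamps.sort()
        bounds = zip(stamps, stamps[1:] + [now])
        found = [(a.strftime(FMT), b.strftime(FMT)) for a, b in bounds if b - a > max_gap]
        if found:
            gaps[host] = found
    return gaps


if __name__ == "__main__":
    print("log clears:", find_log_clears(SAMPLE))
    print("silent hosts:", find_silent_hosts(SAMPLE, OBSERVED_UNTIL))
```

In the sample, srv-files both clears its audit log and then falls silent, while srv-db shows a 45-minute hole in an otherwise steady stream; in practice the threshold should be tuned per source to its normal reporting cadence.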
Read the full story on CSOOnline.com: Damballa warns that the enemy may already be in your network.