The information security forensics community has been making news headlines with some of the high-profile investigations that have been discovered and disclosed recently, including Flame and Gauss. Kaspersky Lab's unveiling of the Red October
Enterprises that haven’t embraced the importance of antiphishing, strong authentication, rapid patching and network monitoring will be successfully exploited by future Red October-like attacks.
Kaspersky's research uncovered that Red October, at the time of its discovery, had been active for at least five years, operating virtually undetected. Cyberespionage attacks are not new, but they have become significantly more sophisticated. It's now often trivial for attackers to infiltrate organizations for months, if not years, without detection. But, by dissecting these advanced attacks, enterprises can learn important lessons.
In this tip, we'll discuss the details of the Red October malware campaign and what enterprise security teams can learn from it in order to detect future attacks.
The Red October malware campaign uncovered
Red October targeted several hundred victims since 2007, if not earlier. Its authors went after scientific research, diplomatic, government and supporting organizations across the globe, but mostly in Eastern Europe. Based on the text and names in the malware, Kaspersky Labs attributed the Red October modules to Russian-speaking developers and the exploit development to Chinese hackers.
The execution of the campaign proved to be similar to some other recent, high-profile attacks; it started with a phishing attack carrying a malicious attachment that, once executed, exploited Microsoft Office and Java vulnerabilities. From there, backdoors and short-term executables gained access to local systems, set up persistent access and then utilized modules for password stealing, keylogging and scanning for other systems to attack. The end game was typically to identify credentials to access remote systems or system information for the purpose of data exfiltration. It downloaded instructions from its command-and-control (C&C) server, including new malware, then scanned for targeted data and exfiltrated it to its C&C infrastructure, which included proxies to hide the master server.
From the editors: More on whitelisting
Bruce Schneier and Marcus Ranum debate the value of whitelisting and blacklisting.
Learn how application whitelisting can provide an extra layer of defense against malware.
The Red October campaign did feature some unique components that differentiated it from standard malware attacks, including the depth of the attack reconnaissance on the target network, the planning that went into the attack and the framework. Each target system was given a victim ID that allowed the attackers to track them more efficiently. Given the size of the attack, this victim ID would allow the attacker to better analyze and control the vast network of compromised devices. This tracking system also allowed the attackers to target the malware (and to avoid reusing the same malware), enabling them to stay under the antivirus radar for years. The malware even had functionality to restore access to its C&C infrastructure when a specific type of attachment was received, making for faster exfiltration of potentially high-value data.
Unusually, it used NTFS low-level APIs and access to scan for deleted data and to recover targeted data. During the network scans, the Red October attackers looked for Cisco routers that could potentially be used later to further compromise the network. Even SIP configuration data was captured, which allowed the attackers to potentially listen to phone conversations. Information was also gathered from iPhone, Nokia and Windows mobile smartphones to further identify targeted data.
Red October response: Examine existing, new controls
In terms of lessons for enterprise security teams, Red October largely used attack methods that organizations should already be able to defend from, if they have security basics in place. Enterprises that haven't embraced the importance of antiphishing, strong authentication, rapid patching and network monitoring will be successfully exploited by future Red October-like attacks. From there, additional supplemental defenses are worth considering. Application whitelisting, for one, may have thwarted unauthorized executables on target systems. There's also a growing case to be made for emerging anomaly-detection products, like those from vendors such as FireEye and Damballa. Strong two-factor authentication, though not a new defense, could be used to prevent the attacks on the credentials.
Red October should be viewed as a signpost indicating where advanced attackers are going in terms of the comprehensive, multifunctional nature of their attacks and underscoring the importance of adjusting security programs to effectively defend against them. Like all other successful attacks, attackers will use the methods and ideas from the Red October campaign in future attacks, even if the attacks are publically known. Enterprises will need to plan for attacks that will rival the comprehensive nature of Red October in the coming years, as less sophisticated attackers adopt these new tactics. Enterprises should prioritize efforts to reassess their environments and determine where controls can be improved or new ones implemented to prevent similar attacks.
About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his master of science in information assurance from Norwich University in 2005, and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
This was first published in May 2013