And what if a cyberattack originated from your antivirus solution?
Published on: 28 12 2020 | Modified on: 15 04 2021
Often seen as a key line of defence against cyber-threats, antivirus solutions are nevertheless vulnerable. The news reports have shown that these protective solutions have become particularly attractive targets for cyber-criminals. We explain.
You never know where a cyber-attack’s coming from. But the hack targeting Mitsubishi Electric in 2019 may come as something of a surprise: cyber-criminals successfully exploited a flaw in its... antivirus system. More precisely, they hijacked the antivirus solution to gain elevated privileges enabling them to extend their grip over the infected machines. And it’s a serious matter: a compromised antivirus solution won’t prevent a cyber-attack. Worse still, in some cases its presence on the workstation can actually facilitate an attack. This new modus operandi speaks volumes about the way cyber-attacks are changing and the responses that need to be put in place.
Why attack an antivirus solution?
It may sound counterintuitive: by targeting an antivirus solution, aren’t cyber-criminals taking the risk of triggering alerts of all kinds? “For a long while, intruders sought to hide from security solutions when performing their illicit activities, recalls Adrien Brochot, Product Manager Stormshield. But this became more difficult for them as antivirus solutions became ever more sophisticated. And so current techniques involve deactivating the antivirus system before carrying out a prohibited operation. Or even using the antivirus solution to increase their privileges on the machine”.
One of the current techniques involves deactivating the antivirus before carrying out a prohibited operation. Or even using the antivirus solution to increase their privileges on the machineAdrien Brochot, Product Manager Stormshield
Because increased privileges are the Holy Grail sought by cyber-criminals. “In a classic attack scenario, you begin by taking control of an exposed service with a low level of privileges, explains Sébastien Viou, Cyber-Evangelist Consultant Stormshield. But using another vulnerability, you can take control of a higher-level process making possible to run code or commands. And this lets you extend the scope of your activities”. This process is “fairly simple to put in place, according to Sébastien. The difficult part lies in finding the vulnerabilities”. The research phase can take time but always bears fruit, including in the case of protective solutions. By successfully compromising the antivirus system, the cyber-criminals can even access the administrator’s rights for a workstation and subsequently the domain administrator rights. How the antivirus system has become a prime target for cyber-criminals…
Enlarge your attack surface
An antivirus solution is a piece of software. And as software, it has lines of code and possible bugs which can become vulnerabilities. “When you’re coding, statistically you’ll have one bug per 1000 lines of code. And a software solution contains hundreds of thousands of lines of code. So when you add a software solution to an item of equipment you’re naturally increasing the attack surface”, stresses Sébastien Viou. It’s what’s known as a measure-related risk: in addition to the residual risk there’s also the risk of the measures you introduce. Including in the case of protective measures.
A recent study by CyberArk revealed major flaws in most security software. CyberArk’s researchers identified around a dozen vulnerabilities including in market-leading antivirus solutions. A goldmine for cyber-criminals.
A three-phase attack
To hijack an antivirus system, an example of a widely used vulnerability involves symbolic file links. The aim of this approach is to direct the antivirus solution’s attention towards a file other than that containing the malware - often one of the files comprising the antivirus solution itself - to then deactivate it. As the purpose of an antivirus solution is to scan all files arriving on the workstation, it will naturally scan the malicious file and attempt to delete it. But because of the symbolic link, it instead deletes the “legitimate” file. “This technique makes it possible to hijack the operation of the service. It’s the simplest method to use and can involve just a few lines of commands”, notes Sébastien Viou. This is the first stage in a cyber-attack, the stage enabling the cyber-criminal to gain a foothold in the system.
Once you’ve got administrator rights on a machine, it’s relatively easy to take control of the machines in the network or even the whole systemSébastien Viou, Cyber-Evangelist Consultant Stormshield
The second stage involves increasing your level of privileges. For example, an application which does not properly control its resources can load a Dynamic Link Library (DLL) controlled by the attacker instead of its own, thereby allowing the attacker to run code in the application with high privileges. This vulnerability is then sufficient to trigger the now-familiar chain reaction. “The security solution has extensive powers on the workstation. It has the highest rights, enabling it to block all kinds of critical applications. If you make it through to administrator level, you can grant yourself all rights over a machine, explains Adrien Brochot. And as antivirus solutions are generally installed on all workstations in the company, finding an exploitable vulnerability on a workstation means that you can exploit this on all of the other machines”.
“Once you have administrator rights on a machine, it’s relatively easy to control other machines in the company or even the whole system. This is why the AD is subsequently targeted”, adds Sébastien Viou. This is the third part of the attack, the launch of the malicious action. “The intruders seek to be discreet during the initial stages to infect as many machines as possible before really unleashing the malicious part including data theft, the blockage of workstations and the destruction of production activities, etc., adds Adrien Brochot. Generally, it’s at this stage that the company realises it’s under attack. People start getting locked out of the system and can no longer access what they need... And it’s at this stage that the admins can really start panicking, because it’s already too late”. With sometimes serious consequences including a stoppage of production.
How do you build a robust cybersecurity system?
And here, antivirus solutions are not the only ones concerned as cybersecurity solutions in the wider sense are not immune to this threat either. A quick look at the list of CVEs concerning software publishers is guaranteed to send a shiver down your spine… These vulnerabilities are numerous and well-documented - and that’s before we even consider the backdoors, deliberately built into some systems and solutions.
But how do we tackle these threats when the very tools which are supposed to be protecting us have embraced the dark side of the Force? A complex question to which the initial answer is relatively simple: we need to make them more robust. And therefore more secure. And it’s the responsibility of security solution publishers – like Stormshield – to introduce the best practices and all the tools needed to achieve this as part of their development cycles, by applying the concept of Security By Design.
From the very design phase for these tools, it’s vital to anticipate all applicable security requirements and to perform a risk analysis. Thus, the choice of a micro-service type software architecture for example will offer greater resilience than a monolithic solution. This micro-segmentation involves segmenting rights and isolating the workflow for each service, as Adrien Brochot explains: “we break down all of a solution’s functions into several different services. Each one has the minimum required rights needed to perform its operations and can only communicate with certain other specified services”. This is the application of the lowest privilege principle, as recommended by the France’s ANSSI cybersecurity agency. The goal: to reduce the attack surface to the bare minimum and limit the spread of the malware. Next, during the development phase, code control tools should be used and specialised outside companies called in - encouraged by a bug bounty for example. Finally, before launching the solutions in the marketplace, the solutions and their source code should be audited by independent third parties to ensure that there are no backdoors or structural vulnerabilities. It’s a simple question of trust.
Despite all of these precautions, no security solution can always guarantee to be bug-free. However, it’s possible to demand a guarantee of robustness from the solution and to ensure that it has the capacity to protect itself or even repair itself in order to minimise the impacts of any possible corruption. For this reason, the best solution to be adopted is to favour the use of trusted technology, to guarantee an overall optimal security level for your system.