The U.S. has not denied its role in the use of weaponized malware, and other countries are already jumping on board. India recently announced that it is empowering government agencies to carry out similar actions.
State-sponsored malware attacks are officially out of the shadows and mainstream for organizations and end users alike. In fact, Google recently announced an alert service for Gmail users warning of “state-sponsored attacks”. How exactly did we get to this point, and what are the factors and threats that you need to be aware of?
Welcome to the Age of Weaponized Malware. What Does it Mean to Your Enterprise?
1. Welcome to the Age of Weaponized Malware. What Does it Mean to Your Enterprise?
2. Presenters
• Richard Stiennon: Author and Security Industry Expert, IT-Harvest
• Paul Henry: Security and Forensics Analyst, Lumension
• Paul Zimski: VP, Solution Marketing, Lumension
3. State Sponsored Malware is Officially Out of the Shadows
Google begins alerting Gmail users to 'state-sponsored' attacks.
Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer. Protect yourself now.
4. How did we get to the point where your online email provider specifically warns users of state-sponsored attacks?
6. How Big a Problem is Weaponized Malware?
Scale vs. Real World Malware
7. Event Timeline: Stuxnet
• Publicly disclosed 13 months after the first attack against Iran
• Designed to sabotage Iranian nuclear refinement plants
• Stuxnet attacked Windows systems using an unprecedented four zero-day exploits
• First to include a programmable logic controller (PLC) rootkit
• Carries a valid but abused digital signature
• Payload targeted only Siemens supervisory control and data acquisition (SCADA) systems
2009.06: STUXNET
8. Event Timeline: Duqu
• Considered to be “next generation Stuxnet”
• Believed to have been created by the same authors as Stuxnet
• Exploits zero-day Windows kernel vulnerabilities
• Components are signed with stolen digital keys
• Highly targeted and related to the nuclear program of Iran
• Designed to capture information such as keystrokes and system information
• Central command and control with modular payload delivery – also capable of attacking
2010.09: DUQU
9. Event Timeline: Flame
• Designed for targeted cyber espionage against Middle Eastern countries
• Spreads to systems over a local network (LAN) or via USB stick
• Creates Bluetooth beacons to steal data from nearby devices
• Most complex malware ever found
• “Collision” attack on the MD5 algorithm to create fraudulent Microsoft digital certificates
• Utilized multiple zero-day exploits
2011.05: FLAME
10. Weaponized Malware: Scale vs. Real World Malware
millions of malware signatures discovered in the last year
11. Weaponized Malware: Scale vs. Real World Malware
only a handful of known malware has ever been weaponized
12. Weaponized vs. General Malware
First, let’s take a look at where we’ve come from. Even the oldest remote access Trojans had convenient surveillance options such as recording the victim’s keystrokes, turning on the microphone, capturing screens, etc., all in easy point-and-click interfaces. Anti-virus evasion was trivial through the use of executable “packers” to randomize signatures:
• Back Orifice: 1998
• NetBus: 1998
• Sub7: 1999
19. Why Should the Enterprise Care?
Retaliation Risk
US admits Stuxnet: expect increasing retaliation risk against sensitive economic and infrastructure assets
20. Why Should the Enterprise Care?
Collateral Damage
Loss of control of weaponized malware (once weaponized malware is released, control is effectively lost), exposing the enterprise to accidentally spreading malware (Stuxnet was discovered after it escaped its targeted environment and started spreading)
21. Why Should the Enterprise Care?
Adaptation by Cyber Criminals
Targeted attacks on sensitive information
Variants of Stuxnet already seen
22. What Should The Enterprise Do?
Know Where the Risk Is / Endpoint Not Gateway
• Every endpoint is an enterprise of ONE.
• Need to have autonomous protection.
• Need to have a layered approach.
23.-27. Deploy Defense in Depth Strategy
Successful risk mitigation relies on solid vulnerability management foundations, together with layered defenses beyond traditional black-list approaches. The layers, built up one slide at a time:
• Patch and Configuration Management: Control the Vulnerability Landscape
• Application Control: Control the Grey
• Hard Drive and Media Encryption: Control the Data
• Device Control: Control the Flow
• AV: Control the Known
29. Employee Education
Often the first and last line of defense.
lumension.com/how-to-stay-safe-online
30. Learn More
• Quantify Your IT Risk with Free Scanners
• Watch the On-Demand Demos
• Get a Free Trial
31. Summary
Weaponized malware is a legitimate threat; however, the “sky is not falling”. Understand the risk and implement technologies, processes and people to mitigate it.