Part IV: Next Generation Threats

Next Generation threats, by comparison, do not use conventional methods to reach your electronic assets.  They can disguise themselves as trusted traffic.  They can use legitimate programs – like Outlook or Adobe Acrobat – to run rules to manipulate data on the computer or server.  Next Generation threats can use your own employees to do the work for them.

None of these are detectable by conventional antivirus or spam filters.

  • So, what if the threat is unknown, or unknowable?
  • What if there is no malicious software, or programmable signature of a file for antivirus to detect?
  • What if the malicious activity is simply malicious behavior of a trusted program, file, or protocol?
  • What if malicious code is delivered through compromised software updates?
  • What if a major software application – like Microsoft Exchange, Outlook, or Adobe Reader – were to be used to spy on and compromise an entire business network of servers, files, and databases?

One such Next Generation Threat is one that’s been around for a long time: The Zero-day Vulnerability.

Sometimes, trusted software has security holes.  There are errors in software code, and these security holes can be used right through the software to deliver malicious attacks.  When a hole is used by a malicious actor or is discovered to present a risk, it is referred to as a “zero-day vulnerability.”  This means it is not in the future, but is a vulnerability that exists today and malicious actors are already working to utilize it to gain access.  Zero-day vulnerabilities are closed by the software manufacturer engineers providing patches or hotfixes.

Again, antivirus won’t find these – the software with the security hole is trusted.  There is no malware to detect.

Zero-day vulnerabilities introduce what we refer to as the Supply-Chain attack.

The Supply-Chain Attack is one that is delivered through compromised code in trusted software, usually through a software update.  A malicious coder inserts program instructions in the software update, allowing them to use the software right under our noses.

January 2021:  a set of malware code – referred to as Sunburst and Sunspot – was reported to be found in trusted IT management software, called SolarWinds.  This malware was inserted into the development process for the popular software sometime in 2019.  This malicious code was used to monitor and encrypt computers that had the SolarWinds Orion software installed, unknown to hundreds of IT departments who used the software.

March 2021: Four zero-day vulnerabilities in Microsoft Exchange Server were being actively exploited by state-sponsored threat actors to open backdoors, harvest information, and deliver malware.  Microsoft reported that they became aware of the exploits – referred to as ProxyLogon and Hafnium – in early January 2021, and issued patches to fix the vulnerability in March 2021.  It is still unclear as to the extent and depth of the exploit, but the threat was demonstrated to allow remote execution of programs and commands on servers, and could be used to collect information and inflict ransomware on internal networks.  Cloud-based versions of Microsoft Exchange (Microsoft 365) were not impacted by this vulnerability.

July 2021: Another infrastructure software application – Kaseya – was compromised in a similar fashion as SolarWinds.  In this case, when the monitoring software was updated overnight, the latest version had the malicious code (REvil) embedded.  Endpoint devices were encrypted within two hours of update, locking networks worldwide.  When IT departments arrived at their desks the next morning, the damage was done and their only options were to pay a ransom or restore servers and computers from backup.

In all three cases, conventional protection could never detect or stop these threats.  There was no delivery of malware to a computer. There was no spam or phishing.  There was no link to click, and no attachment to open.  They were delivered through trusted software, critical to everyday business operations.

If these threats were not detectable – were not knowable – could they be stopped?   Are they inevitable?

In the case of SolarWinds and Kaseya, the malware was introduced through the IT department – those specifically responsible for watching for the safety of the network.

 

With Teqworks Advanced Threat Protection cybersecurity solution, these Next Generation threats can be prevented before they wreak havoc on your business, and recovery is possible without paying a ransom. Reach out to us to avoid the painful process of recovering from an attack that can bring your entire business to its knees.

Stay tuned for the upcoming article Part V: Targets Prediction and Behaviors Detection

Scroll to Top