10/12/2017
03:35 PM

Kaspersky Lab and the AV Security Hole

It's unclear what happened in the reported theft of NSA data by Russian spies, but an attacker would need little help to steal if he or she had privileged access to an AV vendor's network, security experts say.

With Moscow-based Kaspersky Lab under the gun for its software reportedly helping Russian cyberspies steal classified US data, some security experts say the same sort of theft the company is alleged to have enabled could have been pulled off using any other antivirus software, and without any vendor participation.

The Wall Street Journal on Wednesday cited knowledgeable sources as saying that Kaspersky Lab actively modified its anti-virus system so Russian agents could use it as a tool to search through and steal from computers running the vendor's software.

The WSJ report was the latest twist in a rapidly evolving and sometimes bizarre story involving Kaspersky Lab, Israeli intelligence agents, Russian cyber spooks, and the US government. The WSJ was the first to break the story when it reported last week that in 2015 Russian agents had used Kaspersky Lab's systems and network to steal highly classified material from the computer of a contractor who worked for the US National Security Agency (NSA).

In separate subsequent reports, the WSJ, New York Times, and Washington Post said the Russian hackers had used Kaspersky Lab's systems and network to search through computers worldwide that had the AV vendor's software installed on them. The Russian cyberspies were apparently looking to see if they could find and pilfer from systems containing data on classified US government programs.

Those searches, which involved the use of specific keywords such as "Top Secret" and "Classified," eventually led them to an Internet-connected home computer of an NSA contractor that happened to be running Kaspersky's antivirus software. The home computer contained highly sensitive data on NSA penetration testing and cyber offense tools stored in complete violation of the agency's rules. It remains unclear at this point if the Russian spies succeeded in finding and stealing additional classified US government information from any other computers running Kaspersky's AV software.

None of the stories makes it explicitly clear whether the Russian cyberspies gained access to Kaspersky's network by breaking into it, whether the Russian government coerced the vendor into granting them access, or whether the vendor helped voluntarily.

Many believe it is easily possible the Russian government forced Kaspersky Lab to provide access to its platform. It wouldn't be the first time that a government has done something like this: Most famously, the NSA itself is alleged to have paid $10 million to RSA so it could install backdoors in the vendor's encryption technology.

Interestingly, the NSA data theft and the Russian hacker activity on Kaspersky's network was first spotted by a team of Israeli intelligence agents who had also managed to silently infiltrate the security vendor's network sometime in 2014. When the Israeli agents observed what was going on with Kaspersky's network, they tipped off US officials about it sometime in 2015 and warned about classified NSA data ending up in the hands of Russian intelligence.

That tip-off is believed to have eventually led to the US government's decision earlier this year to remove Kaspersky Lab from its approved list of IT vendors and to ban government agencies from using the company's software altogether. It is unclear if the mushrooming scandal around the company's technologies could now prompt US businesses and even consumers to start ditching the company's software, which has consistently ranked among the top AV products for several years.

Kaspersky Lab itself discovered the Israeli intrusion in mid-2015. In a June 2015 report, the company said it was the victim of a highly sophisticated attack by a threat actor very similar to the one that had carried out the Stuxnet campaign on Iran's uranium processing facility in Natanz. Kaspersky Lab did not specifically identify Israeli agents as being behind the attack, but said it appeared designed to steal data about the company's technologies and ongoing research.

The security company has emphatically denied it has anything to do with the Russian hacking activity on its networks and has suggested the company is the victim of a hyper-charged geo-political environment.

"Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question," the vendor said in a statement responding to Wednesday's WSJ story about its alleged complicity in the data theft. "The company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems."

Meanwhile, Kaspersky Lab on Thursday announced an extension to its work with Interpol, with the signing of a threat-sharing agreement with the global law enforcement agency. The agreement strengthens an existing relationship between the two organizations and will result in Kaspersky sharing even more threat intelligence with law enforcement authorities worldwide in their fight against cybercrime, the company said.

The company's previous engagements with Interpol included participation in an operation that led to the takedown of nearly 9,000 botnet command and control servers and hundreds of compromised websites.

AV Software Has 'Carte Blanche'

The reality is the sort of data theft in the Kaspersky Lab case would have been possible with any AV vendor if an attacker had managed to surreptitiously gain privileged access to the AV vendor's network.

Antivirus tools and their vendors pretty much have carte blanche access to files and data on any computer on which the software is installed, says Srinivas Mukkamala, CEO of RiskSense. "It is checking all your binaries, your files, your memory. It is looking at your registry and diagnosing everything on your system in a privileged mode."

Systems running AV software routinely get updates from update servers and push files out to the AV vendor's cloud for inspection, without any checks or inspection at all, he says. Technically at least, someone who wanted to abuse the tool could do anything, including search for and exfiltrate data from systems, with little risk of being caught, Mukkamala says.

In Kaspersky Lab's case, for instance, if someone had managed to gain privileged access to the company's update server farm they would have been able to do the sort of searching, querying, and stealing that the company is suspected of enabling. Given enough time, the intruders would have been able to scan end user systems running Kaspersky's software and pilfer data from them without needing any help from the vendor, he says.

The same thing would be true in any situation where attackers can get privileged and persistent access to an antivirus software vendor's network, he says. Of course, a vendor like Kaspersky Lab can, either by choice or through coercion, make such data theft easier, Mukkamala says.

With time and the necessary skills, an adversary would have been able to exploit any AV vendor's network in the same way without necessarily being detected by the vendor.

"If Kaspersky was compromised by the Russian government, then it might be possible, technically, for Russian collection from Kaspersky to go undetected," says Malcolm Harkins, chief security and trust officer at Cylance. "We don't know if that is what happened." 

Harkins notes the speculation in media reports about Kaspersky Lab allegedly modifying its software in order to make things easier for the Russian agents on its network. "Again, we don’t know if this is accurate," he notes.

"In general, AV companies are attractive targets for compromise by foreign intelligence services partly because, in theory at least, modifications aren’t really necessary," Harkins said. "AV companies are often already looking for exactly the kind of data that would be attractive to intelligence services."

Scott Petry, CEO and founder of Authentic8, says the whole incident has exposed a fundamental weakness in current approaches to cybersecurity. When someone signs up with an AV vendor, they are essentially agreeing to have that vendor scan all files on their network and send information back to the vendor.

"A security vendor is inventorying all the data on a user’s system," he says. Sharing all that sensitive information with the vendor is dangerous, he says. "Scanning files is required. Sharing a manifest of scanned files with the vendor for better security is asinine," Petry says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

Olaf Barheine, User Rank: Apprentice
10/13/2017 | 1:03:14 PM
IMHO
Maybe former Mozilla developer Robert O'Callahan was right when he suggested at the beginning of this year to use no antivirus software at all. Antivirus software is only software as well and therefore full of errors, errors which can be used by hackers in order to get access deep into the system.