
Attacks/Breaches

7/25/2019
05:25 PM

Russian Threat Group May Have Devised a 'Man-on-the-Side' Attack

Data from an intrusion last year suggests Iron Liberty group may have a new trick up its sleeve, Secureworks says.

Iron Liberty, a Russia-based cyber espionage group known for targeting energy, nuclear, and defense organizations worldwide, may have developed a dangerous new technique called a "man-on-the-side" attack.

Secureworks warned about the new threat in a report this week describing a "man-on-the-side" (MOTS) attack used to install malware. The security firm says MOTS differs from a typical man-in-the-middle (MITM) attack.

"The difference between MITM and MOTS is straightforward," says Don Smith, senior director of the Counter Threat Unit at Secureworks. "With MITM, the attacker is present on infrastructure the traffic is traversing and can tamper with it," he says. "With MOTS, the attacker has sufficient access to observe and inject traffic which through timing/bandwidth is consumed by the victim before the legitimate reply arrives."

The security vendor's theory is based on its analysis of a campaign last year where Iron Liberty actors managed to install a malware tool called Karagany on a target system without leaving any trace of how they did it. According to Secureworks, its research showed no evidence of a phishing email, drive-by-download, or a malicious link being used to drop the malware on the system.

Secureworks' forensic analysis showed that Karagany was installed on the system shortly after its user initiated a legitimate request to download Adobe Flash over HTTP from Adobe's official website. Logs showed that Karagany was installed in the short window between when the user request was initiated and when the Adobe file was downloaded.

Secureworks found that Karagany files were dropped on the system just 20 seconds after the initial Flash Player binary was downloaded, and by 27 seconds, additional malicious files had been downloaded to the system.

Multiple Explanations

"There are several credible explanations for how the Karagany payload was delivered alongside the Adobe installer file," Secureworks said in its report. But none of them appeared very likely in this case, the company said.

For example, the malware could have been downloaded if Adobe's website had been compromised. But Secureworks' investigation showed no indication that such a thing had happened during the compromise timeframe.

Another possibility was that someone with access to the victim organization's internal or gateway systems had intercepted and manipulated traffic between Adobe and the infected system in a typical MITM attack. Here again, Secureworks was unable to find any signs that such activity had taken place. A third possibility, which Secureworks similarly deemed unlikely, was a Border Gateway Protocol (BGP) attack where the user's traffic was routed through attacker-controlled systems.

Instead, Secureworks believes the Iron Liberty actors likely compromised a router outside the victim organization and used it to intercept the Adobe installer request and return a Trojanized response.

"Being 100% clear, the traffic injection we saw in these cases could have come from Man on the Side or from Man in the Middle," Smith says. "We do not know how the fraudulent traffic was injected. [It] could have been router compromise or could have been traffic injection."

For enterprises, attacks like these are another reason not to implicitly trust anything on the Internet. Protecting against a man-on-the-side attack is no different from dealing with a man-in-the-middle attack, Smith says.

Some common mitigating tactics include using SSL encryption and checking the hashes of files that are downloaded from the Internet to make sure they match with the original file.

With a man-on-the-side attack, there are two parties trying to respond to the same request and the bad actor's goal is to get in first, Smith says.

The only way to detect such activity would be to monitor the sequence of packets arriving in response to a request and look for out-of-sequence packets that arrive and are likely discarded. "You need to be extremely well instrumented to detect it," Smith says.
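The detection approach Smith describes, as an added illustration that is not part of the Secureworks report or this article: in a man-on-the-side race, the client accepts whichever reply reaches it first and drops the later copy as a duplicate, so a passive sensor can flag a TCP flow in which two segments cover the same sequence range with different bytes. The packet records below are constructed sample data; the flow layout and field names are assumptions.

```python
# Constructed server->client TCP segments for one flow, as a passive sensor
# might record them: (arrival_time_s, tcp_seq, payload). Sample data only.
EARLY_REPLY = b"HTTP/1.1 200 OK\r\nX-Origin: early\r\n\r\n"
LATE_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n"
BODY_CHUNK = b"MZ" + b"\x90" * 30

CONSTRUCTED_FLOW = [
    # First answer to the client's request: it wins the race and is accepted.
    (0.012, 1000, EARLY_REPLY),
    # The real server's answer, same sequence number, different bytes. The
    # client has already ACKed seq 1000, so this copy is silently dropped.
    (0.040, 1000, LATE_REPLY),
    (0.041, 1000 + len(LATE_REPLY), BODY_CHUNK),
    # A genuine retransmission repeats identical bytes; must not be flagged.
    (0.300, 1000 + len(LATE_REPLY), BODY_CHUNK),
]


def find_conflicting_segments(packets):
    """Compare every segment against earlier ones in the same flow.

    Overlapping sequence space with identical bytes is a benign
    retransmission. Overlapping sequence space with *different* bytes means
    two parties answered the same request, the man-on-the-side signature.
    Returns (conflicts, retransmission_count).
    """
    seen = []
    conflicts = []
    retransmissions = 0
    for t, seq, payload in sorted(packets, key=lambda p: p[0]):
        end = seq + len(payload)
        for t0, seq0, payload0 in seen:
            lo = max(seq, seq0)
            hi = min(end, seq0 + len(payload0))
            if lo >= hi:
                continue  # no shared sequence space
            if payload[lo - seq:hi - seq] == payload0[lo - seq0:hi - seq0]:
                retransmissions += 1
            else:
                conflicts.append({
                    "seq": lo, "end": hi,
                    "first_at": t0, "later_at": t,
                    "gap_s": round(t - t0, 4),
                })
        seen.append((t, seq, payload))
    return conflicts, retransmissions


if __name__ == "__main__":
    found, retx = find_conflicting_segments(CONSTRUCTED_FLOW)
    print(f"conflicting segments: {found}; benign retransmissions: {retx}")
```

On the sample flow this reports one conflict at seq 1000 (the dropped legitimate reply arriving 28 ms after the one the client accepted) and one benign retransmission; the same overlap test works on any flow where a sensor captures both copies.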


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

tdsan, User Rank: Ninja, 7/27/2019 | 2:26:33 PM
Ways to address the MOTS issue

"The difference between MITM and MOTS is straightforward," says Don Smith, senior director of the Counter Threat Unit at Secureworks. "With MITM, the attacker is present on infrastructure the traffic is traversing and can tamper with it," he says. "With MOTS, the attacker has sufficient access to observe and inject traffic which through timing/bandwidth is consumed by the victim before the legitimate reply arrives."

Wouldn't it be better to implement IPv6 and utilize its capabilities? It has a number of advantages that IPv4 does not:
  • IPv6 can run end-to-end encryption
  • Widespread adoption of IPv6 will, therefore, make man-in-the-middle attacks significantly more difficult
  • IPv6 also supports more-secure name resolution

Also, why not implement ways to block countries? This can be done using Powershell and IPtables/UFW; the user would have to do it from an ingress and egress standpoint. I would think this would be a way to mitigate this issue because the payload could not be downloaded from "Command and Control".

Something to think about.

Todd