
Commentary | Attacks/Breaches
12/4/2014 10:00 AM
By Adam Firestone
Why ‘Regin’ Malware Changes Threatscape Economics

Never before have attackers been able to deploy a common malware platform and configure it as necessary with low-cost, quick-turnaround business logic apps.

Recently, Symantec and Kaspersky Lab released research on an advanced persistent threat (APT) dubbed Regin. Symantec focused on the software’s technical sophistication, its use as an espionage tool, and indications of nation-state origins. Kaspersky concentrated on victimology, the attackers’ objectives, and the compromise of at least one cellular communications network. Impressive (or terrifying, depending on your point of view) as these attributes are, Regin’s real impact on the threatscape is programmatic in nature: Regin fundamentally shifts the economics and timelines of APT development and deployment in the attackers’ favor.

Unlike earlier APTs, Regin is not a self-contained software package. It’s an evolutionary design that mirrors broader trends in software engineering. Historically, software was built as a monolith: each application was fully encapsulated and independent of every other, and contained all the logic needed for every function it performed. Monolithic applications might run reliably, but they were neither easy nor cheap to adapt and maintain. Because their components were tightly coupled, a minor change in one part of the codebase often rippled into others, forcing lengthy and costly rounds of regression testing, repair, and re-engineering. And because each monolith was specialized, its components were rarely reusable in other development projects.

The answer to monolithic architecture’s inherent shortcomings was modular software architecture. Here, a program’s functionality is divided along logical boundaries into discrete, interchangeable components, each of which executes a specific part of the overall functionality. Typically, modules use well-defined standards to communicate. As long as compliance with the standard is maintained, a module’s internal mechanics can be modified, or the entire module swapped out with another, without affecting the program’s overall functionality. For conceptual purposes, think of Lego® bricks. As long as the studs on top and the hollows on the bottom (the interfaces) are of the proper dimensions, the bricks will snap together, regardless of internal composition or external shape.

It’s all about SOA
The most sophisticated and versatile instantiation of the modular architecture concept is found in a class of products known as service oriented architecture (SOA) middleware platforms. These platforms provide application developers with a set of composable infrastructure components that manage critical functionality between the specific business logic the developer is seeking to implement and the data on which the logic is acting. The platform’s components may provide a combination of capabilities such as (but not limited to) data transport, transformation and mediation, asynchronous communication, data access, identity management, data analytics, application execution, and real-time event processing and analysis.

Developers take advantage of SOA middleware platforms by using them to create versatile and reusable application infrastructures. If properly designed and implemented, an application infrastructure is agnostic to both the business logic that it supports and the data that it processes. As a result, the same infrastructure that is used to support a cellular telephone network can form the basis for a military command-and-control application or an automated concert venue ticketing capability. All that needs to be created are the specific business application modules and data sources. While neither of those is a trivial endeavor, they represent a far smaller resource investment (e.g., time, personnel, funding) than developing both the infrastructural and business logic every time a new capability is desired.

Regin, as Kaspersky and Symantec noted, is not a malware payload in and of itself. Rather, it is a malware platform onto which the attacker can deploy specific business logic to achieve mission objectives. In other words, unlike earlier generations of malware or espionage tools, Regin can be tailored after deployment to exploit targets of opportunity.

[Find out more about Regin in Newly Revealed Cyber Espionage Attack 'More Complex' Than Stuxnet, Flame.]

It’s worth a quick look at Regin’s architecture to see how this works. As the reports note, Regin loads in five stages. The fourth stage (called the dispatcher library by Kaspersky and the user framework by Symantec) is the core of the Regin framework: it manages the application programming interface (API) through which plug-ins integrate, along with communications, storage, and data transport. In middleware terms, this is Regin’s application infrastructure. The fifth stage (Kaspersky: plug-ins; Symantec: payload module) is a tailorable collection of business logic apps, ranging from keyloggers to email message extractors and cellular network command-and-control utilities.

Taking an architectural page from the SOA middleware book, Regin’s creators have fundamentally altered threatscape economics. Using Regin’s “malicious middleware” paradigm, attackers need not reinvent the wheel each time an APT is generated for a new target. Instead, they can deploy a common platform (Regin), and configure it as necessary with relatively low-cost, quick-turnaround business logic apps. This model provides tremendous economic and temporal efficiencies for the attacker that shorten decision cycle times, thus increasing difficulty for cyber defenders.
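The platform-plus-plugins design described in the preceding paragraphs, and the Lego-brick interface idea introduced earlier, is easy to see in miniature. The Python model below is an added example, not code from this article and not Regin’s own code; its Platform class, the plugin contract (a callable that takes a context dict and returns a string), and the two sample capabilities are assumptions made for illustration. It shows two things: adding a capability touches only a new plugin, and two deployments built on the same platform share an identical platform fingerprint, which is the layer a defender should key on.

```python
"""Toy model of a platform-plus-plugins design.

Added illustration only: this is not Regin's code and not from either vendor
report. The Platform class stands in for what the article calls the
application infrastructure (Regin's fourth stage); the small functions stand in
for fifth-stage business-logic apps. The plugin interface, names and sample
contexts are all assumptions made for this example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The fixed contract: a plugin is any callable taking a context dict and
# returning a string. This is the "studs and hollows" of the Lego analogy.
Plugin = Callable[[Dict[str, str]], str]


@dataclass
class Platform:
    """Infrastructure layer: plugin registry, dispatch, storage, outbound queue."""

    plugins: Dict[str, Plugin] = field(default_factory=dict)
    storage: Dict[str, str] = field(default_factory=dict)
    outbound: List[str] = field(default_factory=list)

    def register(self, name: str, plugin: Plugin) -> None:
        """Snap a new brick onto the platform; nothing else has to change."""
        self.plugins[name] = plugin

    def dispatch(self, name: str, context: Dict[str, str]) -> str:
        """Run one plugin, persist its result, and queue it for transport."""
        result = self.plugins[name](context)
        self.storage[name] = result
        self.outbound.append(f"{name}={result}")
        return result

    @staticmethod
    def fingerprint() -> str:
        """Hash of the platform's own bytecode, independent of loaded plugins.

        The point for defenders: every deployment built on this platform shares
        this value, however different their plugin sets are."""
        code = b"".join(
            getattr(Platform, m).__code__.co_code for m in ("register", "dispatch")
        )
        return hashlib.sha256(code).hexdigest()


# Two interchangeable business-logic modules (hypothetical capabilities).
def collect_hostname(context: Dict[str, str]) -> str:
    return context.get("hostname", "")


def list_mailboxes(context: Dict[str, str]) -> str:
    boxes = [b for b in context.get("mailboxes", "").split(";") if b]
    return ",".join(sorted(boxes))


def build_deployment(plugin_set: Dict[str, Plugin]) -> Platform:
    """One target-specific deployment = the common platform plus a chosen plugin set."""
    platform = Platform()
    for name, plugin in plugin_set.items():
        platform.register(name, plugin)
    return platform


def deployment_diff(a: Platform, b: Platform) -> Dict[str, object]:
    """Compare two deployments: which layer actually differs?"""
    return {
        "platform_same": a.fingerprint() == b.fingerprint(),
        "plugins_only_in_a": sorted(set(a.plugins) - set(b.plugins)),
        "plugins_only_in_b": sorted(set(b.plugins) - set(a.plugins)),
    }


if __name__ == "__main__":
    # Constructed sample deployments: same platform, different business logic.
    target_one = build_deployment({"hostname": collect_hostname})
    target_two = build_deployment(
        {"hostname": collect_hostname, "mail": list_mailboxes}
    )
    print(target_one.dispatch("hostname", {"hostname": "workstation-17"}))
    print(target_two.dispatch("mail", {"mailboxes": "ops;finance;ceo"}))
    print(deployment_diff(target_one, target_two))
```

Running the file builds two deployments with different plugin sets and reports that only the plugin layer differs. That is the mirror image of the economics described above: the reuse that saves the attacker time also hands the defender a constant to hunt for, provided detection targets the framework rather than any single payload.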

By technically addressing the programmatic and economic side of the malware development lifecycle, Regin represents a leap forward in sophistication, planning, and effectiveness. Extensible, composable, and modular malware, it seems, is here to stay. Defenders, up your game.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments
Marilyn Cohodas, User Rank: Strategist, 12/5/2014 | 9:56:01 AM
Re: A whitelisting policy in your future
"Regin" certainly raises the stakes for enterprise security. Raising awareness is obviously the first step, but the challenges necessary to defeat these advanced threats are daunting, to say the least...
aws0513, User Rank: Ninja, 12/5/2014 | 8:55:04 AM
A whitelisting policy in your future
It is new threats like this that give me more ammunition to fight for comprehensive application whitelisting policies and procedures for our enterprise.
I believe that whitelisting of application and code execution will become the new normal practice for most organizations in the not so distant future simply because of the new technical tactics demonstrated by the Regin exploitation platform.

Great article - including the reference article by Kelly Jackson Higgins.
ChrisR796, User Rank: Apprentice, 12/4/2014 | 7:45:44 PM
Mal-middleware
Excellent post, thanks.

Doesn't the common architecture/codebase also allow security vendors to deploy protections for Regin-based malware?

I know I'm missing something, seems far too simple.