
12/4/2014 10:00 AM
Adam Firestone
Commentary

Why Regin Malware Changes Threatscape Economics

Never before have attackers been able to deploy a common malware platform and configure it as necessary with low-cost, quick-turnaround business logic apps.

Recently, Symantec and Kaspersky Lab released research on an advanced persistent threat (APT) dubbed Regin. Symantec focused on the software’s technical sophistication, its use as an espionage tool, and indications of nation-state origins. Kaspersky concentrated on victimology, the attackers’ objectives, and the compromise of at least one cellular communications network. Impressive (or terrifying, depending on your point of view) as these attributes are, Regin’s real impact on the threatscape is programmatic in nature: Regin fundamentally shifts the economics and timelines of APT development and deployment in the attackers’ favor.

Unlike other APTs, Regin is not a self-contained software package. It’s an evolutionary design, mirroring general software design trends. Historically, software was developed in a monolithic manner. Applications were completely encapsulated and independent from other applications. They contained all the logic necessary to complete any function required. While they might function reliably, monolithic applications were neither easy nor inexpensive to adapt and maintain. Due to their tightly coupled architecture, a minor change in one portion of the codebase often had an impact on other components. This resulted in lengthy and costly regression testing, repair, and re-engineering phases. Additionally, because of its specialized nature, a monolithic program’s components were generally difficult to reuse in other development projects.

The answer to monolithic architecture’s inherent shortcomings was modular software architecture. Here, a program’s functionality is divided along logical boundaries into discrete, interchangeable components, each of which executes a specific part of the overall functionality. Typically, modules use well-defined standards to communicate. As long as compliance with the standard is maintained, a module’s internal mechanics can be modified, or the entire module swapped out with another, without affecting the program’s overall functionality. For conceptual purposes, think of Lego® bricks. As long as the studs on top and the hollows on the bottom (the interfaces) are of the proper dimensions, the bricks will snap together, regardless of internal composition or external shape.

It’s all about SOA
The most sophisticated and versatile instantiation of the modular architecture concept is found in a class of products known as service-oriented architecture (SOA) middleware platforms. These platforms provide application developers with a set of composable infrastructure components that manage critical functionality between the specific business logic the developer is seeking to implement and the data on which the logic acts. The platform’s components may provide a combination of capabilities such as (but not limited to) data transport, transformation and mediation, asynchronous communication, data access, identity management, data analytics, application execution, and real-time event processing and analysis.

Developers take advantage of SOA middleware platforms by using them to create versatile and reusable application infrastructures. If properly designed and implemented, an application infrastructure is agnostic to both the business logic that it supports and the data that it processes. As a result, the same infrastructure that is used to support a cellular telephone network can form the basis for a military command-and-control application or an automated concert venue ticketing capability. All that needs to be created are the specific business application modules and data sources. While neither of those is a trivial endeavor, they represent a far smaller resource investment (e.g., time, personnel, funding) than developing both the infrastructural and business logic every time a new capability is desired.
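To make the "agnostic infrastructure" idea concrete, here is an added toy example (not code from the article, from Regin, or from any vendor report) of a platform whose transport, transformation and business-logic modules sit behind fixed interfaces. The same Platform class runs a constructed ticketing workload and a constructed call-billing workload; only the plugged-in modules change. All module names and sample records are invented for the illustration.

```python
"""Added example: a minimal SOA-style platform with swappable modules.
The Platform knows only the three interfaces below (the Lego 'studs');
any module that honours an interface can be snapped in without touching
the platform. Sample inputs are constructed for this illustration."""
from abc import ABC, abstractmethod
import json
from typing import Any, Dict, Iterable, List

Record = Dict[str, Any]


class Transport(ABC):
    """Interface: how records reach the platform."""

    @abstractmethod
    def receive(self) -> Iterable[Record]:
        ...


class Transform(ABC):
    """Interface: a mediation step applied to every record."""

    @abstractmethod
    def apply(self, record: Record) -> Record:
        ...


class BusinessLogic(ABC):
    """Interface: the application-specific module."""

    @abstractmethod
    def handle(self, record: Record) -> Any:
        ...


class Platform:
    """Reusable infrastructure: agnostic to data source and business logic."""

    def __init__(self, transport: Transport, transforms: List[Transform],
                 logic: BusinessLogic) -> None:
        self.transport = transport
        self.transforms = transforms
        self.logic = logic

    def run(self) -> List[Any]:
        results = []
        for record in self.transport.receive():
            for step in self.transforms:      # mediation pipeline
                record = step.apply(record)
            results.append(self.logic.handle(record))
        return results


# --- interchangeable modules (hypothetical names) -----------------------

class JsonLinesTransport(Transport):
    """Parses newline-delimited JSON text."""

    def __init__(self, text: str) -> None:
        self.text = text

    def receive(self) -> Iterable[Record]:
        for line in self.text.splitlines():
            if line.strip():
                yield json.loads(line)


class ListTransport(Transport):
    """Same interface, different internals: records already in memory."""

    def __init__(self, records: List[Record]) -> None:
        self.records = records

    def receive(self) -> Iterable[Record]:
        return iter(self.records)


class LowercaseKeys(Transform):
    """Normalises field names so business logic sees one schema."""

    def apply(self, record: Record) -> Record:
        return {k.lower(): v for k, v in record.items()}


class TicketingLogic(BusinessLogic):
    """Business logic #1: reserve seats, reject orders over capacity."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.sold = 0

    def handle(self, record: Record) -> Any:
        if self.sold + record["seats"] > self.capacity:
            return ("rejected", record["order"])
        self.sold += record["seats"]
        return ("reserved", record["order"])


class CallBillingLogic(BusinessLogic):
    """Business logic #2: bill call minutes at a flat per-minute rate."""

    RATE_CENTS = 5

    def handle(self, record: Record) -> Any:
        return (record["subscriber"], record["minutes"] * self.RATE_CENTS)


# Constructed sample inputs (not real data).
TICKET_ORDERS = '{"Order": 1, "Seats": 3}\n{"Order": 2, "Seats": 2}\n{"Order": 3, "Seats": 1}\n'
CALL_RECORDS = [{"Subscriber": "A", "Minutes": 4}, {"Subscriber": "B", "Minutes": 10}]


def run_ticketing() -> List[Any]:
    """Same Platform, ticketing modules plugged in."""
    return Platform(JsonLinesTransport(TICKET_ORDERS), [LowercaseKeys()],
                    TicketingLogic(capacity=4)).run()


def run_billing() -> List[Any]:
    """Same Platform, billing modules plugged in (and a different transport)."""
    return Platform(ListTransport(CALL_RECORDS), [LowercaseKeys()],
                    CallBillingLogic()).run()


if __name__ == "__main__":
    print(run_ticketing())
    print(run_billing())
```

The point of the design is that Platform.run never changes: to move from ticketing to billing you write only the new BusinessLogic module (and, if the data arrives differently, a new Transport), which is exactly the smaller investment the paragraph above describes.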

Regin, as Kaspersky and Symantec noted, is not a malware payload in and of itself. Rather, it is a malware platform onto which the attacker can deploy specific business logic to achieve mission objectives. In other words, unlike earlier generations of malware or espionage tools, Regin can be tailored after deployment to exploit targets of opportunity.

[Find out more about Regin in Newly Revealed Cyber Espionage Attack 'More Complex' Than Stuxnet, Flame.]

It’s worth a quick look at the Regin architecture to see how this works. As noted in the reports, Regin loads in five stages. Of these, the fourth stage (called the dispatcher library by Kaspersky and the user framework by Symantec) is the core of the Regin framework, managing complex tasks such as the application programming interface (API) supporting plug-in integration, communications, storage, and data transport. In middleware terms, this is Regin’s application infrastructure. Stage five (Kaspersky: Plug-ins, Symantec: Payload Module) is a tailorable collection of business logic apps, ranging from keyloggers to email message extractors and cellular network command and control utilities.

Taking an architectural page from the SOA middleware book, Regin’s creators have fundamentally altered threatscape economics. Using Regin’s “malicious middleware” paradigm, attackers need not reinvent the wheel each time an APT is generated for a new target. Instead, they can deploy a common platform (Regin) and configure it as necessary with relatively low-cost, quick-turnaround business logic apps. This model provides tremendous economic and temporal efficiencies for the attacker, shortening decision cycle times and making the cyber defender’s job correspondingly harder.

By technically addressing the programmatic and economic side of the malware development lifecycle, Regin represents a leap forward in sophistication, planning, and effectiveness. Extensible, composable, and modular malware, it seems, is here to stay. Defenders, up your game.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments
ChrisR796, User Rank: Apprentice, 12/4/2014 | 7:45:44 PM
Mal-middleware
Excellent post thanks.
Doesn't the common architecture/codebase also allow security vendors to deploy protections for Regin based malware?

I know I'm missing something, seems far too simple.
aws0513, User Rank: Ninja, 12/5/2014 | 8:55:04 AM
A whitelisting policy in your future
It is new threats like this that give me more ammunition to fight for comprehensive application whitelisting policies and procedures for our enterprise.
I believe that whitelisting of application and code execution will become the new normal practice for most organizations in the not so distant future simply because of the new technical tactics demonstrated by the Regin exploitation platform.

Great article - including the reference article by Kelly Jackson Higgins.
Marilyn Cohodas, User Rank: Strategist, 12/5/2014 | 9:56:01 AM
Re: A whitelisting policy in your future
"Regin" certainly raises the stakes for enterprise security. Raising awareness is obviously the first step, but the challenges necessary to defeat these advanced threats are daunting, to say the least...