
JavaScript Malware Strikes Firewalls

It's a security hole no one knows how to fix, except by degrading Web browsing to little more than a text-based experience

2:00 PM -- In the beginning, there was application security.

All ports were open to the world and practically every application had holes in it. It was like the Wild West. Eventually application security became a big deal as more serious issues were uncovered and more commerce depended upon secure platforms.

Network security was next on the scene. It made sense to build a single choke point for all security needs. It was slick because it could see all the packets in transit to and from your servers, and turn off all access to anything that had a known hole in it. Those were the good times. Times have since changed.

Network security itself had a large role in creating the newest attacks. Network administrators rightly told their architects to build applications that could be tunneled over HTTP, while at the same time closing down all inbound access to any other unnecessary service. Can you see the obvious flaw in that logic?

Even so, aside from the occasional hole in IMAP or BIND, the world of computer security seemed to be calming down quite a bit with the advent of stateful packet inspection and security information management tools. Most of the holes at that time were against the security tools themselves, which most of the hardcore security folks felt was scraping the bottom of the barrel -- the last bunch of entry points into a secured network.

Now there is a new emerging threat: JavaScript malware. Coined by Jeremiah Grossman of WhiteHat Security, JavaScript malware is a concept we have been working on for nearly a year that defeats firewalls completely. To be frank, it's the one security hole no one has figured out how to fix yet without degrading your browsing experience back into the text-based dark ages.

Traditionally every firewall allows one thing by default: outbound access to any Web server on earth. That Web server can either be under the attacker's control or have a cross-site scripting vulnerability in it. When a user inside a corporate LAN visits the malicious Web page, that Web page starts making requests to internal devices behind your firewall.

The first thing the malware does is attempt to locate any machine that responds. Once it does that, it attempts to fingerprint the machine for anything that might tell the attacker more (such as which Web server it is running, which might have default configuration issues, or an outdated version of an open source package with a remote file include hole built into it). Using that as a stepping stone, the malware attempts to execute commands against the intranet machine on the user's behalf, from inside your network. If the attack is successful, the machine behind the firewall is compromised.

It has a higher chance of being successful than on the Internet because rarely do corporations patch up internal machines. I mean, why would a company bother to secure its intranet portal? It's just an intranet server and not Web-accessible, right? That's true in principle, but very wrong in practice.

As a side note, most companies alias their portal to something like http://intranet/YourCompanyNameHere, making the attacker's job extremely easy. This even shortcuts having to scan IP ranges, since it's a single, easily guessed name.
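The requests described above arrive at the intranet server from an employee's browser, but they are driven by a page on an external site, and the browser carries that page's URL as the Referer. The following is an added detection example, not code from the column or from WhiteHat Security: it parses constructed combined-format access log lines from an intranet Web server, flags requests whose Referer names a host outside the intranet, and groups them by client to surface a single workstation being walked across many paths. The hostnames, IP addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hostnames under which the intranet server is legitimately reached (constructed example values).
INTERNAL_HOSTS = {"intranet", "intranet.example.local"}

def referer_host(referer):
    """Lowercase hostname from a Referer value, or None when it is absent ("-") or unparseable."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def flag_external_referers(lines, internal_hosts=INTERNAL_HOSTS):
    """Return (client, path, status, referer_host) for entries whose Referer names a host outside
    the intranet. A missing Referer is deliberately not flagged: browsers and proxies strip it,
    so its absence proves nothing either way."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host = referer_host(m["referer"])
        if host is not None and host not in internal_hosts:
            hits.append((m["client"], m["path"], int(m["status"]), host))
    return hits

def clients_probing_many_paths(hits, threshold=3):
    """Group flagged entries by client; one browser hitting several distinct paths on the
    intranet server from an external origin looks like scripted probing, not a clicked link."""
    paths = defaultdict(set)
    for client, path, _status, _host in hits:
        paths[client].add(path)
    return {c: sorted(p) for c, p in paths.items() if len(p) >= threshold}

# Constructed sample log: one workstation driven by an external page, two ordinary internal requests.
SAMPLE_LOG = [
    '10.1.2.3 - - [05/Oct/2006:14:02:11 -0700] "GET / HTTP/1.1" 200 512 "http://evil.example/lure.html" "Mozilla/5.0"',
    '10.1.2.3 - - [05/Oct/2006:14:02:12 -0700] "GET /login HTTP/1.1" 404 210 "http://evil.example/lure.html" "Mozilla/5.0"',
    '10.1.2.3 - - [05/Oct/2006:14:02:12 -0700] "GET /status HTTP/1.1" 403 199 "http://evil.example/lure.html" "Mozilla/5.0"',
    '10.1.2.9 - - [05/Oct/2006:14:03:40 -0700] "GET /hr/holidays.html HTTP/1.1" 200 4096 "http://intranet/" "Mozilla/5.0"',
    '10.1.2.7 - - [05/Oct/2006:14:04:01 -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Running `clients_probing_many_paths(flag_external_referers(SAMPLE_LOG))` on the sample returns only the 10.1.2.3 workstation with its three probed paths; the request with no Referer is left alone, which is the trade-off the docstring notes.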

After scanning a corporate intranet, the next step is to execute commands on the machines the malware does find, for the eventual purpose of gaining access to internal machines. On a compromised machine, the attacker will most likely run a series of commands to gain higher and more permanent access, and that machine could then communicate back to a command-and-control node over IRC, in the same way all botnets do.

The corporate firewall is helpless to protect against this sort of attack. Researchers, myself included, are looking into clever ways to fix the issue, but for now the only fix is to isolate users from all machines on the corporate LAN. Hopefully there will be much more on this to follow. In the meantime, a text-based world isn't looking so bad after all, huh?

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
