Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/14/2017
02:19 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cloud AV Can Serve as an Avenue for Exfiltration

Black Hat USA researchers show how bad guys can use cloud AV connections to bypass air-gaps and extremely segmented networks to keep stolen data flowing.

Over the past few years, security researchers have been drawing increasing attention to the fact that under the right circumstances security products could potentially be used to attack the very machines they're meant to protect. For the most part, the body of work on this front tends to fixate on authentication bypasses and attack techniques early in the attack lifecycle. 

Later this month at Black Hat USA in Las Vegas, a pair of researchers will show that security product vulnerabilities can be leveraged late in an attack as well. Vulnerable cloud antivirus products can not only be used to get attackers in to a target network, they can also be used to get stolen data out. In their The Adventures of AV and the Leaky Sandbox talk, the researchers will demonstrate how cloud-enhanced AV agents can be used as a vehicle for exfiltration on very secure and isolated endpoints.

Amit Klein, vice president of security research for SafeBreach, and Itzik Kotler, co-founder and CTO, dug into their research to challenge the assumption that there's no downside to moving to AV systems that leverages the cloud to incorporate up-to-date intelligence from multiple sources. They found that it's possible to subvert the Internet connection of AV products that use in-the-cloud sandbox technology to turn it into a rogue connection for getting stolen data off the target's network and onto the criminal's server.  

This can be a very powerful attack tool against enterprises that have enforced strong controls through egress filtering, whitelisting, and even airgaps with no other Internet connections.

Klein and Kotler plan to also release at Black Hat a tool to carry out their new technique, and they'll offer evidence about how a number of prominent AV products fared against the new attack. Klein says that even before digging into the troubling issues of insecure security products opening new lines of attack, the even more important lesson is to consider every possible angle of attack when it comes to the bad guys filching data from systems.

"Exflitration from the enterprise can take some very surprising and unexpected forms. With that in mind, security personnel should consider all possible ways of data to leave the enterprise and analyze them as potential exfiltration vectors," he says. " In our particular case it was the connection between AV agents and their cloud servers, but there are many other ways, to be sure."

As Klein explains, security product vulnerabilities are hardly a new phenomenon. For example, just last year at Black Hat, two researchers from enSilo presented techniques that leverage flaws in AV hooking engines to start an attack by bypassing ASLR protections in 32-bit and 64-bit systems.

In addition to Klein and Kotler's presentation, there will be a couple other new findings presented at Black Hat that show how attackers can break the mathematical engines that govern machine-learning based detection models. In one presentation, researchers at the Intel Science & Technology Center for Adversary-Resilient Security Analytics (ITSC-ARSA) at Georgia Tech will demo a tool they call AVPASS that can effectively spy on Android anti-malware detection models and manipulate malicious apps' APKs in such a way that it can disguise Android malware from the security software

Klein says all of this research should get practitioners to keep in mind that security products are very appealing attack targets.

"They usually have high privileges in the operating system on which they run - typically they run with administrator rights - and visibility access to enterprise network traffic," he says. "They also employ complex logic, interacting with a lot of file formats, protocols, and operating system features. This complexity translates into a broad attack surface."

As such, it's incumbent upon CISOs and other practitioners to stay on top of new research about this field and keep the pressure up on their vendors to keep their security tools hardened from attack. 

"I'm pretty sure that once vendors feel the pressure from major customers, their response time will improve, and they will also invest more time in internal research to predict and circumvent yet-unknown attacks," he says.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8071
PUBLISHED: 2019-10-17
Adobe Download Manager versions 2.0.0.363 have an insecure file permissions vulnerability. Successful exploitation could lead to privilege escalation.
CVE-2019-10752
PUBLISHED: 2019-10-17
Sequelize, all versions prior to version 4.44.3 and 5.15.1, is vulnerable to SQL Injection due to sequelize.json() helper function not escaping values properly when formatting sub paths for JSON queries for MySQL, MariaDB and SQLite.
CVE-2019-12611
PUBLISHED: 2019-10-17
An issue was discovered in Bitdefender BOX firmware versions before 2.1.37.37-34 that affects the general reliability of the product. Specially crafted packets sent to the miniupnpd implementation in result in the device allocating memory without freeing it later. This behavior can cause the miniupn...
CVE-2019-13657
PUBLISHED: 2019-10-17
CA Performance Management 3.5.x, 3.6.x before 3.6.9, and 3.7.x before 3.7.4 have a default credential vulnerability that can allow a remote attacker to execute arbitrary commands and compromise system security.
CVE-2019-15626
PUBLISHED: 2019-10-17
The Deep Security Manager application (Versions 10.0, 11.0 and 12.0), when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability.