Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/11/2019
10:30 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Your Sandbox Fails

The sandbox is an important piece of the security stack, but an organization's entire strategy shouldn't rely on its ability to detect every threat. Here's why.

Working in cybersecurity is like fighting crime in Gotham City. You spend your day squaring off against faceless villains with names like WannaCry, Petya, and Red October, who are constantly coming up with new tactics, technology, and gadgets to get the upper hand. Then, after a good, hard fight, you think you've won the day, only to see old adversaries pop up a few days or even years later — stronger, smarter, and a lot more sophisticated.

For example, an old nemesis returned earlier this year with a new trick up its sleeve. The Emotet banking Trojan, initially introduced in 2014, reappeared on our radar screen, this time with an interesting twist. This new version was an XML document with a .doc extension, allowing it to potentially avoid detection because most sandboxes require true file type. Even though the true file type is XML, it's opened in Word on the endpoint.

Once open in Word, the macro within the XML file spawns a PowerShell script that calls out to a second-stage URL to download the Emotet payload. The payload then enumerates a list of installed apps and checks disk volumes to determine whether it is in a sandbox. If it is, it stops execution and shuts down. In addition, Emotet has long sleep and delay mechanisms to hinder dynamic analysis techniques, which are used by sandboxes to detect malicious activity. Genius!

Other recent threats have used similar tactics to avoid detection by a sandbox. Bebloh, a generic banking Trojan first detected in 2009, recently re-emerged as a variant targeting Japanese users. This specific variant is delivered via webmail as an Excel attachment that includes a macro, which spawns a silent command shell. Interestingly, this variant of Bebloh checks the locale and country settings at each stage of execution.

At first, the macro stops execution and quits the Excel application if the locale setting does not match Japanese. Once the command shell is activated, a PowerShell script is spawned to fetch remote content from a URL pattern that looks like a RAR file but is actually another PowerShell script that contains an embedded base64-encoded and encrypted DLL. The key used to decrypt this DLL is generated based on the country code from the culture set in the operating system. Finally, the decrypted DLL is reflectively injected into memory by another process using PowerShell, and the entry point of the DLL is called to start the malware.

The upshot is that the location settings in a sandbox would have to be set to JP (the code for Japan) throughout the entire environment to detect this infection chain — a highly unlikely configuration scenario. Bebloh checks for system uptime and physical system characteristics, and stops execution if it detects it is in a sandboxed environment.

Phishing is another area where sandboxes fail, because detection is dependent on a file exhibiting malicious behavior. Attackers can leverage a simple PDF file containing a single link to a malicious sign-in form to avoid detection. Documents with a single Uniform Resource Identifier have a very low footprint for sandboxes to detect, and the short TTL domain leaves little evidence for post-event analysis or threat intelligence services.

Emotet, Bebloh, and PDF phishing attacks are worrisome for one very good reason. They use sophisticated — ingenious, really — techniques to avoid detection in a sandbox environment. Sandboxing has traditionally been used as a tried-and-true method for protecting users from web-based threats by quarantining malicious content before it reaches a user's device. In the past, this has been enough. Attacks have been detected and then placed into a sandbox environment, where they can be walled off from the network and analyzed for future remediations. Up until now, this strategy has worked well.

However, sandboxing relies on detection. If a threat is able to mask itself, shut itself down, or evade detection in some way, it pretty much has free rein to infect users' devices, enabling it to eventually make its way into the network and critical business systems. And that's a problem. In a detect-and-respond cybersecurity strategy, once a threat gets past the front gates, it's game over.

This evolution of threat tactics and technology is nothing new. Malware and other web-based attacks are constantly evolving to counter traditional cybersecurity solutions. It seems that for every step forward we make as an industry, threat actors have a countermeasure in hand almost immediately — making cybersecurity a constant back and forth on the front lines.

Network separation and web isolation are two alternatives to a cybersecurity strategy based solely on detection. These solutions simply remove any connection between users' machines and the public internet. Network separation prevents users from accessing the public Internet on any computer connected to the corporate network — often requiring users to rely on two computers. Web isolation allows web browsing but moves the fetch and execute commands off of endpoints and onto a remote isolation server on-site or in the cloud. Rather than trying to detect whether content is safe or risky, network separation and web isolation assume everything is risky and never allow the user to connect directly to the web. (In full disclosure, my company, Menlo Security, along with others in the industry, markets web isolation technology.)

The sandbox is still an important piece of the security stack, but an organization's entire strategy shouldn't be reliant on its ability to detect every threat. Even Batman needs to accept that some attacks are a given and that the best security strategy is to contain the threat, away from the citizens of Gotham, in such a way that they don't even know there was an attack!

Related Content:

 

 

 Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-­founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChadL196
50%
50%
ChadL196,
User Rank: Author
4/12/2019 | 12:55:18 PM
Sandbox evasion
Hi Kowsik,

Thanks for the read. Sandbox evasion is what we live and breathe. We've published our own work on that, and have dealt with the use cases you describe. Of course, some of it is dependant on the customer ensuring their analysis environment matches their own target environment. Hence we support gold images as analysis targets for ex. And tailoring of the localisation settings and VPN settings for outbound communication: https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-1/
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/11/2019 | 12:36:34 PM
On Time
State sponsored actors and hackers have one huge advantage - time.  And the ability to think.  All they do is think about ways to hack and break into systems being as innovative as this article indicates.  New will always happen and they time on their hands to do more wrong, hence their attacks increase in sophistication.  We shall always be 5 minutes behind them at the least.  WE have daily chores, work and fighting infections among them while hunting down particulars of the infection real fast .... and they just have to think it up and release it.  No need to fight it for them.  They have the advantage, always have and always will. 

And again email delivery to user.  If you don't need it, don't read it, delete it.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...