Cyberthreat surprise

12 October 2016

You might have seen the August news story about how UK phone network O2 sent its business customers free USB drives, only to discover that some were carrying malware. While this was clearly done with the best intentions, issues like this are a big headache for corporate cybersecurity. No amount of staff training guarantees that someone, somewhere, won't absent-mindedly plug in an infected USB drive, and then you're at the mercy of your anti-virus software: if it's not up to date, or not up to the job, you could be looking at a lengthy cleanup or, worse, a battle with ransomware.

While the O2 virus was old and it's not clear that anyone was actually infected, it's a reminder that malware can enter the organisation from any direction - and it often finds a seemingly reputable route. Here are five other cases in which bugs or malware came from a reputable source.

1) Adobe Creative Cloud update

In February 2016, hundreds of Mac users of the cloud backup service Backblaze started to get error messages relating to missing files. Quick to react, the company soon created a fix which worked for many, before discovering that all the affected users had one thing in common: Adobe Creative Cloud.

It transpired that Backblaze was innocently falling foul of a bug in the update to Creative Cloud v3.5.0.206, which in some cases was deleting files from the system root directory. Adobe pulled the update, and within three days had issued another.

2) Puush Windows Client

It's become standard practice for developers to push app updates out to users, but it's vital that the mechanism for doing so isn't compromised. In March 2015, the developers of screenshot sharing app Puush discovered what can happen when it is. According to Puush's own summary, the problem began when an update server was breached, and a malicious file planted. At that time Puush's app didn't verify the authenticity of updates, so some clients began receiving updates carrying a remote access trojan.

Again, Puush responded quickly, shutting down the server within three hours, and rolling out an updated client with a built-in cleaner within another three hours. The company has since introduced an opt-out for updates - and file verification.
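The check the Puush client lacked, as an added example that is not Puush's code or its later fix: the vendor signs an update manifest (version plus the SHA-256 digest of the payload) with an Ed25519 private key that never leaves the build machine, and the client refuses any download whose signature or digest fails to verify against a pinned public key. The Update layout, manifest tag and sample payloads are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the client downloads: the binary, the signed manifest
// fields (version + SHA-256 digest) and the vendor signature. Hypothetical layout.
type Update struct {
	Version   string
	Payload   []byte
	Digest    [32]byte
	Signature []byte
}

// manifest is the exact byte string the vendor signs (constructed tag format).
func manifest(version string, digest [32]byte) []byte {
	return append([]byte("update-v1|"+version+"|"), digest[:]...)
}

// Sign runs on the vendor's build machine; the private key never reaches
// the update server, so a breach there cannot produce a validly signed update.
func Sign(priv ed25519.PrivateKey, version string, payload []byte) Update {
	d := sha256.Sum256(payload)
	return Update{version, payload, d, ed25519.Sign(priv, manifest(version, d))}
}

// Verify is the check the client must run before installing anything: a valid
// signature under the pinned vendor key, then a payload matching the signed digest.
func Verify(pub ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pub, manifest(u.Version, u.Digest), u.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	if d := sha256.Sum256(u.Payload); !bytes.Equal(d[:], u.Digest[:]) {
		return errors.New("payload digest mismatch: refusing update")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader uses crypto/rand
	good := Sign(priv, "1.2.3", []byte("legitimate client build")) // constructed sample
	fmt.Println("genuine update:", Verify(pub, good))
	planted := Update{good.Version, []byte("file planted on server"), good.Digest, good.Signature}
	fmt.Println("planted file:", Verify(pub, planted))
}
```

Even an attacker who recomputes the digest for the planted file still fails, because the manifest signature no longer matches; only possession of the vendor's private key would let a breached server ship an accepted update.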

3) Dell PowerEdge motherboard malware

Even the best hardware fails. When it does, it's reassuring to see the vendor turn up and replace it, but spare a thought for a handful of Dell PowerEdge customers. In 2010, some who had received replacement motherboards for their servers began being scheduled for another replacement. The reason? Embedded flash storage on the first replacement had been found to contain malware.

The issue affected only a small number of motherboards sent out by Dell as service and replacement parts, and the malware - the W32.Spybot worm - could only infect Windows systems, but this has to rank as one of the unlikeliest ways we've seen spyware get into a business.

4) Sony BMG copy protection

In the early 2000s, worried by the threat it perceived to its music revenue from the mass sharing of MP3s, Sony BMG began adding copy-protection for Windows PCs to its music CDs. While the legitimacy of the software's purpose was debatable, the methods of the two chosen utilities soon caused alarm. Both used rootkit-like behaviour to hide from the user and resist attempts to be uninstalled, and both were discovered to create security risks - with at least some of these being exploited by the malware community.

Unsurprisingly, Sony BMG was not only forced to withdraw the software, issue patches to remove it and replace many of the affected CDs, but also faced multiple investigations and lawsuits. It's astonishing today that the company went ahead with the idea: innocent customers, many of whom were left unprotected by unsophisticated anti-virus programs, ended up with unauthorised software compromising the performance and security of their PCs.

5) HDDCryptor ransomware

Our final example is slightly different: HDDCryptor is a particularly effective bit of ransomware, able to encrypt the contents of local, removable and network drives and to lock the drives. It's clearly malicious, but interestingly, security researchers at Trend Micro have found that it exploits some legitimate software to achieve its ends.

Among these, a slightly altered version of netpass - a freeware network password recovery utility - is used to extract the credentials being used to access network drives. Later in the infection process, an unmodified version of DiskCryptor - an open-source encryption program - is used to encrypt disks and overwrite the master boot record of the infected device.

While it's conventional for legitimate-looking software to include hidden malware, HDDCryptor's twist is to use apps that may well be whitelisted to achieve its nefarious purposes. It shows that, used maliciously, even legitimate tools can cause great damage, and it highlights the need for an intelligent, next-generation security platform that can not only recognise malware, but also understand and react when the vulnerabilities in legitimate software are being exploited.

AV is Broken

Conventional anti-virus solutions are no longer fit for purpose. As a component of the Palo Alto Networks Next-Generation Security Platform, Ideal believes that Traps endpoint protection is the right solution to provide protection against the new era of cyberthreat.

Ideal is the first partner in the UK to have completed its full certification in Traps, which uses multi-method protection to block both known and unknown threats - wherever they originate. Subscribed devices and endpoints share and receive threat intelligence with the WildFire cloud-based malware analysis environment, where unknown threats are identified, and new protections are automatically created and distributed to subscribed customers.

To discover what this means in practice, and to learn more about the threat landscape currently facing businesses, why not join us and Palo Alto Networks for Defeat ransomware, an event at our Brighton offices on 5 April.

Spend a day with us at the seaside and you'll leave with an expert's view of the cyber-threat landscape, and the knowledge of how to keep your organisation safe from the latest and most sophisticated threats and exploits. More than that, you'll be fully briefed on the risk of wasting a fortune on the ineffective and outdated protection offered by conventional anti-virus solutions.

Places on Defeat ransomware are free but strictly limited. Reserve yours now.


Header image: Brad/Flickr, Creative Commons