Vulnerabilities / Threats

4/11/2019
10:30 AM
When Your Sandbox Fails

The sandbox is an important piece of the security stack, but an organization's entire strategy shouldn't rely on its ability to detect every threat. Here's why.

Working in cybersecurity is like fighting crime in Gotham City. You spend your day squaring off against faceless villains with names like WannaCry, Petya, and Red October, who are constantly coming up with new tactics, technology, and gadgets to get the upper hand. Then, after a good, hard fight, you think you've won the day, only to see old adversaries pop up a few days or even years later — stronger, smarter, and a lot more sophisticated.

For example, an old nemesis returned earlier this year with a new trick up its sleeve. The Emotet banking Trojan, first seen in 2014, reappeared on our radar screen with an interesting twist. The lure was a Word 2003 XML document saved with a .doc extension. Many sandboxes identify a sample's true file type from its content rather than its extension and route it to the matching analysis path, so a file that sniffs as XML may never be opened in Word inside the sandbox at all. On the endpoint, Word does not care about the extension: it recognizes the XML format and opens the document, macro included.

Once open in Word, the macro within the XML file spawns a PowerShell script that calls out to a second-stage URL to download the Emotet payload. The payload then enumerates the installed applications and checks the disk volumes to decide whether it is running in a sandbox; if it concludes that it is, it stops executing and shuts down. Emotet also has long sleep and delay routines designed to outlast the limited time window in which a sandbox observes each sample for malicious behavior. Genius!
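As an added example (not code from the article or from Menlo Security), here is a small Python triage routine for the gap just described: it sniffs the true container type from the leading bytes, picks the Office handler the way the endpoint would (the mso-application progid first, the extension second), and records the Word 2003 XML markers, including the editdata.mso binary part in which that format stores VBA. The sample document is constructed for the demo and carries no real macro.

```python
"""Content-sniffing triage for mail/web gateway samples.

Added example; not code from the article or from Menlo Security. It models
the gap the Emotet lure exploits: a sandbox that picks its analysis path from
the type it *sniffs* (XML) never hands the sample to Word, while Word on the
endpoint ignores the .doc extension, recognises the Word 2003 XML format and
runs the macro. Signatures and element names are real; the sample is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2/CFB)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsm etc. are ZIP containers
RTF_MAGIC = b"{\\rtf"

# Content type an extension *claims*, and the Office application that owns it.
EXT_TYPE = {".doc": "ole", ".xls": "ole", ".rtf": "rtf", ".xml": "xml",
            ".docx": "zip", ".docm": "zip", ".xlsx": "zip", ".xlsm": "zip"}
EXT_HANDLER = {".doc": "winword", ".docx": "winword", ".docm": "winword", ".rtf": "winword",
               ".xls": "excel", ".xlsx": "excel", ".xlsm": "excel"}
PROGID_HANDLER = {"Word.Document": "winword", "Excel.Sheet": "excel"}

# Word 2003 XML markers: the processing instruction Office uses to claim the
# file, and the binary part in which that format stores VBA (editdata.mso).
MSO_PROGID = re.compile(rb'<\?mso-application\s+progid="(?P<progid>[A-Za-z]+\.[A-Za-z]+)"\s*\?>')
BINDATA = re.compile(rb'<w:binData\b[^>]*\bw:name="(?P<name>[^"]+)"')


def sniff_type(data: bytes) -> str:
    """Identify the container from leading bytes, ignoring the filename."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    head = data.lstrip(b"\xef\xbb\xbf\r\n\t ")  # tolerate BOM and leading whitespace
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "xml"
    return "unknown"


@dataclass
class Verdict:
    sniffed_type: str
    extension_type: str
    extension_mismatch: bool
    handler: Optional[str]            # which Office app the endpoint would open it with
    indicators: List[str] = field(default_factory=list)


def triage(filename: str, data: bytes) -> Verdict:
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    sniffed = sniff_type(data)
    ext_type = EXT_TYPE.get(ext, "unknown")
    handler = EXT_HANDLER.get(ext)
    indicators: List[str] = []

    if sniffed == "xml":
        m = MSO_PROGID.search(data)
        if m:
            progid = m.group("progid").decode()
            indicators.append(f"mso-application progid {progid}")
            # Office claims the file by progid, whatever the extension says.
            handler = PROGID_HANDLER.get(progid, handler)
        for b in BINDATA.finditer(data):
            name = b.group("name").decode()
            if name.lower() == "editdata.mso":
                indicators.append("w:binData editdata.mso (ActiveMime part: VBA project storage)")
            else:
                indicators.append(f"w:binData {name} (embedded binary part)")

    mismatch = ext_type != "unknown" and sniffed != ext_type
    if mismatch:
        indicators.append(f"extension {ext} claims {ext_type}, content sniffs as {sniffed}")
    return Verdict(sniffed, ext_type, mismatch, handler, indicators)


# Constructed sample: Word 2003 XML with an editdata.mso part, delivered as .doc.
# The base64 is the literal string "ActiveMime\0\0", not a real VBA project.
SAMPLE_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<?mso-application progid="Word.Document"?>\r\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
    b'<w:binData w:name="editdata.mso">QWN0aXZlTWltZQAA</w:binData>'
    b'<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body>'
    b'</w:wordDocument>'
)

if __name__ == "__main__":
    for name, blob in [("invoice.doc", SAMPLE_XML_DOC), ("report.doc", OLE_MAGIC + b"\x00" * 504)]:
        v = triage(name, blob)
        print(f"{name}: sniffed={v.sniffed_type} handler={v.handler} mismatch={v.extension_mismatch}")
        for i in v.indicators:
            print("   -", i)
```

The routing decision is the point: a sandbox that sends a sample to its Word VM only when the content sniffs as OLE or ZIP never opens this file, whereas routing on `handler == "winword"` does, and the extension/content mismatch is worth alerting on in its own right.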

Other recent threats have used similar tactics to avoid detection by a sandbox. Bebloh, a generic banking Trojan first detected in 2009, recently re-emerged as a variant targeting Japanese users. This specific variant is delivered via webmail as an Excel attachment that includes a macro, which spawns a silent command shell. Interestingly, this variant of Bebloh checks the locale and country settings at each stage of execution.

At first, the macro stops execution and quits Excel if the locale setting is not Japanese. Once the command shell is running, a PowerShell script is spawned to fetch remote content from a URL that looks like it points to a RAR archive but actually returns another PowerShell script containing an embedded, base64-encoded and encrypted DLL. The key used to decrypt this DLL is derived from the country code of the culture configured in the operating system. Finally, the decrypted DLL is reflectively injected into the memory of another process by PowerShell, and the DLL's entry point is called to start the malware.

The upshot is that a sandbox would have to have its location settings set to JP (the code for Japan) consistently across the entire environment, UI language, region and culture alike, to follow this infection chain through to the payload. Few sandbox deployments are configured that way unless the analysis image has deliberately been built to mirror the targeted user population. Bebloh also checks system uptime and physical hardware characteristics, and stops execution if they suggest a sandboxed environment.
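To make the "throughout the entire environment" point concrete, here is an added Python model (not code from the article, from Bebloh, or from any sandbox vendor) of a locale-gated, region-keyed second stage run under three analysis-VM profiles. The cipher, the key schedule, the stand-in DLL and the profile names are constructed; the stage-two logic follows the article's description of the sample.

```python
"""Environment-keyed payload vs a single-locale sandbox.

Added example; not code from the article, from Bebloh, or from any vendor.
The article describes a macro that quits unless the locale is Japanese and a
stage-two script whose DLL-decryption key is derived from the OS country code.
The cipher below (SHA-256 counter-mode keystream XORed over the payload) is a
stand-in for whatever the real sample does, and the "DLL" is a constructed
header, not a binary. What the model reproduces is the sandbox's view: a
default en-US VM records a clean exit, a VM with only the UI language switched
decrypts garbage, and only a profile matching the target end to end yields it.
"""
import hashlib
from typing import Dict, Optional


def keystream(country_code: str, length: int) -> bytes:
    """Stand-in key schedule: hash the country code with a counter until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{country_code}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def stage_payload(dll: bytes, target_country: str) -> bytes:
    """Attacker side (modelled): bind the DLL to the target's region code."""
    return xor(dll, keystream(target_country, len(dll)))


def looks_like_pe(image: bytes) -> bool:
    """Loader sanity check: 'MZ' stub and PE signature at the fixed demo offset 64."""
    return image.startswith(b"MZ") and image[64:68] == b"PE\x00\x00"


def second_stage(blob: bytes, profile: Dict[str, str]) -> Optional[bytes]:
    """Victim-side logic as the article describes it, run under one sandbox profile.
    Returns the decrypted DLL if the chain would proceed, None if it bails out."""
    if profile["ui_language"] != "ja-JP":      # macro gate: quit unless Japanese locale
        return None
    candidate = xor(blob, keystream(profile["country_code"], len(blob)))
    return candidate if looks_like_pe(candidate) else None   # wrong key -> no usable image


# Three analysis-VM profiles (constructed). Only the last matches the target end to end.
SANDBOX_PROFILES: Dict[str, Dict[str, str]] = {
    "default-en-US":  {"ui_language": "en-US", "country_code": "US"},
    "ui-only-ja":     {"ui_language": "ja-JP", "country_code": "US"},
    "ja-JP-complete": {"ui_language": "ja-JP", "country_code": "JP"},
}


def detonate_all(blob: bytes,
                 profiles: Dict[str, Dict[str, str]] = SANDBOX_PROFILES) -> Dict[str, str]:
    """Run the modelled sample under every profile and record what each sandbox would log."""
    results = {}
    for name, profile in profiles.items():
        dll = second_stage(blob, profile)
        results[name] = "payload decrypted, PE image loaded" if dll else "sample exited, no payload"
    return results


# Constructed stand-in DLL: DOS header bytes, PE signature at offset 64, filler.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60
BLOB = stage_payload(FAKE_DLL, "JP")

if __name__ == "__main__":
    for profile, outcome in detonate_all(BLOB).items():
        print(f"{profile:16s} {outcome}")
```

The middle profile is the instructive one: switching only the display language to Japanese clears the macro's gate but still produces garbage at the decryption step, so an analyst who half-localises the image gets the same clean-looking exit as the default VM. Detonating across a small set of region-complete profiles chosen to match whom the campaign targets is the sandbox-side counter to this kind of environment keying.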

Phishing is another area where sandboxes fall short, because detection depends on a file exhibiting malicious behavior. A simple PDF containing nothing but a link to a malicious sign-in form does nothing when detonated, so there is no behavior to detect. Documents with a single Uniform Resource Identifier leave a very small footprint for a sandbox to work with, and because the phishing domain is typically live for only a short time, little evidence remains for post-event analysis or for threat intelligence services to collect.

Emotet, Bebloh, and PDF phishing attacks are worrisome for one very good reason: they use sophisticated, ingenious techniques to avoid detection in a sandbox environment. Sandboxing has long been a tried-and-true method for protecting users from web- and email-borne threats: suspicious content is detonated in an instrumented virtual machine, walled off from the production network, and anything that misbehaves is blocked before it reaches a user's device and analyzed for future remediation. Up until now, this strategy has worked well.

However, sandboxing relies on detection. If a threat is able to mask itself, shut itself down, or evade detection in some way, it pretty much has free rein to infect users' devices, enabling it to eventually make its way into the network and critical business systems. And that's a problem. In a detect-and-respond cybersecurity strategy, once a threat gets past the front gates, it's game over.

This evolution of threat tactics and technology is nothing new. Malware and other web-based attacks are constantly evolving to counter traditional cybersecurity solutions. It seems that for every step forward we make as an industry, threat actors have a countermeasure in hand almost immediately — making cybersecurity a constant back and forth on the front lines.

Network separation and web isolation are two alternatives to a cybersecurity strategy based solely on detection. Both remove the direct connection between users' machines and the public internet. Network separation prevents users from accessing the public internet from any computer connected to the corporate network, which often means users have to work with two computers. Web isolation still allows web browsing but moves the fetching and execution of web content off the endpoint and onto a remote isolation server, on-site or in the cloud. Rather than trying to decide whether content is safe or risky, network separation and web isolation assume everything is risky and never let the user connect directly to the web. (In full disclosure, my company, Menlo Security, along with others in the industry, markets web isolation technology.)

The sandbox is still an important piece of the security stack, but an organization's entire strategy shouldn't be reliant on its ability to detect every threat. Even Batman needs to accept that some attacks are a given and that the best security strategy is to contain the threat, away from the citizens of Gotham, in such a way that they don't even know there was an attack!


Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper ...
Comments
ChadL196
User Rank: Author
4/12/2019 | 12:55:18 PM
Sandbox evasion
Hi Kowsik,

Thanks for the read. Sandbox evasion is what we live and breathe. We've published our own work on that, and have dealt with the use cases you describe. Of course, some of it is dependent on the customer ensuring their analysis environment matches their own target environment. Hence we support gold images as analysis targets for ex. And tailoring of the localisation settings and VPN settings for outbound communication: https://www.vmray.com/cyber-security-blog/sandbox-evasion-techniques-part-1/
REISEN1955
User Rank: Ninja
4/11/2019 | 12:36:34 PM
On Time
State sponsored actors and hackers have one huge advantage - time. And the ability to think. All they do is think about ways to hack and break into systems, being as innovative as this article indicates. New will always happen and they have time on their hands to do more wrong, hence their attacks increase in sophistication. We shall always be 5 minutes behind them at the least. We have daily chores, work and fighting infections among them while hunting down particulars of the infection real fast ... and they just have to think it up and release it. No need to fight it for them. They have the advantage, always have and always will.

And again email delivery to user. If you don't need it, don't read it, delete it.