When someone describes a cyber attack, or more accurately a cyber attack vector, as “undetectable”, it is time to take note. When the attack is targeted at Critical National Infrastructure (CNI) and the Energy sector, alarm bells should be ringing. That is exactly what happened when news broke last week of a spear-phishing campaign targeting the HR departments of CNI and Energy companies. The attack takes the form of a phishing email carrying a Microsoft Word attachment that purports to be the CV of an industrial control engineer. The attachment contains no active code (VBA macros or scripts) and no reliable signature that email filtering products could use to “detect” it.

In short, it appears to be totally clean. In reality the Word attachment contains a reference to an external Microsoft Word template. When the document is opened, that reference tries to connect to the attacker’s server via Server Message Block (SMB) to download a malware-laced Word template, which then tries to harvest user credentials from the target of the attack.

It is good practice to configure the organisational firewall to block outbound SMB requests except where they are necessary. However, the very existence of this exploit suggests that some organisations do not adhere to good practice. In any event, this particular exploit has another trick up its sleeve in the shape of a fallback mechanism: if SMB is not available, the template reference will attempt a connection to the attacker’s server over port 80.
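As an added example (not Deep Secure’s code, nor anything from the campaign itself), here is a small Python scanner that looks inside a .docx for the external template reference the two paragraphs above describe, and tells a remote (SMB share or HTTP) target apart from the routine local Normal.dotm reference that many benign documents carry. It assumes the reference is recorded in the standard OOXML relationship part word/_rels/settings.xml.rels; the hostnames used in the fixture are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
# OOXML relationships namespace and the relationship type Word uses for an
# attached template; the target is recorded in word/_rels/settings.xml.rels.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

def classify_target(target: str) -> str:
    """'remote-smb' (UNC share), 'remote-http' or 'local'. A local path such as
    file:///C:/.../Normal.dotm is routine; a remote target is the indicator."""
    if re.match(r"^https?://", target, re.I):
        return "remote-http"
    if re.match(r"^file:", target, re.I):
        # file:///C:/x is a local path; file://host/share/x is a UNC share
        return "remote-smb" if re.match(r"^//[^/\\]", target[5:]) else "local"
    if target.startswith("\\\\") or target.startswith("//"):
        return "remote-smb"
    return "local"

def find_external_templates(docx_bytes: bytes) -> list:
    """(target, classification) for each External attachedTemplate relationship."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []          # no settings relationships: nothing to attach
        root = ET.fromstring(z.read(SETTINGS_RELS))
    findings = []
    for rel in root.iter(RELS_NS + "Relationship"):
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode", "Internal") == "External"):
            target = rel.get("Target", "")
            findings.append((target, classify_target(target)))
    return findings

def is_suspicious(docx_bytes: bytes) -> bool:
    # True when any attached template would be fetched over SMB or HTTP.
    return any(k.startswith("remote") for _, k in find_external_templates(docx_bytes))

def build_fixture(target: str) -> bytes:
    """Constructed scanner fixture: a zip holding only the settings rels part (not an openable Word document)."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (RELS_NS[1:-1], ATTACHED_TEMPLATE, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()
```

Run against real attachments by passing the file’s bytes to `is_suspicious`; a document that only references a local Normal.dotm is reported as clean.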

At the time of writing the attacker’s server was down, so it has not been possible to analyse the payload(s) served by the template file on the SMB server, but the ramifications of such an exploit are certainly serious. One of them is that the connection to the SMB server provides the threat actor with the user’s credentials. This enables the perpetrator to exfiltrate data from the IT network and, potentially, to use the compromised workstation and credentials as a bridgehead from which to mount an attack on the industrial control system (ICS) networks.

Targeted attacks focussed on CNI and Energy organisations have the potential to do immense damage, as the Stuxnet malware did to Iran’s Natanz nuclear facility in 2010. So what’s to be done about so-called “undetectable” attacks and the threat they pose?

The Deep Secure Content Threat Removal platform uses a process of transformation to prevent any exploit contained in seemingly valid business communication from entering an organisation via email, Web or file transfer. The platform enforces a protocol break at the boundary and extracts the business information, then creates wholly new data from scratch on the other side of the protocol break and sends it forward to its destination. Only business information passes end-to-end, so any embedded active code or external reference, like the one used in this attack, is automatically discarded.

Content Threat Removal Always Defeats Undetectable Threats

This approach always foils “undetectable” attacks in content. It does not need to maintain a list of known attacks and attack techniques. It works without needing to interact with the vendor. There is no need for signature updates to be brought in regularly from the Internet. There is no need to report behaviour to a central control system for correlation. Using this approach you do not need to “detect” the threat; you simply remove it.

Here at Deep Secure we believe that the term “detection” highlights the fundamental flaw in the way the entire cyber security industry thinks and reacts. Detection is always going to fail, and the answer is to build defences that do not rely on detection. This is why Deep Secure have pioneered Content Threat Removal.