Active monitoring of file system integrity to detect attacks

According to a blog post by Brian Krebs, the attackers that compromised Bit9 earlier this month initiated their attack on the application whitelisting firm back in July 2012 by exploiting a SQL injection (SQLi) vulnerability on an employee-run virtual machine instance.

Krebs states “[Bit9] believes that the trouble began last July, when an employee started up a virtual machine that was equipped with an older Bit9 signing certificate which hadn’t been actively used to sign files since January 2012.” The SQL injection vulnerability was used to plant the HiKit rootkit and open a backdoor on the system. This backdoor was then used to digitally sign custom malware with the Bit9 key, a process that ensured the Bit9 detection engine would implicitly trust the malware.

Krebs also mentions “It’s not clear why the attackers waited so long to use the stolen certs, but in any case Bit9 says the unauthorized virtual machine remained offline from August through December, and was only turned on again in early January 2013.”

This attack further echoes the need for host security, especially on dynamic server instances. In this instance, as in many similar situations, it seems that additional controls could have better protected the server.

According to research conducted by Mandiant in August 2012, the HiKit rootkit tampers with the “sethc.exe” binary by overwriting it with “cmd.exe” to provide unauthenticated access during Remote Desktop Protocol (RDP) logon. Similarly, Mandiant’s investigations uncovered a dynamic-link library (.dll) file and a Windows system file (.sys) that were created in succession within the same hour as the initial attack. Mandiant’s malware analysis team determined that “C:\WINDOWS\system32\wbem\oci.dll” was a dropper and loader for rootkit driver code in “C:\WINDOWS\system32\drivers\W7fw.sys”.

Active monitoring of file system integrity can alert system administrators and security personnel to unauthorized file changes, like installation of the HiKit rootkit. File integrity monitoring could have detected changes to the contents of the “C:\WINDOWS\system32\drivers” directory, including creation of new files and changes to existing files.


Figure 1 – Sample of “oci.dll” and “W7fw.sys” detection

The overwriting of the “sethc.exe” executable with “cmd.exe” would certainly change the metadata of the binary, causing an alert to be generated by a FIM tool such as CloudPassage Halo.


Figure 2 – Sample detection of “sethc.exe” being overwritten by “cmd.exe”
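As an added example (not from the original post or from any FIM product), the following Python code shows the baseline-and-compare logic behind the two detections above: files created or changed under a monitored tree, and a watched binary whose hash now equals that of the command shell. The directory layout under a temporary folder, the file contents and all function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Return sorted lists of created, modified and deleted paths."""
    created = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"created": created, "modified": modified, "deleted": deleted}

def masquerades(current, watched, shells):
    """Flag watched binaries whose content hash equals that of a command shell."""
    shell_hashes = {current[s]: s for s in shells if s in current}
    return sorted((w, shell_hashes[current[w]]) for w in watched
                  if w in current and current[w] in shell_hashes)

def demo(root):
    """Build a constructed system32-like tree under root, change it, report."""
    files = {"system32/cmd.exe": b"constructed cmd bytes",
             "system32/sethc.exe": b"constructed sethc bytes",
             "system32/drivers/tcpip.sys": b"constructed driver bytes"}
    def write(rel, data):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    for rel, data in files.items():
        write(rel, data)
    baseline = snapshot(root)
    # Changes of the kind the article describes, with placeholder contents
    write("system32/sethc.exe", files["system32/cmd.exe"])
    write("system32/wbem/oci.dll", b"constructed placeholder")
    write("system32/drivers/W7fw.sys", b"constructed placeholder")
    current = snapshot(root)
    return compare(baseline, current), masquerades(
        current, ["system32/sethc.exe"], ["system32/cmd.exe"])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(demo(tmp))
```

The hash-equality check catches the “sethc.exe” replacement even if the baseline was taken after the overwrite, which a plain baseline comparison would miss.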

IP-based access controls, in the form of firewall rules, can be used to limit remote access to the server and even restrict access to the running web application. Using a firewall capability that is bi-directional can also stop some rootkits and malware dead in their tracks by denying inbound connections from the malware operators, or outbound calls to command-and-control servers. Network access can also be tightly restricted to authorized users using dynamic firewall rules and two-factor authentication. Authorized users validate their identities using something they know (a password) and something they possess (an SMS device or hardware token), allowing the firewall to open access to their specific IP address only, with the user or an automated timeout mechanism closing that IP’s access when tasks are completed. This process would nullify the “sethc.exe” replacement attack vector, as the attacker would not have a network access vector to leverage or operate the malware.


Figure 3 – Sample of dynamic firewall rule creation to limit remote access

To help prevent the SQLi attack vector, hardening and monitoring the application stack and database configuration, in addition to proper application code review, reduce the attackable surface area of the web application and the server. Web application firewall tools could also have been employed on the host, with their configuration settings managed and monitored in accordance with vetted and trusted security policies. Monitoring web application, security tool, and operating system logs would also have pointed to indicators that an incident responder could have followed up on.

Hopefully people look to this Bit9 breach as a lesson on how to deploy and monitor security controls for effective host security. The easiest way to ensure that the security policies and procedures are automatically enforced is to bake the security tools into the server machine images. This ensures that every time a server instance is launched, it automatically adheres to the organizational security policies. Any server launched by employees, for any purpose that allows it to interact with business assets or data, should be subject to the same security and configuration scrutiny as any other server in the organization – regardless of whether the host has a dynamic lifetime or not.
