Endpoint detection and response (EDR) tools are becoming more common on networks that allow access from a wide variety of endpoints, such as smartphones and tablets. These tools continuously monitor behavior on the devices to see if anything unusual is going on. The information collected through this monitoring is sent to a central database, where it is analyzed. If something is found amiss, a report is sent to the network administrators so that they can look into the device or devices causing concern.
On the surface, the idea sounds pretty good. The problem is in the implementation. Any update being performed on a device, for example, could be assessed as possible malicious activity. There are other reasons an endpoint could be flagged for closer analysis, but the point here is that the central database can quickly become overrun with data from all these endpoints. The system may reach a point at which analyzing the data takes so long that damage to the network is done in the interim. And that’s just the beginning of the problem.
It appears that, because of this pressure, some EDR companies may be using online file scanning sites to help them analyze unknown files. All antivirus firms maintain whitelists (good files/sites) and blacklists (bad files/sites), and each company will have different opinions on which files or sites are good and bad. Combining all these lists on one site, as VirusTotal does, means normal users and EDR services can more easily identify bad files.
Probably few companies would worry about their EDR services using these file scanning sites. Sure, the services may inform the companies that they can opt out of this additional connection, but why would they? Why would they opt out of an additional service that could potentially add another level of security to their network? The reason they might consider opting out is that these file scanning sites come with risks, including exposing sensitive corporate data to potential hackers.
The security information firm DirectDefense recently found that the EDR firm Carbon Black has accidentally been leaking corporate information through its use of VirusTotal. In its investigations, DirectDefense was able to uncover
“Cloud keys (AWS, Azure, Google Compute) – which could provide you with access to all cloud resources
App store keys (Google Play Store, Apple App Store) – letting you upload rogue applications that will be updated in place
Internal usernames, passwords, and network intelligence
Communications infrastructure (Slack, HipChat, SharePoint, Box, Dropbox, etc.)
Single sign-on/two-factor keys
Proprietary internal applications (custom algorithms, trade secrets)”.
Yeah, that sounds pretty serious. Not only that, but the company also believes that many other EDR firms probably use VirusTotal, which means that a lot of potential information on numerous high-profile companies may have been accidentally leaked to whoever wanted to have a look at it.
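One defensive control this suggests is gating what an EDR sensor may forward to an external scanner. The following is an added example, not Carbon Black's or DirectDefense's code: before any upload it looks for the credential types named in the list above and, when it finds one, limits the external query to a hash lookup (the pattern set and the sample files are constructed for the example).

```python
import hashlib
import re

# Credential patterns of the kind DirectDefense reported in leaked uploads.
# Constructed for this example; a real gate would carry a tuned, larger set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(rb"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token": re.compile(rb"\bxox[abpr]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(rb"(?i)pass(?:word|wd)?\s*[=:]\s*\S{6,}"),
}

def find_secrets(data: bytes) -> list:
    """Return the names of every credential pattern found in the file bytes."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(data)]

def sha256_hex(data: bytes) -> str:
    """Digest for a hash-only reputation lookup; reveals nothing of the content."""
    return hashlib.sha256(data).hexdigest()

def triage(data: bytes) -> dict:
    """Decide how an unknown file may be shared with an external scanner.

    Step 1 is always a hash lookup, which exposes only the digest. The file
    body may be uploaded only when no credential pattern is present; otherwise
    it stays inside the network for local analysis.
    """
    secrets = find_secrets(data)
    return {
        "sha256": sha256_hex(data),
        "secrets": secrets,
        "action": "local_analysis_only" if secrets else "hash_lookup_then_upload",
    }

# Constructed sample "files": a leaked config and a harmless updater blob.
SAMPLE_CONFIG = (b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                 b"db_password = Winter2017!\n")
SAMPLE_UPDATER = b"MZ\x90\x00 vendor-updater stub, no credentials inside"

if __name__ == "__main__":
    for label, blob in (("config", SAMPLE_CONFIG), ("updater", SAMPLE_UPDATER)):
        print(label, triage(blob))
```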
In past posts, I have warned about how good online security tool sites can be used by hackers. In a recent post, I showed how a good security service, Malware Hunter, could be used to remotely take over a computer.
VirusTotal is routinely used by hackers to see if their malware or infected website can be detected. If it is, they can continue using VirusTotal and tweaking their attack until it escapes detection.
Have I Been Pwned (HIBP) is another good website, often used by people to see if they have been victimized by a hack. HIBP uses a site called Dump Monitor (@dumpmon) to see what new hacks have occurred. Since many email/password dumps occur on Pastebin, HIBP goes there when Dump Monitor makes the dump public. HIBP then adds the information in the dump to its database.
Here’s the problem. I went to one of these recent dumps, retrieved an email and tested it on HIBP. Sure enough, I received the following information. (I removed the username in the email address.)
I now knew that the email was valid. The dump also gave me the password to this email. In other words, I, at least theoretically, could get into this person’s email account. It’s possible that the user had changed their password, but, nonetheless, I had direct access to a number of emails. I could, therefore, use HIBP as a step in a hacking campaign and validate all emails in a dump before I hacked into the accounts. If I were a hacker and was able to get into someone’s email account, I could do all sorts of damage, least of which would be to search for any credit card information.
Thousands of recent dumps are made available on another very useful site, maintained by the security firm HTTPCS. Here, you can watch cyber attacks as they occur and get a list of various types of attacks collected from a number of sites. Among these attacks are lists of recent email/password dumps. There are also lists of software vulnerabilities that are posted on a variety of somewhat obscure sites. Some of these vulnerabilities have been patched and some not. In any event, not all of the recent patches could have been applied by every organization or business that uses the software. Hackers interested in using these vulnerabilities will still have time to do so. Here is an example of a recent announcement, posted on Seclists.org, of vulnerabilities found in Google Chrome.
“Several vulnerabilities have been discovered in the chromium web browser.
CVE-2017-5087: Ned Williamson discovered a way to escape the sandbox.
CVE-2017-5088: Michal Bentkowski discovered a spoofing issue.
CVE-2017-5091: Ned Williamson discovered a use-after-free issue in IndexedDB.”
Recently, hackers have begun repackaging free software security tools to include malware. This makes the malware in such tools difficult for networks to detect as dangerous. The tools are legitimate, so they may only be detected as questionable and not dangerous. But they are dangerous: they have been modified to function as information-stealing devices. It’s the old wolf in sheep’s clothing angle. Worse yet, they are being used to attack government agencies. The brand of malware used in this attack has been named Netrepser by Bitdefender. The malware included in these tools is used to infiltrate a network and do whatever the command and control center wants it to do. It appears that the command and control centers are in Russia.
And it gets worse. Earlier this year it was found that attackers were using a zero-day exploit to turn antivirus software into an attack vector. It plays on the fact that if you can’t trust your antivirus software, what can you trust? The attack has been appropriately named DoubleAgent, as it uses your antivirus to mask its malicious activities.
There are numerous security sites and free software available to help you keep your device or network safe. Most of the time, they will give you the help you need, but keep in mind that there are always risks involved. You may be either installing malware on your device or giving away free information, information that may come back to haunt you. Even free services come with a price.
Note: Endpoints do not need to be monitored if protected by hardware separation architecture such as that produced by WorkPlay Technologies.