Jeff Hudson, Chief Executive Officer, Venafi: Weaponised Malware - how criminals are using digital certificates to cripple your organisation
January 2011 by Jeff Hudson, Chief Executive Officer, Venafi
The recent cyber attack on an Iranian nuclear facility using the Stuxnet virus should worry all of us - not just those in close proximity who were in danger of being blown into the next world by the actions of a computer virus.
The headlines around the story of the Stuxnet attack on an Iranian nuclear facility were familiar: “New malware attack”. Digital security threats and sometimes the hype surrounding them have become commonplace in our interconnected and IT-dependent world. However, this was no ordinary attack. Apparently malware was introduced into the Iranian nuclear facilities local area network. It entered between the internet and the internal network. The other possibility was a trusted insider who was an agent of the organisation which carried out the attack.
As researchers later discovered, the attack used four different Zero Day exploits on Windows platforms. In addition to the Zero Day attacks, the ‘payload’ included a stolen digital certificate that was issued by Verisign. The virus was self-propagating and spread to numerous machines. The mission of this virus was to auto-propagate in the wild (there was no back channel to a command and control host as this was an isolated network). It was then to locate and operate a valve or control module that was a critical part of the nuclear facility’s infrastructure, with the intent of disabling or damaging the facility. In other words: to act as a weapon. This is a significant step forward in the development of malware.
The traditional, malicious approach to damaging the facility would have been to use a conventional weapon (i.e. a bomb). The astonishing difference is that this malware was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own. In other words, this was malware designed specifically to accomplish the work of a weapon. It has therefore earned the dubious classification as weaponised malware.
This particular malware is estimated to have taken 10 man years of effort to develop. It is sophisticated. The tools used in development, the timestamps on the binaries, and the number of modules with different coding styles suggest multiple development teams. The origin of the malware has not been verified but the most popular theory is that it was developed by a nation state or states that were attempting to disrupt the Iranian nuclear program.
Iran has the largest percentage of known instances of the Stuxnet virus. However it has also been found on systems in many other countries. Experts predict that numerous, undetected instances are still active.
It is a well-established fact that many weapons developed by national military programs become available to non-nation state entities, such as terrorists, rogue nation states and criminal organisations. It is just a matter of time. Examples are; night-vision goggles, GPS systems, airborne drones, fully automatic rifles, Kevlar body armor and shoulder launched missiles, to name just a few.
The questions are, A) when will Weaponised Malware and its derivatives be used to destroy, disable or steal valuable assets and information from other nations, utilities, banks, or telecommunication companies, and B) what can we do about it?
The Stuxnet weaponised malware utilised multiple zero day vulnerabilities to infect, and employed a signed digital certificate to authenticate itself in the environment. The certificate allowed the malware to act as a trusted application and communicate with other devices. This is the first reported incident of the utilisation of a digital certificate in this type of attack, and is a very ominous and worrying development. The level of threat has moved from downtime and a damaged reputation because your certificate has expired to physical damage to you and your employees if the virus successfully makes a manufacturing or utility process go critical.
The use of four zero day vulnerabilities and a stolen digital certificate signals the beginning of a new era of cyber warfare and cybercrime. The implications are enormous. This is not the first occurrence of this species. The Aurora virus was a first generation variant and Stuxnet represents a significant evolutionary leap in complexity and sophistication. Additionally the potential costs to the targeted organisation in the event of a successful attack are higher than ever.
Zero day vulnerabilities are by definition impossible to defend against. The use of unauthorised digital certificates by weaponised malware in a networked environment is another matter. There are steps organisations can take to significantly reduce the risk of a successful attack.
The first consideration is the knowledge of digital certificates that are active in a network. Most organisations do not know how many they have, where they are installed, who installed them, their validity, and the expiration date of the digital certificates in their network. Here’s a parallel analogy in the world of physical security. This is exactly the same as not knowing which people in a secure building are authorised to be on the premises and which ones are unauthorised. Imagine a bank where no one knew which people in the building were authorised to be there or not. This is not an exaggeration. This is an unacceptable situation to anyone who takes security seriously. This is an unquantified risk. The only acceptable practice is to continually and actively discover certificates on the network.
Additionally those certificates must be validated that they are functioning as intended and that they are monitored throughout their lifecycle so that they can be expired and replaced as dictated by the security policies of the organisation. Most organisations are deficient in this regard. This is an unmanaged risk and can be easily brought under management. A failure to manage this kind of risk exposes organisations to increased vulnerabilities like the Stuxnet attack. This is not scaremongering – it is a real threat which will affect an organisation sometime soon.
Why are organisations exposing themselves to this unquantified and unmanaged risk? The reason is simple enough to understand. Before Stuxnet, the lackadaisical knowledge and management of digital certificates was viewed as acceptable. Additionally many board - level executives are not familiar with digital certificates, how they work, their role in security, and the management practices and policies. This has to change. There is not one board - level executive that misunderstands or underestimates the importance of ensuring that only authorised individuals can enter a secure building. Those same executives naively allow unauthorised or unknown certificates to enter and operate on their networks.
In summary there is unquantified and unmanaged risk that allows Stuxnet to propagate and operate on a network. This represents bad management practice of a critical part of a layered security model. Digital certificates are widely used to authenticate and identify entities in a network. Poor management practices render digital certificates ineffective for their intended purpose. In fact poor management in some cases creates an exploitation opportunity.
The Stuxnet Weaponised Malware is a very loud wakeup call as it has exploited the poor management practices of digital certificates that exist in many firms today. Implementing practices and policies for the management of digital certificates is an important and necessary component of a broad and wide security strategy. It is the one strategy that can detect the appearance of malware that utilizes digital certificates for authentication. Weaponised Malware has or will be aimed at every company in the Global 2000. The responsibility is to act before the weapon strikes.