Enterprise Server Defenses Need to Catch Up to Modular Malware

Just as antibiotic-resistant strains of bacteria give nightmares to medical epidemiologists, modular malware systems are doing the same to cyber defenders. New variants of modular malware appear weekly, if not daily, and they are designed to target Linux and Windows servers. Xbash, AdvisorsBot, and Marap are a few examples of modular malware, a category that doubled in 2018 and will accelerate further in 2019.

Discover, Compromise and Execute...

Malware systems discover new targets by port scanning Internet-facing servers. Once in, a module scans for further targets within the intranet. These modules have advanced from simple IP/port scanning to URI scanning as well. Newer modules can potentially scan for other criteria and do so more quietly, which will make network-based detection and network isolation even more difficult.
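Both discovery behaviours described above leave traces in logs most servers already collect. The following is an added example, not code from the original article or from any vendor: it flags intranet port-scan fan-out from connection records and URI probing from web-access records. The record layouts, addresses and thresholds are constructed assumptions for the illustration.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port): one host fans out across
# the intranet to ports of the kinds of server apps the article lists.
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443), ("10.0.0.5", "10.0.0.20", 443),
    ("10.0.0.9", "10.0.0.21", 6379), ("10.0.0.9", "10.0.0.21", 8080),
    ("10.0.0.9", "10.0.0.22", 6379), ("10.0.0.9", "10.0.0.22", 27017),
    ("10.0.0.9", "10.0.0.23", 3306), ("10.0.0.9", "10.0.0.24", 8161),
]

# Constructed web-access records (src_ip, uri_path, status): one host probes
# many distinct paths and mostly receives 404s, the shape of URI scanning.
WEB = [
    ("10.0.0.5", "/index.html", 200), ("10.0.0.5", "/app/login", 200),
    ("10.0.0.9", "/phpmyadmin/", 404), ("10.0.0.9", "/manager/html", 404),
    ("10.0.0.9", "/solr/admin/", 404), ("10.0.0.9", "/admin/", 404),
    ("10.0.0.9", "/index.html", 200),
]

# Thresholds below are assumptions; tune them to the real network's baseline.

def port_scan_sources(flows, min_targets=5):
    """Sources that touched at least `min_targets` distinct (host, port) pairs."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    return sorted(src for src, seen in targets.items() if len(seen) >= min_targets)

def uri_scan_sources(web, min_paths=4, min_404_ratio=0.5):
    """Sources that requested many distinct paths and mostly got 404 responses."""
    paths = defaultdict(set)
    totals = defaultdict(int)
    not_found = defaultdict(int)
    for src, path, status in web:
        paths[src].add(path)
        totals[src] += 1
        if status == 404:
            not_found[src] += 1
    return sorted(
        src for src in paths
        if len(paths[src]) >= min_paths and not_found[src] / totals[src] >= min_404_ratio
    )

if __name__ == "__main__":
    print("port-scan candidates:", port_scan_sources(FLOWS))  # ['10.0.0.9']
    print("URI-scan candidates:", uri_scan_sources(WEB))      # ['10.0.0.9']
```

A quieter scanner spreads the same fan-out over time, so in practice the counts should be kept per source over a sliding window rather than over a single batch.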

These tools relentlessly and mercilessly exploit the mistakes of IT/Sec-Ops personnel: missing software patches, weak passwords, poor network segmentation, and so on. Being self-updating, they can also readily pull in a module for a zero-day exploit, so even a mistake-free environment is vulnerable.

Using various methods, malware compromises a legitimate app on the server (IIS, Apache, Redis, Hadoop, ActiveMQ, MySQL, MongoDB, etc.). Once in, it uses obscure scripting tools and polymorphic executables already on the server to evade detection tools, employs tactics designed to evade EDR/behavior analytics, and tricks machine learning models. Most anti-exploit controls are too generic to prevent app exploitation. Evolving malware uses elevated privileges to uninstall security tools and hides its processes with rootkit tactics.

Too many security tools rely on detect and react. But there is no "react" once the security tool is uninstalled. Xbash has done this to a few tools; newer modules will do so to more endpoint protection tools. With or without security tool removal, Xbash and other malware use rootkit tactics to make malicious processes invisible.

After hijacking the system, different modules serve different purposes such as ransomware, crypto-mining, espionage, and/or proliferation. Cyber defenders trying to detect these compromises already struggle to investigate even half of the alerts their tools generate, while EDR/behavior analytics agents must capture ever more data in the hope of detecting malice. This impacts server performance and further complicates network isolation.

What Can Cyber Defenders Do with the Tools They Have?

Malware such as Xbash is highly dependent on C2 and active scanning. Aggressive external/internal default-deny network isolation helps, and it does not require guessing whether a packet or frame is good or bad. This is far from perfect, but the investment can prove more practical over time than network intrusion detection data and alerts. Entity User Behavior Analytics (EUBA) and specialized database monitoring tools can help too, but like most detection tools they are labor and skills intensive.

Effective patch management and robust authentication can be impactful solutions. On the flip side, how often have we read a forensics report pointing to a broken patch as the cause of a breach? And if a malicious process does gain privileged run-time, those strong passwords may not save the day either.

Try Something Different: Apply Zero Trust WITHIN the Servers

Rapidly evolving modular malware such as Xbash uses the legitimate resources already within the servers against the cyber defenders. Zero trust within the endpoint is based on the premise that applications, utilities, files, scripts, and even privileges might be used for malicious purposes at any moment. Consequently, it contains and isolates them and applies default-deny to block the actions an attack needs in order to succeed. The alternatives rely on the far more labor and skills intensive work of distinguishing the infinite possibilities of good from bad and normal from abnormal. Zero trust within the endpoint equates to better protection with less operational effort.

If an Xbash-like attack hijacks a server app by exploiting a missing or broken patch or a zero-day vulnerability, or if it is a dictionary attack against a weak admin password, any attempted harmful file or memory actions are blocked, even if the acting process has elevated privileges. If an attack loads any script or executable files onto a server, they are not considered trustworthy to launch.
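To make the default-deny idea in the two paragraphs above concrete, here is an added toy policy evaluator. It is not AppGuard's implementation or any vendor's code: it models launch decisions by code provenance rather than by requesting privilege, plus a set of protected objects that no runtime process may alter or terminate. The directory lists, event fields and the constructed trace are assumptions for the illustration.

```python
from dataclasses import dataclass

# Code may launch only from these read-only trees (assumption for the example).
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/opt/app/bin/")
# Anything launched from a runtime-writable location is refused outright.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/var/www/")
# Objects no runtime process may alter, unload or terminate (assumption).
PROTECTED = ("/opt/edr/", "/etc/edr.conf")

@dataclass(frozen=True)
class Event:
    kind: str              # "exec", "write", "unlink" or "kill"
    path: str              # executable to launch, or object being acted on
    uid: int               # requesting user; 0 is root
    dropped: bool = False  # file was created or modified after policy was armed

def decide(ev: Event) -> str:
    """Return 'allow' or 'deny:<reason>'. Privilege never relaxes a rule: the
    decision turns on where code came from and what it touches, not who asks."""
    if ev.kind == "exec":
        if ev.path.startswith(WRITABLE_DIRS):
            return "deny:launch-from-writable-location"
        if ev.dropped:
            return "deny:launch-of-dropped-file"
        if not ev.path.startswith(TRUSTED_DIRS):
            return "deny:not-in-allowlist"
        return "allow"
    if ev.kind in ("write", "unlink", "kill"):
        if ev.path.startswith(PROTECTED):
            return "deny:protected-resource"
        return "allow"
    return "deny:unknown-event-kind"

# Constructed trace of the chain the article describes: a hijacked web app
# drops a script, tries to run it as root, then tries to remove the EDR tool.
TRACE = [
    Event("exec", "/usr/sbin/httpd", 33),
    Event("write", "/var/www/html/.x.sh", 33),
    Event("exec", "/var/www/html/.x.sh", 0),
    Event("exec", "/opt/app/bin/worker", 0, dropped=True),
    Event("kill", "/opt/edr/agent", 0),
    Event("unlink", "/etc/edr.conf", 0),
]

if __name__ == "__main__":
    for ev in TRACE:
        print(f"{ev.kind:6} {ev.path:24} uid={ev.uid} -> {decide(ev)}")
```

Note that the write into the web root is allowed: the policy does not need to judge every file operation, only to refuse launching what was written and to shield the protected objects.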

In addition to preventing a potentially bad app from harming the rest of the server, isolation prevents the rest of the server from harming or stealing from an app and its resources. A mission-critical app keeps running safely despite the presence of some other malicious process on the server.

AppGuard's zero trust endpoint protection prevents termination, alteration, or uninstallation of itself and extends this protection to other OS and security tools on the same server.

AppGuard can also deal with the lateral movement tactics of NotPetya and Xbash-like attacks. Credentials in memory and in files are inaccessible to the malware. Should a nearby server without AppGuard attempt a remote code execution attack, this would be blocked too.

All in all, AppGuard’s zero trust delivers better protection for less effort, and it does all this with the lightest server and network footprint in the industry.