Regin is a stealthy, top-tier espionage tool. As Symantec published on their blog, “It is likely that its development took months, if not years, to complete and its authors have gone to great lengths to cover its tracks. Its capabilities and the level of resources behind Regin indicate that it is one of the main cyberespionage tools used by a nation state.”
This sophisticated malware is multi-stage. The first stage decrypts and loads another, with this process continuing until up to five stages are loaded. It is also modular, allowing the tool to be tailored to individual targets. According to Symantec, “The threat’s standard capabilities include several Remote Access Trojan (RAT) features, such as capturing screenshots, taking control of the mouse’s point-and-click functions, stealing passwords, monitoring network traffic, and recovering deleted files.”
Regin’s design makes it quickly adaptable to different targets. Symantec reports finding various infection vectors, which suggests that the first stage was designed to allow many different exploits to be used. In other words, this is very expensive malware used for targeted attacks.
Other revelations have exposed an array of cyberweapons targeting the endpoint. In November 2014, Dutch media outlet NRC reported that the NSA had infected more than 50,000 computer networks worldwide with malware designed to steal information. Other leaked documents suggest that malware has been delivered by impersonating social media sites such as Facebook and LinkedIn as well as through email spamming.
“This week, a number of media outlets reported allegations that the National Security Agency has intercepted IT equipment while they were in transit from manufacturers to customers. While the reports included a photograph purportedly showing a Cisco product being modified, this issue affects an entire industry that depends on a global supply chain and global shipments. We ship our products from locations inside, as well as outside the United States, and if these allegations are true, these actions will undermine confidence in our industry and in the ability of technology companies to deliver products globally.”
Government agents and criminals are attacking systems using the same basic methodologies. Some have significantly larger budgets, but the fundamentals remain the same whether the adversary is a government intelligence agency or a criminal gang seeking payment card information. Endpoint exploration is the goal.
Attacks against endpoints will continue to escalate for four reasons:
1. Properly implemented strong cryptography works. While it is theoretically possible to break any encryption system by applying enough computing power, the proposition quickly becomes cost and time prohibitive.
2. Endpoints have access to a lot of information that is not transmitted. Turning on a PC’s camera and microphone, keystroke and screen recording, and searching files on the local system provides access to information that is not usually found traversing the network.
3. Advanced threat agents seek to dominate their victim’s IT infrastructure and this requires lateral movement. Infecting an endpoint — especially one used by a privileged user — is the easiest and fastest way to accomplish this.
4. Some threat agents desire the ability to destroy an adversary’s data, shut down, or even destroy their systems in addition to spying on them. Integrity and availability attacks are much easier to commit once an organization has been infiltrated by malware.
An overwhelming threat faces endpoints and existing defences are not stopping advanced threats. Better approaches are necessary to combat targeted malware, secure firmware, and protect the endpoint.