cyber security
Cyber Security Attack Mitigations with BIG-IP features
ArvinF is back to share mitigation options for cyber security attacks using BIG-IP features. This article aims to make these attack mitigation options more visible and readily available.

Cyber Security Attacks

There are many types of cyber security attacks. I will limit this to the types that BIG-IP most often encounters.

Network Attacks
Network attacks are aimed at compromising, disrupting, or gaining unauthorized access to an organization's internal or external network, usually targeting communication protocols, devices, or services within the network.

Web Application Attacks
Web application attacks target weaknesses in web-based applications to gain unauthorized access to data, manipulate functionality, or exploit users.

Web application and network attacks are common, and they can affect the web application and network traffic processed through F5 Virtual Servers and, in some cases, the availability of the BIG-IP device itself.

Malware Attacks
Malware (malicious software) includes viruses, worms, Trojans, ransomware, and spyware designed to damage or gain control over a computer system.

BIG-IP Cyber Security Attack Mitigations

But First, Finding "Help"
I have always found it helpful to review the Help tab of the feature and configuration. While logged in to the BIG-IP Configuration utility on the specific BIG-IP Application Security Manager (BIG-IP ASM/Adv WAF) or BIG-IP Advanced Firewall Manager (BIG-IP AFM) menu, the "Help" tab contains details of the relevant configurations. If you click Launch, it opens in a new window. You can also click Expand All to view the documentation for each option.

On to the mitigation options.

Bot Defense Profile
Here is the description of the Bot Defense Profile templates, detailing the verification and mitigation each template (Relaxed, Balanced and Strict) provides. Take note of the Relaxed template's browser verification, as it uses "Challenge-Free Verification".
This means clients that do not support JavaScript, such as mobile applications, will not be blocked by the verification step, and the verification is less intrusive.

From K42323285: Overview of the unified Bot Defense profile
https://my.f5.com/manage/s/article/K42323285
Challenge-Free Verification: The default value when Profile Template is set to Relaxed. The system performs header-based verification but does not perform JavaScript verification.

The Balanced and Strict templates offer more stringent client verification. For the mitigation from Bot Defense to take effect, the profile must be in blocking mode.

Relaxed Mode
Defines a permissive security policy that performs basic non-intrusive verification of Browsers, strong verification of Mobile Apps using Anti-Bot Mobile Security SDK, blocks Malicious Bots and allows all other clients. Malicious Bots are detected mostly by using bot signatures. The mode provides a basic protection level with very low risk of false positives.

Balanced Mode
Defines a moderate security policy that performs advanced verification of Browsers, strong verification of Mobile Apps using Anti-Bot Mobile Security SDK, blocks Malicious Bots, initiates a CAPTCHA challenge for Suspicious Browsers, limits the total request rate produced by Unknown bots and allows Trusted and Untrusted Bots. Malicious Bots and Suspicious Browsers are identified by using both anomaly detection algorithms and bot signatures. This mode provides an advanced protection level with reduced latency impact because Browser verification is performed by injecting a challenge in the HTTP response.

Strict Mode
Defines a strict security policy that performs advanced verification of Browsers, strong verification of Mobile Apps using Anti-Bot Mobile Security SDK, and blocks all bots except Trusted Bots. This mode provides the most advanced and strict protection level using all capabilities of Bot Defense. Browser clients are not allowed to access unless they pass proactive verification.
Mobile client access requires the use of the Anti-Bot Mobile SDK.

Here is a sample log from Bot Defense detecting a client classified as a "Suspicious Browser". The Bot Defense profile that detected this bot request was configured with the "Relaxed" profile template.

Here is sample bot traffic detected and actioned by a Bot Defense profile. Notice the Alarm and Block events: a detected "Suspicious Browser" is not blocked but generates an Alarm, while a "Malicious Bot" is blocked.

DoS Protection Profile
For DoS Protection profiles, detection and mitigation can be configured as TPS-based or as Behavioral and Stress-based. The threshold for each can be configured as Manual or Automatic.

Manually configured TPS-based detection looks at defined conditions and thresholds by Source IP, Device ID, Geolocation, URL and Site Wide; when these are exceeded, the configured mitigation takes effect. The DoS Protection profile must be in Blocking mode for the mitigation to take effect.

When using automatic threshold configuration in the BIG-IP ASM/Adv WAF DoS Protection profile, the system starts with a wide range of values, then calculates the values using 7 days of historical data and sets the thresholds to the highest levels seen during normal activity (to minimize false positives).
Reference: K000138529: Understanding Automatic Threshold in BIG-IP ASM/Adv WAF DoS Protection profile

The "by Device ID" detection option uses JavaScript to identify clients and requires a Bot Defense profile with Device ID mode configured.
Here is the description of the conditions from the TPS-based detection configuration:
==================
Consider an IP as an attacking entity if either of the following conditions occur:
Relative Threshold: TPS increased by: <traffic percentage> and reached at least <TPS> transactions per second
OR
Absolute Threshold: TPS reached: <TPS> transactions per second
==================

Here is the description of the conditions when TPS-based detection is configured with Automatic Threshold:
==============
Consider an IP as an attacking entity if TPS reached an auto-calculated threshold in range <minimum TPS> - <upper limit TPS> transactions per second
==============

For environments that have a mix of web and mobile application clients, note that only the Request Blocking mitigation option does not use JavaScript to mitigate attacking clients.

The Behavioral and Stress-based detection threshold can also be configured as Manual or Automatic and has the same configuration options as TPS-based detection. The difference is that Server Stress is a requirement in this detection mode. Ensure that the DoS protection profile is in blocking mode.

From the Online Help
============
Behavioral & Stress-based Detection
In this area you can configure the system to prevent DoS attacks based on the server's health condition. An attack is detected if the system finds the server to be under stress and either of the TPS thresholds are crossed.
===========

Similar mitigation options are also available.

Another section of Behavioral & Stress-based Detection is Behavioral Detection and Mitigation, where Bad Actor detection and mitigation can be configured.

From the Online Help
=========
Bad actors behavior detection: Enables traffic behavior, server's capacity learning, and anomaly detection.
Request signatures detection: Enables signatures detection.
Use TLS fingerprints identification: Allows the system to distinguish between bad and good actors behind the same IP (NAT).
When disabled (default), any attack behind the NAT treats all users behind the NAT as attackers.
=========

Take note of Request signatures detection and Use TLS fingerprints identification, as these options are useful for identifying attacking clients behind a NAT device by way of TLS fingerprint, and clients with specific HTTP signatures.

Here are the Bad actors behavior detection mitigation descriptions. Review the protection levels and use what is appropriate for your needs.

Mitigation:
No mitigation: Learns and monitors traffic behavior, but no action is taken.
Conservative protection: If «Bad actors detection» enabled, slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server's health. If «Request signatures detection» enabled, blocks requests that match the attack signatures.
Standard protection: If «Bad actors detection» enabled, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server's health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server's health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server's health. If «Request signatures detection» enabled, blocks requests that match the attack signatures.
Aggressive protection: If «Bad actors detection» enabled, slows down requests from anomalous IP addresses based on its anomaly detection confidence and the server's health. Rate limits requests from anomalous IP addresses and, if necessary, rate limits all requests based on the server's health. Limits the number of concurrent connections from anomalous IP addresses and, if necessary, limits the number of all concurrent connections based on the server's health. Proactively performs all protection actions (even before an attack). Increases the impact of the protection techniques.
If «Request signatures detection» enabled, blocks requests that match the attack signatures. Increases the impact of blocked requests.

Regarding Server Stress
There are a couple of locations where Server Stress can be observed. A spike in Server Stress will trigger Behavioral and Stress-based DoS detection and mitigation if configured.

Protected Objects List
This is under Security ›› DoS Protection : Protected Objects : Protected Objects List. This menu is available when you have BIG-IP AFM provisioned. In this sample, notice the Server Stress is at 100/100, meaning the backend server is stressed and the latency of the server response is high. The protected object's attack status is "red", signaling an attack is ongoing and being mitigated.

In this sample, the detected attack is ongoing and the server stress value has gone down to 55/100. The request rate also shows the connections per second and has gone down.

Behavioral DoS Dashboard
Under the Statistics menu, click Dashboard, select Behavioral DoS in the Dashboard options and review Server Stress.

Here are sample DoS Application Events generated through a DoS protection profile:
TPS-based detection and mitigation
Behavioral detection and mitigation
The events provide insight into which DoS "Threshold condition" was exceeded and what "Mitigation" was applied to the detected "Attack (Attack ID)", also noting the start and end of the attack. Inspecting these events will help in figuring out a threshold you may apply.

DoS Dashboard under Security Reporting
When looking for details of the attack, the DoS Dashboard under Security Reporting provides insight on the detected attack and related entities and statistics. In this sample, the detected attack was triggered through App Behavioral and mitigated with Behavioral mitigation. Notice that the "transaction outcomes" show "Blocked Bad Actor", which means the transactions were blocked by the Bad Actor detection and mitigation configuration in the DoS protection profile.
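To make the TPS-based detection conditions quoted above concrete, here is an added Python model (not F5 code, and not a description of how BIG-IP implements the check internally) that evaluates the manual Relative/Absolute thresholds and the auto-calculated threshold range against constructed per-source request counts. The 10-second window, the per-source baselines, the history values and the handling of a source with no baseline are assumptions of this example.

```python
"""Simplified model of TPS-based DoS detection as described in the BIG-IP
ASM/Adv WAF online help text above.  Added illustration only; the windowing,
baseline and no-history rules below are this example's assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualTps:
    increase_pct: float   # Relative: "TPS increased by <traffic percentage>"
    min_tps: float        # Relative: "and reached at least <TPS>"
    absolute_tps: float   # Absolute: "TPS reached <TPS>"


def is_attacking_manual(current_tps, baseline_tps, cfg):
    """Relative threshold OR absolute threshold, as in the help text."""
    if baseline_tps > 0:
        increased = current_tps >= baseline_tps * (1 + cfg.increase_pct / 100.0)
    else:
        # Assumption of this model: with no baseline the percentage increase
        # is undefined, so the "reached at least" floor alone decides.
        increased = True
    relative = increased and current_tps >= cfg.min_tps
    absolute = current_tps >= cfg.absolute_tps
    return bool(relative or absolute)


def auto_threshold(history_tps, lower, upper):
    """Highest TPS seen during normal activity, clamped into the configured
    <minimum TPS> - <upper limit TPS> range (mirrors the help text)."""
    peak = max(history_tps) if history_tps else lower
    return max(lower, min(upper, peak))


def is_attacking_auto(current_tps, threshold):
    return bool(current_tps >= threshold)


def tps_by_source(events, window_seconds):
    """events: iterable of (timestamp_seconds, source_ip) within one window."""
    counts = Counter(src for _, src in events)
    return {src: n / window_seconds for src, n in counts.items()}


def _burst(src, n, window_seconds):
    # Constructed, evenly spaced request timestamps for one source IP.
    return [(i * window_seconds / n, src) for i in range(n)]


# Constructed sample window: one source bursting, one behaving normally.
WINDOW = 10
SAMPLE_EVENTS = _burst("10.0.0.5", 600, WINDOW) + _burst("192.0.2.7", 30, WINDOW)
BASELINE_TPS = {"10.0.0.5": 5.0, "192.0.2.7": 2.0}   # assumed learned normals
MANUAL = ManualTps(increase_pct=500, min_tps=40, absolute_tps=200)
HISTORY_TPS = [8, 12, 15, 9]                         # assumed 7-day normal peaks


def classify_sources(events, baseline, cfg, history, lower, upper, window_seconds):
    """Return per-source TPS plus the manual and automatic verdicts."""
    threshold = auto_threshold(history, lower, upper)
    verdicts = {}
    for src, tps in tps_by_source(events, window_seconds).items():
        verdicts[src] = {
            "tps": tps,
            "manual": is_attacking_manual(tps, baseline.get(src, 0.0), cfg),
            "auto": is_attacking_auto(tps, threshold),
        }
    return verdicts


if __name__ == "__main__":
    result = classify_sources(SAMPLE_EVENTS, BASELINE_TPS, MANUAL,
                              HISTORY_TPS, 10, 100, WINDOW)
    for src, verdict in result.items():
        print(src, verdict)
```

In this constructed window 10.0.0.5 runs at 60 TPS, which is both a 1100% increase over its 5 TPS baseline and above the 40 TPS floor, so the Relative clause fires even though the 200 TPS Absolute threshold is not reached; 192.0.2.7 at 3 TPS trips neither. The automatic variant clamps the historical peak (15) into the 10 to 100 range, which is why a wide range only loosens the auto threshold if normal traffic actually reached those levels.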
IP reputation, IP Intelligence license - a must have!
During DDoS attacks, it is very likely that some of the source IP addresses will have a bad IP reputation. Having the IP Intelligence license available on the BIG-IP provides mitigation for matched IP addresses. IP Intelligence can be used in BIG-IP LTM (iRules and LTM Policy), AFM (IP Intelligence Policy) and ASM/Adv WAF (Security Policy) configurations. Refer to the following links for sample iRule configurations.
https://clouddocs.f5.com/api/irules/IP__reputation.html
https://clouddocs.f5.com/api/irules/IP__intelligence.html
Note that the IP Intelligence feature requires an add-on license. Contact your F5 or Partner salesperson for details on ordering the license.

Cyber Security Attack Scenarios and Recommendations
As introduced earlier, here are cyber security attack scenarios that BIG-IP deployments encounter, with the corresponding mitigation options and configuration recommendations. These sample scenarios will be helpful in finding initial mitigation options using BIG-IP features, should one match your deployment configuration.

Scenario: DDoS attack on an F5 Virtual Server fronting a web application, and the BIG-IP has an ASM/Adv WAF license. There is no DoS protection or Bot Defense profile configured on the Virtual Server.
Recommendations:
For the DoS Protection profile, configure TPS-based and Behavioral and Stress-based Detection. Set detection thresholds and mitigations for both options as per your needs. You can monitor the traffic pattern on the Virtual Server you are protecting. Consider the clients that access the web application. If the clients are web browsers and mobile application users, use non-JavaScript (JS) based detection and mitigations. This allows mobile application clients that do not support JavaScript challenges to access the protected web application and ensures they are not blocked by JavaScript challenges or mitigations.
Another detection method is Bad Actor detection, configured under the Behavioral and Stress-based Detection menu. This feature slows down and rate limits requests from anomalous IP addresses based on its anomaly detection confidence and the server's health. Automatic Threshold can also be configured for TPS-based detection. For more information on HTTP-enabled DoS Protection configured with Automatic Threshold, refer to K000138529: Understanding Automatic Threshold in BIG-IP ASM/Adv WAF DoS Protection profile.

For the Bot Defense profile, configure the Relaxed profile template. This does not use JavaScript challenges to detect end clients and will allow mobile application clients that do not support JavaScript to access the protected web application.

Configure a logging profile that logs remotely to a trusted logging server for DoS protection and Bot Defense events.

Scenario: DDoS attack on an F5 Forwarding IP or Performance Layer 4 Virtual Server processing network traffic.
Recommendations:
Ensure DoS mitigations are available to protect the network traffic. BIG-IP AFM has DoS attack types for network-based DoS, and these can be set to Mitigate to detect and mitigate/drop excess packets for the matched attack type. These DoS attack types can be configured with Fully Manual or Fully Automatic thresholds. You should set detection and mitigation thresholds as per your needs. It is important to review the traffic statistics and pattern on the Virtual Server you are protecting. AFM threshold values are in EPS (Events Per Second), synonymous with Packets Per Second, and the observed traffic pattern can be the basis for the manually configured thresholds. Another method of defining the threshold is "Threshold Sensitivity", where the BIG-IP system CPU usage and traffic pattern are the basis. When AFM DoS attack types are configured as Fully Automatic, they use the "Threshold Sensitivity" configuration.
For BIG-IP Advanced Firewall Manager (AFM) systems protecting networks against Distributed Denial of Service (DDoS) attacks, DoS Auto Threshold sensitivity can be configured system-wide through Device Protection and per DoS Protection Profile.
A setting of High will be more sensitive to changes in BIG-IP system CPU usage and traffic.
A setting of Medium is the default configuration.
A setting of Low will be less sensitive to changes in BIG-IP system CPU usage and traffic.

From the BIG-IP Configuration utility, navigate to:
System wide: Security ›› DoS Protection : Device Protection
Per DoS Protection Profile: Security ›› DoS Protection : Protection Profiles, then select the specific profile
Reference: K000141430: Configuring BIG-IP AFM DoS Protection Threshold Sensitivity
https://my.f5.com/manage/s/article/K000141430

Scenario: DNS DDoS attack on an F5 DNS listener Virtual Server
Recommendations:
BIG-IP AFM has DNS attack types to detect and mitigate DNS DDoS attacks. If your BIG-IP does not have BIG-IP AFM licensed, it would be beneficial for the DNS service processed through the F5 DNS listener VS to have the mitigation options available from the DNS attack types in the AFM DoS Device Protection or DNS-enabled protection profile. Configure thresholds as per your needs. Here is a sample configuration from a lab device where the DNS A Query attack type in Device Protection is configured in the Mitigate state with Fully Manual detection and mitigation thresholds. Bad Actor Detection can also be configured with thresholds. It is also possible to configure it with a Fully Automatic threshold, which will depend on the Threshold Sensitivity configuration.

Scenario: DDoS attack on an F5 Virtual Server, and the attacking IP addresses need to be blocked
Recommendations:
BIG-IP AFM has Network Firewall Policy and rules that can be configured to match a source address list and drop its traffic.
This can also be done through iRules; however, AFM firewall rule configuration is a native feature and is built for such operations. The F5 SIRT created a playbook for HTTP brute force mitigation, and the LTM mitigation options include such configurations should you decide to use iRules and BIG-IP LTM features.
HTTP Brute Force Mitigation Playbook: BIG-IP LTM Mitigation Options for HTTP Brute Force Attacks - Chapter 3 | DevCentral

F5 also has K30534815: Attack mitigation matrix using F5 security products and services, which lists existing F5 Support articles for attack mitigation.
https://my.f5.com/manage/s/article/K30534815

During DDoS attacks, it is very likely that some of the source IP addresses will have a bad IP reputation, so it will be beneficial to have the IP Intelligence license available and use it in BIG-IP LTM (iRules and LTM Policy), AFM (IP Intelligence Policy) and ASM/Adv WAF (Security Policy) configurations; see the IP reputation section above for the sample iRule links and the add-on licensing note.

Scenario: BIG-IP device is suspected to be compromised.
Recommendations:
BIG-IP can be affected by malware, which finds its way in when the BIG-IP management and self (self-IP) IP addresses are exposed and configured with insecure or easy-to-guess BIG-IP user passwords. The BIG-IP product has had previous Critical CVEs where authentication was not needed to exploit the vulnerability. F5 has the article K11438344: Considerations and guidance when you suspect a security compromise on a BIG-IP system, which provides guidance on handling suspected compromised BIG-IP devices.
https://my.f5.com/manage/s/article/K11438344

To minimize the attack surface of a BIG-IP device against CVEs and unauthorized access, ensure that only trusted, authenticated users and networks have access to the BIG-IP management and self (self-IP) IP addresses, and that the BIG-IP device is running the latest BIG-IP software version. Do review the "Major Release and Long-Term Stability Release versions supported with active software development" section of K5903: BIG-IP software support policy, as it notes that the BIG-IP 15.1.x version reaches "End of Technical Support" on December 31, 2024.

Note: For BIG-IP Next (BIG-IP 20.x and later), refer to the BIG-IP Next software support policy.

Major Release and Long-Term Stability Release versions | First customer ship | End of Software Development | End of Technical Support | Latest maintenance release
17.1.x | March 14, 2023 | March 31, 2027 | March 31, 2027 | 17.1.1
16.1.x | July 7, 2021 | July 31, 2025 | July 31, 2025 | 16.1.5
15.1.x | December 11, 2019 | December 31, 2024 | December 31, 2024 | 15.1.10

K5903: BIG-IP software support policy
https://my.f5.com/manage/s/article/K5903

F5 Distributed Cloud
"F5 Distributed Cloud Services are SaaS-based security, networking, and application management services that enable customers to deploy, secure, and operate their applications in a cloud-native environment wherever needed–data center, multi-cloud, or the network or enterprise edge."
https://www.f5.com/products/distributed-cloud-services

F5 Distributed Cloud has many mitigation options for DDoS attacks. Volumetric DDoS can be handled by the F5 Distributed Cloud DDoS Mitigation Service. F5 Distributed Cloud Bot Defense mitigates complex bot attacks. It provides an integration option for your mobile application so it can be properly classified and detected as a trusted client.
See Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator
https://www.f5.com/products/distributed-cloud-services/bot-defense
https://www.f5.com/products/distributed-cloud-services/l3-and-l7-ddos-attack-mitigation

Conclusion
The cyber security attack scenarios and recommendations using BIG-IP features shared here are not exhaustive. There are more complex environments and scenarios in which BIG-IP deployments may have the opportunity to mitigate network and application attack traffic, and it is important that the appropriate BIG-IP licenses are available so the relevant modules can be provisioned and the related features and configuration enabled. This will help your environment's network and application traffic be resilient against DDoS attacks when BIG-IP is properly licensed, positioned and configured.

I hope the sample configuration, logs and configuration help details have been useful as you consider the BIG-IP feature mitigation options and improve your network, application and BIG-IP device security posture. Until next time!

The F5 SIRT creates security-related content posted here in DevCentral, sharing the team's security mindset and knowledge. Feel free to view the articles that are tagged with the following: F5 SIRT, series-F5SIRT-this-week-in-security, TWIS

“Phishing you say, well that’s not my problem.”
Yes, I heard this at a meeting with the CISO of a well-known establishment just the other day. This was a commonly held belief just a few years ago, and many who held it are now eating crow. When do you recognize that phishing is 'your' problem, and could be a costly one to ignore?

Efforts to help customers and employees learn how to protect themselves and not become victims of deception are important, but not nearly enough. Google did some research that showed 45% of people are still fooled by the best phishing scams, having their accounts hacked within 30 minutes. According to the report, even the least successful phishing scams, with success rates of around 3%, can be very dangerous when targeting millions with phishing emails.

Protecting your brand from the results of phishing threats (i.e., costly data breaches, widespread system infiltration, and unauthorized transactions) bears a greater responsibility. It requires an ongoing effort to identify and overtake attackers and shut down malicious services before you suffer what could be crippling losses.

It is certain that phishing attacks have played a key role in contributing to the vast number of credentials (over 300 million), banking information and personal (or corporate) identities for sale on the underground internet. Although keylogging, form grabbing and other spyware are commonly used tactics, there is increased use of fake phishing websites designed to look like legitimate login pages. These fraudulent websites successfully lure unsuspecting users into volunteering information. Supplemented by email or social media lures, phishing tactics have become a weapon of choice for many attackers and are also used to deploy malware packages, not only to gather valuable information but to ensure the success of larger exploits by controlling devices, evading detection, gaining access to protected, high-value information and assets, and executing a transaction or full attack on a specific application.
Verizon estimates that two-thirds of cyber espionage has a phishing component. Given what was reported about the Sony attacks, a phishing attack may have been instrumental in one of the most prominent data breaches of all time, resulting in a loss estimated to have reached 15 million dollars.

The point, however, is that guarding against phishing threats (and client-side credential theft) should be an area of focus for companies, institutions and agencies alike. Attackers are monetizing credentials, seeking high-value information, and seizing the assets of businesses of all sizes and types. Don't hold off protecting your users against threats that target them in order to breach your systems or execute fraudulent transactions.

Here are 4 best practices that can protect your customers, employees, and brand:
1. Obfuscate form fields: Slow the progress of attackers by obscuring form fields on internet-facing login pages and other forms where users input confidential information, making such fields ambiguous or unknown to attackers.
2. Encrypt information at rest in the browser: Protect information while users type within form fields, even before the information is submitted and then transmitted via SSL.
3. Protect against client-side malware: Identify at-risk devices that have been unlocked, are considered vulnerable, or contain malware.
4. Identify phishing sites before emails go out: Be informed when your website has been copied and uploaded to spoofed host servers, and when your customers have fallen victim to related phishing lures.

Give serious thought to this and don't wait until the price tag to resolve such matters reaches $15,000,000.00. Consider taking the above actions to improve your overall security posture and to protect against phishing threats and credential theft. You cannot expect employees or customers to always make the right choice when exploring the web.
Additionally, your security strategy and its effectiveness should not depend upon your users, nor require their involvement. Put measures in place to provide a degree of confidence that the information behind the internet-facing apps your customers and employees use is protected against attackers that may target them to gain access.

Visit https://f5.com/products/modules/websafe for more information about F5 solutions that extend application security to the client.

IT Security Cannot Be a "One-Size-Fits-All" Solution
This is adapted from the original post by Matt Miller.

Today's security landscape tends to be highly complex, largely because of the increasingly complex nature of network attacks, especially from an administrator's point of view. For example, distributed denial-of-service (DDoS) attacks now reach 400 Gbps and target both the network and application layers. Clearly, attackers keep evolving and developing other methods to bypass traditional security protections such as firewalls.

For enterprises facing the threat of application-layer DDoS attacks, the challenge to overcome is how to distinguish human traffic from bot traffic.

Furthermore, the motives behind attacks are increasingly complex, particularly from political and economic standpoints. For example, the US National Security Agency (NSA) leak, in which former employee Edward Snowden disclosed classified information from the governments of the United States, the United Kingdom, Australia, Canada and New Zealand, is a reminder that hacktivism must be taken seriously. In addition, one of the biggest threats to IT security today is organised online theft and fraud, as clever criminals increasingly understand that substantial financial gains can be made through online crime.

Ensuring adequate protection against network attacks has therefore become a key issue for enterprises. An effective security strategy must cover every device, application and network that employees access, and must extend across the enterprise's own infrastructure. Traditional security approaches such as next-generation firewalls and reactive security measures can no longer effectively counter the new types of attack. Security today places great emphasis on protecting applications and on encrypting and protecting user identities, and less on the underlying network infrastructure. This is because the network infrastructure has become less static and has proven to be merely a vehicle for running complex applications.

What enterprises need is a flexible and complete security strategy, one that can combine DNS security, DDoS protection, network firewalling, access management and application security with intelligent traffic management.

A Frost & Sullivan report (the Frost Industry Quotient) notes that the market is trending toward consolidation of Web Application Firewall (WAF) and Application Delivery Controller (ADC) platforms, which prompted F5 to develop a new perspective on the application delivery market called F5 Synthesis. This perspective provides a high-performance network fabric that protects the basic building blocks of an application (network, DNS, SSL, HTTP) against sophisticated DDoS attack threats.

Through tested reference architectures, F5 Synthesis ensures application security and availability as customers move toward software defined data centres (SDDS). Furthermore, F5's DDoS protection offers the most comprehensive attack protection currently on the market. The average DDoS attack reaches 2.64 Gbps, and after upgrading to F5's BIG-IP platform, servers can handle attack threats of up to 470 Gbps. This not only provides ample bandwidth to absorb DDoS attacks, but the extra capacity also allows online companies to maintain normal business operations, even while under attack.

Security is no longer a "one-size-fits-all" solution. End users expect high-performance services, and enterprises must ensure the security solutions they deploy do not become a bottleneck. We can expect to see multi-dimensional or "cocktail" attacks, that is, DDoS attacks combined with application-layer attacks and SQL vulnerability threats. Traditional firewalls are therefore no longer an effective defence; enterprises need to adopt a multi-stack security approach combined with internal control procedures. Faced with attack threats from different devices and multiple vectors, single-purpose security appliances will be replaced by highly capable multi-purpose devices.

Slave Malware Analysis
During the last couple of weeks, Nathan Jester, Elman Reyes, Julia Karpin and Pavel Asinovsky got together to investigate the new "Slave" banking Trojan. According to their research, the early version of Slave performed IBAN swapping in two steps, with great resemblance to the Zeus "man-in-the-browser" mechanism. First, the host header is compared to a hard-coded bank name. If the match is successful, the hard-coded HTML tag is searched for throughout the request body, and the content is swapped if it matches the IBAN pattern. Then, after the browser infection, which takes place in exactly the same manner as in the later version, the malware places hooks on the outbound traffic functions.

The latest version of Slave is, of course, much more sophisticated than the first one and includes creation of registry keys with random names, IE, Firefox and Chrome infections, kernel32.dll hooks and more. However, one of the most interesting capabilities of Slave is the timestamp check. As can be seen in the screenshot below, the malware is conditioned to run before April 2015 and not after, so the sample is basically "valid" for two weeks only, probably to avoid research and detection.

Click here to download the full technical Malware Analysis Report, or here for the Executive Summary Report. To learn more about F5 Security Operation Centers, visit our webpage.

-- Editor's Note: F5 and DevCentral do not condone the usage of the term 'slave' in the context of our technology. In this case the term 'slave' is a name, used to specify a particular piece of malware. We believe removing or changing the term here would only cause confusion and remove information necessary for effective application security.

Slave – IBAN swap, persistency and Zeus-style webinject
Slave is a financial malware written in Visual Basic. It was first seen around March 2015 and has undergone a significant evolution. Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities, such as credential theft, identity theft, IBAN swapping and fraudulent fund transfers.

Two weeks before the discovery of 'Slave', the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers, a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that 'Slave' started out with a simple IBAN swap capability and later progressed to more advanced capabilities such as persistency and Zeus-style webinjects.

If you want to deep-dive into the 'Slave' internals, click here to read the full technical Malware Analysis Report by F5 SOC.

--- Editor's Note: F5 and DevCentral do not condone the usage of the term 'slave' in the context of our technology. In this case the term 'slave' is a name, used to specify a particular piece of malware. We believe removing or changing the term here would only cause confusion and remove information necessary for effective application security.

UAE Cybersecurity Threat Landscape Growing in Intensity and Complexity
Leading UAE IT decision-makers agree that cybersecurity threats are growing in intensity and scale across the region. According to a new survey commissioned by F5 Networks, 81% of surveyed IT decision-makers believed their organisation was more vulnerable than ever to cybersecurity threats. 82% ranked their organisation's vulnerability to cybercrime, hacking and "hacktivism" as "very" or "extremely" vulnerable, and 79% agreed that it is more difficult than ever to protect their organisations from associated security threats. Worryingly, only 8% are completely confident their organisation has consistent IT security measures across its entire IT network.

34% said their marketing and sales efforts were most vulnerable to attacks, 28% cited email, 27% employee data and 24% customer information. Common cybersecurity threats include distributed denial of service (DDoS) attacks, phishing/spear-phishing emails, data theft, "zero-day" software assaults, web application exploits, and website defacement.

The top cybersecurity challenges listed in F5 Networks' survey include changing motivations for hacking (33% of respondents), the virtualization of server desktops and networks (31%), difficulty in managing a variety of security tools (29%), the increasing complexity of threats (29%), the shift from datacentre-focused infrastructure to the cloud (25%) and the move from traditional client-server applications to web-based applications (24%). In order to adapt and cope, 57% of decision-makers wanted a better understanding of the different types of security threats, 24% called for consolidated management of their different security tools, and 20% wanted a stronger focus on security issues from management.

Latest Developments in the Cybersecurity Threat Landscape in Saudi Arabia: "Attacks Are Stronger and More Complex Than Ever"
Leading IT decision-makers in the Kingdom of Saudi Arabia acknowledge that cyber threats are growing in intensity and on a wide scale across the Kingdom, putting companies at risk of damage to their reputation, standing and infrastructure. The results of a new study conducted by F5 Networks showed that nearly seven in ten of the surveyed companies (68%) classify cybercrime as a “severe” threat, while 75% of respondents said that their companies’ sales and marketing operations would be affected first by attacks. Worryingly, only 15% of respondents are confident that their organisations have robust IT security measures across their entire IT network. 84% of respondents said it had been very difficult to maintain a comprehensive security approach over the past three years. This is partly attributed to the emergence of cloud technologies, remote IT, and many other trends, including Bring Your Own Device (BYOD). 58% of respondents described the degree to which concern about cybersecurity threats has risen over the past two years as “tremendous” or “very strong”, while 66% reported that protecting their organisations against cybersecurity threats has become more difficult than ever. The list of common cybersecurity threats includes distributed denial of service (DDoS) attacks, fraud via email messages, data theft, “zero-day” malware attacks, exploitation of web applications, and website defacement. In this context, Mamduh Allam, Country Manager for F5 Networks in the Kingdom of Saudi Arabia, said: “Traditional security methods such as next-generation firewalls and other reactive measures have begun to lose the battle against the new, rising chain of attacks.” “Today, security solutions have become closely tied to protecting applications, applying encryption protocols, and protecting user identity, and less tied to supporting the network infrastructure.

Therefore, organisations need a flexible and comprehensive security strategy that has the ability to combine Domain Name System (DNS) security, protection against DDoS attacks, network firewalls, access management, and application security equipped with intelligent traffic management.” The size of the Kingdom’s booming cybersecurity market is seen as an indicator of the new cybersecurity threat landscape: according to a report by the market research firm MicroMarket Monitor, the market is expected to grow from US$1.51 billion in 2013 to US$3.48 billion in 2019, a compound annual growth rate of 14.50% over the period 2013 to 2019. More broadly, the MicroMarket Monitor report indicates that the Middle East cybersecurity market is on course to grow from US$5.17 billion in 2014 to US$9.56 billion in 2019, at a compound annual growth rate of 13.07%. In 2014, the 2014 Global Economic Crime Survey by PricewaterhouseCoopers ranked cybercrime as the second most common economic crime reported in the Middle East. The biggest cybersecurity challenges listed in the F5 Networks study include the complexity of managing a variety of security tools (50%), the shift from infrastructure-focused data centres to the cloud (48%), desktop and server virtualisation (42%), BYOD (40%), the growing desirability and flexibility of web applications (33%), and the increasing sophistication of threats (32%). As a result, 61% of those surveyed called for central management of security tools, and 61% wanted a greater focus on security from management. Meanwhile, when decision-makers were asked about the management solutions they wanted, their wish list included improved tracking and tougher action against cybercriminals by the authorities (54%), a better understanding of the wide range of common security threats (43%), and greater context awareness for devices accessing networks (28%).

Mamduh Allam added: “With the spread of multi-dimensional or multi-method attacks, such as DDoS attacks combined with application-layer attacks and Structured Query Language (SQL) vulnerabilities, organisations urgently need to consider a multi-layered security approach, integrated within a comprehensive process for managing internal controls.” Allam also praised F5 Networks’ Synthesis architecture as one of the successful approaches companies can adopt to stay ahead: it delivers high performance in network architectures in order to protect the core elements of the application (the network, DNS, Secure Sockets Layer (SSL) and HTTP) against sophisticated attacks. Thanks to its support for a flexible, multi-tenant, high-performance services fabric, it enables customers to deliver fast and economical Layer 4 through 7 services to anyone, at any time, without restrictions. Software-Defined Application Services (SDAS) also build on Layer 2 through 3 network and compute-based efforts by filling the gap in supporting the critical Layer 4 through 7 services. A comprehensive set of management and control APIs ensures integration and interoperability with software-defined networks and virtual systems, as well as the cloud.

Saudi Cybersecurity Threat Landscape “More Intense and Complex Than Ever”
Leading Saudi IT decision-makers agree that cybersecurity threats are growing in intensity and scale across the Kingdom. The situation is putting businesses at risk of hits to both reputation and bottom line. A new survey commissioned by F5 Networks found that nearly seven in ten of surveyed businesses (68%) regarded cybercrime as a “severe” threat. 75% of respondents said that their business’ sales and marketing efforts would suffer most from an attack. Worryingly, only 15% are confident their organisation has consistent IT security measures across its entire IT network. 84% claimed that it has become harder in the past three years to maintain a consistent security posture. This is partly due to the rise of cloud, off-premise IT and trends such as Bring Your Own Device (BYOD). 58% of respondents described the degree to which fear of cybersecurity threats had increased in the past two years as “tremendous” or “very strong”, whereas 66% reported that it is more difficult than ever to protect their organisation against cybersecurity threats. Common cybersecurity threats include distributed denial of service (DDoS) attacks, phishing/spear-phishing emails, data theft, “zero-day” software assaults, web application exploits, and website defacement. “Traditional security methods such as next generation firewalls and other reactive measures are losing the fight against a new breed of attacks,” said Mamduh Allam, Saudi Arabia Country Manager, F5 Networks. “Security is now very much about the protection of the application, enforcement of encryption, the protection of user identity, and less about the supporting network infrastructure.
Organisations need a security strategy that is flexible and comprehensive, with the ability to combine Domain Name System (DNS) security, DDoS protection, network firewalls, access management, and application security with intelligent traffic management.” The Kingdom’s burgeoning cyber security market size is indicative of the new cybersecurity threat landscape. According to MicroMarket Monitor, the market is expected to grow from US$1.51 billion in 2013 to US$3.48 billion in 2019 at a CAGR of 14.50% for the period 2013 to 2019. For the wider region, MarketsandMarkets suggests that the Middle East cybersecurity market is on course to grow from US$5.17 billion in 2014 to US$9.56 billion in 2019 at a CAGR of 13.07%. In its 2014 Global Economic Crime Survey, PricewaterhouseCoopers identified cybercrime as the second most common form of economic crime reported in the Middle East. The top cybersecurity challenges listed in F5 Networks’ survey include the complexity of managing a variety of security tools (50%), the shift from data-centre focused infrastructure to the cloud (48%), desktop and server virtualisation (42%), BYOD (40%), the growing desirability and flexibility of web-based applications (33%) and the increasing complexity of threats (32%). As a result, 61% called for greater consolidation of security tool management. 61% also wanted to see a stronger focus on security from management. When asked about desired coping solutions, the decision-makers’ wish-lists included improved tracking and tougher actions on cybercriminals by authorities (54%), better understanding of the wide variety of live security threats (43%) and more context-awareness for devices accessing networks (28%).
“With multi-dimensional or 'cocktail' style attacks – DDoS attacks combined with application layer attacks and Structured Query Language (SQL) vulnerabilities – organisations really need to look at a multi-stack security approach, combined with a process to handle internal control,” said Allam.

Dyre Malware Analysis
Dyre, also known as Dyreza, is a banking Trojan that was first seen around June 2014. With the combination of its ability to steal login credentials by browser hooking and bypassing SSL, its man-in-the-middle (MITM) proxy server, and its Remote Access Trojan (RAT) capabilities, Dyre has become one of the most dangerous banking Trojans. The Dyre Trojan is designed to steal login credentials by grabbing the whole HTTPS POST packet, which contains the login credentials sent to a server during the authentication process, and forwarding it to its own server. The malware downloads a configuration file containing a list of targeted bank URLs. Each URL is configured to be redirected to Dyre’s MITM proxy server, on a different port for each bank. This allows the attacker to perform a MITM attack by forwarding any user request to the bank and returning bogus data, including fake login pages, popup windows, and JavaScript/HTML injections. After all the information has been acquired by the attacker, he can remotely access the victim’s computer using a built-in VNC (Virtual Network Computing) module and perform transactions, data exfiltration, and more.

How it works

Malware behavior on a Win7-32bit system

Surprisingly, the malware behaves differently on Win7-32bit, most likely due to security implementation differences. The method of registering itself as a system service is implemented on WinXP and 64bit systems (tested on Win7-64bit). On Win7-32bit, Dyre operates more similarly to the known Zeus malware by injecting code into the Explorer.exe process and operating from there.
Man-In-The-Middle (MITM) Attack

When a user enters his bank’s URL in the browser address bar, the Trojan is triggered and forwards the URL to the corresponding proxy server as stated in its configuration file.

· The MITM proxy server forwards requests to the bank and disguises itself as the real user.
· The returning response from the bank is intercepted by the proxy server.
· Instead of the real response, the user receives a fake login page which is stored on the proxy server and contains scripts and resources from the real bank’s page. The scripts and resources are stored in folders named after the unique port configured for each bank.
· The information entered by the user is sent to the proxy server and then forwarded to the real bank server, allowing the attacker to log in instead of the user and perform operations on his behalf.

The fake login page

The fake page contains a script called main_new, which is responsible for handling the objects presented to the user on the fake page and performing the MITM attack. The fake page contains an array of configuration parameters in the header. Some of the more interesting ones are:

· ID. The unique identification of the bank, which is the same as the port number in the configuration file.
· Incorrect login error. On each login attempt to the bank, the proxy server will forward the request to the real bank’s server and perform the authentication. If the authentication fails, it will also present an error to the user on the fake page.
· Block message. If the MITM attack succeeds, the attacker is able to perform a transaction and block the user from accessing his account. This parameter stores the message presented to the user.

The F5 Solution

Real-time identification of affected users – F5 WebSafe and MobileSafe are able to detect that a user is affected by a Trojan and that the information the user provides to the customer’s site is also being sent to an unauthorized drop zone.
Identification of malicious script injection – once downloaded to the client’s browser, WebSafe and MobileSafe make sure there has been no change to the site’s HTML. If such a change is detected, the customer is notified immediately.

Protection against Trojan-generated money transfers – the combination of recognizing affected users, encrypting information, and recognizing malicious scripts is key to preventing Trojans from performing unauthorized actions within the account. WebSafe and MobileSafe detect the automated attempts and intercept them.

Malware research – F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat.

To get the full technical detailed Malware analysis report, click here. To download the executive summary, click here.

iBanking Malware Analysis
Co-Authored with Itzik Chimino.

---

iBanking is malware that runs on Android mobile devices. It is delivered via a new variant of the computer banking Trojan Qadars, which deceives users into downloading the iBanking malware on to their Android device. It can be used with any malware capable of injecting code into a web app. The malware enables cybercriminals to intercept SMS and bypass the two-factor authentication methods used by several banks throughout the world to authorize mobile banking operations. iBanking malware acts as a spy that can also grab contact lists, steal bank account details, forward incoming voice calls, and record the victim’s voice, which enables it to overcome the voice recognition security features that financial institutions are beginning to implement. Cyber criminals ultimately utilize iBanking malware to transparently complete money transfers on behalf of the infected, targeted users.

How the attack works

Focusing specifically on the new variant of iBanking malware that targets Facebook users, the attack begins by infecting users’ devices with the Qadars banking Trojan via a drive-by download from an unsuspecting website. Qadars then intercepts the webpage and uses JavaScript to inject code into the webpage – in this case, a Facebook page – that presents users with a fake verification pop-up page upon initial login. This page requests the victim’s phone number and Android device confirmation. The victim then receives an SMS message on the verified device, which directs him to a page with instructions to download added security. Once the victim installs the iBanking malware, it cannot be removed if it was given admin rights during the install process.

Remote control of the infected device

Once the malware is activated by the user on his smartphone, the attacker gains administrator permissions on the device. The attacker can now control a vast number of functions, such as:

1. Allows applications to change network connectivity state.
2. Allows an application to send/read SMS messages.
3. Allows an application to automatically start when the system boots.
4. Allows an application read-only access to phone state.
5. Allows an application to access approximate location derived from network location sources such as WiFi and cell antennas.
6. Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
7. Allows an application to open network sockets.
8. Allows an application to write to external storage, such as modifying/deleting SD card contents.
9. Allows an application to read the user's contacts data.
10. Allows an application to record audio such as phone calls and voice messages.

Click here to read the full technical iBanking Malware Analysis Report by F5 SOC. To read more about F5 Global Security Operation Centers, click here.