NEW VIDEO: Security Weekly - How to protect AWS metadata services (used in Capital One breach). Watch now!

Cloud Workload Protection Products at Risk with New Cyber Attack

Security products are meant to prevent cyber attacks. What happens, then, when a cyber attack, namely malware, is used to uninstall security software designed specifically to prevent public cloud infrastructure compromise? This is precisely what happened with a new malware variant discovered by Palo Alto Networks’ Unit 42. According to the published report on the firm’s website, the so-called “Rocke” group created malware to exploit compromised Linux servers of five Chinese cloud workload protection platform providers, then used administrative privileges to uninstall the security software.

Unlike most malware, the attacker’s code did not attempt to subvert or compromise the security software. Rather, Unit 42 observed that the malware simply removed the agent-based security products, leaving the system more vulnerable to cloud-based cyber attacks while making detection more difficult. In this case, the goal was to install and run cryptomining software, but this technique could just as well have been a precursor to installing ransomware or any other malicious code. Attackers have used this technique in the past on private networks and traditional antivirus software. It is not surprising to see it evolve to specifically target cloud workload protection software on hosted networks.

As Occam's Razor states, the simplest solution is often the best. Trying to hide malicious activity from a security agent or masquerade as legitimate software can be difficult, requiring a lot of tinkering and testing against all potential targets. It's a lot easier to simply uninstall the software that stands in your way, if you can do it. And that's exactly what this latest Rocke malware does. Most security products do not protect against uninstallation as long as you have administrative privileges, nor do they flag this activity as something suspicious.

The attack methodology

The attack process detailed on Palo Alto’s site is pretty straightforward: Exploit a known vulnerability to establish a command and control connection, download a shell script, achieve persistence, kill any conflicting services, uninstall cloud workload protection software, cover tracks. What’s interesting here is that Rocke seemingly used uninstall instructions from the providers’ websites to carry out the attacks. This is not a sophisticated adversary attack, but a highly effective one nonetheless.

Stay on the cutting edge. Subscribe to our blog.

Although only a small number of cloud workload providers were identified as having been affected, it raises questions about the efficacy of cloud workload protection software—or any installed software—in an enterprise’s public cloud. In this case, the adversary exploited well-known and highly advertised vulnerabilities including the infamous Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion to achieve their mission. Getting in was the easy part. Since most mature security organizations assume compromise is inevitable, this is when additional layers of security are supposed to raise alarms. But if those detection products are uninstalled, uh oh.

Because this attack effectively penetrated north-south perimeter defenses and immediately gained administrative control, most traditional security products would have trouble stopping progression and limiting the “blast radius,” i.e., preventing the malware from removing the security software, in real time. Intrusion detection/intrusion protection systems may pick up on suspicious network behavior, but by then, the damage is likely done.

Establishing zero trust control

Edgewise has thought long and hard about this problem: How do we stop cyber attacks from progressing? It’s impossible to prevent vulnerabilities and therefore impossible to prevent attackers from gaining access to the network (whether that network is on-premises or in the public cloud) and installing malware. It’s not, however, impossible to prevent any new software or services from communicating and therefore causing damage on the network, even if those software and services have been installed using admin privileges.

The key is combining zero trust principles and software identity-based authorization and authentication. When new software or services appear on the network and try to communicate, Edgewise verifies their cryptographic fingerprint before a request is sent. But that’s not all; Edgewise uses symmetric verification to re-authenticate the legitimacy of the software or service again before it’s allowed to connect to the intended host/application/server. This process ensures that even if software is tampered with in transit it cannot connect and propagate an attack — malware would be contained and prevented from doing further damage. In the case of this Rocke attack, the command-and-control would have been prevented. All communication inside an Edgewise-managed network is treated as malicious and if it doesn’t match a verified identity, execution is denied. Moreover, the Edgewise agent employs tamper-resistance countermeasures and alerts on the backend should an agent be uninstalled or lose heartbeat.

In an article on Threat Post, researchers at Palo Alto question whether ”agent-based cloud security solution[s] may not be enough to prevent evasive malware targeted at public cloud infrastructure.” But Edgewise was built precisely for this purpose — to protect public cloud and other virtual infrastructures. Only Edgewise uses the cryptographic identities of software and services—as opposed to address-based information—as the basis for security control. This means that even when the attackers get in, they can’t use the network itself to further an attack.

Harry Sverdlove, Founder and CTO

Written by Harry Sverdlove, Founder and CTO

Harry Sverdlove, Edgewise’s Chief Technology Officer, was previously CTO of Carbon Black, where he was the key driving force behind their industry-leading endpoint security platform. Earlier in his career, Harry was principal research scientist for McAfee, Inc., where he supervised the architecture of crawlers, spam detectors and link analyzers. Prior to that, Harry was director of engineering at Compuware Corporation (formerly NuMega), and principal architect for Rational Software, where he designed the core automation engine for Rational Robot.