A Thing
The Green SheetGreen Sheet

Friday, June 22, 2018

Vectra finds tunnels in encrypted web traffic

The 2018 Spotlight Report on Financial Services, published by Vectra Co. on June 20, describes how cybercriminals use hidden tunnels to access encrypted networks. Researchers believe this methodology may have been used in the 2017 Equifax data security breach, when hackers stole 145.6 million consumer records while remaining undetected for 78 days.

Chris Morales, head of security analytics at Vectra, observed that hackers mimic user behavior to blend into networks, which makes them difficult to expose. Once they are in a network, they burrow even further, escaping detection while setting up remotely accessible command and control centers to exfiltrate data.

"What stands out the most is the presence of hidden tunnels, which attackers use to evade strong access controls, firewalls and intrusion detection systems," he stated. "The same hidden tunnels enable attackers to sneak out of networks, undetected, with stolen data."

Chris Prevost, vice president, solutions at Prevoty Inc., has seen criminals use social engineering and remote command injection (RCI) to target protected networks. "Last year, we saw some very interesting RCI exploit payloads targeting web applications/web services that relied on old, vulnerable versions of the Struts 2 framework to execute unwanted commands on the victims' web servers," he stated. "Preventing attacks on web applications/web services often boils down to the basics ‒ make sure the code that you deploy is free from security bugs."

Prevost said it can be challenging to protect websites that use third-party, multilayered software. He recommends implementing code review and security testing using web application firewalls and runtime application self-protection technologies to improve protection and visibility. "A multilayered, defense-in-depth strategy targeting attacker reconnaissance, ingress, lateral movement and exfiltration is the best practice and really the only way to lower the risk of a serious breach," he said.

Implement post-breach protections

Robert Capps, vice president, business development at NuData Security, a Mastercard company, urges retailers and ecommerce companies to protect consumers from identity theft. "Bad actors continue to dig tunnels to access private data, but the real concern is, what are they doing with that data?" he said. "Account takeover is the main outcome of stealing personal data, so being able to protect users beyond their credentials is key to block post-breach damage." Advanced biometrics and behavioral analysis can stop fraudsters from using stolen data to log into someone else's account or to create synthetic identities, Capps noted. "Many global merchants have successfully incorporated passive and active biometrics and behavioral analytics to verify customer identities through the real-time analysis of hundreds of indicators derived from the user's online behavior," he added. "This approach isn't solely reliant on static data such as passwords and challenge questions, and it obfuscates much of what would attract bad actors seeking to steal and sell or reuse consumer data."

Plug hidden tunnels

Will LaSala, director of security solutions and security evangelist at OneSpan, said organizations sometimes unwittingly create vulnerabilities that become exploited by hackers. "Hidden tunnels should be protected at all times," he said. "Many app developers put holes through firewalls to make services easier to access from their apps, but these same holes can be exploited by hackers. Using the proper development tools, app developers can properly encrypt and shape the data being passed through these holes." LaSala advises developers to use secure application programming interfaces and encrypted data within an application before applying a network layer, suggesting it will protect apps from remote command injections. Rushing to implement a new feature to maintain customers or to increase business may lead to situations where a hidden tunnel is created and not secured, he noted.

A multilayered security approach to application development can be an effective deterrent to malicious hidden tunnel attacks, LaSala said. "By leveraging development tools that create end-to-end secure communications whenever a hidden tunnel is needed, developers can start with a solid foundation of security before hackers attack," he added. "Applying application shielding techniques can often harden the application from attack even further." end of article

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

2021 2020 2019 2018 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007
A Thing