Are you sure you are well protected by your next-gen antivirus solution?
"It all began at six o'clock in the morning, when the CISO of one of our customers reached out to our CSIRT emergency line. This customer had just been hit by ransomware that encrypted their file servers. The CISO was astonished by the extent of the damage. He was particularly frustrated, as he thought he was well protected by his reputable anti-virus & malware solution that should have blocked ransomware, zero-days and advanced attacks. He never thought such malware could break into his systems and knock them down so quickly." Approach CSIRT Consultant, David BLOOM.
"We conducted some investigations that revealed the antivirus was correctly installed and configured, and was up to date. So what went wrong?" Approach CSIRT Manager, Marc STERN.
Can we really trust an antivirus solution when it claims to protect against unknown threats?
To provide a substantial answer to this question, we simulated a similar attack in our cyber lab. A few days had passed in the meantime, so the ransomware was no longer a zero-day. We therefore used malware developed in-house to simulate the attack: a fairly simple Python script packaged as an executable.
Watch the attack simulation conducted in our cyber lab
- The first tests with a classical ransomware were successful… from the perspective of an attacker. All targeted files were encrypted without any alert from the antivirus.
- So, we went a little deeper to test the effectiveness of the AV against a wider variety of attacks. We developed malware implementing a remote shell and other functionality, such as an exploit based on a vulnerability that had been known for several months. Then we executed it on an outdated Windows 10 workstation to check whether at least one part of the malware would be detected.
- We reproduced our customer’s antivirus environment with an up‑to‑date Sophos Advanced Endpoint Protection and Sophos Intercept X with all security features enabled.
We ran similar tests with antivirus solutions from three other major vendors, and only one performed better. It is certainly not our intention to suggest that the Sophos antivirus is worse than the others, but we find it difficult to accept meaningless claims like “protection against unknown threats”, or explicit claims about detection and blocking mechanisms that proved not to be effective.
As demonstrated in this attack simulation, a security solution alone is not a sufficient guarantee of effective protection if you don’t have, at least, an up-to-date system (in this case we exploited an old vulnerability), good technical policies, other layers of defense and user awareness.
Malware has been a major threat for many years; hackers and security researchers find new evasion techniques every day, and antivirus companies do impressive work to help make the internet safer, but we deplore intensive marketing based on buzzwords and statistics that gives the end user a false feeling of total security. The user is, and will probably remain for a while, the weakest link in the security field.
Thanks to our various consulting, training and implementation services, Approach can help significantly increase your level of security.
Please contact our CSIRT team! We are happy to discuss your needs and concerns.
Description of our attack scenario
What we demonstrate in these tests is that it is possible to take control of a remote computer by acquiring SYSTEM privileges. The scenario is simple: a helpdesk employee downloads a game during his free time. Unfortunately, the downloaded executable is not a game, but malware.
Here is a description of the steps, which you can follow in the video:
- When the user downloads the malware, the antivirus warns him about a potential danger because it’s an executable. Of course, the user clicks on “Proceed”, as this warning seems normal for a game. From this moment, the antivirus puts the executable under monitoring. This is visible in the console under “Controlled Items”.
- The malware calls back to the “command and control” server, ready to execute our commands. From that point, the malware runs silently without the user even noticing it (the use of the mouse in the video is for demonstration purposes).
Then, we task the malware to:
- Execute some system commands (just for the demo): “dir” to list the working directory, then “ipconfig” to reveal the victim system network interfaces configuration.
- Take a screenshot of the victim desktop (for the demo also).
- Encrypt a folder and its subfolders using the AES algorithm, to simulate a targeted ransomware. In its “facts sheet” Sophos states that “Intercept X CryptoGuard technology detects spontaneous malicious data encryption to stop ransomware in its tracks”, so… we tested it.
- Execute a second instance of our malware with higher privileges (Admin). In this scenario the employee is part of the IT Helpdesk, so he is an Administrator of the system. But as you probably know, since Windows Vista Microsoft has used User Account Control (UAC) to prevent processes from being executed as administrator without the user's consent. However, over the years many UAC bypasses have been discovered by security researchers. We used one of these long-known bypasses (eventvwr.exe) to gain admin privileges.
- Inject a Meterpreter shellcode in memory. In the Active Adversary Mitigations section of its “facts sheet”, Sophos states that it detects Meterpreter Shell. Meterpreter is an advanced remote shell written for the Metasploit Framework, used by penetration testers and hackers around the world.
This is what we successfully tested: we generated a Meterpreter shellcode and injected it into the victim machine’s memory using our malware.
This confirms that most antiviruses still have difficulty detecting the fileless attacks that have emerged in recent years, as mentioned by ZDNet. Fileless attacks are almost 10x more likely to succeed than file-based attacks.
The last step is also performed using Meterpreter:
- We launch the “getsystem” command to elevate our privileges once again and gain SYSTEM privileges on the victim. From that point, the system would accept any instruction given by us through Meterpreter.
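As an illustration of the "other layers of defense" point, the eventvwr.exe step above leaves two observable traces that endpoint telemetry can catch even when the antivirus stays silent. The following detection sketch is an added example, not code from the original article or from Approach; it assumes Sysmon-style process-creation (ID 1) and registry-value-set (ID 13) events already parsed into dictionaries, and the sample events, user and file names are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Per-user handler that the auto-elevating eventvwr.exe resolves for .msc files.
MSCFILE_KEY = re.compile(r"\\mscfile\\shell\\open\\command(\\|$)", re.I)
EXPECTED_CHILDREN = {"mmc.exe"}  # the only child eventvwr.exe normally starts

def detect_eventvwr_bypass(events):
    """Return (index, reason) findings from Sysmon-style event dicts."""
    findings, hijacked = [], set()
    for i, ev in enumerate(events):
        eid, user = ev.get("EventID"), ev.get("User")
        if eid == 13 and MSCFILE_KEY.search(ev.get("TargetObject", "")):
            # Registry value set: someone overrode the mscfile open command.
            hijacked.add(user)
            writer = basename(ev.get("Image", "?"))
            findings.append((i, f"mscfile handler set by {writer}"))
        elif eid == 1:
            parent = basename(ev.get("ParentImage", "")).lower()
            child = basename(ev.get("Image", "")).lower()
            if parent == "eventvwr.exe" and child not in EXPECTED_CHILDREN:
                reason = f"eventvwr.exe spawned {child}"
                if ev.get("IntegrityLevel") == "High":
                    reason += " at high integrity"
                if user in hijacked:
                    reason += " (correlated with handler change)"
                findings.append((i, reason))
    return findings

# Constructed sample events (simplified Sysmon fields, lab names invented).
GAME = r"C:\Users\helpdesk\Downloads\game.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "User": r"LAB\helpdesk", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": GAME},
    {"EventID": 13, "User": r"LAB\helpdesk", "Image": GAME,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001_Classes\mscfile\shell\open\command\(Default)"},
    {"EventID": 1, "User": r"LAB\helpdesk", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "Image": GAME},
    {"EventID": 1, "User": r"LAB\helpdesk", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},
]

if __name__ == "__main__":
    for idx, why in detect_eventvwr_bypass(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The registry indicator and the parent/child indicator are reported independently, so either one alone still raises a finding; the normal eventvwr.exe to mmc.exe launch is not flagged.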
About the tester and the test environment
- The tests were made by David Bloom, Cyber-Security Consultant - member of our CSIRT Team
- The tests were made on Sophos Demo version.
- Core Agent: 2.0.0
- Advanced endpoint protection: 10.8.1.1
- Sophos Intercept X: 2.0.1