Weaponised Malware Poses New Security Threat

The headlines seemed all too familiar – “New malware attack”. How many times have we seen this before? Digital security threats have become commonplace in our interconnected and IT-dependent world. Something was different with this news, however. The attack occurred at an Iranian nuclear facility. Okay so now I am hooked. What was going on? What is the so-called Stuxnet virus? Where did it come from, who was behind it, how did it work, when will it show up on other systems, and what can be done to defend against this form of attack in the future?

This was no ordinary attack. As researchers later discovered, the attack utilized four different Zero Day exploits on Windows platforms. In addition to the Zero Day attacks, the payload included a stolen digital certificate that was issued by Verisign. The virus was self-propagating and spread to numerous machines, and was to locate and operate a valve or control module that was a critical part of the nuclear facility’s infrastructure, with the intent of disabling or damaging the facility. In other words: to act as a weapon.

The traditional, malicious approach to damaging the facility would have been a conventional weapon (i.e. a bomb). The astonishing difference is that this malware, the Stuxnet virus was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own. The virus was designed specifically to accomplish the work of a weapon and has therefore earned the dubious classification as Weaponized Malware.

The Stuxnet malware is estimated to have taken ten man-years to develop, and has an extremely sophisticated code base. The tools used, the timestamps on the binaries and the number of modules all suggest multiple development teams working in tandem. The origin of the malware is unverified but the security community has concluded that it was probably developed by a nation state or states attempting to disrupt the Iranian nuclear program.

It is a well-established fact that many weapons developed by nation states for military use eventually become available to other non nation-state entities, like terrorists and criminal organizations. Examples include night-vision goggles, GPS systems, airborne drones, fully automatic rifles, Kevlar body armor, and shoulder-launched missiles. These are just a few of the technologies developed for national militaries that are now routinely employed by criminal gangs, terrorists, and rogue nation states.

The pertinent question is: when will the Weaponized Malware and its derivatives will be used by these entities to destroy, disable or steal valuable assets and information from other nations, utilities, banks, or telecommunication companies? The answer is that we do not know when but we are sure that it will happen. How can threatened organizations assess and address this new security risk?

The Stuxnet weaponized malware utilized multiple zero day vulnerabilities to infect the facility’s systems, and employed a valid but stolen, signed digital certificate to authenticate itself in the environment. The certificate allowed the malware to act as a trusted application and communicate with other devices. This is the first reported incident of the utilization of a digital certificate in this type of attack, and is an ominous sign, and signals the beginning of a new era of cyber warfare and cybercrime. The implications are enormous. Zero day vulnerabilities are by definition impossible to defend against using classic defenses. The use of unauthorized digital certificates by Weaponized Malware in a networked environment is another matter. There are steps organizations can take to significantly reduce the risk of a successful attack.

The first consideration is to ascertain what digital certificates are active in a network. Most organizations do not know how many they have, where they are installed, who installed them, their validity, or their expiration dates on devices and applications within their network. Here’s a parallel analogy in the world of physical security. This is the same as not knowing which people in a secure building are authorized to be on the premises. Imagine a bank where no one knew which people in the building were authorized to be there or not. This is not an exaggeration, nor is it an acceptable situation to anyone who takes security seriously. This is clearly an unquantified risk. The only acceptable practice is to continually and actively discover certificates on the network.

Additionally, the certificates must be validated to insure that they are functioning as intended and that they are monitored throughout their lifecycle so that they can be expired and replaced as dictated by the security policies of the organization. Most organizations are deficient in this regard. This is an unmanaged risk and can be easily brought under management. A failure to manage this kind of risk exposes organizations to increased vulnerabilities like the Stuxnet attack.

Why are organizations exposing themselves to this unquantified and unmanaged risk? The reason is simple enough to understand. Before Stuxnet, a lackadaisical knowledge and management of digital certificates was viewed as acceptable. Additionally many C- level executives are not currently familiar with digital certificates, how they work, their role in security, or with their management best practices and policies. This has to change. There is not one C-level exec that misunderstands or underestimates the importance of ensuring that only authorized individuals can enter a secure building. Those same C-level execs naively allow unauthorized or unknown certificates to enter and operate on their networks.

The Stuxnet Weaponized Malware is a loud wakeup call to IT security. Implementing practices and policies for the management of digital certificates is an important and necessary component of a broad and wide security strategy. It is the one strategy that can detect the appearance of malware that utilizes digital certificates for authentication. Weaponized Malware has or will be aimed at every company in the Global 2000. The mandate is to act before the weapon strikes.