Posted on Apr 03rd, 2014 by Ofer Or

There's an enduring myth in many organisations that the more money you spend on firewalling IT systems, the better protected you are from data breaches and malicious cyber attacks. It's a myth that has been cheerfully perpetuated by vendors of both traditional and next-generation firewalling and threat-detection products, who clearly have a financial interest in maintaining customer delusion.

But while they may hope this myth keeps their cash registers going ka-ching, a recently revealed cyber-attack known as Ke3chang explodes it with an almighty ka-boom…

In December 2013, security firm FireEye reported it had been monitoring an advanced cyber-attack labelled Ke3chang. This targeted high-profile government and private-sector networks between 2010 and 2013, focusing on finance and foreign affairs ministries across Europe as well as aerospace, chemical, consulting and high-tech companies.

Because the attack focused on geopolitical targets immediately prior to multiple G20 summits, Ke3chang is strongly suspected to be an example of state-level cyber espionage. The language found in the malicious code identified by researchers suggests China is the likeliest culprit, although the sophistication of the attack makes this nigh impossible to prove beyond doubt.

What is beyond doubt, though, is that hackers are now using highly advanced methods which can often render traditional approaches to malware detection helpless. Ke3chang is just the latest example that demonstrates how attacks are becoming more sophisticated.

The attacks comprised several stages:

  • First, a target would be sent a seemingly innocuous email purporting to be from a known contact.
  • Attached to this would be a file that appeared relevant to the recipient, increasing the likelihood they would open it – for example, diplomats were sent documents containing information relating to public opinion on the US military involvement in Syria. Luring users to open a malicious attachment like this is a common tactic in cyber attacks.
  • The attachments, which appeared perfectly normal, contained malicious code that exploited what's known as 'zero day' vulnerabilities in software (security holes discovered by hackers but not yet included in the malware databases of security products). Once an attachment was opened, so was a back-door into the system.
  • From there, hackers would later install further malicious software on the compromised machines – such as keystroke loggers to extract administrative credentials that let them reach deeper into the network. Meanwhile, the compromised users had no reason to suspect anything was awry.

Ke3chang used at least three zero-day vulnerabilities, covering all manner of systems and devices, to force entry into target systems without raising any alarms. And since data was smuggled out through (at least) 22 remote command and control (CnC) servers, it is impossible to detect the real identity and location of the attackers.

Ke3chang represents a type of attack that's being seen more commonly by security researchers – sophisticated, highly targeted and very difficult to stop by traditional means.

However, you can limit the damage attackers can do by following some fairly basic procedures. For example, by properly segmenting your networks you can stop an attacker's lateral movement across your network and reduce the overall impact of a security breach. The aim is to limit the communication between different network segments to ensure a vulnerable system or device cannot be used as a launch-pad to reach sensitive areas in the network.

Using tools like Tufin's Unified Security Policy (part of the Tufin Orchestration Suite) you can ensure different zones of your network are only ever accessible to the people and systems that need to access them, monitor any changes automatically and make certain you don't inadvertently open any access hatches. That will at least limit any breach to the originally compromised system, rather than allowing attackers to use it as a launch pad into other areas of your network.
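The zone-matrix idea in the two paragraphs above, as an added example written for this post (it is not Tufin's code or policy format, and the zone ranges, ports and rule fields are constructed): each proposed firewall change is checked against an explicit list of which zones may talk to which, so a rule that would let a compromised workstation reach the finance segment is flagged before it is deployed.

```python
import ipaddress

# Constructed zones (assumed address ranges, not taken from any real network).
ZONES = {
    "workstations": ["10.10.0.0/16"],
    "dmz": ["192.0.2.0/24"],
    "finance": ["10.20.0.0/24"],
}
# Allowed destination ports per (source zone, destination zone). A pair that is
# absent from the matrix is denied, so a new rule cannot silently open a path.
POLICY = {
    ("workstations", "dmz"): {443},
    ("workstations", "finance"): {443},
    ("dmz", "finance"): set(),  # explicit deny: the DMZ must never reach finance
}

def zone_of(ip):
    """Map an IP address to its zone name, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return None

def check_rule(rule):
    """Return a violation message if a permit rule breaches the zone matrix, else None."""
    if rule["action"] != "permit":
        return None  # deny rules never widen access
    src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
    if src is None or dst is None:
        return f"rule {rule['id']}: endpoint outside any defined zone"
    if src == dst:
        return None  # traffic inside one zone is not governed by the matrix
    allowed = POLICY.get((src, dst), set())
    if rule["port"] == "any" or rule["port"] not in allowed:
        return f"rule {rule['id']}: {src} -> {dst} port {rule['port']} not permitted by zone policy"
    return None

def audit(rules):
    """Check a batch of proposed firewall rules and return every violation found."""
    return [v for v in map(check_rule, rules) if v]

# Constructed change request: rule 2 would let a compromised workstation reach a
# finance server over SMB, the kind of lateral path segmentation is meant to block.
SAMPLE_RULES = [
    {"id": 1, "src": "10.10.5.7", "dst": "192.0.2.10", "port": 443, "action": "permit"},
    {"id": 2, "src": "10.10.5.7", "dst": "10.20.0.15", "port": 445, "action": "permit"},
    {"id": 3, "src": "192.0.2.10", "dst": "10.20.0.15", "port": "any", "action": "permit"},
    {"id": 4, "src": "10.10.5.7", "dst": "10.20.0.15", "port": 445, "action": "deny"},
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_RULES):
        print(violation)
```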

Professional hackers are becoming more sophisticated, and Ke3chang represents the kind of threat that will increasingly be faced by any organization with valuable data. The myth that firewalls and malware-detection systems alone can protect you has been exploded yet again. In fact, analyst firm Gartner said in a recent webinar that every organization should assume they 'can be, have been and probably will be' hacked. Based on this assumption, you need to minimize the damage that any successful attacker can do once they've gained access to part of the system. So if you want to minimize the effects of cyber breaches within your organization, you had better act now.