This attempted attack demonstrates attacker persistence. Emails containing malicious attachments, sent over the course of two days from a compromised heavy plant manufacturer based in Iraq, show that when an attackers attempt fails the first time, if they are motivated enough, they will have another go. On Day 1 of the attack, the attacker had most likely, and inadvertently, repurposed malware previously used in another attacker that was already on the ‘known bad’ list. Despite this, the malicious attachments targeted at two people in Finance reached Glasswall, showing weaknesses in all up stream protection layers. However, Day 2 was very different. Using exactly the same base file, an Excel spreadsheet, the attacker had this time customised the malware payload, and reinserted this into the file – this time it was later classified as a zero day threat, totally unique, and unknown to the security industry. This demonstrates not only attacker persistence, but the speed they can react, adapt and repeatedly make attempts to achieve their goals.
How we protected our customer
The excel file, the same used over the two day attack, was so corrupted and removed from the original specification that it simply could not be regenerated into a safe, clean and benign version on the original. The outcome of this process is for Glasswall to hold the file, allowing the user to be protected, whilst giving security teams valuable time to check file and sender integrity. This demonstrates the need for full CDR technologies, as unlike other technologies that may only remove active code such as Macros and would’ve allowed all these malicious files to enter, the full regeneration process unique to Glasswall captured the file and held it safely. This protected our customer from a payload designed to exploit a Windows vulnerability that gains privileged access, and rewards attackers with a beach head into the organisation to go anywhere they desire, and access any data they wish to obtain.