Cases for applying network anomaly analysis tools: attacks through browser plug-ins

4 min


Attacks on browsers are a fairly popular vector for attackers who, through various vulnerabilities in surfing programs on the Internet or through weakly protected plug-ins for them, try to penetrate inside corporate and departmental networks. This usually starts on completely legal and even whitelisted sites that have vulnerabilities used by cybercriminals. Add-ons, extensions, plugins, once installed even for good purposes, begin to monitor user activity, “merge” the history of visited sites to developers, introduce annoying ads into the visited pages, sometimes malicious. Users often don’t even realize that the banner ad that they see on the site’s page is added by the plugin they installed, and is not initially implemented on the page. And sometimes such plug-ins and extensions even serve as an entrance door for attackers to users’ computers, from which a victorious march through the enterprise’s internal network begins. It is through these extensions that attackers can install malicious code, track data, or steal it. At the same time, we are not always able to force all users to properly configure their browsers and monitor their configuration. What to do in such a situation when only one user can become the weakest link and open the “gate to hell”? Network traffic monitoring solutions can help in this case.

image

One of Cisco’s research units, Cisco Cognitive Intelligence, which appeared after the purchase of the Czech company Cognitive Security many years ago, revealed that many malicious browser plug-ins have unique characteristics that can be detected and monitored as part of the analysis of network traffic. The only difference that is present compared to the previous three cases examined earlier (leak detection, malicious code, and the DNSpionage campaign) is to detect the activity of plugins that introduce adverts in which adversaries earn money or who merge your data, you need to do a lot of research yourself (we spent about a year analyzing several thousand plugins to identify patterns of behavior and describe them), or trust the manufacturer of the NTA class solution, which contains such opportunity.

Here’s what this feature looks like in the Cisco Stealthwatch solution. We see that from two addresses of the internal network with the addresses 10.201.3.45 and 10.201.3.108, activity associated with click fraud, the introduction of ads into pages (Ad injection), and malicious advertising is recorded.

image

Obviously, we want to investigate this activity:

image

We see that the node in the corporate network interacts with the domain located on the legal Amazon (therefore, it will not work to block by IP address; if you are not Roskomnadzor, of course). However, application of various machine learning algorithms to traffic shows that this activity is malicious.

image

An even deeper dive allows us to understand even more details about the threat.

image

For example, case # CADP01 is associated with the malicious code AdPeak, which injects additional advertising into the visited web pages and for showing them the attackers earn money.

image

Case # CDPY01 is associated with a potentially unwanted application that injects ads into a browser session and can lead to subsequent infection of the computer.

image

Since the detection of malicious browser activity may be a sign of an infection that has already happened, we need to conduct an investigation that will show who the compromised node interacts with on our network, what kind of node it is, what its role is, what user works for it, etc.

image

For example, the mentioned node 10.201.3.45 belongs to the Development group (development or software development). We also see all the data streams associated with this node and the main security events.

image

Interestingly, the node we are interested in most often interacts with local DNS servers, which leads to thoughts of a possible attack on DNS or through DNS (recall DNSpionage or Sea Turtle described in a previous post).

What do we see in the list of security events? Flow Denied. What it is? The answer to this question depends on the context, since the connections of the internal nodes with the internal ones are very different from the connection of the internal nodes with the external ones, and can mean very different things. For example, if the internal node has many forbidden connections (flows) with the internal resource through the same port, then this is probably the wrong configuration for any application. A lot of forbidden flows with different ports or internal nodes, says, most likely, about intelligence, one of the first stages in any attack. Blocked flows from inside to external Internet sites can characterize the operation of malicious code, remote access utilities (RATs), information leakage, and many other “interesting” events that your security policy defines as prohibited. And since they are detected by your network traffic analysis system, it means that something is wrong with you.

This case is interesting in that it slightly changes the look at the capabilities of systems of the NTA class, which rely on the analysis of Netflow (or other flow protocols) in their work. It can be seen that such systems can not only operate at the network level, but also allow us to rise much higher and detect attacks at the application level, which are far from always visible to the firewall or even the means of protection of terminal devices.


0 Comments

Leave a Reply