HB Gary names SQL injection as real ShadyRAT threat

Can network defenders distinguish between a ‘normal’ and ‘human’ threat?

Being able to tell a human-led attack from one driven by automated malware is crucial to defending against advanced persistent threats (APTs), according to US security firm HB Gary.

Spear-phishing, which makes up very little of the spam consumers receive every day, has had a huge impact on enterprise security, according to the firm, which recently suffered an embarrassing data breach at the hands of hackers rallying under the Anonymous banner.

The company warned that organisations that may be worried they had fallen victim to McAfee’s so-called ShadyRAT threat should first be worried about spear-phishing aimed at staff.

“In almost all cases we have investigated, spear-phishing was the initial point of infection,” wrote HB Gary’s CEO and co-founder, Greg Hoglund.

He claimed that a group called the “Comment Crew” was associated with the style of attack described in McAfee’s recent ShadyRAT exposé.

“It is very clear that the hacking group is using stolen email to learn about their targets before crafting a very convincing email.”

Spear-phishing, which involves convincing a specific target to cough up their credentials, was the gateway for the attacker to “laterally move” in the target’s systems once they had been compromised, he argued.

“This underscores why the recent spate of [SQL injection] attacks over the last few months pose a far greater threat than most people realise.”

An SQL injection flaw was the same vulnerability that allowed Anonymous’ supporters to compromise HB Gary's systems.

Much like security vendor RSA’s compromise, which relied on an email containing a rigged Excel file, the Comment Crew’s multi-stage attack used “droppers” as a first step that were installed on a corporate network. These were “detonated” by a staff member opening the attachment. In doing so, they unwittingly downloaded a second, more potent backdoor to the network.

“Once the dropper has established a beachhead into the network, a hacker will access the host and uninstall the original backdoor, replacing it with a new and more powerful backdoor,” explained Hoglund.

The attackers then use port 80 or 443 for their outbound connection, because most firewall policies allow outbound traffic on those ports.

“Once the outbound connection is made, the attacker can use the established [Transmission Control Protocol] session to interact with the host, download tools, run command line programs, and laterally move about the network.”
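The outbound session described above is the same port 80/443 traffic that legitimate browsing uses, so a defender cannot block it wholesale; what gives a backdoor away is that it phones home on a near-constant timer while a person browses in bursts. The script below is an added example written for this article, not HB Gary's or McAfee's code: it parses constructed firewall log lines (the `timestamp src dst dport action` layout is an assumption, not any vendor's format) and flags flows whose connection intervals are almost uniform.

```python
"""Flag periodic outbound connections over ports 80/443 in firewall or proxy logs.

Added example. The log lines are constructed, and the line layout
(timestamp src dst dport action) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.1.2.3 reaches 203.0.113.10:443 every ~60 s (beacon),
# while 10.1.2.9 fetches pages from 198.51.100.20:80 in irregular bursts (a person).
SAMPLE_LOG = """\
2011-08-04T10:00:00 10.1.2.3 203.0.113.10 443 ALLOW
2011-08-04T10:01:01 10.1.2.3 203.0.113.10 443 ALLOW
2011-08-04T10:02:00 10.1.2.3 203.0.113.10 443 ALLOW
2011-08-04T10:03:02 10.1.2.3 203.0.113.10 443 ALLOW
2011-08-04T10:04:00 10.1.2.3 203.0.113.10 443 ALLOW
2011-08-04T10:05:01 10.1.2.3 203.0.113.10 443 ALLOW
2011-08-04T10:00:10 10.1.2.9 198.51.100.20 80 ALLOW
2011-08-04T10:00:14 10.1.2.9 198.51.100.20 80 ALLOW
2011-08-04T10:07:40 10.1.2.9 198.51.100.20 80 ALLOW
2011-08-04T10:08:02 10.1.2.9 198.51.100.20 80 ALLOW
2011-08-04T10:31:55 10.1.2.9 198.51.100.20 80 ALLOW
2011-08-04T10:32:00 10.1.2.9 198.51.100.20 80 ALLOW
"""

WEB_PORTS = {80, 443}


def parse_log(text):
    """Group allowed web-port connections: {(src, dst, port): [timestamps]}."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        port = int(port)
        if action != "ALLOW" or port not in WEB_PORTS:
            continue
        flows[(src, dst, port)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.1):
    """Return flows whose inter-connection gaps are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps; a
    flow at or below it is treated as timer-driven. Both thresholds are
    assumptions to tune against your own baseline traffic.
    """
    findings = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "flow": key,
                "count": len(times),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed data only the 10.1.2.3 flow is reported (six connections, about 60 seconds apart, jitter near 0.02). Real implants add random sleep jitter, so in practice the threshold is set from a baseline of the environment's own traffic, and the finding is a lead for host triage rather than a verdict.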

The real problem for network defenders was discovering whether the attack was launched by a real human or a machine. Real humans did not typically employ software “packers”, designed to hide malware from antivirus engines.

Instead, humans interact with the compromised host, and that interaction leaves traces that can be gleaned from the last-access times recorded in the file system’s “master file table” and from the Internet Explorer browsing history stored in “index.DAT” files.

“This is a fast and easy way to discern the difference between a non-targeted external threat (which over 80% of all adverse events will fall into this category) and external targeted attacks (of which APT is included, probably less than 2% of all adverse events),” said Hoglund. 
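Hoglund's distinction rests on host artefacts: an operator who has taken over a backdoor touches command-line tools, opens files and browses, and those actions leave last-access times in the master file table and entries in index.dat, while commodity malware leaves none of that. The triage script below is an added example, not HB Gary's tooling; its records are constructed in the shape an MFT or index.dat parser might emit, and the list of operator tools and the four-hour window after first infection are assumptions to tune from your own cases.

```python
"""Triage a host timeline for hands-on-keyboard activity after an infection.

Added example, not HB Gary's code. The artefacts are constructed; the tool
list and the post-infection window are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed artefacts: (path, last-access time) as an MFT parser might emit them.
MFT_LAST_ACCESS = [
    ("C:\\Windows\\System32\\cmd.exe", "2011-08-04T02:13:10"),
    ("C:\\Windows\\System32\\net.exe", "2011-08-04T02:13:42"),
    ("C:\\Windows\\System32\\ipconfig.exe", "2011-08-04T02:14:05"),
    ("C:\\Users\\jsmith\\Documents\\Q3-forecast.xlsx", "2011-08-03T16:40:00"),
]
# Constructed browsing history: (url, visit time) as an index.dat parser might emit them.
IE_HISTORY = [
    ("http://intranet/finance/", "2011-08-03T16:35:00"),
]
# Constructed: creation time of the dropper on this host.
MALWARE_FIRST_SEEN = "2011-08-04T02:05:00"

# Binaries an operator typically runs while exploring a new foothold
# (assumed list; extend it from your own incident data).
OPERATOR_TOOLS = {
    "cmd.exe", "net.exe", "ipconfig.exe", "whoami.exe",
    "tasklist.exe", "reg.exe", "at.exe",
}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def interactive_indicators(first_seen, mft, history, window_hours=4):
    """Collect artefacts inside [first_seen, first_seen + window] that imply a person."""
    start = _t(first_seen)
    end = start + timedelta(hours=window_hours)
    hits = []
    for path, accessed in mft:
        at = _t(accessed)
        if not (start <= at <= end):
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name in OPERATOR_TOOLS:
            hits.append(("tool_access", path, accessed))
        elif "\\users\\" in path.lower():
            # user-profile content opened after infection
            hits.append(("user_file_access", path, accessed))
    for url, visited in history:
        if start <= _t(visited) <= end:
            hits.append(("browsing", url, visited))
    return hits


def classify(first_seen, mft, history, packed=False):
    """Return (verdict, indicators) for one host.

    `packed` is whether the sample was protected by a runtime packer; Hoglund's
    observation is that human-operated tooling usually is not.
    """
    hits = interactive_indicators(first_seen, mft, history)
    if hits:
        return "targeted: hands-on-keyboard activity suspected", hits
    if packed:
        return "non-targeted: packed malware, no interactive traces", hits
    return "undetermined: no interactive traces in window", hits


if __name__ == "__main__":
    verdict, hits = classify(MALWARE_FIRST_SEEN, MFT_LAST_ACCESS, IE_HISTORY)
    print(verdict)
    for hit in hits:
        print("  ", *hit)
```

On the constructed data the three tool accesses within nine minutes of the dropper's arrival push the host into the targeted bucket, while the spreadsheet and intranet visit fall before the infection and are ignored. One caveat a practitioner will want: Windows Vista and later disable last-access timestamp updates by default, so on those hosts the MFT signal is weak and the browsing history, prefetch and event logs carry more of the weight.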

Stories by Liam Tung