A backdoor, in relation to software and hardware, is the ability to gain access to an endpoint, server, device or network by bypassing authentication as well as other standard security procedures and mechanisms.
Developers sometimes create backdoors themselves by leaving alternate, unpublished methods of access in the code they write, either to bypass authentication during development or as a backup means of access in case everything else fails. Edward Snowden revealed in 2013 that a number of companies had been pressured into installing backdoors into their products by government spy agencies.
Backdoors on targeted systems are popular with cyberattackers because they allow them to come and go as they please. A backdoor may be symmetric, meaning accessible to anyone who knows of its existence or discovers it, or asymmetric, meaning accessible only to the attacker or developer who controls it.
How it is done by malicious professionals – a look at Gazer
Regardless of the motive behind the backdoor, the unfettered access it allows for is a huge potential security risk that most companies would prefer to avoid.
ESET researchers have recently discovered maliciously installed backdoors believed to be the work of the notorious Turla cyberespionage group. The malware, named “Gazer”, has been actively deployed in targeted attacks against governments and diplomats since at least 2016. More details on this specific attack can be found here.
Malicious backdoors are usually installed, or more accurately infected, through common methods. For example, the Turla group runs watering hole and spear-phishing campaigns to acquire targets.
Watering hole attacks are set up by exploiting vulnerabilities in browsers or browser extensions and are used to start the process of infecting a device with malware, which eventually leads to a backdoor being created.
Spear-phishing is a targeted phishing attack—an email campaign that looks legitimate but has the intent of delivering a malicious payload via an attachment or by encouraging the user to click on a link that takes them to an infected or fraudulent web page.
Learn how ESET Endpoint Security protects against phishing and other threats.
When one door closes, another one will open
Once the malware is on the network it looks for a way to communicate with the attacker, for example by finding an open server port and “binding” to it. Once bound, the attacker can gain command and control of the target network. Ideally, firewalls and perimeter security technology will have blocked attempted connections from external sources, but traffic from internal sources using open ports is often less restricted.
However, once a backdoor is operational it can be used to create other backdoors, building a maze that becomes hard to detect and destroy. Protecting against an incursion through backdoors therefore requires both technology and employee participation, since attacks often begin with targeted, socially engineered attacks such as spear-phishing.
Educating employees to identify phishing emails and not click on them is an ongoing task for many companies. People are curious, and social engineering attacks that leverage news or topical events can masquerade as legitimate email.
Education, focus and best practice
To counter these threats, vigorous network monitoring that looks for unusual traffic patterns or connections should be standard operating procedure. Making it routine matters because discovering an attacker’s active use of your devices or network otherwise requires a high level of technical knowledge.
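The two behaviors described above, a backdoor binding to a port on an internal host and the implant checking in with its operator at regular intervals, are exactly what routine network monitoring is meant to surface. The following script is an added example, not code from the original post or from ESET: it parses a constructed connection-log format (timestamp, source, destination, port, protocol), flags internal hosts accepting connections on ports outside a known-service baseline, and flags internal-to-external flows whose timing is regular enough to look like scheduled beaconing. The log format, the internal network range, the baseline ports and the jitter threshold are all assumptions chosen for illustration.

```python
"""Scan connection-log lines for two backdoor indicators:
   1. an internal host accepting connections on a port outside the
      known-service baseline (a newly bound listener), and
   2. an internal host connecting to an external address at regular
      intervals (command-and-control style check-ins)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Assumed format:
# <ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5:51001 -> 10.0.0.20:443 tcp
2024-05-01T10:00:30 10.0.0.5:51002 -> 203.0.113.9:8443 tcp
2024-05-01T10:01:00 10.0.0.5:51003 -> 10.0.0.20:443 tcp
2024-05-01T10:01:30 10.0.0.5:51004 -> 203.0.113.9:8443 tcp
2024-05-01T10:02:30 10.0.0.5:51005 -> 203.0.113.9:8443 tcp
2024-05-01T10:03:30 10.0.0.5:51006 -> 203.0.113.9:8443 tcp
2024-05-01T10:04:30 10.0.0.5:51007 -> 203.0.113.9:8443 tcp
2024-05-01T10:07:12 10.0.0.7:49001 -> 10.0.0.5:5555 tcp
2024-05-01T10:09:45 10.0.0.7:49002 -> 10.0.0.20:443 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Parse log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return records


def find_new_listeners(records, internal_net, baseline_ports):
    """Return (dst_ip, dst_port) pairs where an internal host accepted a
    connection on a port that is not in the approved-service baseline."""
    hits = set()
    for r in records:
        if r["dst"] in internal_net and r["dport"] not in baseline_ports:
            hits.add((str(r["dst"]), r["dport"]))
    return hits


def find_beacons(records, internal_net, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, dport): mean_interval_seconds} for flows from an
    internal host to an external address whose inter-connection gaps are
    regular (coefficient of variation <= max_jitter), i.e. look scheduled."""
    flows = defaultdict(list)
    for r in records:
        if r["src"] in internal_net and r["dst"] not in internal_net:
            flows[(str(r["src"]), str(r["dst"]), r["dport"])].append(r["ts"])
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def scan(text, internal_cidr="10.0.0.0/8", baseline_ports=(22, 443)):
    """Run both checks over a log and return the findings."""
    net = ipaddress.ip_network(internal_cidr)
    records = parse_log(text)
    return {
        "new_listeners": find_new_listeners(records, net, set(baseline_ports)),
        "beacons": find_beacons(records, net),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, port in sorted(result["new_listeners"]):
        print(f"unexpected listener: {ip}:{port}")
    for (src, dst, port), interval in result["beacons"].items():
        print(f"regular outbound flow: {src} -> {dst}:{port} every {interval:.0f}s")
```

On the sample data the script reports the internal host 10.0.0.5 accepting a connection on port 5555, which is outside the baseline, and the same host contacting 203.0.113.9:8443 every 60 seconds. In practice the baseline of approved ports comes from an asset inventory, and the jitter threshold needs tuning, since legitimate software (update checks, monitoring agents) also polls on a schedule and produces false positives until it is added to an allow list.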
Updating systems to reduce the number of vulnerabilities an attacker can exploit is a best practice. This should not be limited to software: hardware runs its own software (firmware), and ensuring the latest versions are installed is important. Monitoring software versions across the network will allow easy identification of systems and hardware with known vulnerabilities.
Up-to-date anti-malware software protecting endpoints, servers and services significantly reduces the opportunities for attackers to make a first incursion. Anti-phishing protection helps remove the risk that curious employees (and their clicking behavior) add to the company’s exposure.