Closing the backdoor

Next story

by Tony Anscombe, Global Security Evangelist

A backdoor, in relation to software and hardware, is the ability to gain access to an endpoint, server, device or network by bypassing authentication and other standard security procedures and mechanisms.

Developers sometimes leave alternate, unpublished methods of access when writing code, creating a backdoor to bypass authentication or act as a backup means of access in case everything goes wrong. In 2013 Edward Snowden revealed that a number of companies had been pressured into installing backdoors into their products by government spy agencies. Backdoors are also popular with cyberattackers, because by installing their own backdoor on a targeted system they can come and go as they please.

A backdoor may be symmetric: accessible by anyone that knows it exists or finds it. Alternatively, it could be asymmetric: only accessible by the attacker or developer who is controlling it. As this is unauthorized, it is likely to avoid the procedures and auditing that legitimate access would adhere to.

Whatever the motivation behind the backdoor, the unfettered access it creates is a huge potential security risk most companies would prefer to avoid.

ESET researchers recently discovered maliciously installed backdoors believed to be the work of the notorious Turla cyberespionage group. The malware, named “Gazer,” has been actively deployed in targeted attacks against governments and diplomats since at least 2016. More details on this specific attack can be found here.

Malicious backdoors often use common methods to create the opportunity for installation, probably better termed as an infection. For example, the Turla cyberespionage group mentioned above is known to run watering hole and spear-phishing campaigns to pinpoint their targets.

A watering hole attack compromises websites that are likely to be visited by targets of interest. By utilizing vulnerabilities in browsers or extensions, they are able to start the process of infecting the device with malware, eventually leading to a backdoor being created.

Spear-phishing is a targeted phishing attack—an email campaign that looks legitimate but has the intent of delivering a malicious payload through an attachment or by encouraging the user to click on a link that takes them to an infected or fraudulent web page.

Once the malware is inside the network it will look for methods to communicate, look for an open server port and “bind” to it. Once bound, it offers the attacker the ability to gain command and control of their target network. Firewalls and perimeter security technology block attempted connections from external sources, while traffic from internal sources using open ports can be less restricted.

Once the backdoor is operational it can then be used to spawn other backdoors, possibly creating a labyrinth that becomes hard to detect and eradicate from a network. As one door closes due to detection, stopping the leak of information, the attacker will simply switch to the alternate backdoors created by the first one.

Protecting against an incursion through a backdoor requires technology and employee participation. As mentioned above, an attack can often be started through a targeted, socially engineered attack such as spear-phishing.

Educating employees on how to identify phishing emails and not click on them is an ongoing task for many companies. People are curious, and social engineering attacks leveraging news, topical events or emails can masquerade as legitimate. This entices the victim to click and take actions, allowing the cyberattacker to engage in the first action toward implementing a backdoor.

Robust and frequent network monitoring looking for unusual traffic patterns or connections should be part of standard operating procedures. Discovering whether someone is actively using your device or network requires a high level of technical knowledge, as many applications communicate in the background. Therefore, deciphering the traffic to identify unauthorized connections is complex.

Keeping systems updated to reduce the number of vulnerabilities that the attacker can exploit is a best practice. This should not be limited to software; hardware operates with software, and ensuring the latest versions are installed on all connected devices is important. Monitoring software versions across the network will allow the easy identification of systems and hardware that may have known vulnerabilities.

Up-to-date anti-malware software protecting the endpoints, servers and services will significantly reduce the opportunity for the attacker to make the first incursion. Anti-phishing protection will assist in removing the risk that curious employees (and their clicking behavior) add to the company’s risk.

I recommend taking a look at the ESET technologies available to help protect against these risks; the business security products can be found here. Remote and patch management are essential tools to defend the network. ESET Remote Management (ERA) and ESET Multi Platform Patch Management Solution (Flexera) are award-winning solutions worth considering.