The Mask, Attacks on Trust, and Game Over

BY KEVIN BOCEK, VP, SECURITY STRATEGY & THREAT INTELLIGENCE, VENAFI

Breached Enterprises Will Be Owned by The Mask operation for Years to Come

For over a year, Venafi has been charting the course of attacks on the trust established by keys and certificates. The dramatic rise in attacks has led Microsoft to declare “PKI is under attack” and Intel Security-McAfee to “question the validity of digital certificates as a trust mechanism.” From key and certificate stealing trojans to stolen certificate marketplaces, the cybercriminal community has woken up to a whole slew of new vulnerabilities and powerful attacks.

It now appears that in fact a monster has woken up! Kaspersky Labs hasidentified and documented what it terms as “one of the most advanced threats.” Known by its Spanish name “Careto,” The Mask operation is a sophisticated, organized attack using multiple attack methods to steal data. Its alarming set of targets include a variety of SSL, VPN, and SSH cryptographic keys and digital certificates.

The impact of this revelation is simple: breached organizations are now owned by The Mask operation. Cleaning up malware, reimaging servers, and resetting password won’t help. The attackers now own keys and certificates that provide the fundamental trust that is used to know if a server, cloud, or administrator is to be trusted. The attackers can decrypt communications and data formerly thought secure and private. The likely inability to remediate all of the compromised keys and certificates will leave the attacked breached for years, and in many cases decades.

Breached enterprises might as well bulldoze their data centers to regain ownership if they can’t replace all—not some—but all of their keys and certificates.

How can this be? Mask’s operations are known to steal SSH keys used to authenticate administrators, servers, virtual machines, and cloud services. SSH keys provide root-level access and don’t expire—ever. Steal an SSH key and you likely have perpetual backdoor access. That bleak outlook is why Forrester Consulting simply previously concluded, “Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.”

Breached organizations must now identify all keys and certificates and immediately replace them. Based on industry research and Venafi’s experience in securing Global 2000 enterprises and governments, the breached will likely have no visibility in to the scope of the problem facing them and no ability to respond to these attacks on keys and certificates by replacing all of them. They need to take quick action now as the true intentions and impact of The Mask operation are yet to be seen. Otherwise, they might as well invest in bulldozers instead of malware cleanup or new firewalls.

The analysis is troubling. The details to follow are even more troubling. The impact and seriousness of The Mask on the breached cannot be understated or underestimated. For those not involved, it serves as another lesson that attacks on keys and certificates are very, very real and every enterprise must gain visibility, controls, and response mechanisms now.

Attacking Trust: Ownership for Life

Mask’s operations to steal keys and certificates is alarming. By stealing and leveraging trusted status, The Mask organization can now impersonate, surveil, collect, and decrypt its targets’ communications and data. Essentially, The Mask operators own the breached and for a very long time to come.

In a masterful criminal effort, Mask’s team didn’t just create powerful weapons—they attacked where they know their targets have no visibility and no ability to respond. Yes, the breached can now clean up malware infections, reimage servers, and reset passwords. But, as research has shown, Mask’s targets will not be able to identify and replace the tens of thousand of SSL, SSH, and other keys and certificates stolen.

Mask’s targets are like fish just caught and hauled on to a fishing boat. Fish will struggle to get back in the water, but will slowly suffocate on the boat’s deck with no hopes of escaping and returning to the water. With the ability to impersonate, surveil, collect, decrypt its targets communications and data, and their targets inability to respond and remediate to the attacks already committed with keys and certificates there may be little hope for the breached as they wait to potentially be attacked and suffocated by the blind trust they relied upon is turned against them.

Mask’s Attack on Trust

Mask’s methods of attacking trust make it a monster. Stuxnet, like 27% of Android malware, used stolen certificates today, to enable its attack. SpyEye, Zeus, and over 800 other Trojans are known to steal keys and certificates. Mandiant and others have well documented the use of self-signed certificates and SSLin enabling the APT1 group to exfiltrate stolen intellectual property. What makes Mask so special is that it uses all of these methods, improves on them, and adds new innovations. It’s a perfected weapon.

Evading Detection With Trusted Status

As reported by Kaspersky, Mask’s Windows malware was digitally signed with a valid certificate. Just like the hundreds of certificates used in malware attacks tracked by the CCSS Forum, the valid certificates enabled the malicious code to run trusted.

Like some other attacks using certificates, Mask’s certificate are believed to have been purchased legally from VeriSign by representing a fictitious company TecSystem Ltd of Bulgaria. Once again, Gartner’s prophetic statement on the state of IT security and certificate comes true: “Certificates can no longer be blindly trusted."

Stealing trust

What makes Mask so devastating now and for years to come is its hunger for stealing keys and certificates. SSL keys and certificates, SSH keys, disk encryption keys, and others have all been stolen. Even more troubling is that Mask’s malware not only ran on Windows but also on Linux, Mac OS, and likely mobile platforms. The theft of both server, administrator, user, and device keys and certificates for everything from SSL for websites, to administrator access to servers with SSH, to VPN access from a remote site places the breached in jeopardy now and a troubling sign for everyone else of what’s to come.

The theft of so many keys and certificates is what’s likely to make Mask remembered for many years to come. Just as Stuxnet signaled to the cybercriminal community the benefits of using stolen certificates, Mask will signal the power in stealing as many kinds of keys and certificates that establish trust as possible. While a SSL key might be replaced and certificates will expire, SSH keys never expire. They will exist as a perpetual vulnerability until they are replaced and no longer trusted. SSH key rotation is something that few, if any, enterprises actually do. As more cybercriminals learn from Mask and accelerate the theft of keys and certificates, the less trust we’ll have in everything from servers, to clouds, to mobile devices.

Changing what's trusted

If not troubling enough, Kasperky’s research has identified even more powerful capabilities in Mask’s toolset. Mask’s command set indicates that the malware could add and delete certificates to a system. This allows the attackers to set what certificates or Certificate Authorities could be trusted. These methods have been seen in the wild already going back to 2010 just as the Mask operation was gearing up. Changing what websites and software that’s trusted is a powerful weapon. Not only does it allow users and security systems alike to be tricked in to connecting to fake websites or running malicious software, it allows the encrypted communications to be decrypted.

Surveillance and monitoring today and well in to the future

Mask is also able to monitor and potentially capture network traffic. Kaspersky reports that multiple plugin modules are capable of intercepting network traffic. With stolen keys and certificates, Mask’s operators may have been able to easily monitor encrypted communications thought to be private and secure. Unfortunately, even with Mask’s known, active operations shutdown, the attacker will still be able to decrypt network communications that can be intercepted.

Escaping detection: flying under the radar with encryption

The Mask operator’s understood that exfiltrating data can be risky business and raise alarms. However, using encrypted traffic allowed Mask to keep its activities under the radar of detection. Kaspersky reports that Mask’s team used various methods including encrypting communications directly with RC-4 and also could use HTTPS. While the increased use of SSL/TLS to keep communications private is one of the reasons the BBC declared “2014: The Year of Encryption,” it also means attackers will be able to hide easier. The use of SSL and other encrypted traffic is a sign of things to come. Gartner predicts that by 2017, over 50% of all network attacks will use encryption.

Attackers Intent

The targets for Mask’s operation are reported to include government agencies, foreign-service operations, energy, oil, and gas companies, and private equity. Targets have been identified in Brazil, UK, and United States with Kaspersky’s analysis finding Spain, France, and Morocco among the most commonly targeted in terms of IP addresses and victim IDs.

With such powerful weaponry either enabled by or designed to attack trust established by keys and certificates, it appears at least one of the attacker’s intentions is to impersonate, surveil, collect, and decrypt its targets’ communications and data. And, the attackers intended to keep it that way for a long time to come. Stealing keys and certificates provides permanent access to data or systems until keys are replaced. Unfortunately, this will be years for most attacked organizations. And even worse, SSH keys never expire and will provide Mask’s attackers near perpetual root-level access inside of breached organization.

Immediate Action: Fight Back or Be Owned

For organizations attacked by Mask, action must immediately be taken to respond and remediate the attacks on trust established by keys and certificates. Breached organizations must identify all keys and certificates on networks, in servers, on endpoints, and on mobile devices. Remediation can then proceed to generate new SSL keys and certificates, generate new VPN keys and certificates, and generate new SSH keys and removing previously trusted keys from authorized key lists. However, only with complete intelligence on all keys and certificate can remediation be considered successful.

For all other organizations, Mask is another warning that demonstrates the devastating impact attacks on keys and certificates can have. Organizations must have the ability to identify all keys and certificates, enforce a known good state, detect anomalies, and respond and remediate incidents. Organizations will then be able to change keys and certificates frequently, eliminate human intervention that can open the door for malware to steal keys and certificates, and be able to respond immediately.