Mitigating the Risk of Backdoor Attacks

New Report Finds Wide Variety of Businesses Are Vulnerable
Mitigating the Risk of Backdoor Attacks

The exploit of backdoors has been linked to recent attacks waged against the retail industry, including the third-party attack on Target Corp.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

But as security firm Trend Micro notes in a new report about emerging backdoor attacks, and subsequent lateral movements from server to server, that it's not just retailers that are vulnerable; any business that uses backdoor applications is at risk.

These attacks are especially worrisome, Trend Micro says, because they often go undetected for several months. That mean hackers are maintaining an extended presence on corporate networks, allowing them ample opportunity to steal data and gain better insight into how systems communicate, the security firm points out.

The lesson for all businesses, says Trend Micro in its report, is that today's attacks are being waged against networks from multiple points of entry. And because hackers have figured out how to bypass standard security measures and intrusion detection capabilities, relying merely on firewalls and anti-malware solutions is not enough.

To effectively thwart server compromises, organizations must monitor their networks for anomalous activity, Trend Micro advises. In short, every business should continually operate under the assumption that it has already been compromised.

Backdoor Attacks

A backdoor is any port or application that allows access to a server or network by bypassing authentication and other standard security procedures and mechanisms. For example, backdoors can be used to facilitate remote access.

While backdoors have provided convenience and have improved network communications between servers, they also have provided hackers with new points of entry to command-and-control servers, security researchers say.

Tom Kellermann on why the emergence of cross-platform malware is facilitating lateral attacks.

"There are various techniques backdoors use to enable attackers to gain command and control of their target network," Trend Micro states in its report. "Understanding them can help IT administrators more effectively detect their presence and protect the networks they manage from targeted attacks."

Attackers are increasingly using new tools, such as cross-platform malware, to exploit multiple backdoors simultaneously, says Tom Kellermann, Trend Micro's chief cybersecurity officer. Once inside the network, this cross-platform malware searches for the command-and-control server through a process known as "port binding," he says.

Port-binding ultimately enables the lateral movement within the network, so that attackers can move, undetected, from one server to another, Kellermann says.

Targeted Attack on a Corporate Network

Source: Trend Micro

"They are using your infrastructure against you," Kellermann explains. "Multiple backdoors is the key here. The point of this white paper is to show how we can improve incident response."

Improving incident response hinges first on the timely detection of intrusions, Kellermann says. From there, organizations need to have enough visibility into their networks to ensure they have the ability to block backdoors that hackers could use.

"Blocking backdoors that can use various protocols and ports to communicate with their C&C [command-and-control] servers requires certain firewall settings to ensure that only the necessary ports are open to certain protocols," Trend Micro states in its report. "IT administrators could, for instance, block all ICMP [Internet control message protocol] traffic from coming into or going out of their networks."

Endpoint security, to ensure ports are not reused for malicious activity, also is critical. "IT administrators need to know every possible means by which their network can be breached and must then find a way to protect it," the report states.

Finding Vulnerabilities

By definition, port-binding involves the configuration of information to determine where and how messages among servers connected to a network are sent and/or received.

"This technique could allow attackers to configure a backdoor to directly communicate or 'bind' with a specific server port, allowing them to more easily take control of the affected server," Trend Micro states. "Once a connection is established, the backdoor can spawn a simple shell to execute commands."

The report specifically mentions vulnerabilities linked to Radmin Server software - a common remote access application that uses port binding. According to Trend Micro's research, hackers have successfully modified Radmin Server components to infiltrate targeted networks.

"[Hackers] typically modify the software so it would not display a GUI [graphical user interface]," Trend Micro states. "Although firewalls are now basic components of corporate networks, those that do not employ them remain vulnerable to port-binding abuse."

When asked by Information Security Media Group for a comment about Trend Micro's findings, Radmin technical support responded by saying: "They said that sometimes hackers modify Radmin and use a modified version for control." The company did not comment about its alleged server software vulnerabilities.

Threat researcher Andrew Komarov, CEO of cyber-intelligence firm IntelCrawler, says backdoors are the primary tools criminals use to compromise networks. Everything from cyberespionage to the theft of payment card data has been linked to backdoor compromises, he says.

"This is really very visible trend," he says. "In this white paper, it mentions modification of Radmin, but we also see lots of self-crafted tools for remote administration used by many banking Trojans as well. ... There are lots of ways to organize a remote administration channel using non-standard ports and application protocols."

But attackers are more mindful these days about not being detected, Komarov says. This is why more are using legitimate applications, such as Radmin Server software, to mask their attacks, he adds.

And this trend is why picking up on an intrusion through conventional malware-detection techniques is so challenging, Kellermann says.

"You have to understand the behavior, and understand that you more than likely have two sets of backdoors," he says. "It's time to appreciate the tactics, such as the use of legitimate platform abuse."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.