Make Cyberattacks Like Hafnium Irrelevant

Written by Virsec | Aug 5, 2021 5:00:32 PM

Recent statements issued by the United States, European Union, and the United Kingdom have accused China of conducting a cyberattack against Microsoft’s Exchange Servers. China continues to deny the claims, but officials identified Hafnium (a Chinese-backed hacker group) as the culprit behind the attack.

An estimated 30,000 organizations worldwide were compromised when the Hafnium hackers exploited a vulnerability in the Microsoft software. The BBC reported that what made the attack so notable was that, rather than remaining the sole perpetrators, the Hafnium group shared the details of the vulnerabilities with other China-based groups so they too could leverage the exploits against targets of their choosing.

China and the Chinese Ministry of State Security (MSS) deny these claims. Lijian Zhao, a Chinese government official, categorically rejected the allegations, accusing the United States and its allies of distorting facts for political gain.

Regardless of who is at fault, tomorrow it will be another attack, then another, and another. These attacks will continue to escalate and get ever more sophisticated and evasive. Groups like Hafnium pop up every day, and with new vulnerabilities and malware being created at the rate of approximately 560,000+/day … Houston, we have a problem.

“We need to find a way to make cyberattacks irrelevant.” – Dave Furneaux, CEO, Virsec

It’s the Software, Stupid

Organizations have relied on established protocols, processes, and tools to manage security for decades. But as enterprises undergo digital transformation to cloud, hybrid, and container environments to streamline operations and improve the customer experience, the cloud attack surface has grown exponentially. Software and application workloads run our interconnected world, and they are a preferred and prime target.

Attacks like Hafnium highlight that legacy security products are unable to protect software and application code because they focus on the outside. They lack the visibility and depth of understanding of the software’s intended execution. When exploits target an application’s runtime, these tools are not equipped to handle them and therefore cannot effectively protect the application workloads.

Hafnium, SolarWinds, and REvil attacks all easily bypassed conventional endpoint and perimeter security tools to hijack software code. From there, they took their sweet time to extract or encrypt data, or took a leisurely tour of an enterprise’s network, or enjoyed lateral flights of fancy throughout the software infrastructure.

The reason for this boils down to one simple fact: attackers are targeting application and software runtime, and organizations are neither prepared nor protected against them.

Critical Gaps in Cybersecurity Measures

Inadequate Defense Tools. Enterprises are operating across multiple environments – on-prem, cloud, containers, virtual and hybrid – and no longer reside behind identifiable, protectable perimeters.

Chasing the Infinite Bad. With an estimated 560,000 pieces of new malware released each day, every EDR tool must have access to all 560,000 of those pieces of malware – daily. Then they must accurately identify how each individual piece of malware is running. It is a losing battle.

Impossible Patching Bar. Patching is a best practice every enterprise should follow. But some organizations, particularly critical infrastructure and those relying on legacy applications, can’t afford the downtime and may not be able to implement some security patches. And for those who can, the average lag time between when a vulnerability patch is released and when it is implemented is approximately 60 to 150 days. Hardly a stalwart of defense.

Blind to Applications and Software Workloads. Applications and software workloads are the critical lifeblood of any organization, no matter where they reside. Yet most security tools have no visibility from the inside into these areas, and therefore cannot adequately derive insight into application or workload activity, especially when under attack.

No Protection for Memory and Runtime Processes. Memory and runtime are a hacker’s paradise. Here, they hijack legitimate code and insert their own code to run as the application executes. Without adequate insight or process controls, organizations are unable to distinguish malicious code from the developer’s intended code as an attack unfolds under their noses.

How to Adequately Protect Software from Attacks

 

Virsec Security Platform (VSP) is designed to stop any attack targeting application workloads and systems during runtime. Continuous, automated, and self-reliant, VSP is the only single solution that safeguards the entire application surface, focusing visibility and protection across all runtime components throughout Host, Memory, and Web layers.

Virsec's patented AppMap® technology automatically maps applications across the entire stack, defining the correct files, scripts, directories, libraries, inputs, processes, and memory usage of each application in an enterprise’s IT infrastructure. This ensures comprehensive, application-aware protection for application workloads in any environment, applied in real time as code executes. Any deviation from normal is immediately detected, treated as a threat, and blocked.

 

Rely On Deterministic Security

The result of an application-aware security approach is a deterministic stance that protects an organization’s application stack from the inside, with full contextual insight and control as each application executes at runtime. VSP protects the process integrity of the software with strict controls to ensure it only executes as intended. Even if the software contains vulnerabilities – unknown or otherwise – VSP will stop exploits at the earliest point in the threat cycle no matter how they manifest.

With VSP deployed, the next time you hear about another advanced, highly invasive attack on critical infrastructure, supply chains, enterprises, or government agencies, you can rest easy knowing that all your application workloads are wrapped up tight in a downy pillow of protection – making those attacks irrelevant.