
Flame is frightening but don’t hide under the bed

October 20, 2017


Cyber-weapons set the security bar uncomfortably high. But why make it easy for them?

Imagine a hacking enterprise free to develop malware on the back of an unlimited budget, a small army of elite coders and mathematicians, barely-documented programming, and a clutch of software vulnerabilities the world has never heard of. Stopping such a program would surely be nigh on impossible.

Until the discovery of a hugely sophisticated malware platform called ‘Flame’ three weeks ago, this often-imagined security fantasy was just that – highly unlikely. Only large countries steeped in decades of computing development would have the resources to take on such a project and, it was argued, the political embarrassment of exposure would act as a deterrent.

Astoundingly, judging from the age of some Flame components it now looks as if the world crossed into the age of super-malware as far back as 2007 without even realizing it. Worse, Flame was not a lone warrior, having now been forensically linked to a second platform called ‘Stuxnet’ (discovered 2010), and a third, the enigmatic and frankly pretty odd ‘Duqu’ (discovered 2011).

This is not the place to speculate on who created this software or why (although the targeting of Iran by the US Government looks like an open and shut case, frankly). It is more useful to delve into the technical challenges the existence of such software poses for a security industry that is suddenly feeling less self-confident.

Is Flame a big deal? Conceptually, yes. Despite being the largest malware system ever uncovered, Flame went unnoticed for years, partly because it targeted small numbers of systems in countries such as Iran, but also because it was so sprawling and complex that security vendors were not able to join up enough dots when they encountered fragments of it.

It’s a backdoor, a Trojan and a worm; it compromises multiple software components seemingly at will and can even hijack the Windows Update mechanism using forged code signing and cryptographic cleverness that experts have described as working in ‘God mode’. The more we learn about Flame, the more it draws attention to the apparent puniness of the security systems ranged against it, be they firewalls, intrusion detection systems, or anti-virus.

The first thing to say about Flame, Stuxnet and Duqu is that they are unusual – the chance of even a large company being hit by such a malware system right now is probably small. But that won’t last. Flame’s success will breed imitators with much more mundane motivations, including profit and subversion. This brings us back to assessing its real threat.

I’ve come to the conclusion that while Flame would have been impossible to stop in its entirety given the extremes its designers went to, defenders can still learn some lessons for the future.

Might patching have stopped it? Not on its own (it used at least five zero-days over time), but rapid vendor release and application cycles clearly shorten the window in which malware developers can use each exploit. Given that patching is better in 2012 than it was in 2008, this is a good start.

How about blocking its infection route? Appealing, but unreliable. We now know that anti-virus alone couldn’t stop Flame jumping to its targets from infected USB sticks. Even spotting it on these drives would have been difficult, as Flame hid itself by interfering with the FAT32 file system.

Here’s a small chink, however: Flame spread from USB sticks through a zero-day exploit that caused a privilege escalation at Windows kernel level (probably patched in June 2009 as MS09-025); this was the purpose of a module, identified by one security vendor as ‘Resource 207’, that is common to both Stuxnet and Flame.

Would privilege management have helped? Answering this is complex and would depend on the state of the compromised systems and what they were being used for – we know they were probably running XP, and that at least some of them were being used in a conventional, insecure Windows setup.

Removing admin rights from as many systems as possible would have forced the malware to look for other systems not defended in this way, a significant inconvenience and one that would have slowed its spread. In 2008, it is unlikely that the risk posed by the ability for software to elevate privileges on Windows was appreciated; in 2012 there is no excuse to ignore this weakness.

It is intriguing that the anti-virus defense designed to catch malware could fail so spectacularly, while the less obvious approach of restricting what each system can do would have had more success. Unaccountably, privilege escalation is now used in a large number of relatively mundane exploits, and yet the option to manage this dimension is still seen by some as unconventional.

As every security vendor will tell you, the answer is to layer security, but some layers are probably more important than others. Many organizations seem to over-invest in anti-virus and firewalls when attackers clearly figured out how to beat those long ago.

Flame tells us that the new front line is elsewhere: in privilege restriction, in allow-listing, and in a ferocious commitment by admins to strip every conceivable weakness out of their networks. If you were attacking your own network, how would you do it?

John Dunn
