How businesses can unwittingly become launch-pads for malware attacks

By Greg Sim, CEO at Glasswall Solutions
Published: 1 November 2017

In business, reputation is everything. So it is not hard to imagine the conversations that took place inside two law firms when they realised they had potentially become malware hubs spreading malicious code among clients and business-partners. The legal ramifications could have been catastrophic.

In the first incident, PDFs created inside the firm were found to contain code for which there was no explanation; at the second, the document scanner was discovered to be incorporating unauthorised code into the structure of the digital files it generated. The incidents, although entirely separate, both involved pieces of code that could have been triggers for a large-scale cyber-attack on anyone receiving the documents as email attachments.

This was the last thing firms that send out thousands of attachments every week needed. There was a strong possibility that they had been penetrated by cyber criminals and were in danger of taking their entire supply chains down with them.

It was only because both firms passed their files through Glasswall, which provides file-regeneration technology (also known as Content Disarm & Reconstruction, or CDR), that these pieces of code were detected. The technology examines each file at byte level against the ISO or vendor specification for its format before it is dispatched, so content the specification does not account for, and which may be malicious, is picked up quickly.

Had they been relying on traditional, signature-based anti-virus technology, code with no existing signature could have gone undetected for months, infecting more and more organisations or lying dormant like a time-bomb until the criminals found the specific target they were looking for.

In the event the code turned out to be benign: an artefact of flaws in the software responsible, a product used daily by all staff, rather than an intrusion. Instead of having their reputations vaporised, the firms only had to investigate and fix those flaws.

The detection of these code anomalies is a clear illustration of how cyber risk is moving into the supply chain. Criminals are fully aware that any major organisation they want to target is only as safe as its least secure supplier, which they can use as a backdoor into the real target.

As such threats emerge, we are increasingly going to see malware in writers, in computer hardware and in the chip sets that power them. The UK government must surely be concerned that a leading UK chip designer such as Imagination Technologies is now in the hands of Chinese state-backed private equity investor Canyon Bridge, which was barred by US President Donald Trump from buying an American rival, Lattice Semiconductor, on national security grounds.

A stern warning about relying on traditional methods
In fact the detection of these code anomalies by Glasswall should act as a warning to every business. There can hardly be a company that does not use email attachments throughout the working day, and it is the internal structures of common file types such as PDFs that criminals increasingly use as vectors for spreading malware. By some estimates more than 90 per cent of successful cyber-attacks begin when someone unknowingly opens a common attachment such as a PDF, Word, PowerPoint or Excel file that has been subtly altered to act as a malware trigger.

Unrecognised by the anti-virus industry's signature databases, these pieces of malicious code are also able to slip through sandboxing applications, for instance by delaying or conditioning their behaviour so that nothing suspicious happens during the short observation window. The constantly evolving sophistication of such exploits leaves organisations hopelessly vulnerable if they rely on a combination of anti-virus solutions and encryption to maintain security. The threats within JavaScript, Flash, encrypted and embedded files may be well known, yet the biggest sources of danger lie inside the structures of common files such as PDFs, Excel and Word.

Research into PDF-borne malware by Glasswall found, for example, that in many organisations as little as 1.5 per cent of PDF files contain JavaScript at all, while by the company's own figures 98.5 per cent of the malicious PDFs it has seen hide their payloads outside this well-known vector, in other parts of the file structure.

Aware of the danger of sending out infected documents, many businesses, especially in the professional sector, also rely on encryption to protect their business partners. Sadly this is mistaken. Encryption protects a message's contents from being intercepted and read by a third party, but it says nothing about whether those contents are safe: an infected file is delivered just as faithfully as a clean one, and end-to-end encryption can even prevent a gateway from inspecting the attachment at all.

Get your security down to byte-level
The only certain defence against these threats is file-regeneration, which conducts a minute examination of each document in fractions of a second and generates a clean, sanitised version that conforms to the file format's specification and can be used in safety. With PDFs, the technology has detected a change of just two bytes that criminals hid inside the file structure in order to crash the recipient's reader in a way that hands control to their malicious code.
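To make the byte-level structural check and the regeneration step concrete, here is a deliberately small Python illustration added by the editor. It is not Glasswall's code and does not reflect how its product works internally. It builds a constructed PDF with a correct cross-reference table, checks the header, the %%EOF marker and every in-use xref offset against the object it must point at, flags the dictionary keys that carry or trigger active content (including the JavaScript vector discussed above), and rebuilds the file from its parsed objects with those entries removed. The sample documents, the key lists, the regular-expression object parsing (which does not handle object streams or nested inline dictionaries) and the assumption that object 1 is the catalog are all the editor's simplifications.

```python
"""Added illustration (not Glasswall's code): byte-level structure checks,
active-content detection and regeneration for a tiny, constructed PDF."""
import re

# Dictionary keys that carry active content (names as defined in the PDF spec).
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile",
               b"/RichMedia", b"/XFA")
# Keys whose value is an action that a reader runs automatically.
TRIGGER_KEYS = (b"/OpenAction", b"/AA")
# Simplified object parser: generation 0 objects only, no object streams.
OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.DOTALL)


def _has_key(key, body):
    # Match the whole name token, so /JS does not match /JSX and so on.
    return re.search(re.escape(key) + rb"(?![A-Za-z])", body) is not None


def build_pdf(objects):
    """Serialise {number: body} as a PDF. Offsets are computed while writing,
    so the xref table is correct by construction. Assumption for this
    example: object 1 is the document catalog."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = {}
    for n in sorted(objects):
        offsets[n] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (n, objects[n])
    size = max(objects) + 1
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % size
    for n in range(size):  # one 20-byte entry per number; free if absent
        if n in offsets:
            out += b"%010d 00000 n \n" % offsets[n]
        else:
            out += b"0000000000 65535 f \n"
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (size, xref_pos))
    return bytes(out)


def structural_findings(pdf):
    """Check the bytes against what the format requires: header, %%EOF,
    startxref, and every in-use xref entry landing exactly on 'N G obj'."""
    findings = []
    if not pdf.startswith(b"%PDF-"):
        findings.append("missing %PDF header")
    if b"%%EOF" not in pdf[-64:]:
        findings.append("missing %%EOF marker near end of file")
    i = pdf.rfind(b"startxref")  # last one wins with incremental updates
    m = re.match(rb"startxref\s+(\d+)", pdf[i:]) if i >= 0 else None
    if not m:
        return findings + ["missing startxref"]
    xref_pos = int(m.group(1))
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\s", pdf[xref_pos:])
    if not hdr:
        return findings + ["startxref does not point at an xref table"]
    first, count = int(hdr.group(1)), int(hdr.group(2))
    base = xref_pos + hdr.end()
    for k in range(count):
        entry = pdf[base + 20 * k: base + 20 * (k + 1)]
        if len(entry) < 20:
            findings.append("xref table truncated at entry %d" % (first + k))
            break
        off, gen, kind = int(entry[:10]), int(entry[11:16]), entry[17:18]
        if kind == b"n" and not pdf[off:].startswith(b"%d %d obj" % (first + k, gen)):
            findings.append("xref entry %d offset %d does not land on its object"
                            % (first + k, off))
    return findings


def active_content(pdf):
    """Map object number -> list of active/trigger keys found in that object."""
    hits = {}
    for m in OBJ_RE.finditer(pdf):
        keys = [k.decode() for k in ACTIVE_KEYS + TRIGGER_KEYS if _has_key(k, m.group(2))]
        if keys:
            hits[int(m.group(1))] = keys
    return hits


def regenerate(pdf):
    """Rebuild from parsed objects: strip automatic triggers, replace objects
    carrying active content with null, drop dangling references to them, and
    re-serialise with a freshly computed xref table."""
    objs = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    trigger = rb"(?:/OpenAction|/AA)\s*(?:<<[^<>]*>>|\d+ 0 R)"  # inline dict or ref
    objs = {n: re.sub(trigger, b"", body) for n, body in objs.items()}
    dropped = {n for n, body in objs.items() if any(_has_key(k, body) for k in ACTIVE_KEYS)}
    for n in objs:
        if n in dropped:
            objs[n] = b"null"
            continue
        for d in dropped:
            objs[n] = re.sub(rb"/\w+\s+%d 0 R" % d, b"", objs[n])
    return build_pdf(objs)


# Constructed sample documents for the demonstration (not real-world files).
_PAGES = {2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
          3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"}
SAMPLE_CLEAN = build_pdf({1: b"<< /Type /Catalog /Pages 2 0 R >>", **_PAGES})
SAMPLE_ARMED = build_pdf({1: b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
                          4: b"<< /S /JavaScript /JS (app.alert(1)) >>", **_PAGES})
# A two-byte change inside the xref table: object 1's offset 9 becomes 90.
SAMPLE_BROKEN = SAMPLE_CLEAN.replace(b"0000000009 00000 n", b"0000000090 00000 n")

if __name__ == "__main__":
    for name, doc in (("clean", SAMPLE_CLEAN), ("armed", SAMPLE_ARMED), ("broken", SAMPLE_BROKEN)):
        print(name, structural_findings(doc), active_content(doc))
    rebuilt = regenerate(SAMPLE_ARMED)
    print("regenerated", structural_findings(rebuilt), active_content(rebuilt))
```

The point of the design is that the output is never a patched copy of the input: it is re-serialised from the parsed objects, so anything the parser did not understand (stray bytes between objects, a doctored xref offset) simply does not survive, and anything it did understand but the policy forbids (an /OpenAction, a /JavaScript action) is left out. A production CDR engine does the same across the full specification, including streams, object streams and nested dictionaries that this sketch ignores.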

Once files have been sanitised, outbound email attachments can be sent in full confidence, having been cleared of all malicious code. The intelligence derived from this technology also gives organisations vital insights into the nature of the threats they are facing and how criminals are adapting code or shifting vectors.

In a recent 30-day period, for example, almost three-quarters of all the threats Glasswall eliminated through file-regeneration were zero-day attacks, in the sense that no anti-virus signature had yet been assigned to them, so standard signature-based anti-virus technology would have missed them completely.

In the absence of Content Disarm & Reconstruction, organisations risk becoming proxy malware hubs for criminals, facing potentially huge legal liabilities and the destruction of their reputation, which in modern business is equivalent to a death warrant. The only certain defence against this grisly fate is innovation in the shape of file-regeneration.