Protecting Against “Red October”

  • Home
  • /Protecting Against “Red October”

Protecting Against Attacks Similar to “Red October”

Article authored by: Jarno Niemela @jarnomn

The targeted attack campaign dubbed Red October raises an interesting question for people working on the frontline of corporate security. How to defend one’s own organization against such attacks? And the good news is that at least for campaigns such as Red October, the information has been available for a long time already.

From a technical point of view, the targeted attacks used by Red October look very much like any other corporate espionage. The attackers need to get a user to click on an interesting looking document, and then the program being used to view the document needs to be vulnerable to attack, after which the system needs to allow a payload to be written to disk, after which the payload needs to be able to communicate back to a C&C server.

So in order to foil the attack, we as defenders need to be able to prevent any of the stages and then the attack is failure from a data stealing point of view, even as there might be need for cleanup.

The first and most obvious defense is of course user education, all users should be trained to be suspicious of any documents coming from external sources. Especially if they are not expecting that party to send a document. But unfortunately a moment of inattention is all that it required to open something that should have just been deleted. Thus education alone is not enough.

The second layer of defense is obviously up to date and well configured corporate security software. Our own F-Secure Client Security would have alarmed about actions performed by the Red October exploit payload. However, the important thing to remember is that in order for any modern security software to be its most effective, you should allow the software to talk to the back end servers. It is a very common and frustrating situation that a corporation allows Internet connected browsers, but configures the workstation’s security software so that it cannot be part of a real-time protection network.

A third layer of defense is to use Microsoft’s EMET application memory handling hardening and exploit mitigation tool. We tried running Red October associated exploit files with EMET enabled using the recommended settings and the exploit was stopped and was not able to take over the system.

EMET, Red October

A fourth layer of defense is to use Microsoft Applocker and prevent execution of files that are not signed or are not otherwise well known and trusted by system administration. With Applocker the payload dropped into %programfiles%\Windows NT\svchost.exe in Windows XP or %appdata%\Microsoft\svchost.exe in Vista/7 would not have been able to execute.

A fifth layer of defense is to use DNS whitelisting and allow only well known domain names to resolve without prompting it first from the user, preferably with CAPTCHA. We have done research in C&C domains used by known corporate espionage attacks, and DNS white listing has been ~99% effective in preventing exploit to C&C communication.

For the complete article visit: