IS YOUR CYBER SECURITY TAMPER-PROOF?

Posted by Assaf Yariv on September 16, 2022

Security products such as next-generation anti-virus (NGAV), endpoint detection
and response (EDR), and endpoint protection platforms (EPP) are themselves
targets. Threat actors abuse, tamper with, and exploit them on the way to initial
access and persistence, because it is often easier to undermine the defenses
than to evade them. Yet how many teams treat anti-tampering as a priority when
they evaluate security tools?

Imagine a small bank in your town. The bank invests in state-of-the-art security
equipment: top quality cameras and sensitive alarms that report to a central
system, and a heavy biometric lock on the main safe, secured behind steel doors.


Everything feels very secure until, one day, the power goes out. Suddenly there
is no electricity, so no network, so no security. All anyone had to do to bypass
this state-of-the-art security system was flip the switch that powers the bank.



TERMINATING SERVICES

We have all seen these scenes in movies, and in cyber security they are not far
from reality. Attackers research the monitoring tools and security solutions
(EDR, NGAV, EPP, and so on) deployed at a target and try to terminate them
before the main stage of an attack begins. Worryingly, this is usually not
complicated: it comes down to killing the product's processes and stopping its
services.



How hard is this? If an attacker has already obtained administrative privileges,
they can run a simple script that kills the product's processes and stops its
services. If that fails, for example because the processes are protected, they
can load a signed but vulnerable kernel driver and do the work from kernel
space. Attackers can also tamper with the user-mode hooks a product installs in
monitored processes, so that their activity is never reported.

Vendors that belong to the Microsoft Virus Initiative (MVI) ship Early Launch
Anti-Malware (ELAM) drivers, which let Windows start their anti-malware services
as protected processes that even an administrator cannot terminate from user
mode. To get around this, threat actors may install a weaker security product
that competes in the same category and use its components to eliminate the
ELAM-protected services. The Morphisec Labs threat research team has found a
number of such tactics in the wild; one of them deploys Malwarebytes
sub-components as part of the attack chain.


GENERIC VS. TARGETED TAMPERING

We can divide tampering techniques into two categories: generic and targeted.


THE GENERIC APPROACH TO TAMPERING

Modern malware often tries to shut down services on a system before moving to
the next step of the attack. The Windows Service Control Manager (SCM) provides
a recovery mechanism, the service's failure actions, that can restart a service
after it terminates. By itself this is not an effective remedy for protecting
critical services. First, there is always a gap, however small, in which the
service is not running. Second, the failure actions only fire when the service
dies without reporting a stopped state; an administrator who stops the service
cleanly gets no automatic restart at all. Third, security products are usually
stateful services, so a restarted instance must also recover the state the
killed instance held, or it comes back blind to what happened before.


A persistent attacker can also turn the recovery mechanism into a denial of
service (DoS): a loop that terminates the service every time it comes back keeps
the product busy recovering instead of detecting and preventing.
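The kill script and vulnerable-driver install from the "Terminating services" section, and the clean stop, unexpected termination and terminate/recovery loop from the paragraphs above, as detection logic run over constructed Windows event records. This is an added example, not Morphisec's code. The product names (acmeedr, acmesensor), the simplified field names (Sysmon Event ID 1 CommandLine; System log Event IDs 7034, 7036 and 7045 with ServiceName, State, ImagePath and ServiceType), and the "three unexpected terminations within 60 seconds" loop threshold are assumptions made for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumption: the defender knows which services and processes belong to the
# security product. "acmeedr" and "acmesensor" are placeholders, not real products.
PROTECTED_SERVICES = {"acmeedr", "acmesensor"}
PROTECTED_PROCESSES = {"acmeedr.exe", "acmesensor.exe"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# User-mode ways to stop a service or kill a process, matched against the
# CommandLine of a Sysmon process-creation event (Event ID 1).
KILL_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<target>\S+)", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+(?P<target>\S+)", re.I),
    re.compile(r"\bnet(?:\.exe)?\s+stop\s+(?P<target>\S+)", re.I),
    re.compile(r"\bStop-(?:Service|Process)\s+(?:-Name\s+)?(?P<target>[\w.-]+)", re.I),
]

# time: datetime, event_id: int, fields: dict of the event's named fields
Event = namedtuple("Event", "time event_id fields")


def _is_protected(name):
    return name.strip('"').lower() in PROTECTED_SERVICES | PROTECTED_PROCESSES


def normalize_driver_path(image_path):
    """Turn the ImagePath forms seen in Event 7045 into one comparable form."""
    p = image_path.strip('"').lower()
    if p.startswith("\\systemroot"):
        p = "c:\\windows" + p[len("\\systemroot"):]
    elif p.startswith("\\??\\"):
        p = p[4:]
    elif not re.match(r"^[a-z]:\\", p):
        p = "c:\\windows\\" + p.lstrip("\\")  # relative paths are under %SystemRoot%
    return p


def analyze(events, loop_window=timedelta(seconds=60), loop_threshold=3):
    """Return (rule, detail) alerts for the tampering patterns discussed in the text."""
    alerts = []
    crashes = defaultdict(list)  # service -> times of Event 7034
    looped = set()
    for ev in sorted(events, key=lambda e: e.time):
        f = ev.fields
        if ev.event_id == 1:  # Sysmon: process created
            cmd = f.get("CommandLine", "")
            if any(m and _is_protected(m.group("target"))
                   for m in (p.search(cmd) for p in KILL_PATTERNS)):
                alerts.append(("user-mode kill attempt", cmd))
        elif ev.event_id == 7036 and f.get("State") == "stopped":
            # A controlled stop: SCM failure actions do not fire for this.
            if _is_protected(f.get("ServiceName", "")):
                alerts.append(("protected service stopped cleanly", f["ServiceName"]))
        elif ev.event_id == 7034:  # service terminated unexpectedly
            svc = f.get("ServiceName", "")
            if _is_protected(svc):
                alerts.append(("protected service terminated unexpectedly", svc))
                crashes[svc].append(ev.time)
                recent = [t for t in crashes[svc] if ev.time - t <= loop_window]
                if len(recent) >= loop_threshold and svc not in looped:
                    looped.add(svc)
                    alerts.append(("terminate/recovery loop",
                                   f"{svc}: {len(recent)} crashes in {int(loop_window.total_seconds())}s"))
        elif ev.event_id == 7045 and "kernel mode driver" in f.get("ServiceType", "").lower():
            # Heuristic: a new driver service loading from a user-writable path is
            # the BYOVD pattern; one from the drivers directory still deserves review.
            path = normalize_driver_path(f.get("ImagePath", ""))
            rule = ("new kernel driver service" if path.startswith(DRIVER_DIR)
                    else "new kernel driver outside drivers dir")
            alerts.append((rule, f"{f.get('ServiceName')} -> {f.get('ImagePath')}"))
    return alerts


T0 = datetime(2022, 9, 16, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    Event(T0, 1, {"CommandLine": "cmd.exe /c taskkill /F /IM acmeedr.exe"}),
    Event(T0 + timedelta(seconds=2), 7034, {"ServiceName": "acmeedr"}),
    Event(T0 + timedelta(seconds=5), 1, {"CommandLine": "sc.exe config acmesensor start= disabled"}),
    Event(T0 + timedelta(seconds=8), 7036, {"ServiceName": "acmesensor", "State": "stopped"}),
    Event(T0 + timedelta(seconds=20), 7034, {"ServiceName": "acmeedr"}),
    Event(T0 + timedelta(seconds=38), 7034, {"ServiceName": "acmeedr"}),
    Event(T0 + timedelta(seconds=60), 7045, {"ServiceName": "KProcessHacker3",
          "ImagePath": "C:\\Users\\Public\\kprocesshacker.sys",
          "ServiceType": "kernel mode driver", "StartType": "demand start"}),
    Event(T0 + timedelta(seconds=65), 7045, {"ServiceName": "acmefilter",
          "ImagePath": "\\SystemRoot\\System32\\drivers\\acmefilter.sys",
          "ServiceType": "kernel mode driver", "StartType": "boot start"}),
    Event(T0 + timedelta(seconds=70), 7036, {"ServiceName": "Spooler", "State": "stopped"}),
    Event(T0 + timedelta(seconds=80), 1, {"CommandLine": "net stop Spooler"}),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:45} {detail}")
```

The 7036 "stopped" case is worth keeping separate from 7034: a clean stop is what an attacker with admin rights gets from sc or net stop, and it is exactly the case SCM failure actions do not cover. The kernel-driver rule is a heuristic, not proof of BYOVD; on a real host it should be joined with the driver's signer from a Sysmon driver-load event.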


TARGETED TAMPERING

Cybercrime groups acquire popular security software, both free and premium, and
research how it works. They often find product-specific bugs that let them
terminate it gracefully. Another way to terminate some security products is to
hijack their execution flow by abusing a DLL hijacking vulnerability; one
example is the McAfee antivirus vulnerability discovered in 2019.

Unfortunately, the security solutions with the greatest market share are more
prone to tampering than those of smaller vendors. Attackers also plan for
recovery mechanisms. In the recent Industroyer2 attack against a Ukrainian
energy provider, ESET Research found: “Before connecting to the targeted
devices, the malware terminates a legitimate process that is used in standard
daily operations. In addition to that, it renames this application by adding
.MZ to the filename. It does so in order to prevent automatic restart of this
legitimate process.”

When red teams evaluate tampering, they usually start with termination from a
user-mode application, or manually shutting down specific processes. The quote
above illustrates that real attackers are more sophisticated and account for
recovery options.


KERNEL MODE VS. USER MODE TAMPERING

Much has been written about preventing process termination from user-mode
applications such as Process Explorer, Task Manager, PowerShell, and Process
Hacker.

Process Hacker ships with a signed kernel-mode driver (KProcessHacker) that
gives it enough access to terminate any user-mode process. Unfortunately, the
same driver can be loaded by malware for the same purpose, since the kernel
checks the driver's signature, not who loads it. This attack technique is
called Bring Your Own Vulnerable Driver (BYOVD).



Not much information exists today about kernel-mode tampering. As cybercrime
groups become more sophisticated, recent attacks show malicious code reaching
the lower levels of the operating system. Code that runs in kernel mode is
trusted code with extensive system permissions: it can terminate processes,
remove the kernel callbacks that security products rely on to observe process,
thread, and image activity, and in some cases modify the actual behavior of the
Windows kernel. Microsoft introduced PatchGuard (Kernel Patch Protection) on
64-bit Windows to deal with kernel hooking. However, it is still not
bulletproof and does not protect against tampering with every kernel structure,
so a malicious driver still has room to blind a security product.


ENSURING ANTI TAMPERING IN CYBER SECURITY IS EFFECTIVE

To assess a security tool's anti-tampering effectiveness, some things to test
include: whether its processes can be terminated by various tools (Task Manager,
command-line utilities, PowerShell, Process Hacker with its driver), whether its
services can be stopped and whether they restart afterwards, whether its files
can be modified or renamed on disk, and whether protection remains active when
the machine is booted in Safe Mode. Run these tests from an administrator
account on a test machine, since that is the position a real attacker will be
in.
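One way to run the checks in the paragraph above against a product on a Windows test machine, as an added example that is not Morphisec's or any vendor's code. It assumes placeholder names for the product's service, process and binary, that it runs from an elevated prompt on a disposable machine, and that `sc qfailure` prints the layout shown in the constructed sample at the bottom. Nothing is killed: the process probe only asks for a PROCESS_TERMINATE handle and closes it, and the rename is reverted immediately. The Windows-only calls live inside the probe functions, so the parser and the scoring can be exercised anywhere.

```python
import csv
import ctypes
import io
import os
import subprocess
import sys

# Assumed placeholders for the product under test, not a real product.
SERVICE = "acmeedr"
PROCESS = "acmeedr.exe"
BINARY = r"C:\Program Files\AcmeEDR\acmeedr.exe"

PROCESS_TERMINATE = 0x0001
ERROR_ACCESS_DENIED = 5


def parse_failure_actions(sc_output):
    """Parse `sc qfailure <service>` output into (reset_period, [actions])."""
    reset, actions = None, []
    for line in sc_output.splitlines():
        line = line.strip()
        if line.startswith("RESET_PERIOD"):
            value = line.split(":", 1)[1].strip()
            reset = int(value) if value.isdigit() else value
        elif line.startswith("FAILURE_ACTIONS") or (actions and "--" in line):
            part = line.split(":", 1)[1] if line.startswith("FAILURE_ACTIONS") else line
            action = part.split("--")[0].strip()   # RESTART, REBOOT or RUN PROCESS
            if action:
                actions.append(action)
    return reset, actions


def find_pid(image_name):
    """PID of the product process from `tasklist`, or None if it is not running."""
    out = subprocess.run(["tasklist", "/FI", f"IMAGENAME eq {image_name}", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    for row in csv.reader(io.StringIO(out)):
        if len(row) > 1 and row[0].lower() == image_name.lower():
            return int(row[1])
    return None


def probe_terminate(pid):
    """Ask for PROCESS_TERMINATE without using it. A protected (PPL) process, or a
    product that filters handle requests, answers ACCESS_DENIED even to an admin."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    h = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
    if h:
        k32.CloseHandle(ctypes.c_void_p(h))
        return "granted"
    return "denied" if ctypes.get_last_error() == ERROR_ACCESS_DENIED else "error"


def probe_rename(path):
    """Rename the binary (the Industroyer2 '.MZ' trick) and put it straight back."""
    tmp = path + ".MZ"
    try:
        os.rename(path, tmp)
    except (PermissionError, FileNotFoundError):
        return "denied"
    os.rename(tmp, path)
    return "renamed"


def probe_safeboot(service):
    """Safe Mode only starts services listed under the SafeBoot registry keys."""
    import winreg
    found = []
    for mode in ("Minimal", "Network"):
        key = f"SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\{mode}\\{service}"
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            found.append(mode)
        except FileNotFoundError:
            pass
    return found


def assess(results):
    """Turn probe results into findings; an empty list means every check passed."""
    findings = []
    if results["terminate"] == "granted":
        findings.append("admin can open the process with PROCESS_TERMINATE")
    if results["rename"] == "renamed":
        findings.append("binary can be renamed on disk, which defeats SCM restart")
    if "RESTART" not in results["failure_actions"][1]:
        findings.append("no SCM restart action configured")
    if not results["safeboot"]:
        findings.append("service does not start in Safe Mode")
    return findings


def run_audit():
    """Collect all probes on a live Windows test machine (run elevated)."""
    sc = subprocess.run(["sc", "qfailure", SERVICE], capture_output=True, text=True).stdout
    pid = find_pid(PROCESS)
    return {"terminate": probe_terminate(pid) if pid else "not running",
            "rename": probe_rename(BINARY),
            "failure_actions": parse_failure_actions(sc),
            "safeboot": probe_safeboot(SERVICE)}


# Constructed sample of `sc qfailure` output, used to exercise the parser offline.
SAMPLE_SC_OUTPUT = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: acmeedr
        RESET_PERIOD (in seconds)    : 86400
        REBOOT_MESSAGE               :
        COMMAND_LINE                 :
        FAILURE_ACTIONS              : RESTART -- Delay = 1000 milliseconds.
                                       RESTART -- Delay = 1000 milliseconds.
                                       RUN PROCESS -- Delay = 5000 milliseconds.
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        for finding in assess(run_audit()) or ["no tampering gaps found"]:
            print("FINDING:", finding)
    else:
        print(parse_failure_actions(SAMPLE_SC_OUTPUT))
```

A passing result here only covers user-mode tampering from an administrator account; it says nothing about a driver loaded into the kernel, which is the case the next section is about.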

As mentioned earlier, another factor to be aware of is, perhaps
counter-intuitively, the size of the security vendor. Products from small
vendors are far less likely to have been researched for tampering than those
from large vendors, while open source EDRs are an easy target. For example,
OpenEDR can easily be terminated with Process Hacker, despite its self-defense
feature.

Security vendors need to stay alert to tampering with their products. The
industry would benefit if security vendors collaborated with operating system
vendors to standardize a unified anti-tamper mechanism: an agreed way for an
operating system to identify trusted security solutions and treat them as
system critical. MITRE also has a couple of very important recommendations for
vendors.

Morphisec takes protecting its products from tampering very seriously. Our
products and services are hardened against tampering, and we are always looking
for new ways to strengthen the integrity of our endpoint solutions. To learn
more about Morphisec's Moving Target Defense technology, which stops
cyberattacks in memory at runtime, please contact us.

