Through its research labs, Quick Heal Technologies has come across a new malware sample that is able to breach the advanced threat protection offered by sandbox-based gateway appliances. According to the lab’s findings, the malware can successfully work its way around a sandbox gateway appliance to reach a user’s email inbox without detection.
The malware named APT-QH-4AG15 was first detected in the Philippines, where it targeted the country’s financial institutions. Detailed analysis of the malware sample by Quick Heal reveals that it had been designed to infect highly protected networks, with several anti-virtual machine and anti-sandbox schemes implemented within it.†
“While the network breaches of the last few years have raised concerns about the effectiveness of endpoint security protection, future breaches are also sure to raise questions about the reliability of sandbox gateway appliances for preventing advanced persistent threats (APTs),” says Sanjay Katkar, CTO, Quick Heal Technologies.
According to a post on the company’s blog, over the past few years spear phishing attacks via highly targeted messages have been the primary attack vector of successful data breaches, and more than 90 percent of attacks on enterprise networks are the result of spear phishing methods. This has led to the rise of sandbox-based gateway appliances, which offer advanced malware detection for incoming emails. These solutions launch incoming email attachments in a secure virtual environment to monitor their runtime behavior.
“The early success of many sandbox-based appliances can be attributed to the fact that malware variants were never designed with such protection mechanisms in mind,” says Katkar. “Instead, these samples were focused toward breaching traditional antivirus and firewall solutions. This enabled them to breach traditional security solutions with zero-day attacks very frequently. But now that the use of these APT sandbox-based appliances is on the rise in the enterprise, new malware variants are being designed with the aim of penetrating this specific protection mechanism.”
“The best defense is layers of robust protection – from the network to the endpoints and across all mobile devices†– with continuous updates made to ensure that all levels of protection are current. For small to midsize enterprises (SME), working closely with IT service providers who are well versed in the latest threat protection strategies and solutions will add a strong measure of added protection as well,” says Farokh Karani director North American Sales and Channels, Quick Heal Technologies.
In addition to the blog post, a report describing the company’s initial findings is available as a complimentary download on the Quick Heal website.
