

    Re-thinking About Your Endpoint Security Strategy Against New Threats

    August 4, 2023

    Target: Consumers

    Tags: Zero-Trust, Isolation, Policy, CDR, Trust No File

    On July 16, 2023, researchers at DOCGuard [1] uncovered an instance of a ZIP Bomb malware attack. Despite being scanned by 61 different detection vendors on VirusTotal, only one initially flagged the malicious file. A ZIP Bomb, colloquially known as a decompression bomb or zip of death, is a malicious archive file engineered to cripple or even crash the program or system that attempts to access it. Its prime use is typically to disable antivirus software, thereby paving the way for additional malware threats to breach the system.

    At the time of this article’s writing, the detection ratio has slightly improved to 10 out of 61 engines. While it is important to note that no detection method is infallible or offers 100% accuracy, this instance serves as a crucial reminder for security professionals. It highlights the persistent need for vigilance, and how critical it is to continually reassess and recalibrate endpoint security strategies in an era where threats are both diverse and highly sophisticated. However, the ZIP Bomb is just one case; many other evasive attacks using various file formats target the endpoint. The attacks may come from browsing, file downloads, file sharing, removable media, and email messages.

    The Problem with Malware Detection

    Malware detection relies on identifying known patterns, signatures, and behaviors associated with malware, and may use advanced Artificial Intelligence (AI) detection engines. However, this model struggles with newer and more innovative forms of malware that are designed to evade detection. For instance, the ZIP Bomb mentioned above is a prime example of such a threat, demonstrating the challenge in detecting harmful payloads disguised or hidden within compressed files. This highlights the need for a change in thinking, away from sole reliance on detection-based defenses toward proactive and isolation-oriented defenses, and the need to add them to your security stack.
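To show what a defender-side check for this class of file looks like, here is an added Python example (not code from the original post and not BUFFERZONE's). It inspects an archive's central directory for the tell-tale expansion ratio and for nested archives, and then, because those declared sizes sit in attacker-controlled headers, enforces a hard cap while actually decompressing. The thresholds and the two test archives are constructed for the example.

```python
import io
import zipfile

# Policy thresholds for this example (assumed values, not BUFFERZONE settings).
MAX_RATIO = 100                      # allowed expansion factor per entry
MAX_TOTAL_BYTES = 64 * 1024 * 1024   # allowed total uncompressed size per archive
NESTED_SUFFIXES = (".zip", ".7z", ".rar", ".gz", ".bz2", ".xz")


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory (no extraction) and flag bomb indicators:
    extreme per-entry expansion, huge declared totals and nested archives."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: expansion {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                findings.append(f"{info.filename}: nested archive, recursive expansion risk")
    if total > MAX_TOTAL_BYTES:
        findings.append(f"declared total {total} bytes exceeds {MAX_TOTAL_BYTES}")
    return {"declared_total": total, "findings": findings, "suspicious": bool(findings)}


def safe_read_entry(zf: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int = MAX_TOTAL_BYTES) -> int:
    """Decompress one entry in chunks and abort as soon as the output exceeds the declared
    size or the cap. Declared sizes can be forged, so this streaming guard, not the header
    check, is what actually bounds memory and disk use."""
    produced = 0
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            produced += len(chunk)
            if produced > info.file_size or produced > cap:
                raise ValueError(f"{info.filename}: output exceeded limit at {produced} bytes")
    return produced


def extraction_blocked(data: bytes, cap: int) -> bool:
    """True if safe_read_entry refuses any entry of the archive under the given cap."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                safe_read_entry(zf, info, cap)
            except ValueError:
                return True
    return False


def build_sample(bomb: bool) -> bytes:
    """Constructed test archives: 8 MiB of zeros (deflate shrinks it roughly 1000:1)
    versus ordinary text that compresses only a few times over."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if bomb:
            zf.writestr("payload.bin", b"\x00" * (8 * 1024 * 1024))
        else:
            zf.writestr("report.txt", "".join(f"line {i}: quarterly numbers\n" for i in range(200)))
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("bomb", build_sample(True)), ("benign", build_sample(False))):
        print(label, inspect_zip(data))
```

The header check is cheap and catches the classic single-layer bomb; the streaming cap is what protects you when the header lies or when the bomb is nested several layers deep, and it should wrap every recursive unpacking step.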

    Introducing Application Isolation and Advanced Policy

    Endpoint security has seen a transformative approach through the introduction of application isolation, a method deeply rooted in the zero-trust model. This strategy aims to quarantine individual applications or programs from the broader system environment, effectively containing any potential threats and preventing their interaction with other “trusted” applications within the organization or the underlying system. This significantly curtails the possible ramifications of a security breach.

    Consider, for instance, a web browser operating within this isolated environment. In a web-based attack, malicious activity is restricted within this isolated sphere, preventing any potential spread to the operating system or other applications. Therefore, even if a sophisticated piece of malware like a ZIP Bomb eludes initial detection, the damage it could inflict is confined to the isolated environment, neutralizing the threat.

    Underpinning this approach is the integral role of endpoint security policies. These policies help to shrink your attack surface, reducing the areas where your organization may be vulnerable to cyber threats and attacks. For example, application control settings can be employed as a proactive defense, limiting the types of applications users can run and controlling the code that executes in the system’s core, the kernel. This level of regulation over application behavior minimizes overall exposure to potential threats. Furthermore, BUFFERZONE’s proprietary firewall enables efficient control of the endpoint’s network communication.

    Taking this a step further, policies such as those enabled by BUFFERZONE can provide even greater specificity and control. For instance, they can allow applications based on a specific verified file certificate, enabling the use of Microsoft’s proprietary applications while denying access to others, or block all user-downloaded applications altogether. This nuanced approach to application isolation further elevates the effectiveness of endpoint security.

    Summary

    In conclusion, given the rapidly evolving nature of cyber threats, adopting a security strategy that combines robust policy enforcement with application isolation is an effective approach. It allows an organization to not only defend against known threats but also mitigate the potential impact of unknown threats that evade traditional detection methods. This combination shifts the security paradigm from reactive detection to proactive containment, providing a more resilient defense against emerging threats.

    References

    [1] DOCGuard, Zip Bomb Analysis.

    The Beginners Guide – Preventing the Invisible Malware What Is Steganalysis and How CDR can improve Our Security (Part-2)

    July 31, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust

    In our initial blog post, we explored the technique employed by malware authors to hide malicious code within images, known as steganography. In this post, we focus on the advanced detection techniques known as steganalysis. We will delve into the limitations of these tools and explore how the innovative approach of zero-trust Content Disarm and Reconstruction (CDR) prevention can address these challenges. Our upcoming blog (Part-3) will provide insights into reverse engineering evasive malware discovered within images.

    Steganalysis refers to the field of study and techniques used to detect the presence of hidden information within digital media, such as images, audio files, or videos, that has been concealed through steganography. Steganography involves the covert embedding of data within a carrier medium, making it imperceptible to casual observers. Steganalysis aims to uncover and analyze the hidden data, identify the steganographic algorithms or methods used, and determine if a given media file contains hidden information. It involves the application of statistical analysis, signal processing, machine learning, and other computational methods to reveal the presence of steganography and distinguish between innocent media and steganographic content. Steganalysis plays a crucial role in digital forensics, security, and counterintelligence, providing means to detect covert communication and potential malicious activities.

    Steganalysis Methods

    Muralidharan et al. [1] provide a detailed survey of state-of-the-art image steganalysis. We can divide steganalysis into three categories:

    1. Statistical Analysis: Statistical analysis is a fundamental approach in steganalysis. It involves analyzing the statistical properties of images to detect hidden information. Common techniques include histogram analysis, spatial domain analysis, and frequency domain analysis [4].
    2. Machine Learning-Based Methods: With the advent of machine learning algorithms, steganalysis has witnessed significant advancements. Various machine learning models, such as support vector machines (SVM), artificial neural networks (ANN), and deep learning architectures, have been applied to steganalysis tasks. These models learn from a vast amount of data and can detect subtle patterns indicative of steganography.
    3. Rich Model Features: Steganalysis methods can leverage rich model features to enhance detection accuracy. These features encompass higher-level image characteristics, such as texture, color, and spatial relationships. By extracting and analyzing these features, steganalysis algorithms can effectively distinguish between regular and steganographic images.

    However, steganalysis is far from perfect, and the following limitations exist:

    1. Single Dataset Limitation: Many steganalysis methods are created, tested, and utilized only on a single dataset [1]. This can lead to a lack of versatility, potentially limiting the effectiveness of these methods when faced with different datasets. The methods might fail to generalize well across diverse scenarios and image collections, which may affect their real-world applicability.
    2. Specificity of Targeted Steganography Schemes: The paper [1] points out that many steganalysis methods seem to target only specific steganography schemes. This means that while they might be effective in detecting and analyzing certain steganographic methods, they might be inefficient or entirely ineffective against others. This narrow focus might limit the overall effectiveness of such steganalysis methods.
    3. Difficulty with Advanced Steganography Methods: The paper [1] highlights that some steganography techniques, such as coverless and Generative Adversarial Networks (GAN) based steganography, are not adequately countered by current steganalysis methods. These more advanced methods present a significant challenge for steganalysis, indicating that the field may struggle to keep pace with the evolution of steganography techniques.
    4. High Embedding Rates: Steganography techniques that employ a high embedding rate can pose challenges for steganalysis. When a large amount of data is hidden within an image, it becomes more difficult to detect the presence of hidden information, and steganalysis algorithms may struggle to differentiate between legitimate image noise and the embedded data, especially if the original image is unknown.
    5. Adaptive Steganography: Adaptive steganography techniques dynamically adjust the embedding process based on specific image characteristics. These methods can evade traditional steganalysis methods by exploiting vulnerabilities in the detection algorithms. As a result, detecting adaptive steganography becomes a daunting task for steganalysis systems.
    6. Low-Bit Attacks: Attackers employing low-bit steganography techniques embed a minimal amount of data into the cover image. This method aims to stay below the detection threshold of steganalysis algorithms, making the hidden information less noticeable. Steganalysis methods optimized for higher embedding rates may fail to detect such subtle alterations, rendering them ineffective against low-bit attacks.

    Steganalysis is a trust-based detection solution, and because of the drawbacks above, evasive malware can bypass it. As a result, zero-trust prevention based on CDR is needed.

    How Does Image Content Disarm and Reconstruction Work?

    A recent study [2] examines an alternative approach for neutralizing steganography and malware attacks within images. Our method is similar in that it also relies on transcoding.

    Image transcoding involves converting an image file from one format to another, which may entail modifying the resolution, color depth, and format of the image data. In the broader context of digital media, transcoding refers to the direct conversion of encoding between different formats [2].

    Transcoding is typically performed when the target device lacks support for the original image format or has limited storage capacity, necessitating a reduction in file size [2]. For instance, a high-resolution JPEG file might be transcoded into a lower resolution PNG file for improved website loading speed due to its smaller file size.

    The process of image transcoding consists of two steps. Initially, the original data is decoded into an intermediate uncompressed format, after which it is encoded into the desired target format. This transcoding process can be either lossy or lossless. In lossy transcoding, certain information is lost during the conversion, resulting in a potential degradation of image quality. This method is commonly employed when the target device has limited storage capacity. Conversely, lossless transcoding retains all information and preserves image quality [2]. Typically, scaling modifications are utilized during transcoding.

    It is important to note that transcoding differs from compression and trans-muxing/rewrapping. Compression involves reducing file size without altering the format, while trans-muxing/rewrapping changes the container format while keeping the data intact [2].

    In summary, image transcoding plays a vital role in modern digital workflows by facilitating the conversion of images to the most suitable format for their intended use. It enables consistent viewing of image content across a diverse range of devices with varying capabilities and constraints [2].

    Image Content Disarm and Reconstruction (CDR) employs transcoding and scaling techniques to fortify image files against evasive steganography and concealed metadata. This approach generates a new image file with a different format, devoid of metadata and extraneous information. The transcoded file can later be converted back to the original format. Transcoding has been proven as a secure measure against malware attacks [2].
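To illustrate the decode-then-re-encode step on a format simple enough to handle by hand, here is an added Python example (not code from the original post, not BUFFERZONE's, and not the method of [2]). It uses the binary PGM format as a stand-in for real image formats: the parser reads exactly the declared raster, so header comments (metadata) and any bytes appended after the pixels never reach the encoder; the optional 2x2 box resample is one assumed lossy scaling step that destroys pixel-level noise. The sample image, its comment and the appended “hello world” are constructed for the example.

```python
import re


def decode_pgm(data: bytes):
    """Parse a binary PGM (P5). Returns (width, height, pixels, trailing), where trailing is
    whatever follows the declared raster. Header comments are consumed and discarded: they
    are metadata, not image content, and this is where PGM lets extra text hide."""
    pos, fields = 0, []
    while len(fields) < 4:                         # magic, width, height, maxval
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":              # comment runs to end of line
            nl = data.find(b"\n", pos)
            pos = len(data) if nl == -1 else nl + 1
            continue
        m = re.match(rb"[^\s#]+", data[pos:])
        if not m:
            raise ValueError("truncated PGM header")
        fields.append(m.group(0))
        pos += m.end()
    if fields[0] != b"P5":
        raise ValueError("not a binary PGM")
    width, height, maxval = (int(f) for f in fields[1:])
    if maxval != 255:
        raise ValueError("only 8-bit samples handled here")
    pos += 1                                       # single whitespace byte before the raster
    n = width * height
    raster = data[pos:pos + n]
    if len(raster) != n:
        raise ValueError("raster shorter than declared")
    return width, height, list(raster), data[pos + n:]


def box_resample(pixels, width, height):
    """Assumed lossy scaling step: average each 2x2 block and stretch it back to size.
    Visible content survives; pixel-level noise (where LSB payloads live) does not.
    An odd last row or column is left untouched by this simple version."""
    out = list(pixels)
    for y in range(height // 2):
        for x in range(width // 2):
            i = 2 * y * width + 2 * x
            avg = (pixels[i] + pixels[i + 1] + pixels[i + width] + pixels[i + width + 1] + 2) // 4
            for dy in (0, 1):
                for dx in (0, 1):
                    out[i + dy * width + dx] = avg
    return out


def encode_pgm(width, height, pixels) -> bytes:
    """Emit a fresh canonical header (no comments) followed by exactly width*height bytes."""
    return b"P5\n%d %d\n255\n" % (width, height) + bytes(pixels)


def cdr_pgm(data: bytes, rescale: bool = True) -> bytes:
    """Decode, optionally resample, re-encode. Metadata and trailing bytes are dropped
    simply because the encoder never sees them."""
    width, height, pixels, _trailing = decode_pgm(data)
    if rescale:
        pixels = box_resample(pixels, width, height)
    return encode_pgm(width, height, pixels)


def build_sample() -> bytes:
    """Constructed 8x8 PGM: a gradient raster, a comment in the header, and a string
    appended after the raster (the appended-text trick described in Part-1 of this series)."""
    raster = bytes(range(0, 256, 4))               # 64 pixels, 0..252
    return b"P5\n# operator note: nothing to see here\n8 8\n255\n" + raster + b"hello world"
```

The security property comes from the structure of the pipeline, not from recognising anything malicious: whatever is not pixel data has no path into the new file. The same idea carries over to PNG or JPEG, where the decoder likewise yields only pixels and the encoder writes only the chunks or segments it needs.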

    Summary

    The prevalence of steganography attacks is escalating [3], and present detection methodologies exhibit notable limitations. Consequently, Content Disarm and Reconstruction (CDR) emerges as a dependable solution, assuring absolute security without substantial visual alterations [1]. Therefore, integrating CDR into your security infrastructure merits consideration.

    Pictorially, the images below represent a ‘before’ and ‘after’ application of CDR, with the former on the right and the latter on the left. It is discernible that there are no visual discrepancies perceptible to the naked eye.

    To encapsulate, adopting a zero-trust approach to file prevention demonstrates remarkable efficiency and efficacy in countering elusive threats that traditional detection methods may overlook.

    In the next blog we will reverse engineer malicious images.

    References

    [1] Muralidharan, T., Cohen, A., Cohen, A., & Nissim, N. (2022). The infinite race between steganography and steganalysis in images. Signal Processing, 108711.

    [2] Belkind, E., Dubin, R., & Dvir, A. (2023). Open Image Content Disarm and Reconstruction. https://arxiv.org/abs/2307.14057

    [3] Security Boulevard. Steganography in Cybersecurity: A Growing Attack Vector. https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/

    [4] Muralidharan, T., Cohen, A., Cohen, A., & Nissim, N. (2022). The infinite race between steganography and steganalysis in images. Signal Processing, 108711.

    The Beginners Guide – Preventing the Invisible Malware How Steganography Works (Part-1)

    July 20, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust

    Throughout this blog series, we will delve into the following topics: understanding steganography (part 1), exploring steganalysis and enhancing prevention techniques (part 2), and unraveling the process of disarming and reversing malicious malware concealed within image metadata (part 3).

    Image steganography is a technique that can hide evasive code in plain sight, such as within an image file. The practice of concealing messages or information within another non-secret text or data, referred to as the “carrier,” allows malicious actors to compromise devices just by hosting an image on a website or sending an image via email [1].

    This process becomes particularly effective as digital images are merely streams of bytes, like any other file. As a result, they become an excellent medium for concealing secret text and other data. When people open a picture on a device, they seldom look beyond the visual presentation displayed to see what lies hidden inside the image file format [1].

    One simple method of image steganography is appending a string to the end of the file or inside the image metadata information. This action does not prevent the image from being displayed normally nor change its visual appearance. For example, appending “hello world” to the end of the file does not alter the image, but the output from the hex dump shows the extra bytes added. A program can easily read the plain text string [1].

    In more complex methods, malware can be injected into digital photos that appear to be perfectly normal, a process known as steganography. The technique takes advantage of the hidden data that comes with an image, which is not necessarily translated into pixels on your screen. Malware code can be embedded in an image in many ways, including attaching it to the end of a file, tweaking individual bits of the code, or changing the metadata associated with the file [1].
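The hex-dump observation above can be turned into a check. Here is an added Python example (not code from the original post and not BUFFERZONE's) that parses a PNG chunk by chunk, the way a decoder does, and reports what the viewer never shows: metadata chunks, chunks whose CRC does not match, and any bytes after IEND. The tiny 2x2 PNG, its tEXt comment and the appended “hello world” are constructed for the example; trailing bytes are a signal worth a closer look, not proof of malware on their own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks that carry free-form or binary metadata rather than pixels.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"iCCP"}


def scan_png(data: bytes) -> dict:
    """Walk the chunk list exactly as a decoder would, stop at IEND, and report what a
    viewer would never show: metadata chunks, CRC mismatches and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks, metadata, bad_crc = [], [], []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated: no IEND chunk")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + payload):
            bad_crc.append(ctype)          # chunk was edited, or bytes were stuffed past a length field
        chunks.append(ctype)
        if ctype in METADATA_CHUNKS:
            metadata.append((ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = len(data) - pos
    return {
        "chunks": chunks,
        "metadata": metadata,
        "bad_crc": bad_crc,
        "trailing_bytes": trailing,
        "suspicious": trailing > 0 or bool(bad_crc),
    }


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_sample_png(append_payload: bool) -> bytes:
    """Constructed 2x2 8-bit grayscale PNG with a tEXt chunk and, optionally, the string
    “hello world” appended after IEND, as in the hex-dump example in the post."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)   # width, height, depth, gray, 0, 0, 0
    raw = b"\x00\x10\x20" + b"\x00\x30\x40"                # filter byte 0 + 2 pixels, per row
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"tEXt", b"Comment\x00operator note")
           + png_chunk(b"IDAT", zlib.compress(raw))
           + png_chunk(b"IEND", b""))
    return png + b"hello world" if append_payload else png
```

Note what this check cannot see: a payload spread across the least significant bits of IDAT pixels is perfectly valid PNG structure, which is exactly why the post moves on to steganalysis and to CDR rather than stopping at structural checks.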

    However, injecting malware into an image is not as simple as it may first seem. There are two main challenges:

    • Image Distribution: Steganography in digital media often requires subtly manipulating the image’s pixels or metadata to encode the malicious code. This manipulation is not visually perceptible to the human eye but can cause havoc when decoded by the machine. Yet, this process becomes even more challenging when sharing these manipulated media files via social media networks. These platforms often resize, recompress, strip metadata, and sometimes crop or color-correct images. These manipulations restructure the image and may disarm the attack, challenging the attackers [1].

    • Execution: Although image files carry malware, they cannot automatically infect the system when opened. The exploitation occurs when there is a software vulnerability that the hidden malicious code can exploit, or the user enables an embedded macro that triggers the malware. For example, please review our previous blog about

    Therefore, while image steganography serves as a potential medium for malware delivery, the complexity of execution and the need for certain user actions or system vulnerabilities make it challenging as an attack vector; however, from recent attacks, we see malware steganography on the rise [2].

    How a Steganography Attack Works

    Steganography is the process of concealing secret information within an ordinary, non-secret file or message to avoid detection. The two most common image steganography methods are the Least Significant Bit (LSB) method and the method based on style transfer.

    1. Least Significant Bit (LSB) Method

    The Least Significant Bit (LSB) method is the most common and simplest form of image steganography. This method involves altering the least significant bit of the pixel values in a digital image. In this process, the cover image is selected, and the least significant bits of the pixel values are replaced with the bits from the secret data.

    The basic idea behind the LSB method is that changes to the least significant bits of the pixel values will have a minimal effect on the color and appearance of the image. This makes the alterations to the image hard to detect for the human eye.

    The LSB method can be used with diverse types of images, including grayscale, colored, and true color images. The amount of data that can be hidden using this method depends on the size and type of the image. For further reading about state-of-the-art LSB steganography attacks, see the paper by Liu et al. [3].

    2. Image Steganography based on Style Transfer

    Recently, a novel approach to image steganography has been proposed which makes use of neural networks and style transfer techniques. Style transfer is a process that manipulates a digital image or video to adopt the visual style of another image.

    In this method, the secret message is embedded into the cover image while the image’s style is being transformed. The secret information is integrated into the latent representation of the cover image to generate the steganography images. The steganography images generated this way are indistinguishable from normal stylized images. This method leverages the power of neural networks and takes advantage of the complex transformations involved in style transfer to hide the secret message [4].

    The two methods have their advantages and disadvantages. The LSB method is simple and easy to implement but can be vulnerable to steganalysis techniques if not done properly. On the other hand, the style transfer-based method can provide high security, but it requires more computational resources and a deeper understanding of neural networks and style transfer techniques.

    Summary

    To sum up, image steganography serves as a valuable and invisible asset for threat actors, whether for concealed communication or for hiding malicious code. Given the progress made in technology and the emergence of advanced techniques such as style transfer-based steganography, the future of image steganography appears promising and remains an essential field of study [4], and its use by threat actors is on the rise.

    In our upcoming blog post, we will explore the concept of steganalysis (the detection of steganography) and its inherent limitations. Furthermore, we will present Content Disarm and Reconstruction as a potential solution to overcome these limitations.

    References

    [1] Ran Dubin Image steganography (TODO – add link)

    [2] Security Boulevard, Steganography in Cybersecurity: A Growing Attack Vector

    https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/

    [3] J. Liu et al., “Recent Advances of Image Steganography with Generative Adversarial Networks,” in IEEE Access, vol. 8, pp. 60575-60597, 2020, doi: 10.1109/ACCESS.2020.2983175.

    [4] Hu, Donghui, et al. “Image Steganography based on Style Transfer.” arXiv preprint arXiv:2203.04500 (2022).

    [5] https://arxiv.org/pdf/2307.14057.pdf

    Outsmarting The Chameleon: Preventing Polymorphic Attacks with Safe Workspace®

    June 26, 2023

    Target: Cybersecurity specialist

    Tags:  Malware, Polymorphic, Generative AI (Artificial Intelligence), Zero-trust, Application Isolation

    Polymorphic malware is a malicious software variant that possesses the capability to alter, or “morph,” its own code without affecting its core functionalities or characteristics. This special attribute enables it to slip past antivirus and other security software, positioning it as a particularly formidable and stealthy form of cyber threat. Here is a step-by-step overview of its operation:

    1. Infiltration: Polymorphic malware usually initiates its attack similarly to conventional malware – it may coax a user into clicking a malicious link, downloading a compromised file, or opening a deceptive attachment harboring the malware.
    2. Activation: Following successful infiltration, the malware springs into action, carrying out its malevolent deeds. These may span a wide spectrum, including pilfering confidential data, encrypting files for a ransom demand, or even establishing a backdoor for remote system access.
    3. Metamorphosis: The distinguishing feature of polymorphic malware lies in its subsequent action. Post-activation, it employs a range of techniques to mutate its code. These can encompass changing variable names, adjusting execution paths, adopting varying encryption methods, or even rearranging the order of instructions, all while preserving the original malicious intent.
    4. Proliferation: The malware, having metamorphosed, then disseminates its newly transformed variant to other systems. Its fresh code rendering is often unrecognizable to security software, thereby evading detection. With each new infection, the malware continues its process of transformation, thereby generating countless unique variants.

    Central to the polymorphic malware’s operation is an intricate piece of code called the mutation engine. Its role is to rewrite the malware’s code with each propagation instance. As it persistently alters its identifiable traits while its malicious payload remains unchanged, the polymorphic malware can bypass traditional signature-based detection strategies. This attribute presents it as a persistent, ever-evolving threat in the cybersecurity realm.

    The Past & Future of Polymorphic Malware

    The first polymorphic virus, named 1260 or V2PX, was detected in the 1990s. It was part of a research program aiming to reveal the limitations of antivirus scanners at that time. While it was designed to serve as a warning, it inadvertently inspired a wave of criminal activity exploiting its capabilities. Since then, countless polymorphic viruses have been created [2].

    Some well-known examples of polymorphic malware include:

    1. The Storm Worm: This was a multi-layered attack where users were tricked into downloading a Trojan via social engineering techniques. The Trojan would infect the computer and turn the system into a bot. This campaign disrupted internet service to hundreds of thousands of users, infecting more than a million endpoints [2].
    2. VirLock: Known as the first example of polymorphic ransomware, VirLock spread through shared applications and cloud storage. It acted as typical ransomware, restricting victim access to the endpoint and altering files [2].

    Polymorphic viruses present a significant challenge to cybersecurity, as their mutating nature makes them difficult to detect with traditional security tools. As noted, nearly all malware attacks today involve some form of polymorphic techniques [2]. The continued evolution and proliferation of such viruses underline the need for robust and innovative cybersecurity measures.

    The future of polymorphic malware is here. HYAS [3], a threat intelligence company, released a proof of concept for polymorphic generative AI malware called BlackMamba. This PoC malware is a type of polymorphic keylogger created using ChatGPT, demonstrating the potential risk posed by artificial intelligence in the creation of polymorphic malware [3].

    What Can We Do?

    While modern organizations are armed with advanced detection systems, the threat of zero-days and elusive malware remains a significant concern, affecting organizations worldwide. At BUFFERZONE®, we passionately believe in the power of simplicity and clarity in deploying effective security controls to protect an organization.

    While it is possible to limit user access to activities such as browsing, file downloads, and opening attachments – all major potential attack vectors – this approach would drastically hinder the user experience at work. Thus, our security strategy takes a markedly different direction.

    BUFFERZONE® Safe Workspace® is a comprehensive suite of preventive tools rooted in application isolation technology. It comprises Safe Browsing, SafeBridge® (featuring Content Disarm and Reconstruction (CDR) capabilities), and Safe Removable (for USB attack prevention), all fortified with clipboard security. A kernel driver forms the Safe Workspace® virtual container, which virtually bifurcates the operating system into two logical areas.

    The first area, known as the trusted zone, is linked to all an organization’s networks and the operating system’s files. The second area, deemed the untrusted zone, serves as a buffer where various applications can operate securely, isolated from the trusted zone’s memory, files, registry, and processes.

    This innovative approach provides several benefits, including minimal CPU and memory usage, a high-quality user experience, and the ability to work seamlessly within the virtual container, oblivious to the protective shield against browsing and USB threats.

    BUFFERZONE® stands alone as the only virtual containment solution operating based on six patented technologies. Utilizing Safe Workspace® safeguards you from phishing attacks, malicious downloaded files, and potentially dangerous email attachments and links (via an Outlook extension). In our view, security should be straightforward and user-friendly.

    Security should be simple – do not pass what you do not trust!

    Try us now!

    References:

    [1] The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center, Top 10 Malware Q1 2023, https://www.cisecurity.org/insights/blog/top-10-malware-q1-2023.

    [2] CrowdStrike, What is a polymorphic virus? Detection and best practices, https://www.crowdstrike.com/cybersecurity-101/malware/polymorphic-virus/

    [3] Jeff Sims, BlackMamba: Using AI to Generate Polymorphic Malware, https://www.hyas.com/blog/blackmamba-using-ai-to-generate-polymorphic-malware

    OneNote Malware Attack Prevention Using Content Disarm and Reconstruction

    June 5, 2023

    Target: Cybersecurity professionals

    Tags: Microsoft Office, OneNote, Content Disarm & Reconstruction, Zero-Trust

    Microsoft OneNote [1] is a versatile application included in the Microsoft Office suite, designed for effortless information collection and seamless multi-user collaboration. It allows users to capture and organize their thoughts, ideas, and notes in a free-form manner. OneNote organizes information into pages, which are grouped into sections within notebooks.

    OneNote offers extensive functionality, enabling users to enhance their notes with multimedia recordings, file attachments, scripts, and hyperlinks. This versatility empowers users to create dynamic and interactive content within their notebooks.

    However, it’s important to be cautious while using OneNote due to emerging security concerns. Recently, there has been an increase in the delivery of OneNote malware via email, as reported by Proofpoint [2]. Malware authors have exploited the file format associated with OneNote, which uses the extension “.one.” As a result, it is crucial to exercise caution when handling OneNote files received via email or other external sources to prevent potential security risks.

    Figure 1 illustrates the file format structure based on the specification [1]:


    Figure 1. The figure is taken from [1].

    The OneNote file structure is described in Figure 1: a “Section” is a container for a specific set of pages, metadata, and properties; the metadata and properties are included in the section name. A “Page” is a container for user-defined content consisting of text, lists, tables, page titles, images, and note tags. An “Outline” is a container for most user-defined content such as text, lists, and tables. A “Property Set” is a collection of properties representing some content. A “File Data Object” is a binary data block containing pictures, embedded files, or audio/video content. A “Notebook” is a collection of Section files stored in the same directory.

    Recently, a Microsoft researcher known as Malwrologist released an open-source OneNote analyzer called pyOneNote [6]. The library makes it simple for researchers to analyze the file:

    pyonenote -f 9c337d27dab65fc3f4b88666338e13416f218ab75c4b5e37cc396241c225efe8.one -o malonenote

    It will open all embedded objects inside the malonenote folder, as shown in Figure 2.


    Figure 2. pyOneNote embedded files output.

    We can observe that file_0.png and file_2.png are the lure images that try to convince the user to click and run the command line script (file_1.cmd), as shown in Figure 3.


    Figure 3. Main Lure image extracted from OneNote file.

    Lure images are frequently employed in malware attacks to deceive users into clicking on malicious links, disabling security measures, and disregarding alerts. Despite the existence of notifications that aim to alert users upon clicking, research indicates that users often overlook them.

    Malware can adopt various hiding techniques, such as concealing itself within file metadata [3], utilizing embedded images through steganography [4], residing within embedded files [2], or leveraging hyperlinks to redirect to remote sites [5]. Since detection methods are not 100% accurate, we at BUFFERZONE® advocate for a zero-trust approach to file security through Content Disarm and Reconstruction (CDR). CDR operates by comprehending the file format and all its potential attack vectors. Consequently, a CDR solution must sanitize different metadata sections of the file, disarm images, and recursively apply CDR to embedded objects like documents based on a predefined policy that disarms/sanitizes or removes suspicious content.
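The last sentence above describes a policy applied to each embedded object. Here is an added Python example of what such a policy looks like over a folder of objects like the one pyOneNote produced in Figure 2 (not BUFFERZONE's rule set, not pyOneNote's code, and not code from the original post). The point it adds is that the decision is made on each object's leading bytes rather than on its file extension, so an executable renamed to .png is still removed. The policy table and the sample directory are constructed for the example.

```python
import os
import tempfile


def classify(blob: bytes) -> str:
    """Classify an extracted object by its leading bytes, never by the name it arrived with."""
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob.startswith(b"MZ"):
        return "pe"                     # Windows executable, whatever the extension says
    if blob.startswith(b"%PDF-"):
        return "pdf"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"                    # also OOXML documents, which need their own CDR pass
    if blob.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"                    # legacy Office container
    head = blob[:512].lower()
    if any(tok in head for tok in (b"@echo", b"cmd /c", b"powershell", b"wscript", b"<script")):
        return "script"
    return "unknown"


# Example policy (assumed for this illustration, not BUFFERZONE's actual configuration).
POLICY = {
    "png": "sanitize", "jpeg": "sanitize",                 # images: transcode and keep
    "pdf": "recurse", "zip": "recurse", "ole": "recurse",  # documents: apply CDR recursively
    "pe": "remove", "script": "remove",
    "unknown": "remove",                                   # zero-trust default: not understood, not passed on
}


def apply_policy(extract_dir: str) -> dict:
    """Walk a directory of extracted objects and return {file name: (kind, action)}.
    Objects whose action is 'remove' are deleted; the others are left for the next stage."""
    decisions = {}
    for name in sorted(os.listdir(extract_dir)):
        path = os.path.join(extract_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            kind = classify(fh.read(4096))
        action = POLICY[kind]
        decisions[name] = (kind, action)
        if action == "remove":
            os.remove(path)
    return decisions


def remaining_files(extract_dir: str) -> list:
    """Sorted names still present after the policy ran."""
    return sorted(os.listdir(extract_dir))


def build_sample_dir() -> str:
    """Constructed stand-in for the Figure 2 listing: two PNG lure images, a .cmd script
    and an executable hiding behind an image extension. Contents are placeholders."""
    d = tempfile.mkdtemp()
    samples = {
        "file_0.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "file_1.cmd": b"@echo off\r\nrem constructed placeholder, not a real lure\r\n",
        "file_2.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "file_3.png": b"MZ" + b"\x00" * 62,      # PE header behind a .png name
    }
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return d


if __name__ == "__main__":
    folder = build_sample_dir()
    for name, decision in apply_policy(folder).items():
        print(name, decision)
    print("kept:", remaining_files(folder))
```

In a real pipeline the “sanitize” and “recurse” actions hand the object to the image transcoder and to the matching document CDR respectively, and the whole walk is repeated on whatever those stages produce, which is the recursion the post refers to.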

    As depicted in Figure 4, applying BUFFERZONE® CDR disarmed the embedded images and removed the malicious script (the CMD file).


    Figure 4. PyOneNote output after CDR
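    The recursive, policy-driven disarm described above, as an added example that is neither BUFFERZONE's nor pyOneNote's code: a Python carver that locates each embedded File Data Object in a .one byte blob by the FileDataStoreObject header and footer GUIDs from the MS-ONE specification [1], refuses to trust a declared length that is not followed by the footer, classifies the payload, and overwrites anything outside an allow-list in place so the note keeps its structure. The classification table, the allow-list policy, and the sample bytes are assumptions constructed for this example; the sample is not a real OneNote file, only the object framing.

```python
import struct
import uuid

# GUIDs framing a FileDataStoreObject (the "File Data Object" of the post),
# taken from the MS-ONE specification [1]; they are stored little-endian.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HDR_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Hypothetical policy for this example: recognise content by magic bytes and
# allow-list images only; anything else embedded in the note is neutralised.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}
ALLOWED = {"png", "jpeg"}
PLACEHOLDER = b"[removed by CDR policy]"


def classify(data):
    """Cheap content-type guess: magic bytes first, then printable text = script."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "script"  # the .cmd lure from the post would land here
    return "unknown"


def carve_objects(blob):
    """Return [(data_offset, length, kind)] for every well-formed FileDataStoreObject."""
    objects = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1 and pos + HDR_LEN <= len(blob):
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HDR_LEN
        end = start + length
        # Do not trust cbLength blindly: the footer must follow the data
        # (allowing for up to 8 bytes of alignment padding) inside the buffer.
        footer_at = blob.find(FDSO_FOOTER, end, end + 24) if end <= len(blob) else -1
        if footer_at == -1:
            pos = blob.find(FDSO_HEADER, pos + 1)
            continue
        objects.append((start, length, classify(blob[start:end])))
        pos = blob.find(FDSO_HEADER, footer_at + 16)
    return objects


def disarm(blob, allowed=ALLOWED):
    """Rebuild the container with disallowed payloads overwritten in place.

    Keeping every object's length unchanged means no offset elsewhere in the
    file moves, so the note still opens; only the payload is gone.
    """
    out = bytearray(blob)
    report = []
    for start, length, kind in carve_objects(blob):
        if kind in allowed:
            report.append((kind, "kept"))
        else:
            out[start:start + length] = (PLACEHOLDER + b"\0" * length)[:length]
            report.append((kind, "removed"))
    return bytes(out), report


def build_fdso(payload):
    """Frame a payload as a FileDataStoreObject (used only to build the sample)."""
    pad = (-len(payload)) % 8
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + b"\0" * pad + FDSO_FOOTER)


# Constructed sample: not a real OneNote file, only the object framing above
# around a PNG-looking stub and a harmless batch script standing in for file_1.cmd.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\0" * 40
SCRIPT_STUB = b"@echo off\r\necho constructed sample\r\n"
SAMPLE = (b"\0" * 64 + build_fdso(PNG_STUB) + b"\0" * 16
          + build_fdso(SCRIPT_STUB) + b"\0" * 32)

if __name__ == "__main__":
    cleaned, report = disarm(SAMPLE)
    for kind, action in report:
        print(f"{kind:8s} {action}")
    print("size unchanged:", len(cleaned) == len(SAMPLE))
```

    The length check matters more than it looks: a carver that trusts cbLength alone can be steered past the end of the buffer or made to skip objects, which is exactly the kind of parser inconsistency an evasive file relies on. A production pipeline would also recurse into kept objects that are themselves containers (ZIP, PDF) rather than allow-listing by type as this example does.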

    Figure 5 demonstrates the outcome of the file after undergoing Content Disarm and Reconstruction (CDR), revealing that the modified file retains its similarity to the original while ensuring enhanced security. This aspect holds significant importance as CDR is consistently applied to every file, regardless of detection outcomes, ensuring a proactive security approach.

    With BUFFERZONE®, organizations can choose between automatic CDR for files or allowing users to work on files within the secure virtual isolation of the BUFFERZONE Safe Workspace™. Later, when a user wishes to transfer an untrusted file to the trusted zones within the organization, this can be effortlessly accomplished using BUFFERZONE SafeBridge® along with its CDR capabilities.


    Figure 5. The resulting OneNote main lure image after CDR is similar to the original lure image but is secured.

    References:

    [1] https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-one/73d22548-a613-4350-8c23-07d15576be50

    [2] https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware

    [3] https://techunwrapped.com/how-cybercriminals-hide-malware-in-photo-metadata/

    [4] https://www.bleepingcomputer.com/news/security/worok-hackers-hide-new-malware-in-pngs-using-steganography/

    [5] https://answers.microsoft.com/en-us/msoffice/forum/all/security-warnings-for-hyperlinks-in-onenote-365/886d448c-7a62-45d4-8ebe-fd42be6c8c1d

    [6] https://github.com/DissectMalware/pyOneNote

    What Is Content Disarm and Reconstruction?

    May 4, 2023

    Tags: Malware Analysis, CDR, Zero-Trust, Detection 

    Audience Tag: Feature Spotlight 

    Over 92% of cyber-attacks start with seemingly harmless emails or links. According to a report [1], the number of new malicious files per day has increased by 5.7%, reaching a staggering 380,000 new malicious files per day. With detection methods not being 100% foolproof, a new file security solution is urgently needed. 

    The ever-increasing volume of malicious files being circulated poses a significant threat to organizations. Cybercriminals are constantly finding new ways to disguise malware and evade detection, making it crucial for organizations to adopt advanced security measures. Relying solely on traditional antivirus software and other conventional security measures may not provide adequate protection against these rapidly evolving threats. 

    To effectively combat this growing menace, organizations need innovative solutions that reduce the attack surface, and Content Disarm and Reconstruction (CDR) is one such solution. CDR takes a proactive approach by dissecting files and documents, analyzing their components, and reconstructing them without the potentially harmful elements. By neutralizing potential threats in files, CDR helps prevent malware from infiltrating systems through evasive lure emails, links, or file attachments. 

    In the following Figure we can observe a typical file that contains different attack vectors. 

    Fig. 1 Typical document illustration that contains attack vectors [2]. 

     The attack vectors may be hyperlinks, macros, known exploits, images and other media components. 
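    The "disarm and reconstruct" step applied to one of the vectors just listed, images, as an added example that is not BUFFERZONE's code and not the method of the cited paper [2]: a PNG sanitizer in Python that parses the chunk list, verifies every length and CRC, keeps only the critical chunks and rebuilds the file, so metadata chunks and anything appended after IEND do not survive. The policy (keep critical chunks only) and the 1x1 sample image are assumptions constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks a decoder needs to render the pixels. Everything else (tEXt, iTXt,
# zTXt, eXIf, tIME, ...) is metadata that a disarm policy can drop.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def iter_chunks(data):
    """Yield (type, body) for each chunk, verifying lengths and CRCs.

    Raises ValueError on anything malformed: a CDR pipeline should reject a
    file it cannot fully parse rather than pass it through.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body_at, crc_at = pos + 8, pos + 8 + length
        if crc_at + 4 > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        body = data[body_at:crc_at]
        (crc,) = struct.unpack_from(">I", data, crc_at)
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC on {ctype!r}")
        yield ctype, body
        if ctype == b"IEND":
            return  # bytes after IEND (appended payloads) are never visited
        pos = crc_at + 4
    raise ValueError("missing IEND")


def chunk(ctype, body):
    """Serialise one chunk with a freshly computed CRC."""
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc


def sanitize_png(data):
    """Rebuild the image from its critical chunks only.

    Returns (new_png, dropped_chunk_types). Ancillary chunks and trailing data
    after IEND are gone; pixel data is copied byte for byte, so pixel-level
    steganography would need a re-encode, which this example does not do.
    """
    kept, dropped = [], []
    for ctype, body in iter_chunks(data):
        if ctype in CRITICAL:
            kept.append(chunk(ctype, body))
        else:
            dropped.append(ctype)
    return PNG_SIG + b"".join(kept), dropped


def is_valid_png(data):
    """True when the whole chunk list parses cleanly up to IEND."""
    try:
        list(iter_chunks(data))
        return True
    except ValueError:
        return False


# Constructed sample: a 1x1 greyscale PNG carrying a text chunk and junk
# appended after IEND, two of the places where content is commonly hidden.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
SAMPLE = (PNG_SIG + chunk(b"IHDR", IHDR)
          + chunk(b"tEXt", b"Comment\0constructed metadata")
          + chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
          + chunk(b"IEND", b"")
          + b"TRAILING-PAYLOAD")

if __name__ == "__main__":
    clean, dropped = sanitize_png(SAMPLE)
    print("dropped:", dropped, "bytes removed:", len(SAMPLE) - len(clean))
```

    Because the IDAT bodies are copied unchanged, the reconstructed image renders exactly like the original, which is the similarity property a CDR user cares about; the price is that anything hidden in the pixel values themselves is also preserved, so a stricter policy re-encodes the pixels instead of copying them.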

     While Content Disarm and Reconstruction (CDR) is an effective cybersecurity technique, it does have some limitations. During the disarm process, certain file objects may be removed and active components disabled, which can impact the functionality of the resulting file. However, recent academic research [2] has shown that CDR is highly effective in terms of malware disarm rate and is able to remove threats, based on detailed validation against the multiple antivirus engines aggregated by VirusTotal. 

    One concern with CDR technology is the similarity between the original file and the CDR-reconstructed file. Some studies have shown that the resulting files after CDR may be highly similar, which could raise concerns about potential residual threats. However, it is important to note that CDR solutions are continuously evolving, and newer techniques are being developed to mitigate this concern and improve the similarity between the original and reconstructed files. 

    Another limitation of CDR is that some solutions may require internet access (Software-as-a-Service or SaaS), which could raise concerns about privacy and data security. In certain scenarios, private files may be shared with third parties during the CDR process, which may not be desirable for organizations that prioritize data privacy and confidentiality. 

    It is important for organizations to carefully evaluate and choose CDR solutions that align with their specific security requirements and risk tolerance. While CDR can be a valuable addition to a comprehensive cybersecurity strategy, it is essential to be aware of its limitations and choose solutions that offer the right balance between security and functionality and comply with privacy and data protection requirements. 

     BUFFERZONE SafeBridge™ CDR 

    Currently, Content Disarm and Reconstruction (CDR) solutions are typically deployed in either public cloud or private cloud environments. However, BUFFERZONE CDR stands out as the only vendor that runs CDR within a secure isolated container. This approach reduces latency, eliminates the need for special connectivity, and is cost-effective. 

    With BUFFERZONE CDR, downloaded files can be subjected to CDR automatically or on the user's request, since the user may prefer to work on the file inside the BUFFERZONE® secure container. Furthermore, BUFFERZONE offers a Microsoft Outlook email plugin that applies CDR to all incoming and outgoing emails according to the organization's configuration. This ensures that every email and downloaded file goes through CDR to remove potential threats and enhance security, without the need for any additional configuration. BUFFERZONE CDR works seamlessly with every downloaded file. 

    One of the key advantages of BUFFERZONE CDR is its integration with BUFFERZONE Safe Workspace®, without incurring any additional costs. This means that organizations can benefit from a comprehensive security solution that combines CDR with isolated workspace protection, providing a robust defense against cyber threats. 

    In conclusion, BUFFERZONE SafeBridge™ CDR offers a unique approach to content disarm and reconstruction: it runs within a secure isolated container on the host, as an integral part of BUFFERZONE Safe Workspace™. This provides organizations with a highly effective and efficient solution for securing downloaded files and emails, without the need for special connectivity or additional configuration. Although detection solutions exist, they are not 100% effective; as a result, organizations must reduce their attack surface through smart endpoint isolation and CDR. It is proven that CDR can provide an additional layer of defense and significantly improve the organization's defense methodology.  

     BUFFERZONE Safe Workspace® offers a novel and robust approach to content disarm and reconstruction, operating within a secure isolated container on the host. This innovative solution provides organizations with a highly effective and efficient means of securing downloaded files and emails, without the need for complex connectivity or additional configuration. While detection solutions may have limitations, organizations can augment their defense strategy by leveraging smart endpoint isolation and CDR, which has been proven to enhance overall security and significantly reduce the attack surface. 

    [1] Kaspersky, “New malicious files discovered daily grow by 5.7% to 380000 in 2021”, 2021.  https://www.kaspersky.com/about/press-releases/2021_new-malicious-files-discovered-daily-grow-by-57-to-380000-in-2021 

    [2] R. Dubin, “Content Disarm and Reconstruction of RTF Files A Zero File Trust Methodology,” in IEEE Transactions on Information Forensics and Security, doi: 10.1109/TIFS.2023.3241480.