When it comes to advanced threat protection many enterprises now a days are relying on Advanced Threat Protection sandbox based gateway appliances. Over past few years spear phishing attacks through highly targeted messages had been implemented in many data breaches. More than 90% of the successful attacks on enterprise networks are the result of spear phishing. This has given rise to a new breed of security solutions Sandbox based gateway appliance. These are advanced malware detection added to incoming emails in the form of easy to use sandbox appliance. This appliance processes each incoming email attachment by launching it in secure virtual environment and monitors its runtime behavior to detect if any malicious activity is being done. This approach did give good results and many of the zero-day Advanced Persistent Threats were successfully detected and blocked by this approach.
Does this mean it is end of APTs now or we don’t have to worry about breaches when implemented this security. The early success of these sandbox gateway appliances was because malwares were never designed with these protection mechanisms in mind. Most of the malwares only focused their efforts towards traditional anti-virus and firewall solutions to test and plan their attack which is why they were able to breach the traditional security with new zero day every time. Now that more and more enterprises are using the Advanced Threat Protection sandboxed based appliance, the newer malwares are being designed with aim to penetrate this protection mechanism and breach the network.
At Quick Heal Technologies Lab we have come across a new malware that was able to breach this sandbox appliance protection and land right into the user’s inbox, without getting noticed. Detail analysis of these samples revealed that they are more advanced threat designed to infect highly protected network with lot of anti-Virtual machine tricks and anti-sandbox tricks implemented in it. We call it APT-QH-4AG15 (as it was reported on 4th August).
We are further doing deep analysis of this APT threat and we will be releasing detail analysis report for it in next few days. With this APT attack which was able to breach through best of the sandbox appliance protection we can simply conclude that none of the protection approaches can be single out as best protection approach and one will need multiple layer protection approach to protect the networks. Last few years network breach have raised concerns if endpoint security gives enough protection on similar lines the future breaches will raise the question – Are the sandbox appliances reliable protection against the APTs?