Client-side attacks are nothing new, but the tools and techniques to execute them are getting better every day. This means the attacks are becoming easier to perform successfully and the increased success rate will fuel the desire for malicious attackers to continue using them for quite some time.

In traditional client/server architecture, the “client” is usually an operating system that the corporate end-user (employee) interacts with on a daily basis. These are often one of the various flavors of Microsoft’s operating systems found in networks today. The operating systems are usually loaded up with a bunch of fun applications required to help employees complete daily work tasks. Some example applications may include a PDF reader/writer, instant messenger application, and even commonly used applications such as Internet Explorer or Firefox web browsers.

These applications often contain vulnerabilities independent from the traditional operating system vulnerabilities we are so used to patching. Client-side attacks leverage the knowledge these vulnerabilities exist and make short work of running away with your company’s secrets.

How do the attacks work?

Well, this one is a tough one to answer – simply because there are so many ways they can work. Often the attacks will be used in conjunction with social engineering techniques by way of phishing or spear phishing attacks. These types of attacks are often delivered by using cleverly worded emails, sometimes with attachments such as Microsoft Word and PDF documents. Others emails can simply contain a few paragraphs of text and some hyperlinks. 

Let’s go through a couple quick examples of attacks:

Example 1:

You receive an email from what appears to be a legitimate user in your network. The email explains it is important for you to visit the new customer service link for your organization. You click on the link and are presented with a website appearing to be legitimate (malicious websites are pretty easy to make look legitimate). At this point, your system may have already been exploited and the attacker has access to your operating system. How you ask?

In this example, we assume you are not using the most recent version of your Internet Explorer or Firefox web browser. Unpatched browsers typically contain many vulnerabilities allowing attackers take full control of your system simply by having you visit a maliciously crafted website. This type of client-side attack is often referred to as a “browser-based” or “web-based”.

Upon visiting the malicious website, malicious code is executed taking advantage of a vulnerability present in your web browser. Potentially, the exploit used can “export” a system command prompt back to the attacker’s remote system via a reverse TCP connection. This connection allows the attacker to execute commands on the compromised systems under all the rights and privileges of the account associated with the victim’s web browser.

In case you were wondering, current techniques are very successful in bypassing egress filtering at the firewall. It is common for attackers to configure the payloads to appear as normal DNS or HTTP network traffic using standard ports which are not normally filtered as they leave your network.

Example 2:

You receive an email from what appears to be a legitimate user in your network. The email explains it is important for you to read the new HR policy in the attached PDF document. You open the document and start reading the contents of the document. At this point your system may have already been exploited and the attacker has access to your operating system. How you ask?

In this example, we assume you are not using the most recent version of Acrobat Reader. Many vulnerabilities have been identified in Acrobat Reader (and other PDF reader applications) allowing the attacker to successfully assume control of your computer without your knowledge. Similar to the last example, upon opening the document a system command prompt is exported to the waiting attacker.

It should be noted the attack does not always have to export a command prompt back to the attacker, but other tasks can be performed with the attacker’s payload. For instance, the attacker may simply generate a malicious payload that adds a user account to the local system. A little imagination goes a long way.

In most test cases, the local desktop anti-virus and firewalls do not detect the malicious activity at all. This is partially because some of the characteristics of the attacks may resemble normal system or network behavior and do not fall into the category of virus or malicious activities. This makes it a great reason to look closely at endpoint security configurations and solutions.

Defensive considerations

  1. First and foremost, always ensure your computer and applications are patched. Preventive controls and policies do pay and can help reduce the likelihood of the vulnerability being leveraged for a successful attack.
  2. Implement egress filtering to help prevent outbound connections to malicious websites and services using non-standard ports and protocols.
  3. Implement detection systems and log monitoring to help identify suspicious network activity.
  4. Educate employees on current attack trends and procedures to follow if they suspect they are a target of an attack.
  5. Review and adjust endpoint security controls to ensure they can identify malicious and suspicious activities.
  6. Enlist the help of a security assessment team to help you identify weaknesses and determine your organizations susceptibility to client-side attacks.