[Sponsored by: Palo Alto Networks]
Knowledge Is Power: Using Cyber Scrutiny To Defend Against Phishing Attacks
If you purchased an iPhone 6 recently, you probably received this email:
Some of you may have even clicked the “Verify Now” link and entered your Apple ID account information. I hope not, though, because this email is not from Apple. It’s a phishing email meant to trick recipients into giving sensitive information to the attacker who sent it.
This email illustrates two things:
- Attacks are more sophisticated as cybercriminals get smarter and craftier.
- An increased level of understanding regarding cyber attacks is needed, not just within the corporate community, but within the general public as well.
The market for enterprise network and cybersecurity products grows each year, highlighting the emphasis companies place on preventing modern threats from infiltrating their internal networks. However, that emphasis is almost entirely on technological preventative measures. Could an education in cybersecurity — who the attackers are, what they’re after, and the appropriate level of scrutiny that should be practiced — significantly bolster an enterprise’s cyber defense?
Yes. In 2011, RSA was the target of a spear phishing attack that succeeded because at least one employee opened the malicious attachment even after the spam filter had correctly placed the email in the “junk” folder. RSA suffered a data breach as a result.
“At least RSA’s SPAM filters were working, even if their social engineering training for employees was not.” – Avivah Litan, Gartner Analyst
More recently, a spear phishing attack targeting physicians at a Tacoma-based medical group led to the breach of 12,000 patient records. Emails were crafted to appear as though they were sent from the group’s parent company, and prompted targets to click on a link and enter their email account username and password. The group has since rolled out a company-wide phishing prevention program, including retraining the employees who fell for the initial phishing email.
Spear phishing attacks are:
Lucrative. The black market for stolen data is huge, estimated at multiple billions of dollars, which means the person or organization behind the attack may never use what they steal themselves; they can simply sell it. Unfortunately, this also makes them more difficult for authorities to track down.
Successful. Attackers take pains to make their targets fall for the scheme: they know what company and department you work for, what applications you use, who you report to, and what kinds of projects you’re likely working on. They know which job titles are likely to be uninformed about or unwary of potential threats. This makes spear phishing one of the most favored APT attack methods.
Simply a means of getting in. Once a target is duped into clicking a link, opening a file, etc., the attacker can carry out his mission, whether that is stealing personal information, using the target’s personal account to transfer money, or extracting intellectual property or insider information.
A real threat to both corporate and consumer spheres. Both have data that attackers want to use to make money, and most people who work for targeted companies have a home computer or mobile device for personal use that is not protected by enterprise network or endpoint security policies.
Recognizable… sometimes, if you know what you’re looking for.
- Check the sender’s email address to make sure it’s someone from whom you should be receiving emails. If you’re still not sure, email clients like Outlook and web mail applications like Gmail usually have an option to view the message with its headers included, so you can check that the “From” field matches the “Reply-To” field.
- Look for patterns of misspellings and incorrect grammar.
- Ask yourself whether the links and attachments in the message are information you expect from this sender and are work-related. Does the domain name or file name make sense? View the email with formatting turned off to see a link’s actual URL.
- Check the attachment’s file extension. Odds are that unless you’re in the IT or engineering department, you shouldn’t be receiving or opening file types with extensions .exe, .dll, .scr, or .class. According to Symantec, these file types were used in more than 50% of last year’s spear phishing attacks.
- If you’re still unsure that an email is legitimate, ask your company’s IT security folks.
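The checks in the list above can be automated at a mail gateway or in a triage script. The following is an added example, not code from the post or from Palo Alto Networks: it parses one message with Python’s standard `email` library and applies three of the checks (From versus Reply-To domain, attachment extension, and where each link actually points compared with the sender’s domain). The two messages it runs against are constructed for the example; the spoofed Apple sender, the `appleid-verify.example` lure domain and the `Invoice.scr` attachment are invented values, not indicators from the post.

```python
"""Automated version of the manual e-mail checks listed above (added example)."""
import os
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the post singles out as executables you should not be receiving by mail.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".class"}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs so a link's real target can be compared with what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of_address(header_value):
    """Domain part of an address header such as From or Reply-To; '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def same_org(host, domain):
    """True if host is the sender's domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def parse_message(raw):
    return message_from_string(raw, policy=policy.default)


def check_message(msg):
    """Return (code, detail) findings; an empty list means no heuristic fired."""
    findings = []
    from_dom = domain_of_address(msg["From"])
    reply_dom = domain_of_address(msg["Reply-To"])
    # Check 1: the visible sender and the address replies really go to should agree.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but replies go to {reply_dom}"))
    # Check 2: attachment file extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    # Check 3: where each link really points, regardless of its displayed text.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for text, href in collector.links:
            host = urlparse(href).hostname or ""
            if host and not same_org(host, from_dom):
                findings.append(("link-domain-mismatch", f"'{text}' -> {href}"))
    return findings


# Constructed messages for the example (not the one pictured in the post).
SAMPLE_RAW = """\
From: Apple Support <appleid@apple.com>
Reply-To: Apple Support <verify@appleid-verify.example>
To: customer@example.org
Subject: Verify your Apple ID now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/html; charset="utf-8"

<p>Your Apple ID will be locked unless you verify it.</p>
<p><a href="http://appleid-verify.example/login">Verify Now</a></p>
--sample-boundary
Content-Type: application/octet-stream; name="Invoice.scr"
Content-Disposition: attachment; filename="Invoice.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--sample-boundary--
"""

CLEAN_RAW = """\
From: Pat Smith <pat@example.org>
To: customer@example.org
Subject: Lunch
Content-Type: text/html; charset="utf-8"

<p>The agenda is on <a href="https://wiki.example.org/lunch">the wiki</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(label, check_message(parse_message(raw)))
```

The link check deliberately compares the link host with the From domain rather than with the displayed text, because a lure such as “Verify Now” carries no visible URL at all; a message from a legitimate sender whose links point to a third-party service will also be flagged, so treat the output as something for a human (or the IT security folks) to review, not as a verdict.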
Cyber best practices like these aren’t just for those who deal with security as part of their daily job duties. They need to be taught company-wide.
What kind of corporate policies and programs promote a healthy balance between paranoia and productivity?
I’ve heard of one corporate program where basic cybersecurity best practices are taught as part of the new hire training class for every employee. Another IT-run program periodically assesses its employees by sending fake phishing emails to different groups within the organization; those who fall for the faux scam by either opening an attachment or clicking a link are then required to take a cybersecurity seminar. The goal of these programs is to arm the company’s workforce with knowledge and deploy them as another layer of cyber defense.
Using the right tools to prevent attacks is key, and one of those tools is familiarity with the tactics cyber criminals are using and how to recognize and avoid them. What processes or programs have you seen put in place that educate employees and encourage cyber scrutiny?
[Palo Alto Networks Blog]
Tracking New Ransomware CryptoWall 2.0
The latest development in the ransomware world is CryptoWall 2.0, a new version of this malware family that uses the Tor network for command and control.
F-Secure was the first to spot this new version on October 1, but since then the attacks have ramped up and new variants of the malware are emerging daily. Our WildFire analysis platform has picked up 84 CryptoWall 2.0 variants since September 30, delivered primarily through e-mail attachments but also through malicious PDFs and web exploit kits.
CryptoWall 2.0 is similar to other ransomware attacks that have plagued users and businesses for nearly a decade. Once it is running on a system, CryptoWall 2.0 seeks out document files and encrypts them using the RSA encryption algorithm. The attacker holds the key needed to decrypt the files and will hand it over only if the victim pays a $500 ransom.
Unlike previous versions of CryptoWall, 2.0 communicates with its command and control (C2) server through the Tor anonymization network. This allows attackers to hide their communications and avoid having their C2 servers shut down, but it also makes the threat easy for organizations to block. CryptoWall isn’t the only threat that communicates over Tor, and if your network has no explicit reason to allow anonymization networks, you should consider blocking the application altogether at your firewall.
If your system has already been infected with CryptoWall 2.0, you’ll see a pop-up just like this one shortly after the malware has encrypted your documents.
Note that the attacker offers a few options for paying the ransom. The green box contains four links that work only for your system. These use four domains registered just today:
- torpaycash.com
- torpaycnf.com
- torpayeur.com
- torpayusd.com
All of the domains currently resolve to 151.248.115.146, a Russian IP address, and have WHOIS records associated with the e-mail address “ladomfichisi1987@mail.ru”. This is the same address used to register two other payment domains earlier this month:
- tor2pay.com
- tor4pay.com
If these domains are confiscated or otherwise shut down, CryptoWall instructs the user to download the Tor Browser and access a website (paytordmbdekmizq.onion) that is only accessible over the Tor network.
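The payment domains, the IP address they resolve to, the registrant e-mail address and the .onion site above are all usable as indicators. The following is an added example, not code from the post or from Palo Alto Networks, showing how a defender would sweep DNS, connection and proxy logs for them and pivot on the shared WHOIS registrant to find further domains. The log lines and the WHOIS records are constructed for the example and use an assumed `<time> <client> <kind> key=value` layout; only the indicator values themselves come from the post.

```python
"""Sweep network logs for the CryptoWall 2.0 payment infrastructure named in the post (added example)."""
import re
from urllib.parse import urlparse

# Indicators taken from the post above.
PAYMENT_DOMAINS = {
    "torpaycash.com", "torpaycnf.com", "torpayeur.com", "torpayusd.com",
    "tor2pay.com", "tor4pay.com",
}
PAYMENT_IP = "151.248.115.146"
ONION_SITE = "paytordmbdekmizq.onion"
REGISTRANT_EMAIL = "ladomfichisi1987@mail.ru"

# Constructed log lines in an assumed "<time> <client> <kind> key=value" layout.
SAMPLE_LOGS = """\
2014-10-24T09:12:01Z 10.0.0.15 dns query=www.torpayusd.com
2014-10-24T09:12:02Z 10.0.0.15 conn dst=151.248.115.146:80
2014-10-24T09:13:40Z 10.0.0.22 dns query=mail.example.org
2014-10-24T09:14:05Z 10.0.0.15 dns query=paytordmbdekmizq.onion
2014-10-24T09:15:11Z 10.0.0.31 conn dst=93.184.216.34:443
2014-10-24T09:16:00Z 10.0.0.15 proxy url=http://tor2pay.com/pay?id=deadbeef
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<kind>\w+) (?P<key>\w+)=(?P<value>\S+)$")


def matches_payment_domain(host):
    """Match the domain itself and any subdomain (www.torpayusd.com counts)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PAYMENT_DOMAINS)


def classify(key, value):
    """Return a verdict label for one log field, or None if it is not an indicator."""
    if key == "query":
        if matches_payment_domain(value):
            return "payment-domain-lookup"
        if value.lower().rstrip(".") == ONION_SITE:
            return "cryptowall-onion-lookup"
        # .onion names are never resolvable in public DNS, so a lookup in a DNS log
        # means a host tried to reach a Tor address outside Tor; worth a look on its own.
        if value.lower().endswith(".onion"):
            return "tor-hidden-service-lookup"
    elif key == "dst":
        if value.rsplit(":", 1)[0] == PAYMENT_IP:
            return "payment-ip-connection"
    elif key == "url":
        if matches_payment_domain(urlparse(value).hostname):
            return "payment-domain-url"
    return None


def scan_logs(lines):
    """Return (client, verdict, value) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout; a real pipeline would count these
        verdict = classify(m["key"], m["value"])
        if verdict:
            hits.append((m["client"], verdict, m["value"]))
    return hits


def infected_clients(hits):
    """Hosts that touched the payment infrastructure, i.e. candidates for isolation and restore."""
    return sorted({client for client, _, _ in hits})


# Constructed WHOIS records (not real WHOIS output) to show the registrant pivot.
SAMPLE_WHOIS = {
    "torpaycash.com": {"registrant_email": REGISTRANT_EMAIL, "resolves_to": PAYMENT_IP},
    "tor2pay.com": {"registrant_email": REGISTRANT_EMAIL, "resolves_to": PAYMENT_IP},
    "example.org": {"registrant_email": "hostmaster@example.org", "resolves_to": "93.184.216.34"},
}


def related_domains(whois, registrant_email):
    """Domains registered with the same contact address as the known payment domains."""
    wanted = registrant_email.lower()
    return sorted(d for d, rec in whois.items() if rec.get("registrant_email", "").lower() == wanted)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for hit in hits:
        print(*hit)
    print("isolate:", infected_clients(hits))
    print("same registrant:", related_domains(SAMPLE_WHOIS, REGISTRANT_EMAIL))
```

A client that both looks up a payment domain and connects to the payment IP has almost certainly already had its files encrypted, so the list from `infected_clients` is the restore-from-backup list rather than a block list; blocking the domains and IP at the perimeter stops payment traffic but does nothing for files that are already encrypted.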
Unlike some of its more flexible competitors, CryptoWall accepts ransom payments only in Bitcoin. To pay the ransom the user must acquire 1.33 Bitcoins and transfer them to a Bitcoin wallet tied to their specific infection.
History has shown that paying the ransom will likely let you retrieve your files, but the best defense against ransomware is keeping up-to-date backups or preventing the infection altogether.
Infection Vectors
Since we detected the first CryptoWall 2.0 variant with our WildFire engine on September 29, we’ve seen over 85,000 separate attacks attempting to deliver the malware. The majority of these have come through e-mails with executable attachments, sometimes contained in .zip files. Most of the e-mail attacks used fake invoice, fax and voicemail themes with attachments named like the following:
- Complaint_IRS-Id-12839182.scr
- fax00415741732781728.scr
- VOICE387-778-3454.zip
- CH_Import_Information.exe
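The lure names above share two traits a gateway can key on: an executable extension (.scr or .exe) and an invoice, fax or voicemail theme, with the executable sometimes wrapped in a .zip. The following is an added example, not code from the post or from Palo Alto Networks, that inspects an attachment in memory, descends into .zip archives (including a zip inside a zip, with a depth cap so a nested-archive bomb cannot run it indefinitely) and reports executables and lure-themed names. The attachment contents are constructed placeholder bytes; only the file names are the ones reported in the post.

```python
"""Inspect an e-mail attachment, including nested .zip archives, for executable lures (added example)."""
import io
import os
import re
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".class"}
# Themes the post reports for CryptoWall 2.0 lures; the lookarounds stop "irs" matching inside "first".
LURE_THEMES = re.compile(r"(?<![a-z])(complaint|irs|fax|voice|invoice|import)(?![a-z])", re.IGNORECASE)
MAX_DEPTH = 3                     # zip-inside-zip nesting allowed before we give up
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # do not inflate anything larger than this in memory


def inspect_attachment(name, data, depth=0):
    """Return (code, path) findings for one attachment; recurses into zip archives."""
    findings = []
    base = os.path.basename(name)
    if LURE_THEMES.search(base):
        findings.append(("lure-theme", name))
    if os.path.splitext(base)[1].lower() in EXECUTABLE_EXTENSIONS:
        findings.append(("executable", name))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append(("nested-too-deep", name))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(("oversized-member", member))
                    continue
                findings.extend(inspect_attachment(member, zf.read(info), depth + 1))
    return findings


def verdict(findings):
    """Policy: executables (at any depth) are blocked, themed-but-benign names get a human look."""
    codes = {code for code, _ in findings}
    if codes & {"executable", "nested-too-deep"}:
        return "block"
    if codes & {"lure-theme", "oversized-member"}:
        return "review"
    return "allow"


def build_sample_zip(members):
    """Build an in-memory zip from {member name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed attachments: placeholder bytes, not real programs; names are those from the post.
FAKE_PAYLOAD = b"placeholder bytes, not a real program"
SAMPLES = {
    "VOICE387-778-3454.zip": build_sample_zip({"VOICE387-778-3454.scr": FAKE_PAYLOAD}),
    "Complaint_IRS-Id-12839182.scr": FAKE_PAYLOAD,
    "report.zip": build_sample_zip({"inner.zip": build_sample_zip({"fax00415741732781728.scr": FAKE_PAYLOAD})}),
    "Q3_minutes.zip": build_sample_zip({"minutes.txt": b"Agenda: backups, patching"}),
}

if __name__ == "__main__":
    for attachment_name, blob in SAMPLES.items():
        found = inspect_attachment(attachment_name, blob)
        print(attachment_name, verdict(found), found)
```

Reading members with `zf.read` inflates them in memory, which is why the per-member size cap and the nesting cap are there; a production gateway would also hand anything that survives this triage to a sandbox such as the WildFire analysis the post mentions, since a clean-looking name says nothing about what the file does.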
In the last week we’ve seen the attack vectors evolve to include exploit kits as well. On October 19, Kafeine posted a blog discussing the inclusion of CVE-2014-0556 in the Nuclear Pack exploit kit, which was installing CryptoWall 2.0.
Yesterday we picked up an e-mail campaign pretending to be a fax report that carried a .zip attachment with a PDF inside. The PDF exploits CVE-2013-2729 to download a binary that also installed CryptoWall 2.0.
Protecting Yourself
The best way to protect yourself against ransomware is to keep up-to-date backups of your important files. A ransomware infection, which encrypts all of your files, is similar to a drive failure, except that for a small fee you have the chance to get your files back.
To protect against CryptoWall 2.0 we recommend taking the following actions:
- Block downloads of executable files from the web without specific user consent.
- Add a ‘continue’ page for all file downloads to remind users of the risk before they install potentially harmful software.
- Employ an advanced detection system (like WildFire) to analyze all incoming executables, PDF files, and Microsoft Office Documents.
- Consider blocking the Tor application completely within your network unless it’s absolutely necessary.
- Ensure that only necessary users have write-access to network shares. CryptoWall will encrypt files in network shares if the share is mounted at the time of infection and accessible to the logged-in user.
- Disconnect or unmount backup drives when they aren’t in use, as CryptoWall can also encrypt your backups.
- Consider deploying an end-point protection system (like Traps) that prevents exploitation of known and unknown vulnerabilities.
- Deploy IPS signatures to detect CVE-2014-0556 and CVE-2013-2729 exploitation. For Palo Alto Networks IPS users these include:
| Sig ID | Name | CVE ID |
| --- | --- | --- |
| 35811 | Adobe Reader Embedded BMP Parsing Integer Overflow Vulnerability | CVE-2013-2729 |
| 36762 | Adobe Flash Player Memory Corruption Vulnerability | CVE-2014-0556 |
| 36763 | Adobe Flash Player Memory Corruption Vulnerability | CVE-2014-0556 |
| 36764 | Adobe Flash Player Memory Corruption Vulnerability | CVE-2014-0556 |
| 36754 | Adobe Flash Player Memory Corruption Vulnerability | CVE-2014-0556 |
Got Advanced Endpoint Protection? Use Our New Documentation to Get Started!
Palo Alto Networks Advanced Endpoint Protection is a complete paradigm shift from identification to pure prevention. Our solution requires no definition updates, protects unpatched systems, requires no hardware, is compatible with all physical or virtual Windows platforms including terminals, VDIs, VMs, and embedded systems, protects all processes including third-party ones, and most importantly, doesn’t need prior knowledge of an attack in order to prevent it.
The Advanced Endpoint Protection solution uses a central Endpoint Security Manager to manage policy rules and distributes the security policy to endpoints in your organization. The Endpoint Security Manager communicates with the protection software, called Traps, that is installed on each endpoint in your organization.
To aid you in deploying Advanced Endpoint Protection in your network we have released the Advanced Endpoint Protection 3.1 documentation.
Advanced Endpoint Protection Release Notes
The Advanced Endpoint Protection Release Notes provide important information about Advanced Endpoint Protection 3.0 and 3.1 including new features, limitations, and known issues.
The Release Notes are available in both HTML and PDF formats.
Advanced Endpoint Protection Administrator’s Guide
The Advanced Endpoint Protection Administrator’s Guide provides comprehensive information for setting up your endpoint infrastructure. In addition, this guide provides best practices and instructions for installing Traps on the endpoints and provides instructions that detail how to use the Endpoint Security Manager to manage endpoint security policies and Traps settings.
Like the Release Notes, the Administrator’s Guide is also available in HTML and PDF formats.
Search the Advanced Endpoint Protection Documentation
You can search for Advanced Endpoint Protection content using the facets on the Document Search page. Use the Advanced Endpoint Protection product category to see all endpoint documentation and narrow your results by OS Version (3.0 or 3.1), Feature, and Information Type.
To view release note information, select the Release Note facet under Information Type. For information on a specific known issue, use the identification number to search.
Keep in Touch!
We hope the new Advanced Endpoint Protection documentation enables you to protect your endpoints with ease and confidence. Let us know what you think by leaving a comment below or by emailing us at documentation@paloaltonetworks.com.
Happy reading,
Your friendly Palo Alto Networks documentation team
[Palo Alto Networks Blog]
