The New Face of (ISC)² Elections


A Message from the Board Communications Committee on Board Elections

This year the (ISC)² Board of Directors election process emerges after a massive year-long facelift. Through the recommendations of last year’s Board of Directors and the tenacity of the (ISC)² Management team, this year marks an unprecedented shift as the organization adjusts election processes based on member feedback.

We really try to be problem-solvers, and with our emphasis on member service, making sure we aligned the election process to meet the changing demands of our membership was paramount this year. You asked, we listened, and we have some exciting changes to share.

This year’s election runs from November 16-30, 2014 and our goal is to have the highest number of members voting in history. Here’s what we’re doing to make that happen.

New official candidate forum.
First, you’ll have the opportunity to interact one-on-one with all the candidates through an open forum online. Members are encouraged to interact, ask questions and really engage with the candidates through this self-moderated platform. The forum is hosted on LinkedIn as a public group. With 260 million users across more than 200 countries, LinkedIn was an obvious choice for a professional discussion forum. You can access the (ISC)² Board of Directors Election Candidates’ Forum through (ISC)² Election Central or directly on LinkedIn. You told us seeing bios and profiles on a website didn’t provide enough background on the candidates, and we agree! This new forum offers the platform to dive in to tough issues and get more background on your Board of Directors candidates. You can subscribe to email digests for the group or specific discussions, and you can post directly on the group 24×7.

Election Central.
Second, you’ll have a central place to access all the relevant information for this year’s election. The team is pleased to present the first Election Central, a portal to access candidates’ bios, candidate social media links, details about the election process, and informative overviews of what it means to be a Board of Directors member at (ISC)². Instead of logging in and clicking through several pages and menus to find pieces of information, we’ve put it neatly in one central place for you. You can use Election Central as your primary resource throughout the election process.

New voting platform.
Third, the team has worked tirelessly to move voting to a hosted balloting system that provides end-to-end auditable voting. This change is no small task for an organization with 100,000 members! Although the integrity of the voting process in years past was extremely high, the Board of Directors and Management took the extra step to migrate to a fully hosted, auditable voting platform. Results will still be validated by a third party as they’ve been in the past. We believe this change adds an extra layer of security and transparency by distancing the organization from the ballots and adding yet another layer of validation. Not only is the platform hosted and secured, but it leverages single sign-on for a streamlined login and seamless experience for members.

You, the members.
Last, but most certainly not least, our secret weapon is you – the member. You have the power to transform the future and be an active participant in choosing your representation on the (ISC)² Board of Directors. We believe this year marks an unprecedented level of participation, care and attention to, from and by the members. It takes an active membership to make elections meaningful, and we hope you’ll find these new changes empower you to be an active participant this year.

Is our new system perfect? I’m sure it’s not. Theodore Roosevelt said, “In any moment of decision, the best thing you can do is the right thing. The worst thing you can do is nothing.” And so we are doing something, and we view this year as the first big step toward meeting member demand, increasing member engagement, and bridging the gap between you, the organization, and your Board of Directors. We hope you’ll take advantage of the new resources available to you during this year’s election and of course, we welcome feedback as we continue to learn and grow.

On behalf of the (ISC)² Board Communications Committee and your (ISC)² Board of Directors, we welcome you to the 2015 election and ask for your participation in helping us grow and transform the organization to meet the challenges of a new year!

Jennifer Minella, CISSP
Chair, Board Communications Committee
(ISC)² Board of Directors

[(ISC)² Blog]

Examining a VBA-Initiated Infostealer Campaign

While Microsoft documents that leverage malicious, embedded Visual Basic for Applications (VBA) macros are not a new thing, their use has noticeably increased this year, thanks in part to their simplicity and effectiveness.

Some threat actors commonly use this class of malware to drop a second stage payload on victim systems. Even though Microsoft attempts to mitigate this threat by disabling macros by default, the percentage of users who explicitly bypass this protection and enable macros remains high.

Exploiting the human factor, the most effective attacker strategy is the tried and true spear phishing attack, ideally made to look authentic by appearing to originate from a legitimate organization/individual and containing role-relevant or topic-of-interest content to entice its intended target. This post examines an information stealer campaign that leveraged a VBA macro script, focusing on its progression, from delivery to Command and Control (C2), and its attribution to a malicious actor for context on objectives and motivation.

Delivery and Exploitation

The recent campaign started with an email sent to an employee responsible for processing financial statements at a global financial organization (Figure 1). The sender’s email address was spoofed as originating from an energy company. Subsequent analysis would show that this façade was very thin; yet, it is often all that is required to encourage a user to open an attachment or click on a link that then executes malicious code.

Figure 1: Delivery of a phishing message containing malicious DOC file

The above e-mail employs common pressure tactics for phishing messages. Specifically, it touches on two areas of potential concern for a target: financial responsibility and the introduction of a state of uncertainty and confusion. In this case, the role of the target as a processor of financial statements might mean that the target is accustomed to receiving similarly structured legitimate e-mails; accordingly, they may open a malicious attachment without a second thought.

The second factor is much broader and relates to how humans deal with uncertainty. Without specific awareness and training, some users may be inclined to open the attachment, wondering why the e-mail was sent to them. In psychology, this is referred to as the “Need for Closure” personality trap.

The next layer of this attack is found within the malicious DOC file once a victim opens it. With a system properly configured to protect against automatic execution of VBA macros, no malicious code has been run at this point. Figure 2 presents a screenshot of the malicious attachment’s displayed contents.

Figure 2: Displayed contents of malicious DOC file, TTAdvise.doc

This content further compounds the two points of concern for the target, and now presents a convenient option of clicking on “Enable Content” to obtain closure on the matter. Despite a security warning (Figure 3), a number of users still choose to enable the content, allowing the malicious VBA macros to run on their system.

Figure 3: Often ignored Microsoft security warning against enabling macro content

After enabling macros, none of the promised data is shown to the victim; however, the malicious VBA macro script executes in the background without the user’s knowledge.

VBA Macro Script

The embedded VBA macro script is shown in Figure 4.

Figure 4: Embedded VBA macro script

This script operates as a downloader, pulling a second stage payload from the following URL (Note: at the time of this post, the referenced domain was no longer active):

hxxp://icqap.com/oludouble.exe

Installation and Persistence

Static analysis of the “oludouble.exe” binary is summarized in Figure 5.

Figure 5: Static analysis of downloaded second stage malware, oludouble.exe

Once executed, “oludouble.exe” drops two executables (Windows XP paths furnished):

  • C:\Documents and Settings\Administrator\Desktop\exchangepre.exe
  • C:\Documents and Settings\Administrator\Application Data\Windows Update.exe

Both binaries are exact copies (Figure 6).

Figure 6: Files dropped from second stage malware, oludouble.exe

The second stage malware also copies itself to the following directory (Windows XP) and deletes its original file:

C:\Documents and Settings\Administrator\Application Data\Temp.exe

Persistence (enabling the malware to reload after reboot and restart) is achieved through addition of the following registry key, set to the path for the “Windows Update.exe” binary (Figure 7):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update

Figure 7: Windows registry modification for persistence

Malware Capabilities

API calls extracted from “Windows Update.exe” (b6275be58a539ea9548d02ab6229c768) hint at its capabilities (Figure 8).

Figure 8: API calls found in “Windows Update.exe” binary

Based on these API calls, the malware appears to support enumeration of a variety of system information. Additionally, the use of “GetAsyncKeyState”, which obtains key press status, could be indicative of keylogging capabilities.

Further investigation and research revealed that this malware leverages the Predator Pain keylogger, a favorite tool of this threat actor. Overall, this malware functions as an information stealer (Infostealer), including capture and exfiltration of the following types of information:

  • Website credentials
  • Financial information
  • Chat session contents
  • Email contents

Command and Control (C2)

Once installed, this malware determines its Internet-facing IP address and then establishes a connection with the following domains:

  • whatismyipaddress.com
  • http://www.myip.ru
  • mail[.]rivardxteriaspte.co[.]uk
  • ftp[.]rivardxteriaspte.co[.]uk

The first two domains are legitimate public IP verification services. The latter two are C2 servers run by the malicious actor, which use SMTP and FTP communications, respectively.

Attribution

E-mail headers are a valuable source of intelligence when investigating these types of attacks (Figure 9).

Figure 9: E-mail headers for phishing message

In this example, when the victim opened the phishing message, it appeared to originate from a legitimate organization. However, closer inspection revealed that the sender address was spoofed through the ‘X-Env-Sender’ header. In an attempt to slide past cursory examination, the malicious actor used an open mail relay, server[.]edm.sg. Another important e-mail header field for this message is ‘Reply-To’, which contains a valid e-mail for this malicious actor:

cimaskozy(at)yahoo.com

Setting the ‘Reply-To’ email header field to a valid address is another common threat actor tactic. It supports elicitation activities by that actor should a target respond to the message (i.e., further social engineering). Yet, this technique should also present a red flag to a user, as the initial façade of the originating e-mail address is removed at that point.
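As an added example (not part of the original post, and not the analysts’ tooling), the checks described above can be automated for mail triage: compare the displayed From domain against the envelope sender recorded in X-Env-Sender and against Reply-To, and flag macro-capable attachments. The sample message below is constructed; every address and host in it is a placeholder.

```python
import email
import os
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the header pattern discussed above:
# a spoofed From, the envelope sender exposed by X-Env-Sender, and a
# Reply-To pointing at a webmail mailbox. All values are placeholders.
SAMPLE_MESSAGE = """\
From: Accounts Payable <statements@energy-supplier.example>
To: finance.clerk@bank.example
Reply-To: closure.request@webmail.example
X-Env-Sender: relayuser@open-relay.example
Subject: Statement discrepancy - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached statement.
--b1
Content-Type: application/msword; name="TTAdvise.doc"
Content-Disposition: attachment; filename="TTAdvise.doc"

(binary omitted)
--b1--
"""

# Legacy and macro-enabled Office formats that can carry VBA.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def header_findings(raw_message):
    """Return a list of triage findings for one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = sender_domain(msg["From"])
    env_dom = sender_domain(msg["X-Env-Sender"])
    reply_dom = sender_domain(msg["Reply-To"])

    # Envelope sender (MAIL FROM, as recorded by the receiving MTA) differs
    # from the displayed From domain: the visible sender is not who relayed it.
    if env_dom and env_dom != from_dom:
        findings.append("envelope-sender-mismatch")
    # Replies would go somewhere other than the apparent sender organization.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    # Attachments in formats that can embed VBA deserve a second look.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in MACRO_CAPABLE_EXTENSIONS:
            findings.append(f"macro-capable-attachment:{name}")
    return findings


if __name__ == "__main__":
    for finding in header_findings(SAMPLE_MESSAGE):
        print(finding)
```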

Research on the above email address reveals that this actor has been active in the cybercrime underground since at least 2010. Specifically, this actor goes by the handle “Skozzy” and is a known carder, seller of compromised credit card information, and facilitator of related services. Accordingly, we categorize “Skozzy” as primarily a cybercrime actor motivated by financial gain, although roles across nation state, cybercrime, hacktivist and ankle-biter/script kiddies are not mutually exclusive and – in fact – continue to become fuzzier over time.

Figure 10 is a screenshot of a YouTube post by “Skozzy” (skozzy11) from 2010.

Figure 10: YouTube post from “Skozzy”, 2010

Figure 11 is a screenshot from a Pastebin post, also from 2010.

Figure 11: Pastebin post from “Skozzy”, 2010

“Skozzy” is also active on HackForums[.]net and has shared thoughts and experiences related to keylogging tools like Limitless Logger and Predator Pain (Figure 12). Of particular note, the infostealer/keylogger tools that “Skozzy” prefers are able to steal much more than what has been observed so far for this actor.

Figure 12: Posts on HackForums[.]net regarding keyloggers

“Skozzy” also shares that Predator Pain is a preferred tool, as it offers great support (Figure 13).

Figure 13: “Skozzy” prefers the Predator Pain keylogger

Deeper analysis and correlation across domains and samples that we believe are related to this threat actor will be covered in subsequent blog content.

Conclusion

This case epitomizes how easy it has become to steal sensitive information from victims who fall prey to such campaigns. The associated tools can be bought online for less than $100, a price that often includes support packages rivaling those of mainstream commercial software.

Stolen information can be used for more than standard credit card fraud. The crossover between malicious actor objectives may include opportunistic aspects of cyber espionage, extortion, identity theft, intellectual capital theft, and much more. It is also important to note that none of the major anti-virus (AV) vendors detected this threat at the time it was delivered. The natural gap between creation of these threats and a corresponding signature for their detection by traditional AV remains a sweet spot for successful malicious campaigns. Therefore, it is increasingly important to properly architect and deploy network and endpoint protections to ensure thorough and effective defense of computing and information assets.

The Palo Alto Networks Enterprise Security Platform is a prime example of technology meant to address and minimize the risk associated with emerging threats. Learn more about the platform here.

[Palo Alto Networks Blog]

Web Security Tips: How PAN-DB Works

PAN-DB is our URL and IP database, designed to fulfill an enterprise’s web security needs. PAN-DB is tightly integrated into PAN-OS, providing Advanced Persistent Threat (APT) protection with high performance beyond traditional URL filtering.

Traditional URL filtering is intended to control unwanted web surfing, such as non-business or illegal sites, but it usually doesn’t cover up-to-the-minute malicious web sites such as newly discovered malware, exploit, or command and control sites. Let me explain how PAN-DB works for you.

How PAN-DB maximizes your URL lookup performance

Figure 1. PAN-DB classification and cache system

PAN-DB Core: The PAN-DB Core, located in the Palo Alto Networks threat intelligence cloud, has a full URL and IP database to cover web security needs.

Seed database: When PAN-DB is enabled on your firewalls, a subset of the full URL database is downloaded from the Palo Alto Networks threat intelligence cloud to the firewalls based on the selected geographic region. Each region’s subset includes the URLs most accessed in that region. This regional subset allows the firewalls to store a much smaller URL database, greatly improving URL lookup performance. You can also download a seed database by region to each firewall from our Panorama centralized management system.

Figure 2. Seed database by regions

Management plane cache: The seed database is placed into the management plane (MP) cache to provide quick URL lookups. The MP cache will pull more URLs and categories from the PAN-DB core as users access sites that are not currently in the MP cache. If the URL requested by a user is “unknown” to Palo Alto Networks, the URL will be examined, categorized, and implemented as appropriate.

Dataplane cache: A dataplane cache (DP) contains the most frequently accessed sites for quicker URL lookups.
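As an added illustration (this is not Palo Alto Networks code and does not claim to reproduce how PAN-OS is implemented), the following Python model walks through the three-tier lookup path just described: a regional seed populates the management plane cache, the dataplane cache keeps the most recently used entries, and a miss on both tiers goes to the core and is pulled into the MP cache. The core database, regions, categories, cache capacity, and the allow-unknown policy are all constructed for the model.

```python
from collections import OrderedDict

# Constructed stand-in for the PAN-DB core; the real database holds millions
# of entries. All URLs and categories here are made up.
CORE_DB = {
    "news.example": "news",
    "shop.example": "shopping",
    "bank.example": "financial-services",
    "malware-host.example/payload.exe": "malware",
    "mail.c2-host.example": "command-and-control",
}
# Constructed regional seeds: the most-accessed URLs for each region.
SEED_BY_REGION = {
    "north-america": ["news.example", "shop.example"],
    "europe": ["news.example", "bank.example"],
}
# Categories fed by WildFire that a web policy would block outright.
BLOCK_CATEGORIES = {"malware", "command-and-control"}


class TieredUrlLookup:
    """Model of the dataplane cache -> MP cache -> core lookup path."""

    def __init__(self, region, dp_capacity=2):
        # MP cache starts as the regional seed subset of the core database.
        self.mp_cache = {url: CORE_DB[url] for url in SEED_BY_REGION[region]}
        # DP cache keeps only a small set of recently used entries (LRU here).
        self.dp_cache = OrderedDict()
        self.dp_capacity = dp_capacity
        self.core_queries = 0  # how often we had to leave the firewall

    def lookup(self, url):
        """Return (category, tier that answered)."""
        if url in self.dp_cache:
            self.dp_cache.move_to_end(url)
            return self.dp_cache[url], "dataplane"
        if url in self.mp_cache:
            category, tier = self.mp_cache[url], "management-plane"
        else:
            # Miss on both caches: ask the core and pull the answer into MP.
            self.core_queries += 1
            category, tier = CORE_DB.get(url, "unknown"), "core"
            if category != "unknown":  # unknown URLs await classification
                self.mp_cache[url] = category
        if category != "unknown":
            self._promote(url, category)
        return category, tier

    def _promote(self, url, category):
        """Insert into the DP cache, evicting the least recently used entry."""
        self.dp_cache[url] = category
        self.dp_cache.move_to_end(url)
        if len(self.dp_cache) > self.dp_capacity:
            self.dp_cache.popitem(last=False)


def decide(resolver, url):
    """Policy decision for one request: (action, category, tier)."""
    category, tier = resolver.lookup(url)
    # Model policy: block the WildFire-fed categories, allow everything else
    # (including not-yet-classified URLs). Real deployments set this per policy.
    action = "block" if category in BLOCK_CATEGORIES else "allow"
    return action, category, tier
```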


Malicious URL database delivered from WildFire

Millions of URLs and IPs are classified in a variety of ways. In addition to the “Multi-language classification engine” and the “URL change request from users,” PAN-DB receives malicious URL and IP information from WildFire. Examples of the malicious URL and IP categories are shown below.

  • Malware Download URL and IP address: Prevents malware from being downloaded.
  • C&C URL and IP address: Disables malware communications.

The malicious URLs are generated as WildFire identifies unknown malware, zero-day exploits and APTs by executing them in a virtual sandbox environment.

PAN-DB blocks malicious URLs with low latency

PAN-DB has a fast URL lookup mechanism, so you get URL category information without sacrificing throughput.

The malicious URLs are generated as WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by executing them in a virtual sandbox environment. The ongoing malicious URL updates to PAN-DB allow you to block malware downloads and disable malware command and control communications.

By utilizing the malicious URL database, you can block a variety of malicious web access and communication without compromising web access performance.

To learn more about web security, please visit our resource page, Control Web Activity with URL Filtering.

[Palo Alto Networks Blog]

ISACA International President: Teamwork Fuels ISACA’s Spirit and Intensity

“It takes two flints to make a fire” has been attributed to noted author Louisa May Alcott and it truly symbolizes the teamwork that goes into delivering ISACA’s activities and resources, and specifically, the ISACA Journal. Thousands of members have shared their time and expertise with the Journal since it was introduced in 1973 as a quarterly publication named The EDP Auditor Journal.

Since then it has grown in size and circulation and has earned a reputation as a highly respected global peer-reviewed source of practical knowledge. The Journal is consistently rated as one of the top member benefits and value and satisfaction are high across all job functions and global regions. According to the ISACA Member Needs Survey, 83 percent of members are satisfied with the Journal and 81 percent believe it is of value to members.

A cover of the ISACA Journal from 2005

A cover of the ISACA Journal from 2014

This is possible only because of the dedication of article authors and other volunteers, including contributing editors and editorial reviewers, who have been instrumental every step of the way. Two of these volunteers hit milestones this year—Steve Ross is marking his 15th year as author of the Information Security Matters column and after volume 6 (and nine years of contributions) Tommie Singleton is retiring from writing the IS Audit Basics column. Both of these columns are widely read and respected and have contributed to the knowledge and lively debate among many ISACA constituents.

Steve and Tommie are great representatives of the many members around the world who volunteer their time and help propel ISACA’s valuable publications, events, translations, research, certification programs and other resources, which are created to serve our constituents. This teamwork is priceless and I thank you all for making ISACA a worldwide leader and innovator.

Robert E Stroud, CGEIT, CRISC, international president of ISACA

[ISACA]

Researcher Shows Why Tor Anonymity Is No Guarantee Of Security

Tor exit node in Russia spotted downloading malicious code.

Users of the Tor network now have one more reason to be cautious when using the service to browse the Internet or to download executable code anonymously.

A security researcher last week uncovered a malicious Tor exit node in Russia being used by unknown attackers to insert malicious code into files being downloaded by Tor users. Tor administrators have since flagged the node as a BadExit, meaning that Tor clients now know to avoid using the server.

Still, its presence on the network shows how Internet users are not immune to malicious downloads when using Tor, said Josh Pitts, security researcher at Leviathan Security Group who discovered the malicious node.

Tor is a network that allows users to browse the web anonymously. It uses a series of encrypted connections to route data packets in such a manner as to hide the true IP address of the person using the service. Instead of routing traffic via a direct path to a destination, Tor routes traffic through a series of servers distributed around the world with an exit node serving as the last server on the network before the public web. Between 1,100 and 1,200 servers currently serve as exit nodes on the Tor network.

Pitts discovered the malicious node while doing research on the threat to Internet security posed by unencrypted binary files. In a presentation at the DerbyCon security conference earlier this year, Pitts showed how binary files hosted without any transport layer security encryption on the web could be easily intercepted and tampered with when they are being downloaded.

According to Pitts, some 90% of the sites from which downloads are available do not use SSL/TLS encryption nor use digital signatures to prevent such tampering. As a result, hackers are likely inserting malicious code into binaries via man-in-the-middle attacks, Pitts had maintained at his DerbyCon presentation.

Pitts decided his best chance of catching binaries being maliciously tampered with during download was to look at traffic coming out of known Tor exit nodes. Using a tool called exitmap, Pitts checked the nodes for traffic modifications and quickly discovered the malicious server in Russia.

Though this was the only malicious node that Pitts discovered, it is quite possible there are other similar nodes. “I may not have caught them, or they may be waiting to patch only a small set of binaries,” Pitts said.

The key takeaway here is that binary files hosted in the clear without any digital signature pose a danger and should be avoided, he said in an email exchange.

“Companies and developers that host static, compiled binaries and source code need to host it via SSL/TLS so that nobody can patch them [maliciously],” he said.

Though such binaries pose a threat to everyone, Tor users need to pay particular attention, he said. Users should be especially careful about downloading Windows executables or raw binaries over Tor, he said.

“Tor is risky because you need to have good information security awareness when using it. Tor is not a beginner network. You need to have some sort of understanding that every exit node could be out to get you,” Pitts said.

The issue discovered by Pitts is not an indictment of Tor security or of the strength of its anonymity protocols. Even so, it is the second time in the past year that the Tor Project has been in the news over something similar. Last year, some people questioned whether the FBI had found a way to exploit a vulnerability in Firefox to disable Tor’s privacy protections.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including Big Data, Hadoop, Internet of Things, E-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, IL.

[DarkReading]
