New Indicators of Compromise for APT Group Nitro Uncovered

In mid-July of this year, we noticed yet another legitimate website had been compromised by APT actors and was serving malware. In this case, it was a group commonly referred to as “Nitro,” which was coined by Symantec in its 2011 whitepaper.

As we dug deeper, we found additional compromised legitimate websites and malware from the same group back through March of this year. In most instances, the malware is one commonly referred to as “Spindest,” though we also found “PCClient” and “Farfli” variants in use by the group. We don’t have enough data to say for certain that all of the malware in this blog was delivered via compromised legitimate websites.

Historically, Nitro is known for targeted spear phishing campaigns and using Poison Ivy malware, which was not seen in these attacks.  Since at least 2013, Nitro appears to have somewhat modified their malware and delivery methods to include Spindest and legitimate compromised websites, as reported by Cyber Squared’s TCIRT.  Our findings indicate they are continuing to evolve with the addition of PCClient and Farfli variants.  The Maltego screenshot below shows the activity we describe in this blog.

These events impacted at least the following industries, across four waves:

  • A US based IT Solutions provider;
  • The European office of a major, US based commercial vendor of space imagery and geospatial content;
  • A European leader in power technologies and automation for utilities and industry;
  • A US based provider of medical and dental imaging systems and IT solutions.

In July, Nitro compromised a South Korean clothing and accessories manufacturer’s website to serve malware commonly referred to as “Spindest.”  Of all the samples we’ve tied to this activity so far noted in this blog, this is the only one configured to connect directly to an IP address for Command and Control (C2).  This IP address has been in use by this group for some time, which is interesting since they have evolved other components of their kill chain over time to ensure malware delivery, but oddly not altered their C2 infrastructure. It is simple for companies to block any outbound traffic to this IP, which would negate the effort Nitro put into successfully delivering the malware.

37 AV vendors within VirusTotal properly identify it, and the PE timestamp shows the day before we saw it. In addition, the following three samples were found roughly a week apart from each other, possibly indicating the timing of the waves of activity.

Table 1

SHA256 0a1103bc90725d4665b932f88e81d39eafa5823b0de3ab146e2d4548b7da79a0
MD5 7915aabb2e66ff14841e4ef0fbff7486
File Name update.exe
File Size 106496
First Seen 2014-07-24 11:54:02
C2 IP 223.25.233.248

The next sample we found is commonly known as PCClient, which is not malware previously tied to this group.  We discovered this, and many of the following samples, through historic IP resolution overlap between the same domains alternately resolving to either the 223.25.233.248 or 196.45.144.12. The second IP has also not been reported as tied to this group before.  However, this shifting of IP resolutions back and forth indicates Nitro is in control of these domains. It also makes is fairly easy for any Infosec team to reach the same conclusion we did, which again negates their use both of a previously unreported domain and IP for C2, as well as a new family of malware. 25 AV vendors within VirusTotal properly classify this sample as malware.  Its PE timestamp was 8 July, almost a week prior when we first saw it.

Table 2

SHA256 8aef92a986568ba31729269efa31a2488f35920d136ab41cb6fce55fd8e0b4b7
MD5 7522baef20df95eeeeafdf4efe3aac3c
File Name lsm.exe
File Size 65536
First Seen 2014-07-15 11:48:33
C2 URL xenserver.ddns[.]net
Resolution 196.45.144.12

The next sample was another Spindest variant and had the same timestamp as the aforementioned PcClient sample.  In addition, Nitro chose to use the same C2 for this sample, making it easy to both find and tie to the group. 41 AV vendors within VirusTotal properly classify this sample as malware.

Table 3

SHA256 995bc16a5c2c212b57ba00c2376ac57c8032c7f2b1d521f995a5e1d49066d64d
MD5 6527ba8baab0f86b0ffb6178247772c4
File Name install_reader11_en_aaa_aih.exe
File Type PE
File Size 81920
First Seen 2014-07-09 16:31:26
C2 URL xenserver.ddns[.]net
Resolution 196.45.144.12

The next wave of activity we found took place in mid-May. Both samples were Spindest variants with the same PE timestamp of 15 May. While neither MD5s for C2 match, the aforementioned link to a post by Cyber Squared’s TCIRT did document Nitro using Spindest variants with the same file name starting late December last year. In that case they used the historic C2 IP we note in Table 1 in this blog. 34 AV vendors within VirusTotal properly classify the first sample as malware, and 40 AV Vendors the second sample.

Table 4

SHA256 e7f2af8c48f837da57000c068368d77bc9b06eba1e077edfab58df6aa2ea40ec
MD5 271e6a4d45c2817f86148ca413f97604
File Name mdm.exe
File Size 118784
First Seen 2014-05-20 08:43:15
C2 URL zipoo.redirectme[.]net
Resolution 196.45.144.12

Table 5

SHA256 e601da16f923b33465dbafbff9d47195e8fc50099fd0581a16a1745bf890afb6
MD5 be765cd5723e4366d35172aaf13fad44
File Name CitrixReceiverWeb.exe
File Size 135168
First Seen 2014-05-15 16:34:10
C2 URL zipoo.redirectme[.]net
Resolution 196.45.144.12

The malware dropped was configured to use good.myftp[.]org as the C2 URL, and the IP resolution was 223.25.233.248.  Both of these are known Nitro Indicators of Compromise (IOCs). In this case, the malware was a Farfli variant, again not a malware previously tied to this group. 39 AV vendors within VirusTotal properly identify the file as malware.  The PE timestamp on the file was 1 April, about two weeks before we saw the file. Continuing the activity, we discovered the actors had compromised a legitimate website belonging to an international technology company that provides Software Configuration and Change Management (SCCM) solutions in mid-May. (It is a well regarded company and partners with large companies such as Microsoft.)

Table 6

SHA256 184c083e839451c2ab0de7a89aa801dc0458e2bd1fe79e60f35c26d92a0dbf6a
MD5 ec519d709c0582346741fe0094208216
File Name update.exe
File Size 159744
First Seen 2014-04-15 01:13:14
C2 URL good.myftp[.]org
Resolution 223.25.233.248

The final sample, from mid-March, was also hosted on a compromised legitimate website, this time a small, US based IT company.  The IP resolved by the C2 URL was changed two days after we saw this file to overlap with good.myftp[.]org for a month before returning the below resolution. The filename matches that of the sample in Table 5, which had a very similar third level C2 domain and the same IP resolution. This is also a Spindest variant with a PE timestamp of the same day we saw it. 39 AV vendors within VirusTotal properly identify the file as malware.

Table 7

SHA256 ffbddfb536e8e604c880ec977d06f804a500fc0396899bd2c195fb1f5b74207a
MD5 a3b2e34973691ad320b70248bd67fbd2
File Name CitrixReceiverWeb.exe
File Size 192512
First Seen 2014-03-12 06:58:22
C2 URL zip.redirectme[.]net
Resolution 196.45.144.12

As this post and previous cited research show, APT groups such as Nitro will continue to evolve their techniques within the kill chain to avoid detection.  However, they also demonstrate the value of tracking these threats over time, as this allowed us to uncover and properly attribute the new IOCs because Nitro was still re-using old C2 infrastructure with their new malware.

For Palo Alto Networks customers, all of these files were properly identified by WildFire as malware and all of the C2 domains are labeled as threats in both Threat Prevention and URL Filtering systems.

[Source: Palo Alto Networks Research Center]

5 Truths of HIPAA Security Risk Assessment

Risk assessment should serve as the foundation for any Health Insurance Portability and Accountability Act (HIPAA) security compliance effort, and for that matter, the cornerstone for the overall information security program. Consider these five truths to help grasp the criticality of the security risk assessment to achieving and demonstrating HIPAA compliance:

  1. It is not optional. All organizations deemed covered entities or business associates under HIPAA are required to perform an accurate, thorough and periodic risk assessment in to demonstrate compliance with the HIPAA Security Rule. No matter the level of security employed, an organization cannot be compliant without a documented risk assessment. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments, and to implement reasonable and appropriate security measures to protect against anticipated threats or hazards to the security or integrity of electronic protected health information (e-PHI). Risk analysis is the first step in that process.
  2. It is not black and white. Risk analysis is generally a subjective undertaking, and there are a number of available risk frameworks that provide a methodical approach to complete a risk assessment. While the Office of Civil Rights has not outlined a prescriptive risk analysis framework, it has issued guidance that outlines essential elements of an acceptable risk assessment. In a nutshell, an organization must systematically identify and document: all electronic media touching e-PHI; all threats and vulnerabilities which could result in inappropriate access to or disclosure of the organization’s e-PHI; the implementation and effectiveness of security measures; and the determination of threat occurrence likelihood, impact, resulting risk level and risk mitigations.
  3. It is not easy. The Security Rule is comprehensive and inclusive of all e-PHI created, received, maintained or transmitted within the IT environment. A risk assessment cannot simply consist of a checklist, but must demonstrate the totality of systems inventoried in scope, e-PHI identified, and risk decisions. Also, the scope of the security risk assessment most often exceeds just electronic health records (EHR) application data, as it must cover all e-PHI maintained within other systems (consider legacy, shadow, and end-user systems).
  4. Documentation is key. All information considered, compiled and reviewed will form the basis for risk assessment and demonstrates the rationale for risk decisions. Documentation of data collection efforts, security controls evaluation, analytical procedures performed, and methodology for risk prioritization evidences a thorough and comprehensive risk assessment. Further, risk assessment documentation is a must if using control rationalization to demonstrate why an organization opts not to implement any HIPAA addressable controls.
  5. Build it into process. Organizations should continuously explore all areas of technology risk facing the business with an integrated risk analysis approach, including the implementation of new technologies and the ongoing management of central applications holding e-PHI. While an EHR application should have security controls embedded within, actual implementation of the EHR is critical, as is a secure integration into the overall IT infrastructure. It is imperative to consider security essentials, such as encryption and access controls, during design and implementation phases, and in subsequent changes and upgrades. An integrated risk analysis process enables the proactive identification of risks and facilitates timely risk management.

True risk assessment does not simply entail the completion of a compliance checklist that is locked away in a file cabinet until the auditor arrives. Comprehensive risk assessment must fully evaluate the relevant threats, vulnerabilities, risks and related controls over the security of all e-PHI, and all systems handling this sensitive data. Accurate risk assessment represents a worthy challenge to any organization, but done well, it pays dividends in the management of enterprise risk and demonstration of HIPAA compliance.

Gary Miller, CISA, CCSA, CIA, CISSP, CRMA, ITIL
Information Security Manager
Dell SecureWorks
gary_m@dell.com

Gary will discuss this concept at ISACA’s North America Information Security and Risk Management (North America ISRM)Conference this November, in his presentation titled, “HIPAA Security Risk Assessment.”

[Source: ISACA]

Side-step Shellshocks the “5+2” Way—3 Lessons for You

Security professionals were largely blindsided by Shellshock. Was there a process by which it could have been more easily found? Yes, 3 lessons can help business and IT leaders help their security teams get ahead—and protect the public from the attack of the high tech toaster oven.

Shellshock is a popular name for a new security exploit in the UNIX Bash shell (first released in 1989). One meaning of “Bash” is “Bourne again shell” where “Bourne” refers to the shell created by Steven Bourne in 1977 to replace an earlier shell. A “shell” provides a way—originally a command line—for a person to access operating system functions.

Lesson #1: Be “old school,” use what you know to ask “how?” and “why?”

Tech-savvy business and even IT leaders can feel intimidated by new tech. Yet, old school often helps. Shellshock attacks a code gap that seems to be over a decade old. Further, many people forgot that a key feature of the Bourne shell was scripting—similar to scripts for automating simple tasks in word processing and spreadsheet documents.

Scripting should ring a bell as one of the first tools used by hackers. That is why black hat newbies are called “script kiddies.” Script kiddies wanting to do damage with other scripting languages will easily find this group of scripting tools, even in dusty IT books.

The black hat systematic search for knowledge must be answered by your systematic race to find that knowledge first. Controls are the wrong tool for the job.

Lesson #2: Shell games and war games

“Shall we play a game?” You might have been puzzled by this question from Black Widow to Captain America in Captain America: The Winter Soldier (2014). If you are a film buff, you would remember the question in War Games (1983) posed by the nuclear missile computer to a young gamer played by Matthew Broderick.

The world was saved because Broderick’s character grasped how the code worked. This reminds us to know “how it works,” confirm old code is good code, and war game our way to prevention with the systems-aware 5+2 Risk Management Cycle. For more film lessons see, Managing Risk in Reel Time.

Lesson #3: Evaluate your environment and capabilities

Step 1 in the 5+2 Risk Management Cycle is “Evaluating Environment and Enterprise Capabilities.” Business leaders often say “Know your business!” For IT pros, it is “know your code,” including the environment variable.

Shellshock amplifies its power from how Bash can be tricked through the environment variable and a bit of scripting—black hats knew the system better than white hats.

The error in so many risk management processes is they skip steps—failing to use the 5+2 Risk Management Cycle to be systematic. This was a key point in the recent workshop at the ISACA San Francisco Chapter.

The 5 continual steps of the 5+2 Risk Management Cycle are:

  1. Evaluate the environment and enterprise capabilities—“Know the business.”
  2. Seek scenarios—rigorously ask, “What if?”—the heart of managing risk
  3. Watch for warnings
  4. Prioritize
  5. Improve position in environment and/or capabilities

The “+2” are about reacting to warning signs and recovering.

The 5+2 Risk Management Cycle applies to business strategy and product management as well as cyber war. Thus, business leaders can use a familiar approach to guide their IT teams.

We’ll be discussing this at the New York Metro Joint Cybersecurity Conference (7 October) and ISACA Curacao Chapter Conference (15-17 October). Join us. Together, we can make a difference.

Brian Barnier, ValueBridge Advisors, has served ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore. Brian@valuebridgeadvisors.com

[Source: ISACA]

Palo Alto Networks Again Revolutionizes Enterprise Security with the Introduction of Advanced Endpoint Protection Offering

Offers Preventative Approach to Stop Cyber Threats at the Endpoint

Palo Alto Networks Santa Clara, CA , Sep 30, 2014 at 5:00:00 AM
Santa Clara, Calif., September 30, 2014 – Palo Alto Networks® (NYSE: PANW), the leader in enterprise security, today announced the availability of Traps, a revolutionary and unique Advanced Endpoint Protection offering designed to prevent sophisticated cyber attacks on endpoints, sparing IT security teams from cumbersome remediation, patching, and often futile recovery scrambles.

Despite major advances in network security, endpoints remain vulnerable to many advanced attacks, especially as increasingly mobile workforces move outside protected enterprise networks.  Legacy endpoint security products require prior knowledge of a threat in order to prevent it, or worse, use an approach that only identifies a new threat after it has compromised the endpoint.

This reactive model results in a never-ending chase after the thousands of new malware attacks that emerge each day, as well as the expanding number of software vulnerabilities that can be used to exploit an endpoint.  These approaches offer little hope or possibility of recovering data that has already been hijacked by an attacker.  Putting an end to the reactive run around, Traps proactively prevents attacks on the endpoint, including unknown malware and zero-day exploits, before they do any damage.

QUOTES

  • “The key differentiator with Traps is its ability to automate the process of protecting the endpoint. Most of the products in the industry today largely deal with informing us that there’s a problem and little more; that leaves us to manually deal with the effort of remediating the endpoint, takes time and leaves us vulnerable.  With Traps, that is done automatically and it is done nearly instantaneously, which is a major win.”

— Golan Ben-Oni, CSO and SVP Network Architecture, IDT

  • “The proven effectiveness of the Traps endpoint capability over other heuristic and signature-based approaches, together with Palo Alto Networks WildFire and next-generation firewall, makes the secure enablement of our entire business possible.”

— Dr. Andres Rohr of RWE Supply & Trading

  • “With the introduction of Traps, we are redefining the endpoint security market much like we did the network security market with our next-generation firewall.  Traps and our platform as a whole are designed to revolutionize enterprise security by putting prevention front and center, closing the door on cyber threats before they can get in and cause damage.”

— Lee Klarich, senior vice president of Product Management at Palo Alto Networks

Since the acquisition of Cyvera and the technology behind Traps, Palo Alto Networks has expanded global support and services operations to meet enterprise customer needs, and completed several key enhancements, including:

  • Integration with Palo Alto Networks WildFire – Traps blocks malware by leveraging the full knowledge of Palo Alto Networks Threat Intelligence Cloud;
  • Added exploitation and malware prevention modules – extends Traps support to include the latest attack techniques; and
  • Enhanced forensics – provides a rich set of reporting for better visibility and understanding of attacks that were prevented.

Natively Integrated Platform Extends Protection Enterprise-wide

The integration of Traps with the Palo Alto Networks Threat Intelligence Cloud brings security of the network and endpoint together under a single common architecture, known as the Palo Alto Networksenterprise security platform, and delivers unparalleled enterprise-wide security and automated threat prevention capabilities, reducing risk across an organization at every stage in the attack kill chain.  It also eliminates management complexity and myopic point product-related security silos that can leave gaping holes in an organization’s security posture.

Availability 

Traps Advanced Endpoint Protection, offered as a subscription service, is available now from authorized Palo Alto Networks channel partners.  The offering is inclusive of all functionality including exploit prevention, malware prevention through WildFire integration, forensics, and premium support.

To learn more about Traps Advanced Endpoint Protection from Palo Alto Networks, visit:

About Palo Alto Networks

Palo Alto Networks is leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats.  Unlike fragmented legacy products, our security platform safely enables business operations and delivers protection based on what matters most in today’s dynamic computing environments: applications, users, and content.  Find out more atwww.paloaltonetworks.com.

Palo Alto Networks and the Palo Alto Networks Logo are trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names or service marks used or mentioned herein belong to their respective owners.

Media Contacts:
Jennifer Jasper Smith
Head of Corporate Communications
Palo Alto Networks
408-638-3280
jjsmith@paloaltonetworks.com

Bob Nelson
Voce Communications
408-201-2402
bnelson@vocecomm.com

The Time Has Come: Advanced Endpoint Protection is Here!

POSTED BY: on September 30, 2014 5:15 AM

FILED IN: Announcement, Cybersecurity, Endpoint, Mobility
TAGGED: ,

It’s not often a company has an opportunity to disrupt an entire industry…. twice.  When we introduced the first next-generation firewall back in 2007 we set out on a path to redefine the network security market.  Today, over 19,000 organizations rely on Palo Alto Networks to protect their networks against the most sophisticated, targeted attacks.

We take our responsibility to those organizations very seriously, and today we’re announcing an important next step: Advanced Endpoint Protection.  If we’ve learned anything from the recent round of breaches, it’s that endpoints remain highly vulnerable to attacks.  Even the most advanced network security architectures can’t protect against every threat vector.  And legacy endpoint security approaches that rely on prior knowledge of the threat, or active scanning, are simply ill equipped to protect organizations from this new era of attacks.

Today marks the official launch of Traps, an Advanced Endpoint Protection solution that truly tears the covers off traditional approaches and exposes them for what they are: misguided attempts at addressing a very real problem.  This isn’t just a product launch. This is the beginning of a new market: a market defined by its ability to turn the tides and rebuild lost confidence, and a market grounded on the principle that attacks can be prevented.

This new Advanced Endpoint Protection market will be defined by solutions that can deliver on the following:

  • Must be able to prevent all exploits, including those utilizing unknown zero-day vulnerabilities
  • Must be able to prevent all malware, without requiring any prior knowledge
  • Must provide detailed forensics against prevented attacks to strengthen all areas of the organization by pinpointing the target and techniques used
  • Must be highly scalable and lightweight to seamlessly integrate into existing operations with minimal to no disruption
  • Must integrate closely with network and cloud security for quick data exchange and cross-organization protection

Carry this list in your back pocket.  As you consider the different approaches to endpoint security we hope you evaluate the underlying technology against these five criteria.  And of course we hope you take the time to evaluate Traps and see for yourself how we’ve delivered not only one of the most advanced approaches in the market, but also one that integrates natively into our Enterprise Security Platform.

 

[Source: Palo Alto Networks]

ISACA International President: Ongoing Diligence is Key to Address Vulnerabilities Such as the One in Bash

Diligence may not be the most exciting items on our to-do lists, but it is a time-honored practice and should be a staple. This thought rises to the top as we read news reports about the security vulnerability in the Bourne Again Shell (Bash), which is now being referred to by many as Shellshock.

Some experts counsel that the impact of this vulnerability will only be moderate and that patches will be applied appropriately. At the same time, the potential severity of this vulnerability is high—it could allow hackers to take control of affected systems, thus allowing unauthorized disclosure of information, unauthorized modification and disruption. In addition, its severity is ranked as 10, while its complexity is considered low, which might not make it a “perfect” storm but at least a “close-to-perfect” storm.

I think we all agree that our future will contain many more vulnerabilities, bugs and other incidents with varying repercussions. Human error, changing times and needs, updates to technology and the ever-present desire in some people to cause havoc will ensure that we are all kept on our toes. A combination of planning, reviewing, monitoring and ongoing diligence is needed so we can be both proactive and prepared for rapid response when needed.

Diligence includes frequently reinforcing that processes and techniques must be in place to ensure that systems are appropriately patched and upgraded. This needs to be extended to the supply chain, including vendors and partners. We need to monitor complex interconnected environments to ensure that devices in manufacturing lines and elsewhere are maintained. Penetration testing is critical and should be regularly undertaken to ensure entry points to the organization are secure and monitored. Security awareness programs should be reviewed to ensure they are thorough, updated and—even more important—exist.

The fact remains that we will never be able to entirely prevent cyber incidents. The only secure machine is the one in the box not yet connected to a network. And even then it is subject to physical theft. If steps aren’t taken, though, the impact is potentially catastrophic—harm to people, compromised systems, lost data/intellectual property/revenue and perhaps even an end to the business. This is one reason ISACA offers the Cybersecurity Nexus (CSX), which provides cybersecurity guidance, career development, education and community for professionals at every stage of their careers.

There was a time, not that many years ago, that security was not a primary issue. Many programs and systems were vulnerable to hacking, and it was still assumed that they were still safe. We now know better.

Robert E Stroud, CGEIT, CRISC
International President of ISACA

[Source: ISACA]

English
Exit mobile version