How To Protect Yourself From the Latest CTB-Locker Campaign

CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on the victim’s endpoints and demand a ransom payment in exchange for decrypting the files back to their original state. Earlier this week we detailed a new CTB-Locker campaign and why legacy security products won’t protect enterprise networks.

In this blog post we will detail how to protect yourself from CTB-Locker, even if you aren’t protected by Palo Alto Networks next-generation enterprise security.

Since our first blog post on the campaign, here are some updates:

  • We discovered another campaign that started on January 21; the malicious sites it used are listed a few paragraphs below.
  • Across four campaigns spanning at least three months, the attackers reused the IPs 213.186.33.4 and 213.186.33.19 in three of the four. The other servers appear to have been used in a single campaign each.
  • Six of the 20 malicious sites we’ve identified are still live as of this posting; here is one of them:

There are two possible scenarios for sites like this:

  1. The attackers have gained unauthorized access to those servers or specific websites and planted their C&C inside a legitimate website.
  2. The attackers bought this website and have added what appears to be “legit” content to disguise its real purpose.

User Awareness

Here are some things to watch out for:

  • The icon below was used by the attacker against at least two of our protected customers. (Of course, the attacker can easily change it.)

  • A suspicious file extension such as .SCR is almost always malicious, especially when the file arrives from an unknown sender. A .SCR file is a Windows executable (a screensaver is just a renamed .EXE), so it runs regardless of the icon it displays.

New IOC

  • Additional mutex: 93031785
  • Full server list (you can block traffic to these sites on port 443):

  • The latest campaign is still going on; we have just discovered about 70 new hashes, please see the attached .csv file.
  • One sample from the newest campaign, named “industriestr_3-7_49832_freren.scr” and served from the joefel.com site, is unknown to VirusTotal. SHA256: 614f3d7ef084f12e9034f3723a8016783ced90240c0425fc9fc2324e7d1b5d2e
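As an added example (not code from the Palo Alto Networks post), here is how the indicators listed above can be matched against local data: the two reused C2 addresses against a firewall log, the published SHA256 against file contents, and the .scr extension against attachment names. The firewall log layout, the sample log lines and the attachment names are constructed for this example, and the function names are ours; the mutex is a host artefact that needs a process-level check and is not covered here.

```python
"""Added example, not code from the Palo Alto Networks post: matching the
CTB-Locker indicators listed above (the two reused C2 IPs, the SHA256 of the
joefel.com sample and the .scr attachment extension) against local data.

Assumptions, labelled here: the firewall log layout, the sample log lines and
the attachment names are constructed for this example; the function names are
ours."""
import hashlib
import re
from typing import Iterable, List, Tuple

# Indicators taken from the post above.
C2_IPS = {"213.186.33.4", "213.186.33.19"}
KNOWN_BAD_SHA256 = {
    "614f3d7ef084f12e9034f3723a8016783ced90240c0425fc9fc2324e7d1b5d2e",
}
# A .scr file is a Windows PE executable with a screensaver extension; the
# icon it shows is chosen by the attacker, so the extension is what to check.
# Assumption: a short list of executable extensions suffices for the example.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com")


def suspicious_attachment_name(name: str) -> bool:
    """True when the final extension is executable.  Lower-cases the name and
    looks only at the last extension, so 'Invoice.PDF.SCR' and 'report.scr '
    are caught while 'report.pdf' is not."""
    lowered = name.strip().lower()
    return lowered.endswith(EXECUTABLE_EXTENSIONS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """Exact-hash match against the post's SHA256; a recompiled sample will
    have a different hash, so this catches only that one build."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


# Assumed firewall log layout for the example:
#   <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample lines (not real traffic); the first and third reach the
# post's C2 addresses, the second is unrelated HTTPS traffic.
SAMPLE_LOG = [
    "2015-01-28T10:01:02 src=10.0.0.5 dst=213.186.33.4 dport=443 action=allow",
    "2015-01-28T10:01:03 src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow",
    "2015-01-28T10:01:04 src=10.0.0.7 dst=213.186.33.19 dport=80 action=allow",
]


def c2_connections(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, dport) for every connection to a known C2 address.
    The post recommends blocking port 443 to these hosts; a hit on any other
    port is still worth investigating, so the port is reported, not filtered."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in C2_IPS:
            hits.append((m.group("src"), m.group("dst"), m.group("dport")))
    return hits


if __name__ == "__main__":
    for name in ("industriestr_3-7_49832_freren.scr", "Invoice.PDF.SCR", "report.pdf"):
        print(name, "->", "suspicious" if suspicious_attachment_name(name) else "ok")
    for src, dst, dport in c2_connections(SAMPLE_LOG):
        print(f"{src} connected to C2 {dst}:{dport}")
```

The extension check deliberately looks only at the last extension, since the double-extension trick (“invoice.pdf.scr”) is the usual way a .scr is disguised; the hash check is exact, so it will not match a rebuilt sample from the same campaign, which is why the network indicators carry more weight over time.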

Conclusion

Earlier this week we identified new CTB-Locker campaigns. Palo Alto Networks Enterprise Security Platform protects from CTB-Locker in a way legacy security solutions can’t.

The above data should help in identifying and understanding CTB-Locker a bit better, but these are temporary solutions. Solving this endless cat-and-mouse game means upgrading to next-generation security. Learn more about Palo Alto Networks Enterprise Security Platform here.

[Palo Alto Networks Blog]

What Makes Advanced Malware So Scary?

Malware is code that is written to accomplish a malicious purpose. In most cases the malware also has the ability to spread or infiltrate other systems or programs. Sometimes the malware’s purpose is just to show off the author’s hacking prowess, but more recently the purpose has typically been to make money, steal information or cause damage. In some cases, the scope of the malicious intent and damage has been to such an extent that we call it cyberterrorism or cyberwarfare. Think of the recent attack on Sony, which appears to have been prompted by the film The Interview.

Over the years, types of malware have often been given colorful and even scary names. Viruses, worms and Trojan horses were terms coined in the 1980s for various types of malicious code. More recently, we have described certain attacks as advanced persistent threats (APTs) and advanced malware. Advanced malware tends to be targeted, stealthy, evasive and adaptive. This contrasts with previous types of malware, which generally tried to spread to as many programs or systems as possible, often in an indiscriminate and “noisy” fashion.

The US National Institute of Standards and Technology (NIST) defines the advanced persistent threat behind such malware as follows:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

The definition is a bit heavy, but completely in line with the concept that advanced malware has a clear “who” behind it that is writing the code to attack a specific target and carry out a specific mission. The attack is likely to be against a targeted enterprise or even certain individuals like systems administrators within an enterprise. Moreover, the malware is likely to be multipronged with a variety of different ways and techniques to infiltrate a system and extract the desired information. It can be patient and wait for some time before attacking. Also, it will adapt to conditions and try different methods automatically.

Finding and blocking this type of code can be difficult for traditional antivirus software because chances are the attack will never have been seen before. This means that no antivirus signature will have been created for the malware. Behavior blocking and reputation-based antivirus techniques might be somewhat effective. For instance, since the malware will likely try to extract and send confidential data somewhere, that type of unusual behavior might be discoverable and blocked. However, the people creating advanced malware are likely to test their creations’ evasive and stealth capabilities against most popular antivirus and security products.

So who writes this stuff? While individual hackers might write advanced malware, more often it is the product of dedicated teams from nation states, organized crime groups or terrorist organizations. Advanced malware is built and tested with a degree of professionalism and dedication similar to that found in legitimate software product teams.

Scared? You’re not alone. In a recent ISACA survey, one in five respondents said their organization has already experienced an APT attack, 66 percent believe it is only a matter of time before their organization is hit by one, and 92 percent believe that APTs are a serious threat.

So what can an organization do to protect against advanced malware? Improved training and multiple layers of security are clearly part of the answer, and ISACA’s Cybersecurity Nexus (CSX) has a helpful guide on the subject available.

I also discussed the reality of advanced malware in an article for Processor. Read the full article here.

Rob Clyde, CISM
CEO, Adaptive Computing

[ISACA]

Hotel Wi-Fi May Not Be the Most Secure Way to Surf

Forget the hotel Wi-Fi. Now that the Federal Communications Commission is cracking down on hotels and other businesses trying to force you to use their networks, it’s time to consider a more secure way to connect to the Internet.

The FCC warned businesses Tuesday that Wi-Fi blocking violates the Communications Act, and it’s an illegal move that it will be “aggressively investigating.”

“Protecting consumers from this kind of interference is a priority area for the FCC enforcement bureau,” said Chairman Tom Wheeler in a statement.

Wi-Fi blocking made headlines last October, after Marriott International agreed to pay a civil fine of $600,000 to resolve such an FCC probe. The investigation found that employees at Marriott’s Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, had prevented guests from connecting to the Internet via their own Wi-Fi hotspots, while charging them for access to the hotel’s network.


According to the American Hotel and Lodging Association, just 11 percent of hotels charge for in-room Internet access, down from 23 percent in 2012. Fees can vary widely, with prices starting as low as $4 per day, or ranging up to $25 as part of a broader resort fee.

Some properties offer basic access for free, with a charge for more bandwidth; at Marriott, Rewards club members get free basic access and can pay $5 to $7 per day, depending on the market, for premium access.

The hotel group later petitioned the FCC for the ability to block guests’ personal Wi-Fi. “Marriott has a strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyberattacks and identity theft,” it said in a statement after the October ruling.

But after criticism from guests as well as companies including Google and Microsoft, the hotel group backtracked earlier this month and said it would not block guests’ access.

Security experts say the FCC’s reinforcement of consumer choice bodes well for those looking to keep their data secure. “Any time you’re connecting to a public network, whether it’s in a coffee shop, a bookstore or a hotel, there are some basic things you need to think about,” said Geoff Webb, senior director of solution strategy for security management firm NetIQ. Namely, whether there’s someone else with malicious intent using the same network to grab some of the data you’re transmitting.

“A lot of these connections are relatively secure,” he said. But “there’s a risk that you don’t know who’s listening in.”


More hotels are expected to offer free Wi-Fi to guests this year. Marriott began offering all Rewards club members basic free Wi-Fi earlier this month, with elite members getting a faster connection. Starwood Hotels & Resorts and Hyatt Hotels also have plans to expand free Wi-Fi access for guests this spring.

Consumers planning to use one of those hotel or other public networks could benefit from a virtual private network, or VPN, said Ryan Olson, Unit 42 intelligence director for security firm Palo Alto Networks. VPNs encrypt all data going to or from your computer, helping protect you from anyone eavesdropping.

Plenty of companies offer that protection for traveling employees to secure business communications; consumers can sign up for free or low-cost VPN services such as Hotspot Shield Elite, proXPN or VPN Direct.

A better option might be the one that businesses have tried to block: Turning your phone into a personal hot spot to connect a laptop or other device to the Internet. (The logistics and cost will depend on your device, wireless carrier and data plan.) If you configure the connection securely, “those are definitely a better choice,” said Luke Klink, a security programs strategy consultant for Rook Security.


If you must use a public Wi-Fi network, make sure you have the right one. “There are tools out there that [hackers] can use to create access points that look just like the one you’re trying to get onto,” said Klink. Ask a hotel or coffee shop employee for the right network name and password to avoid joining a like-named rogue that will capture all the data you transmit.
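As an added example (not code from the CNBC article), the following heuristic pass over Wi-Fi scan results shows what a look-alike access point of the kind Klink describes can look like from the client side. The scan text is constructed for the example in a tab-separated layout (SSID, BSSID, security, with “--” meaning open); the hotel network name and the BSSIDs are invented, and the function names are ours.

```python
"""Added example, not code from the CNBC article: a heuristic pass over Wi-Fi
scan results to spot an access point posing as the network you expect.

Assumptions, labelled here: the scan text is constructed for the example in a
tab-separated 'SSID<TAB>BSSID<TAB>SECURITY' layout ('--' meaning open); the
hotel network name and the BSSIDs are invented; function names are ours."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed scan (not real data).  Two WPA2 APs share the hotel's SSID,
# which is normal for a multi-AP deployment; the third 'HotelGuest' entry is
# open, and 'Hotel Guest Free' is a near-duplicate name.
SCAN = """\
HotelGuest\t00:11:22:33:44:01\tWPA2
HotelGuest\t00:11:22:33:44:02\tWPA2
HotelGuest\t66:77:88:99:aa:bb\t--
Hotel Guest Free\tde:ad:be:ef:00:01\t--
CoffeeShop\t00:aa:bb:cc:dd:ee\tWPA2
"""

OPEN = "--"


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Split the assumed tab-separated layout into (ssid, bssid, security)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security = line.split("\t")
        rows.append((ssid, bssid.lower(), security))
    return rows


def normalize(ssid: str) -> str:
    """Collapse case, spaces and punctuation so 'Hotel-Guest' == 'hotelguest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def suspicious_access_points(scan_text: str, expected_ssid: str) -> List[Tuple[str, str, str]]:
    """Return (ssid, bssid, reason) for APs worth avoiding.

    Multiple BSSIDs under one SSID are not flagged on their own: a hotel
    floor plan produces exactly that.  What is flagged is an open AP sharing
    a name with an encrypted network, and any name that is a near-duplicate
    of the one you were told to join."""
    by_ssid: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ssid, bssid, security in parse_scan(scan_text):
        by_ssid[ssid].append((bssid, security))

    findings = []
    # 1. Same SSID, mixed security: the open one is the odd one out.
    for ssid, aps in by_ssid.items():
        if len({sec for _, sec in aps}) > 1:
            for bssid, sec in aps:
                if sec == OPEN:
                    findings.append((ssid, bssid, "open AP sharing an SSID with an encrypted network"))

    # 2. Names that normalize to, or contain, the expected name.
    target = normalize(expected_ssid)
    for ssid, aps in by_ssid.items():
        if ssid == expected_ssid:
            continue
        if target and target in normalize(ssid):
            for bssid, _ in aps:
                findings.append((ssid, bssid, "name resembles the expected network"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in suspicious_access_points(SCAN, "HotelGuest"):
        print(f"{ssid!r} {bssid}: {reason}")
```

This is a heuristic, not a proof of safety: an attacker can clone the SSID and the security type exactly, and nothing in a scan distinguishes that clone from the real thing, which is why the VPN advice above still applies even when the network name checks out.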

Regardless of how secure you think the connection is, use caution when surfing anywhere that’s not home or work, said Olson. Skip online banking and other financial transactions, and avoid sending sensitive documents and emails. “If all you’re going to do is watch Netflix, that’s fine,” he said.

[CNBC]

Data Privacy Day: How ISACA Will Advance Privacy Best Practices in 2015

Today marks Data Privacy Day, and ISACA is proud to be a champion of this initiative. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. The debate over privacy seems to have shifted to a larger discussion about new types of personal information, such as location information, browsing history, Internet of Things data, individual rights and enterprise use of personal data. This expanding debate results from the proliferation of technologies, opportunities for enterprises to gain value by leveraging new data items and government’s interest in e-government initiatives. This includes taking action to protect citizens and promoting the economic opportunities that personal data use brings. The volume of personal, and often sensitive, data being collected and shared by organizations today is growing exponentially—largely because of technology advances, lower data storage costs, the rise of the Internet of Things and the emergence of major data brokerage companies.

Currently, there is a global set of privacy principles in the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013). In the last couple of years, the principle of accountability has received renewed attention as a means to promote and define organisational responsibility for privacy protection.

To help the global community implement a corresponding privacy management program, ISACA created a Privacy Guidance Task Force. Its first task was to conduct a survey regarding enterprises’ privacy governance structures and how various privacy issues and concerns are addressed. Clearly, one of the main obstacles is the complex international legal and regulatory landscape. While everybody may agree on the principles, their implementation through laws and/or regulation differs across the world and, in some cases, within the same country, by state and industry sector. Business can only try to influence lawmakers to harmonize their positions, and that will be difficult as privacy is a cultural issue. ISACA’s survey was recently conducted, and results will be published in the near future.

Enterprises need to embed privacy as an integral component of their overall governance, risk management and compliance (GRC) frameworks. Embedding privacy into GRC frameworks requires a holistic approach. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information.

As a result, the next Task Force action is to create practical guidance explaining how the COBIT 5 enablers may be used for implementing privacy in practice. It will provide specific guidance related to all enablers:

  1. Information privacy policies, principles and frameworks
  2. Processes, including personal data privacy—specific details and activities
  3. Privacy-specific organisational structures
  4. In terms of culture, ethics and behaviour, factors determining the success of privacy governance and management
  5. Privacy-specific information types for enabling information security governance and management within the enterprise
  6. Service capabilities required to provide privacy and related functions to an enterprise
  7. People, skills and competencies specific for privacy

This will constitute a framework that can be tailored to any organization. Large companies with locations in multiple jurisdictions may need to consider different internal oversight mechanisms than small or medium sized companies with a single establishment. Similarly, programs for companies that deal with large volumes of personal data will need to be more comprehensive than those of companies who handle only limited amounts of personal data. The sensitivity of the data processed may also impact the nature of a privacy management program, as even a very small company may handle extremely sensitive personal data.

With the survey and practical guidance targeted to be published in 2015, ISACA will continue on its mission to contribute effectively to the promotion of privacy and data protection best practices.

Yves LeRoux, CISM, CISSP
Principal Consultant at CA Technologies

[ISACA]

The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

The Cybersecurity Canon is official, and you can now see our website here. We modeled it after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have 20 books on the initial candidate list but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Remember: public Internet voting begins on February 1, and your vote counts!

Book Review: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter

Executive Summary

Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public back in 2010, but none have come close to telling the complete story. In Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, Kim Zetter changes that situation. She takes an extremely complicated subject in terms of technical detail, political fallout and philosophical conundrums and makes it easy for the security practitioner to understand. It is a masterful bit of juggling and storytelling. It is Cybersecurity Canon-worthy and you should have read it by now.

Introduction

Kim Zetter has been at Wired Magazine since 2003 and has become one of the cybersecurity community’s go-to journalists to explain what is really happening within the space. When I heard that she was writing a book about the Stuxnet attacks, I was thrilled. I knew if anybody could take on this complicated subject, Zetter could.

One of the annoying truisms of keeping up with cybersecurity events in the news is that journalists rarely go back and attempt to tell a complete story. When cybersecurity events occur – like the Target breach, the Sony breach, and the Home Depot breach, to name three – news organizations print the big headlines initially and then trickle out new information over the next days and weeks as it becomes available. For cybersecurity professionals trying to remain current, we rarely get the opportunity to see the big picture in one place. We are not going to get that kind of story in a news article. You need a book to cover the detail, and there have been some good ones in the past. Mark Bowden’s Worm – about the Conficker worm and the cabal that tried to stop it – is one good example. The Cuckoo’s Egg – about the first publicly documented cyber espionage attack back in the late 1980s – is another. Zetter’s book, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, is the latest in this line and it is really good.

The Story

Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public back in 2010, but none have come close to telling the complete story.

In June 2012, David Sanger published an article in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz. Sanger followed that article, along with others, with his book, Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power.

In both the articles and the book, he gave details about the cyber operation called Operation Olympic Games that I consider to be the first act of cyber warfare in the world. But because the story was so new and so complicated, many of the technical details surrounding the attacks did not fully emerge until well after Sanger published his book. I have tried to keep up with the story myself over the years and even presented versions of it at DEFCON and RSA, based on the information available. But I do not have the journalistic chops to tell the complete story and this is where Zetter’s book shines.

Where Sanger’s book focused on the US foreign policy implications of offensive cyber warfare using government insiders as the main source, Zetter’s book fills in the technical story behind the attacks by interviewing everybody in the public space that was involved in unraveling the Stuxnet mystery. Zetter writes clearly and succinctly about the timing of key researchers discovering new facts, describes how the researchers determined when the attackers first used key pieces of the attack code and then feathered those technical events with what was happening in the political arena at the same time. It is a masterful bit of juggling and storytelling.

The Code

Because of Countdown to Zero Day, we now have a complete picture of how the attack code worked. Zetter goes into great detail about how the malware proliferated within the Iranian enrichment plant at Natanz and after it escaped into the wild. She puts to bed the question of how many zero-day exploits the attackers used across the complete code set, what they were and how effective each was. She covers all of the related malware, from Stuxnet to Duqu, Flame and Wiper. She even covers some of the tools of the trade the researchers used to decipher the code base.

SCADA

In Countdown to Zero Day, Zetter explains the significance of the critical and mostly unsecured SCADA (Supervisory Control and Data Acquisition) environments deployed in the US today. These systems control the flow of power, water and gas in the US and throughout most of the world. According to Zetter,

“There are 2,800 power plants in the United States and 300,000 sites producing oil and natural gas. Another 170,000 facilities form the public water system in the United States, which includes reservoirs, dams, wells, treatment facilities, pumping stations, and pipelines. But 85 percent of these and other critical infrastructure facilities are in the hands of the private sector, which means that aside from a few government-regulated industries—such as the nuclear power industry—the government can do little to force companies to secure their systems.”

In my experience, the SCADA industry has always been at least 10 to 15 years behind the rest of the commercial sector in adopting modern defensive techniques. From Zetter,

“Why spend money on security, they argued, when none of their competitors were doing it and no one was attacking them?”

The significance of that statement becomes obvious when you realize that the same kinds of Programmable Logic Controllers or PLCs that the US exploited to attack Iran are deployed in droves to support the world’s own SCADA environments.  The point is that if the US can leverage the security weaknesses of these systems, then it is only a matter of time before other organizations do the same thing and the rest of the world is no better defended against them than the Iranians were.

(And by the way, Palo Alto Networks expert Del Rodillas has done plenty of strong analysis into securing ICS and SCADA networks and what it’s going to take to protect these specialized networks going forward. Go here to read some of Del’s thoughts.)

The Philosophical Conundrum

In a broader context, Countdown to Zero Day highlights some philosophical conundrums that our community is just now starting to wrestle with. We have known about these issues for years but Zetter’s telling of the story makes us reconsider them. Operation Olympic Games proved to the world that cyber warfare is no longer just a theoretical construct. It is a living and breathing option in the utility belt for nation states to use to exercise political power. With Operation Olympic Games, the US proved to the world that it is possible to cause physical destruction of another nation state’s critical infrastructure using nothing but a cyber weapon alone. With that comes a lot of baggage.

The first conundrum is the intelligence dilemma. At what point do network defenders stop watching adversaries misbehave within their networks before they act to stop them?  By acting, we tip our hand that we know what they are about. This will most likely cause the adversary team to change their tactics. Intelligence organizations want to watch adversaries as long as possible. Network defenders only want to stop the pain. This is an example of classic Information Theory. I first learned about Information Theory when I read about the code breakers at Bletchley Park during WWII. Because the allies had broken the Enigma cipher, the Bletchley Park code breakers collected German war plans before the German commanders in the field received them. But the Allies couldn’t act on all of the information because the Germans would become suspicious about the broken cipher. The Allies had to pick and choose what to act on. This is similar to what the Stuxnet researchers were wrestling with too. Many of them had discovered this amazing and dangerous new piece of malware. When do they tell the world about it?

The next conundrum involves the national government and vulnerability discovery. Zetter discusses the six zero-day exploits used by Operation Olympic Games in the attacks against Iran. That means that the US government knew about at least six high-impact vulnerabilities within common software that the entire nation depends upon and did nothing to warn the nation about them. If another attacker decided to leverage those vulnerabilities against the US critical infrastructure in the same way that the US leveraged them against Iran, the results could have been devastating. The nation’s ethical position here is murky at best, and added to that is the well-known practice of the private sector selling zero-day exploits to the government. Should the government even be in the business of buying weapons grade software from private parties? Zetter offers no solutions here but she definitely gives us something to think about.

Conclusion

Zetter fills in a lot of holes in the Stuxnet story. In a way, it is a shame that it has taken five years to get to a point where the security community can feel like we understand what actually happened. On the other hand, without Zetter putting the pieces together for us, we might never have gotten there. I have said for years that the Stuxnet story marked the beginning of a new era for the cybersecurity community. In the coming years, when it is common practice for nation-states to lob cyber-attacks across borders with the intent to destroy other nations’ critical infrastructure, we will remember fondly how simple defending the Internet was before Stuxnet. Zetter’s book helps us understand why that is possible. She takes a complicated subject and makes it easy to understand. It is Cybersecurity Canon-worthy and you should have read it by now.

[Palo Alto Networks Blog]
