Newest CTB-Locker Campaign Bypasses Legacy Security Products

Introduction

CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on victims’ endpoints and demand a ransom to restore them, but most antivirus engines misidentify it as CryptoLocker (only one vendor correctly labels it CTB-Locker). The attack vector is very basic and repeats itself: it begins with a spear-phishing email carrying a double-zipped .SCR attachment. Once the user executes it, the first-stage malware downloads and runs the ransomware from a fixed, hardcoded list of servers.

The Origins

The first known campaign was launched in November 2014. The first stage downloaded the ransomware from these sites:

  • pubbliemme.com (5.134.122.150)
  • agatecom.fr (213.186.33.19)
  • n23.fr (213.186.33.4)
  • baselineproduction.fr (213.186.33.4)

The Attack: A Legacy Nightmare

A very serious campaign was launched between January 19 and January 20, 2015, and Palo Alto Networks Enterprise Security Platform has discovered more than 1000 unique attacks since. The attacker used a polymorphic malware builder to generate a sample with a unique hash for each victim, preventing signature-based solutions from detecting the new attacks before it was too late for the victim. This tactic is a nightmare for legacy security products that rely on techniques such as byte signatures: they can only detect an attack after the damage is done, instead of preventing it as a true preventive solution should.
Palo Alto Networks Enterprise Security Platform offers multilayer protection that prevents this attack, along with others, without prior knowledge of the specific attack.

Some IOCs and statistics

  • breteau-photographe.com (213.186.33.150)
  • voigt-its.de (188.93.8.7)
  • maisondessources.com (213.186.33.19)
  • jbmsystem.fr (213.186.33.3)
  • pleiade.asso.fr (213.186.33.19)
  • scolapedia.org (213.186.33.19)

We can see here that the server hostnames were changed but the server IP addresses were not; see the attached file with VirusTotal results for the files from last week’s campaign. Most legacy security programs could not detect this malware at the time it was posted. If you re-test last week’s hashes today you will see an average of 49/57 engines detecting the threat, but that is too little, too late for anyone who has already lost data.

The new (currently ongoing) campaign

This campaign started earlier today, and the malware uses the same techniques and even the same IOCs:

  • same mutex name: wuqntwklyxwhac
  • same job name: cderkbm.job

And only added two new hostnames:

  • joefel.com (64.71.33.177)
  • m-a-metare.fr (213.186.33.4) – same IP as before.

By now you shouldn’t be surprised that one of them sits on the same known malicious IP address. We found 147 new unique pieces of malware today alone, two of them fully undetected by the legacy security solutions on VirusTotal and most of the rest detected by only one vendor (a few reach a 4/57 detection rate).

See below:

So basically you have two choices:

  1. Update hashes every week and pray (see the hash list section; we’re happy to help those still trapped using legacy solutions), or
  2. Implement next generation security products that can actually prevent this from happening.

IOCs for the latest campaign

The most surprising fact about this campaign is that almost all the IOCs haven’t been changed:

  • Same mutex name: wuqntwklyxwhac
  • Same job name: cderkbm.job
  • New IOC: additional mutex name – 87281673

For those still using legacy solutions we’ve attached two lists of SHA256 hashes in a text file format for reference. One list shows the new campaign, which continues to progress. The other list is of last week’s campaign by the same attackers (exhaustive or close to it).
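The indicators above are only useful if someone actually sweeps for them, and the post’s own observation (hostnames rotate, the server IPs do not) tells you what to sweep on. The following is an added example, not code from the Palo Alto Networks post: it checks proxy log lines and endpoint artefacts against the hostnames, IPs, mutex names and job name listed in this article. The indicator values are the post’s own; the log format, the log lines and the endpoint records are constructed for the example.

```python
"""Sweep proxy log lines and endpoint artefacts for the CTB-Locker IOCs.

Added example; not code from the original post. The hostnames, IPs, mutex
names and job name are the indicators the post lists. The log format, the
log lines and the endpoint records are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Network indicators from the post (November 2014, January 2015 and the
# "new" campaign). Several hostnames share one IP, which is the point:
# hostnames rotate, servers do not.
IOC_HOSTS = {
    "pubbliemme.com", "agatecom.fr", "n23.fr", "baselineproduction.fr",
    "breteau-photographe.com", "voigt-its.de", "maisondessources.com",
    "jbmsystem.fr", "pleiade.asso.fr", "scolapedia.org",
    "joefel.com", "m-a-metare.fr",
}
IOC_IPS = {
    "5.134.122.150", "213.186.33.19", "213.186.33.4", "213.186.33.150",
    "188.93.8.7", "213.186.33.3", "64.71.33.177",
}
# Endpoint indicators from the post.
IOC_MUTEXES = {"wuqntwklyxwhac", "87281673"}
IOC_JOBS = {"cderkbm.job"}

# Constructed log format: "<timestamp> <client-ip> <server-ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    record_no: int
    kind: str        # "host", "ip", "mutex" or "job"
    indicator: str   # the IOC that matched
    detail: str


def host_matches(hostname: str) -> Optional[str]:
    """Return the IOC domain if hostname is that domain or a subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if hostname == ioc or hostname.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Report each line once: by hostname if known, otherwise by server IP.

    An IP-only hit is the case the post describes (new hostname, same
    server) and is what a hostname or hash blocklist alone would miss.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; skip
        hostname = urlsplit(m["url"]).hostname or ""
        ioc = host_matches(hostname)
        if ioc:
            hits.append(Hit(n, "host", ioc, f"{hostname} -> {m['dst']}"))
        elif m["dst"] in IOC_IPS:
            hits.append(Hit(n, "ip", m["dst"], f"new host {hostname} on known IP"))
    return hits


def scan_endpoint(artifacts: Iterable[Tuple[str, str]]) -> List[Hit]:
    """artifacts are (kind, name) pairs, e.g. ("mutex", name) from a handle
    listing or ("job", filename) from %WINDIR%\\Tasks. Only the final path
    component is compared, case-insensitively, so
    "\\BaseNamedObjects\\wuqntwklyxwhac" still matches.
    """
    hits = []
    for n, (kind, name) in enumerate(artifacts, 1):
        key = name.lower().split("\\")[-1]
        if kind == "mutex" and key in IOC_MUTEXES:
            hits.append(Hit(n, "mutex", key, "CTB-Locker mutex present"))
        elif kind == "job" and key in IOC_JOBS:
            hits.append(Hit(n, "job", key, "CTB-Locker scheduled job present"))
    return hits


# Constructed sample data: one known host, one clean line, one brand-new
# hostname served from a known IP, one unparseable line.
SAMPLE_LOG = [
    "2015-01-27T09:12:01Z 10.0.0.15 213.186.33.19 GET http://www.scolapedia.org/img/a.png",
    "2015-01-27T09:12:09Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html",
    "2015-01-27T09:13:44Z 10.0.0.22 213.186.33.4 GET http://some-new-site.example/dl.exe",
    "not a log line",
]
SAMPLE_ENDPOINT = [
    ("mutex", "\\BaseNamedObjects\\wuqntwklyxwhac"),
    ("mutex", "Local\\ZonesCacheCounterMutex"),
    ("job", "GoogleUpdateTaskMachineCore.job"),
    ("mutex", "87281673"),
    ("job", "CDERKBM.JOB"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG) + scan_endpoint(SAMPLE_ENDPOINT):
        print(f"#{hit.record_no} {hit.kind:5} {hit.indicator:20} {hit.detail}")
```

The IP-only hit is the one a hash or hostname list would have missed, but it is also the noisiest: the lists above already show several unrelated hostnames resolving to the same 213.186.33.x addresses, so that range serves other sites too. Treat an IP-only hit as a lead to confirm against the attached hash lists or the mutex and job names on the endpoint, not as a confirmed infection by itself.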

Conclusion

Palo Alto Networks Enterprise Security Platform would have stopped this ransomware attack campaign thanks to the platform’s unique integration between the network, endpoint and the cloud to maximize security. Attacks aren’t getting any less sophisticated, so it is time to leave legacy security solutions behind and upgrade to real, prevention-based security.

[Palo Alto Networks Blog]

Standard Web Security Won’t Keep the Internet of Things Safe

The “Internet of Things,” or “IoT,” is a fascinating field of technology representing the growth of interconnected devices that can be controlled and managed remotely through mobile devices or many other means.

The Internet of Things spans all areas of life and work, especially if we consider:

  • Smart homes with refrigerators ordering groceries, remote-controlled HVAC equipment, or smart lighting
  • Connected industries and cities with remote meters, automatic analytics, or robotics
  • Wearables such as smart watches, fitness bands or smart glasses
  • Connected cars with automatic driving technology, remote diagnostics, or fleet management

and much more.

From a business perspective, the IoT offers incremental revenue opportunities as well as productivity and cost savings to companies across the globe. According to analyst firm IDC, the number of IoT devices will grow from approximately 6 billion in this decade to 28 billion in 2020 — a staggering number. The market for wearable smart devices alone is expected to increase at an average rate of 60% per year to $20 billion in 2017.

What is the common characteristic of all of these devices? Connectivity to the Internet through applications. And with this connectivity comes increased exposure to cyber threats. Think of it as today’s mobility market on steroids.

While it will become increasingly important (and common) for most companies to enable Internet-connected devices, a key goal for IT and security departments will remain the safe enablement of the applications that power those devices. Neither Web nor email security will be able to adequately protect against future attacks from cybercriminals targeting your organization through the IoT. Many of these applications will most likely use more than Web channels to reach data, and can easily circumvent web security solutions by using uncommon ports.

Now is the time for companies to start thinking about security strategies against tomorrow’s cyber attacks through the Internet of Things. No one has all the answers to the security-related questions posed by the IoT in the coming years, but it helps to ask, at the very least, the following 5 questions to prepare for the onslaught of Internet enabled devices facing your company in the near future:

  1. What IoT devices are likely to be used in your organization in the next decade?
  2. What types of data will these devices access?
  3. What types of devices will your employees own or utilize?
  4. How do these devices interact with your corporate network?
  5. How do you currently ensure safe application enablement across all ports?

The answers to these questions will have a significant impact on your organization’s security strategy in the next few years. The best you currently can do to prepare for the fast approaching army of networked devices is to deploy the best possible application control with a solution monitoring all ports in and out of your network. Palo Alto Networks Enterprise Security Platform not only protects companies against applications utilizing a few common ports, but also offers complete visibility into all enterprise network traffic. Learn more about our approach here.

[Palo Alto Networks Blog]

Unpatched Flash Vulnerability CVE-2015-0311 Blocked by Palo Alto Networks Traps

On January 22 Adobe confirmed the existence of a zero-day vulnerability affecting Adobe Flash Player 16.0.0.287 and earlier, and assigned CVE-2015-0311 to it. This is the classic zero-day scenario of exploitation in the wild before any vendor patch is available, and in this blog post we will explain how Palo Alto Networks Traps blocks this vulnerability.

Let’s start with a brief background on the security implications of CVE-2015-0311. Successful exploitation could allow an attacker to compromise data security, potentially gaining access to confidential data, or to take over processing resources on a user’s computer. Any version of Internet Explorer or Firefox on any version of Windows with Flash up to and including 16.0.0.287 installed and enabled is exposed.

Following the disclosure, several security companies reported encounters with attacks utilizing this zero day, as well as a considerable surge in Angler EK activity, mainly in the United States.

Zero days such as CVE-2015-0311 illustrate why signature-based solutions are a dead-end when facing the current advanced threat landscape. Prior knowledge is futile when encountering an attack that is, by definition, unknown. Reliance on vendor patching is also insufficient both from security and operational perspectives – we all know large enterprises do not easily pause company-wide IT activity in favor of mass updates.

Traps Advanced Endpoint Protection is designed to proactively block attacks targeting endpoints, including unknown zero-day exploits. Traps automatically detects and blocks the core set of techniques that every attacker must link together in order to accomplish exploitation. Because of the chain-like nature of an exploit, preventing just one technique in that chain is all that is needed in order to block the entire attack even before a payload is dropped.

The exploitation of CVE-2015-0311 is no different from other exploits in the essential phases it needs to go through. Traps blocks it.

To further illustrate how, let’s reflect on a common exploitation pattern. First come preparation steps intended to expand the victim machine’s memory attack surface. What usually follows is an attempt to seize a region of memory and circumvent standard protection mechanisms. Having accomplished these stages, the exploit still needs to reach certain OS functions to obtain the resources its malicious activity requires. Once all these steps succeed, the attacker can run code remotely on the victim’s machine.

There are several techniques attackers deploy to perform each one of these stages. Obstructing any of these stages terminates the exploitation. Posing obstructions to each and every one of the core techniques creates a powerful multilayered defense which proactively prevents any exploitation attempt from maturing into an ongoing attack.

Moreover, such defense will succeed, regardless of the utilized CVE and regardless of specific exploit prior knowledge since it relies on obstructing the core techniques all exploits utilize.

Applying this defense paradigm to CVE-2015-0311 reveals that despite it being a zero day, and supposedly an unknown attack vector, it is blocked by Palo Alto Networks Traps. Traps prevents the exploit from writing to memory and from accessing OS functions. Each of these is sufficient for successful prevention. Even if the attack is a zero day and not a known exploit, it poses no additional challenge to Traps.

Traps users are exempt from emergency patching and from the worry that an unknown attacker is crawling undiscovered through their endpoints. Traps users were in fact protected from CVE-2015-0311 before it even existed.

Learn more about Advanced Endpoint Protection here.

[Palo Alto Networks Blog]

Malvertising: The Dawn of a New Attack Era

In September 2014, two news sites in Israel fell victim to a malvertising campaign that affected thousands of viewers. One month later, Yahoo! and AOL became victims of a similar campaign. Malvertising concerns me more than the average attack method for several reasons:

  1. It utilizes ad space on any web page that hosts third party ads… so basically most of the Internet.

Have you counted how many ads are on each web page as you casually browse news articles, or look up that film with what’s-her-name and so-and-so? This article states that the average user saw over 1,000 ads per month in 2012, and one can only assume that this number has increased since then. There’s no easy escape. Malvertising grants attackers access to hundreds of millions of users. Makes you want to install some ad blocking software, doesn’t it?

  2. Malvertisements are indistinguishable from legitimate ads.

You’d be pretty hard-pressed to pick out a malicious ad at first glance even if you have “cyber intuition.”

A strict “no-click” policy for web ads isn’t enough to protect you because some malvertisements, like pop-up ads, don’t even require users to click— malware is installed when the ad loads on the page, and the malware could be anything from bots (think zombie computer) to ransomware.

  3. Repercussions are basically nonexistent because the hosting web site has no control over the ads placed, and the attacker is several times removed from the ad network.

Attackers take advantage of the way an advertising network functions, with its low prices, automatic bidding process, potential for very large audiences via “trusted” sources, and almost nonexistent means for tracking them down.

This is how it works: The attacker, along with legitimate ad buyers, submits advertisement code and the highest price they’re willing to pay to an ad publisher who then uses an ad network to bid on ad space on third-party web sites. The ad network sells each space to the highest bidder on behalf of the web site — this is an automatic selling process that takes milliseconds, and prices are typically less than a dollar. An attacker’s “ad” code is then placed on the web site.

Attackers typically build a solid reputation by placing ads with clean code for a few months before injecting attack code into them. Once that happens, the attack has widespread reach and the potential to infect hundreds of thousands of users and generate hundreds of thousands of dollars, at an initial cost that was a mere fraction of that. The malvertisement only needs to stay up for a few days or even a few hours before the attacker has the victims he needs, so he then removes the ad altogether.

Creating an industry safeguard against malvertising requires the coordinated effort of ad networks and publishers, as well as pressure from ad hosting web sites. Such cooperation between many parties is difficult to orchestrate unless the problem greatly affects profits. But because ad networks are still being paid for ad space sold to attackers, the impact on the bottom line is revealed much more slowly. Attackers use this process because it’s easy and it works.

  4. Malvertising as a consumer-based attack method is a shift from the sketchiness seen in spear phishing and packet sniffing to one that’s almost legitimate because it leverages a real business process to do all the hard work normally involved in delivering malware.

Gone are the days when malware only hung out on the bad side of the internet. Cyber threats are out in the open, hiding on real web pages that we trust and frequently visit, using methods honest people intentionally created to improve business, and we must continue to adapt in order to protect our cyber valuables. Attackers are upping their game and focusing their guile on identifying loopholes in commonplace business processes.

Luckily, there are things we at Palo Alto Networks already do to thwart malvertising threats:

  • Drive-by download protection alerts users that a download is attempting to take place and requires the user to either allow or deny the download. If a malvertisement tries to auto-download malware, this mechanism gives the user an opportunity to nix it before it happens
  • File-blocking profiles restrict the types of files that can be downloaded to only the files that are needed and expected by the user
  • WildFire creates new anti-virus protections for unknown malware immediately after it’s seen. Malvertisements attempting to deliver known or unknown malware are detected and blocked
  • URL Filtering stops traffic to known malicious web sites and uncategorized web sites. If a malvertisement is clicked, the resulting web page is blocked
  • Even if malware succeeds in downloading onto your machine, Traps prevents it from installing itself

Security isn’t something that stops with network architecture and coding practices. Business-to-business processes need it, too. Anything that uses the internet, or an intranet, in the slightest way must be included on the list of potential threat vectors, poked at with a cyber-stick by someone wearing their “if-I-were-a-hacker” hat, and secured accordingly.

For more information on what can happen as a result of a successful malvertisement, check out Dan Kaminsky’s interview with USA Today staff writer, Elizabeth Weise.

[Palo Alto Networks Blog]

Degrading Security Diminishes Privacy

Privacy has been getting a lot of attention lately. And with good reason, given the increasing occurrences of privacy breaches, personal information records breaches, all the many new types of smart devices being used by more and more people, and the collection of more personal and associated data than ever before. It would appear that the 2014 Sony hack was the tipping point that motivated US President Barack Obama to propose the Personal Data Notification & Protection Act and the Student Digital Privacy Act on 12 January this year. It was encouraging to see this new interest in taking steps to better protect personal information—not only for improving personal privacy of US residents, but also to help show the rest of the world that the US is moving beyond having a patchwork set of privacy laws and being considered as an “inadequate” privacy protections country by the rest of the world, to moving forward with actions to better protect personal information throughout all industries, and not just a chosen few that exist in the US today.

However, on 16 January, the White House released a statement showing their support of an announced UK goal to outlaw encrypted messages and other communications unless the government is given a backdoor to decrypt such communications. These two messages from 12 and 16 January are in direct conflict with each other. You cannot achieve privacy without strong information security, and you cannot have strong information security when tools have backdoors built into them. This is an Information Security 101 lesson that has been taught for decades, but seems to have been lost (or never learned) by leaders making decisions that impact everyone’s privacy and information security. It is also something that all information security professionals need to make sure their own organization leaders understand.

Here are five important and compelling facts that government and other types of organizational leaders need to know:

  1. Backdoors can often be exploited accidentally, resulting in great harm. Backdoors in technologies are nothing new. Hearken back to 1988 when the Morris worm became the first widespread Internet attack. It spread quickly and destructively to infect systems and spread widely by using backdoors purposefully built into technologies. The backdoors in that case were a set of secrets then known by a small technically proficient group of Internet users. One error resulted in a large-scale attack that disabled many systems and brought the nascent Internet to a virtual standstill. Lessons were not learned, were they, if leaders still want to build backdoors into technology systems. As a systems engineer at a large multi-national organization at the beginning of my career, I saw fellow programmers building in backdoors and hardcoded passwords that “only they knew” (and of course anyone else examining the code) at the urging of their managers, many of which resulted in significant systems outages and program mistakes once they were put into production through accidents, which caused unforeseen problems.
  2. Backdoors will not remain a secret. Backdoors will be discovered and used by the adversaries and crooks they were established to find in the first place. This is not a new truth. History demonstrates that so-called “secret” technology backdoors are dangerous, put the associated systems at risk, and lead to breaches and security incidents. And the more people that know about each backdoor, the more dangerous having such backdoors will become. Consider another real-life example. In 2013, the security company Barracuda had an undocumented backdoor in its security tool that allowed high levels of access from the Internet addresses assigned to Barracuda. However, when it was publicized, as of course secrets will be when humans are entrusted with them, it became extremely unsafe and Barracuda’s customers said they didn’t want it. There is no such thing as a “secret” backdoor if even one human knows about it.
  3. Backdoors created to fight crime will be used to commit crime. Proficient enemies who are looking for vulnerabilities in security technologies know how to exploit the weaknesses when they find them. It has happened many times before. One example of how attackers can use backdoors placed into systems occurred in Greece’s largest commercial cellular network operator. Switches installed in the system came with built-in wiretapping features created specifically for authorized law enforcement agencies. A yet-to-be-identified attacker was able to install software, use these embedded wiretapping features to secretly, and of course illegally, collect the calls from many cell phones, including those belonging to the Prime Minister of Greece, a hundred high-ranking Greek dignitaries, and a US Embassy employee in Greece. The crooks are also willing to pay large amounts for the details on such built-in backdoors and other types of unpublished vulnerabilities. An undisclosed vulnerability in widely used commercial software reportedly sells for US $160,000, on average, on the black market.
  4. Backdoors and other types of weakened security create opportunities for malicious insiders and the authorized unaware. Humans are the weakest link in information security, and trusted insiders present the greatest threat to systems and information. Edward Snowden has become the poster child for the high risks and consequences of trusted insiders that break their promises to keep the secrets entrusted to them. Even though he started releasing his pilfered data in June 2013, he still continues to trickle out large chunks of stolen data, such as the F-35 blueprints he recently posted that had already been obtained by Chinese hackers.
  5. Backdoors in technology hurt business success and thwart technology advances. If weakened security in commercial products and services is the result of a national policy (as opposed to other causes, such as human error or corporate interests), this weakened security harms the nation economically. After having so many privacy breaches impact hundreds of millions of individuals, consumers justifiably want products and services from companies that they believe are building secure technology and that do not build in backdoors, regardless of who told them to do so. Implementing such policies could have a significant negative impact on competitiveness in the information technology sector. For example, Forrester Research Inc. estimates that recent allegations about US data surveillance activities may have reduced US technology sales overseas by as much as US $180 billion, or 25 percent of information technology services, by 2016. The government could be significantly damaging the economy even more if they would require such backdoors to be installed within security technology products that are used by consumers throughout the world.

Governments and other entities with goals of creating backdoors in security technologies, by a well-intended but fatally flawed attempt to improve security, could ultimately compromise information security and privacy and make systems and data more vulnerable. Data Privacy Day on 28 January is an opportune time to point out, to government leaders, business leaders and individuals, that privacy protections are weakened when information security protections are weakened. There are ways to ensure a country’s security without making security tools, such as encryption, weak and vulnerable to exploitation.

Rebecca Herold, CISA, CISM, CIPM, CIPP/IT, CIPP/US, CISSP, FLMI
CEO of Rebecca Herold & Associates and partner of Compliance Helper
Member of ISACA’s Privacy Task Force

[ISACA]
