In my line of work, people often ask why anyone would want their information. The threat environment has shifted from, “Look what I can do! Isn’t this fun?” hacks, to deliberate, concerted, concentrated efforts on a particular target to get financial information. It is a phenomenal shift and it requires a different way of thinking. However, some managers still operate with an old mindset and are unprepared for the new threat. In the federal space, senior officials with clearance can be educated on the current threat. In private industry, corporate officers are limited in their ability to receive threat briefings.
IT infrastructure is faster, more complex and more interconnected, and with cloud and managed services, the architecture has changed. We have gone from having a data center that can be hardened to cloud computing that turns that model on its head. The core is now your infrastructure and network and you are plugging in at cloud data centers. Now you have to be master of security and risk management, as well as master of change management because your environment is changing and evolving rapidly. The challenge in implementing stronger security in the future is the necessity to build a strong core infrastructure, strong governance and strong risk management in the organization. The skill sets and technology we are looking at are changing because of it. The only constant is the change and evolution of our business model.
Legislation
A recent step in the right direction was the focus on threat sharing in federal legislation. On the threat-sharing side, legislators are considering allowing people in business to get threat information. Early efforts such as the US Federal Bureau of Investigation’s (FBI) InfraGard program need to be expanded by the Department of Homeland Security (DHS). Should the Sarbanes-Oxley model be used to improve cybersecurity? After all, it forced authorizing officials in the financial sector to attest to the accuracy of the financial statement with criminal penalties for non-compliance.
I just reviewed the new US Federal Information Security Management Act (FISMA) guidance and was pleased that certification and accreditation remains, rather than scanning and patching your systems and hoping for the best. The US congress understood the importance of the risk management framework developed by the National Institute of Standards and Technology (NIST) and that ongoing diagnostics and mitigation are a subset of continuous monitoring.
Congress might consider reviewing the state of Texas’s privacy breach laws centered on health care information. Texas provides safe harbor if there is a breach of a health care organization that is certified in the High Trust framework. I think US legislators should consider rewarding those who implement good security practices like ISO 27000 or COBIT, rather than penalizing them when a breach occurs.
US Federal Programs that Work
FEDRAMP has done a great job of putting forward minimum baseline requirements that the industry recognizes from doing business with the government and creating large savings for agencies. The benefits are carried over to companies and the consumer in that what is done to meet government standards is eventually adopted by private industry. This is government buying power that positively influences consumer products like cell phones that now support full device encryption for free. I think the US government will set the bar for acceptable general security.
Staffing
A trend I currently see is organizations positioning the CISO over the CIO. The CISO already knows infrastructure and the business and has a privacy and risk management mindset. The CIO will do what they have always done—be the operations manager, build the infrastructure and manage cloud providers. We need risk management at the top. If you look at NIST SP 800-39, it emphasizes risk governance and if you do not have that from the top down, it is going to come back to bite you.
For my security positions, I am hiring MBAs with a strong emphasis on credentials in information security and assurance. I am looking for people who are flexible, have critical thinking skills and have the social and diplomatic skills needed to be able to converse with executives and make a clear case on why security controls are needed. I am an MBA and differentiated myself by getting credentials from CompTIA, (ISC)2 and ISACA.
Steve Hernandez, CISA, CISSP, CNSS CISO, Office of Inspector General at the U.S. Department of Health and Human Services
Network security management is a critical aspect of any security deployment. However, most administrators would agree that configuring and managing a complete security network could at best be described as a nightmare.
According to AlgoSec, 64% of organizations are consumed with complex management, such as time consuming manual processes, obscured security policies, poor change management, and more. Manual processes also mean a greater likelihood of human error. According to Infonetics, 25% of security network outages are directly related to human error — a scary statistic.
Most security vendors don’t pay much attention to streamlining and simplifying the network configuration and management aspects of deployment. In fact, most security deployments are separate from each other, with differing management consoles and independent rule bases, lacking the ability to communicate with each other.
Ask yourself the following questions to understand if you are spending too much time managing your security deployment:
How many UIs and security rule-bases (URL filter, IPS, firewall, etc) do I manage to keep my network security current?
Can I manage my distributed security network from a central location, or do I need local administrators for each firewall?
What tools do I have that help with reducing manual processes during network configuration or policy development?
Does my security network structure match my organizational structure for a more logical deployment of security policies, or is it unnecessarily complex?
At Palo Alto Networks, network security management is a critical part of a security deployment. This translates not only into efficient management of individual firewalls but also of large distributed networks using our Panorama network security management solution.
Palo Alto Networks next generation security platform offers the convenience of a single user interface, as well as a single security rule-base that can be used to manage security policies for your application control, threat prevention, URL filtering, and more. This significantly streamlines policy management.
Panorama also offers tools that help reduce manual tasks and human errors such as the utilization of template stacks that eliminate manual replication of configuration elements across a distributed network. The ability to import existing firewall configurations with the click of a few buttons eliminates manual re-typing of configurations.
Other focus areas include intuitive network and policy management that enables you to deploy a security network that matches your organizational structure, making management of the security deployment significantly easier and logical.
Click here to learn more about Palo Alto Networks network security management capabilities.
We are excited to announce that Telstra has become the first channel partner in Asia Pacific to achieve the highest level of Diamond Partner Status in our NextWave Partner Program.
Telstra has been a partner of Palo Alto Networks in Australia since 2012. Over the past several years, Telstra has been instrumental in successfully bringing Palo Alto Networks offerings to market in Australia, especially with large enterprise customers.
This recognition was marked with an official signing ceremony at 11 AM today at the Hilton Hotel in Melbourne, Australia. The event was attended by John Ieraci, Director of Security Practices and Euan Prentice, Director of Services Business Development from Telstra, and Steve Redman, Vice President of Asia Pacific and Armando Dacal, Vice President of Australia/New Zealand from Palo Alto Networks.
A June 23 FireEye blog post titled “Operation Clandestine Wolf” discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash. Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.
The UPS group has exploited several zero-day vulnerabilities, most recently using the zero-days released in the Hacking Team breach that we discussed in our July 10 blog post, “APT Group UPS Targets US Government with Hacking Team Flash Exploit”. However, the most recent original zero-day released by this group is tracked by CVE-2015-3113, which has similarities to the once zero-day vulnerabilities CVE-2014-1776 and CVE-2014-6332 exploited by UPS in May and November 2014, respectively. We’ll discuss here the similarities observed between the various components used to exploit these two vulnerabilities, specifically focusing on the malicious Flash files and the payloads delivered.
Malicious Flash Files
Recent zero-day vulnerabilities exploited by UPS exploit or leverage Adobe Flash to exploit other applications on the system. Unit 42 recently analyzed malicious Flash files that exploitedCVE-2015-3113, which was a zero-day vulnerability in Adobe Flash that was patched on June 23, 2015.. During the analysis, we noticed similarities between this malicious Flash file, those that UPS used to exploit CVE-2014-1776, and the proof-of-concept code for CVE-2014-6332, albeit these two Flash files were used to exploit zero-day vulnerabilities in Internet Explorer.
Overlaps within ActionScript
Unit 42 analyzed the ActionScript within malicious Flash files created by UPS that exploited CVE-2014-1776 and CVE-2015-3113 and discovered shared code between the two. First, both ActionScripts contain a function named “hexToIntArray”, which Figure 1 displays side-by-side for comparison. Not only do these files contain the same function name, but they also share the same exact operation codes (opcodes) to carry out its functionality. The existence of the hexToIntArray function in the CVE-2015-3113 sample is rather interesting, as it is never called or used within the ActionScript. We believe that the threat actor used the CVE-2014-1776 ActionScript as the basis for the CVE-2015-3113 file and forgot to remove the unused hexToIntArray function.
Figure 1. Side-by-side comparison of opcodes in hexToIntArray functions
Also, the Flash file exploiting CVE-2015-3113 had a main class named “flappyMan”. This class name was also used in the Flash file that Unit 42 analyzed and discussed in its November 26, 2014 blog titled “Addressing CVE-2014-6332 SWF Exploit”, as well as the proof-of-concept (PoC) for CVE-2014-6332 that is now publicly available in exploit-related forums. According to FireEye’s “Operation Double Tap“, UPS exploited CVE-2014-6332 in its November 2014 attacks; however, UPS used a VBScript to exploit the vulnerability instead of a Flash file. While purely speculation, this overlap in class names between the CVE-2014-6332 PoC and the Flash file exploiting CVE-2015-3113 may suggest that UPS also used Flash files to exploit CVE-2014-6332.
Shellcode Similarities
As with most remote code execution vulnerabilities, UPS’ malicious documents execute shellcode in the event of successful exploitation of either CVE-2014-1776 or CVE-2015-3113. The shellcode found in the UPS delivery documents exploiting both of these vulnerabilities are not the same, but have similarities worth noting.
First, the delivery documents share the same technique of locating API functions, which involves using the rotate right (ror 7 to be specific) instruction on the function name in kernel32.dll and checking it with a specific value. The use of the same rotate right algorithm results in several common constants, such as 0xC917432 that both shellcodes use to locate LoadLibraryA. Second, both shellcodes use a similar method of creating the Unicode string “kernel32.dll”, seen in Figure 2. The shellcodes use the Unicode string and the same method to find the base address of the loaded kernel32.dll module from the LDR structures obtained from the process environment block (PEB). Third, both shellcodes have similar single byte XOR algorithms used to decrypt and later execute the functional payload.
Figure 2. Comparison of Instructions in UPS Shellcodes that Builds Kernel32.dll Unicode String
Steganography to Conceal Payloads
While analyzing the malicious Flash file exploiting CVE-2015-3113, Unit 42 discovered that the ActionScript loaded an animated GIF image. The malware author used steganography to embed an encrypted payload within this animated GIF image. The payload in the CVE-2014-1776 was also embedded within an animated GIF. Ultimately, the shellcode executed in the event of successful exploitation of either of these vulnerabilities decrypt and execute the embedded payload, as mentioned in the previous section. While the animated GIFs themselves are vastly different, as seen in Figure 3 and 4 (payloads removed), the use of steganography and animated images as the carrier of the payload is common between the two campaigns.
Figure 3. Animated GIF “v.gif” from UPS Campaign Exploiting CVE-2015-3113 (click to see .gif)
Figure 4. Animated GIF “anyway.gif” from UPS Campaign Exploiting CVE-2014-1776
Payload Comparison
With the amount of overlap between the other components in these separate campaigns, we decided to compare the Pirpi payloads delivered by the UPS group using CVE-2014-1776 and CVE-2015-3113. From here on, we will refer to these two payloads as Pirpi.2014 (CVE-2014-1776) and Pirpi.2015 (CVE-2015-3113), whose details are listed in Table 1. Unit 42 discovered several similarities between the two Pirpi variants, as well as a few equally important differences, both of which are worth discussing. We also compared the Pirpi.2014 and Pirpi.2015 payloads to other known Pirpi samples in an attempt to determine which variant they most closely resemble.
Table 1. File Details of Pirpi.2014 and Pirpi.2015 Samples
Similarities in C2 Communications
Both Pirpi variants perform an initial check to see if a configuration file exists at %APPDATA%\vcl.tmp or %TEMP%\vcl.tmp depending on the operating system. If it finds one, it decodes it and uses the configuration data it finds inside for C2 communication, otherwise it uses hardcoded C2 domains encoded inside the binary. The malware then creates threads to begin C2 communication.
The Pirpi.2014 and Pirpi.2015 payloads communicate with their C2 by issuing HTTP GET requests to the C2 domain hardcoded inside the payload or within its “vcl.tmp” configuration file. While the structure of the C2 URL differs between the two variants, both use the HTTP Cookie field to transmit data in encrypted form to the C2 domain. Figure 6 shows examples of C2 communications from Pirpi.2014 and Figure 7 shows communication with the C2 of Pirpi.2015 malware variants, both containing data within the Cookie field.
Figure 5. Pirpi.2014 C2 Communication using Cookie Field for Exfiltration
Figure 6. Pirpi.2015 C2 Communication using Cookie Field for Exfiltration
The GET request will return a web page that the malware will parse, specifically looking for encoded commands within two of the HTML tags.
Command Loop Overlap
Once the two Pirpi variants successfully communicate with their C2 server and parse the returned HTML for commands, Pirpi enters a command loop that processes the commands and carries out the respective activities. The command loop for the backdoor remains largely unchanged between Pirpi.2014 and Pirpi.2015 with only two of the commands differing between the two. Table 2 shows the commands that each malware can accept with only the 35 and 36 commands differing between the two Pirpi variants.
Value
Pirpi.2014 Command
Pirpi.2015 Command
1
Launch Process
2
Process Listing
3
Terminate Process
4
Download a file from the C2, launch it, and then delete it
5
Exit the malware
6
Sleep
7
Update C2 configuration and save it to %APPDATA%\vcl.tmp
8
Download a file, load it into memory, then delete the file
9
Load a DLL from %APPDATA% and execute one of its exported functions
10
Do nothing
11
Do nothing
12
List all servers in the domain
13
Get network adaptor information
14
List TCP connection status (netstat)
15
Retrieve information about connected users
16
List servers in the primary domain
17
Locates DCs on a domain
32
Directory listing
33
Upload a file to the C2
34
Delete file
35
Copy file and delete original
Copy file
36
Download and save file
Do Nothing
37
Echo
38
Execute Process
49
Get location of configuration file and set as current working directory
Table 2. Commands Available within Pirpi.2014 and Pirpi.2015
Anti-Disassembly
The UPS threat group is a fan of one anti-disassembly trick that can be seen in both Pirpi.2014 and Pirpi.2015. It plays upon the order IDA Pro disassembles instructions. As you can see in the code sample in Figure 6 from Pirpi.2014 there is a “jump above” instruction, followed by a “jump below or equal” instruction which just falls through to the next instruction. This fall-through code path will never get executed since the jump occurs if 0x58693C96 > 0x0D7F31B4.
Figure 7. Code Showing Anti-Disassembly Technique used in Pirpi Tool
IDA Pro’s disassembly sequence follows the fall-through branch of conditional jumps first, and thus in the previous instruction sequence, IDA keeps disassembling one instruction after another. When IDA goes back to disassemble the jump target for 0x10009133, it finds it pointing to the middle of an instruction. This stops IDA from being able to draw function borders, view a function in graph mode, or decompile with Hex-Rays. To solve this, undefine all of the code that will not be executed, and define code starting from the target of the conditional branch (in this case 0x1000913E), as seen in Figure 7.
Figure 8. Fixing Anti-Disassembly Trick used by Pirpi Tool by Undefining Errant Instructions
You will now be able to create a function to improve your ability to do analysis. To make this easier, use an IDA Pro script to fix these anti-disassembly tricks. Please note that this script specifically targets the anti-disassembly used in Pirpi and other UPS samples. It may cause issues with malware that uses other anti-disassembly tricks. Use with caution.
Notable Differences
The first major difference between the Pirpi.2014 and Pirpi.2015 variants is in the way the command loop is executed in each backdoor. In Pirpi.2014, the malware uses a simple state machine that executes code blocks that correspond to a state value, which the malware updates at the end of each code block. Many of these code blocks include sleep functions, however, if the state value is set to the correct value, the malware executes a code block that contains the command loop. The purpose of this state machine is to intentionally delay the malware’s execution of the command loop.
In Pirpi.2015, the malware implements a second state machine that executes the Pirpi.2014 state machine as one of its code blocks. The second state machine introduces a large number of randomized sleep functions, causing the malware to take much longer to execute its command loop. The majority of code blocks in the second state machine either sleep, or create threads and wait for them to finish. The malware author likely implemented these state machines as an anti-debugging technique and to defeat most modern sandbox solutions.
The second difference between the two Pirpi variants involves the encoding algorithm, which has improved greatly in the past year. Contained in the binary is an invertible math function for encoding and decoding of data. In Pirpi.2014 this function is rather simple, involving a few mathematical operations. However, in Pirpi.2015, the algorithm when decompiled is more than 300 source code lines of mathematical operations.
Other Pirpi Samples
FireEye released two reports in 2014 about APT3 phishing campaigns, Operation Doubletap and Operation Clandestine Fox. Each report containins md5s of other Pirpi samples that were available on VirusTotal. In addition, simple VirusTotal searches resulted in a few more Pirpi samples that came from the same code base. Table 3 contains the file information for each of these Pirpi samples.
Table 3. Details of Pirpi Samples from FireEye Reports and Samples that Share the Same Code Base
The sample listed as “{FireEye Report Sample}” in Table 3 is simply a dropper and loader for msupd.dll sample. Unit 42 compared all of the DLL samples listed in the table above and found that they are most closely related to Pirpi.2014. Table 4 below shows the statistics from Zynamics BinDiff from comparing each of the DLLs with Pirpi.2014 and Pirpi.2015.
Sample MD5
Pirpi.2014 Bindiff
Pirpi.2015 Bindiff
Similarity
Confidence
Similarity
Confidence
FA3578C2ABE3F37DDDA76EE40C5A1608
89.5%
98.6%
29.8%
69.5%
1A4B710621EF2E69B1F7790AE9B7A288
92.7%
98.8%
29.4%
69.5%
F4884C0458176AAC848A911683D3DEF5
91.4%
98.7%
29.6%
71.6%
4CA97FF9D72B422589266AA7B532D6E6
93.7%
98.7%
30.7%
71.6%
B48E578F030A7B5BB93A3E9D6D1E2A83
100%
100%
34.3%
73.0%
1B0E6BA299A522A3B3B02015A3536F6F
34.3%
73.0%
100%
100%
Table 4. Resulting Similarity and Confidence Rates of Pirpi Samples
Conclusion
The UPS threat group continues to exploit zero-day vulnerabilities in their campaigns, which shows that this group is quite sophisticated and has access to significant resources. Within their attack campaigns involving zero-days, UPS has consistently reused delivery techniques and code within various components of the attack. UPS has relied on steganography to conceal the payloads delivered after exploitation of zero-days by embedding payloads, specifically the Pirpi backdoor within animated GIFs. This group also reuses portions of their ActionScript within their malicious Flash files used to exploit vulnerabilities, as well as sharing portions of shellcode that executes after exploitation.
In regards to similarities amongst payloads, UPS delivers variants of the Pirpi backdoor that are typically very similar to each other. The Pirpi backdoors we analyzed use the same configuration file, a common C2 communications channel and a similar command handler. Also, the author of Pirpi includes several notable fingerprints within the code, specifically using a unique state machine and anti-disassembly techniques. Organizations can use all of these overlaps and similarities to track and hopefully protect themselves from this advanced adversary. AutoFocus users can identify Pirpi payloads with the Pirpi tag (Figure 9). WildFire automatically classifies Pirpi samples as malicious and we have released IPS signature 14643 to detect Pirpi C2 communications.
Cyber attacks are on the rise and the costs to businesses are increasing – recent estimates show that this could be as much as $USD500,000 and take an average of 24 days to identify and resolve. These figures in isolation make the situation appear dire. But understanding the cyberattack lifecycle before it reaches your data center – how a breach occurs, what happens once it’s in, and even just how long it takes to resolve – means you’re in the best position possible to prevent a successful attack from taking place at all.
Think about securing your organisation not as a house, with your security at front and back doors, but as a hotel, with security segmented by rooms and access levels. Network segmentation means multiple layers of protection that prevent hackers from moving freely within the network should they break through one layer.
