Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media

On May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first against the U.S. government and the second on a European media company. Threat actors delivered the same document via spear-phishing emails to both organizations. The actors weaponized the delivery document to install a variant of the ‘9002’ Trojan called ‘3102’ that heavily relies on plugins to provide functionality needed by the actors to carry out on their objectives.

The 3102 payload used in this attack also appears to be related to the Evilgrab payload delivered in the watering hole attack hosted on the President of Myanmar’s website in May 2015.  Additionally, we uncovered ties between the C2 infrastructure and individuals in China active in online hacking forums that claim to work in Trojan development.

Palo Alto Networks WildFire detected the payload delivered in these spear-phishing attacks as malicious, and the payload was also tagged in Palo Alto Networks AutoFocus as 9002.

Delivery Document

The delivery document attached to the two spear-phishing attacks was an Excel document that exploits CVE-2012-0158, specifically exploiting a vulnerability in the MSComctlLib.TreeView ActiveX control. The malicious Excel document had a filename of電郵名單.xls, which translates from Chinese to “email list.xls”. Upon successful exploitation, the malicious Excel document installs a payload and opens a decoy document. The decoy document displays a list of names and email addresses of individuals allegedly associated with the Hong Kong Professional Teachers’ Union.

9002 Trojan: 3102 Variant

The threat actors weaponized the malicious Excel spreadsheet to extract and execute an initial payload, which is a dropper with a filename DW20.dll that we track as DoWork. This DoWork variant writes a second sample to the %TEMP% folder with a temporary filename and executes it.

Figure 1. Malware Execution Flow

The second payload extracts shellcode from a resource named “RES” and decrypts it by subjecting the resource to the RC4 algorithm twice, first using a key of “Oq9n01Ca9g” and then using the key “12345678”.  The shellcode then installs the actual payload of this attack by saving the 3102 payload to “C:\Program Files\Common Files\ODBC\Mshype.dll” and adding persistence via a registry key “HKCU\Software\TransPan\RunPath”. The second payload is also responsible for writing the 3102 Trojan’s 504-byte configuration to the registry, specifically in the key “HKCU\Software\TransPan\mshtm”.

The actors use a clever anti-analysis trick that stores the configuration in the registry, as the 3102 sample does not contain the configuration itself and relies on the second payload mentioned above to be operational. The second payload deletes itself from the system after it executes, suggesting that the malware authors added the configuration saving functionality in the second payload to thwart researchers seeking to extract C2 information from the 3102 sample itself.

The functional payload uses the string “3102” as the first four-byes of its network communications with its C2 server, which is the basis for the name ‘3102’. In May 2014,Cylance published an article on a targeted attack against a Chinese national that delivered the 3102 variant of 9002. When comparing the attacks, we found the following commonalities:

  1. Same Mshype.dll filename and file system path for the payload.
  2. Mshype.dll is signed using the same digital certificate belonging to A’digm, Inc.
  3. Same registry key for persistence: HKCU\Software\TransPan\RunPath: “rundll32.exe “C:\Program Files\Common Files\ODBC\Mshype.dll”,Process32First”
  4. Saves its configuration to the same registry key: HKCU\Software\TransPan\mshtm
  5. Uses the same key logging plugin.
  6. Shares common C2 communication protocols.

While similarities exist to the payload discussed in Cylance’s article, it is worth exploring some specific attributes and behaviors of the 3102 payload used in the May 2015 attacks on the U.S. government and the European media organization to gain a better understanding of the treat actors involved.

This 3102 payload saves the configuration seen in Figure 2 to the registry. The C2 domain “ericgoodman.serveblog[.]net” exists within this configuration; however, the configuration also contains the domain “fordnsdynamic.no-ip[.]org” that does not appear to be used anywhere within the Trojan’s code.

Figure 2. 3102 Configuration Saved to the Registry

The Trojan also contains several debug messages that reference the domain “www.aestheticismwoods[.]com”, which is a C2 domain referenced in the Cylance article. This 3102 sample never communicates with this domain, suggesting that the malware author did not remove debugging messages introduced in previous samples of 3102 when compiling the particular sample used in these attacks. The unnecessary inclusion of these two domains suggests that the author of this 3102 sample is rather sloppy with code changes and lacks a sense of operational security.

C2 Communication

To interact with compromised systems, the actors rely on the 3102 Trojan to communicate with its C2 server using one of two different communication methods.  The Trojan’s primary method involves using a custom protocol that has a static string of “3102” as the first four bytes of each transmission and uses LZO to compress its data. Each transmission contains the size of the LZO compressed data immediately after the “3102” string, followed by the length of the decompressed data, and finally the compressed data itself. Figure 3 shows a sample of the custom protocol beacon sent from the 3102 variant and the response received from its C2 server.

Figure 3. Custom Protocol Used by 3102 to Communicate with C2 server

The second method 3102 used for C2 communications employs basic HTTP POST requests. Figure 4 shows an example HTTP request sent from the 3102 Trojan to its C2 server. The URL within the POST request is a hexadecimal value that increments with each request. The content in the HTTP POST, specifically the “AA” string, the content-length of 2 and the user-agent of “lynx” are hardcoded into the 3102 Trojan.

Figure 4. HTTP POST Request Created by 3102

Once communications are established between the 3102 Trojan and its C2 server, the threat actors can interact with the compromised system and act on their objectives.

Capabilities and Plugins

The 3102 Trojan by itself does not contain much in the form of functional capabilities; rather, it is a modular Trojan that requires external plugins to provide capabilities. Therefore, the threat actors must provide plugins in the form of dynamic link libraries (DLL) that the Trojan will load manually. The author of 3102 chose to manually load the libraries in an attempt to evade antivirus engines that scan libraries loaded using the conventional LoadLibraryA and LoadLibraryW API functions.

During these two attacks, the actors used two different methods to load plugins in the 3102 Trojan. A third method existed in the code base, but was unused. We will discuss the three loading techniques and the plugins that the actors loaded onto compromised systems.

Embedded Plugins

3102 can load embedded plugins by manually loading a DLL that exists within the Trojan without saving the plugin to the file system. The sample used in the attacks described in this article contained only one plugin with the filename of “KeyLogger.dll.” We obtained the filename “KeyLogger.dll” from the ‘OriginalFilename’ field in the VERSIONINFO resource of the DLL. As this filename suggests, this plugin provides key logging functionality for the 3102 Trojan by monitoring keystrokes and logging them to a file named “temp_k.ax”. The keylogger also encrypts the logged keystrokes saved to temp_k.ax by using an XOR algorithm with 0x56 as the key.

Plugins over the Wire

3102 can also load plugins provided directly from the C2 server. This method manually loads a DLL from the network communications without saving the DLL to the disk, making it difficult for antivirus products to detect its malicious functionality. After manually loading the plugins, 3102 will run the plugin by calling the function “CreatePluginObj” within the plugin’s export address table (EAT).

During analysis of the attacks, we observed the threat actor sending three different plugins to the 3102 Trojan from the C2 server. The 3102 Trojan loaded these plugins, which allowed the actor to use the added functionality to interact with the compromised system. The plugins are not saved to disk, so we extracted and decompressed each plugin from a packet capture and obtained their filenames from the ‘OriginalFilename’ field in the VERSIONINFO resource of the DLL.

The first plugin has a filename of “DownFileS.dll” and enables 3102 to carry out file system activities, such as reading, writing and searching for files, as well as enumerating storage devices and volumes. The second plugin is called “FileManagerS.dll” and has a great deal of functionality overlap with the DownFileS.dll plugin, but it contains the added ability to remove folders and execute files. The third and final plugin provided by the C2 server is called “ScreenSpyS.dll” and allows for screen capture and allows the operator to interact with the system by sending key strokes, mouse movements and mouse clicks.

Plugins from the File System

Lastly, 3102 can manually load plugins directly from a file named “temp_plugin.ax”. This plugin loading method allows the Trojan to save plugins to disk so they persist system reboots. The “temp_plugin.ax” file can contain multiple plugins, as 3102 will read the entire temp_plugin.ax file and parse its contents for plugins stored in the following structure:

Offset Description
0-1 Single byte XOR key
4-8 Length of cipher text
8 Filename of plugin in unicode
528 Beginning of cipher text

We did not observe the threat actors using this method in this attack; however, it is possible that the threat actors could use the “DownFileS.dll” or “FileManagerS.dll” plugins obtained from the C2 to install plugins that use this loading method.

Connection to Watering Hole Attack and Chinese Threat Actors

As previously mentioned, the malware author signed the 3102 sample delivered in the attacks discussed in this article using a digital certificate issued to A’digm, Inc. The same digital certificate was used to sign a separate 9002 malware sample, which also shared the C2 domain  “dns.mailpseonfz[.]com” with a second 9002 sample that was not signed with the A’digm Inc. certificate. The unsigned 9002 sample was also configured to use the domain “dns.websecexp[.]com” as an additional C2 server. This domain was the C2 server used by the Evilgrab payload delivered in the watering hole attack on the President of Myanmar’s websitethat we discussed in a blog post on June 11, 2015. Figure 5 shows the relationship between the spear-phishing and watering hole attacks.

Figure 5. Link Between Samples Signed by A’digm, Inc Certificate and the Watering Hole on President of Myanmar’s Website

While it should be noted that dissimilar groups can sign their Trojans using the same digital certificate, we believe that the same threat group is likely involved with both the spear-phishing attacks discussed in this article and the watering hole attacks hosted on the President of Myanmar’s website. We believe this as it appears that a common malware author may be involved because the compile times for the 3102 sample (2014-02-28 07:40:37 UTC) and 9002 sample signed by A’digm, Inc. (2014-02-28 08:07:48 UTC) were less than a half hour from each other.

Additionally, we have not found many other malware samples signed with this certificate, indicating it is not in widespread use.

While researching the mailpseonfz[.]com and websecexp[.]com domains that created the correlation between the watering hole and spear-phishing attacks, we noticed that these two domains had historic registrant email addresses that were also used in online forums, primarily in Chinese, discussing hacking, Trojan development, and website defacements. The domain websecexp[.]com was originally registered in 2013 with the email ‘bychinahacker@gmail.com’.  It has since been updated, but the domain has been actor controlled the entire time. Research on this email shows it has been tied to multiple website defacements and is also used a contact email within multiple Chinese hacking forums as well as for a company located in Guangzhou.

Figure 6. Screenshot of one of the website defacements.

For a brief period in late 2011 and early 2012, the registrant email for mailpseonfz[.]com was ‘bubai2012@163[.]com’.  The domain was under actor control the entire time, but currently has the registrant information hidden using a registrant protection service. When researching the registrant email we found ties to a Chinese forum advertising for a Software Security Engineer position in Shanghai in 2007. One responder requested to be contacted at that email address and said he or she worked in “Trojan testing.”

Conclusion

Unit 42 detected a cyber espionage group attacking the U.S. government and a European media organization within days of each other using a spear-phishing attack to deliver a variant of the 9002 Trojan called 3102. During the attack, the threat actor provided the 3102 Trojan with three plugins, which allowed the actors to interact with a compromised system’s file system, log keystrokes and perform screen-capturing activities.

The threat actors signed the 3102 payload with a digital certificate that was also used to sign a 9002 sample that has ties to the Evilgrab payload delivered by the watering hole hosted on the President of Myanmar’s website. Because that certificate doesn’t seem to be in widespread use and the samples were compiled within thirty minutes of each other, we believe the same threat group conducted both of these attacks. The threat group uses both spear-phishing and watering hole attack vectors, along with different families of malware to target individuals and groups of interest. However, while they use different attack vectors and malware, this threat group also seems to reuse significant portions of their infrastructure between attacks, which aides in detection and proactive mitigation.

Research on registrant information used to set up infrastructure for these attacks led to ties within the hacking community in China, indicating the threat group behind this activity is likely Chinese-based. Interestingly, the tie to a private Chinese company further indicates they are likely being hired as contractors, in contrast to threat groups like APT1 that are associated with the Chinese military.

The files used in this attack are properly classified as malicious by WildFire. Users of Palo Alto Networks Traps advanced endpoint protection are protected from exploitation of the CVE-2012-0158 vulnerability if they have not been able to patch their systems.  AutoFocus users can find more information on samples and indicators related to this attack by viewing the 9002 tag.

Files

Filename SHA256
電郵名單.xls 6ec4ec93409227e225d1d9fcf23ac3b73bbcf534e38628ca51e161efa1239f29
DW20.dll dd7bb7544d27114a3ac7c95302c215c1bbd4ddf7bcd8c5fdc3df1c9935c60359
%TEMP%\<temporary filename>.tmp 6f1b5f73bf33112737418b52b2f2de4e10747d979789531f8992691dda6a0dbb
Mshype.dll 4a4f4a1a0db0d8b169c214d495049dc7bc1a55d011c0db3ad2aea0e2587afab6

3102 Plugins

Filename SHA256
KeyLogger.dll 2656335c9faf75a29d47002f3a54c503cbeee419fa841de0d8f9a3d4dee19c89
DownFileS.dll bcba4361ba4d0344bb0ed1080fa2fcd3dbdf7e1e91b4d1c85ff8e7091de24ef7
FileManagerS.dll 7db917f8fdd62f321e7547d9bea572670051c44080b1df91f69fad9894fd4fff
ScreenSpyS.dll 084f01caf66abfd1f0f3669edfba9e07ea0b436820180d2af066d91642a79794

Indicators

Type Value
Mutex DATA_RUN_MYWAY
Certificate A’digm, Inc.
Domain ericgoodman.serveblog[.]net
Registry Key HKCU\Software\TransPan\mshtm
Registry Key HKCU\Software\TransPan\RunPath
Domain dns.websecexp[.]com
Domain dns.mailpseonfz[.]com
Registrant Email bychinahacker@gmail[.]com
Registrant Email bubai2012@163[.]com
Filename temp_k.ax
Filename temp_plugin.ax

and

[Palo Alto Networks Blog]

Guest Post: When There is No Magic Box, Try the Magic Sauce for Near 100 Percent Security

We are pleased to welcome guest blogger Lars Meyer of Consigas. Based in Dublin, Ireland, Consigas is a Palo Alto Networks Elite Authorized Training Center that specializes in consultancy and virtual training.

The whitepaper from the SANS Institute “Beating the IPS” shows that any Intrusion Prevention System from any vendor can be evaded. The same is true for any other threat prevention techniques from classic AntiVirus to newer technologies like Sandboxing as none of them provide total security on their own.

The good news is that hackers face exactly the same challengeas there isn’t a single attack technique that allows them to accomplish their final objective, of exfiltrating data or taking control of IT resources for criminal activity. Nowadays an attack is a sophisticated, stealthy and continuous process, compromised of a chain of multiple steps that an attacker has to successfully go through in order to accomplish his goal.

To achieve 100 percent security is not possible, but that’s not an issue as long as you keep your IT infrastructure defendable. A good analogy is the human immune system. A healthy lifestyle will keep us fit, but it doesn’t provide total protection from viral infections. However being sick isn’t the end of the world as long as the body is able, or with medical intervention,enabled to effectively defend itself and mitigate the impact of the infection. There is however a big difference between humans and an IT system. We know when we feel sick and we instinctively know when to go to the doctor. Getting this level of insight into an IT infrastructure is difficult, and at the same time there isn’t such a thing as a magic box which instinctively protects your network all on its own.

The solution is what I like to call the magic sauce, which is to put the right combination of threat prevention techniques together to make it close to impossible for an attacker to evade all of them. Palo Alto Networks Next-Generation Firewall isn’t a magic box either, but you can do magic with it if you use it in the right way, along with the other key components of the Palo Alto Networks security platform, including the Threat Intelligence Cloud and Advanced Endpoint Protection, and leverage its full potential.

For more information check out our Consigas blog post “Network Security Best Practices for Palo Alto Networks Next-Generation Firewalls” where we go through every single step of the Cyber Kill Chain to explain the most common attack techniques to infiltrate both data centers and end-user devices as well as the best practices to mitigate the attack.

[Palo Alto Networks Blog]

The Cybersecurity Canon: Future Crimes: Everyone Is Connected, Everyone Is Vulnerable and What We Can Do About It

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Jon OltsikFuture Crimes:  Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It (2015) by Marc Goodman

Executive Summary

Future Crimes by Marc Goodman details the dark side of technology, examining how new technologies are used and abused for criminal purposes.  In just under 400 pages, Goodman provides some basic historical background on computer security and then guides the reader through a cybercrime journey spanning consumer, industrial, medical, and various other technologies.

Fair warning to prospective readers: the story isn’t pretty.  The author starts with a wake-up call about data privacy and how a plethora of companies like Facebook, Google, and OkCupid, and the $150 billion dollar data broker industry regularly collect, sell, and abuse user data.  When it comes to Internet services, Goodman reminds readers, “you’re not the customer, you’re the product.”

Future Crimes also explores the current derelict world of cyber peeping toms, bullies, revenge porn, and extortion.  While these crimes are already rampant today, Goodman theorizes that things will get worse with the proliferation of surveillance cameras, geo-location services, RFID tags, and wireless networking technology.  The point is crystal clear: each technology innovation increases the attack surface, and cybercriminals are only too happy to exploit these vulnerabilities for profit.

Aside from level setting on the present, about half of this book examines the future of cybercrime with an in-depth analysis of cybercriminal organizations, cybercrime processes, divisions of labor, specialization, and the overall cybercrime marketplace.  This analysis is especially useful for cybersecurity professionals seeking to understand what motivates cyber adversaries and how they do what they do.  Goodman also does a good job of aligning cybercrime with the proliferation of Internet of Things (IoT) technologies.  The author succeeds in introducing IoT technologies, describing their potential benefits, and then providing numerous examples of how these innovations have or will be used for nefarious purposes.

Future Crimes can be verbose and even alarmist at times, but these are minor shortcomings within an otherwise extremely educational and informative book.  The author is especially adept at providing real-world examples, research points, statistics, and news stories to back up his points throughout the text.  And while experienced cybersecurity readers may be familiar with many of the events described in the book, Future Crimes goes beyond other books by covering a variety of territories like consumer, industrial, medical, and even military technology threats, vulnerabilities, and crimes.  In this way, Goodman weaves familiar cybersecurity events into a unique wide-angle lens of cybercrime.

I found Future Crimes extremely educational and believe it is a worthwhile read for cybersecurity professionals and even business managers interested in learning more about a broad range of cyber risks.  As such, Future Crimes should be included in the Cybersecurity Canon.

Review

Being an industry analyst, people often ask me a rather fundamental question:  What is the difference between information security and cybersecurity?  Some of my peers believe that any distinction between the two terms is nothing but semantics. I disagree.  In my humble opinion, information security is inexorably linked to the confidentiality, integrity, and availability of IT assets and infrastructure (i.e., applications, data, networks, servers).  Alternatively, cybersecurity is a broader topic that encompasses the confidentiality, integrity, and availability of all connected systems – industrial control systems, medical devices, consumer devices, etc.

With these discrepancies in mind, Future Crimes by Marc Goodman can be categorized as a comprehensive analysis of the state of cybersecurity, its implications on consumer safety and privacy, and the collective impact of cybersecurity vulnerabilities on our society at large.

The book is divided into three sections.  In Part One (A Gathering Storm), Goodman explores today’s cybercrime realities.  Part Two (The Future of Crime), looks at the cybercrime underworld and maps technology development to new types of burgeoning and creative criminal activity.  Finally, Part Three (Surviving Progress) provides some cybersecurity recommendations to consumers, government agencies and technology companies.

In the first chapter of the book (Connected, Dependent, and Vulnerable), Goodman provides a situational analysis describing the state of cybercrime today and how we got to this point.  Here, Goodman compares cybercrime to physical crime, explains the differences, and then gives the reader a historical review of computer security and basic malware tutorial.  The author then quickly fast-forwards to today’s dangerous threat landscape, illustrating his points by recounting examples of identity theft and data breaches while providing several ominous statistics on the explosion of malware.  By the end of the chapter, readers should be well-aware of Goodman’s in-your-face message:  ‘Think your online world is secure?  Think again!’

With the first chapter as a baseline, Goodman proceeds through the first part of the book by digging deeper into criminal activities associated with the technologies we all use in our daily lives for communication, entertainment, health care, our jobs, etc.

For example, Future Crimes exposes the dark side of all of the free Internet services we all enjoy, such as email, search engines, and social networks.  Goodman provides numerous examples of how companies like Facebook, Google, and LinkedIn provide these free services while playing fast and loose with user privacy and monetizing user data as they see fit – today and in perpetuity.  Of course, most users have no idea this is happening, as they are relatively defenseless against typical terms of service (TOS) agreements.  The author actually cites a Carnegie Mellon University study stating that the average American encounters thousands of privacy policies each year with an average of over 2,500 words.

As if this weren’t enough, the book proceeds with a creepier scenario: everyone is gathering and profiting from our data—cellular phone carriers, data brokers, dating sites, you name it.  I was particularly troubled by the story of a supposedly altruistic website, PatientsLikeMe, focused on connecting people with chronic illnesses.  As it turned out, PatientsLikeMe was actually selling this deeply personal patient information to a Nielsen subsidiary (BuzzMetrics), which then packaged the data for sale to drug companies, medical device manufacturers, and insurance companies.  This served as a strong example of cyber caveat emptor for consumers.

Once readers understand just how vulnerable they are, Goodman shifts the narrative from victims to perpetrators.  Part Two of Future Crimes specifies that criminals have always pioneered new ways to use new technologies for malevolent purposes, and this trend is only accelerating with accelerated innovation.   The author delves into the organizational structure of cybercriminals, looking at reporting structure, specialization, outsourcing, and the overall criminal marketplace.  These chapters act as a Cybercrime 101 course with details about things like the use of money mules, cybercriminal communication using the Dark Net, digital currencies like Bitcoin, and average prices for stolen merchandise like credit card numbers, documents, and even assassination services.

True to its name, the book also examines future crimes associated with evolving Internet of Things (IoT) technologies that combine compute, network, and storage resources with consumer and industrial capabilities.  Goodman is a fan of IoT and highlights its potential benefits but is also quick to identify a myriad of vulnerabilities.  For example, implanted medical devices (IMDs) like pacemakers and insulin pumps could be remotely controlled and monitored by physicians, improving care and reducing healthcare costs.  Alternatively, insecure IMDs could also be hacked and used for criminal acts.  Imagine if thousands of diabetics using a particular IoT insulin pump received an email threatening to give them a lethal dose of insulin unless they paid an extortion fee of $1000.  Future Crimes looks at many similarly frightening scenarios.

It is worth pointing out a core strength of Future Crimes: it is replete with countless real-world stories and copious data points that accentuate Goodman’s points throughout the book.  For example, the book recounts the 2008 attack in Mumbai and describes how terrorists took advantage of technologies like cell phones, GPS, and real-time access to news feeds.  Goodman also reveals incidents of cyberbullying, industrial espionage, revenge porn, and outright cyber vandalism.  For example, the 2001 hack of an Australian sewage treatment plant that “caused millions of litres of raw sewage to spill out into local parks, rivers, and even the grounds of a Hyatt Regency hotel,” really reinforced Goodman’s message on the cyber risks and consequences related to critical infrastructure.

Future Crimes is not without a few flaws.  Experienced cybersecurity professionals are all too familiar with many of the examples cited, and there are certainly other books providing more details about each individual topic.  Some may consider Goodman as a cyber “Chicken Little,” pummeling readers, page after page, with a dystopian diatribe about technological evils.  The author’s recommendations toward the end of the book are somewhat disappointing; those with cybersecurity policy and management experience won’t find anything new here.  Finally, Future Crimes can be a bit verbose and repetitive at times, exhausting even the most energetic reader.

In spite of these few shortcomings, however, I believe that Future Crimes is a very good book.  In truth, Goodman is really a technology optimist and does a fine job of explaining the use of technologies for good and evil.  While some of the stories are familiar to the cybersecurity community, I found the author’s reviews to be concise and relevant toward a variety of cybercrimes.  Future Crimes’ best quality is its breadth of coverage.  In just under 400 pages, Goodman seems to cover everything (consumer technology, industrial technology, medical technology, etc.), comes up with specific examples of criminal exploits, and offers intelligent insight about future criminal trends.  Well done, Marc!

In my humble opinion, cybersecurity professionals will advance their education by reading this book, so I recommend its inclusion in the Cybersecurity Canon.  I would also suggest that business executives read Future Crimes in order to expand their knowledge about cyber risks.  This will help CEOs and corporate boards realize that they need to consider cybersecurity vulnerabilities and threats as they relate to employees, products, and the cyber supply chain – not just their organization’s IT assets.

[Palo Alto Networks Blog]

English
Exit mobile version