Convenience is a great motivator. The search for greater conveniences for businesses and consumers has created game-changing paradigm shifts. ATMs, online banking, movie streaming and even household appliances all transformed businesses. They opened up completely new markets, and at the same time, marked the end for businesses that didn’t innovate.
But each convenience, and each new service and technology comes with new, often uncharted risks. Mobile payments are no exception. The global mobile payment transaction market, including solutions offered by Apple Pay, Google Wallet, PayPal and Venmo, will be worth an estimated US $2.8 trillion by 2020, according to Future Market Insights.
These expectations are impressive and indicate that this is an area of potential growth and worth further exploration. A recent ISACA survey of more than 900 member security professionals shows that an overwhelming majority (87%) expect to see an increase in mobile payment data breaches over the next 12 months, yet 42% of respondents have still used this payment method in 2015. The 2015 Mobile Payment Security Study suggests that people who use mobile payments are unlikely to be deterred by security concerns.
Other data from the survey show that cybersecurity professionals are willing to balance benefits with perceived security risks of mobile payments:
Only 23% believe that mobile payments are secure in keeping personal information safe.
Nearly half (47%) say mobile payments are not secure and 30% are unsure.
At 89%, cash was deemed the most secure payment method, but only 9% prefer to use it.
ISACA survey respondents also ranked the major vulnerabilities associated with mobile payments:
Use of public WiFi (26%)
Lost or stolen devices (21%)
Phishing/smishing (phishing attacks via text messages) (18%)
Weak passwords (13%)
User error (7%)
There are no security vulnerabilities (0.3%)
According to those surveyed, currently the most effective way to make mobile payments more secure is using two ways to authenticate their identity (66%), followed by requiring a short-term authentication code (18%). Far less popular was an option that puts the onus on the consumer—installing phone-based security apps (9%).
All people using mobile payments need to educate themselves so they are making informed choices. You need to know your options, choose an acceptable level of risk, and put a value on your personal information. From my experience, the best tactic is awareness. Embrace and educate about new services and technologies.
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC ISACA International President
“Why don’t you go on west to California? There’s work there, and it never gets cold. Why, you can reach out anywhere and pick an orange. Why, there’s always some kind of crop to work in. Why don’t you go there?”
John Steinbeck, “The Grapes of Wrath”
I am one of the lucky ones. After a few twists and turns along the way, I landed a great job in my chosen discipline (cybersecurity)—the field I spent four years of my life studying. Like many recent college graduates, however, I entered the workforce unwittingly unprepared. What I did not realize then is that a college degree was the barest minimum requirement—it was only a ticket to get me inside a hiring manager’s office. When I graduated from Stevenson University with my Bachelor of Science degree in Computer Information Systems, I lacked something that cybersecurity managers place a great deal of emphasis upon: a certification.
Today’s college students are inundated with articles that promise lucrative careers in IT, cybersecurity, and the tech sector. The seemingly wide-open job market, combined with our generation’s affinity for computers and the Internet, makes a computer science degree seem like a logical choice. Many students, however, forget to read the fine print. Like Steinbeck’s Dust Bowl tenant farmers, who arrived in California’s Promised Land only to discover a near-hopeless situation, today’s entry-level graduates are smacked with the reality that most tech jobs require several years of experience and certifications.
For some, the best way to earn valuable experience is through a paid (or unpaid) internship at a tech company. It is true that stellar performance at an internship could ultimately lead to a full-time, salaried position. There is another way, however, for savvy job-seeking professionals to overcome some of their relative inexperience; they can earn certifications in their specialized field. Unlike the knowledge gained via college degree, which atrophies over time, cybersecurity certifications show potential employers that a candidate’s skills are current and, most importantly, relevant to the advertised job position.
Most of today’s cybersecurity certifications are designed to reflect current operational realities in the tech world. In particular, ISACA’s recently released CSX Practitioner certification requires candidates to demonstrate more than mere knowledge of advanced cybersecurity concepts; this new certification tests how candidates apply their knowledge and skills against an actual network. This means that a college graduate—who earns the CSX Practitioner certification—can level the playing field by demonstrating the same level of cybersecurity and network proficiency as a more experienced professional.
At first glance, my advice to entry-level graduates might seem unreasonable. Many graduates are already struggling with record levels of student loan debt; for them, the cost of cybersecurity certifications can be overwhelming. However, some federal and state-level programs in the US and similar programs around the world offer grants that cover the cost of cybersecurity certification training and testing. Joining an organization such as ISACA can provide reduced fees for cybersecurity certification and training. An added benefit of joining certification organizations is that young job seekers can network more effectively and become a part of the cybersecurity discussion. ISACA’s local chapters frequently post announcements of job openings on their respective websites.
Every day, I watch my company’s tech recruiters send out email after email looking for qualified candidates to place in cybersecurity job openings. The job descriptions all have one thing in common: they require some form of cyber certification and/or experience. For recent college grads, the path to cyber employment is not printed on a handbill, and it does not necessarily lead to Silicon Valley. Nevertheless, earning a cybersecurity certification could make the road to a rewarding career far shorter and straighter.
Adeline Heuchan Digital Forensics Instructor at TeleCommunication Systems, Inc.
On Sept. 17, I hosted our first NextWave Huddle, a global channel partner webcast and a key component of my commitment to deliver more clear and consistent communications to you, our partners in FY16.
If you couldn’t attend, click here to listen to the replay and click here to review the presentation.
Together in FY15 we drove phenomenal results: we had nearly 500 partners double their business in FY15, we had more than 12,000 partner security professionals earn technology or sales certifications and we added a record-breaking, 2,000-plus new customers in Q4 FY15, bringing our total number of customers to more than 26,000 worldwide.
Make no mistake, we wouldn’t be the company we are today without you, our partners, and we can’t achieve our goal of becoming the largest enterprise security company in the next two years without expanding the scale and productivity of our partner ecosystem. To achieve this we will focus on three key pillars:
Building a channel partner ecosystem that provides the coverage, capacity and capabilities to elevate our leadership position in the enterprise security market.
Optimizing our channel programs, training, tools, systems & initiatives to strengthen partner differentiation & profitability.
Remaining committed to those partners that are investing in us.
By focusing on these pillars we have an opportunity to drive unprecedented success, as long as we keep you aware and informed. With this in mind, let me highlight a couple of key items for Q1 FY16:
We have a new evaluation tool for you to use with customers, called the Security Lifecycle Review (SLR). Click here to download the Quick Start Guide for Partners today.
On Sept. 15, we announced Aperture, a new SaaS security offering. Make sure you understand Aperture and the opportunity to expand your security business.
We have a huge opportunity ($80B) to help transform the data center with VMware; make sure you understand the VMware NSX plus Palo Alto Networks
If you aren’t already, start following us on Twitter @NextWavePartner for real-time updates.
I couldn’t be more excited about the opportunity in front us. We are in the right market with the right strategy, philosophy, platform and partnerships. I am confident we are building a world class channels organization, which includes you, our partners, and look forward to accelerating together in FY16.
In the last few years, a decades-old problem has taken on a new name: cyberattacks. This is now in the top five global risks in terms of impact and probability [1]. The reason for this is well-documented: attacks have become far more personalized, leveraging the techniques and tactics first seen in nation-state APT attacks. For cybercriminals, focusing on getting hold of the golden nuggets that make each business uniquely profitable, such as intellectual property, business processes, and data, has far greater impact than the traditional generic attacks.
Likewise, we are sprinting toward a hyper-connected society, and companies’ dependency on technology in order to function and be profitable is increasing. Concerns around BYOD are being overridden by concerns of the much broader Internet of Things, whether that is wearables, mobile payments or connected cars.
It’s easy to see why this has become a topic that is high on national and global risk registers. There is a growing perception that failure is inevitable, breaches will happen, and attackers will get in. My question is: are we giving in too easily?
Human nature means we make mistakes, but, more importantly, that we learn from them. One of the most significant traits we have is determination. We cannot and should not overly focus on recovery. We must find a better way to prevent the problem in the first place. While we accept that road accidents happen, we don’t focus only on emergency recovery services. Instead we continue to evolve the safety measures to prevent harm and loss of life. As such, a key motivation for my joining Palo Alto Networks was to work for a company that is resolutely focused on innovating solutions to stop cyber incidents from occurring.
So what does the next evolution of preventing successful cyberattacks look like? We can learn a lot from technology’s own evolution. Historically, technology was built with a purpose in mind, but the implementation all too often failed, as it was built by engineers for engineers. Usability has become the key to success – if we cannot intuitively use the technology today, the likelihood is that it will fail.
Over decades we have built a broad spectrum of security components that each solve parts of the problem, some of which, I would challenge, are no longer fit for this purpose, while others still have significant value. However, the major challenge is drawing these pieces of the security puzzle together to detect and block the attack. This is a requirement, as most incidents today leverage multiple components in their lifecycle, and the challenge is being able to piece together the jigsaw puzzle to see the entire picture, when so much information is being generated by so many component parts. We have effectively evolved to something so unwieldy and complex that it is unusable. Fragmented solutions, creating so much noise that we become immobile, take too long and use too much processing power to give the complete view, causing the solution to become ineffective.
If we are to be as agile and dynamic as the adversaries we face in cyberspace, we must focus on usability and automation because our most scarce resource is undoubtedly people. Time and efficacy must be key metrics, as should the ability to recognise and gather multiple indicators of modern attacks across the diverse IT ecosystem. It is also necessary to dynamically correlate these against our own and our peers’ intelligence to quickly and accurately stop an incident before harm occurs.
As cars went faster, safety had to evolve. At no point did we give up and simply get more ambulances or insurance; life is too precious. In the same way, the cyber world is becoming increasingly dynamic and precious to society. We should not accept that breaches have to occur, but should strive instead to evolve our capabilities to ensure a safe online experience.
On May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first against the U.S. government and the second on a European media company. Threat actors delivered the same document via spear-phishing emails to both organizations. The actors weaponized the delivery document to install a variant of the ‘9002’ Trojan called ‘3102’ that relies heavily on plugins to provide the functionality the actors need to carry out their objectives.
The 3102 payload used in this attack also appears to be related to the Evilgrab payload delivered in the watering hole attack hosted on the President of Myanmar’s website in May 2015. Additionally, we uncovered ties between the C2 infrastructure and individuals in China active in online hacking forums that claim to work in Trojan development.
Palo Alto Networks WildFire detected the payload delivered in these spear-phishing attacks as malicious, and the payload was also tagged in Palo Alto Networks AutoFocus as 9002.
Delivery Document
The delivery document attached to the two spear-phishing attacks was an Excel document that exploits CVE-2012-0158, specifically a vulnerability in the MSComctlLib.TreeView ActiveX control. The malicious Excel document had a filename of 電郵名單.xls, which translates from Chinese to “email list.xls”. Upon successful exploitation, the malicious Excel document installs a payload and opens a decoy document. The decoy document displays a list of names and email addresses of individuals allegedly associated with the Hong Kong Professional Teachers’ Union.
9002 Trojan: 3102 Variant
The threat actors weaponized the malicious Excel spreadsheet to extract and execute an initial payload, which is a dropper with a filename DW20.dll that we track as DoWork. This DoWork variant writes a second sample to the %TEMP% folder with a temporary filename and executes it.
Figure 1. Malware Execution Flow
The second payload extracts shellcode from a resource named “RES” and decrypts it by subjecting the resource to the RC4 algorithm twice, first using a key of “Oq9n01Ca9g” and then using the key “12345678”. The shellcode then installs the actual payload of this attack by saving the 3102 payload to “C:\Program Files\Common Files\ODBC\Mshype.dll” and adding persistence via a registry key “HKCU\Software\TransPan\RunPath”. The second payload is also responsible for writing the 3102 Trojan’s 504-byte configuration to the registry, specifically in the key “HKCU\Software\TransPan\mshtm”.
The actors use a clever anti-analysis trick that stores the configuration in the registry, as the 3102 sample does not contain the configuration itself and relies on the second payload mentioned above to be operational. The second payload deletes itself from the system after it executes, suggesting that the malware authors added the configuration saving functionality in the second payload to thwart researchers seeking to extract C2 information from the 3102 sample itself.
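The two-pass RC4 step described above, as an added example written for this page (it is not Unit 42's code, and it does not extract the “RES” resource from the PE itself; the resource bytes are constructed here by running the inverse of the decoding order). The keys are the two quoted in the analysis; the order of application follows the text: first “Oq9n01Ca9g”, then “12345678”. Because RC4 with a fixed key is its own inverse, encoding for the constructed sample is the same passes applied in reverse order.

```python
# Decoder for the double-RC4 "RES" resource of the second-stage payload.
# Added example; not code from the analysed malware or from Unit 42.

KEY_FIRST = b"Oq9n01Ca9g"   # first RC4 pass, as stated in the analysis
KEY_SECOND = b"12345678"    # second RC4 pass


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: rc4(k, rc4(k, x)) == x."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_resource(resource: bytes) -> bytes:
    """Recover the shellcode blob from the 'RES' resource bytes:
    RC4 with the first key, then RC4 with the second key."""
    return rc4(KEY_SECOND, rc4(KEY_FIRST, resource))


def encode_resource(plaintext: bytes) -> bytes:
    """Inverse of decode_resource; only used to construct test data here."""
    return rc4(KEY_FIRST, rc4(KEY_SECOND, plaintext))


# Constructed stand-in for the resource contents (not real shellcode).
SAMPLE_PLAINTEXT = b"PLACEHOLDER-SHELLCODE-BYTES"
SAMPLE_RESOURCE = encode_resource(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    assert decode_resource(SAMPLE_RESOURCE) == SAMPLE_PLAINTEXT
    print(decode_resource(SAMPLE_RESOURCE))
```

In practice the input to decode_resource would be the raw bytes of the “RES” resource pulled from the second-stage sample with a PE resource parser; the rc4 function is checked against the standard published RC4 test vector in the test so that the decoder, not the key order, is the only remaining thing to verify against a real sample.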
The functional payload uses the string “3102” as the first four bytes of its network communications with its C2 server, which is the basis for the name ‘3102’. In May 2014, Cylance published an article on a targeted attack against a Chinese national that delivered the 3102 variant of 9002. When comparing the attacks, we found the following commonalities:
Same Mshype.dll filename and file system path for the payload.
Mshype.dll is signed using the same digital certificate belonging to A’digm, Inc.
Same registry key for persistence: HKCU\Software\TransPan\RunPath: “rundll32.exe “C:\Program Files\Common Files\ODBC\Mshype.dll”,Process32First”
Saves its configuration to the same registry key: HKCU\Software\TransPan\mshtm
Uses the same key logging plugin.
Shares common C2 communication protocols.
While similarities exist to the payload discussed in Cylance’s article, it is worth exploring some specific attributes and behaviors of the 3102 payload used in the May 2015 attacks on the U.S. government and the European media organization to gain a better understanding of the threat actors involved.
This 3102 payload saves the configuration seen in Figure 2 to the registry. The C2 domain “ericgoodman.serveblog[.]net” exists within this configuration; however, the configuration also contains the domain “fordnsdynamic.no-ip[.]org” that does not appear to be used anywhere within the Trojan’s code.
Figure 2. 3102 Configuration Saved to the Registry
The Trojan also contains several debug messages that reference the domain “www.aestheticismwoods[.]com”, which is a C2 domain referenced in the Cylance article. This 3102 sample never communicates with this domain, suggesting that the malware author did not remove debugging messages introduced in previous samples of 3102 when compiling the particular sample used in these attacks. The unnecessary inclusion of these two domains suggests that the author of this 3102 sample is rather sloppy with code changes and lacks a sense of operational security.
C2 Communication
To interact with compromised systems, the actors rely on the 3102 Trojan to communicate with its C2 server using one of two different communication methods. The Trojan’s primary method involves using a custom protocol that has a static string of “3102” as the first four bytes of each transmission and uses LZO to compress its data. Each transmission contains the size of the LZO compressed data immediately after the “3102” string, followed by the length of the decompressed data, and finally the compressed data itself. Figure 3 shows a sample of the custom protocol beacon sent from the 3102 variant and the response received from its C2 server.
Figure 3. Custom Protocol Used by 3102 to Communicate with C2 server
The second method 3102 used for C2 communications employs basic HTTP POST requests. Figure 4 shows an example HTTP request sent from the 3102 Trojan to its C2 server. The URL within the POST request is a hexadecimal value that increments with each request. The content in the HTTP POST, specifically the “AA” string, the content-length of 2 and the user-agent of “lynx” are hardcoded into the 3102 Trojan.
Figure 4. HTTP POST Request Created by 3102
Once communications are established between the 3102 Trojan and its C2 server, the threat actors can interact with the compromised system and act on their objectives.
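Both C2 methods above lend themselves to network detection. The following is an added example (not Unit 42's code) that parses the custom “3102” framing and matches the hardcoded HTTP POST beacon against constructed sample payloads. The analysis gives the order of the fields in the custom protocol but not their width or byte order, so 4-byte little-endian lengths are an assumption; the hostname in the sample HTTP request is also a constructed placeholder. The parser leaves the payload LZO-compressed, since decompressing it would need a third-party module such as python-lzo.

```python
import re
import struct

# Indicators of the two 3102 C2 methods, for use over captured TCP payloads.
# Added example; field widths/endianness of the custom protocol are assumed.

MAGIC = b"3102"
HEADER_LEN = 12  # assumed: "3102" + uint32 compressed size + uint32 decompressed size


def parse_custom_frame(data: bytes):
    """Parse one frame of the custom protocol: magic, size of the LZO-compressed
    data, size of the decompressed data, then the compressed bytes.
    Returns a dict, or None if the bytes are not a complete, well-formed frame."""
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        return None
    compressed_len, decompressed_len = struct.unpack("<II", data[4:HEADER_LEN])
    payload = data[HEADER_LEN:HEADER_LEN + compressed_len]
    if len(payload) != compressed_len:
        return None  # truncated capture, or just a coincidental "3102" prefix
    return {
        "compressed_len": compressed_len,
        "decompressed_len": decompressed_len,
        "payload": payload,  # still LZO-compressed
    }


# Request line with a purely hexadecimal path, e.g. "POST /1a HTTP/1.1".
_REQUEST_LINE = re.compile(rb"^POST /([0-9A-Fa-f]+) HTTP/1\.[01]$")


def is_http_beacon(raw: bytes) -> bool:
    """True when a raw HTTP request shows all hardcoded traits of the 3102 POST
    beacon: hex URL path, User-Agent "lynx", Content-Length 2 and body "AA"."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not _REQUEST_LINE.match(head.split(b"\r\n")[0]):
        return False
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return (
        headers.get(b"user-agent") == b"lynx"
        and headers.get(b"content-length") == b"2"
        and body == b"AA"
    )


def classify(payloads):
    """Label each TCP payload as 'custom', 'http' or 'other'."""
    labels = []
    for p in payloads:
        if parse_custom_frame(p) is not None:
            labels.append("custom")
        elif is_http_beacon(p):
            labels.append("http")
        else:
            labels.append("other")
    return labels


# Constructed sample traffic (not from a real capture); the 'LZO' bytes are filler.
FAKE_COMPRESSED = b"\x11\x22\x33\x44\x55\x66\x77\x88"
SAMPLE_PAYLOADS = [
    MAGIC + struct.pack("<II", len(FAKE_COMPRESSED), 64) + FAKE_COMPRESSED,
    b"POST /1a HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: lynx\r\n"
    b"Content-Length: 2\r\n\r\nAA",
    b"POST /index.php HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: lynx\r\n"
    b"Content-Length: 2\r\n\r\nAA",        # non-hex path: not the beacon
    MAGIC + struct.pack("<II", 50, 64) + b"short",  # declares 50 bytes, carries 5
]

if __name__ == "__main__":
    print(classify(SAMPLE_PAYLOADS))  # ['custom', 'http', 'other', 'other']
```

The HTTP matcher deliberately requires every hardcoded trait together; any one of them (a two-byte “AA” body, a “lynx” user agent) is common enough on its own to generate false positives, and the hex-only path check is what separates this beacon from ordinary lynx traffic.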
Capabilities and Plugins
The 3102 Trojan by itself does not contain much in the form of functional capabilities; rather, it is a modular Trojan that requires external plugins to provide capabilities. Therefore, the threat actors must provide plugins in the form of dynamic link libraries (DLL) that the Trojan will load manually. The author of 3102 chose to manually load the libraries in an attempt to evade antivirus engines that scan libraries loaded using the conventional LoadLibraryA and LoadLibraryW API functions.
During these two attacks, the actors used two different methods to load plugins in the 3102 Trojan. A third method existed in the code base, but was unused. We will discuss the three loading techniques and the plugins that the actors loaded onto compromised systems.
Embedded Plugins
3102 can load embedded plugins by manually loading a DLL that exists within the Trojan without saving the plugin to the file system. The sample used in the attacks described in this article contained only one plugin with the filename of “KeyLogger.dll.” We obtained the filename “KeyLogger.dll” from the ‘OriginalFilename’ field in the VERSIONINFO resource of the DLL. As this filename suggests, this plugin provides key logging functionality for the 3102 Trojan by monitoring keystrokes and logging them to a file named “temp_k.ax”. The keylogger also encrypts the logged keystrokes saved to temp_k.ax by using an XOR algorithm with 0x56 as the key.
Plugins over the Wire
3102 can also load plugins provided directly from the C2 server. This method manually loads a DLL from the network communications without saving the DLL to the disk, making it difficult for antivirus products to detect its malicious functionality. After manually loading the plugins, 3102 will run the plugin by calling the function “CreatePluginObj” within the plugin’s export address table (EAT).
During analysis of the attacks, we observed the threat actor sending three different plugins to the 3102 Trojan from the C2 server. The 3102 Trojan loaded these plugins, which allowed the actor to use the added functionality to interact with the compromised system. The plugins are not saved to disk, so we extracted and decompressed each plugin from a packet capture and obtained their filenames from the ‘OriginalFilename’ field in the VERSIONINFO resource of the DLL.
The first plugin has a filename of “DownFileS.dll” and enables 3102 to carry out file system activities, such as reading, writing and searching for files, as well as enumerating storage devices and volumes. The second plugin is called “FileManagerS.dll” and has a great deal of functionality overlap with the DownFileS.dll plugin, but it contains the added ability to remove folders and execute files. The third and final plugin provided by the C2 server is called “ScreenSpyS.dll” and allows for screen capture and allows the operator to interact with the system by sending key strokes, mouse movements and mouse clicks.
Plugins from the File System
Lastly, 3102 can manually load plugins directly from a file named “temp_plugin.ax”. This plugin loading method allows the Trojan to save plugins to disk so they persist across system reboots. The “temp_plugin.ax” file can contain multiple plugins, as 3102 will read the entire temp_plugin.ax file and parse its contents for plugins stored in the following structure:
Offset   Description
0-1      Single byte XOR key
4-8      Length of cipher text
8        Filename of plugin in unicode
528      Beginning of cipher text
We did not observe the threat actors using this method in this attack; however, it is possible that the threat actors could use the “DownFileS.dll” or “FileManagerS.dll” plugins obtained from the C2 to install plugins that use this loading method.
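For an analyst who recovers a temp_plugin.ax from a compromised host, the structure above is enough to carve the individual plugins back out. The following is an added example (not Unit 42's code) that walks the file, decodes each entry's filename and XOR-decrypts its plugin body; it also decodes the keylogger's temp_k.ax output described earlier, which uses the same single-byte XOR with 0x56. Several details are assumptions the page does not state: the key is byte 0 of each entry, the length at offset 4 is a little-endian uint32, the filename is null-terminated UTF-16LE, and entries are packed back to back so the next one starts at 528 + length. The sample file is constructed in the block from placeholder bytes, not real DLLs.

```python
import struct

# Carver for 3102's temp_plugin.ax plugin container and its temp_k.ax keystroke log.
# Added example; layout details beyond the offsets in the table are assumptions.

HEADER_SIZE = 528                         # cipher text begins at offset 528
LEN_OFFSET = 4                            # length of cipher text at offset 4
NAME_OFFSET = 8                           # plugin filename (unicode) from offset 8
NAME_SIZE = HEADER_SIZE - NAME_OFFSET     # 520 bytes = 260 UTF-16 code units (MAX_PATH)
KEYLOG_XOR_KEY = 0x56                     # key used by KeyLogger.dll for temp_k.ax


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def parse_temp_plugin(blob: bytes):
    """Return one dict per plugin entry found in a temp_plugin.ax image."""
    entries = []
    pos = 0
    while pos + HEADER_SIZE <= len(blob):
        key = blob[pos]                                   # assumed: key at byte 0
        (cipher_len,) = struct.unpack_from("<I", blob, pos + LEN_OFFSET)
        raw_name = blob[pos + NAME_OFFSET:pos + HEADER_SIZE]
        name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        start = pos + HEADER_SIZE
        cipher = blob[start:start + cipher_len]
        if len(cipher) != cipher_len:
            raise ValueError(f"truncated plugin entry at offset {pos}")
        entries.append({"name": name, "key": key, "plugin": xor_bytes(cipher, key)})
        pos = start + cipher_len                           # assumed: entries are contiguous
    return entries


def build_entry(name: str, plugin: bytes, key: int) -> bytes:
    """Inverse of one parse_temp_plugin step; used only to construct sample data."""
    encoded_name = name.encode("utf-16-le")
    if len(encoded_name) > NAME_SIZE - 2:
        raise ValueError("filename does not fit in the 520-byte name field")
    header = bytearray(HEADER_SIZE)
    header[0] = key
    struct.pack_into("<I", header, LEN_OFFSET, len(plugin))
    header[NAME_OFFSET:NAME_OFFSET + len(encoded_name)] = encoded_name
    return bytes(header) + xor_bytes(plugin, key)


def decode_keylog(data: bytes) -> str:
    """Recover logged keystrokes from temp_k.ax."""
    return xor_bytes(data, KEYLOG_XOR_KEY).decode("latin-1")


# Constructed sample container holding two fake plugins (placeholder bytes).
SAMPLE_TEMP_PLUGIN = (
    build_entry("DownFileS.dll", b"MZ placeholder plugin A", 0x3C)
    + build_entry("FileManagerS.dll", b"MZ placeholder plugin B", 0xA5)
)
SAMPLE_KEYLOG = xor_bytes(b"typed text 123", KEYLOG_XOR_KEY)  # constructed

if __name__ == "__main__":
    for entry in parse_temp_plugin(SAMPLE_TEMP_PLUGIN):
        print(entry["name"], hex(entry["key"]), entry["plugin"])
    print(decode_keylog(SAMPLE_KEYLOG))
```

Carved plugin bodies can then be checked for a PE header and hashed for comparison with the DownFileS.dll, FileManagerS.dll and ScreenSpyS.dll plugins seen over the wire; the filename field alone should not be trusted, since the actor controls it.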
Connection to Watering Hole Attack and Chinese Threat Actors
As previously mentioned, the malware author signed the 3102 sample delivered in the attacks discussed in this article using a digital certificate issued to A’digm, Inc. The same digital certificate was used to sign a separate 9002 malware sample, which also shared the C2 domain “dns.mailpseonfz[.]com” with a second 9002 sample that was not signed with the A’digm Inc. certificate. The unsigned 9002 sample was also configured to use the domain “dns.websecexp[.]com” as an additional C2 server. This domain was the C2 server used by the Evilgrab payload delivered in the watering hole attack on the President of Myanmar’s website that we discussed in a blog post on June 11, 2015. Figure 5 shows the relationship between the spear-phishing and watering hole attacks.
Figure 5. Link Between Samples Signed by A’digm, Inc Certificate and the Watering Hole on President of Myanmar’s Website
While it should be noted that dissimilar groups can sign their Trojans using the same digital certificate, we believe that the same threat group is likely involved with both the spear-phishing attacks discussed in this article and the watering hole attacks hosted on the President of Myanmar’s website. We believe this because a common malware author appears to be involved: the compile times for the 3102 sample (2014-02-28 07:40:37 UTC) and the 9002 sample signed by A’digm, Inc. (2014-02-28 08:07:48 UTC) were less than half an hour apart.
Additionally, we have not found many other malware samples signed with this certificate, indicating it is not in widespread use.
While researching the mailpseonfz[.]com and websecexp[.]com domains that created the correlation between the watering hole and spear-phishing attacks, we noticed that these two domains had historic registrant email addresses that were also used in online forums, primarily in Chinese, discussing hacking, Trojan development, and website defacements. The domain websecexp[.]com was originally registered in 2013 with the email ‘bychinahacker@gmail.com’. It has since been updated, but the domain has been actor controlled the entire time. Research on this email shows it has been tied to multiple website defacements and is also used as a contact email within multiple Chinese hacking forums as well as for a company located in Guangzhou.
Figure 6. Screenshot of one of the website defacements.
For a brief period in late 2011 and early 2012, the registrant email for mailpseonfz[.]com was ‘bubai2012@163[.]com’. The domain was under actor control the entire time, but currently has the registrant information hidden using a registrant protection service. When researching the registrant email we found ties to a Chinese forum advertising for a Software Security Engineer position in Shanghai in 2007. One responder requested to be contacted at that email address and said he or she worked in “Trojan testing.”
Conclusion
Unit 42 detected a cyber espionage group attacking the U.S. government and a European media organization within days of each other using a spear-phishing attack to deliver a variant of the 9002 Trojan called 3102. During the attack, the threat actor provided the 3102 Trojan with three plugins, which allowed the actors to interact with a compromised system’s file system, log keystrokes and perform screen-capturing activities.
The threat actors signed the 3102 payload with a digital certificate that was also used to sign a 9002 sample that has ties to the Evilgrab payload delivered by the watering hole hosted on the President of Myanmar’s website. Because that certificate doesn’t seem to be in widespread use and the samples were compiled within thirty minutes of each other, we believe the same threat group conducted both of these attacks. The threat group uses both spear-phishing and watering hole attack vectors, along with different families of malware, to target individuals and groups of interest. However, while they use different attack vectors and malware, this threat group also seems to reuse significant portions of their infrastructure between attacks, which aids in detection and proactive mitigation.
Research on registrant information used to set up infrastructure for these attacks led to ties within the hacking community in China, indicating the threat group behind this activity is likely China-based. Interestingly, the tie to a private Chinese company further indicates they are likely being hired as contractors, in contrast to threat groups like APT1 that are associated with the Chinese military.
The files used in this attack are properly classified as malicious by WildFire. Users of Palo Alto Networks Traps advanced endpoint protection are protected from exploitation of the CVE-2012-0158 vulnerability if they have not been able to patch their systems. AutoFocus users can find more information on samples and indicators related to this attack by viewing the 9002 tag.