In the not-too-distant past, service providers had a tough time convincing enterprise IT departments that cloud platforms were secure enough for corporate data. Fortunately perspectives on cloud have matured, and more and more organizations are migrating their sanctioned file sharing applications to the cloud. Fast forward to 2020, when Gartner predicts 95% of cloud security failures will be the customers’ fault. Skyhigh Network’s latest Cloud Adoption & Risk Report shows the stakes are high for preventing “cloud user error.”
Enterprise-ready services have extensive security capabilities against external attacks, but customers have the ultimate responsibility for ensuring sensitive data is not improperly disclosed. Just as attackers can circumvent perimeter defenses such as powerful firewalls in favor of stolen credentials or alternate vectors of attack, secure cloud services can incent attackers to target the vulnerabilities inherent in day-to-day use of applications. In addition to compromised accounts, in which attackers gain access to a cloud service via stolen user credentials, enterprises need to worry about malicious insiders, compliance violations, and even accidental mismanagement of access controls.
The report, which analyzes actual usage data from over 23 million enterprise employees, uncovered an epidemic of file over-sharing. Whether IT is aware or not, cloud-based file-sharing services serve as repositories of sensitive data for the average organization. According to the report, 15.8 percent of documents in file-sharing services contain sensitive data. The employees responsible for sensitive data are not a small group: 28.1% of all employees have uploaded a file containing sensitive data to the cloud.
Most concerning is the lack of controls on who can access files once uploaded to the cloud. 12.9 percent of files are accessible by any employee within the organization, which poses a significant liability given the size of the organizations analyzed. Employees shared 28.2 percent of files with external business partners. Given the critical role business partners have played in several highly publicized breaches, companies should closely monitor data shared outside the organization, even with trusted partners. Although they make up only 6 percent of collaborations, personal email addresses raise concerns over the recipient’s identity and necessitate granular access policies; companies may not want to grant the ability to download files to personal email domains, for example. Finally, 5.4 percent of files are available to anyone with the sharing link. These documents are just one forwarded email away from ending up in the hands of a competitor or other unwanted recipient.
Breakdown of Sharing Actions
What are the different profiles of sensitive data stored in the cloud? Confidential data, or proprietary information related to a company’s business, is the biggest offender making up 7.6 percent of sensitive data. Personal data is second at 4.3 percent of said files. Third is payment data at 2.3 percent, and last is health data at 1.6 percent. The majority of these files, 58.4 percent, are discovered in Microsoft Office files.
Files Containing Keyword in the File Name
Furthermore, a surprising number of workers violate best practices for securely storing important information in the cloud. Using keywords such as ‘passwords’, ‘budget’, and ‘salary’ when naming files makes it easy for attackers to locate sensitive information, and IT security professionals typically advise against this practice. Convenience all too often trumps security, unfortunately. Past breaches have revealed instances in which credentials for multiple accounts were kept in folders named “Passwords”. The report found that the average company had 21,825 documents stored across file sharing services containing one or more of these red flags in the file name. Out of these files, 7,886 files contained ‘budget’, 6,097 ‘salary’, and 2,217 ‘confidential’.
Lastly, data revealed a few “worst employees of the month. One prolific user was responsible for uploading 284 unencrypted documents containing credit card numbers to a file sharing service. Another user uploaded 46 documents labeled “private” and 60 documents labeled “restricted”. In all seriousness, while it’s easy to point the finger and call these users bad employees, it’s likely they were simply trying to do their jobs using the best tools available to them. The onus lies with IT to make the secure path the easy path.
With more companies migrating sensitive data to the cloud, attackers will increase their efforts to exploit vulnerabilities in enterprise use of cloud services. Tellingly, attacks against cloud services increased 45% over the past year. Locating sensitive data in file-sharing services is step one for companies aimed at preventing the next generation of cloud-based threats.
Sam Bleiberg, Corporate Communications Manager, Skyhigh Networks
As we look toward 2016, I think there’s good reason to consider several shifts that we’ve seen in tactics used in recent attacks. Developments in several of these areas will play a significant role in mobile workforce security planning strategies for the year to come.
Inverting the Hierarchy of Policy Enforcement
While many organizations are primarily concerned with perimeter security: controlling what people on the outside can do to the organization, there’s still a lot of work to be done about the flip side of the equation: controlling what people on the inside can do to the organization. It is all too common to think of internal security as a matter of what can attach to the network, rather than asking the deeper questions of what those people and devices connected to the network should be able to do.
Twenty years ago, organizations relied on physical security to secure their network (no access unless you can get into the building). This notion started to crumble with wireless networking, in which authentication became the gating factor to control who was on the inside.
In both cases, however, these measures stop short of addressing the questions of what can a person or machine do once connected, and which applications can they access. This is particularly true when looking at the lifecycle of a cyberattack, where compromised endpoints are often employed to conduct lateral movement and exfiltrate information, all because many organizations do not have controls that inspect traffic inside the organization.
Network segmentation provides a part of the answer because compartmentalization can establish borders. However, while segmentation is a good first step, more needs to be done to control what traffic crosses the boundaries between segments.
These changes have been a long time coming, but, in 2016, I foresee significantly more emphasis on these issues, driven by the growing diversity of mobile devices in use. It has never been sufficient to simply allow or block devices from connecting. The next step is making sure we know what these devices are doing, and that’s going to take better enforcement of security policy inside the network.
Attacking the Person Behind the App
When taking a look at some of the attacks employed against mobile devices – such as recent iOS attacks like XcodeGhost and WireLurker – what’s interesting is that the techniques were far more nuanced than they might appear. Instead of just developing a piece of malware, the people behind these attacks customized the delivery system that would get the malware onto the mobile device.
In the case of WireLurker, it was a matter of infecting the owner’s laptop – hijacking the process for synchronizing and backing up the mobile phone’s content. The attacker was able to insert the malicious content into the host and transfer the app via USB onto the mobile device.
In the case of XcodeGhost, the attackers went up the food chain and attacked the app developers themselves by distributing a modified version of the coding tools for building iOS apps. The resulting apps had dormant functionalities inside them that were not immediately visible to either the developer or the end user.
Both attacks were capable of inserting malware into non-jailbroken mobile devices. This is possible because mobile devices do not exist on an island. They are always connected to an interface with a variety of systems, some of which they inherently trust. When attackers are capable of inserting themselves into, and abusing these trusts, new threat vectors emerge.
With this in mind, in 2016, security teams will need to think about what they need to protect (e.g., endpoint, network and mobile devices) in a blended effort, rather than counting on each one separately. This is because the intelligence and protection in one area serves as the compensating control for the other. If it’s unknown whether a mobile device is compromised, then securing network traffic serves as a compensating control to catch malicious behavior. If malicious command and control traffic emerges from an endpoint, then any such traffic from a mobile device should also be closely scrutinized.
Pushing the Boundaries of Gray
Categorically, there is a growing amount of software that isn’t so easily defined as being safe or malicious. These grayware applications fall between the lines because the software typically interacts with a third party, and that third party’s motivations, intent, and even identity may be unknown to the end user. At times, the end user may not know there’s a third party involved at all. One person’s remote desktop application is another person’s remote access tool.
The prevalence of grayware in mobile app stores has weighed toward adware, especially from third-party ad networks. These packages include functions that the end user (and the developer in many cases) does not know about. In the haste to use an app, a user may not scrutinize the permissions given, thus providing advertisers with access to a treasure trove of data. These ad networks slip into the realm of grayware because, even though they may have the permission to access the data, there is no guarantee that the data will be used in an ethical manner.
It’s my belief that more apps will use the cloudy edges of the grayware definition to slip in more malicious activity than advertising. Early signs of this activity can already be felt from the discovery of Gunpoder. When an app store evaluates an app for security risks, it is often done without the full view of the dynamics of how the functionality branches in the real world. In addition, without the context of threat intelligence, other clues about the activity conducted by the third party may not be clear. The only way to truly understand how an app operates is to see what it’s doing on the network in real world conditions when it’s being used, and that’s the role of network security.
Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.
While researching new, unknown threats collected by WildFire, we discovered the apparent re-emergence of a cyber espionage campaign thought to be dormant after its public disclosure in June 2013. The tools and tactics discovered, while not identical to the previous Dark Seoul campaign, showed extreme similarities in their functions, structure, and tools. In this post, we will provide an overview of the original Dark Seoul campaign in 2013, the similarities and differences in tactics, the malware used, as well as attempt to answer the question of ‘why now’?
Overview
In March 2013, the country of South Korea experienced a major cyberattack, affecting tens of thousands of computer systems in the financial and broadcasting industries. This attack was dubbed ‘Dark Seoul’; it involved wreaking havoc on affected systems by wiping their hard drives, in addition to seeking military intelligence.
The attack was initially thought to be attributed to North Korea, by way of a Chinese IP found during the attack, but no other strong evidence of North Korea’s involvement has been produced since then. In June 2013, McAfee published a report detailing the chronology and variance of the Dark Seoul campaign, but renamed it ‘Operation Troy’. The report analyzed the entirety of the purported attack campaign, beginning in 2009 using a family of tools dubbed ‘Troy’. McAfee further attributed two groups to the campaign: the NewRomanic Cyber Army Team and The Whois Hacking Team; both groups believed to be state sponsored. Since the publication of that report, no other activity involving either group or the tools have been detected or shared publically.
That is, until now.
Dark Seoul Returns
Using the Palo Alto Networks AutoFocus threat intelligence platform, we identified several samples of malicious code with behavior similar to the aforementioned Operation Troy campaign dating back to June 2015, over two years after the original attacks in South Korea. Session data revealed a live attack targeting the transportation and logistics sector in Europe. The initial attack was likely a spear-phishing email, which leveraged a trojanized version of a legitimate software installation executable hosted by a company in the industrial control systems sector. The modified executable still installs the legitimate video player software it claims to contain, but also infects the system. Based on deep analysis of the Trojan’s behavior, binary code, and previous reports of similar attacks, we have concluded that these samples were the same as the original tools used in the Dark Seoul/Operation Troy attacks. It is likely the same adversary group is involved, although there is currently insufficient data to confirm this conclusion.
Malware Overview
The malicious code was delivered via the following two executable names, packaged together in a zip archive file:
[redacted]Player_full.exe
[redacted]Player_light.exe
Both executables present themselves as legitimate installation programs offered by the industrial control systems organization, providing video player software for security camera solutions. When either sample was executed, the malware dropped and subsequently executed the actual video player it disguised itself as.
The new malware variant, which we call TDrop2, proceeds to select a legitimate Microsoft Windows executable in the system32 folder executes it, and then uses the legitimate executable’s process as a container for the malicious code, a technique known as process hollowing. Once successfully executed, the corresponding process then attempts to retrieve the second-stage payload.
The second-stage instruction attempts to obfuscate its activity by retrieving a payload that appears to be an image file, but upon further inspection appears actually to be a portable executable.
The C2 server replaces the first two bytes, which are normally ‘MZ’, with the characters ‘DW’, which may allow this C2 activity to evade rudimentary network security solutions and thus increase the success rate of retrieval.
Once downloaded, the dropper will replace the initial two bytes prior to executing it. This second stage payload will once again perform process hollowing against a randomly selected Windows executable located in the system32 folder. The overall workflow of this malware is visualized below:
The final payload provides the following capabilities to attackers:
Command
Description
1001
Modify C2 URLs
1003
Download
1013
Download/execute malware in other process
1018
Modify wait interval time
1025
Download/execute and return response
Default
Execute command and return results
These commands are encrypted/encoded when transferred over the network, as we can see below.
The malware uses an unidentified cryptographic routine for encryption. Additionally, the following custom alphabet is used for base64 encoding that takes place after the encryption of the data:
Once decoded and decrypted, we see the following command being provided:
tick 7880 systeminfo & net view & netstat -naop tcp & tasklist & dir /a “%userprofile%\AppData\Local\Microsoft\Outlook” & dir /a “%temp%\*.exe” & dir “%ProgramFiles%” & dir “%ProgramFiles%\Microsoft Office” 1018; 60
The initial ‘tick’ string is hardcoded and must be present for the malware to accept the subsequent command(s). In this case, the initial commands are used to perform basic reconnaissance on the infected host and return the results to the attacker, then initialize a sleep period of 60 seconds.
We will publish more details about the TDrop2 malware variant in a follow up blog.
Malware Similarities
Analysis of the malicious code identified reveals the distinct similarities in behavior and functionality to the original Dark Seoul/Operation Troy toolset.
The use of the custom base64 alphabet was observed in the following twelve samples that were specified within the Operation Troy whitepaper:
The majority of these samples had debug strings that referenced the ‘TDrop’ malware family, which is likely the predecessor to the malware observed in this campaign and the source of the name ‘TDrop2’.
The new variant also uses a distinct string decryption routine, which was also observed in a number of Operation Troy samples.
The same string decryption routine was also observed in 64-bit samples from the Operation Troy campaign. The following samples were found to have this decryption routine present:
Network communications appeared identical to that described in a Korean blog post written in June 2013 regarding what appears to be a partial analysis of the Dark Seoul attack. The behavior of the analyzed malicious code made references to decoding a PE file from both a .gif and .jpg URL. Additionally, a unique POST separator string is identified (6e8fad908fe13c), which also matches the malware payload observed in TDrop2 samples.
The command and control (C2) servers used in these recent attacks are compromised websites located in South Korea and Europe. It’s not clear what led to the compromise of these four web servers (listed in the IOC section below), but they all appear to use shared hosting providers and operate on out-of-date software that may contain vulnerabilities and/or misconfigurations.
The Attackers
At this time, it is unclear if this attack is attributed to the same two groups previously outlined in McAfee’s 2013 report. There are obvious similarities in the malware used, as well as other tactics, but there are also some obvious differences. The targeting for example, is completely different in that this observed attack is not aimed at military, government, or financial institutions in the South Korea region. In addition, there has been no evidence of destructive functionality in the samples analyzed by Unit 42, although the malware is capable of downloading additional components so those simply may not yet have been observed.
The similarities in tactics however, do seem to outweigh the differences, and it is highly likely this is the same group or groups responsible for the original Dark Seoul/Operation Troy attacks, but with a new target and a new campaign.
Conclusion
It is not uncommon for threat actors to become dormant for some period of time, especially after public unveiling as the groups behind Dark Seoul/Operation Troy experienced. What we do know is that changing infrastructure and toolsets can be challenging, and it is not nearly as common that a very specialized tool developed for specific teams would be shared amongst threat actors.
There is insufficient data at this time to clearly state why Dark Seoul/Operation Troy would resurface at this time, but Unit 42 will continue to monitor the activity as the situation develops.
We have created the AutoFocus tag TDrop2 to identify samples of this new variant and have added known C2 domains and hash values to the Threat Prevention product set. At this time, WildFire is able to correctly identify the samples associated with this campaign as malicious.
Speakers from The Honest Company, PwC, University of Oxford, Microsoft, Google, SpaceX and Evident.io to Be Featured at the Upcoming Inaugural Event
Los Angeles, CA – November 17, 2015 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released the agenda for its augural CSA Summit Los Angeles 2015. The event will feature some of the world’s most recognized and respected cloud adopters and providers from across the entertainment and enterprise industries who will come together to share lessons learned in cloud security.
Co-hosted by the CSA LA/SoCal chapter, this year’s event will take place on Thursday, December 3. Wendy Frank, Principal, Advisory, Cyber security, Privacy and Risk at PwC, will deliver the opening keynote.
In addition to the keynote presenter, a number of experts will be on hand to give presentations or as participants in key panel discussions including Mikhael Felker, Director, Information Security, The Honest Company; Nick Reva, Information Assurance & Compliance Lead, SpaceX; Joel Sloss, Program Manager, Microsoft Azure Security, Privacy, Compliance, Microsoft; Jeffrey Ritter, External Lecturer, University of Oxford; Matthew O’Connor, Product Manager Compliance, and Anti-Abuse products, Google Cloud Platform; and Tim Prendergast, CEO and Co-founder, Evident.io.
The agenda will also feature presentations and discussions on some of the most emerging and critical topics facing cloud security including Top Security Challenges Facing the Cloud Adoption Enterprise, Information & Content Security, Achieving Digital Trust, and Securing & Auditing AWS. The event is expected to draw approximately 200 well-qualified attendees with an interest in cloud security from the local region.
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts.
