The Cybersecurity Canon: America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Ben Rothke

America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (2011) by Joel Brenner

Executive Summary

Speak to a civil engineer, and it won’t take long until the conversation turns to the sorry state of America’s infrastructure. The civil engineer will let you know that far too many bridges, canals, roads and highways, dams, tunnels, and more are in dangerous condition due to neglected maintenance. Much of America’s infrastructure is highly vulnerable, given that it’s over 50 years old and long overdue for an overhaul.

In America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare, author Joel Brenner, an attorney who was the senior counsel at the NSA until 2009, takes the conversation to a different infrastructure, namely the digital and network world. Brenner’s premise is that, since much of the digital world and information superhighway haven’t been adequately secured, much of the U.S. digital and critical infrastructure remains vulnerable to hackers, foreign governments, terrorists and numerous other threats and adversaries.

In this 250-page call to action, Brenner lays out, in detail, the dangers the U.S. faces to its freedom and national security if action is not taken, and taken quickly.

Review

In the movie Field of Dreams, a farmer repeatedly hears a voice whispering, “if you build it, he will come,” which leads the main character to build a baseball diamond. In the digital world, the reality is that, if you don’t secure it, they will come and take your data and intellectual property. America the Vulnerable lays out the case that an insecure digital infrastructure almost begs adversaries to come and attack it, which in turn places the entire nation at risk.

This book is four years old, and, while many of the events it describes may be yesterday’s news, the underlying message Brenner evangelizes is still highly relevant: our digital infrastructure is woefully insecure. Unless this changes, the number of attacks and breaches will only increase in both scope and magnitude.

The book is a quick and fascinating read, and Brenner does a great job of telling the story for readers without a strong technical background. While there is a lot of finger pointing that could be done, Brenner rises above that and focuses on the issues and problems, rather than laying blame.

China plays a leading role in the book. While China has long denied any notion of state-sponsored hacking, even with evidence to the contrary, the book details China’s long view: namely, its attempt to regain its role as a world power. The book notes that China had the world’s largest economy for eighteen of the past twenty centuries. The two exceptions were those of America’s youth and rise to power. The last 200 years have seen a decrease in this dominance, but the book notes that China does not regard Western domination as normal. With that, China has made it a priority to reestablish its place in the international order. And a large part of the reestablishment process includes taking data and intellectual property from U.S. firms.

Part of the problem is that, while China has made it a priority to reestablish itself and that approach includes hacking, the U.S. has not conversely created a unified approach to dealing with the myriad digital threats. The U.S. response has been heavily fragmented. Part of the reason for this is that, as a democracy with 50 states, it’s much harder to create a unified security response. As a totalitarian state, China has it much easier. Perhaps that’s why they have been able to remotely download terabytes of data from U.S. Department of Defense networks on numerous occasions. The book also quotes Keith Alexander, then NSA Director and a U.S. Army four-star general, saying that, as far back as 2010, the U.S. had found that its classified networks had been penetrated by China.

In every chapter, Brenner lays out the case and provides many examples of the problem of how vulnerable the U.S. is. Brenner is no Chicken Little, and, if anything, in the four years since the book was published, the information security sky has indeed been falling.

The underlying issue that Brenner so eloquently and clearly writes about is that, in the rush to get the U.S. into the digital age and to wire nearly everyone, every business, and every school to the Internet, it has created a network that is highly porous and vulnerable to attack.

This is not simply about networks ordering Girl Scout cookies; this is the critical infrastructure of the U.S. at risk, including everything from the networks that control the financial system and energy grid, to keeping planes in the sky, and much more.

In chapter after chapter, Brenner describes somewhat of a bleak future. Chapter 10 closes with a number of recommendations for both the government and private sector. While many of them are a good start, the reality is that a much more aggressive approach needs to be taken to stem the tide. The truth is that it’s much easier to write about the problem than detail comprehensive solutions.

Conclusion

The sound you hear is that of petabytes of proprietary and highly confidential data being stolen out from under our network noses: silence. This data is quietly being stolen, and the victims include many of the Fortune 1000, along with countless individuals. How big the breach in the data dam is remains debatable; what’s eminently clear is that something must be done, and done quickly.

Like the good attorney that he is, Brenner has laid out the case in America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare. It’s now up to our leaders and cybersecurity professionals to take action to stop the flow. If not, the consequences could be terrible.

Brenner has written an important book, and, while its stories may be a few years old, its message remains quite relevant.

[Palo Alto Networks Blog]

Internet of Things—The Fate We Make for Ourselves

The fantasy once associated with science fiction films is becoming increasingly similar to modern life.

The first Terminator movie introduced some cybersecurity concepts. In addition to introducing the topics of social engineering, vulnerability management and computer malware, the latest film in the saga has introduced the topic of the Internet of Things (IoT). These movies reflect the significant improvements in technologies used by businesses. As a result, there are some lessons that can be learned from looking at the Terminator movies, one of which is to have a proactive, rather than reactive, approach to security.

Back in the factual world, an exciting example of some of the latest development work can be seen in the research being carried out at Newcastle University (United Kingdom),1 including:

  • Ambulances interconnected to the traffic lights enabling more efficient and faster journeys2
  • Touch- and temperature-sensitive bionic limbs3

Most IT security or information security professionals face the constant battle of explaining to their executives why it is important to spend sufficient money, time and resources on such things as securing systems and networks, vulnerability management, penetration testing, antivirus software, social engineering and security incident response. Security professionals also must try to maintain an understanding of and manage the new and emerging technologies being introduced to support an organisation’s efficiencies.

What type of dynamic, real-world technology advancements are happening? Presently, scientists are reporting the advancement and development of the following exciting technologies:4

  • Emergent artificial intelligence (AI)—AI is the development of machines that can learn, adapt and respond to their environments. These machines are also known as ‘Intelligent Machines’.
  • Sense-and-avoid drones—Remote-piloted drones that can fly themselves, without any remote assistance from a pilot sitting in a bunker somewhere piloting the drone via a joystick and monitor

All of a sudden, the far-fetched components of the Terminator movies do not appear to be so far-fetched after all. Add IoT into the equation, and the potential dangers become a great deal more serious.

Kevin Ashton, cofounder of the Auto-ID Center at the Massachusetts Institute of Technology (MIT) (Cambridge, Massachusetts, USA), is associated with coining the phrase ‘Internet of Things (IoT)’ while delivering a speech at Procter & Gamble.5 ‘If we had computers that knew everything there was to know about things—using data gathered without any help from us—we would be able to track and count everything and greatly reduce waste, loss and cost’, he said. ‘We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best’.6

The advancement of technologies means that the devices capable of interconnecting to share data have reduced in size and increased in capacity, ranging from the 3 gigabyte (GB) random access memory (RAM), 128 megabyte (MB) smart phone to a 768 GB RAM, 21 terabyte (TB) computer, or any physical item capable of being fitted with a microchip (even people, as is reported as being carried out by a Swedish company).7

Such devices are only going to improve their ability to interconnect and share data without the need for human interaction or control. There is also an increasing number of systems being insecurely developed. The volume of interconnected devices is predicted to be between 50 and 75 billion8 by 2020 and 70 percent of the world is expected to be using smart phones.9 Both businesses and individuals rely on such data-sharing devices. But lack of control and appreciation for ensuring that such devices are adequately protected, through technical controls, user education and policies, can result in significant IoT insecurity.

Although it is unlikely that there will be a global machine uprising, there are some lessons to be learned from science fiction long before it ever gets close to being a fact, especially given the strong benefits that are being speculated from incorporating AI technology into IoT devices. Acting now can reduce the impact from IoT-originated data breaches.

It has never been more important for organisations across the globe to work together to ensure that future advancements in technology are carried out safely and securely. The potential seriousness of the risk associated with IoT breaches is highlighted in US automaker Chrysler’s recent recall of more than 1.4 million vehicles10 after significant vulnerabilities were identified within the Uconnect system, an Internet-connected computer that controls such things as the onboard navigation, telephone and Wi-Fi hot spot systems. During a controlled experiment, attackers were able to hack into a Jeep Cherokee travelling at 70 mph. The attackers took control of the entertainment, air conditioning and acceleration systems, whilst highlighting that they even had the capability of tracking a vehicle via the global positioning system (GPS) and disabling the brakes.

Given such alarming developments, IoT data security/safety must be put at the forefront in business environments. Some of the recommended measures should include:

  • Businesses recognising the importance for securing data devices, baselining themselves with suitable industry standards—These standards may include COBIT 5, ISO/IEC 27001:2013, the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework or NIST SP 800-53, to name a few. Businesses should also connect with reputable security services providers (e.g., consultancy, penetration testing, web application testing).

    The adoption of a suitable security standard provides a consistent benchmark that ensures that all systems, people and processes are the same (i.e., standard), which promotes improved safety and security. This concept is extremely important in support of the development of the IoT world, in which multiple interconnecting systems share significant amounts of data, as this process ensures that these connections are carried out safely and securely.

    It is useful to reference the series of articles written by the Council on Cyber Security,11 providing further detailed advice on securing the IoT through the application of the Critical Security Controls for Cyber Defense12—in essence a robust foundation upon which to forge the basis of a compliance program.

  • Vendors developing secure systems—Because of the urgency from vendors to develop and sell these new and emerging technologies, there has been little or no effort applied to ensuring that the systems were built securely. As the technology has advanced, the potential danger associated with these advanced data processing technologies has significantly increased. For example, take the latest smart phones. These phones have the capability of acting in the capacity of a temporary mobile portable desktop, accessing sensitive emails or downloading copies of sensitive documents. Yet how many of these devices have the capability to install a personal firewall, antimalware programs or operating system updates?

    All of these vulnerabilities are at the forefront of a hacker’s arsenal for attack. Given that it is highly likely that these devices will be included in 2020’s predicted 50-75 billion connected devices, it is extremely important that data and system security be placed at the forefront of any future technological advances.

    In addition, it is important that vendors realise the importance of ensuring that the psychological perspectives associated with the older generations’ use of technologies13 are factored into the design of such systems to provide ease of use and effective and integrated security measures.

  • End users receiving security awareness training about the safe and secure use of the devices—The significant threats to data resources come from the end-user perspective, in which users carry out actions that undermine or bypass the security measures employed to protect both the device and the data within it. Ensuring that all end users are fully aware of the correct usage of devices becomes increasingly important when such devices are interconnecting, as in the world of IoT.

    It is important to remember that as technologies advance to meet IoT capabilities, human beings may not be able to respond as quickly to the new technologies, and more seasoned members of staff may need additional training in the correct and effective use of these devices.

  • Security professionals maintaining their professional knowledge and awareness of emerging technologies and threats—This can include membership in professional bodies, formalised professional development programmes or other similar efforts. The appointment of suitably trained and experienced professionals within an organisation is critical to helping reduce the risk associated with the introduction of new technologies. They act as the linchpin between decision makers and end users, ensuring effective mentoring, risk identification and communication. To make this an effective service, it is essential that these specialist appointments maintain their professional knowledge so they can efficiently respond to the challenges associated with the dynamic world of new technologies.
  • Global governments recognising the need to ensure data and device security by introducing appropriate legislation and awareness campaigns—Unfortunately, today’s world appears to be one of reaction and, as a result, the majority of organisations only react to technology-related issues in response to data breaches. There are limited legal requirements for businesses to ensure that technologies, usage and data are secure. With the introduction of more IoT technologies, it has never been more important for global governments to recognise the need to enforce the sensible use of such technologies, through the introduction of appropriate legislation. Without such legislation, there is nothing to incentivise businesses to operate their technologies responsibly.

    Much of the same happened with the advancement of the motor industry. In 1769, the first steam-powered vehicle was invented. However, in the United Kingdom, the requirement to have a license to drive was not introduced until 1903. By the early 1930s, there were more than 2.3 million motor vehicles on UK roads, and there were about 7,000 motor vehicle-related deaths each year. This caused the UK government to react with the introduction of the Road Traffic Act and the Highway Code.14 Lessons should be learned from the technological advancements in the motor industry so that similar mistakes do not occur with the technological advancements of the IoT.

All of the aforementioned measures will help to reduce the potential for IoT-associated data losses and minimise the potential for exploitation by an attacker. The following studies and reports show the existing vulnerabilities and sources of attack against existing technologies. They also demonstrate the importance and need for secure dynamic technologies and investment in the development of information systems (IS) security professionals and systems testing professionals, without which the potential benefits provided by the emerging IoT technologies will be undermined by reactive responses, resulting in some serious areas for concern in the future.

Figure 1 shows that the most significant threats are presented against external-facing web applications and from the insider misuse perspectives. Consequently, this demonstrates the need for ensuring systems are continually tested against exploitable vulnerabilities (before an unknown hostile exploits these vulnerabilities) and robust policies and procedures are in place to help reduce the threats presented from the insider (whether from a deliberate or accidental action).

Figure 2 provides an overview of the contributing factors that were seen to be behind the causes of a security incident. This clearly demonstrates that good security principles start with senior management endorsing and supporting good security practices.


The development of the IoT world will increasingly involve the use of mobile devices and, as a consequence, developers, vendors and end users need to be fully aware of the high risk of malware threats that could cause a breach, especially given the theme of IoT, where millions of devices will be interconnecting and sharing data. Figure 3 shows that even in the relatively immature mobile environment, a significant number of devices are getting infected, recorded as peaking at more than 60,000 devices during September and October 2014.

Figure 4 is the most disturbing of all the statistics discovered, given the rapidly evolving technology industries and the business reliance on such technologies. This technological evolution does not appear to be matched with the appointment of suitably trained and experienced information security professionals to proactively engage with businesses to mitigate the threats highlighted in figures 2 and 3.

Conclusion

If these trends continue in the same vein, there is substantial risk of technology advancing at a rate that creates billions of interconnected data-sharing devices (including intelligent machines/AI) with minimal security considerations being applied.

As a result, much like the Terminator movies, the development of the security industry can be likened to that of John Connor’s resistance. The future of a safe and secure technological world will rely on an under-resourced and outnumbered band of security professionals providing a reactive service, responding to increasing numbers of breaches.

If the world does not recognise these issues and act quickly to address them, we run the risk of fact becoming stranger than fiction. To quote the Terminator, ‘The future is not set. There is no fate but what we make for ourselves’.

Endnotes

1 School of Electronic and Electrical Engineering, Communications, Sensors, Signal & Information Processing Research Group (ComS2IP), Newcastle University, United Kingdom, www.ncl.ac.uk/eee/research/groups/coms2ip/
2 Knapton, S.; ‘Gadget Which Turns All Traffic Lights Green Trialled in UK’, The Telegraph, 3 April 2015, www.telegraph.co.uk/news/science/11512274/Gadget-which-turns-all-traffic-lights-green-trialled-in-UK.html
3 School of Electronic and Electrical Engineering, ‘Bionic hand that is ‘sensitive’ to touch and temperature’, Press Release, 24 February 2015, Newcastle University, United Kingdom, www.ncl.ac.uk/eee/about/news/item/bionic-hand-that-is-sensitive-to-touch-and-temperature-copy
4 Meyerson, Bernard; ‘Top 10 Emerging Technologies of 2015’, World Economic Forum, 4 March 2015, https://agenda.weforum.org/2015/03/top-10-emerging-technologies-of-2015-2/
5 Postcapes, ‘A Brief History of the Internet of Things’, http://postscapes.com/internet-of-things-history
6 ‘Internet of Things’, Techopedia, www.techopedia.com/definition/28247/internet-of-things-iot
7 BBC News, ‘Chip and Skin: The Office That Microchips Its Staff’, 29 January 2015, www.bbc.co.uk/news/technology-31037989
8 Danova, Tony; ‘Morgan Stanley: 75 Billion Devices Will Be Connected to the Internet of Things by 2020’, Business Insider, 2 October 2013, www.businessinsider.com/75-billion-devices-will-be-connected-to-the-internet-by-2020-2013-10?IR=T
9 Ericsson Mobility Report, ‘70% of the World Using Smartphones by 2020’, FutureTimeline.net, 26 June 2015, www.futuretimeline.net/blog/2015/06/26.htm#.VaasPWdFAfg
10 Fernandez, A.; ‘Fiat Chrysler Recall Highlights Potential Need for Regulatory Changes’, Gordon & Rees, 30 July 2015, www.privacydatabreach.com/category/internet-of-things/
11 Council on Cyber Security, ‘A Look at Applying the 20 Critical Security Controls to the Internet of Things, Part 1’, 4 November 2014, www.counciloncybersecurity.org/articles/a-look-at-applying-the-20-critical-security-controls-to-the-internet-of-things-iot-part-1/; ‘A Look at Applying the 20 Critical Security Controls to the Internet of Things (IoT), Part 2—Technology’, 25 November 2014, www.counciloncybersecurity.org/articles/a-look-at-applying-the-20-critical-security-controls-to-the-internet-of-things-iot-part-2/; ‘IoT and the Critical Security Controls, Part 3—Technology’, 13 January 2015, www.counciloncybersecurity.org/articles/iot-and-the-critical-security-controls-part-3/; ‘Internet of Things and the Critical Security Controls, Part 4—Technology’, 20 February 2015, www.counciloncybersecurity.org/articles/internet-of-things-and-the-critical-security-controls-part-4/
12 Council on Cyber Security, ‘The Critical Security Controls for Cyber Defense’, version 5.1
13 Rogers, Wendy A.; Arthur D. Fisk; ‘Toward a Psychological Science of Advanced Technology Design for Older Adults’, The Journals of Gerontology Series B: Psychological Sciences and Social Sciences, 65B(6), November 2010, p. 645–653, www.ncbi.nlm.nih.gov/pmc/articles/PMC2954331/
14 Driver & Vehicle Standards Agency, ‘History of road safety, The Highway Code and the driving test’, updated 26 March 2015, United Kingdom, www.gov.uk/government/publications/history-of-road-safety-and-the-driving-test/history-of-road-safety-the-highway-code-and-the-driving-test

Jim Seaman, CISM, CRISC, has enjoyed an extremely interesting and rewarding career within the security industry spanning almost 26 years. His career was forged in the application and enforcement of robust security and compliance legislation in the Royal Air Force Police over 22 years in the areas of physical security, counterterrorism and security intelligence. Since 2002, he has specialised in the field of information security management and investigations and cybersecurity. Over the last four years he has employed his skill sets, knowledge and experiences in the corporate sector across various industry sectors including financial, retail, oil and gas, UK government, travel, insurance, e-commerce and telecommunications.

[ISACA Journal]


Attack Campaign on the Government of Thailand Delivers Bookworm Trojan

Unit 42 recently published a blog on a newly identified Trojan called Bookworm, which discussed the architecture and capabilities of the malware and alluded to Thailand being the focus of the threat actors’ campaigns.

In this blog, we will discuss the current attack campaign along with the associated threat infrastructure and the actor’s tactics, techniques and procedures (TTPs). The following list summarizes the threat actors’ TTPs, which we will cover in this blog:

  • Actively attacking targets in Thailand, specifically government entities.
  • Uses Bookworm Trojan as the payload in attacks.
  • Has access to compromised servers that they use to download Bookworm.
  • Known to use spear-phishing as the attack vector to compromise targets, but have access to compromised web servers that could facilitate strategic web compromise (SWC) as an attack vector in the future.
  • Uses standalone Flash Player to play slideshows that contain pictures of current events in Thailand as decoy documents, but also use the legitimate Flash Player installation application as a decoy in some instances.
  • Uses date codes to track campaigns or Trojan version. If date codes are indeed used for campaign identifiers, then the dates precede attacks or current event seen in decoys by 6 to 18 days, which provides a glimpse into the development and operational tempo of this group.
  • Use of large command and control (C2) infrastructure, which heavily favors dynamic DNS domains for C2 servers.
  • Deployed Poison Ivy, PlugX, FFRAT and Scieron malware families.

Bookworm Attack Campaign

Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.

Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand, based on the contents of the associated decoy documents, as well as on several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting, with a majority of those systems located within Thailand.

Static Date Codes and Decoys

As mentioned in our previous blog on Bookworm, the Trojan sends a static date string to the C2 server that we referred to as a campaign code. We believed that the actors would use this date code to track their attack campaigns; however, after continued analysis of the malware, we think these static dates could also be a build identifier for the Trojan. It is difficult to determine the exact purpose of these static date codes with our current data set, but we will cover both possibilities in the next sections. While we currently favor the theory that these dates act as campaign codes, we extracted the following unique date codes from all known Bookworm samples, which suggest the threat actors began their campaign in June or July 2015:

  • 20150626
  • 20150716
  • 20150801
  • 20150818
  • 20150905
  • 20150920

Trojan Build Dates

Threat actors may use the date string hardcoded into each Bookworm sample as a build identifier. A Trojan sending a build identifier to its C2 server is quite common, as it notifies the threat actors of the specific version of the Trojan with which they are interacting. As mentioned in our previous blog, Bookworm is fairly complex based on its modular framework, which suggests that the threat actors would need to know the exact version of the Trojan they are communicating with in order to install appropriate supplemental modules.

While a plausible premise, our data set does not fully support the hardcoded dates in Bookworm samples as a build identifier. To attempt to confirm the dates acting as a build ID, we extracted all of the modules for each Bookworm sample. We then compared the modules of each Bookworm sample that had the same date values. Most of the modules were identical amongst Bookworm samples using the same date string, but several samples had differing modules yet the same date string. For instance, Table 1 shows two sets of Bookworm samples with the “20150716” and “20150818” date codes that have completely different Leader.dll modules.

Date Code   Leader.dll Module                  Compile Date
20150716    e602a12e8173ca17ba4a0c6c12a094c1   2015-07-18
20150716    4537257cb69a467a63c5a561825571f9   2015-07-23
20150818    e6cb32805bc5d758a5ea1dcd3c05beb8   2015-08-24
20150818    7065c709dd9dc7072dd5a5e2904c2d78   2015-08-31

Table 1 Two sets of Bookworm samples that share a static date code but have different Leader modules

If the Bookworm developers used the date code as a build identifier, we would expect a new date code to accompany samples carrying the new Leader module. Because the modules changed without a new date string, we believe the date codes are used for campaign tracking rather than as a Bookworm build identifier. Unit 42 will continue to compare the date codes to the Bookworm modules in future samples and will modify our assessment if indications suggest the date string is indeed a build identifier.

Campaign Codes

We believe that Bookworm samples use the static date string as campaign codes, which we used to determine the approximate date of each attack for which we did not have detailed targeting information. We also compared these campaign codes to the date the attacks occurred or the date of the event seen in decoy documents to get a sense of the threat group’s internal operations.

A number of the Bookworm samples include a decoy that is opened during installation of the malware in an attempt to disguise the compromise. The threat actors have used two types of decoys thus far: a legitimate Flash Player installation application and a standalone Flash application to display a photo slideshow. The use of a Flash Player installer, seen in Figure 1, suggests that the threat actors are using social engineering to instruct the victim to update or install the Flash Player application. The Bookworm campaign code “20150818” was used in all samples associated with these legitimate Flash Player installers.


Figure 1 Adobe Flash Player Installer used as a Decoy

Unit 42 has witnessed six decoy slideshows used in a Bookworm campaign targeting Thailand. All six of these decoy slideshows contain pictures that in some manner relate to Thailand. One known decoy includes an animation of what appears to be children in Thailand going to temple (Figure 2), which is associated with a spear-phishing attack on a branch of the Thailand government that occurred on July 27, 2015. The decoy’s filename is “wankaophansa.exe”, which suggests the animation concerns Wan Kao Phansa, a term for the first day of the three-month-long rainy season. Wan Kao Phansa is a national holiday in Thailand, which in 2015 started on July 31. The attack occurred four days before the actual holiday and had a campaign code of “20150716”, which is eleven days before the attack took place.


Figure 2 Decoy slideshow of children in Thailand celebrating Wan Kao Phansa or Buddhist Lent

For the remaining five decoy slideshows we do not have detailed targeting information. To estimate when those attacks occurred, we compared the campaign code embedded in each sample with the timeline of the events pictured in its decoy slideshow and found that the two coincide.

Three of the decoys relate to the August 17, 2015 bombing near the Erawan Shrine in Bangkok, Thailand (Figures 3, 4 and 5). The campaign code “20150801” is associated with the decoy slideshow that shows graphic images of the Erawan Shrine bombing (Figure 3); that date is 16 days before the bombing took place.


Figure 3 Picture from Decoy Slideshow showing Erawan Shrine Bombing in Bangkok (http://metro.co.uk/2015/08/17/huge-explosion-in-central-bangkok-near-major-tourist-attraction-5347076/)

The second bombing-related decoy (Figure 4) contained pictures of the arrest of a bombing suspect named Adem Karadag. The arrest was made on August 29, 2015, 11 days after the date in the campaign code “20150818” associated with this slideshow.


Figure 4 Picture from a Decoy Slideshow Showing the Arrest of a Bomber Related to the Erawan Shrine Bombing in Bangkok, Thailand

The third and final bombing-related decoy slideshow contains pictures of Adem Karadag re-enacting his role in the bombing for police (Figure 5). Such re-enactments are standard procedure for the Thai police; this one took place on September 26, 2015. The campaign code “20150920” is associated with this decoy, six days before the re-enactment.


Figure 5 Picture from Decoy Slideshow of Erawan Shrine Bombing Suspect at the Crime Scene

Another decoy slideshow associated with the Bookworm campaign contains photos of an event called Bike for Dad 2015, a cycling event to be held on December 11, 2015 to commemorate the 88th birthday of King Bhumibol Adulyadej of Thailand. Many high-profile figures in Thailand are promoting the event, including Prime Minister Prayut Chan-o-cha, who appears in many of the images in the decoy slideshow (Figure 6).


Figure 6 Decoy Slideshow with Pictures Regarding Bike for Dad 2015 (http://www.m-society.go.th/ewt_news.php?nid=15002)

The campaign code “20150920” is associated with this decoy, a week before media articles announced that the Crown Prince of Thailand, Maha Vajiralongkorn, would lead the Bike for Dad 2015 event. At first we believed the Bike for Dad 2015 theme was unrelated to the earlier Erawan Shrine bombing decoys. According to the same announcement, however, the Crown Prince said the bike route would pass the Ratchaprasong intersection, where the Erawan Shrine bombing took place. The actors’ use of this event in their social engineering therefore continues the theme of the shrine bombing, which is undoubtedly still in the hearts and minds of the Thai people.

The last known decoy includes photos of Chitpas Tant Kridakon (Figure 7), the heiress to the largest brewery in Thailand. Chitpas is heavily involved in Thai politics and was a core leader of the People’s Committee for Absolute Democracy (PCAD), an organization that staged anti-government campaigns in 2013 and 2014. As recently as September 2015 she was in the news for her attempts to become an officer in the Royal Thai Police, which prompted protests because of her political stance. Two of the images in the slideshow appear in an article published on September 20, 2015. The sample carrying these images used the Bookworm campaign code “20150905”.


Figure 7 Picture of Chitpas Tant Kridakon included in a Decoy Slideshow

Comparing the campaign codes with the dates of known attacks, or with the dates of the events shown in the decoys, we found that the campaign codes precede the attack or event dates by 6 to 18 days. A campaign code that predates both the attack and the event depicted in its decoy suggests that the threat actors first prepare their tools and only then select a decoy. The decoys also show that the actors actively track current news and lift photographs from media coverage to assemble their slideshows.
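The comparison described in this section and the build-identifier question raised above, as an added example rather than Unit 42’s own tooling: the code parses the static date strings as YYYYMMDD campaign codes, computes how far each precedes the attack or decoy event date using the codes and dates given in this post, and applies the build-identifier check (a code reused across different module versions cannot be a build ID). The module-version labels in SAMPLE_BUILDS are assumed for illustration and do not come from the write-up.

```python
"""Campaign-code analysis: is a static date string a campaign code or a build ID?

Added example, not Unit 42 tooling. The campaign codes and event dates below are
the ones given in the write-up; the module-version labels in SAMPLE_BUILDS are
constructed to illustrate the build-identifier check.
"""
from datetime import date, datetime
from typing import Dict, Iterable, List, Optional, Tuple, Union

DateLike = Union[date, str]


def parse_campaign_code(code: str) -> Optional[date]:
    """Parse an 8-digit YYYYMMDD string; return None if it is not a real calendar date."""
    if len(code) != 8 or not code.isdigit():
        return None
    try:
        return datetime.strptime(code, "%Y%m%d").date()
    except ValueError:  # e.g. month 13 or February 30: a build number, not a date
        return None


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def lead_days(code: str, event: DateLike) -> Optional[int]:
    """Days from the campaign-code date to the attack or event date.

    Positive means the code predates the event (the pattern seen in this campaign);
    None means the string is not a date and therefore cannot be a campaign code.
    """
    coded = parse_campaign_code(code)
    return None if coded is None else (_as_date(event) - coded).days


# (campaign code, date of the attack or of the event pictured in the decoy, label), from the write-up.
KNOWN_PAIRS: List[Tuple[str, str, str]] = [
    ("20150716", "2015-07-27", "Wan Kao Phansa decoy, spear-phish on Thai government"),
    ("20150801", "2015-08-17", "Erawan Shrine bombing decoy"),
    ("20150818", "2015-08-29", "arrest of Adem Karadag decoy"),
    ("20150920", "2015-09-26", "bombing re-enactment decoy"),
    ("20150905", "2015-09-20", "Chitpas Kridakon article decoy"),
]


def lead_time_summary(pairs: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
    """Map each label to its lead time in days, skipping strings that are not dates."""
    out: Dict[str, int] = {}
    for code, event, label in pairs:
        days = lead_days(code, event)
        if days is not None:
            out[label] = days
    return out


def lead_time_range(pairs: Iterable[Tuple[str, str, str]]) -> Tuple[int, int]:
    """(min, max) lead time over the pairs whose code parses as a date."""
    values = list(lead_time_summary(pairs).values())
    return min(values), max(values)


# Constructed: {campaign code: module versions observed in samples carrying that code}.
SAMPLE_BUILDS: Dict[str, set] = {
    "20150818": {"Leader/v1", "Leader/v2"},  # same code across two different Leader modules
    "20150920": {"Leader/v2"},
}


def codes_reused_across_builds(builds: Dict[str, set]) -> List[str]:
    """Codes that appear with more than one module version.

    A true build identifier would change whenever the modules change, so a code
    that spans several module versions is being used for campaign tracking instead.
    """
    return sorted(code for code, versions in builds.items() if len(versions) > 1)


if __name__ == "__main__":
    for label, days in lead_time_summary(KNOWN_PAIRS).items():
        print(f"{days:>3} days lead  {label}")
    print("lead-time range:", lead_time_range(KNOWN_PAIRS))
    print("codes reused across builds:", codes_reused_across_builds(SAMPLE_BUILDS))
```

On the five dated pairs above the lead time runs from 6 to 16 days; the 18-day upper bound quoted in the post comes from attacks whose targeting details are not published here, so the function reports whatever range the input pairs support rather than a fixed constant.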

Compromised Hosts

Unit 42 analyzed the systems communicating with the Bookworm C2 domains and found that the majority of the IP addresses fall within autonomous systems (ASNs) located in Thailand. The pie chart in Figure 8 shows that the vast majority (73%) of the hosts geolocate to Thailand, which matches the known targeting of this threat group. We believe the IP addresses in Canada, Russia and Norway belong to analysis systems run by antivirus companies or security researchers. The IP addresses in South Korea are more interesting and could suggest that the group has also run a campaign against targets there; however, we have found no additional evidence to corroborate that theory.


Figure 8 The Unique IP Addresses Seen Communicating with Bookworm C2 Emphasizes Attacks on Targets in Thailand

We took the IP addresses seen communicating with Bookworm C2 servers, obtained their geographic coordinates from an IP geolocation database and plotted them on a map (Figure 9). Most of the Thai IP addresses have coordinates in the Bangkok metropolitan area, with one in the southern town of Pattani and one in the Phanat Nikhom District of Chonburi Province. IP geolocation is not perfectly accurate, but the data suggests that most of the compromised hosts are near Bangkok, the country’s largest city. This grouping also aligns with the known targeting, since Bangkok and neighboring Nonthaburi are where most of the Thai government is located.


Figure 9 Map Showing GeoIP Locations of Compromised Hosts Grouped in the Bangkok Metropolitan Area

Bookworm’s Threat Infrastructure

The Bookworm-related infrastructure created by the threat actors mainly consists of dynamic DNS domains; an early sample, however, used a fully qualified domain name (FQDN) owned by the actor. The actors also appear to have access to legitimate servers, which they use to host Bookworm and related tools for their attacks. Overall, the Bookworm infrastructure overlaps with the infrastructure hosting C2 servers for various other attack tools, including FFRAT, Poison Ivy, PlugX and others.

Compromised Web Servers

Unit 42 has seen the threat actors host Bookworm and related tools on legitimate websites, which suggests they have unauthorized access to those servers. We have observed Bookworm samples hosted on websites belonging to the following organizations:

  • Two branches of government in Thailand
  • Thai Military
  • A Taiwanese Labor Association

Three of the four compromised web servers had been breached before: each is listed on Zone-H as defaced, and the remaining site was defaced by TURKHACKTEAM, according to a Google cache from November 11, 2015. Exactly how the actors gained access to these sites is unclear; however, one site exposes a publicly accessible form that lets visitors upload files to the web server (Figure 10). Unit 42 believes the threat actors could have uploaded Bookworm to this server through this form, and possibly an ASP web shell as well to gain further control over the server. We also speculate that these actors may use their unauthorized access to web servers for strategic web compromises (SWC) in future campaigns.


Figure 10 Publicly Accessible Form to Upload Files to Server Seen Hosting Bookworm Trojan

The site hosting this file upload form belongs to one of the organizations targeted with Bookworm, which may indicate that the threat actors used the web server as a pivot point into that organization’s internal network.

Infrastructure Overlap and Related Tools

The domains hosting Bookworm C2 servers (see the Indicators of Compromise section of our Bookworm blog) connect to a larger infrastructure that the threat actors use to host C2 servers for other tools in their toolset. So far, Unit 42 has seen overlaps with servers hosting C2 for samples of the FFRAT, PlugX, Poison Ivy and Scieron Trojans, suggesting that the actors use these tools as payloads in their attacks.

Unit 42 enumerated the threat infrastructure related to Bookworm and charted the entities connected to the current attack campaign. The infrastructure is fairly complex and overlaps heavily with other toolsets. Figure 11 shows a fraction of it, visualizing the connections between Bookworm, FFRAT, PlugX and Poison Ivy.


Figure 11 Infrastructure Overlaps connecting Bookworm to samples of the PlugX, Poison Ivy and FFRAT Trojans

The overlap between Bookworm, PlugX and Poison Ivy samples involves the use of Smart Installer Maker, a packaging technique this threat group uses routinely. In one case, a Smart Installer Maker package (MD5: 6741ad202dcef693dceb98b0a10c49fc) installed both a PlugX and a Poison Ivy Trojan whose C2 domains resolved to an IP address (119.205.158.70) to which a Bookworm C2 domain (sswmail.gotdns[.]com) also resolved. The same IP address resolved a domain (qemail.gotdns[.]com) that the actors used as a C2 server for another Trojan known as FFRAT. We observed a further direct overlap in a C2 domain (ubuntudns.sytes[.]net) used by both Bookworm and FFRAT.

As noted above, the infrastructure related to Bookworm is fairly complex, with many connections to domains hosting C2 servers for other tools. The related infrastructure and the malware family (or cluster) each domain served are listed in Table 2 below.

Domain                            Malware Family/Cluster
web12.nhknews[.]hk                Bookworm
systeminfothai.gotdns[.]ch        Bookworm
bkmail.blogdns[.]com              Bookworm
thailandbbs.ddns[.]net            Bookworm
blog.nhknews[.]hk                 Bookworm
news.nhknews[.]hk                 Bookworm
sysnc.sytes[.]net                 Bookworm
debain.servehttp[.]com            Bookworm
sswmail.gotdns[.]com              Bookworm
sswwmail.gotdns[.]com             Bookworm
ubuntudns.sytes[.]net             Bookworm, FFRAT
linuxdns.sytes[.]net              Bookworm, FFRAT
http://www.chinabztech[.]com      FFRAT
http://www.tibetonline[.]info     FFRAT
3h01.dwy[.]cc                     FFRAT
http://www.vxea[.]com             FFRAT
bdimg.s.dwy[.]cc                  FFRAT
nine.alltosec[.]com               FFRAT
http://www.rooter[.]tk            FFRAT
wucy08.eicp[.]net                 FFRAT
welcome.dnsd[.]info               FFRAT
http://www.ifilmone[.]com         FFRAT
pcal2.dwy[.]cc                    FFRAT
luotuozhizhu.blog.163[.]com       FFRAT
office.alltosec[.]com             FFRAT
ftpseck.ftp21[.]net               FFRAT
wuzhiting.3322[.]org              FFRAT
qemail.gotdns[.]com               FFRAT
googleupdating[.]com              FFRAT
welcometohome.strangled[.]net     FFRAT
zz.alltosec[.]com                 FFRAT
back.rooter[.]tk                  FFRAT
products.alltosec[.]com           FFRAT
windowsupdating[.]net             FFRAT
app.rooter[.]tk                   FFRAT
hkemail.f3322[.]org               FFRAT
pcal2.yahoolive[.]us              FFRAT
happy.tftpd[.]net                 PlugX
weather.webhop[.]me               PlugX
ns1.vancouversun[.]us             PlugX
n5579a.voanews[.]hk               PlugX
hope.jumpingcrab[.]com            PlugX
news.nowpublic[.]us               PlugX
web.vancouversun[.]us             PlugX
news.voanews[.]hk                 PlugX
bugatti.from-wa[.]com             PlugX
web.voanews[.]hk                  PlugX
ns3.yomiuri[.]us                  PlugX
tree.crabdance[.]com              PlugX
supercat.strangled[.]net          PlugX
webupdate.strangled[.]net         PlugX
breaknews.mefound[.]com           PlugX
succ.gotdns[.]com                 Poison Ivy, PlugX
imail.gotdns[.]com                Poison Ivy, PlugX
wmail.gotdns[.]com                Poison Ivy, PlugX
xxcase.gotdns[.]com               Poison Ivy
romadc.homelinux[.]com            Poison Ivy
3389temp.dyndns[.]org             Poison Ivy
ahcase.gotdns[.]com               Poison Ivy
kcase.gotdns[.]com                Poison Ivy
3389pi.servegame[.]org            Poison Ivy
flashcard.gotdns[.]com            Poison Ivy
kr-update.homelinux[.]com         Poison Ivy
3389.homeunix[.]org               Poison Ivy
flashgame.gotdns[.]com            Poison Ivy
anhei.gotdns[.]com                Poison Ivy
xcase.gotdns[.]com                Poison Ivy
education.suroot[.]com            Scieron
server.organiccrap[.]com          Scieron
pricetag.deaftone[.]com           Scieron
apple.dynamic-dns[.]net           Scieron
williamsblog.dtdns[.]net          Scieron
will-smith.dtdns[.]net            Scieron
durant.dumb1[.]com                Scieron

Table 2 Threat Infrastructure Related to Bookworm

We connected the domains in Table 2 through shared stolen code-signing certificates, other PE build commonalities, passive DNS data and direct C2 domain overlap. The domains linked through passive DNS all resolved, at some point, to a common IP address. The following IP addresses provided many of the connection points within the infrastructure via passive DNS overlap:

  • 226.127.47
  • 156.239.105
  • 167.143.179
  • 144.107.22
  • 144.107.46
  • 144.107.52
  • 144.107.53
  • 144.107.134
  • 144.166.209
  • 205.158.70
  • 248.8.249
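The passive DNS pivoting described above, as an added example that is not Unit 42’s tooling: given (domain, resolved IP, family) records, it finds IPs that tie domains of different families together, domains that served as C2 for more than one family (the direct overlap of ubuntudns.sytes[.]net), and the connected clusters that result. The domains and the address 119.205.158.70 come from this post; every other resolution in SAMPLE_PDNS is constructed from RFC 5737 test addresses, and the noise-IP filter is an assumption a practitioner would add so that parked or sinkholed dynamic-DNS names do not link unrelated infrastructure.

```python
"""Link C2 domains across malware families through passive-DNS overlap.

Added example, not Unit 42 tooling. Domains and the address 119.205.158.70 are
taken from the write-up; every other resolution in SAMPLE_PDNS is constructed
(RFC 5737 test addresses) to exercise the logic.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (domain as written in a report, resolved IP, malware family)

SAMPLE_PDNS: List[Record] = [
    ("sswmail.gotdns[.]com",   "119.205.158.70", "Bookworm"),
    ("qemail.gotdns[.]com",    "119.205.158.70", "FFRAT"),
    ("ubuntudns.sytes[.]net",  "203.0.113.10",   "Bookworm"),
    ("ubuntudns.sytes[.]net",  "203.0.113.10",   "FFRAT"),
    ("happy.tftpd[.]net",      "203.0.113.10",   "PlugX"),
    ("succ.gotdns[.]com",      "198.51.100.7",   "Poison Ivy"),
    ("succ.gotdns[.]com",      "198.51.100.7",   "PlugX"),
    ("education.suroot[.]com", "192.0.2.55",     "Scieron"),
    # Dynamic-DNS names are often parked on a placeholder address between campaigns;
    # such an address would link unrelated domains and must not count as overlap.
    ("sswmail.gotdns[.]com",   "0.0.0.0",        "Bookworm"),
    ("education.suroot[.]com", "0.0.0.0",        "Scieron"),
]

# Assumed noise list: addresses that connect everything to everything and carry no attribution value.
NOISE_IPS: Set[str] = {"0.0.0.0", "127.0.0.1"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (sswmail.gotdns[.]com, hxxp://...) back into a usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_graph(records: Iterable[Record]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (ip -> domains that resolved to it, domain -> families it served), skipping noise IPs."""
    ip_to_domains: Dict[str, Set[str]] = defaultdict(set)
    domain_families: Dict[str, Set[str]] = defaultdict(set)
    for raw_domain, ip, family in records:
        domain = refang(raw_domain)
        domain_families[domain].add(family)
        if ip not in NOISE_IPS:
            ip_to_domains[ip].add(domain)
    return ip_to_domains, domain_families


def pivot_ips(records: Iterable[Record]) -> Dict[str, List[str]]:
    """IPs whose resolving domains together account for more than one family (pDNS overlap)."""
    ip_to_domains, domain_families = build_graph(records)
    result: Dict[str, List[str]] = {}
    for ip, domains in ip_to_domains.items():
        families: Set[str] = set()
        for domain in domains:
            families |= domain_families[domain]
        if len(families) > 1:
            result[ip] = sorted(families)
    return result


def shared_c2_domains(records: Iterable[Record]) -> Dict[str, List[str]]:
    """Domains seen as C2 for more than one family (direct overlap)."""
    _, domain_families = build_graph(records)
    return {d: sorted(f) for d, f in domain_families.items() if len(f) > 1}


def clusters(records: Iterable[Record]) -> List[List[str]]:
    """Connected components of domains joined by shared non-noise IPs (union-find), largest first."""
    ip_to_domains, domain_families = build_graph(records)
    parent = {d: d for d in domain_families}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in ip_to_domains.values():
        root = find(next(iter(domains)))
        for domain in domains:
            parent[find(domain)] = root
    components: Dict[str, Set[str]] = defaultdict(set)
    for domain in domain_families:  # insertion order keeps the output deterministic
        components[find(domain)].add(domain)
    return sorted((sorted(c) for c in components.values()), key=len, reverse=True)


if __name__ == "__main__":
    for ip, fams in pivot_ips(SAMPLE_PDNS).items():
        print(f"{ip:<16} bridges {', '.join(fams)}")
    for domain, fams in shared_c2_domains(SAMPLE_PDNS).items():
        print(f"{domain:<24} shared C2 for {', '.join(fams)}")
    for group in clusters(SAMPLE_PDNS):
        print("cluster:", ", ".join(group))
```

Real passive DNS data also carries first-seen/last-seen timestamps; before treating a shared IP as an overlap, check that the two domains resolved to it in overlapping or adjacent windows, otherwise a recycled hosting address will join unrelated actors.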

Conclusion

Threat actors have targeted the government of Thailand with the newly discovered Bookworm Trojan since July 2015. The actors appear to follow a set playbook, as the observed TTPs vary little from attack to attack within this campaign. They have consistently used Flash Player installers and Flash slideshows as decoys, and the decoy slideshows all contain photos of events that are highly meaningful to people in Thailand, suggesting the actors continually look for impactful events to disguise their attacks.

The vast majority of systems communicating with Bookworm C2 servers are in the Bangkok metropolitan area, where most of the Thai government is located. While the current campaign has targeted the Thai government, Unit 42 believes the threat actors will deliver Bookworm to other governments in future campaigns.


[Palo Alto Networks Blog]

Customer Spotlight: A More Secure Cloud Means Better Service from Nexon

Nexon Asia Pacific, a Palo Alto Networks Managed Security Service Provider (MSSP), has about 120 staff across offices in Sydney, Melbourne and Brisbane. The Australia-based company serves about 200 enterprise clients, offering managed networking, telephony and, in recent years, cloud and application services. What Nexon sought, and found with Palo Alto Networks, was a way to manage security for the full stack of those services on one platform.

“We literally had four separate devices providing the security solutions that we were offering to our customers and the Palo Alto Networks platform gave us the ability to integrate all of those platforms into one and provide one source of reporting and visibility into the platform,” noted Barry Assaf, Nexon Asia Pacific director, in a recent interview with The Australian.

We invite you to read some recent coverage of Nexon Asia Pacific and Palo Alto Networks, including in CRN Australia and Channel Life, as well as the case study. And while you’re at it, come to our Customers page to read more stories and learn about businesses all over the world that have embraced the Palo Alto Networks next-generation security platform.

[Palo Alto Networks Blog]

3 Steps of Cloud Security Adoption

Cloud adoption is trending—and it is an inevitable choice for any enterprise that wants to stay relevant in today’s interconnected world.

The security of storing and processing critical data outside the enterprise’s control is a central factor in any analysis of cloud adoption.

So whether your organization employs a cloud-first strategy or is still sitting on the sidelines of the cloud game, there are three key steps to understanding what risks the cloud poses to your data.

  1. Assess your current cloud usage. What cloud services are your users already using to do their jobs? Security leaders should sponsor a project to inspect all network traffic, using a web proxy or a cloud access security broker (CASB), to identify the full set of apps the enterprise consumes. The next step is to separate enterprise-sanctioned apps from rogue shadow IT apps. Most IT departments either do not know the extent of shadow IT or underestimate it. The mounting risk from decentralized, uncontrolled adoption of cloud services across the gamut of enterprise applications has left CIOs wondering how to assess which shadow IT services have moved to the cloud without adequate controls or IT oversight. While these shadow IT systems may have been a quick win for the business when they were implemented, their legacy is redundancy and an enlarged attack surface across the enterprise. As surveillance and data leakage concerns continue to haunt consumers and businesses alike, security due diligence on cloud solutions is paramount.
  2. Adjust your strategy to reduce cloud risk. Moving select services to the cloud may yield significant cost and efficiency gains; risk-reduction measures should be evaluated at the same time so that cloud adoption scales securely. Consider a cloud identity management solution for single sign-on, which enables centralized access control, including multifactor authentication. Automated user provisioning (and, just as important, deprovisioning when people leave) further builds security into application portfolio management. Security leaders should also leverage a layer 7 next-generation firewall to classify and control web traffic. That visibility lets you block risky non-business apps, such as peer-to-peer sharing, or restrict quasi-business apps, such as file sharing services, to the privileged users and groups with a demonstrated need.
  3. Plan your future cloud model. Whether your business users want to consume Software as a Service (SaaS) or your IT infrastructure teams see value in Infrastructure as a Service (IaaS), there are many ways to mitigate risk while satisfying both. The advanced security analytics, data context and application auditing that CASBs provide can integrate deeply with many foundational enterprise apps (Office 365, Google Apps, AWS, Azure). It is also imperative to formalize your application risk assessment when choosing between cloud-hosted SaaS and the increasingly available on-premise SaaS options for those critical services that your risk managers cannot bless for the cloud. Some niche cloud service providers (e.g., GitHub, JIRA) offer on-premise editions, and Docker-based container delivery (for example, Replicated) now lets vendors offer the same SaaS experience on-premise, keeping a tighter hold on enterprise data and security. When the cloud adoption decision is finally made, your future cloud model may well be sitting behind your own firewall.

Gary Miller, CISSP, CISA, CIA, CRMA, CCSA, ITILv3
Senior Director of Information Security at TaskUs

Note: Gary Miller will present on shadow IT risk and cloud governance at ISACA’s 2016 North America CACS conference in New Orleans, 2-4 May 2016. To learn more from him and other expert presenters, register here.

[ISACA Now Blog]
