2016 Prediction #14: Six Cybersecurity Predictions for Asia-Pacific

This is the fourteenth, and final, in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

1. Ransomware

Ransomware will continue to evolve its propagation methods and evasion techniques, hiding its communication and the targets it seeks. As reported by the Cyber Threat Alliance, ransomware has been very lucrative for cybercriminals to launch campaigns and, in a short period of time, derive large revenue streams. Today, the value of credit card data is low compared to ransomware, where higher value can be extracted from more victims.

Research by the Cyber Threat Alliance reported that CryptoWall v3 generated more than $325 million for the group behind it. This will drive further versions of ransomware-style attacks to be released, allowing more cybercriminals to extort users to pay the ransom to get the decryption key for their data. We predict seeing this crossing over to other platforms, such as Mac OS X and mobile operating systems.

2. Sharing of Threat Intelligence

Efforts have been around for years to share threat intelligence in some verticals, and we predict that 2016 will mark a year in which the private sector and security vendors look to share more of this than they ever have in Asia-Pacific. Today, many adversaries often write one piece of malware and send it to multiple organisations, with only minor changes made to make it undetectable. However, if we, as a community, can force cyber adversaries to create multiple unique attacks each time, it will force their costs to go up. And if we can share the information, the defender costs go down. The benefits grow exponentially if we automate this process whereby organisations do this in real time, whilst preventing the attacks. Knowing what kinds of actors are targeting you, the tools that they have available, and the tactics they employ allows organisations to defend their networks more effectively.

Although the debate continues on how effective these regulations will be, Asian governments should look to foster the sharing of threat intelligence, and organisations should think about how they can share in their vertical and go cross vertical in their efforts. We should ensure that there are responsible privacy protections in place for the purpose of identifying, preventing, mitigating and responding to cyberthreats, vulnerabilities, and malicious campaigns. The faster organisations can share this information, the better we can serve to protect each other and push the cost back to the attackers.

We expect this trend to continue, as more organisations begin to realise the benefits of sharing knowledge as a means to unify efforts to fight against cyber intrusions in Asia-Pacific.

3. Secondary Victim Attacks

More and more we are seeing that, when we know the motive of an attack, there is usually a secondary victim. The 2015 Verizon Data Breach Report highlighted that adversaries are using third-party websites to deliver their attacks. This often can mean that the person or organisation that experiences the initial breach isn’t the real target but rather a pawn in a bigger attack.

From the perspective of an attacker, this allows them to take advantage of trust and use the resources of another company for their gain. The most common method seen in Asia Pacific has been “watering hole attacks”, where an organisation’s website is infected with exploit code to try and infect visitors of their site. We predict that this will continue to rise with more reported incidents coming to light in 2016.

4. Trust in Our Security Models

Over the past few years, cyberattacks have escalated and gotten more aggressive and successful. Not only have we seen it become easier and cheaper to launch successful attacks, it has eroded our digital trust in online systems. That trust also extends itself to the failure of legacy security architectures due, not only to an outdated assumption that everything on the inside of an organisation’s network can be trusted, but also the inability of legacy countermeasures to provide adequate visibility, control and protection. We expect to see more organisations adopting new security models, such as “Zero Trust,” which is intended to remedy the deficiencies with perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting “never trust, always verify” as its guiding principle.

This differs substantially from conventional security models that operate on the basis of “trust but verify”. Essential security capabilities are deployed in a way that provides policy enforcement and protection for all users, devices, applications and the communications traffic between them, regardless of their location. We expect this will continue across Asia-Pacific in 2016.

5. Attacking the Internet of Things

Whole new categories of digital device are getting connected to the Internet, from domestic appliances to home security, and the list goes on. Gartner predicts the number of connected things will rise from 6.5 billion in 2015 to almost 21 billion by 2020, growing by a staggering 5.5 million “things” each day. This will continue to accelerate in 2016. Sadly, we see no reason why these things won’t become a target for cybercrime. During this year we have seen some evidence of this emerging trend, like attacks on cars, smart rifles and many more shown at Black Hat USA in August this year. We don’t expect to see millions of devices compromised in 2016 across Asia-Pacific, but we should be prepared to see more attacks and proofs of concepts trying to exploit these types of devices.

6. Cybercrime Legislation

Asia-Pacific has often operated under very lax regulations when it comes to cybersecurity. It is a global issue; however, regulations to safeguard businesses and consumers are still evolving around the world. It’s unsurprising that the USA is taking the lead on this front, given the number of high-profile attacks reported to have targeted U.S. firms in recent years. This has resulted in cybersecurity becoming a focus for policy, most recently seeing the introduction of the Cybersecurity Information Sharing Act (CISA), which aims to help U.S. companies work with their government to combat hackers. Similarly, the European Union has laid out 14 actions to improve cybersecurity readiness, along with a policy on Critical Information Infrastructure Protection (CIIP), which aims to strengthen the security and resilience of vital ICT infrastructure by supporting high level preparedness, security and resilience capabilities at a national and EU level.

We expect that we will see a significant shift in the mindset of governments and regulators in Asia-Pacific to take on an even more active role in protecting the Internet and safeguarding its users. Cybercrime laws will be in discussion, and changes to outdated cybersecurity standards will be mandated to bolster an improved stance on security.

Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.

[Palo Alto Networks Blog]

ProxyBack Malware Turns User Systems Into Proxies Without Consent

Anonymous proxies play an important role in protecting one’s privacy while on the Internet; however, when unsuspecting individuals have their systems turned into proxies without their consent, it can create a dangerous situation. Palo Alto Networks researchers recently discovered a family of malware, designated ProxyBack, and observed over 20 versions that have been used to infect systems as far back as March 2014.

The primary distribution observed by Palo Alto Networks is focused heavily in Europe with most targets belonging to educational institutions.

Figure 1 – ProxyBack distribution shown in AutoFocus

In this report, we’ll dive into the behavior of a recent sample of ProxyBack, examine how it establishes the victim proxy, and analyze the traffic using this service.

ProxyBack Malware

To be an effective proxy, network traffic must be able to flow through the proxy unhindered. In a typical setup, this may be accomplished by allowing a proxy system to receive traffic over a network socket designated for this function and then forwarding the network traffic on as its own.

Figure 2 – Classic proxy setup

The problem for a non-legitimate proxy is that the network traffic destined to reach the proxy server, which is a compromised system, will usually not be able to reach it because of firewalls or other network-based restrictions put in place to protect systems.

Figure 3 – Corporate firewalls prevent the victim from being accessed in a classic proxy setup

ProxyBack gets over this hurdle by building a reverse tunnel over TCP to an attacker-controlled proxy server. In other words, it has the victim proxy make the initial call home, thus allowing the proxy server to send its traffic through the tunnel and out to the Internet, or to other devices internal to that network.

Figure 4 – Victim proxy establishes a connection with the attacker-controlled server

  1. Victim proxy pokes a hole in the firewall by establishing a TCP connection with the attacker-controlled proxy server.
  2. The proxy server validates it has access to the victim proxy and that it can successfully route traffic through it to the Internet.
  3. The users of this proxy service are now able to route traffic through the attacker-controlled proxy and exit any of the victim proxies they’ve validated.
  4. The victim proxy is now unwillingly participating in the routing of web traffic to the Internet.

ProxyBack Analysis

To establish this tunnel, ProxyBack will initially make a connection to a web server hosting a PHP file that simply contains a URL to another PHP file on the same server. This subsequent PHP file will be used by the malware to send commands to the initial web server and fetch information used to set up its proxy connection. Each GET Request Method observed since early 2014 contains a User-Agent string of “pb”, which makes it trivial to detect.

Figure 5 – User-Agent “pb”

The first variable passed, “getip”, to the “command” parameter retrieves the public IP address of the victim proxy.

Figure 6 – “command=getip”

The second variable passed, “getid”, retrieves the ID for the victim proxy, which will be used in subsequent commands to keep track of the victim proxy. From the initial assessment of this malware until today, the ID number has continued to sequentially increment. So far, it has increased by 11,149, which may be indicative of the number of victim proxies compromised.

Figure 7 – “command=getid”

The third variable passed, “ghl”, to the “command” parameter receives an encoded base64 string for a URL. This URL led to another PHP file, which contained a URL to another PHP file; however, the subsequent URLs were never live during analysis.

Figure 8 – “command=ghl”

The fourth variable passed, “dl”, receives an encoded base64 string, “fA==”, which signifies the delimiter to be used in the subsequent command.

Figure 9 – “command=dl”

The fifth variable, “version”, deserves some extra attention as it has changed during the course of this analysis. Initially, the URI included the ID of the victim proxy and the variable “version” passed to the “command” parameter; now, the URI includes the version of the running malware, the victim proxy ID, and the running operating system.

Figure 10 – Old “command=version”

Figure 11 – New “command=version” with current version and OS

Additionally, the ProxyBack malware is capable of reporting the following operating system versions, which suggests it can run on each of them.

Figure 12 – Operating Systems

The content returned from the fifth command remains similar between versions. The “version” variable receives an encoded base64 string that includes the version number of the malware and a URL to the malware version, delimited by the previously retrieved character. Another change noted is that versions were previously in the following format, “17.exe”, “20.exe”, and “41.exe”; whereas in November 2015 they started to include the first three letters of the web server domain in which they are hosted, such as “sof1.8.exe” on “softwearfounds[.]com” and “sky2.1.exe” on “skyjfasters[.]com”.

Figure 13 – Old “command=version” response

Figure 14 – New “command=version” response

Figure 15 – New “command=version” response

At this point, if the version running deviates from the version returned, it will use the GET Request Method and download the version provided in the output of the “version” variable. After that, the process restarts from the beginning but will keep the same ID value that was previously assigned.

Figure 16 – Downloading the new version

The next variable passed, “getbackconnect”, to the “command” parameter is used to get the IP address and port of the remote system with which the victim proxy should establish the reverse tunnel.

Figure 17 – “command=getbackconnect”

Once the ProxyBack malware has this information, it begins the process of building the TCP session to be used over the course of this session. For this particular sample, the destination port provided was “495”. After the TCP handshake completes, a series of packets with PSHACK flags are transmitted back and forth containing data appended to them that control the flow of this process.

The first packet in this series is sent from the victim proxy to the malicious proxy server and includes a sequence number, followed by a null byte, followed by two bytes that serve as delimiters for the rest of the data.

Figure 18 – Sequence 1, Initial PSHACK packet

The proxy server replies with the next packet in the sequence that tells the malware what IP and port to pass as variables in the next GET Method Request to the original server. The last two bytes tell the malware which new socket to open a TCP connection to for transferring the data that is being sent through the TCP tunnel.

Figure 19 – Sequence 2, 0x2EA5DED4 = 46.165.222.212, 0x13FC = 5116, 0x13FA = 5114

ProxyBack now passes the variable “update2” to the “command” parameter with the additional data received from the PSHACK. The web server simply replies with an “Ok”.

Figure 20 – “command=update2”

The next PSHACK in the series is sent to the victim proxy and tells the malware to create a TCP session over the additional port provided in the second sequence of the PSHACK packets.

Figure 21 – Sequence 3, Stop and switch

Figure 22 – Switching ports

The victim proxy sends the 4th PSHACK packet to let the proxy server know it’s ready to continue on the new port.

Figure 23 – Sequence 4, Continuation

Similar to the first packet in this PSHACK series, the proxy server initializes the session with a delimiter to be used in subsequent commands.

Figure 24 – Sequence 5, New delimiter

Also of note is the value 0x02 after the sequence number. This seems to indicate additional commands for this phase are to follow, or possibly the number of packets to expect. The victim proxy responds with the value 0x0500 and then the proxy server sends the final packet in this sequence, which contains an IP address and a destination port, which the ProxyBack malware will open a TCP session with.

Figure 25 – Sequence 5, 0xBC741763 = 188.116.23.99, 0x0050 = 80

Figure 26 – Completing the three-way handshake

After the handshake is complete, the victim proxy notifies the proxy server of the source IP and source port used in the three-way handshake as the last PSHACK packet in sequence 5.

As the last validation step, the proxy server issues a GET Request Method through the tunnel established over TCP/5114 and the victim proxy forwards it on.

Figure 27 – Validating the victim proxy

The return data from 188.116.23.99 is sent back to 46.165.222.212 over TCP/5114 as data in a PSHACK packet, which completes the validation phase. It’s interesting to note that the proxy server IP and “secret” key are included in the URI. The returned data is a serialized PHP formatted configuration file with information about the web server hosting it. The “secret_string” variable observed in the URI and the configuration file has not changed since the first samples were seen in March of 2014.

Figure 28 – Returned configuration

Traffic will begin to flow through the victim proxy once it has been validated.

Figure 29 – Traffic going through victim proxy

Every 27 minutes, the ProxyBack malware on the victim machine will send the “update” variable to the “command” parameter on the original web server hosting the PHP file to see if it needs to change malicious proxies or update its software.

Figure 30 – Software update

To wrap up this section, below are the available commands found in the old and new versions of the ProxyBack malware. Throughout the period this malware was observed, neither “log” nor “update” variables were ever passed to the “command” parameter.

Figure 31 – Available commands
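The check-in pattern described above (User-Agent “pb”, a GET to a .php file with a known “command” value, and base64 responses split by the delimiter returned by “dl”) is easy to turn into analyst tooling. The following is an added example, not Palo Alto Networks’ code or the IPS signature: it scans constructed proxy log lines for the beacon pattern and decodes constructed “dl” and “version” responses. The hostnames, client IPs and victim ID are placeholders.

```python
"""Detect ProxyBack check-ins in HTTP proxy logs and decode its base64
'dl' / 'version' responses (added example; all sample data is constructed)."""
import base64
import re
from urllib.parse import parse_qs, urlparse

# Values the page lists as passed to the "command" parameter.
PROXYBACK_COMMANDS = {
    "getid", "getip", "update", "update2", "version",
    "getbackconnect", "ghl", "dl", "log",
}

# Constructed proxy log lines: <timestamp> <client-ip> <method> <url> <user-agent>
SAMPLE_LOG = """\
1449000001.100 10.0.0.15 GET http://example-host.invalid/cfg.php?command=getip pb
1449000002.200 10.0.0.15 GET http://example-host.invalid/cfg.php?command=getid pb
1449000003.300 10.0.0.15 GET http://example-host.invalid/cfg.php?command=version&id=424242 pb
1449000004.400 10.0.0.22 GET http://www.example.com/index.html Mozilla/5.0
1449000005.500 10.0.0.22 GET http://www.example.com/api?command=list curl/7.47.0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")

# Constructed "version" response: base64 of "<version>|<download URL>".
SAMPLE_VERSION_RESPONSE = base64.b64encode(
    b"1.8|http://example-host.invalid/sof1.8.exe").decode("ascii")


def find_proxyback_beacons(log_text):
    """Return (client_ip, command, victim_id) for every line matching the
    check-in pattern: User-Agent exactly "pb", GET to a .php path, and a
    "command" value from the set observed in the malware."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, method, url, ua = m.groups()
        if ua.strip() != "pb" or method != "GET":
            continue
        parsed = urlparse(url)
        if not parsed.path.endswith(".php"):
            continue
        qs = parse_qs(parsed.query)
        command = qs.get("command", [None])[0]
        if command not in PROXYBACK_COMMANDS:
            continue
        hits.append((client, command, qs.get("id", [None])[0]))
    return hits


def decode_delimiter(dl_response):
    """The 'dl' command returns the base64 delimiter used by later
    responses; the page observed 'fA==', which decodes to '|'."""
    return base64.b64decode(dl_response).decode("ascii")


def parse_version_response(version_response, delimiter):
    """The 'version' command returns base64 of
    '<malware version><delimiter><URL of that version>'."""
    raw = base64.b64decode(version_response).decode("ascii")
    version, url = raw.split(delimiter, 1)
    return version, url


if __name__ == "__main__":
    for client, command, victim_id in find_proxyback_beacons(SAMPLE_LOG):
        print(f"ProxyBack check-in from {client}: command={command} id={victim_id}")
    delim = decode_delimiter("fA==")
    print(parse_version_response(SAMPLE_VERSION_RESPONSE, delim))
```

Pivoting on the victim ID across lines lets an analyst see whether the same host re-registers after a version download, as the page notes the ID is kept across updates.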

Conclusion

When a system infected with ProxyBack was actively operating, there was a sizeable volume of traffic being routed through it. It was clear that there were legitimate, benign users of the SOCKS proxy, along with malicious users as well, further adding weight to the conclusion that this is a proxy service. Users of these services should be aware that their traffic is neither anonymous nor safe from tampering.

Upon review of the web traffic routed through our victim proxy, the majority of that traffic appeared to source from an automated system creating fake accounts and soliciting people across dating sites like “farmersonly.com”, “match.com”, “meetme.com”, and “okcupid.com”. The legitimate traffic included sites like eBay, Twitter, Craigslist, Facebook, Wikipedia, and more.

Another website that stood out during this review was “buyproxy.ru”, which was the only site that seemed to match a proxy service found within our captures. Looking deeper into this traffic, we see a GET Request Method to http://buyproxy.ru/proxy/ at less than 4 hours into our capture, which lists our victim proxy.

Figure 32 – Web source that contains victim proxy

What’s interesting to note here is that our victim proxy’s reverse PTR record is shown in the sixth column, whereas in the second column, our malicious proxy server is listed for users to presumably connect to. In an odd twist of fate, the same users of the service also betray it.

Figure 33 – Proxy connection with “185.72.244.171”

When visiting the buyproxy[.]ru site, it states in their FAQ that they have been in business for over seven years, they provide only private proxy servers that are not in public proxy bases, they average between 700 and 3,000 proxies per day, proxies usually live between 4 and 24 hours, nothing is logged, and they use a “BackEnd proxy” which shares an IP for access but distributes the exit. In addition, on their main page they tout that the connections are encrypted and use a “proprietary technology of traffic tunneling”.

When accessing the site with a registered account, you are presented with three proxy options:

  1. “Private proxy” – Supposedly maintained by “buyproxy[.]ru”.
  2. “Public proxy list” – Public proxies.
  3. “Personal proxies” – Proxies dedicated to the buyer.

Figure 34 – “buyproxy[.]ru” main menu

On the “Private proxy” page we find our victim proxy under the United States, among others. One thing that immediately stands out is the yellow-highlighted entries, which share the same characteristics as our victim proxy: the IP address differs from the listed domain, possibly implying they are also victim proxies.

Figure 35 – Victim proxies

Whether the people behind “buyproxy[.]ru” are responsible for the distribution of the ProxyBack malware or not is unknown; however, it is clear that the ProxyBack malware is designed for, and used in, their service.

Palo Alto Networks has released the IPS signature 14864 to detect and block ProxyBack traffic. WildFire properly classifies ProxyBack executables as malicious and AutoFocus users can track this threat using the ProxyBack tag.

Observed Indicators

Proxy Server IPs


User-Agents

pb

Mutexes

PB_MAIN_MUTEX_GL_63785462387
PB_SCH_MUTEX_GL_A58B78398f17
PB_SN_MUTEX_GL_F348B3A2387

Hosting Web Servers


HTTP Commands

php?command=getid
php?command=getip
php?command=update&id=
php?command=update2&id=
php?command=version&id=
php?command=getbackconnect
php?command=ghl&id=
php?command=dl&id=
php?command=log&id=

HTTP String

BER5w4evtjszw4MBRW

Sample Hashes


[Palo Alto Networks Blog]

The Cybersecurity Canon: Information Warfare: Chaos on the Electronic Superhighway

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall of Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: Information Warfare: Chaos on the Electronic Superhighway (1994) by Winn Schwartau

Executive Summary

So why am I recommending a book from 20 years ago? Because Information Warfare: Chaos on the Electronic Superhighway shows both how far we have come and how little things have changed. Books like this and Bruce Schneier’s Secrets and Lies from 15 years ago stand the test of time and still have something to contribute. This was one of the first books that really laid out the concepts of how economic and military warfare would evolve online.

Information Warfare shows both those foundational ideas on cyber warfare and how some of the issues that are hot now might fade into the background. This book belongs in the Canon due to the foundational and timeless issues it addresses for our industry. It is a quick read and provides critical perspective for anyone serious about strategic issues around cyber warfare.

Review

For context, in the mid-1990s, we had flip cellphones, personal digital assistants (PDAs), U.S. President Bill Clinton and Russian President Boris Yeltsin signed the Kremlin accords, the movie Sneakers was in theaters, DEFCON Conference started, and Kevin Mitnick was arrested. As the threat of apocalyptic global warfare was receding into history, it was being replaced by economic warfare. In the information age, that quickly became information warfare.

Information Warfare is not a technical, how-to guide but rather talks about the strategy and methods involved in information warfare. It is organized as a series of topics, starting with the large picture of Econo-Politics and information’s role in it; then goes from Internet infrastructure issues down to malicious code. Next comes predictions about hardware and chip vulnerabilities, use of electromagnetic eavesdropping, high-energy radio frequency (HERF) guns and electromagnetic pulse (EMP) weapons. Then comes the introduction to the hacker culture at the time, the military perspective, and the categories to frame discussion about info war (i.e., personal, corporate and global). Finally there is a review of defensive techniques for each of the types of warfare and his view on a National Information Policy: A Constitution for Cyberspace and an Electronic Bill of Rights – both of these are still very relevant.

He missed on whether or not techniques like Electromagnetic Pulse, HERF and EMP would become commonly used. In other areas like economic impacts leading to cybercrime, military implications of the Internet, and Cryptography becoming a commercial capability (at the time NSA had declared crypto software like DES to be a weapon), he was right on target.

While the early chapters covered the political landscape of the day, and focused on terrorism heavily, the ideas (while dated) are still applicable today. The discussion on phone phreak hackers stealing long distance reminds us that the hackers have always changed their focus based on business models – now banks are online, so they can go directly to the source. The conversations with some hackers of the time show how they have evolved from hobbyist to full time. Interestingly, while he doesn’t use the present-day term “Internet of Things (IoT),” he does foreshadow the concept.

Conclusion

Information Warfare should be read by anyone who wants a strong background in strategic and military around the concepts and principles of information/cyber warfare. While the use of the term “information warrior” is ubiquitous for both hackers and government agents, their activities and methods still ring true today. Also, the national policy debates presented are still going on. Finally, defending the digital device is still relevant. This is a quick read that provides understanding around how long the “cyber warfare” issues we are dealing with today have been around.

[Palo Alto Networks Blog]

2016 Predictions #13: Security with Agility for Firewalls and Applications

This is the thirteenth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

Addressing the evolving threat landscape is a key factor in security, but organizations also want security that can keep up with the new, distributed and dynamic environments that they are building and adopting. In other words, they want to have their cake and eat it too.

In order to accommodate this shift, security will have to go where the applications, users and data are. And that’s not easy because all three are going everywhere. This new, distributed foundation is the basis for more agile and efficient IT – but it all needs to be secured to deliver benefits at an acceptable level of risk.

In 2016, this need will manifest itself in three key ways:

Develop Full Situational Awareness

Security systems that operate on IT-level context (e.g., applications and users) will become all the more relevant, as “divining” high-level activities based on low-level context (e.g., ports, protocols) is a losing proposition. In other words, higher-level information will drive better security posture.

Programmable, Adaptable Security

Security is rarely an end in itself. When we’ve come to think of it that way, it’s because it was applied to overall environments that were static in nature. Now, with on-demand, elastic environments in vogue, securing capability also has to be dynamic.

Looking Within – the Need for Segmentation

Micro-segmentation has made the topic of segmentation “cool again,” but it’s really broader than just a virtualized data center use case. And it’s not segmentation in the sense of barriers or pure isolation. Elements (e.g., computers) between segments need to interact, but it’s more like a membrane where you get to determine what gets through (in a language that you can understand) and, beyond that, how the interaction is inspected for threats.

Securing a static environment from cyberthreats may be easier to achieve, but customers want more. That’s why, even in the face of ever-increasing threats, security platforms must also account for the new, dynamic and distributed models of IT that organizations are deploying.

Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.


[Palo Alto Networks Blog]

Recruiting For Diversity: How IT Can Welcome New Leaders in 2016

It’s a great year for those with IT skills with the demand booming, but hiring managers are finding themselves up against a wall when it comes to the supply side of the equation – there just isn’t enough talent to go around. Or so it seems. So while those who fit the normal IT profile are likely to be snatched up immediately, there remain plenty of job openings just waiting to be filled. And they can be, but recruiters need to start thinking differently about what an IT professional looks like.

Reconsidering Qualifications
One of the fastest ways to increase the pool of IT talent is to start shifting the emphasis away from requiring four-year college degrees. Instead, IT recruiters should start accepting qualified candidates with IT certificates. So many IT jobs are so specific that the broad knowledge base associated with a bachelor’s degree is unnecessary.

A quality certificate program will give candidates the specific skills they need without the huge time and money investments that come with a four-year degree. From there, companies can identify employees who show potential for further training, including possibly earning a degree, but first recruiters need to open the door to new talent.

Consider Bias
Not only are IT recruiters losing out on talented candidates by focusing on degree qualifications over concrete knowledge—many companies also have walled off their efforts by functioning from a preconceived notion of the IT professional. This image is too often white and male, leaving women and people of color out of the picture.

In many cases, IT companies have built bias into their hiring procedures, largely through networking and old boys’ clubs that readily exclude women and recent immigrants, anyone who isn’t tied to the current startup culture. If a female candidate walks in to interview with a panel of white men, for example, she may immediately feel excluded from the company environment. This can impact the interview quality, as the candidate loses confidence or preemptively accepts that she won’t be hired.

Dedicate Space
Because white men have already colonized so much of the tech industry, sometimes it is not only helpful, but necessary, to dedicate specific space to those historically excluded from the industry. Twitter tried this recently by focusing on bringing women to its Flight conference. This year 29% of attendees were women, compared to only 18% last year.

This success is likely linked to the taskforce of women and minorities in the IT field that Twitter created, a group that networked with Girls Who Code and TechWomen to start shifting the participation and employment demographics in IT. More companies should consider creating teams focused on diversifying the field – Twitter has shown that even a small effort can reap great success.

Train the Next Generation
Ultimately, it may not be possible to remediate the talent shortage in IT immediately – if there aren’t enough trained professionals, even among those with certificate training, then there aren’t enough candidates for the many jobs in IT. The only solution, then, is to start training the next generation, getting them interested in IT careers from a young age. While youth today may be very skilled with navigating the tech world, they often know little about the behind-the-scenes world. That needs to change.

Microsoft is making an effort in that direction, dedicating $75 million over the next three years to build up its YouthSpark program. This program focuses on exposing students to computer science at the primary and secondary school levels with the goal of increasing the number of computer science students at the university level.

With dedicated efforts from major companies like Twitter and Microsoft, the shortage of IT professionals may finally decline in the next few years, but their success won’t just be measured by job slots filled. Until the IT field begins to reflect the diversity of our communities, the field will have a talent shortage. It’s time for recruiters to open the doors and welcome qualified candidates.

Larry Alton
Writer, LarryAlton.com

[ISACA Now Blog]
