Today’s cyberattacks on enterprises are persistent and advanced; no enterprise is 100 percent secure. It is no longer sufficient to focus only on prevention and detection. Enterprises need to consider cybersecurity from this standpoint and make it part of an integrated, holistic, enterprise-wide approach.
With cyber incidents increasing, it is important for businesses to become cyberresilient: able to anticipate, withstand and recover from attacks. Given the rapid evolution of cybercrime, this is more than an issue for the IT department; it is an issue for everyone in the business. The National Association of Corporate Directors, for example, encourages boards of directors to take a role in ensuring that management is fully engaged in developing response plans.
The engagement must include understanding and prioritizing stakeholder needs, identifying the core business processes and understanding the potential impact of a cyberincident on the business. To help businesses approach cybersecurity holistically, ISACA recently released a new guide, The Cyberresilient Enterprise: What the Board of Directors Needs to Ask.
The 19 key questions boards should ask include:
Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?
To what extent have essential services and functions been identified and programs implemented to provide for their resilience in the event of a disruption or cyberincident?
As the paper points out, board members need to evaluate the operational risk inherent in today’s digital business and direct management so that the enterprise is more than just protected—it is resilient. If boards dig deep and receive appropriate answers to these questions, they can help ensure the resiliency of the enterprise as it continues its mission of value creation.
Ron Hale, Ph.D., CISM, Chief Knowledge Officer of ISACA
For the full list of questions and to download The Cyberresilient Enterprise: What the Board of Directors Needs to Ask, visit www.isaca.org/cyberresilient.
Retefe is one of the most narrowly targeted banking Trojans currently in the wild. While other families such as Zeus and Citadel are widely used by attackers targeting banking websites around the world, Retefe is consistently used against victims in Sweden, Switzerland and Japan.
In the last two weeks we have used AutoFocus to detect a surge of e-mails, each carrying the Retefe Trojan and targeting organizations in Western Europe and Japan.
Figure 1: AutoFocus map of recent Retefe Trojan recipients
The attack e-mails are using a variety of “order” and “receipt” themes, each tailored to the country they are targeting and using dated file names to make them appear more relevant. The e-mails most often claim to be from a local electronics retailer.
Figure 2: Retefe sample delivered to Swedish target.
On a global scale, Retefe is a rather small threat, but that appears to be by design. The malware hijacks connections to Swiss, Swedish and Japanese financial institutions to assist the attacker in committing fraud. The malware carried in the most recent campaigns also downloads and installs the Smoke Loader Trojan, which is a modular backdoor capable of stealing credentials and installing additional malware.
Retefe Behavior
Retefe differs from most banking Trojans, which typically hook the web browser to capture login credentials before they are encrypted with SSL/TLS and sent to the bank’s web server. Instead, Retefe uses Windows PowerShell to run a series of commands that install a new root certificate on the system and a proxy configuration that re-routes traffic to the targeted banking websites.
The Retefe Trojan writes the root certificate to disk and then uses the following command to install it on the system.
Retefe has used many certificates in the past, but the latest one is a fake “thawte, Inc.” certificate. Only the subject name imitates the genuine thawte root; the key and thumbprint are the attacker’s own, so a root-store review that goes by issuer name alone will not catch it, whereas comparing thumbprints against the known-good thawte root (or against the Microsoft trusted root list) will.
Figure 3: Fake “thawte, Inc.” Root Certificate installed by Retefe.
After installing the certificate, Retefe makes an HTTPS request to a server to retrieve JavaScript code, in effect a proxy auto-configuration (PAC) script, that reconfigures the system proxy settings for web browsing so that traffic for specific banking domains is routed through a server controlled by the attacker; all other traffic continues to go direct, which keeps the infection unobtrusive. The proxy server performs a man-in-the-middle attack against that traffic, decrypting and possibly modifying the request before re-encrypting the data and passing it on to the bank. Because the proxy presents the browser with a certificate for the bank’s domain that chains to the fraudulent root, the browser treats the connection as legitimate; installing the root certificate is what prevents users from receiving a warning that the website they are contacting should not be trusted.
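As an added example (not part of the original post, and not Retefe’s actual configuration), the following Node.js script shows how an analyst can evaluate a captured PAC-style script offline to see exactly which hosts it diverts and to which proxy. The PAC body, the example-bank.* domains and the 203.0.113.10:8080 proxy address are constructed placeholders; the dnsDomainIs and shExpMatch helpers are minimal re-implementations of the built-ins a browser normally supplies to FindProxyForURL.

```javascript
// Offline triage of a proxy auto-configuration (PAC) script of the kind
// Retefe's C2 returns. Everything below is a constructed illustration:
// the PAC body, the example-bank.* domains and the 203.0.113.10:8080
// proxy (a documentation-range address) are placeholders, not indicators
// taken from a real sample.

// Minimal re-implementations of the PAC built-ins the sample uses. A real
// browser supplies these (plus isInNet, myIpAddress, etc.) to FindProxyForURL.
const pacHelpers = {
  // true if host equals domain or ends with ".domain" (leading dot optional)
  dnsDomainIs(host, domain) {
    const bare = domain.replace(/^\./, "");
    return host === bare || host.endsWith("." + bare);
  },
  // shell-style glob: "*" matches any run of characters, "?" matches one
  shExpMatch(str, pattern) {
    const re = pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".");
    return new RegExp("^" + re + "$", "i").test(str);
  },
};

// Constructed sample PAC: diverts three fictitious banking hosts through the
// attacker's proxy and leaves everything else DIRECT so the infection stays
// unobtrusive.
const samplePac = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.example-bank.ch") ||
      dnsDomainIs(host, "ebanking.example-bank.se") ||
      shExpMatch(host, "*.example-bank.jp")) {
    return "PROXY 203.0.113.10:8080";
  }
  return "DIRECT";
}
`;

// Compile the PAC source into a callable FindProxyForURL with our helpers in
// scope. This runs attacker-supplied code in-process: do it only in an
// isolated analysis VM.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate each host and return only those the PAC does not send DIRECT,
// mapped to the verdict string (e.g. "PROXY 203.0.113.10:8080").
function triagePac(pacSource, hosts) {
  const findProxy = loadPac(pacSource);
  const hijacked = {};
  for (const host of hosts) {
    const verdict = String(findProxy("https://" + host + "/", host));
    if (!/^\s*DIRECT\s*$/i.test(verdict)) hijacked[host] = verdict;
  }
  return hijacked;
}

// Collect the distinct proxy endpoints named in the verdicts: these are the
// attacker-controlled servers to block and to hunt for in proxy and DNS logs.
function proxyEndpoints(hijacked) {
  const endpoints = new Set();
  for (const verdict of Object.values(hijacked)) {
    for (const m of verdict.matchAll(/PROXY\s+([^;\s]+)/gi)) endpoints.add(m[1]);
  }
  return [...endpoints];
}

// Constructed host list: three targeted hosts, one unrelated site, and the
// bare apex of a targeted domain (which the "*." wildcard does not cover).
const sampleHosts = [
  "www.example-bank.ch",
  "ebanking.example-bank.se",
  "login.example-bank.jp",
  "example-bank.ch",
  "www.example.com",
];

const hijacked = triagePac(samplePac, sampleHosts);
console.log("Hijacked hosts:", hijacked);
console.log("Proxy endpoints:", proxyEndpoints(hijacked));
```

The hosts that come back with a PROXY verdict are the ones the configuration hijacks, and the collected endpoint is what to block at the perimeter and search for in proxy and DNS logs. Note that example-bank.ch itself stays DIRECT because the wildcard pattern requires a subdomain, so the host list you evaluate should include both apex domains and the subdomains customers actually visit. Evaluate real samples only in an isolated analysis VM: new Function executes the script with the privileges of the Node process.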
The Retefe command and control server appears to only return this proxy configuration code if the infected host is located in Switzerland, Sweden or Japan. Retefe changes command and control servers frequently, but the most recent campaigns use domains that mimic the names of VPN services, including:
securevpnalarm.net
hsshvpn.net
After installing the certificate and reconfiguring the system proxy, Retefe uses another PowerShell command to download an additional executable. In many cases we have identified this malware as a variant of Smoke Loader, a modular backdoor Trojan capable of stealing credentials from the infected system.
Retefe variants download additional malware from multiple URLs, but in most cases the server hosting the executable is a compromised website hosted in the country being targeted by the sample. Below is one example of the PowerShell script that initiates the download and executes it.
We suspect the actors behind Retefe began downloading Smoke Loader to help monetize infections on systems outside their three targeted countries, where the banking proxy configuration is never delivered.
Conclusion
While Retefe’s distribution is small on a global scale, its attacks are specifically targeted at online banking customers in just a few countries. The most recent campaign shows that Retefe may also threaten users in other countries as the actors begin using existing infections to install additional malware.
Palo Alto Networks WildFire identifies Retefe and Smoke Loader samples as malicious and AutoFocus users can identify these samples using the SmokeLoader and Retefe tags.
Palo Alto Networks was at the Gartner Security & Risk Management Summit in Brazil last week, and while we were there, Arthur Capella, Palo Alto Networks Country Manager – Brazil, spoke with Bit Magazine about how our next-generation firewall technology detects new threats and shares that knowledge, creating an effective network of corporate protection.
Capella also touched on good technology practices: instead of banning applications outright, employers should manage their use in an intelligent and responsible way to maximize employee productivity without compromising security.
Yoga is a popular science and art of well-being. Its benefits range from as modest as being helpful for fixing specific ailments or disorders to transforming one’s body-mind communion to attain a state of eternal exhilaration and union, by aligning oneself with the world and nature.
Consider applying the concept of yoga to enterprise IT—if business is seen as the body, information surely is its mind. And, the right information at the right time with the right person can make the difference between exceptional success and dooming failure.
Given that we now inhabit an increasingly connected digital world, there is less disagreement on the ever more critical dependence on IT. Businesses clearly recognise the strategic nature of IT, but also often find themselves entangled in a range of IT pains and disillusioning disorders. Such issues include IT operational issues, IT project failures, cost over-runs and data breaches and a stagnating, or, at the other extreme, hyper IT that keeps costing resources and attention, without synchronised business deliveries. Baffled with finding the answers, organisations increasingly tend to find themselves at a loss when it comes to ascertaining the right approach to making IT work optimally for business.
COBIT 5 is a framework for the governance of enterprise IT that provides compelling reasons for a shift in an enterprise’s approach to managing and governing IT. Built on five key principles, COBIT 5 resonates with yogic thinking in many ways: starting from stakeholders’ needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach and separating governance from management.
Many organisations suffering from acute or chronic IT operational and management issues have found solutions in COBIT 5 that effectively alleviate their burning pain points. But then there are the larger and often constipated IT governance questions of finding sustainable ways to make enterprise IT naturally meet strategic, compliance and reporting needs. Profound IT governance issues include chronic disorders such as IT management deadlocks, certification fatigue, and goal disconnects between the board, the executive level and the underlying operational layers. Governance issues can also include, as mentioned previously, either a stagnating or disintegrating IT or a hyper IT.
As with yoga, there is emerging realisation that in the digital connected world, there are fewer chances for a business entity to achieve sustainable growth, unless it clearly recognises how it can make a difference to the world at large. There is a need for moving from an inside-out-focused thinking to one that is outside-in-driven. The focus on the goal needs to clearly shift from chasing profits and numbers to being relevant and making a difference to stakeholders, and aligning enterprise IT capabilities accordingly.
As a first step, take a cue from the transformational aspects of yoga that first looks at transforming the fundamental thinking through deeper introspection on questions such as, “Why do I exist?” Enterprise leadership could apply this question in their capacity as stakeholder representatives. That would help trigger a whole business-IT (body-mind) transformation at every layer. And, when an organisation experiences such a transformed realisation, suddenly it tends to be unexpectedly rewarded with answers and solutions that appear to be so simple—as if they were always there—and loaded with eternal benefits for all stakeholders.
To achieve this, an organisation would need to look within. It needs to challenge its approach at every layer of enterprise IT to see if what is being done has the goal of stakeholder value maximisation in mind, rather than the narrow perspective of maximising its own profits and numbers. All of this means experiencing information and IT capability empowerment at every level—not for mere IT sake but for governance sake.
Much like there is no one form of yoga that fits all, there is also no one COBIT 5 approach that will fit every organisation. Every organisation will, according to its near- and long-term goals, need to churn through the COBIT 5 guidance to concoct its own IT governance framework that aligns with its business and enterprise IT needs. Besides, an IT governance approach founded on COBIT 5 not only co-exists very well, but also inspires greater alignment with various standards that an enterprise considers as relevant.
If approached and practiced diligently enterprise-wide, every organisation could experience several rewards that include quality information-driven decisions, maximising stakeholder value from IT enabled investments, IT operational excellence, and IT risk and resource optimisation.
Hence, it may not be out of place to believe that to survive and sustain in the emerging global cyber economy, enterprises could do well to move from their narrow pursuit of IT happiness to a broader expression of enterprise information-aligned IT joy!
Vittal Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, COBIT 5 Foundation Accredited Trainer, Founder and Partner of M/s. Kumar & Raj, and Director at Pristine Consulting Private Limited
Earlier this week Mark Anderson and I had the distinct honor of unveiling our five Global Partner Award Winners as part of our FY16 Sales Kickoff.
This year’s Sales Kickoff was a milestone event for us, as this was the first time in our company’s history that we invited partners from around the world to join our Sales Kickoff Meeting. The reason is simple: partners are not an extension of our global salesforce…they are an integral part of it.
Recognizing the best of the best is a global activity that has stood the test of time. Whether you are reaching back in history to the early days of competition and the quest for Olympic Gold or you are talking about today’s modern business world, teams and individuals are working hard to earn the prestigious honor of being recognized as the best.
And when you are competing in a partner ecosystem in which 481 partners grew more than 100% year-over-year, these awards truly recognize the best of the best, which is why I wanted to highlight them in this blog post.
We recognized five partners for their superior performance in the following areas: year-over-year growth, enablement, joint planning and services capabilities. And the winners were:
Americas Partner of the Year: Optiv
Accepting the award is Dan Wilson, Executive Vice President of Partner Strategy
APAC Partner of the Year: Telstra
Accepting the award is Euan Prentice, Director of Services Business Development
EMEA Partner of the Year: Dimension Data
Accepting the award is Chris Jenkins, General Manager Security, Europe
Global Distribution Partner of the Year: Westcon Group
Accepting the award is Bill Corbin, Executive Vice President, Global Partner Management and Business Development
Japan Partner of the Year: Techmatrix
Accepting the award is Takaharu Yai, Director Senior Operating Officer General Manager
I want to thank all 548 partners from around the world that joined us in Las Vegas this week. Palo Alto Networks wouldn’t be the company it is today without you, but more importantly we can’t succeed in the future without you.