Network security management is a critical aspect of any security deployment. However, most administrators would agree that configuring and managing a complete security network could at best be described as a nightmare.
According to AlgoSec, 64% of organizations are consumed with complex management, such as time consuming manual processes, obscured security policies, poor change management, and more. Manual processes also mean a greater likelihood of human error. According to Infonetics, 25% of security network outages are directly related to human error — a scary statistic.
Most security vendors don’t pay much attention to streamlining and simplifying the network configuration and management aspects of deployment. In fact, most security deployments are separate from each other, with differing management consoles and independent rule bases, lacking the ability to communicate with each other.
Ask yourself the following questions to understand if you are spending too much time managing your security deployment:
How many UIs and security rule-bases (URL filter, IPS, firewall, etc) do I manage to keep my network security current?
Can I manage my distributed security network from a central location, or do I need local administrators for each firewall?
What tools do I have that help with reducing manual processes during network configuration or policy development?
Does my security network structure match my organizational structure for a more logical deployment of security policies, or is it unnecessarily complex?
At Palo Alto Networks, network security management is a critical part of a security deployment. This translates not only into efficient management of individual firewalls but also of large distributed networks using our Panorama network security management solution.
Palo Alto Networks next generation security platform offers the convenience of a single user interface, as well as a single security rule-base that can be used to manage security policies for your application control, threat prevention, URL filtering, and more. This significantly streamlines policy management.
Panorama also offers tools that help reduce manual tasks and human errors such as the utilization of template stacks that eliminate manual replication of configuration elements across a distributed network. The ability to import existing firewall configurations with the click of a few buttons eliminates manual re-typing of configurations.
Other focus areas include intuitive network and policy management that enables you to deploy a security network that matches your organizational structure, making management of the security deployment significantly easier and logical.
Click here to learn more about Palo Alto Networks network security management capabilities.
We are excited to announce that Telstra has become the first channel partner in Asia Pacific to achieve the highest level of Diamond Partner Status in our NextWave Partner Program.
Telstra has been a partner of Palo Alto Networks in Australia since 2012. Over the past several years, Telstra has been instrumental in successfully bringing Palo Alto Networks offerings to market in Australia, especially with large enterprise customers.
This recognition was marked with an official signing ceremony at 11 AM today at the Hilton Hotel in Melbourne, Australia. The event was attended by John Ieraci, Director of Security Practices and Euan Prentice, Director of Services Business Development from Telstra, and Steve Redman, Vice President of Asia Pacific and Armando Dacal, Vice President of Australia/New Zealand from Palo Alto Networks.
A June 23 FireEye blog post titled “Operation Clandestine Wolf” discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash. Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.
The UPS group has exploited several zero-day vulnerabilities, most recently using the zero-days released in the Hacking Team breach that we discussed in our July 10 blog post, “APT Group UPS Targets US Government with Hacking Team Flash Exploit”. However, the most recent original zero-day released by this group is tracked by CVE-2015-3113, which has similarities to the once zero-day vulnerabilities CVE-2014-1776 and CVE-2014-6332 exploited by UPS in May and November 2014, respectively. We’ll discuss here the similarities observed between the various components used to exploit these two vulnerabilities, specifically focusing on the malicious Flash files and the payloads delivered.
Malicious Flash Files
Recent zero-day vulnerabilities exploited by UPS exploit or leverage Adobe Flash to exploit other applications on the system. Unit 42 recently analyzed malicious Flash files that exploitedCVE-2015-3113, which was a zero-day vulnerability in Adobe Flash that was patched on June 23, 2015.. During the analysis, we noticed similarities between this malicious Flash file, those that UPS used to exploit CVE-2014-1776, and the proof-of-concept code for CVE-2014-6332, albeit these two Flash files were used to exploit zero-day vulnerabilities in Internet Explorer.
Overlaps within ActionScript
Unit 42 analyzed the ActionScript within malicious Flash files created by UPS that exploited CVE-2014-1776 and CVE-2015-3113 and discovered shared code between the two. First, both ActionScripts contain a function named “hexToIntArray”, which Figure 1 displays side-by-side for comparison. Not only do these files contain the same function name, but they also share the same exact operation codes (opcodes) to carry out its functionality. The existence of the hexToIntArray function in the CVE-2015-3113 sample is rather interesting, as it is never called or used within the ActionScript. We believe that the threat actor used the CVE-2014-1776 ActionScript as the basis for the CVE-2015-3113 file and forgot to remove the unused hexToIntArray function.
Figure 1. Side-by-side comparison of opcodes in hexToIntArray functions
Also, the Flash file exploiting CVE-2015-3113 had a main class named “flappyMan”. This class name was also used in the Flash file that Unit 42 analyzed and discussed in its November 26, 2014 blog titled “Addressing CVE-2014-6332 SWF Exploit”, as well as the proof-of-concept (PoC) for CVE-2014-6332 that is now publicly available in exploit-related forums. According to FireEye’s “Operation Double Tap“, UPS exploited CVE-2014-6332 in its November 2014 attacks; however, UPS used a VBScript to exploit the vulnerability instead of a Flash file. While purely speculation, this overlap in class names between the CVE-2014-6332 PoC and the Flash file exploiting CVE-2015-3113 may suggest that UPS also used Flash files to exploit CVE-2014-6332.
Shellcode Similarities
As with most remote code execution vulnerabilities, UPS’ malicious documents execute shellcode in the event of successful exploitation of either CVE-2014-1776 or CVE-2015-3113. The shellcode found in the UPS delivery documents exploiting both of these vulnerabilities are not the same, but have similarities worth noting.
First, the delivery documents share the same technique of locating API functions, which involves using the rotate right (ror 7 to be specific) instruction on the function name in kernel32.dll and checking it with a specific value. The use of the same rotate right algorithm results in several common constants, such as 0xC917432 that both shellcodes use to locate LoadLibraryA. Second, both shellcodes use a similar method of creating the Unicode string “kernel32.dll”, seen in Figure 2. The shellcodes use the Unicode string and the same method to find the base address of the loaded kernel32.dll module from the LDR structures obtained from the process environment block (PEB). Third, both shellcodes have similar single byte XOR algorithms used to decrypt and later execute the functional payload.
Figure 2. Comparison of Instructions in UPS Shellcodes that Builds Kernel32.dll Unicode String
Steganography to Conceal Payloads
While analyzing the malicious Flash file exploiting CVE-2015-3113, Unit 42 discovered that the ActionScript loaded an animated GIF image. The malware author used steganography to embed an encrypted payload within this animated GIF image. The payload in the CVE-2014-1776 was also embedded within an animated GIF. Ultimately, the shellcode executed in the event of successful exploitation of either of these vulnerabilities decrypt and execute the embedded payload, as mentioned in the previous section. While the animated GIFs themselves are vastly different, as seen in Figure 3 and 4 (payloads removed), the use of steganography and animated images as the carrier of the payload is common between the two campaigns.
Figure 3. Animated GIF “v.gif” from UPS Campaign Exploiting CVE-2015-3113 (click to see .gif)
Figure 4. Animated GIF “anyway.gif” from UPS Campaign Exploiting CVE-2014-1776
Payload Comparison
With the amount of overlap between the other components in these separate campaigns, we decided to compare the Pirpi payloads delivered by the UPS group using CVE-2014-1776 and CVE-2015-3113. From here on, we will refer to these two payloads as Pirpi.2014 (CVE-2014-1776) and Pirpi.2015 (CVE-2015-3113), whose details are listed in Table 1. Unit 42 discovered several similarities between the two Pirpi variants, as well as a few equally important differences, both of which are worth discussing. We also compared the Pirpi.2014 and Pirpi.2015 payloads to other known Pirpi samples in an attempt to determine which variant they most closely resemble.
Table 1. File Details of Pirpi.2014 and Pirpi.2015 Samples
Similarities in C2 Communications
Both Pirpi variants perform an initial check to see if a configuration file exists at %APPDATA%\vcl.tmp or %TEMP%\vcl.tmp depending on the operating system. If it finds one, it decodes it and uses the configuration data it finds inside for C2 communication, otherwise it uses hardcoded C2 domains encoded inside the binary. The malware then creates threads to begin C2 communication.
The Pirpi.2014 and Pirpi.2015 payloads communicate with their C2 by issuing HTTP GET requests to the C2 domain hardcoded inside the payload or within its “vcl.tmp” configuration file. While the structure of the C2 URL differs between the two variants, both use the HTTP Cookie field to transmit data in encrypted form to the C2 domain. Figure 6 shows examples of C2 communications from Pirpi.2014 and Figure 7 shows communication with the C2 of Pirpi.2015 malware variants, both containing data within the Cookie field.
Figure 5. Pirpi.2014 C2 Communication using Cookie Field for Exfiltration
Figure 6. Pirpi.2015 C2 Communication using Cookie Field for Exfiltration
The GET request will return a web page that the malware will parse, specifically looking for encoded commands within two of the HTML tags.
Command Loop Overlap
Once the two Pirpi variants successfully communicate with their C2 server and parse the returned HTML for commands, Pirpi enters a command loop that processes the commands and carries out the respective activities. The command loop for the backdoor remains largely unchanged between Pirpi.2014 and Pirpi.2015 with only two of the commands differing between the two. Table 2 shows the commands that each malware can accept with only the 35 and 36 commands differing between the two Pirpi variants.
Value
Pirpi.2014 Command
Pirpi.2015 Command
1
Launch Process
2
Process Listing
3
Terminate Process
4
Download a file from the C2, launch it, and then delete it
5
Exit the malware
6
Sleep
7
Update C2 configuration and save it to %APPDATA%\vcl.tmp
8
Download a file, load it into memory, then delete the file
9
Load a DLL from %APPDATA% and execute one of its exported functions
10
Do nothing
11
Do nothing
12
List all servers in the domain
13
Get network adaptor information
14
List TCP connection status (netstat)
15
Retrieve information about connected users
16
List servers in the primary domain
17
Locates DCs on a domain
32
Directory listing
33
Upload a file to the C2
34
Delete file
35
Copy file and delete original
Copy file
36
Download and save file
Do Nothing
37
Echo
38
Execute Process
49
Get location of configuration file and set as current working directory
Table 2. Commands Available within Pirpi.2014 and Pirpi.2015
Anti-Disassembly
The UPS threat group is a fan of one anti-disassembly trick that can be seen in both Pirpi.2014 and Pirpi.2015. It plays upon the order IDA Pro disassembles instructions. As you can see in the code sample in Figure 6 from Pirpi.2014 there is a “jump above” instruction, followed by a “jump below or equal” instruction which just falls through to the next instruction. This fall-through code path will never get executed since the jump occurs if 0x58693C96 > 0x0D7F31B4.
Figure 7. Code Showing Anti-Disassembly Technique used in Pirpi Tool
IDA Pro’s disassembly sequence follows the fall-through branch of conditional jumps first, and thus in the previous instruction sequence, IDA keeps disassembling one instruction after another. When IDA goes back to disassemble the jump target for 0x10009133, it finds it pointing to the middle of an instruction. This stops IDA from being able to draw function borders, view a function in graph mode, or decompile with Hex-Rays. To solve this, undefine all of the code that will not be executed, and define code starting from the target of the conditional branch (in this case 0x1000913E), as seen in Figure 7.
Figure 8. Fixing Anti-Disassembly Trick used by Pirpi Tool by Undefining Errant Instructions
You will now be able to create a function to improve your ability to do analysis. To make this easier, use an IDA Pro script to fix these anti-disassembly tricks. Please note that this script specifically targets the anti-disassembly used in Pirpi and other UPS samples. It may cause issues with malware that uses other anti-disassembly tricks. Use with caution.
Notable Differences
The first major difference between the Pirpi.2014 and Pirpi.2015 variants is in the way the command loop is executed in each backdoor. In Pirpi.2014, the malware uses a simple state machine that executes code blocks that correspond to a state value, which the malware updates at the end of each code block. Many of these code blocks include sleep functions, however, if the state value is set to the correct value, the malware executes a code block that contains the command loop. The purpose of this state machine is to intentionally delay the malware’s execution of the command loop.
In Pirpi.2015, the malware implements a second state machine that executes the Pirpi.2014 state machine as one of its code blocks. The second state machine introduces a large number of randomized sleep functions, causing the malware to take much longer to execute its command loop. The majority of code blocks in the second state machine either sleep, or create threads and wait for them to finish. The malware author likely implemented these state machines as an anti-debugging technique and to defeat most modern sandbox solutions.
The second difference between the two Pirpi variants involves the encoding algorithm, which has improved greatly in the past year. Contained in the binary is an invertible math function for encoding and decoding of data. In Pirpi.2014 this function is rather simple, involving a few mathematical operations. However, in Pirpi.2015, the algorithm when decompiled is more than 300 source code lines of mathematical operations.
Other Pirpi Samples
FireEye released two reports in 2014 about APT3 phishing campaigns, Operation Doubletap and Operation Clandestine Fox. Each report containins md5s of other Pirpi samples that were available on VirusTotal. In addition, simple VirusTotal searches resulted in a few more Pirpi samples that came from the same code base. Table 3 contains the file information for each of these Pirpi samples.
Table 3. Details of Pirpi Samples from FireEye Reports and Samples that Share the Same Code Base
The sample listed as “{FireEye Report Sample}” in Table 3 is simply a dropper and loader for msupd.dll sample. Unit 42 compared all of the DLL samples listed in the table above and found that they are most closely related to Pirpi.2014. Table 4 below shows the statistics from Zynamics BinDiff from comparing each of the DLLs with Pirpi.2014 and Pirpi.2015.
Sample MD5
Pirpi.2014 Bindiff
Pirpi.2015 Bindiff
Similarity
Confidence
Similarity
Confidence
FA3578C2ABE3F37DDDA76EE40C5A1608
89.5%
98.6%
29.8%
69.5%
1A4B710621EF2E69B1F7790AE9B7A288
92.7%
98.8%
29.4%
69.5%
F4884C0458176AAC848A911683D3DEF5
91.4%
98.7%
29.6%
71.6%
4CA97FF9D72B422589266AA7B532D6E6
93.7%
98.7%
30.7%
71.6%
B48E578F030A7B5BB93A3E9D6D1E2A83
100%
100%
34.3%
73.0%
1B0E6BA299A522A3B3B02015A3536F6F
34.3%
73.0%
100%
100%
Table 4. Resulting Similarity and Confidence Rates of Pirpi Samples
Conclusion
The UPS threat group continues to exploit zero-day vulnerabilities in their campaigns, which shows that this group is quite sophisticated and has access to significant resources. Within their attack campaigns involving zero-days, UPS has consistently reused delivery techniques and code within various components of the attack. UPS has relied on steganography to conceal the payloads delivered after exploitation of zero-days by embedding payloads, specifically the Pirpi backdoor within animated GIFs. This group also reuses portions of their ActionScript within their malicious Flash files used to exploit vulnerabilities, as well as sharing portions of shellcode that executes after exploitation.
In regards to similarities amongst payloads, UPS delivers variants of the Pirpi backdoor that are typically very similar to each other. The Pirpi backdoors we analyzed use the same configuration file, a common C2 communications channel and a similar command handler. Also, the author of Pirpi includes several notable fingerprints within the code, specifically using a unique state machine and anti-disassembly techniques. Organizations can use all of these overlaps and similarities to track and hopefully protect themselves from this advanced adversary. AutoFocus users can identify Pirpi payloads with the Pirpi tag (Figure 9). WildFire automatically classifies Pirpi samples as malicious and we have released IPS signature 14643 to detect Pirpi C2 communications.
Cyber attacks are on the rise and the costs to businesses are increasing – recent estimates show that this could be as much as $USD500,000 and take an average of 24 days to identify and resolve. These figures in isolation make the situation appear dire. But understanding the cyberattack lifecycle before it reaches your data center – how a breach occurs, what happens once it’s in, and even just how long it takes to resolve – means you’re in the best position possible to prevent a successful attack from taking place at all.
Think about securing your organisation not as a house, with your security at front and back doors, but as a hotel, with security segmented by rooms and access levels. Network segmentation means multiple layers of protection that prevent hackers from moving freely within the network should they break through one layer.
Monkeys move with curiosity, agility and speed. When competing for a prize, they focus on their prize and use their knowledge to race to where the prize will be, not where it was. They quickly adjust their speed to match the speed of the situation. Creatures of the wild take advantage of their capabilities in their environment.
We can all stand to learn from these animals because a contributing factor to security failure root cause is frequently the organization’s inability to move at the speed of the wild.
After presenting at ISACA and IIA programs earlier this year, I heard a common statement from auditors: “it is all moving too fast.”
Auditors described how they attempted to apply audit methods (even good ones) and yet suffered security problems. “We just need more auditors,” said one in exasperation.
Will more auditors fix security? No. As those familiar with ISACA know, there is a big difference between the methods for daily use of a COBIT implementation and a periodic audit of a COBIT implementation.
Assurance is about whether policy, procedure, standards and such existed and were complied with at a past point in time. Audit “risk assessment” is about top priorities for audit, not about risk to specific business objectives in a dynamic world. Audit scope may be any agreed-upon bite-sized piece, not the organization’s entire dynamic world.
Security must happen every second of everyday. The scope is the entire living system with all its change, complexity and fatigue in people and equipment. Security must adjust to each change in actor, action, attack method, infrastructure configuration and timing.
Assurance methods may be used to audit whether appropriate security processes exist. Assurance methods should never be used to actually manage security—they are simply the wrong tool for that job.
Because assurance is about achieving business objectives, the audit function is central to assuring the right tool is used for the job.
The wrong tool for the job often increases risk and wastes time and money. Worse, it might provide a false sense of security and divert attention from higher priorities.
Looking to the future, the wrong tools will increasingly struggle as attackers learn more lessons in deception from the history of warfare, sports or the wild.
Methods must change. To meet the threat, methods must be able to move at the speed of the wild. Further, methods must succeed in the “dirty” wild—a system where users and devices frequently change.
Designed to move at the speed of the wild is the 5+2 Step Cycle for managing risk. Step 1 is “know the business,” including “dirty” environments. Step 2 is “what if?”—the heart of managing risk. By understanding the speed at which a scenario unfolds, a response can be designed in light of the entire system and how a system is likely to fail.
The 5+2 Step Cycle achieves this speed because it was designed to:
Be simple, to avoid adding complexity to system complexity and thus increasing risk
Save time and money—effectively creating resources thus easing the struggle to “prioritize”
A stark reminder of what happens when the response cannot match the speed of the situation is this new video from the U.S. National Transportation Safety Board. In aviation, the Commercial Air Safety Team (CAST) was created to avoid accidents. CAST’s award-winning progress was a fundamental shift.
In security, benefits of making the shift start with fewer ugly surprises, more actionable insight, and reduced time and cost. Your opportunity today is to shift to the right tools designed to move at the speed of the wild.
Brian Barnier Principal Analyst & Advisor, ValueBridge Advisors, USA
