APT Group UPS Targets US Government with Hacking Team Flash Exploit

On July 8, 2015, Unit 42 used the AutoFocus Threat Intelligence service to locate and investigate activity consistent with a spear-phishing attack targeting the US Government. The attack exploited an Adobe Flash vulnerability that stems from the zero-day vulnerabilities exposed from this month’s Hacking Team data breach.

The spear-phishing attack used a link to a Flash exploit hosted on two subdomains of a legitimate website, perrydale[.]com: rpt.perrydale[.]com and report.perrydale[.]com. Both subdomains resolve to the same Ukraine-based IP, 194.44.130.179.

There are no indications at this time that the actual website has been compromised; this is more likely a case of DNS hijacking. The Flash exploits, located at rpt.perrydale[.]com/en/show.swf and report.perrydale[.]com/ema/show.swf, leverage one of the newly disclosed vulnerabilities from the Hacking Team data breach, CVE-2015-5119. Successful exploitation leads to the affected host retrieving a secondary payload, b.gif, also located on the same two subdomains as the Flash exploit.

This attack shares similarities with a previous targeted attack, also using a Flash exploit, leveraging what was at the time a zero-day vulnerability in CVE-2015-3113. Analysis of both malicious Flash files indicates both these attacks are attributed to the APT group known as UPS or APT3.

ActionScript

The malicious Flash file, show.swf, contains ActionScript that attempts to exploit a vulnerability and execute shellcode to ultimately install a payload. show.swf is composed of the following ActionScript classes:

  • MainClass.as
  • MyClass.as
  • MyClass1.as
  • MyClass2.as
  • MyUtils.as
  • ShellWin32.as

Preliminary analysis of class names revealed overlap with one of the two Flash zero-day exploits disclosed following the Hacking Team breach. When comparing the classes above with those associated with Hacking Team’s Flash zero-days, we found that MyClass.as, MyClass1.as, MyClass2.as, MyUtils.as and ShellWin32.as were shared within show.swf and Hacking Team’s Flash exploit. In addition, there are several log messages as well as multiple function and variable names that exist in the ActionScript classes in both the UPS and the Hacking Team’s Flash files. The most important overlap occurs in the “TryExpl” function within MyClass.as, where the same functions and variables are used to create the use-after-free condition caused during the exploitation of the CVE-2015-5119 vulnerability. Figure 1 shows the code in the “TryExpl” function that causes the use-after-free vulnerability found in both the UPS and the Hacking Team’s Flash exploits. Also, the error message “can’t cause UaF” is found in both exploits.

Figure 1. ActionScript Causing the Use-After-Free Vulnerability

While analyzing the MainClass portion of show.swf, we also observed functions shared with a previous attack attributed to UPS that was designed to exploit an earlier Flash zero-day, CVE-2015-3113. The CVE-2015-3113 ActionScript is publicly available and can be obtained from the following link:

https://gist.github.com/mak/bd71962aae98ab0b0441

The shared function names, seen below, include several functions used for data type manipulation, logging, and decrypting the shellcode executed in the event of successful exploitation:

  • decode
  • hexToIntArray
  • logMsg
  • func_prepare
  • hexToBin

The most obvious overlap between the two ActionScripts involves the shared variable name “m_scKey”, which is a variable that stores the RC4 key that the ActionScript will use to decrypt the shellcode.

Shellcode

When the Flash vulnerability is successfully exploited, shellcode executes that extracts and decrypts a payload embedded in an animated GIF image. During analysis, Unit 42 was unable to obtain the payload; the “b.gif” file received was not weaponized, as it does not contain an encrypted payload. There are two likely reasons for this: UPS is known to serve malicious payloads only within very limited windows of time during an attack, and even then only to victims that fit the desired profile.

The technique of extracting and decrypting a payload from within an animated GIF image was also used by UPS in the attacks exploiting CVE-2015-3113. Using Zynamics’ BinDiff to compare the two, we found 99% similarity with 99% confidence between the 5119 shellcode and the 3113 shellcode. Manual comparison of the code confirmed the high similarity and confidence rates calculated by BinDiff.

The technique of locating the payload embedded in the animated GIF is the same in both the 5119 and the 3113 shellcodes. Additionally, both shellcodes use exactly the same algorithm and key values to decrypt the payload from ciphertext to cleartext: an XOR, a subtraction and a second XOR instruction with the key values 0x12, 0x11 and 0x85, respectively. In fact, we compared the two shellcodes side by side and found that only one instruction was added to the 5119 shellcode, as seen highlighted in red in the image below.
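The byte-level decoding the post attributes to both shellcodes (XOR 0x12, subtract 0x11, XOR 0x85), written as an analyst-side script for recovering a payload from a captured GIF; this is an added example, not code from the Unit 42 post or from the shellcode itself. The post does not describe how the shellcode locates the payload inside the GIF, so find_encrypted_pe() is an assumed heuristic (scan for an offset whose decoded bytes look like a PE header), and all sample data is constructed.

```python
from typing import Optional

# Key values as stated in the post: XOR, then subtract, then XOR.
KEY_XOR1, KEY_SUB, KEY_XOR2 = 0x12, 0x11, 0x85


def decode_payload(ciphertext: bytes) -> bytes:
    """Ciphertext -> cleartext: XOR 0x12, subtract 0x11 (mod 256), XOR 0x85."""
    out = bytearray(len(ciphertext))
    for i, c in enumerate(ciphertext):
        b = c ^ KEY_XOR1
        b = (b - KEY_SUB) & 0xFF          # 8-bit wraparound, like a SUB on a byte register
        out[i] = b ^ KEY_XOR2
    return bytes(out)


def encode_payload(cleartext: bytes) -> bytes:
    """Inverse of decode_payload; used here only to build the constructed sample."""
    out = bytearray(len(cleartext))
    for i, p in enumerate(cleartext):
        b = p ^ KEY_XOR2
        b = (b + KEY_SUB) & 0xFF
        out[i] = b ^ KEY_XOR1
    return bytes(out)


def find_encrypted_pe(blob: bytes) -> Optional[int]:
    """Assumed locator heuristic (not the shellcode's own): return the first
    offset at which decoding yields 'MZ' and a 'PE\\0\\0' signature at e_lfanew."""
    for off in range(max(0, len(blob) - 0x40 + 1)):
        if decode_payload(blob[off:off + 2]) != b"MZ":
            continue
        dos_header = decode_payload(blob[off:off + 0x40])
        e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
        sig_off = off + e_lfanew
        if e_lfanew < 0x40 or sig_off + 4 > len(blob):
            continue
        if decode_payload(blob[sig_off:sig_off + 4]) == b"PE\0\0":
            return off
    return None


def extract_payload(gif: bytes) -> Optional[bytes]:
    """Locate and decode the embedded payload, or None if nothing plausible is
    found (a non-weaponized b.gif like the one the post received ends up here)."""
    off = find_encrypted_pe(gif)
    return None if off is None else decode_payload(gif[off:])


# Constructed sample: a minimal fake PE image placed after a GIF trailer byte (0x3B).
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\xCC" * 16
GIF_PREFIX = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 8 + b"\x3B"
SAMPLE_GIF = GIF_PREFIX + encode_payload(FAKE_PE)
EMPTY_GIF = GIF_PREFIX                        # stands in for a non-weaponized b.gif

if __name__ == "__main__":
    payload = extract_payload(SAMPLE_GIF)
    print("payload offset:", find_encrypted_pe(SAMPLE_GIF), "bytes:", len(payload or b""))
    print("non-weaponized sample:", extract_payload(EMPTY_GIF))
```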

Conclusion

These attacks highlight how sophisticated APT groups such as UPS can quickly leverage new vulnerabilities in their attacks. A patch is available for this vulnerability, but was only released on the same day of weaponization, which leaves very little time for any organization to patch effectively. Due to the highly targeted nature of this type of attack, traditional detection methods via known IOCs can be challenging. Deployment of automated, behavioral preventative measures such as Palo Alto Networks Traps can significantly reduce organizational risk to these types of attacks.

Indicators of Compromise

SHA256

  • a2fe113cc13acac2bb79a375f692b8ba5cc2fa880272adc7ab0d01f839e877ff

Domains

  • rpt.perrydale[.]com
  • report.perrydale[.]com

IPs

  • 194.44.130.179

URLs

  • rpt.perrydale[.]com/en/show.swf
  • report.perrydale[.]com/ema/show.swf
  • rpt.perrydale[.]com/en/b.gif
  • report.perrydale[.]com/ema/b.gif

[Palo Alto Networks Blog]

The Cybersecurity Canon: Tallinn Manual on the International Law Applicable to Cyber Warfare

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member Robert Clark

Tallinn Manual on the International Law Applicable to Cyber Warfare

Executive Summary

The director of this project states it best:

[T]he product of a three-year project by twenty renowned international law scholars and practitioners, the Tallinn Manual identifies the international law applicable to cyber warfare and sets out ninety-five black-letter rules (95 rules) governing such conflicts.  It addresses topics including sovereignty, State responsibility, the jus ad bellum, international humanitarian law, and the law of neutrality.  An extensive commentary accompanies each rule, which sets forth each rule’s basis in treaty and customary law, explains how the Group of Experts interpreted applicable norms in the cyber context, and outlines any disagreements within the group as to each rule’s application. [1]

Key to understanding this application of international law to cyberspace operations is understanding what the Tallinn Manual is not.  It is not a commentary on cyber activities that occur below the level of a ‘use of force’ as set forth in the UN Charter, such as cyber criminality; moreover, it only comments on the legality of cyber intelligence activities as they relate to the issues of ‘use of force’ or ‘armed attack.’ [2]  Also, the Tallinn Manual recognizes that cyber espionage and theft of intellectual property pose real and serious threats to all states, as well as corporations and private individuals, but it is not the aim of the authors to address such matters. [3]

Cybersecurity Canon candidate books are supposed to be essential to the cybersecurity practitioner.  As a practicing computer network operational attorney, this book is not only required reading: it is malpractice if you don’t read it.  Similarly, for technologists and cybersecurity practitioners, it is a must read, particularly after the redefining of computer network defense roles due to the Sony cyberattack. [4]  To understand the various authorities of the multiple disciplines involved in computer network defense requires, first and foremost, an understanding of the incidents, intrusions, use of force, and yes, attacks that occur in cyberspace.  The Tallinn Manual provides an essential education into these legal differences.

About the People

The Tallinn Manual was drafted by an “International Group of Experts,” including distinguished legal academics and practitioners, supported by a team of technical experts. [5]  A select group of peer reviewers offered comments on the various drafts, as did a number of states that were willing to informally and unofficially do so. [6]

The initial criticism of the Tallinn Manual focuses on the fact that “[T]he legal experts that wrote it have distinctly American and Old European backgrounds.” [7]  Similarly, others noted the absence and criticism of China or the Russian Federation. [8]  The Russian authorities have taken a very guarded view of the Manual.  Moscow thinks its publication is a step toward legitimizing the concept of cyberwars. [9]

Moreover, it is hard to overlook that there was a complete lack of scientists from the former Warsaw Pact countries among the legal experts partaking in the project.  It seems that despite there being a NATO competence centre in Tallinn, the leaders of the project seem to think that there is not much competence in international law in the area.  Even if we excluded the Baltic states – was it really impossible to find top-level legal experts from Poland, Hungary, the Czech Republic or Slovakia who could have had a say on the topics of the legality of the use of armed force, international humanitarian law, and the responsibility of the state? [10]

This criticism did note:

[N]obody is forbidding other countries from starting their own science projects or telling the scientists who were not invited to Tallinn not to write and express their opinions. [11]  A point emphasized by the “Experts” as they “assessed that there has been huge interest in the Manual since it came out, but that the Manual reflected all reasonable positions on the issues it took up and that there were only a few amendments worth pondering.” [12]

The Story

The main tenet of the Tallinn Manual is that cyber warfare is governed by international law already in force, particularly the rules that regulate the commencement of an armed attack (jus ad bellum, UN Charter, mostly effective since 1945) and the rules that regulate the conduct of armed conflict (jus in bello, including, for example, The Hague Convention of 1899 and the Geneva Convention of 1949, the latter with the 1977 amendment protocols). [13]  (The Manual has a great compendium of the international law of armed conflict, or international humanitarian law.) [14]

The Manual consists of 95 rules and accompanying commentary.  The rules set forth the International Group of Experts’ conclusions (black-letter rules) as to the broad principles and specific norms that apply in cyberspace.  The accompanying commentary indicates the rules’ legal basis, applicability in international and non-international armed conflicts, and normative content.  Also included are differing or opposing positions among the Experts.  This is important because several complex issues produced debates amongst the Experts.  The Manual’s editors attempted to capture all of the views expressed in the deliberations, as well as other reasonable positions that they were aware of from outside the group. [15]

While covering all of the salient portions of the Manual is far beyond the scope of this review, I will concur with other reviewers who noted:

Particular attention was paid to terminology.  An array of terms has been employed in, and beyond, the legal literature: computer network attack, computer network exploitation, cyber attack, cyber operation, cyberspace operation, cyber incident, cyber terrorism, cyber conflict etc.  To circumvent this semantic inconsistency, the Tallinn Manual operates with four key notions.  First, a cyber operation connotes the employment of cyber capabilities for achieving a particular objective, and is one of the few terms that is not derived from a legal term with a concrete meaning.  Next, a cyber use of force and cyber armed attack are cyber operations that rise to the levels of a use of force, and armed attack, in the way those terms are used in Articles 2(4) and 51 of the UN Charter, respectively. Lastly, a cyber attack carries the meaning of an attack, as defined in Article 49(1) of Additional Protocol I to the Geneva Conventions; its usage is restricted to the law of armed conflict analysis.  This consolidation of legal terminology allows for a reduced number of terms to be used consistently throughout the book, contributing to the clarity of the positions expressed therein. [16]

Conclusion

The Tallinn Manual is not just a worthy book for the Canon candidate list; it is a must for induction into the Canon proper, both for lawyers and policymakers (non-techies) and for techies in the community. As pointed out:

[T]he Manual is designed as a reference tool for State legal advisors, policymakers, and operational planners, although scholars and students will hopefully find it useful as well.  NATO CCD COE has launched a three-year follow-on project, Tallinn 2.0, that will expand the scope of the Tallinn Manual.  The Tallinn Manual is strictly an expression of opinions of the International Group of Experts, and, as such, does not represent the official positions of the Centre or NATO.  This will also be the status of Tallinn 2.0. [17]

Still, others observe:

[T]he intense interest in developing clearer international norms to regulate different facets of cyber activity is running up against two hard facts. The first is that some states, especially those with sophisticated cyber capacities, such as the United States, are content to state at a general level that they will apply existing, general international rules to cyber.  But these states have limited incentives to reveal in any detail HOW they apply those norms.  The second is that the major cyber players (Russia, China, and the United States) remain on different conceptual pages as to how to proceed. [18]

Whatever the focus and direction Tallinn 2.0 takes, this version is a must read, and when 2.0 is released, at least I’ll have more material to include in the Canon process!

Sources

  1. See Schmitt (Editor), Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, loc 3 of 7915, Kindle Ed.
  2. See Schmitt (Editor), Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, p. 3 of 282, Kindle Ed.
  3. See Schmitt (Editor), Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, p. 4 of 282, Kindle Ed.
  4. DHS Chief to Companies: Prepare Yourselves for Cyber Attacks, http://www.weeklystandard.com/blogs/dhs-chief-companies-prepare-yourselves-cyber-attacks_821904.html
  5. Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 13, 2012, pp. 14–15, http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf.
  6. Michael N. Schmitt, International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 Harvard Journal of International Law 13, 2012, p. 15, http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf.
  7. Lauri Mälksoo, The Tallinn Manual as an international event, found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/.
  8. See Lauri Mälksoo, The Tallinn Manual as an international event, found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/, citing, for example, Elena Chernenko, Virtual’nyi front, Kommersant Vlast’, 27.05.2013, http://www.kommersant.ru/doc/2193838, p. 14; Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015, found at http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/.
  9. Elena Chernenko, Russia warns against NATO document legitimizing cyberwars, May 29, 2013, Kommersant-Vlast, found at http://rbth.com/international/2013/05/29/russia_warns_against_nato_document_legitimizing_cyberwars_26483.html.
  10. Lauri Mälksoo, The Tallinn Manual as an international event, found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/.
  11. Id.
  12. Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015, found at http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/.
  13. Lauri Mälksoo, The Tallinn Manual as an international event, found at http://www.diplomaatia.ee/en/article/the-tallinn-manual-as-an-international-event/.
  14. See Schmitt (Editor), Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013, loc 209–351 of 7915, Kindle Ed.
  15. Liis Vihul, The Tallinn Manual on the International Law Applicable to Cyber Warfare, published April 15, 2013, found at http://www.ejiltalk.org/the-tallinn-manual-on-the-international-law-applicable-to-cyber-warfare/.
  16. Id.
  17. Id.
  18. Ashley Deeks, Tallinn 2.0 and a Chinese View on the Tallinn Process, May 31, 2015, found at http://www.lawfareblog.com/2015/05/tallinn-2-0-and-a-chinese-view-on-the-tallinn-process/.

References

Michael N. Schmitt (Editor). Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge University Press, 2013. 300 p.


Why Hiring CCSPs Will Help the C-Suite Sleep at Night

A few short years ago, cloud computing was considered a relatively new concept inherent with risks that many IT professionals weren’t comfortable taking. I’ll avoid the debate about who coined the term cloud computing, but I’m old enough to remember how we formerly referenced the cloud in telecommunications as a way to simplify and abstract the details of the external network that’s connected to internal devices. Today, the concept of cloud computing is intended to simplify communication by eliminating the need to know all of the specifics of the cloud provider’s underlying software and infrastructure. The cloud provides benefits to businesses and consumers alike by offering consolidated services, quicker delivery time and decreased costs.

As we look toward the future of IT, cloud computing hovers over us at the forefront. Adoption rates are soaring, and cloud computing must integrate with in-house IT infrastructure and data assets. According to nearly 14,000 respondents from the 2015 (ISC)² Global Information Security Workforce Study (GISWS) by Frost & Sullivan, 43 percent state that cloud is a priority for their organizations and 57 percent of total respondents state it will become even more of a priority over the next two years.

Though it may be obvious to some, the growing adoption of cloud services will increase the demand for security professionals who can apply the proper controls to public, private, community and hybrid cloud models. Cloud computing was identified as the top area of information security with growing demand for education and training within the next three years, according to the (ISC)² GISWS. IT professionals who understand how cloud services can be securely implemented and managed within their organization’s IT strategy and governance requirements are essential. In fact, 73 percent of GISWS respondents believe leveraging cloud-based solution and services will require information security professionals to develop new skills.

(ISC)² and the Cloud Security Alliance (CSA) teamed up in an effort to address the need to establish a common global understanding of professional knowledge and best practices in design, implementation, management and service orchestration of cloud computing systems. CSA’s Certificate of Cloud Security Knowledge (CCSK) provides a very solid baseline of cloud security. Working together, (ISC)² and CSA developed a cloud security credential for those requiring a deeper understanding and demonstrated experience. The Certified Cloud Security Professional (CCSP℠) validates that professionals have met the highest standard for cloud security expertise. The combined initiative addresses the expanded information security complexities as organizations begin to leverage cloud-based infrastructure, software and services more frequently.

So why should organizations take note? With breaches rife and the C-suite increasingly aware of the implications of inadequate security, hiring CCSPs will help the C-suite sleep at night. Companies will benefit from employing CCSPs because they possess the knowledge, skills and abilities needed to address the security and business issues associated with the complexities of cloud computing. CCSP is vendor-neutral and requires practical knowledge and skills covering the broad set of cloud security capabilities that cloud professionals need to carry out their responsibilities effectively and contribute to the overall security of their cloud environment.

Those in the C-suite at organizations who have decided to take advantage of recurring savings related to leveraging cloud solutions and services should consider what a modest investment in staff training and certification could mean for near-term and long-term success in relation to recurring operating cost savings, while ensuring cloud security best practices. Cloud security should be more of a science than an art. Leveraging the cloud should be predictable and repeatable, versus becoming an area of self-expression across an organization’s business units.

Had I been able to employ CCSPs during my early cloud implementation days, I know I certainly would’ve slept easier at night. For more information about CCSP, please visit https://www.isc2.org/ccsp/default.aspx.
-David Shearer, CISSP, PMP, CEO, (ISC)²

Palo Alto Networks Traps Protects From Latest Flash Zero-Day Vulnerability CVE-2015-5119

Following this week’s headline-grabbing breach, we all learned of an exploit utilizing CVE-2015-5119, a zero-day vulnerability in Adobe Flash. Successful exploitation of this vulnerability allows an attacker to take control of an affected endpoint, making it a critical threat. Various security researchers have since reported that the zero-day was indeed exploited in active attacks.

CVE-2015-5119 can be exploited against all commonly used browsers, including Google Chrome, which is considered to be much harder to exploit relative to other browsers.

This disclosure provides us a rare glimpse into the advanced attack tools market. From my perspective, the critical lesson to take from this incident is not the specific zero-day vulnerability itself, but the acknowledgment that this is merely the tip of the iceberg. One live zero-day exploit was disclosed by chance, but many others are and will be developed, marketed and utilized worldwide.

CVE-2015-5119 is part of an increasing trend of exploiting Flash vulnerabilities. Earlier this year we referred in this blog to the zero-days CVE-2015-0311 and CVE-2015-0313, as well as to a deep technical analysis of a new Flash vulnerability exploitation. Most recent was the CVE-2015-3113 zero-day, disclosed a week ago. Additional patched Flash vulnerabilities were rapidly reversed by attackers and integrated into the leading exploit kits.

To counter trends like these, the endpoint security paradigm must shift towards a proactive approach, capable of preventing known and zero-day exploits. Palo Alto Networks Traps prevents memory corruption exploits in real time, obstructing the core techniques used in exploitation without relying on any prior knowledge of attacks. Traps successfully prevented exploitation of the zero-day CVE-2015-5119, and users of Traps as part of the Palo Alto Networks Security Platform were already protected from exploitation of these vulnerabilities prior to the disclosure and patch.

Exploits are the default attack vector in the current threat landscape. Traps is the only solution that provides proactive protection from this vector.

Read more about Traps advanced endpoint protection here.


If You’re Trying To Find a Needle In A Haystack, Use A Metal Detector!

I don’t usually blog about specific product features, but I’m so excited about our new correlation objects, released in our 7.0 update to PAN-OS, that I really can’t help myself. It’s been a month now since we released 7.0, and I’m still particularly jazzed about this new feature!

Correlation objects, available in our PA-5000 Series, PA-3000 Series, the PA-7050, and Panorama, accurately identify infected devices based on patterns of network behavior that are correlated to characteristics of specific threats. So, for example, if a device is infected, the correlation engine can identify a pattern of behavior: a host having visited a malware URL, then a vulnerability being exploited, and then abnormal DNS requests generated from said host.

Maybe a user took a corporate laptop home and inadvertently picked up some known malware (looks like GlobalProtect wasn’t activated!). When this user reconnects to the network, the correlation object correlates suspicious activities stemming from that device, which may not be of any concern individually, but taken together, alert the security team that this laptop needs to be remediated.

Meanwhile, the infection is stopped from spreading because Threat Prevention IPS, AV, and anti-spyware protections have blocked the malware from moving laterally inside the network and ended its outbound command and control beacons.

What’s really cool about this, though, is how it works with WildFire to dynamically correlate network activities based on zero-day malware.

Take the same concept of looking for patterns of abnormal behavior that point to infection, and from there, factor in zero-day malware that WildFire discovers. As soon as WildFire analyzes new file behavior, which only takes a few minutes for completely unknown files, a report on the file’s malicious behavior is sent back to the security platform. Our correlation engine consumes that report and looks for patterns of behavior specific to the newly discovered malicious file across the device from which it originated and other devices in the network, both going forward (analyzing in real time) and looking back through logs from 96 hours before the file was forwarded to WildFire.
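A minimal behavioural correlator in the spirit of the pattern described above (malware URL, then exploit, then abnormal DNS), including the 96-hour look-back when a file verdict arrives, as an added example that is not Palo Alto Networks code; the log format, category names, one-hour window and sample lines are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Each step lists the categories that satisfy it; the chain must occur in order.
PATTERN: List[Set[str]] = [{"malware-url", "malicious-file"}, {"vulnerability"}, {"abnormal-dns"}]
WINDOW = timedelta(hours=1)      # assumed: every step within one hour of the first
LOOKBACK = timedelta(hours=96)   # the post's 96-hour look-back for WildFire verdicts


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    category: str
    detail: str


def parse_line(line: str) -> Event:
    """Constructed log format: '<iso-timestamp> <host> <category> <detail>'."""
    ts, host, category, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), host, category, detail)


def correlate(events: List[Event], pattern=PATTERN, window=WINDOW) -> Dict[str, List[Event]]:
    """Per host, return the first chain of events that matches `pattern` in
    order with every step inside `window` of the chain's first event."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    hits: Dict[str, List[Event]] = {}
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start.category not in pattern[0]:
                continue
            chain = [start]
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > window:
                    break                      # chain expired; try a later start
                if ev.category in pattern[len(chain)]:
                    chain.append(ev)
                    if len(chain) == len(pattern):
                        hits[host] = chain
                        break
            if host in hits:
                break
    return hits


def apply_verdict(events: List[Event], sha256: str, verdict_ts: datetime,
                  lookback: timedelta = LOOKBACK) -> List[Event]:
    """Model the verdict feedback loop: once `sha256` is judged malicious, earlier
    unknown-file events carrying it (within `lookback`) are re-labelled so they match."""
    out = []
    for ev in events:
        if (ev.category == "unknown-file" and sha256 in ev.detail
                and timedelta(0) <= verdict_ts - ev.ts <= lookback):
            ev = replace(ev, category="malicious-file")
        out.append(ev)
    return out


# Constructed sample log lines: hosts, hashes and domain names are placeholders.
SAMPLE_LOG = """\
2015-07-08T09:00:00 10.0.0.5 unknown-file sha256=PLACEHOLDER_HASH_1 name=b.gif
2015-07-08T09:05:00 10.0.0.5 vulnerability CVE-2015-5119 flash
2015-07-08T09:07:00 10.0.0.5 abnormal-dns qname=xk3l9q.example.test
2015-07-08T09:10:00 10.0.0.7 malware-url hxxp://bad.example.test/show.swf
2015-07-08T09:12:00 10.0.0.7 abnormal-dns qname=mm2p7.example.test
2015-07-08T11:00:00 10.0.0.9 malware-url hxxp://bad.example.test/show.swf
2015-07-08T15:30:00 10.0.0.9 vulnerability CVE-2015-5119 flash
2015-07-08T15:31:00 10.0.0.9 abnormal-dns qname=q9z1.example.test
"""
EVENTS = [parse_line(line) for line in SAMPLE_LOG.splitlines()]


def run_demo() -> Dict[str, List[str]]:
    """Before the verdict nothing fires; after it only 10.0.0.5 is flagged:
    10.0.0.7 never hit the exploit step and 10.0.0.9's steps fall outside the window."""
    before = sorted(correlate(EVENTS))
    verdict_ts = datetime.fromisoformat("2015-07-08T09:30:00")
    after = sorted(correlate(apply_verdict(EVENTS, "PLACEHOLDER_HASH_1", verdict_ts)))
    return {"before": before, "after": after}
```

Calling run_demo() returns {"before": [], "after": ["10.0.0.5"]}, showing why the retroactive look-back matters: the exploit and DNS steps were already in the logs before the file was known to be malicious.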

At Palo Alto Networks, we believe that prevention isn’t futile – in fact, it’s central to stopping breaches. However, quick mitigation is also important to limit the damage and learn from threats that get past your defenses. With the right ecosystem of detection, intelligence, and prevention, infection doesn’t have to turn into a catastrophe.

There are currently five correlation objects available: three static objects that were created from Unit 42 research and two that are dynamically fed information from WildFire submissions. These five correlation objects are just the beginning. Our threat research teams, including Unit 42, will eventually be able to create new correlation objects based on their ongoing research into new attack campaigns and deliver them to deployed platforms through weekly content updates.

To learn more about the automated correlation engine and correlation objects, please visit https://www.paloaltonetworks.com/products/features/correlation-engine.html.
