Cybersecurity Snapshot: Cyberthreats, Regulations, Workforce Issues in 2016

The dynamic world of cybersecurity continued its rapid pace of change in 2015, creating new challenges and opportunities for ISACA and our 140,000 global constituents. Of course, 2016 will be no different. ISACA professionals across the globe expect to see an evolving mix of cyberthreats, regulatory issues, and an ongoing shortage of qualified cybersecurity workers needed to address these issues, according to the January 2016 Cybersecurity Snapshot survey.

Nearly 3,000 IT professionals from 121 countries voiced their opinions in the Cybersecurity Snapshot, and the results say much about where cybersecurity is headed in 2016. Respondents said their top cyberthreat concerns for 2016 were social engineering, insider threats and advanced persistent threats (APTs). Fully 84 percent believe there is a medium to high likelihood of a cybersecurity attack disrupting critical infrastructure (e.g., electrical grid, water supply systems) this year. Nearly a third said there will be some increased risk of insider threats (privileged users) vs. last year.

ISACA’s well-trained, knowledgeable professionals do not lack for recommendations on how to best tackle these cyberthreats. Adding two-factor authentication was considered the best response for improving security in the virtualized data center, followed by adding dual-person approvals for certain actions. Other suggested solutions included using a password manager for checking in/out password access to systems, and adding air gaps for different types of workloads (e.g., sensitive or non-sensitive).

Another area where ISACA constituents had consistent opinions involved government regulations and privacy issues. We saw significant activity in these areas in 2015, and I believe we can expect to see more of the same in 2016. A majority (63 percent) of respondents believe governments should not have backdoor access to encrypted information systems. A similar majority think privacy is being compromised by stronger cybersecurity regulations.

From an organizational standpoint, 84 percent favor regulation requiring that companies notify customers within 30 days of discovering a data breach. Interestingly, only a third of respondents believe their organization would voluntarily share cyberthreat information if it experienced a breach.

These issues make a strong case for organizations to have certified, well-trained cybersecurity personnel. Finding well-qualified cybersecurity professionals, however, is an ongoing, global issue. Nearly half of global organizations are planning to hire more cybersecurity personnel in 2016, and 94 percent say they expect to have a difficult time finding skilled candidates.

Not surprisingly, 81 percent say they would be more likely to hire a cybersecurity job candidate who holds a performance-based certification. That’s where ISACA and Cybersecurity Nexus (CSX) come in.

ISACA launched CSX in 2014 and expanded its certification offerings in 2015 with the introduction of the CSX Practitioner (CSXP) certification. CSXP is a vendor-neutral, performance-based cyber certification—the first of its kind—that focuses on key cybersecurity skills and requires demonstration of skills in a virtual lab environment in the Identify and Protect domains.

CSX has big plans for 2016, kicking off today with the introduction of the Cybersecurity Career Roadmap, which will help cybersecurity professionals identify new opportunities for career advancement. It provides the resources to continuously hone your skills, expand your knowledge, and start (and keep) your career on a trajectory toward achieving your goals.

ISACA is committed to all four of its core focus areas—audit/assurance, governance, risk and cybersecurity—and we will be delivering new resources in all of these areas over the course of the year. There has never been a more challenging or rewarding time to be in our field than right now.

I wish you a happy and successful 2016. It’s going to be an exciting year.

Christos Dimitriadis, Ph.D., CISA, CISM
2015-2016 ISACA International President

[ISACA Now Blog]

Healthcare Providers: Protect Patient Privacy by Securing the Endpoint

2015 was an especially devastating year for healthcare in terms of data breaches. The Anthem breach exposed a staggering 78.8 million health records, and another 10 million were exposed in the breach at Excellus BlueCross BlueShield. In addition, the Ponemon Institute’s 2015 study on data breaches reported that 91 percent of healthcare organizations had one data breach and 34 percent of healthcare organizations experienced two to five breaches.

Attackers who target health records are motivated primarily by money. Health records are worth at least 5 times the value of credit cards on the black market: most credit cards can be cancelled and replaced easily, but replacing health records is much more difficult due to the lack of advanced detection and controls against fraud. Health records offer detailed and specific information on individuals, including personally identifiable information, financial information and health information, and attackers can use this data in a number of ways, including to profit by submitting false insurance claims.

Medical devices will be increasingly targeted in the coming years since they are easier to attack and not as closely managed as other hospital IT-managed PCs. What’s more, many vendor-provided medical devices are connected to “unpatchable” PCs… at least “unpatchable” according to some vendors, who say that FDA approval is required before patching or installing antivirus (which is not true: the FDA actually encourages patching and use of endpoint protection on medical devices, and formal FDA approval is typically not required).

Consider this: all of the major healthcare breaches we hear about – and most we don’t — involve attacks on endpoints. Therefore, healthcare organizations require a new approach to protect endpoints from advanced cyber campaigns that leverage zero-day exploits and unknown malware.

As part of Palo Alto Networks Next-Generation Security Platform, Traps is an advanced endpoint solution that prevents successful execution of advanced attacks originating from executables, data files or network-based exploits, known and unknown, regardless of whether patches have been applied.

With Traps deployed, security teams at healthcare organizations can protect patient care and their data, and solve tough problems like mitigating the risk of unpatchable systems and protecting workstation instances within VDI environments.

To learn more, visit the Fuel User Group and select ‘Protecting Your Patients and Their Privacy with Traps’ to watch a recorded webcast that delves deeper into these challenges and demonstrates how Traps solves these difficult problems.


[Palo Alto Networks Blog]

The Cybersecurity Canon: CRACK99: The Takedown of a $100 Million Chinese Software Pirate

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: CRACK99: The Takedown of a $100 Million Chinese Software Pirate (2015) by David Locke Hall

Executive Summary

CRACK99: The Takedown of a $100 Million Chinese Software Pirate is the story of how the author, David Locke Hall, a federal prosecutor with no background in cyber forensics went after a cyber criminal. This is not a book that will help you develop better technical skills but rather help you understand how those outside the field deal with the challenges of applying their normal processes to the complexities of the virtual environment.

CRACK99 misses belonging in the Canon as it doesn’t develop a better cyber practitioner, but it is worth the read to understand the challenges the justice system faces in prosecuting cyber criminals. The style reminds me of Cuckoo’s Egg or Takedown, with a lot of side stories about the writer’s life. There are also chapters on subjects like arresting an Iranian arms dealer for export violations, the justice system, and national cyber strategy. The author does a reasonable job of tying these subjects together, as the actual material about the crime is not enough to fill a book.

Review

CRACK99 is the true story of an Assistant United States Attorney (AUSA) who decided to go after a Chinese national who was selling stolen software. Most of the software was used in advanced design and simulation and had national economic/military implications. The AUSA decided to discreetly partner with Homeland Security Investigations (HSI). Normally a case like this would be handled by the Federal Bureau of Investigation (FBI), and the U.S. Attorney’s Office in Wilmington, Delaware would not focus resources on an international case. Finally, to keep the case with HSI, they classified it as smuggling.

One of the first applications they focused on was the Analytical Graphics Incorporated (AGI) Satellite Tool Kit (STK). The software normally sold for around $150,000; but, on the CRACK99 website, an illegal copy cost only $1,000. STK was a simulation that could replicate the performance of satellites, drones or other military assets. This was one of a host of applications for sale, most of them using the same third party to enforce licensing. The AUSA thought that a rogue employee at that firm was the culprit; but, as he came to understand the technology involved, he realized that was not likely.

They purchased a copy of STK for the investigation and were told to use a Western Union money transfer. Sending the wire transfer from Delaware helped establish a case that the AUSA could prosecute. The operator of the site gave the user’s name and address in China. His name was Xiang Li, and he not only delivered the software but would help by providing guidance on how to install it. This was enough to get a warrant for the Gmail account Xiang Li was using. Analysis of emails revealed that there were over 450 illegal software sales worth over $100 million. Additionally it showed that his wife was involved as the money manager, and most of the sales were in the U.S.

The investigators came up with a plan to engage Li as potential business partners and lure him into the U.S. via a meeting in Saipan (a U.S. territory). They got a grand jury for indictment on copyright infringement, traffic in access control circumvention, wire fraud, interstate transportation of stolen property, smuggling, and trafficking in counterfeit labels. Li met them; was arrested; and, initially, was cooperative with the investigation. One of the big questions was how he got the software and who cracked the licensing. It was mostly fan groups, web forums, and hackers – he found what he sold through open searches (many were in Russia), and some were given by customers who wanted them cracked. Xiang Li asked for mercy but got 12 years. Of all the U.S. buyers, only two were prosecuted: Mr. Best got 3 years, and Mr. Wedderburn received probation.

CRACK99 provides great background on the justice system. The Federal Bureau of Investigation (FBI) is the big dog, with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and Drug Enforcement Agency (DEA) getting news coverage. Homeland Security Investigations (HSI) is bigger than both but only half the size of the FBI. HSI came out of Customs, which became Immigration and Customs Enforcement (ICE). In 2010 the FBI moved from crime to intelligence collection. The AUSA didn’t want to give the case to them because they would not push for jail time.

The book also covers organizations like the Department of Justice (DOJ) Office of International Affairs, Mutual Legal Assistance Treaty (MLAT), Defense Criminal Investigative Services (DCIS), and the Office of the National Counterintelligence Executive (ONCIX). It provides insight into which law to prosecute under: economic espionage, smuggling, copyrights, conspiracy (too abstract for the jury), pen register (wiretap) rules, lure, embargo, or acts like the National Stolen Property Act and Sound Recordings Act. It also lists resources like executive orders, commercial reports (Mandiant), and the Department of Defense (DOD) Science Board. The author also shares his opinion on case law, such as his belief that the Supreme Court was wrong in the Dowling decision.

While the author didn’t propose a strategy, he did frame many of the issues and possible solutions. One key theme was the concept that most law enforcement is hooked on fast food – low hanging fruit that is easy to prosecute but has no impact. He compares this to U.S. cyber strategy – a lot of talk and papers with strategy in the title but no actionable strategy. For example, much was made of Coreflood botnet being taken down, but nobody was arrested. The U.S. government indicted members of the Chinese People’s Liberation Army; but, again, there was no expectation they would be prosecuted. It was more of a political name and shame policy.

As part of his review of arresting arms dealers trying to avoid embargo restrictions, he said, “Dubai is a monument to the failure of the United States to control the proliferation of its own goods and technology.” He talks about the parallels to a lack of cyber strategy or concerted effort. The DOJ bragging sheet that covers their key cases had nothing about theft of intellectual property or cases against China – this despite the example of Microsoft having an application update downloaded 30 million times for one legitimate license. There is a real disconnect between the DOJ and national security / economic threats.

Conclusion

CRACK99 should be read by anyone who wants to understand more about how one prosecutor in the justice system took on a cyber criminal. The author does a decent job of covering both the tactical aspects of an investigation and the national strategy issues involved with the case. His side stories about getting pulled in to work other cases, such as those of drug dealers and even a mail carrier case that ended in a plea agreement, are interesting. It feels like he wrote the book over a period of years without updating some activities referenced. He talks about reports/actions ranging from 2011 to 2015. He also spends a lot of time talking about his Navy background and the potential Chinese government/military involvement but ends up with no proof.

Bottom line – this is not a Canon candidate but a quick and worthwhile read.

[Palo Alto Networks Blog]

Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised

Exploit Kits (EK), arguably the most impactful malicious infrastructure on the Internet, constantly evolve to evade detection by security technology. Tremendous effort has been spent on tracking new variations of different EK families. In this report, we look at an EK from an operational point of view. Specifically, we have been tracking the activity of the notorious Angler Exploit Kit and have uncovered traces of what we believe to be a large underground industry behind this EK.

Given the numerous existing reports from Sophos, Malwarebytes, and USENIX that cover different variants of Angler, we will focus on the new findings in terms of the global operation of Angler in this work. All of the findings are based on the results of our malicious web content detection system.

Key findings include:

  1. Detected over 90,000 compromised websites involved in Angler’s operation. Of these, 30 are within the Alexa top 100,000 rankings (Top 1 million websites available here.) We estimate the number of monthly visits to these 30 compromised websites to be over 11 million, based on visit counts from TrafficEstimate.com.
  2. Discovered a highly organized operation that periodically updates the malicious content across all of the compromised websites and all of the EK gate sites at the same time. This indicates a sophisticated and persistent command and control channel between attackers and compromised websites.
  3. Discovered fine-grained control over the distribution of malicious content. This means the injected scripts can stay invisible for days to evade detection, and the compromised websites can choose to target only certain victim IP ranges and certain configurations. This has led to very low detection rates from the scanners used by VirusTotal (VT). Even weeks after our initial discovery, most of the compromised sites we found were not listed as malicious in VT.
  4. Found potential connections between activities of scanning vulnerable websites and leveraging scanned websites as the entry point for the EK. This suggests an industry chain behind the operation of this EK.

Overview and Impact

Between November 5 (when we started to scan highly vulnerable websites for similar injections) and November 16, we discovered a total of 90,558 unique domains that had been compromised and used by Angler EK.

The compromised domains resolve to a total of 29,531 unique IPs. Among these, 1,457 IPs hosted more than 10 compromised domains. The IP address 184.168.47.225 hosted a total of 422 compromised sites. Some of the compromised sites were very popular, with 177 domains (30 FQDNs) in the Alexa top 100,000 and 40 in the top 10,000.

Most of the compromised sites remain undetected by VT. We tested early scanning results (5,235 malicious sites discovered at that time) with VT on November 16 and found that VT only reported 226 sites as malicious. At midnight of November 17 we repeated this experiment and VT still only found 232 sites. This amounts to a less than 5% detection rate. On December 14 we tested our full list (all 90,558) against VT and it only found 2,850 compromised sites – a 3% detection rate.

Figure 1: Angler EK Compromise Topology

Figure 1 outlines the redirection flow of a full compromise. The victims visit a list of compromised WordPress/Apache hosts and get redirected to the malicious server hosting the EK, either directly or via a middle layer, which is commonly referred to as ‘EK gate’. The final malicious payload served could vary, including ransomware such as Cryptowall, and spyware or botnets that connect to a C2 server. A more concrete redirection chain example and its fiddler packet capture are shown in Figures 2 and 3. The redirection from EK gate to the malicious file hosting server can happen within the same domain (shown in red in Figure 2) or cross-domain (shown in blue in Figure 2).

Figure 2: Redirection Chain

Figure 3: Fiddler packet captured during redirection (excerpt)

Figure 4 shows some of the post-infection traffic we obtained using Fiddler. In this case the infected VM sent out a C2-like request and received back a long encrypted response.

Figure 4: Post infection traffic

Figures 5 and 6 give an overview of all compromised hosts’ IP information.

Figure 5: Compromised host ISP distribution

Figure 6: Compromised IP country distribution (truncated to show major items)

We can see in the figures that the compromised sites are primarily hosted inside the United States, with a few exceptions in Europe and Asia. Among the systems in the United States, most of the identified sites are hosted on GoDaddy’s infrastructure and a few other popular hosting services. 

Angler EK Evasion Techniques

In this section, we will highlight some of the featured behaviors of the malicious scripts that attackers injected into the compromised websites.

The original version of the injected malicious JavaScript code served on the compromised servers (left side of Figure 1) targets almost ALL major versions of the IE browser (version 8-11 confirmed), presumably because these users may also have vulnerable flash versions installed. A more recent variant targets all modern major browsers, including Webkit-based ones such as Chrome and Gecko-based Firefox. In addition to its JavaScript-based anti-detection maneuver, the next hop redirection (EK gate) also selectively serves malicious content based on the victim’s geolocation. We further break down some of these behaviors in this section.

Static/Signature analysis evasion

The injected JavaScript code in all of the compromised websites looks similar but is not exactly the same. Figure 7 is an excerpt of the injected code. The obfuscated code is constantly morphing with random variable names. Even the responses between two consecutive requests are different due to the randomness. We are only able to find four meaningful keywords that remained constant in this script: ActiveXObject, window.sidebar, charAt, and Function. As we will detail in the Organized Evolution section, these keywords will slowly vanish as the EK evolves over time. This polymorphic behavior likely renders many signature-based static analysis methods ineffective.

Figure 7: injected script excerpt

Browser emulator evasion

We found that the exploit kit code contains multiple layers of behavior cloaking, and in one case uses ActiveXObject initialization as shown in Figure 7. The variable zmomfokopbpbbi shown in this example contains a long random-looking string (truncated in line 2). The malicious JavaScript attempts to fingerprint the browser to evade browser emulators and malware detectors, which are usually designed to provide a valid ActiveXObject at all times, or use symbolic/concolic execution which intentionally suppresses errors and forces execution to take the other branch. In other words, a real IE browser will throw an error for the try clause but a detector agent may not. Given that the value of qvqymkykvfzpl is 1 before line 9, the value zkvluyycbrtp will be 0 for real IE browsers and any other browser that does not support ActiveXObject, but it will remain 1 for certain browser emulators. Looking further down the malicious script (Figure 8) we see that the value of zkvluyycbrtp is again used in many other functions, and the return value of those functions depends on its value. This ultimately determines whether the malicious script will carry out the attack or not. This is one of the many cloaking mechanisms attackers employ that separates the real, intended victim population from browser simulators used by AV vendors for detection.

Figure 8: injected script excerpt (cont.d)

In addition to ActiveXObject initialization, the obfuscated code also examines UserAgent. This examination is different from a naïve substring search. Particularly, the code searches for the existence of two strings “rv:11” and “MSIE”. Combining the user agent examination with a special ‘browser quirk’ of old IE (version 10.0 or older), the malicious JavaScript ONLY exhibits malicious behavior when the browser is ‘truly’ Internet Explorer, but not other browser brands (e.g. Firefox/Chrome/other testing browser agents), even if they are ‘mimicking’ old IE user agents. We show the detailed combination of different configurations and their interactions in Table 1.

Malicious content trigger condition: zfglugdvsvhpmstz – hladygwivaoha == 2

Potential target    | UserAgent | JS Engine       | zfglugdvsvhpmstz (browser quirk testing) | hladygwivaoha (UserAgent pattern match)
Old IE user         | IE 8-10   | JScript/Chakra  | 3 | 1
New IE user         | IE 11     | Chakra          | 2 | 0
Firefox/Chrome user | FF/Chrome | SpiderMonkey/V8 | 2 | 2
Security researcher | IE 8-10   | SpiderMonkey/V8 | 2 | 1
Security researcher | IE 11     | SpiderMonkey/V8 | 2 | 0

Table 1: Malicious content trigger condition

In this table, we can see that the malware authors target IE users and attempt to avoid security researchers; however, they left out one scenario: a non-IE browser mimicking IE 11. In this scenario the malicious behavior is actually exposed, and this is how we are able to automatically extract a number of next-hop redirections (i.e., EK gate URLs), listed in Table 2.

IP address filter evasion

The successful execution of the above-mentioned JavaScript always results in the injection of an iframe pointing to the EK gate. The malicious JavaScript injects an iframe similar to what’s shown in Figure 9.

Figure 9: iframe injection by malicious JavaScript

This URL structure resembles others that were previously disclosed by sources like malware-traffic-analysis.net; however, as mentioned earlier, the way this iframe is injected is entirely different in this campaign compared to their previous mechanism, which simply injected a flash file (<object>) into the HTML code.

It’s not easy to obtain the malicious content of these iframes because when we visit the compromised URLs from an IP address that belongs to Palo Alto Networks, the attacker’s server either does not respond or returns an empty 200 response. The same results occurred when we used different browsers with different versions, residential IPs in California, and then an Amazon EC2 instance. On November 16 we used a proxy service to redirect our traffic through IP blocks across the world and found that when we used an IP block from Turkey, the server returned the Angler EK’s landing page. The landing page looks similar to previously posted ones, and eventually redirected the victim browser to download a flash file.

It is also interesting to note that many domain names hosting the EK gate pages, like filchnerkunstkring.diversityadvice[.]com or ullshift-vastreden.avimiller.org, have legitimate and benign root-level domains diversityadvice.com and avimiller.org. We suspect:

1) that the DNS nameservers of these domains were compromised and a rogue DNS record was created to point the malicious subdomain to the attacker’s server; and

2) that the credentials that allow registering subdomains were stolen. Such DNS compromise is also popularly known as domain shadowing.

In addition to the EK gate IP filtering, the compromised host seems to serve the malicious redirection scripts using similar IP filtering rules as well. We initiated requests from two clean machines using different outgoing IP addresses and the same user agent at almost the same time. The machine user of one IP address consistently received a malicious page while the other user only received clean HTML. It is particularly worthwhile to note that the attackers perform IP cloaking adaptively; we used one IP address range to scan the web for compromised sites and after approximately two weeks of scanning, the attacker stopped serving malicious content to these IPs. We suspect that the attackers detected abnormal scanning behavior from the IPs and therefore cloaked themselves to avoid detection.

Timing-based evasion

It also appeared to us that the injected content turns on-and-off inside the duration of our scan. After we discovered this behavior, we picked ten sites and significantly increased their scanning frequency to every ten minutes. Figure 10 shows the vulnerability status of three of these ten sites over the course of 24 hours. The markings of the top portion indicate that the site’s malicious code was active during that time slot while the markings on the bottom portion indicate the site was benign, or dormant, during that time slot. It appears to us that nine out of 10 sites share a similar (but not exactly the same) dormant/active pattern, as shown in the orange and blue dots, while the other site (www.grillman[.]com.au) shows a somewhat different pattern. We are not exactly sure why the injection exhibits such behavior over time, but our guess is that the malicious code intends to hide itself and put the website owner or security companies under the illusion that the threat has been cleaned up.

Figure 10: Time-based cloaking of compromised hosts – Pacific Standard Time.

User Agent-based evasion

In addition to the User Agent checks inside the JavaScript code we described earlier, the servers also perform their own check of the visiting browser’s UA string. We found that unless we used a special user agent string (mimicking IE 8 and 9), we were unable to access the malicious content. This is yet another way that the attackers appear to be attempting to evade detection by web scanners.

Cookie-based evasion

Finally, the compromised site sets the user’s cookie the first time the victim visits the site, and never sends the injected code a second time to a browser if it detects the same cookie on subsequent requests. We consider this as one of the many mechanisms to cloak the threat against security researchers that may employ dynamic analysis approaches to visit the compromised sites repetitively.

Organized Evolution

Detection evasion techniques are crucial for an attacker’s operation, but in time researchers will identify and expose them. To avoid being caught, attackers constantly evolve the compromised sites to further complicate the detection and prevention process. We list some of the more important changes we observed below.

EK Gate URL evolution

Continuous monitoring of the EK gate URLs (result of DNS shadowing) shows that they change frequently, at approximately half-hour to one-hour periods. Our large scale continuous scanning reveals that, at any given time, almost all compromised sites point to the same next-hop domain, but in roughly half an hour to an hour this domain changes completely and all infected hosts make the change at approximately the same time. Table 2 shows our scanning result for the source hostnames of the injected iframe URLs. Since we cannot get hold of a compromised host and capture the traffic ourselves, we suspect that this synchronized behavior is an indication of malicious C2 server(s) actively and continuously communicating with the compromised hosts to activate the switch to new EK gates.

Approximate switching time | src host of injected iframe
START                      | hxxp://perintprinssinhadezeu1.mirastravels[.]net
2015-11-13 00:38 AM        | hxxp://gren1elintensiirto.bonihutchinson[.]com
2015-11-13 01:48 AM        | hxxp://collatiesmuskambrette.tsm-nj[.]com
2015-11-13 02:17 AM        | hxxp://orneginsanscritista.grownmanbody[.]com
2015-11-13 02:48 AM        | hxxp://syvimpisubnumber.dura-tekllc[.]com
2015-11-13 03:50 AM        | hxxp://qreplies-gabberhouse.curionemotorsports[.]com

Table 2: EK gate domain changes

Although the hostname changes frequently, we are able to confirm using passive DNS data that the IPs these domains resolved to are relatively limited, including 91.239.74.80 and 188.120.235.94. This indicates the attacker is reusing some IP resources behind the subdomain-fluxing mechanism.
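The synchronized gate switching summarized in Table 2 can be checked mechanically over scan data. The following is an added example written for this page, not the report's own scanner: the scan records are constructed (site names are placeholders, the gate hostnames are the defanged ones from Table 2), and the registrable-root split assumes two-label roots.

```python
"""Spot synchronized EK-gate switches across compromised hosts.

Each scan round records which iframe host every compromised site injected.
When nearly every site moves to a new next-hop host in the same round, that
is the synchronized switch the report attributes to a C2 channel. A site
that returned clean HTML in a round (IP or time cloaking) is recorded as None.
"""
from collections import Counter, defaultdict

# Constructed scan records: (scan time, compromised site, iframe src host).
SCAN_RECORDS = [
    ("2015-11-13 00:10", "site-a.example", "perintprinssinhadezeu1.mirastravels[.]net"),
    ("2015-11-13 00:10", "site-b.example", "perintprinssinhadezeu1.mirastravels[.]net"),
    ("2015-11-13 00:10", "site-c.example", "perintprinssinhadezeu1.mirastravels[.]net"),
    ("2015-11-13 00:10", "site-d.example", None),  # served clean HTML this round
    ("2015-11-13 00:40", "site-a.example", "gren1elintensiirto.bonihutchinson[.]com"),
    ("2015-11-13 00:40", "site-b.example", "gren1elintensiirto.bonihutchinson[.]com"),
    ("2015-11-13 00:40", "site-c.example", "gren1elintensiirto.bonihutchinson[.]com"),
    ("2015-11-13 00:40", "site-d.example", "perintprinssinhadezeu1.mirastravels[.]net"),  # lagging
    ("2015-11-13 01:50", "site-a.example", "collatiesmuskambrette.tsm-nj[.]com"),
    ("2015-11-13 01:50", "site-b.example", "collatiesmuskambrette.tsm-nj[.]com"),
    ("2015-11-13 01:50", "site-c.example", None),
    ("2015-11-13 01:50", "site-d.example", "collatiesmuskambrette.tsm-nj[.]com"),
]


def refang(host):
    """Turn a defanged hostname back into a real one for parsing."""
    return host.replace("[.]", ".")


def split_shadowed(host):
    """Split a gate hostname into (subdomain part, registrable root).

    Simplification (assumption): the root is the last two labels, which is
    right for the .com/.net roots in Table 2 but not for ccTLD second-level
    registries; a public-suffix list would be needed there.
    """
    labels = refang(host).split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def rounds(records):
    """Group records by scan time -> {site: gate host or None}, in time order."""
    by_time = defaultdict(dict)
    for ts, site, host in records:
        by_time[ts][site] = host
    return [(ts, by_time[ts]) for ts in sorted(by_time)]


def dominant_gate(sites):
    """Return (host, share of all scanned sites) for the most common gate."""
    hosts = [h for h in sites.values() if h]
    if not hosts:
        return None, 0.0
    host, n = Counter(hosts).most_common(1)[0]
    return host, n / len(sites)


def switch_events(records, min_share=0.5):
    """List (time, old gate, new gate) whenever the dominant gate changes.

    Only rounds where one gate reaches min_share of all scanned sites count,
    so a single lagging or cloaked site does not create a spurious switch.
    """
    events, previous = [], None
    for ts, sites in rounds(records):
        host, share = dominant_gate(sites)
        if host is None or share < min_share:
            continue
        if previous is not None and host != previous:
            events.append((ts, previous, host))
        previous = host
    return events


def gate_roots(records):
    """Registrable roots behind all gate hosts seen (the shadowed domains)."""
    return sorted({split_shadowed(h)[1] for _, _, h in records if h})


if __name__ == "__main__":
    for ts, old, new in switch_events(SCAN_RECORDS):
        print(f"{ts}: {old} -> {new}")
    print("roots reused for shadowing:", gate_roots(SCAN_RECORDS))
```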

Injected JavaScript evolution

Figure 11 illustrates the timeline of the injected JavaScript’s evolution. We denote the first version we saw (November 5) as Version 1.0. During our continuous tracking, we found that the EK’s malicious JavaScript code evolved into a slightly advanced variant on November 11. In this version (1.1), the code previously used to detect a Firefox browser is gone, i.e. (+[window.sidebar]). We suspect this line was removed because it might trigger traditional signature-based detection, as it is always written in plain text. On November 21, another version (1.2) appeared across all of the compromised sites and completely removed ActiveXObject initialization from the scripts. Upon observing this evolution we quickly adjusted our detection method to continue tracking the compromised pages. On November 27, the JavaScript changed again, this time to a completely different structure (version 2.0). Instead of concatenating tiny strings together, this version boasts a very long string that it decodes to the iframe injection statement. A particularly interesting aspect of this variation is that the injected code targets all major browsers including Firefox and Chrome, with the exception that for IE 7, 8 and 9, it does additional checks via browser quirks to see if the declared userAgent matches the actual browser behavior. Again, on December 5, we found that the malicious code reverted back to version 1, but with a slight tweak of statement order; it also changed variable zmomfokopbpbbi’s initialization in Figure 7 from a static long random string to a concatenation of smaller strings.

Figure 11: Injected JavaScript evolution

In each of the evolutionary steps, almost all compromised sites we had identified presented the update at the same time. This timing provides further evidence that a C2 channel is likely maintained at all times between the attacker and the compromised hosts.

SWF/Binary file evolution

Continuous monitoring of the Flash files served by the EK revealed that they change slightly on a daily basis, and VT has never seen these samples by the time we obtain them. We submitted the SWF file distributed on November 16 to VT, and the immediate detection score was 3, with low-confidence verdicts such as ‘behaves like Flash Exploit’. On December 3 we requested a rescan of the same file; this time VT gave a score of 11, with many major AV vendors detecting it.

Infection Vectors

In this section we explore some interesting common properties that the compromised hosts share. We demonstrate how we use this information to discover many more compromised websites.

Inferred infection vectors

Generally speaking, we found that the infections fell into two categories, indicating that there may be two infection vectors used to compromise the websites.

1) For a small portion of sites, the malicious script is injected at the very top of the HTML source code, before the opening <html> tag. One example is http://www.cxda[.]gov.cn. We think this is because the compromised host has an Apache or system-level vulnerability that was exploited by the attacker.

2) For most of the compromised websites, the malicious script is injected right after the opening of the <body> element, and all these injections happen on WordPress-powered websites. This type of infection also shares another common attribute – a cookie-setting snippet is installed just before the large malicious JavaScript file to make sure the malicious content is not served twice to a single victim, as described above.
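The two placements described above can be turned into a triage heuristic for pages fetched by a scanner. The following Python is an added example, not the detection system from the original post; the sample pages are constructed and the injected payload is replaced by a placeholder comment.

```python
import re

# Constructed sample pages (not real compromised sites); the obfuscated
# loader is replaced by a placeholder comment.
PAGE_PRE_HTML = """<script>/* placeholder for injected loader */</script>
<!DOCTYPE html>
<html><head><title>t</title></head><body><p>hello</p></body></html>"""

PAGE_POST_BODY = """<!DOCTYPE html>
<html><head><title>t</title><script src="/wp-includes/js/jquery.js"></script></head>
<body class="home blog">
<script>document.cookie="seen=1; path=/";</script>
<script>var x='a'+'b'+'c';/* placeholder for injected loader */</script>
<div>post</div></body></html>"""

PAGE_CLEAN = """<!DOCTYPE html>
<html><head><title>t</title></head>
<body class="home blog"><div>post</div></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def classify_injection(html):
    """Return which of the two observed placements an injected script matches.

    'pre-html'  : a <script> appears before the opening <html> tag (vector 1)
    'post-body' : a cookie-setting <script> directly follows the opening <body>
                  tag and is itself followed by another <script> (vector 2)
    None        : neither heuristic fires
    """
    html_tag = re.search(r"<html\b", html, re.I)
    body_tag = re.search(r"<body\b[^>]*>", html, re.I)
    first_script = SCRIPT_RE.search(html)
    if html_tag and first_script and first_script.start() < html_tag.start():
        return "pre-html"
    if body_tag:
        after_body = html[body_tag.end():].lstrip()
        cookie_script = SCRIPT_RE.match(after_body)
        if cookie_script and "document.cookie" in cookie_script.group(1):
            following = after_body[cookie_script.end():].lstrip()
            if SCRIPT_RE.match(following):
                return "post-body"
    return None

if __name__ == "__main__":
    for name, page in [("vector1", PAGE_PRE_HTML), ("vector2", PAGE_POST_BODY),
                       ("clean", PAGE_CLEAN)]:
        print(name, classify_injection(page))
```

Legitimate themes also set cookies from inline scripts, so a 'post-body' hit is a signal for a closer look at the second script, not a verdict on its own.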

Extending scans

Based on our injection vector inference, we extended our scan from newly registered domains to two additional categories of websites, greatly increasing the number of detections.

Collocated hosts

Since the attacker may exploit the same Apache/web server vulnerability on the same machine, we believe the hosts collocated with the known compromised sites have a higher chance to be compromised as well. Many hosting services host multiple websites on the same host and IP address (i.e. virtual hosting). During our daily scan of newly registered domains, we found a large number of compromised sites served by popular hosting services including GoDaddy, and found that some of them share the same IPs. Using passive DNS data, we are able to retrieve a sizable list of likely-vulnerable sites – those that are hosted on the same IPs as ones we already detected. The list contains a total of 82,000 unique domains. Of these, approximately 65,000 domains are actively hosting websites and at least 3,880 of them are compromised.
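The passive DNS pivot above, as an added example that is not part of the original post: given a set of known compromised domains and passive DNS A records, build the list of co-hosted domains to rescan, ranked by how many known compromised sites share their IPs. The records and domain names are constructed.

```python
from collections import defaultdict

# Constructed passive-DNS A records (domain, ip); not data from the analysis.
PDNS_RECORDS = [
    ("known-bad-1.example", "198.51.100.10"),
    ("known-bad-2.example", "198.51.100.10"),
    ("known-bad-3.example", "198.51.100.20"),
    ("neighbor-a.example", "198.51.100.10"),
    ("neighbor-b.example", "198.51.100.10"),
    ("neighbor-b.example", "198.51.100.20"),   # multi-homed: shares two suspect IPs
    ("neighbor-c.example", "198.51.100.20"),
    ("unrelated.example", "203.0.113.5"),
]
KNOWN_COMPROMISED = {"known-bad-1.example", "known-bad-2.example", "known-bad-3.example"}

def colocated_candidates(records, known_bad):
    """Return (domain, score) pairs for domains sharing an IP with known compromised sites.

    score = number of known compromised domains seen on the IPs the candidate resolves to;
    higher scores go to the front of the rescan queue. Known-bad domains are excluded.
    """
    ip_to_domains = defaultdict(set)
    for domain, ip in records:
        ip_to_domains[ip].add(domain)
    suspect_ips = {ip for ip, domains in ip_to_domains.items() if domains & known_bad}
    score = defaultdict(int)
    for ip in suspect_ips:
        bad_here = len(ip_to_domains[ip] & known_bad)
        for domain in ip_to_domains[ip] - known_bad:
            score[domain] += bad_here
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for domain, score in colocated_candidates(PDNS_RECORDS, KNOWN_COMPROMISED):
        print(f"{score}  {domain}")
```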

WordPress sites

Based on the high percentage of WordPress websites present in the compromised site list, it is highly likely that the attacker is exploiting one or more WordPress vulnerabilities. However, to compromise these websites the attackers would have to first perform some type of reconnaissance. We theorized that the malware sample behavior collected in Palo Alto Networks WildFire could help us discover more of these infected websites. In WildFire scans, we identified many malware samples actively probing vulnerable WordPress sites by requesting their xmlrpc.php file. This file is linked to several previously disclosed vulnerabilities and hazards. We collected such probing behavior from WildFire history, which amounts to a total of 201K unique domains. We determined that 174K URLs were still alive and responding, and of these, our malicious web detection system identified 535 additional compromised sites.

Following the success of this scan, we further obtained a large list of websites using WordPress which contained almost 17 million sites and scanned them using the same system. This revealed over 84,000 compromised WordPress websites in total. 

Infection lifecycle

Looking at how many websites are being compromised and how quickly their operators detect and remove the infections helps us better understand the lifecycle of Angler EK infections.

First, our daily scan reveals tens to hundreds of new compromised sites that have never previously been detected, as seen in Table 3 and Figure 12. These numbers suggest that this is still a very active threat.

Date          11/6  11/7  11/8  11/9  11/10  11/11  11/12  11/13  11/14  11/15  11/16  11/17
Cumulative    214   285   467   472   549    593    704    880    932    1196   1211   1241
New that day  NA    71    182   5     77     44     111    176    52     264    15     30

Table 3: Unique new compromised sites detected every day

Figure 12: Unique new and total compromised websites each day.

Before we make any statements about how quickly compromised websites are cleaned up, we would like to point out that the numbers discussed here are educated guesses at the upper bound, because the injected scripts may simply lie dormant for a long time. For example, we observed one site, ‘seorewolucja[.]pl’, that was first seen as infected on November 6 and followed an on-and-off infection pattern until 05:30 PST on November 15. From then on the site remained free of infection for three days, until the morning of November 18, when the injected script appeared again. Although the injected code looks similar before November 15 and after November 18, we cannot be sure whether the site owner disinfected their system and it was later re-compromised, or whether the infection simply stayed dormant for three days. This demonstrates how long an infection may stay dormant and that we should not make hasty decisions about whether a site has been cleaned up and patched appropriately to prevent future infections.

To get a rough idea of the cleanup rate and status, every six hours we rescanned the entire infected population collected through November 16 – a total of 5,234 unique URLs. We aggregated the scanning results on November 18, and our system found that 5,002 URLs were still infected at least once during our scanning period, while a total of 396 sites never showed any infection behavior throughout the scans from noon of November 16 to November 18. Even if we consider all of these sites disinfected, they account for less than 8 percent of the entire infected population. When we checked this number again on November 19, the total number of clean sites had dropped to 377. This means that some of the 396 sites we thought had been cleaned up were simply dormant from November 16 to 18. Since many of these sites were discovered in early November and were possibly infected even earlier, the scanning results indicate that disinfection is happening very slowly.
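The upper-bound reasoning above, as an added example that is not from the original post: over a constructed six-hourly scan log, a site counts as "possibly cleaned" only while it has never tested positive, and extending the observation window can shrink that set when a dormant injection reappears. The URLs and scan results are constructed.

```python
from datetime import datetime, timedelta

# Constructed six-hourly scan log (not the blog's data): url -> [(scan time, infected?)]
def _scans(start, flags):
    return [(start + timedelta(hours=6 * i), bool(f)) for i, f in enumerate(flags)]

T0 = datetime(2015, 11, 16, 12)          # noon of November 16, first rescan
SCAN_LOG = {
    "active.example":  _scans(T0, [1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1]),  # on-and-off
    "quiet.example":   _scans(T0, [0] * 13),                                 # never positive
    "dormant.example": _scans(T0, [0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1]),  # resurfaces later
    "cleaned.example": _scans(T0, [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),  # positive once
}

def never_infected(scan_log, until):
    """URLs with no positive scan up to `until`: an upper bound on cleaned-up sites."""
    return {url for url, scans in scan_log.items()
            if not any(hit for when, hit in scans if when <= until)}

def last_seen_infected(scan_log, until):
    """URL -> time of the most recent positive scan up to `until` (None if never)."""
    out = {}
    for url, scans in scan_log.items():
        hits = [when for when, hit in scans if hit and when <= until]
        out[url] = max(hits) if hits else None
    return out

def cleanup_upper_bound(scan_log, until):
    """Fraction of the population that could, at most, have been disinfected by `until`."""
    return len(never_infected(scan_log, until)) / len(scan_log)

if __name__ == "__main__":
    for day in (18, 19):
        cutoff = datetime(2015, 11, day, 12)
        print(cutoff.date(), sorted(never_infected(SCAN_LOG, cutoff)),
              f"{cleanup_upper_bound(SCAN_LOG, cutoff):.0%}")
```

The "cleaned" site stays in the infected population even though it has been quiet since the first scan; last_seen_infected is what lets an analyst decide how long a quiet period is needed before treating such a site as disinfected.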

Conclusion

Modern exploit kits are becoming harder to catch as they maneuver to avoid detection by security researchers. Particularly, the Angler EK boasts the following features:

  • Targeted Exploitation: This family of JavaScript and iframe injections is targeted at specific configurations and/or geographic and IP distributions. The attack’s malicious scripts and servers use multiple techniques to target IE users and visits from IPs outside of the United States.
  • Cloaking against researchers: The constantly evolving injected scripts try their best to identify malware researchers’ sandboxes and hide their malicious behavior from sandbox/emulated environments. The techniques used include browser fingerprinting via browser quirks, as well as IP and UserAgent checks.
  • Frequent evolution and persistent control: Large-scale tracking of many compromised domains revealed that the attackers have persistent control over the compromised machines. We saw three major version changes in the injected scripts as well as hourly switches of the malicious EK gate domains over the course of one month. These actions cannot occur without continuous control of the compromised hosts. This contradicts the common assumption that the hosts are compromised only at one point and injected with malicious code once.
  • Growing number of infections: According to our observations, newly compromised sites appear at a consistent rate of over 100 sites per day (this is a lower bound, as we can only scan a limited number of websites per day), while older compromised sites do not seem to be disinfected promptly, if at all. This results in a steady increase in the total number of active compromised sites, and this threat is still a long way from elimination.

Despite these challenges, we also found some consistent behavior patterns and limitations of this attack:

  • Suspicious redirections: Although the redirection script may change, the redirection chain stays relatively stable. The EK is always served from a different WordPress-like domain, and a Flash file is downloaded soon afterwards.
  • Infrastructure reuse: Exploiting a known WordPress vulnerability and weak DNS configuration for DNS shadowing may be easy for the attackers; however, changing the exploit kit’s hosting server is relatively hard, as it requires the attacker to physically control a new machine or move an existing one. At least for now, we have never seen the attacker serve the actual EK file from a compromised machine, possibly to avoid bandwidth spikes or AV detection on the compromised sites.

We will continue to track down the compromised sites, learn more about modern exploit kits and offer maximum protection for our customers.

Get a list of the compromised domains analyzed in this research.

[Palo Alto Networks Blog]

Cybersecurity Information Sharing Enacted in the US

The number and severity of cyber threats in the United States are on the rise, and a new voluntary program aims to increase cooperation among government entities and private-sector organizations looking to reduce these damaging cyber events.

New US legislation promotes and encourages the private sector and the US government to exchange cyber threat information. The legislation also authorizes the information to be shared amongst several US federal agencies, including the Department of Commerce, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the Department of the Treasury, and the Office of the Director of National Intelligence.

The legislation had a long incubation period, and similar bills were introduced in previous sessions of Congress. The idea was jumpstarted again about a year ago when US President Barack Obama called for cybersecurity legislation in his 2015 State of the Union address. In late April 2015, the House of Representatives passed two separate versions of the legislation, and in October 2015, the Senate followed suit by passing its own version of the bill. A conference committee was convened to hammer out a compromise version, and the bill was tacked onto a large omnibus spending bill in order to make it to the respective chambers for a vote. President Obama signed the measure into law on 18 December 2015.

Under the new law, the sharing of information is completely voluntary on the part of private entities. Shared information must not include personally identifiable information unless that information is directly related to the threat being reported. For those that do share information, legal liability protections are provided so long as the information is shared in accordance with the procedures outlined in the Act.

Most of the specific rules are not initially detailed in the Act. Instead, the Secretary of Homeland Security and the US Attorney General will develop and issue regulations for the requirements and procedures to be followed. Thus, much of the practical effect of the legislation is still unclear.

What is also unclear is how forthcoming the private sector will be in sharing cyber threat information. Prior to the enactment of the legislation, many companies stated that liability protections were a minimum necessary requirement before they would consider sharing information.

Reaction to the legislation was mixed. Some industry leaders welcomed the measure. Several high-profile tech companies along with privacy advocates, however, are not in favor of the legislation, with some worrying that it is a “surveillance act” disguised as a cybersecurity act.

Read a Special Report on the legislation from ISACA’s Cybersecurity Nexus (CSX) for background on the act, as well as survey results on opinions about the Act and whether companies are likely to voluntarily share information.

Montana Williams
Senior Manager of Cybersecurity Practices, ISACA

[ISACA Now Blog]
