Watch: CEO Mark McLaughlin On Making Successful Breaches More Difficult for Attackers

Last week at the Joint Service Academy Cybersecurity Summit at the United States Military Academy in West Point, Palo Alto Networks President and CEO Mark McLaughlin spoke with Fox Business Network correspondent Jo Ling Kent about ongoing efforts to improve cybersecurity.

Mark homed in on three things organizations can do to achieve the end goal of raising the cost of a successful attack and making successful breaches more difficult for attackers:

  1. Have a breach prevention mindset
  2. Make sure to share threat intelligence
  3. Continually educate the public on cybersecurity and good cyber hygiene


The Summit is an invitation-only gathering of service academy graduates serving in critical leadership roles and select thought leaders from industry, government and academia that comes together to strengthen ties between industry and government and to share best practices for securing the internet and defeating cyberthreats.

[Palo Alto Networks Research Center]

Board Involvement With IT Governance

Interest in IT governance is increasing due to the changing role and relevance of IT within organizations for supporting, sustaining and expanding business. According to the IT Governance Institute, IT governance is the form of leadership, organizational structures and processes that ensure an organization’s IT sustains and extends the organization’s strategies and objectives. While management’s role in IT governance is imperative, practitioners and academics have also long advocated board involvement in IT governance. However, the literature shows that boards may not be very involved in IT governance. This could be because board members may not have the needed IT expertise to provide direction on important operational and strategic IT-related issues. Boards may also not be very involved because IT does not get put on the board’s agenda or board members simply do not understand their roles regarding IT governance.

Our recent Journal article addresses this issue of the board’s role in IT governance by examining the charters of board-level IT committees. We reviewed the committee charters to analyze the prescribed roles and responsibilities of these committees. If the charters are not clear or complete, board members may misunderstand their roles. We found that only 23 Fortune 500 companies had board-level IT committees at the time of our study. We used content analysis to categorize the documented roles and responsibilities according to the five IT governance domains: strategic alignment, value delivery, resource management, risk management and performance measurement. Our Journal article contains our findings and discusses the opportunities for these committees to improve their governance roles.

A topic that we are interested in beyond the scope of our article is the IT auditor’s role in ensuring the effectiveness of these committees or the board at large in terms of IT governance. During an IT governance audit, the auditor should examine the committee charters to ensure committees are set up to fulfill best practices and COBIT-related IT governance roles. Examining meeting minutes and matching them to the prescribed roles could further ensure these committees are effective in their oversight role. In fact, IT-related issues may be discussed and documented in board meeting minutes regardless of whether the company has a specifically designated board-level IT committee. We hope to explore some of these issues in the future.

Read Nancy Lankton and Jean Price’s recent Journal article:
“Board-level Information Technology Committees,” ISACA Journal, volume 2, 2016.

Nancy Lankton, CISA, CPA, and Jean Price

[ISACA Journal Author Blog]

NEW! Mitigating Risk for Cloud Apps Survey

Time: 15 minutes
Prizes: 10 CCSK Tokens
Closing Date: May 23rd

Participate Now

Abstract:

Current state of SaaS security – with several years of cloud adoption in many organizations, approaches to security have been evolving rapidly. The purpose of this survey is to look at the specific concerns, policies, and controls that enterprises are using. The goal will be to answer the question, what are today’s enterprises doing to mitigate risk across both sanctioned and unsanctioned cloud applications?

[Cloud Security Alliance Research News]

The Panama Papers, Mossack Fonseca and Security Fundamentals

The release of details contained in the Panama Papers will be one of the biggest news stories of the year. The number of high-profile individuals implicated will continue to grow as teams comb through the 11.5 million documents leaked from Mossack Fonseca, a Panamanian law firm. While the news headlines will focus on mainly world leaders, athletes and well-to-dos, the overview from The International Consortium of Investigative Journalists (ICIJ) gets into additional details. This overview is worth reading to understand what services the firm provided, who uses the services, how they can be used legally and how they can be abused.

The overview seems like something out of a John Grisham book. In fact, some of the information being released is similar to the plot of a book he wrote over 25 years ago. In 1991, John Grisham published “The Firm”, a book which revolves around several lawyers working for the fictional law firm Bendini, Lambert and Locke. Some of the similarities between the book and today include a law firm that primarily exists to assist money laundering and tax evasion, a plot that turns on the details of many transactions retrieved from thousands of documents, and a whistleblower. The fictional firm also provided services to legitimate clients, although in the book that number is about 25 percent. It is unknown what percentage of Mossack Fonseca clients were legitimate and how many would be described as Ponzi schemers, drug kingpins and tax evaders, as the ICIJ overview mentions. While the novel is fiction, the book sets the stage as something that has been seen before.

Whether the leak started from an external breach of systems or an intentional leak from an insider, it is always intriguing to know how it occurred and what could have been done. Did it start with a phishing email, a rogue employee, a web application flaw, etc.? Forbes reported that the client portal server was running Drupal 7.23, which was found to be susceptible to a SQL injection vulnerability that was announced in October 2014. There were many reports of exploitation of this vulnerability within days of its announcement, so it is likely someone took advantage of it. The team responsible for WordFence, a popular WordPress security plugin, provided another possible exploitation scenario related to upload functionality in the Revolution Slider plugin. These are just some of the potential means that could have caused a breach at Mossack Fonseca. Other possibilities include weaknesses in the email server and a lack of encryption in transit. Mossack Fonseca does have a Data Security page on its site, although it primarily touts SSL and the fact that the firm houses all of its servers in-house as its primary security measures. In 2011, I wrote a post on how the legal profession was an easy target for breaches. Looking back I realize that technology has changed, but in many ways the weaknesses are likely to stay the same. One of the biggest changes to note since 2011 is the number of online applications law firms now have. This isn’t just the top 100 law firms; this includes smaller regional firms as well. In addition to the main corporate web site and an area to share documents (or client portal), offerings that now appear much more prevalent across firms of all sizes, firms have blog sites, premium service offerings, extranets and even applications that provide a gateway into all the other online applications. More applications means a larger attack surface.

Unlike Mossack Fonseca, which claims it hosted everything internally, many law firms we see do use third-party SaaS offerings to handle some of these functions. Outsourcing to a third party which specializes in providing a particular service can often provide better security than a firm can provide in house.

Given the Mossack Fonseca’s focus on company formation, minimizing tax burdens, Private Interest Foundations and the like, the firm could have easily been a target given the recent groundswell of activism against tax avoidance and income inequality. While the lapse in security at Mossack Fonseca may not be representative of security at all law firms, the details surrounding their environment point to likely weaknesses in people, processes and technology which could exist in any organization.

  • People – Given what we know about potential vulnerabilities in their environment and the exfiltration of data, we can surmise that someone was not paying attention for an extended period of time. There are many security roles in an organization including, but not limited to, policy development, administration and monitoring. In some environments one person may be responsible for many roles, and in some cases not all responsibilities can be met. This may be because no one was given the role or because the person who was given the responsibility left the organization. A recent search of LinkedIn did not turn up many IT-related profiles with Mossack Fonseca as a current or previous employer, although this doesn’t necessarily mean these individuals do not exist. Contractors may also have performed the role. That said, a third party could have been hired for a given job, say deploying the client portal, but may not have been responsible for post-implementation support.
  • Process – Being notified of vulnerabilities in the software supporting the organization is paramount to understanding where risks exist. Knowing what data is leaving the environment is also critical. The likelihood that either of these was occurring is low and if either were occurring there wasn’t necessarily anyone to act on it in a timely fashion.
  • Technology – A breakdown in people and processes can occasionally be mitigated by technology. The WordPress and Drupal sites are now protected by a third-party security provider, but other sites likely are not. An up-to-date intrusion detection system (IDS) may have detected some of the threats the organization faced, or activities that occurred, although there were several potential avenues of exploitation, so one or another would likely have remained open. For an organization that appears to have missed some fundamental security concerns, it may nevertheless have used technology to secure some data, as there is a site named crypt.mossfon.com, which is still up.

The Panama Papers incident may once again raise awareness around data security with legal firms. Organizations performing support services to legal firms, such as eDiscovery and Case Management providers, may also want to take note. Mossack Fonseca has a link on their page for ISO Certifications. However, the only one listed is ISO 9001:2008. An ISO 27001 assessment, or certification, may not have prevented the leak, but it would have demonstrated greater consideration of security on the part of Mossack Fonseca. A penetration test would also have been beneficial, although given the vulnerabilities that existed even a vulnerability scan would have detected some of the issues.

With most data breaches, the actual data on the people and companies is less interesting (albeit potentially more valuable) than the way in which the breach occurred or the attacker persisted in the attack. As it relates to the Panama Papers, it is the opposite. The forthcoming details related to various individuals, their transactions, and the potential future tax and privacy implications are far more interesting to the public than the means whereby the exfiltration actually occurred. That said, taking a few minutes to understand how it happened and what we can learn can be a worthwhile step in preventing future breaches.

Matt Wilgus, Practice Director, Schellman

[Cloud Security Alliance Blog]

New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists

Malware writers have always sought to develop feature-rich, easy-to-use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise that it is now being used against pro-democracy organizations and supporters in Hong Kong, which have long been a target of advanced attack campaigns.

Despite its simplicity and prevalence, detection rates for both AV and IDS systems have always been surprisingly low for Poison Ivy. Possibly for these reasons, since the mid-2000s threat actors have frequently used Poison Ivy to establish beachheads within target organizations, although this occurs much less frequently today than in years past. Since the last public release of version 2.3.2 in 2008, new variants of the tool have been relatively rare, especially versions which modify the core communication protocols.

Unit 42 observed a new version of Poison Ivy which uses the popular search order hijacking, a/k/a “DLL Sideloading,” technique frequently seen in malware such as PlugX. The Poison Ivy builder has an output format option of either PE file or shellcode, and in this case the backdoor was built as shellcode and then obfuscated to help prevent detection. While analyzing the sample, we also observed a modified network communication protocol, which is discussed below in this blog.

SPIVY

In March, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545. All of the decoy document themes involved recent Hong Kong pro-democracy events. In all of the samples we’ve found to date the exploit drops a self-extracting RAR which contains three files:

  • RasTls.exe – a legitimate, signed executable which is used to side-load the malware DLL
  • ssMUIDLL.dll – the malware DLL loaded by RasTls.exe, which then loads the Poison Ivy shellcode file
  • samsung.hlp – the encoded shellcode Poison Ivy backdoor

Both identified C2 domains are third-level domains under leeh0m[.]org, which was registered in late February 2016, less than a month before the attacks.

Figure 1. Malicious RARs and the three files within

In addition to the new variant we discovered, Japan’s Computer Emergency Response Team Coordination Center (JPCERTCC) published a blog last July on a different new variant. That variant is also side-loaded from a legitimate executable and stub DLL, but the shellcode isn’t encoded the same way as SPIVY. JPCERTCC didn’t comment on who was being targeted in their blog, but it is notable that two distinct Poison Ivy variants have recently appeared, several years after the tool largely fell out of common use by advanced actors.

SPIVY Analysis

We believe the dropped samples have a direct connection to older Poison Ivy RATs, based on the behaviors and code reuse present in the shellcode loaded from the samsung.hlp file within the RAR. Once decoded, the shellcode is launched by ssMUIDLL.dll.

Figure 2. The encoded shellcode is decoded with a single byte addition of 0x99, XOR with 0xD4, then subtract 0x33.

The SPIVY RAT uses the same API call table generation historically used by Poison Ivy. Shown below is a comparison of a PIVY sample from 2008 on the left and our newer SPIVY sample on the right. Both have the exact same API call table function.

Figure 3. PIVY sample from 2008 and SPIVY variant with the same API call table function.

Unlike previous versions of Poison Ivy, which use a fixed 256-byte challenge-response handshake, this new version generates a payload prepended with anywhere from 1 to 16 bytes of pseudo-random data (plus control bytes); the first byte gives the length of the padding before the start of the 256-byte handshake. In the example below the first byte (0x09) tells the Poison Ivy controller to ignore the following 9 bytes (which were nulled out below for illustration purposes), plus one more byte which holds the first byte multiplied by 2 (0x09 × 2 = 0x12). Two control bytes, plus the 9 random bytes, plus the 256-byte handshake gives 267 total bytes. The Poison Ivy protocol has been very well documented in previous research by Conix Security and others, and in these samples the remainder of the protocol remains unchanged.
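The two mechanical details above, the three-step byte decoding of the .hlp file (Figure 2) and the padded challenge-response framing (Figure 4), can be checked with a short analyst script. The following is an added example written for this page, not Unit 42 code: the key bytes and length rules are the ones stated in the text, all input bytes are constructed, and the script assumes the 2×n control byte follows the n random bytes, which the text implies but does not state explicitly.

```python
"""Analyst helpers for the two SPIVY details described above.

Added example for this page (not Unit 42 code).  The key bytes and the
framing rules are taken from the write-up; every input below is constructed.
"""

# Figure 2: each byte of samsung.hlp is decoded as ((b + 0x99) ^ 0xD4) - 0x33, mod 256.
ADD_KEY = 0x99
XOR_KEY = 0xD4
SUB_KEY = 0x33

# Figure 4: classic PIVY sends a fixed 256-byte handshake; SPIVY prepends
# n (1..16) pseudo-random bytes plus two control bytes (n and 2*n).
HANDSHAKE_LEN = 256
MIN_PAD, MAX_PAD = 1, 16


def decode_shellcode(encoded: bytes) -> bytes:
    """Reverse the .hlp encoding: add 0x99, XOR 0xD4, subtract 0x33 (all mod 256)."""
    return bytes(((((b + ADD_KEY) & 0xFF) ^ XOR_KEY) - SUB_KEY) & 0xFF for b in encoded)


def encode_shellcode(plain: bytes) -> bytes:
    """Inverse of decode_shellcode; used here only to build constructed test data."""
    return bytes(((((b + SUB_KEY) & 0xFF) ^ XOR_KEY) - ADD_KEY) & 0xFF for b in plain)


def parse_spivy_handshake(payload: bytes):
    """Return the 256-byte handshake if payload matches the SPIVY framing, else None.

    Assumed layout (the text implies, but does not state, that the 2*n byte
    follows the random bytes):  [n][n random bytes][2*n][256-byte handshake]
    """
    if len(payload) < 2:
        return None
    n = payload[0]
    if not MIN_PAD <= n <= MAX_PAD:
        return None
    ctrl = 1 + n                       # index of the second control byte
    if len(payload) != ctrl + 1 + HANDSHAKE_LEN:
        return None
    if payload[ctrl] != 2 * n:
        return None
    return payload[ctrl + 1:]


def classify_first_packet(payload: bytes) -> str:
    """Rough triage of a first client-to-controller packet: 'pivy', 'spivy' or 'unknown'."""
    if len(payload) == HANDSHAKE_LEN:
        return "pivy"                  # legacy fixed 256-byte challenge
    if parse_spivy_handshake(payload) is not None:
        return "spivy"
    return "unknown"


if __name__ == "__main__":
    # Constructed data: n = 9 nulled padding bytes, control byte 0x12 and a
    # 256-byte stand-in handshake give the 267 bytes quoted in the text.
    pkt = bytes([9]) + b"\x00" * 9 + bytes([0x12]) + bytes(range(256))
    print(len(pkt), classify_first_packet(pkt))                   # 267 spivy
    sample = b"constructed shellcode stand-in"
    print(decode_shellcode(encode_shellcode(sample)) == sample)   # True
```

A first packet of exactly 256 bytes matches the legacy handshake, while one of 259 to 274 bytes whose first byte n and byte n+1 satisfy the 2×n relation matches the SPIVY framing; anything else is left as unknown rather than guessed.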

Figure 4. SPIVY’s new challenge-response.

We saw two Poison Ivy configurations with our samples, shown below.

SHA256: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e
Password: bqesid#@
C2 domain: found.leeh0m[.]org
C2 port: 443
Mutex: 40EM76iR9
ID: 03-18
Group: 03-18

SHA256: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2
Password: bqesid#@
C2 domain: sent.leeh0m[.]org
C2 port: 443
Mutex: 40EM76iR9
ID: 03-07
Group: 03-07 

Decoy Documents

Decoy documents are a common technique used by many actors to trick victims into believing they have opened legitimate files from spear phishing e-mails. The attacker sends a malicious file which infects the host with malware and then displays a clean document which contains content the victim is expecting to see.

The decoy documents associated with SPIVY are notable because they reference very specific recent events and organizations not widely publicized or known outside of the Hong Kong region and the pro-democracy movement. In addition, all appear to be legitimate invitations to actual events in Hong Kong. One of the decoys purports to be from Joshua Wong, announcing a press conference about ending the Scholarism group to start a progressive democratic political party, Demosistō, in March 2016. Joshua Wong is a well-known Hong Kong activist who was one of the founders of the group and is the current Secretary-General of the political party. Scholarism centered around concerns about Hong Kong’s Department of Education adding a mandatory course for all secondary-school students on “moral and national education”. Scholarism was successful in stopping the course, and its members desired to shift into a political party to effect further change.

Figure 5. Invitation to press conference about disbanding Scholarism and establishing a political party.

Another decoy concerns the Mong Kok riot that took place February 8, 2016, the first day of the Lunar New Year. It purports to be from the Justice & Peace Commission of the Hong Kong Catholic Diocese and calls for the government to establish an independent commission to investigate the cause of the riots and for parishes to establish booths throughout April staffed with church members advertising this. The riots were officially written off as being caused by a crackdown on unlicensed street vendors, but the decoy claims it’s instead a sign of continued civil unrest and dissatisfaction with the government in Hong Kong.

Figure 6. Decoy allegedly from the Justice & Peace Commission of the Hong Kong Catholic Diocese

The final decoy is an invitation to an April 4, 2016 wreath laying event held by the Hong Kong Alliance in Support of Patriotic Democratic Movements of China. The event commemorated the 28th anniversary of the Tiananmen Square massacre and related events, information to which China heavily censors access for mainland Chinese citizens.

Figure 7. Decoy for an April 4, 2016 wreath laying event commemorating the Tiananmen Square massacre held by the Hong Kong Alliance in Support of Patriotic Democratic Movements of China.

Conclusion

The venerable Poison Ivy has been revamped and used to continue targeted attacks against pro-democracy activists in Hong Kong. It’s fairly common to see actors retool malware to make it harder to detect, though it was rarely seen before with Poison Ivy. The updated execution and communications mechanisms of SPIVY offer insight into the ever changing tools, techniques, and practices of targeted attackers. Unit 42 will continue to follow these attacks and any new Poison Ivy variants and provide updates as we uncover new information. It is clearly demonstrated by this recent campaign that an old dog can learn new tricks.

Pro-democracy activists in Hong Kong have increasingly been targeted by APT campaigns. Below are links to several related reports from different researchers. We don’t necessarily link the activity in this blog to any of the specific campaigns cited in the links; instead, they are provided for situational awareness.

  • October 2014 blog from Volexity titled “Democracy in Hong Kong Under Attack”
  • June 2015 blog from Citizen Lab titled “Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114”
  • December 2015 blog from FireEye titled “China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets”
  • April 2016 blog from Citizen Lab titled “Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns”

Palo Alto Networks customers can identify SPIVY command and control traffic using Threat Prevention signature ID and AutoFocus users can track this family using the SPIVY tag.

IOCs


C2 Domains

sent.leeh0m[.]org
found.leeh0m[.]org


[Palo Alto Networks Research Center]
