Ransomware Is Not a “Malware Problem” – It’s a Criminal Business Model

Today Unit 42 published our latest paper on ransomware, which has quickly become one of the greatest cyberthreats facing organizations around the world. As a business model, ransomware has proven to be highly effective in generating revenue for cybercriminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – all are potential targets.

Ransomware has existed in various forms for decades, but in the last three years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families that make the technique work and has drawn new actors into these lucrative schemes.

To execute a successful ransomware attack, an adversary must be able to do the following:

  1. Take control of a system or device.
  2. Prevent the owner of the controlled device from accessing it, either partially or completely.
  3. Alert the owner that the device has been held for ransom, indicating the method and amount to be paid.
  4. Accept payment from the device owner.
  5. Return full access to the device owner after payment has been received.

If the attacker fails at any of these steps, the scheme is unsuccessful. While the concept of ransomware has existed for decades, the technology and techniques required to complete all five steps at scale were not available until just a few years ago. The resulting wave of attacks has impacted organizations all over the world, many of which were not prepared to prevent these attacks from succeeding.

The paper we released today details the history of ransomware and how attackers have spent many years trying to get this business model right. We also delve into what we can expect from future ransomware attacks, which includes the trends that follow.

1. More Platforms

Ransomware has already moved from Windows to Android devices and, in one case, targeted Mac OS X. No system is immune to attack, and any device that an attacker can hold for ransom will be a target in the future.

This concept will become even more applicable with the growth of the “Internet of Things” (IoT). While an attacker may be able to compromise an Internet-connected refrigerator, it would be challenging to turn that infection into a revenue stream. But the ransomware business model can be applied in this or any other case where the attacker can achieve all five steps for a successful ransomware attack. After infecting the refrigerator, the attacker could remotely disable the cooling system and only re-enable it after the victim has made a small payment. 

2. Higher Ransoms

The majority of single-system ransomware attacks charge a ransom between $200 and $500, but the values can be much higher. If attackers are able to determine that they have compromised a system which stores valuable information, and that infected organization has a higher ability to pay, they will increase their ransoms accordingly. We have already seen this in a number of high-profile ransomware attacks against hospitals in 2016, where the ransoms paid were well over $10,000. 

3. Targeted Ransom Attacks

A targeted intrusion into a network is valuable to an attacker in many ways. Selling or acting on stolen information is a common technique, but it often requires additional “back-end” infrastructure and planning to turn that information into cash. Targeted ransomware attacks are an alternative for attackers who may not know how else to monetize their intrusion. Once inside a network, attackers can identify high-value files, databases, and backup systems and then encrypt all of the data at one time. These attacks, using the SamSa malware, have already been identified in the wild and proven lucrative for the adversaries conducting them.

Download your copy of the “Ransomware: Unlocking the Lucrative Criminal Business Model” paper and learn techniques for preventing ransomware attacks.

[Palo Alto Networks Research Center]

Elliptic Curve Cryptography for the Internet of Things

The elliptic curve cryptography (ECC) asymmetric algorithm is widely promoted to developers building new Internet of Things (IoT) products. At first glance it is easy to see why. IoT imposes constraints and challenges that make traditional public-key cryptography difficult to deploy, and those same difficulties make ECC a front-runner. The constraints are computational: such devices are designed for low power consumption and ship with the bare minimum of processor speed and memory. The challenges are architectural: identity management, device and user registration, and cryptography itself must be re-engineered to suit IoT deployments.

Is ECC the right cryptosystem to meet these constraints and challenges? ECC offers shorter keys, lower central processing unit (CPU) consumption and lower memory usage for equivalent security strength (a 256-bit elliptic curve key gives roughly the same strength as a 3,072-bit RSA key under NIST SP 800-57), so after a quick glance it is easy to say yes. However, there are many more concerns that must be deliberated. My recent Journal article, “Can Elliptic Curve Cryptography Be Trusted? A Brief Analysis of the Security of a Popular Cryptosystem,” delves into these concerns by assessing and reviewing the key threats and challenges to the famous asymmetric cryptosystem.

Does ECC provide sufficient security to satisfy the demanding world of IoT? The potential risk is high, and the damage is not limited to data theft or loss. Compromise of an IoT device can lead to significant safety issues when the device is part of a vehicle, a health care device or a control system; loss of vehicle control or a malfunctioning medical device may result in injury or worse. Threats such as unauthorized tracking of individuals’ locations, manipulation of financial transactions and compromise of the integrity of highly sensitive data (e.g., health data required for a correct diagnosis) are significant enough to make anybody pause and think. Do the risks of ECC outweigh the rewards?

Read Veronika Stolbikova’s recent Journal article:
“Can Elliptic Curve Cryptography Be Trusted?,” ISACA Journal, volume 3, 2016.

Veronika Stolbikova

[ISACA Journal Author Blog]

Are Your IT and Strategic Business Goals Aligned?

Developing and using models to help represent relationships between business strategy and IT is an effective method to show the strategic effect of IT within the enterprise. As more and more business commerce becomes automated, the growing impact of IT on business strategy, such as the development of a sustained competitive advantage in a highly connected world, becomes increasingly evident.
Alignment of IT and business strategies is paramount for achieving and maintaining a leadership position. Today, the elements that differentiate one successful organization from another are difficult to observe and measure as the power of imitation levels the playing field, making a business-driven, information-centric and technology-supported strategy imperative.

How Does COBIT 5 Contribute to the Alignment of Goals?

COBIT 5 is an integrated framework that facilitates the achievement of the business’s strategic goals and solidifies value through an effective IT governance and management approach.
COBIT 5 provides for the governance and management of enterprise IT (GEIT) in a holistic way for the whole organization, taking into account the needs of business and functional area stakeholders and driving the business’s strategic goals in an end-to-end fashion throughout the enterprise. Because COBIT 5 aims to help organizations achieve balance in financial, customer, internal process, and learning and growth goal sets, the framework may be applied to public, private or nonprofit organizations.
Upon adopting COBIT 5, the organization will be able to identify strengths and weaknesses associated with its IT processes and environment. This, in turn, will identify areas where processes can be optimized to better support the organization’s goals and provide for safer, more dependable operations. Similarly, the organization will be able to ensure that IT has the correct direction, i.e., alignment with strategic business goals.

Implementation Stages

A successful strategy for implementing COBIT 5 always begins with identifying the drivers for developing the organization’s goals and the primary results the organization would like to achieve, whether it be realizing the benefits of a strategy or optimizing risk or resources. Once this is understood, an implementation of COBIT 5 should consider the stages shown in figure 1.

Figure 1—COBIT 5 Implementation Stages

Source: A. Zapata. Reprinted with permission.

ISACA provides some related COBIT 5 materials that can be used to obtain additional references to this suggested strategy, including the COBIT 5 Framework, COBIT 5: Enabling Processes, COBIT 5 Process Assessment Model (PAM): Using COBIT 5 and COBIT Self-Assessment Guide: Using COBIT 5.

Conclusion

COBIT 5 provides a powerful framework for the identification of enterprise goals. It also enables each critical process to be directly aligned to achievement of these goals in a way that can be easily measured and communicated. By applying the proven and efficient implementation strategy suggested, any organization can understand how effectively it is achieving these goals and ensure transparency across all functional areas.

Alexander Zapata, CISA, CGEIT, CRISC, COBIT 5 Implementation and Assessor, ISO 22301 LI, ISO 27001 and Foundations, PMP

He is an international consultant in IT governance and IT improvement with experience in Mexico, Colombia, Panama and Peru. He is also an expert instructor and COBIT 5 Accredited Trainer. He can be reached at azapatacolombia@yahoo.com.


[ISACA COBIT Focus]

VirusTotal Policy Changes Have No Impact On Palo Alto Networks Customers

What’s happened?

On Wednesday, May 4, VirusTotal cut off unlimited ratings access to companies that do not share their own evaluations of submitted research samples.

How does this impact Palo Alto Networks customers?

There is no impact to Palo Alto Networks customers or to the protections our customers receive from us. VirusTotal will continue to provide subscribers, including Palo Alto Networks, with access to all file samples. There is no change to the way we work with VirusTotal. Palo Alto Networks collects file samples from as many sources as possible. VirusTotal is one of many sources we use, but we do not rely on VirusTotal or any other third-party service to provide file verdicts.

Palo Alto Networks relies on our WildFire cloud-based malware analysis environment to determine if a file is malware, greyware or benign based on static and dynamic analysis.

To learn more about WildFire, visit: https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/wildfire

[Palo Alto Networks Research Center]

KRBanker Targets South Korea Through Adware and Exploit Kits

Online banking services have been a prime target of cybercriminals for many years, and the attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking “KRBanker,” also known as “Blackmoon,” since late last year. The campaign specifically targets banks in the Republic of Korea. On April 23, researchers at Fortinet published a blog describing the functionality of the recent Blackmoon campaign. Our objective in this blog is to share additional details on the distribution of the KRBanker (Blackmoon) malware campaign and indicators for KRBanker samples.

Early variants of this campaign started surfacing in late September 2015. Though the number of KRBanker infection attempts was relatively low in 2015, we have noticed a gradual increase in the number of sessions since the start of 2016, and identified close to 2,000 unique samples of KRBanker and 200+ pharming server addresses in the last 6 months.

Figure 1 KRBanker download sessions on AutoFocus

Malware Distribution

Our analysis shows that KRBanker has been distributed through web exploit kits (EKs) and a malicious adware campaign. The exploit kit used to install KRBanker is known as KaiXin, and the adware that distributes it is called NEWSPOT.

In March 2016, Unit 42’s Brad Duncan wrote two articles for SANS and Malware-Traffic-Analysis.Net noting that the KaiXin EK had been observed in the Republic of Korea. In those cases, malicious JavaScript served through compromised web sites or advertisements led to the EK, which exploited the Adobe Flash vulnerabilities CVE-2014-0569 or CVE-2015-3133. We confirmed that the final payload in both cases was KRBanker.

Another distribution channel is a malicious adware program called NEWSPOT. According to the product’s marketing document, NEWSPOT guarantees 300% revenue growth for online shopping sites. NEWSPOT is a basic adware program that displays advertisements in browsers, but since at least November 2015 it has also been installing malware. When visiting some Korean websites, a user may see a pop-up requesting installation of the NEWSPOT browser add-on.

Figure 2 Installing NEWSPOT tool

If installed, the adware runs on the computer and retrieves its configuration from the following URL:

http://www.newspot[.]kr/config.php?sUID=[web site name]

It then downloads a file from the URL given in the <update> section of the configuration data returned by the server.

Figure 3 Configuration file contains download link to malware

This channel may originally have been used to update the NEWSPOT software, but we have confirmed that banking trojans such as KRBanker and Venik have been installed through it. Figure 4 shows the URLs:

Figure 4 Downloading Banking Trojans from NEWSPOT update channel

Execution

KRBanker uses process hollowing to run its main code inside a clean (non-suspicious) executable. The sequence is as follows:

  1. KRBanker launches a clean PE file from the System directory (in process hollowing the new process is started in a suspended state so that its image can be replaced before any of its own code runs).
  2. Windows loads the PE file into memory.
  3. KRBanker overwrites the entire clean process image with its own (malicious) main module.
  4. The overwritten process is resumed and starts the malicious activity.

Figure 5 Execution Steps

Figure 6 Execution Steps (cont.)

After a successful execution, the Windows Firewall alerts the user that the process is attempting to access the Internet. Many users will allow this because the prompt names a clean Microsoft executable, even though the code running inside it is no longer Microsoft’s.

Figure 7 Windows Firewall Alert

Pharming

Banking trojans such as Dridex or Vawtrak mainly employ man-in-the-browser (MitB) techniques to steal credentials from their victims. KRBanker uses a different technique known as “pharming”: when a user attempts to reach one of the targeted banking sites, the traffic is redirected to a forged website. The fake server masquerades as the original site and urges visitors to submit their account information and credentials.

Set Up

The IP address of the fraudulent server is not hard-coded in the malware. KRBanker obtains it by querying the Chinese social network Qzone through a web API: sending a QQ number to the following URL returns basic profile information for that account.

users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=[QQ ID Number]

The server responds with the QQ ID number, a link to the profile picture, the nickname and some other information from the profile identified by that QQ ID. The author of the trojan placed the pharming server address in the “nickname” field, so the profile on a legitimate service acts as a dead drop for the malware’s configuration.

Following is an example response that contains the IP address, 23.107.204[.]38 which is then extracted by KRBanker for Pharming.

Figure 8 Receiving IP address for Pharming from QZone

Next, KRBanker obtains the MAC address with an embedded VBScript and the system code page by calling the GetOEMCP() API. It then registers the compromised system with the C2 server by sending the following HTTP GET request:

http://[IP address]/ca.php?m=[encoded MAC Address]&h=[code page]

Proxy Auto-Config

Researchers at ALYac previously reported that KRBanker used hosts-file modification and a local DNS proxy to redirect HTTP traffic. The latest version of the threat instead employs Proxy Auto-Config (PAC), a legitimate Windows feature that lets network administrators choose the proxy for each URL with a JavaScript function; Fortinet’s blog post also mentions this. The adversaries abuse this feature for pharming.

To configure this, the Trojan starts a local proxy server and creates the following registry entry.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = http://127.0.0.1:[random]/[random]

The local proxy serves an encrypted JavaScript file.

Figure 9 Malicious JavaScript for Proxy Auto-Config

After decrypting the JavaScript we can see the PAC entry point, FindProxyForURL(), which checks the requested host against a list of targeted sites.

Figure 10 Decrypted malicious JavaScript

Once the AutoConfigURL is set, the browser fetches the PAC script from the local proxy and calls FindProxyForURL() for every URL it requests. The malicious script compares the requested domain with its list of targets. If the domain matches one of the targets, the function returns the fraudulent server as the proxy and the request is sent there; if not, it returns DIRECT and the request goes to the legitimate domain.

Figure 11 Redirecting traffic by Proxy Auto-Config

Currently, KRBanker targets a large list of Korean financial institutions with this pharming attack.

When a compromised user visits one of the targeted websites, the user sees a page like the one shown in Figure 12 below. It looks like the legitimate page, and the address bar still shows the legitimate URL, because the redirection happens at the proxy layer rather than by changing the address. However, this is a fake website for stealing the victim’s credentials and account information.

Figure 12 Fake Authorized Certification Center for renewal

KRBanker is also capable of taking the following actions:

  • Stealing certificates from the NPKI directory in order to access online banking accounts
  • Terminating AhnLab’s V3 security software

Conclusion

Profit is the primary motivator for attackers who use banking Trojans. The adversary behind KRBanker has been developing new distribution channels, evolving the pharming techniques multiple times, and releasing new variants on a daily basis to maximize the revenue from victims.

As described in this article, the threat is distributed through exploit kits that exploit old vulnerabilities and through adware that the user must install manually. It is essential to understand the infection vectors of such campaigns in order to minimize their impact. Palo Alto Networks AutoFocus users can track this threat using the ‘KRBanker’ AutoFocus tag.

Indicators

The indicators for KRBanker can be found on Unit 42’s GitHub page below:

https://github.com/pan-unit42/iocs/blob/master/krbanker/hashes.txt

and

[Palo Alto Networks Research Center]
