Month: June 2016

On June 7, 2016, Palo Alto Networks held an international cybersecurity conference in Tokyo called Palo Alto Networks Day. Over 1,200 participants from government organizations and industry came together to learn about the latest global trends in cybersecurity, threat intelligence, legal and policy issues as well as to look for networking opportunities with each other. Compared to last year, the size of this year’s conference almost tripled – highlighting the ongoing importance of and interest in cybersecurity.

Multiple participants shared challenges they face in getting their leadership and management teams’ buy-in to invest in and commit to cybersecurity technology and the people and processes needed to defend their organization against cyberattacks. Some struggle with keeping their executives up to date on new cyberthreats that are attacking today’s organizations. Until recently, most executives didn’t often consider cybersecurity in the context of their most common concerns, such as managing risk, preserving business operations and hitting sales targets. Because new threats are “unknown,” they often cannot attract enough attention from executives to take any immediate action to pay for “unknown costs.”

This is understandable. It is hard to invest resources in something not easily measurable when we have multiple things to worry about in today’s complicated and interconnected world. Nonetheless, it is also true that cyberattackers take advantage of such a mindset. This means culprits can keep winning as long as they adjust the ways they mount successful cyberattacks for the purpose of stealing proprietary information, customers’ personal data, sensitive government intelligence, or even crippling the operations of critical infrastructure to harm people.

During Palo Alto Networks Day, Mark McLaughlin, our chairman, president and CEO, reiterated the importance of automated prevention and the sharing of threat intelligence, saying that it is crucial to take unknown threats, turn them into known threats, and share the threat intelligence as openly and quickly as possible to bring greater security to the world. The Cyber Threat Alliance and Financial Services – Information Sharing and Analysis Center (FS-ISAC) are two good examples of organizations that use sharing frameworks to provide threat intelligence among member companies in the same industry. Their efforts jointly raise awareness at the global cybersecurity level and bring greater value to their customers in the form of protection from advanced cyberattacks.

William H. Saito, Special Advisor to the Japanese Cabinet Office and vice chairman of Palo Alto Networks K.K. pointed out that this kind of framework may sound odd to traditional business minds; some businesses would rather keep what they know than give it up for free, because information can be a source of power. However, that action may lead to the loss of an opportunity to utilize the information to protect other companies within the same industry against similar cyberattacks. The global threat of cyberattacks is too great not to share threat information among peers.

The U.S. defense and intelligence communities learned this the hard way during the 9/11 terror attacks, which prompted the paradigm shift from “need-to-know” to “need-to-share” to make relevant threat intelligence available to all stakeholders as soon as possible. Such a revolutionary change is needed for cybersecurity as well. Bad guys – whether cybercriminals, hacktivists, terrorists or state actors – work organizationally, tactically and strategically to achieve their adverse goals by cyber means. Defenders also need to collaborate in the same manner to increase the cost of successful cyberattacks – and make that cost prohibitive for attackers.

Second, organizations must switch from reactive defense to proactive and automated prevention. This does not mean denying the importance of incident response. Since there is no 100 percent effective security, incident response is an indispensable part of cyber resiliency. Automation allows defenders to compress the time for incident response, which involves time-consuming manual work and eventually reduces costs for cyber defenses.

The World Economic Forum argues that the Fourth Industrial Revolution relies on digital technology to push global economy and quality of life. The concept is dependent on people’s trust in the Internet. In his keynote speech, former Internal Affairs and Communications Minister Heizo Takenaka analyzed that economies are increasingly connected and only security can make them robust and successful. If people lose confidence in Internet security and use it less, the strength of the global economy will be diminished. In the 21st century, cybersecurity is not simply a cost as some people believe. Cybersecurity is, in fact, leverage to drive the Fourth Industrial Revolution.

See photos and read more details from Palo Alto Networks Day in Tokyo.

Mihoko Matsubara

[Palo Alto Networks Research Center]

In Part 5 of our IDAPython blog series, we used IDAPython to extract embedded executables from malicious samples. For this sixth installment, I’d like to discuss using IDA in a very automated way. Specifically, let’s address how we’re going to load files into IDA without spawning a GUI, automatically run an IDAPython script, and extract the results. Using this technique, we’ll be able to process many samples very quickly without needing to manually open each file in a new instance of IDA and run the IDAPython script.

Many may be surprised to learn that IDA can be executed purely on the command-line without spawning a GUI. In order to do so, the user must run the IDA executable with the ‘-A’ switch. This particular switch will instruct IDA to run in autonomous mode, ensuring that no windows or dialog boxes are presented to the user.

The following command-line examples demonstrate this technique being used in both OSX and Microsoft Windows . In these examples, the ‘-c’ switch generates a new IDB file, even in the event one already exists. Additionally, the ‘-S’ switch specifies the IDAPython script that will be run upon execution. We’ll be using these switches later on in the post.

The Scenario

For this example, I’m going to use the Cmstar malware family, previously discussed by Unit 42. For those unfamiliar with this malware family, it is a downloader that will transfer a file hosted at a specific URL over HTTP(S) and execute it on the victim’s system. The URL in question can be de-obfuscated using the following routine.

Knowing this, our next task is to identify where this data resides within a Cmstar sample. Correlating across a few samples, we conclude that two encrypted strings are being stored into a variable using calls to memcpy. One of the strings contains the domain or IP address that the malware will connect to, while the other contains the URI.

We also notice that the same sequence of instructions are executed when this memcpy instruction takes place:

mov esi, [offset]
pop ecx
lea edi, [variable]
rep movsd

Figure 1 Function containing encoded strings in Cmstar

Armed with this information, we can attempt to identify this sequence of instructions using IDAPython. To do so, we’ll iterate through every function IDA identifies, and proceed to ignore any functions marked as a jump function or belonging to a known library. The remaining functions will then be iterated through using a sliding window where we’ll inspect four instructions at a time, seeking the markers previously identified to determine if there are any matches:

In the above example, I’m simply printing out a debug string if I find any matches. Running this code against the sample with an MD5 hash of 4BEFA0F5B3F981E498ACD676EB352D45 in IDA, we get the following output. As we can see below, we’ve successfully identified the addresses of both obfuscated strings.

Figure 2 Running script against Cmstar sample

At this point, we can take the offsets we’ve identified and extract the strings to which they point. These strings can then be decoded using the previously defined decode() function.

Putting this all together, we come up with the following script:

At this stage, we can use the automation technique of running IDA in non-GUI mode and use the above script. This will allow us to run this script against a number of samples without the need for user interaction. We’ll run the script on our OSX machine as follows:

for x in ls; do /Applications/IDA\ Pro\ 6.9/idaq.app/Contents/MacOS/idaq -c -A -S/tmp/script.py $x; done

After a few minutes, we’re treated to the following within /tmp/output.txt, which is where we instructed our script to store results.

Figure 3 Output of /tmp/output.txt

Conclusion

By leveraging both the power of IDAPython, along with IDA’s command-line switches, we’ve successfully automated the extraction of the download location of a number of Cmstar samples. This technique can easily be applied to a larger number of samples, allowing us to execute IDAPython actions without needing to manually open each file in IDA. For those readers who were not aware of this IDA capability, I implore you to investigate it, as it can not only save you time, but also make things much easier when working with a large number of files.

Josh Grunzweig

[Palo Alto Networks Research Center]

(This post is also available in Japanese on our Japan website.)

Over 1,200 people attended Palo Alto Networks Day at the Prince Park Tower in Tokyo yesterday, underscoring how security continues to be a top, strategic priority for organizations and the industry at large in Japan.

The morning session of the conference kicked off with a welcome speech by Hiroshi Alley, chairman and president of Palo Alto Networks K.K.

Mark McLaughlin, chairman, president CEO of Palo Alto Networks, then delivered his keynote on protecting our way of life in the digital age and our prevention-based approach to doing so.

Other speakers include René Bonvanie, chief marketing officer and executive vice president of Palo Alto Networks and Heizo Takenaka, Director of the Global Security Research Institute at Keio University, and Japan’s former Minister for Internal Affairs & Communications and Minister of Economic/Fiscal Policy. Rene talked about the Palo Alto Networks Next-Generation Security Platform as well as recent enhancements made to Global Protect, updates to WildFire and AutoFocus and PAN-OS Panorama 7.1 release.

Professor Takenaka delivered a keynote speech on how the economy – global and in Japan – is interconnected and only security can make them robust and successful.

Check out some of the pictures below from the successful event, which also featured William Saito, Vice Chairman, Palo Alto Networks K.K., and Mihoko Matsubara, CSO, Japan, Palo Alto Networks.

Last, don’t forget to follow Palo Alto Networks Japan and Unit 42 on social media!

Facebook
Twitter
Unit 42 日本拠点ブログ
Unit 42 Twitter

* Event photos taken by Tsugunori Sugawara from Palo Alto Networks, and Hiroshi Haneda, official photographer for Palo Alto Networks Day 2016. 

Martina Schulze-Warnecke

[Palo Alto Networks Research Center]

Del Rodillas, our solution lead for SCADA & Industrial Control Systems, recently appeared in Electric Light & Power to discuss ransomware as an emerging threat for Operational Technology environments. With ransomware on everyone’s mind these days, Del shares insights from the recent report published by Unit 42 and instructs ICS owners and operators on how they can prepare their organizations to defend critical systems against ransomware.

As Del writes, “It is in every ICS owner’s and operator’s best interest to act now to prepare their organization from this rising threat. Education is the first step…”

Read Del’s full article in Electric Light & Power, and check out an infographic below.

Learn more:

• Download the Unit 42 Ransomware report
• Palo Alto Networks solutions for ICS/SCADA
• Palo Alto Networks solutions for Electric Utilities
• Palo Alto Networks solutions for Oil & Gas

Chad Berndtson

[Palo Alto Networks Research Center]

This is the second part of a two-part blog post for understanding Angler exploit kit (EK). The first part covered EKs in general. This blog focuses on the Angler EK.

Angler is currently one of the most advanced, effective, and popular exploit kits in the cyber criminal market. It generally uses the most recent exploits based on the latest vulnerabilities. Like most leading EKs, the authors behind Angler use Software as a Service (SaaS) as their business model, and Angler can be rented in the cyber underground for a few thousand dollars a month.

History

Angler EK was discovered in 2013, and it began appearing more frequently later that year. Angler grew in popularity sometime after Russian authorities arrested malware kingpin “Paunch”, the alleged creator and distributor of Blackhole EK. As Blackhole EK disappeared, other EKs like Angler began filling the void.

However, Angler is not the criminal’s name for this EK. Security researchers used the term “Angler” because of a picture of an Anglerfish in advertisements from late 2013.

Based on control panels found on Angler EK servers in 2015, the author’s name for Angler is “XXX”. Based on the copyright date in the control panel, Angler EK might have been around in some form as early as 2010.

Figure 1: Control panel for Angler EK with “XXX” from the Malware Don’t Need Coffee Blog.

Growth in Angler EK Traffic

Security researchers saw an increase Angler EK-related traffic during 2014. After a short lull,Angler EK has been relatively prominent since March 2015. Today, Angler accounts for the majority of EK traffic we find.

Angler EK Exploits

In 2015, Angler EK began focusing on exploits targeting three applications: Flash player, Internet Explorer, and Silverlight. Angler is often one of the first EKs to use new exploits targeting these applications.

For example, in June 2015 a previously unknown Flash vulnerability (later identified as CVE-2015-5119) was part of some 400 gigabytes of data dumped on the Internet as part of the infamous Hacking Team breach. A Flash exploit based on CVE-2015-5119 was integrated into Angler EK hours after the data dump was publicly available. It was a zero-day exploit at least 24 hours in the wild before Adobe issued a patch for it.

By August 2015, Angler EK implemented an exploit for Internet Explorer (IE) vulnerability CVE-2015-2419 that Microsoft had patched the previous month.

In February 2016, exploits for Silverlight based on CVE-2016-0034 found their way into Angler EK a little more than a month after Microsoft issued a patch for the vulnerability.

Angler EK Payloads

Different campaigns use Angler EK to distribute different types of malware.

The most prominent type of payload from campaigns using Angler EK appears to be ransomware. In 2015, the ransomware was most often CryptoWall. By the start of 2016, it was primarily TeslaCrypt. In mid-April 2016, the usual ransomware changed from TeslaCrypt toCryptXXX ransomware. We have seen CryptXXX primarily from actors behind the pseudo-Darkleech campaign.

But ransomware is not the only payload sent by Angler EK. EITest is another campaign that uses Angler EK to distribute other types of malware. In addition to ransomware, EITest Angler EK includes banking Trojans like Tinba, information stealers like Vawtrak, and other malware families including Andromeda, Ursnif, or Zeus.

Fileless Infection to Avoid Detection

In August 2014, Angler EK introduced a “fileless” infection technique to avoid detection by executing the payload from memory instead of storing it to disk. This technique is most often associated with Bedep payloads. Such fileless infections leave no artifacts from Bedep on the infected system’s disk. Fortunately, any post-infection activity usually leaves clues, since follow-up malware must be stored somewhere on the system in order to stay persistent and survive a reboot.

Angler EK and CryptXXX

In April 2016, the pseudo-Darkleech campaign started using Angler EK to send Bedep, and Bedep followed up with CryptXXX ransomware. Bedep also downloads click-fraud malware that generates web traffic behind-the-scenes (click-fraud is a fraudulent method used by criminal groups to increase advertising revenue). This click-fraud traffic is invisible to the end user, but it is noticeable when monitoring network traffic generated by the infected host.

Proofpoint and others reported details of CryptXXX and Bedep when this particular combination first appeared. Sometime during the second week of May 2016, the pseudo-Darkleech campaign stopped using Bedep and began sending CryptXXX only.

Figure 2: An example of Angler EK sending Bedep then Bedep sending CryptXXX on 2016-04-22.

Figure 3: An infected Windows desktop after Angler EK sent CryptXXX.

Conclusion

Angler EK will no doubt continue to evolve. We expect the EK to continue implementing improvements to avoid detection. As a payload of Angler EK, Bedep malware has recently changed and is much more capable of detecting virtual environments used by security researchers. CryptXXX ransomware is a growing menace that also has information stealing capabilities, and it appears to be moving to other campaigns that formerly spread TeslaCrypt ransomware.

How can people protect themselves against Angler EK? As stated in part 1 of this blog post, use a layered defense. First, make sure your operating system and applications are patched and up-to-date. Like any other EK, Angler takes advantage of outdated browser-based applications to infect vulnerable Windows hosts.

Network monitoring and endpoint protection are additional components of a layered defense. Palo Alto Networks Next-Generation Security Platform can help security teams monitor their network to detect the constantly changing indicators of Angler EK. Endpoint solutions like Palo Alto Networks Traps can help protect an organization’s assets against malicious executables, data files or network-based exploits before any malicious activity can successfully run.

Domains, IP addresses, and other indicators associated with Angler EK and its associated payloads are constantly changing. We continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.

Brad Duncan

[Palo Alto Networks Research Center]