This past week, Palo Alto Networks hosted our very first Intern Tech Week to give our interns the chance to connect with teams from different branches of the company. It was an opportunity to not only learn more about Palo Alto Networks products but also see how they are made.
We kicked off the week last Monday with a deep dive from the creative minds behind AutoFocus. Scott Simkin, Senior Threat Intelligence Manager; Bilal Malik, Senior Product Manager; and Farshad Rostamabadi, Software Engineering Manager, discussed how they worked as a team to create a game-changing product that provides actionable threat intelligence to businesses and governments.
Tuesday began with a field trip to Flex to discover how our products are made. Vonnie French, Vice President, Supply Chain Operations, and her team provided an overview of the manufacturing organization and took the interns on a tour of the factory to see the entire cycle, from where the products are built to how they’re packaged and shipped to our customers.
The interns then met up with their hiring managers at Baylands Park to enjoy some good eats and fun outdoor games.
On Thursday, we got to find out what goes on in the mind of a hacker! Bryan Lee from Unit 42 stopped by to discuss what motivates hackers and what the future looks like for the cybersecurity industry. Ashwin Dewan, an intern from Product Management, learned a few new things from Bryan. “The presentation from the Unit 42 researcher helped me understand the company mission and vision,” he said. “Palo Alto Networks exists because hackers do, and understanding what a hacker is, and does, is as important as understanding any particular part of the platform.”
We ended the week with a great talk by our InfoSec Team. Rinki Sethi, Senior Director, Information Security, led a presentation with Lucas Moody, CISO, and other Information Security experts. This engaging panel discussed how they work to protect our brand and people using our best-in-class products. They also led the interns through an exercise of thinking through risk assessments, giving them a glimpse of what our customers do on a daily basis.
One of the main goals of our Summer Intern Program is to provide our interns with experiences that offer them a meaningful connection with our business. By hosting this Tech Week, we wanted our interns to learn more about the company and our products and get a glimpse into what our culture is truly like.
We think we achieved this because, as the week wrapped up, Channel Operations Intern, Jennifer Lu, said, “Seeing all the different people that made time for us interns, from Nir [Zuk] to Unit 42 to the InfoSec team, I really felt like I was part of Palo Alto Networks. I could clearly see the incredibly supportive, humble, and collaborative culture from every person I met at Tech Week! We are thankful for all of the great speakers we had this week and we already can’t wait for next year!”
When speaking to people who never considered a career in cyber or information security, we often find an audience put off by the perception that it is only for the technically minded. This couldn’t be further from the truth! Lucy Chaplin, a young consultant from the United Kingdom (U.K.) who became an Associate of (ISC)2 last year, demonstrates the possibilities.
Lucy considers herself lucky to have missed out on graduate programme schemes for management consulting. Coming out of Bristol University in 2012 with an honours degree in Economics and Politics, these programmes seemed to be the obvious choice at the time; and she made a concerted effort to contact The Big Four global consulting firms and small consultancies alike. Her research led to KPMG’s risk consultancy practice, which was a little bit more technical than the career she had imagined, but not daunting.
“I have never looked back. I asked for the opportunity to speak to as many people as I could around different practice areas and it became obvious that this was a high-growth industry that promised a lot of opportunity,” Chaplin says.
Celebrating her 25th birthday this year, Lucy is well aware that her choice has fast-tracked her career. She has worked on a variety of business, technical and strategic programmes examining technical risk, business resilience, infrastructure, cybersecurity and now Data Insight Services, where she helps clients take advantage of the volumes of data they have running through their systems to maximise the impact of their data and reporting. Her assignments have even included a stint on the McLaren Alliance, where she got a close-up view of the cars and met star Formula One driver Jenson Button.
Given the level of information and IT security required in the work she was doing, Lucy sought to solidify her knowledge in this area. Luckily, she was supported by her employer to pursue the Certified Information Systems Security Professional (CISSP®). She is now an Associate of (ISC)2 while she gains the five years’ experience required for full professional recognition.
“This was a great credential to work for because it really helped me get a broader view of the field, and the directions I could take in my career,” she says, adding, “As a young female who hadn’t studied the area, it also demonstrates that I understand the technical aspects of what I am working on. I continue to be very business-oriented, with a strong understanding of how technology works; but I have never had to be a technology expert. I work with others when such deep expertise is needed.”
What advice would Lucy give to graduates today?
“When you graduate, there is so much pressure on you from employers, family and peers to have a clear idea of what you want. But I got into a field that was changing too much to be able to build a five-year plan. In this organisation, my five-year plan changes with both the firm’s and my priorities. Take the time to talk to as many people as you can. Ask recruitment agents to refer you to people who can talk to you about their work. Attend events and ignore the pressure — let them tell you what is possible.”
When you listen to Indra Nooyi, PepsiCo CEO, you hear calm, measured confidence. When you listen to Sheryl Sandberg, Facebook COO, you hear upbeat, energized confidence. And when you listen to Mary Barra, GM CEO, you hear the concise messaging and confidence of a been-there-done-that leader.
Each of these women telegraphs leadership through her voice. When you listen, you don’t think, “I am listening to a woman leader.” You just know you are listening to a leader, a person with a passion for what she wants to convey and the utmost belief in her mission.
Our voices are one of the most powerful tools we can develop and leverage to convey leadership. By the same token, a weak voice lacking a passionate, well-defined, meaningful message will hinder our ability to grow and advance as leaders.
Sheryl Sandberg exhorts us to lean in. The most obvious way to do that is through what we say and how we say it.
One’s voice and the way one talks about their work is a powerful signal that we read instantly. We know leadership when we hear it.
Leaders Stand Out
As a recruiter and career coach for IT audit and IT governance, risk and compliance (GRC) professionals, I listen to a myriad of professional voices as people describe their jobs and careers. The leaders stand out from the moment they speak. They talk about their work with energy and intensity. Their thoughts are organized and they are clear about their contributions to their clients and teams. They communicate what they do by illustrating their work with specific examples.
An important point: Leaders build credibility by demonstrating what they do and have done, not by talking in generalities.
Indra Nooyi, in an interview about her keys to success, says that excellent communication skills were her focus early on. She worked hard to present a genuine voice and clear messages of her vision.
One can read books about improving communication, but doing the scary work of practicing your leadership voice, making mistakes along the way, is the best way to hone your message and vocal presence. Networking at conferences is an outstanding training ground for trying out messages and getting immediate feedback.
While networking at your next meeting, conference or coffee break, offer something about the exciting work you and your team are doing to drive the enterprise and make it a great place. Your understanding of the bigger picture, and passion about the mission, are critical leadership elements of this communication. Craft your story into a concise one to one and a half minute presentation of the cool stuff you are doing. Leading means communicating a vision for the greater good. This simple act helps you do that.
Illustrate Your Leadership Competencies
I use the STAR (Situation – Task – Action – Result) technique to help candidates create examples for interviews. Behavioral interview questions, designed to help interviewers assess competencies and traits, not the least of which is leadership skills, demand examples that illustrate thought process, character, decision making, judgment, persuasion and conflict resolution. Using STAR as a framework to organize work examples and accomplishments will help you create interesting stories that differentiate you from the competition. Your goal is to be memorable—in a good way. This method will help you achieve that.
People get to know us through the stories we tell. Leaders illustrate their work through powerful stories.
Important tip: When you acknowledge your team or describe how you fit into it, put the focus on your contributions. This is critical. I prep people for interviews every day. The most common interview mistake I hear—made by men, but even more so by women—is subsuming individual accomplishment under the mantle of “we” and being uncomfortable stepping up and saying this is what I am doing, this is what I bring to the table.
Leadership presence is something you can cultivate every day. Your work presents you with multiple opportunities to lean in and speak. Small changes in how you present yourself, your vision, your knowledge and your contributions will earn you greater recognition as a leader.
Editor’s note: The ISACA Now Blog section is celebrating Women in Technology Month throughout June by featuring female bloggers. If you are a female blogger and would like to contribute a blog, please contact us at news@isaca.org.
Andrew Tarvin is a best-selling author and professional stand-up and improv comedian. He teaches people and organizations how to use humor to be more effective and productive. Tarvin has worked with more than 100 organizations including Procter & Gamble, GE and Western & Southern Life Insurance, speaking, training, and coaching on topics ranging from humor in the workplace to communicating confidently to strategic disengagement.
ISACA Now: There are so many potential landmines when it comes to using humor at work, but overthinking humor can result in stilted un-funniness. What’s the solution?
Tarvin: This is a great question and a common concern for using humor in the workplace. While there are potential landmines, that doesn’t mean humor shouldn’t be used at all. Sending an email could theoretically get you fired (such as if you hit “reply all” on a distribution list causing a massive “Don’t hit reply all” flurry of emails), but we still use email. Just as email is a tool, humor is a tool.
The key to avoiding landmines while still being funny is intent. If you are using humor to get back at someone or really even “just to be funny,” it is more likely to come across negatively. However, if you have a specific reason for using humor (to connect with someone, get people to read an email, etc.), and come from a positive, inclusive perspective, your humor will be better received, creating laughter without offense.
Another way to think about it is that using humor doesn’t give you an excuse to be a jerk or talk about taboo subjects in the workplace. An offensive joke may “just be a joke,” but it’s still offensive.
ISACA Now: Governance, risk and control are not known for their ability to inspire humor. How can someone inject appropriate humor in otherwise serious tasks and jobs?
Tarvin: Who says IT governance can’t inspire humor? There’s so much to laugh about in the auditing and control of computer systems…
OK, so it can be a little dry, but the drier the material, the easier it is to instill humor because it’s so unexpected. Just because a job or work is serious doesn’t mean that it can’t be done in a fun, engaging and inspiring way. When I was a project manager at Procter & Gamble, small changes to how I worked had a huge impact. Simple things like using images in my presentations or giving my project team nicknames, went a long way in making the work more enjoyable. My colleagues from one team still call me Drewsito.
Don’t think about using humor as changing what you do, just how you do it. No matter your role, you still have to communicate messages, build relationships and be productive—all things that humor can help you do.
ISACA Now: Can humor be instilled in an entire organization? How?
Tarvin: Humor can be instilled in an entire organization, and the answer to how is simple… but not necessarily easy. It’s like how cooking is simple (follow the instructions) but not necessarily easy (my chicken always comes out burnt).
Humor in an organization comes down to individuals making a choice to find ways to enjoy their work more. The best way to encourage people to make that choice is to support them when they attempt to use humor. If someone adds humor to a presentation or email, let them know that you appreciate it (yes, even if the humor didn’t necessarily make you laugh).
Having a leadership team that embraces and uses humor is a huge help as well. The number 1 reason people don’t use humor at work more often is that they don’t think their boss or coworkers would approve. If you can dispel that myth, people will start to try new things; encourage that behavior, and it will start to spread.
It’s like a zombie apocalypse. It all starts with a patient zero and spreads from there. (For a more corporate metaphor, see Margaret Mead: “Never doubt that a small group of thoughtful, committed citizens can change the world; indeed, it’s the only thing that ever has.”)
ISACA Now: We’ve all had a supervisor who used humor—or what they thought was humor—in a passive-aggressive or even an active-aggressive manner that was off-putting and more about power than leadership. Can we use humor to safely defuse those situations? How?
Tarvin: You certainly can use humor to defuse a situation, but how you do it comes down to the specific circumstances. Perhaps one of the biggest challenges with humor is that it is very situational; what works in one setting for one person could backfire in a different setting with a different (or even the same) person.
For example, I think puns are like the coolest technologies we support—everyone should want to use them every day. Instead, they tend to be more like audits—people groan whenever they hear about them (sorry, just a joke to all of my auditors out there).
Safely using humor to defuse the situation goes back to having positive intent about the humor you use and really understanding your purpose.
ISACA Now: Oftentimes when teams want to solve a significant problem or do some major brainstorming the words, “Okay, let’s get serious and focus,” are used. How can humor regain a seat at the table?
Tarvin: It’s important to recognize that serious work doesn’t mean it can only be done in a serious way. In fact, the more serious something is, the more power humor tends to have, particularly when it comes to problem solving. Humor and creativity are both about finding unique connections and providing a new perspective.
In one study, students who watched a 20-minute comedy video before being asked to solve a problem were nearly 4 times more likely to solve the problem than students who didn’t watch the film. (If you want to know what problem they had to solve, check out the Candle Problem.) Humor gets the brain looking for new connections. Take this simple joke: “I can’t believe I got fired from the calendar factory. All I did was take a day off.” In order to understand it, your brain started making connections between “calendar factory” and “take a day off.” That same process is how we solve problems.
If you’re serious about solving a problem, you’ll use the best means to solve that problem, and humor is one of them.
Andrew Tarvin, Author, 2016 Governance, Risk and Control Conference Presenter
Unit 42 recently identified a variant of MNKit-weaponized documents being used to deliver LURK0 Gh0st, NetTraveler, and Saker payloads. The documents were delivered to targets involved with universities, NGOs, and political/human rights groups concerning Islam and South Asia. Reuse of this MNKit variant, sender email addresses, email subject lines, attachment filenames, command and control domains, XOR keys, and targeted recipients shows a connection between the different payload families delivered.
MNKit is the name given to a builder that generates documents exploiting CVE-2012-0158, the MSCOMCTL.OCX ActiveX control vulnerability in Microsoft Office. The documents are in MHTML format and, when opened on a host whose Office installation lacks the patch, install a malicious payload. We believe MNKit is privately shared between multiple attack groups, but is not widely available.
Information about previous attack campaigns using MNKit is available in the following reports:
Typical MNKit MHTML files have used User123 or User323 as the Author and LastAuthor element values within their DocumentProperties sections and C:/2673C891/Doc1.files/ as a file directory location. The samples discussed in this blog use User323 and User426 as Author and LastAuthor element values and C:/23456789/Doc1.files/ as a file directory location.
LURK0 Delivery
LURK0 is a family of remote access trojans derived from Gh0st RAT. It has been used by attack groups for years, as discussed by Citizen Lab in a 2012 publication on Tibet-related information operations, and has been fairly well analyzed in publicly available reporting. A subset of the MNKit exploit documents contained malicious self-extracting (SFX) PE files that delivered LURK0 implants. These PE files were encoded using a decrementing XOR function with the key beginning at 127. Each SFX contains five files:
RasTls.exe
RasTls.dll
MemoryLoad.dump
BTFly.dump
IconConfigBt.DAT or IconConfigBty.DAT
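The following Python triage script is an added example, not code from the Unit 42 post. It pulls the Author/LastAuthor values and the Doc1.files directory described above out of an MHTML document, compares them with the MNKit marker values the post lists, and then carves the XOR-encoded SFX PE by finding the offset at which a decrementing key starting at 127 would yield an MZ header. The `<o:Author>` elements and `Content-Location: file:///...` headers are standard Word MHTML output. Two things are assumptions not stated by the post: that the key wraps modulo 256 after reaching 0, and that the encoded PE sits somewhere in the raw document bytes (the carver searches for it rather than relying on a fixed offset). The sample document and the stand-in PE header are constructed.

```python
import re
from typing import Dict, List, Optional, Set

# Marker values the post reports for MNKit documents: the older User123/User323
# authors and C:/2673C891/Doc1.files/, plus this variant's User426 and
# C:/23456789/Doc1.files/.
MNKIT_AUTHORS: Set[str] = {"User123", "User323", "User426"}
MNKIT_DIRS: Set[str] = {"C:/2673C891/Doc1.files/", "C:/23456789/Doc1.files/"}

XOR_START_KEY = 127  # the post: "decrementing XOR function with the key beginning at 127"

# Word writes document properties as <o:Author>/<o:LastAuthor> elements and
# part locations as Content-Location: file:///... headers in its MHTML output.
AUTHOR_RE = re.compile(r"<o:(Author|LastAuthor)>([^<]*)</o:\1>")
DIR_RE = re.compile(r"file:///([A-Za-z]:/[^/\s]+/Doc1\.files/)")


def mhtml_markers(doc: bytes) -> Dict[str, Set[str]]:
    """Collect Author/LastAuthor values and Doc1.files directories from an MHTML document."""
    text = doc.decode("latin-1")  # 1:1 byte mapping, so binary junk cannot raise
    return {
        "authors": {m.group(2).strip() for m in AUTHOR_RE.finditer(text)},
        "dirs": set(DIR_RE.findall(text)),
    }


def xor_decrementing(blob: bytes, start_key: int = XOR_START_KEY) -> bytes:
    """Apply the decrementing XOR: byte i is XORed with (start_key - i).

    Assumption: the key drops by one per byte and wraps modulo 256
    (127, 126, ..., 0, 255, ...). XOR is its own inverse, so this both
    encodes and decodes.
    """
    return bytes(b ^ ((start_key - i) & 0xFF) for i, b in enumerate(blob))


def find_encoded_pe(data: bytes, start_key: int = XOR_START_KEY) -> List[int]:
    """Offsets at which decoding with the key would produce an 'MZ' header."""
    k0, k1 = start_key & 0xFF, (start_key - 1) & 0xFF
    return [
        i for i in range(len(data) - 1)
        if data[i] ^ k0 == 0x4D and data[i + 1] ^ k1 == 0x5A  # 'M', 'Z'
    ]


def carve_pe(data: bytes, offset: int, start_key: int = XOR_START_KEY) -> Optional[bytes]:
    """Decode from offset and confirm a PE signature at e_lfanew; None if not a PE."""
    decoded = xor_decrementing(data[offset:], start_key)
    if len(decoded) < 0x40 or decoded[:2] != b"MZ":
        return None
    e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little")
    if decoded[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return decoded


def triage(doc: bytes) -> Dict[str, object]:
    """Summarise MNKit-style markers and any carvable XOR-encoded PE in a document."""
    markers = mhtml_markers(doc)
    offsets = [o for o in find_encoded_pe(doc) if carve_pe(doc, o) is not None]
    return {
        "authors": markers["authors"],
        "dirs": markers["dirs"],
        "mnkit_markers": bool(markers["authors"] & MNKIT_AUTHORS or markers["dirs"] & MNKIT_DIRS),
        "pe_offsets": offsets,
    }


def _fake_pe() -> bytes:
    """Constructed stand-in for a PE: DOS header with e_lfanew = 0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


# Constructed sample document carrying this variant's markers and an encoded PE.
SAMPLE_DOC = (
    b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"----=_x\"\r\n\r\n"
    b"------=_x\r\nContent-Location: file:///C:/23456789/Doc1.files/filelist.xml\r\n\r\n"
    b"<o:DocumentProperties><o:Author>User426</o:Author>"
    b"<o:LastAuthor>User323</o:LastAuthor></o:DocumentProperties>\r\n"
    + b"\x00" * 16 + xor_decrementing(_fake_pe()) + b"\x00" * 8
)

if __name__ == "__main__":
    print(triage(SAMPLE_DOC))
```

The two-byte search is cheap because the key schedule is fixed: for the first byte of an MZ header the key is always 127, for the second always 126, so only one byte pair needs to be tested per offset, and the e_lfanew check weeds out chance matches before anything is written to disk.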
Execution of the self-extracting archives, which side-load the LURK0 payload through RasTls.exe, is identifiable by the registry key they create.
http://www.amerikauyghur[.]top and dge.123nat[.]com are two command and control domains resolved by the malware. The first domain was previously mentioned by Arbor Networks in The Four-Element Sword Engagement, a report detailing the targeting of Tibetan, Hong Kong, and Taiwanese interests. A subdomain of 123nat[.]com, manhaton.123nat[.]com, was also referenced in Arbor’s report as a LURK0 command and control domain. The string LURK0 occupies the first five bytes of an implant beacon.
Saker Delivery
Saker, often also called ‘Xbox’ and ‘Mongall’, is a malware family used by targeted attack groups who have also deployed NetTraveler and Gh0stRAT.
Two of the sending addresses used to distribute the above LURK0 samples, dolkun2015@gmail[.]com and duqdiniishlari@gmail[.]com, were also used to distribute other types of malware. By observing overlaps in the sending and receiving email addresses as well as the filenames of attachments, we were able to identify additional MNKit exploit documents that also included self-extracting PE files. These PE files were again XOR encoded in the attached documents using the same decrementing key (beginning with 127). These additional SFX PE files are password protected using one of the following passwords:
aurhuhkdsf!.xlas
^elqwiajdsfile!
Ieafsdisdlflei!dsa
Instead of including RasTls.exe to side-load payloads (as the LURK0 samples did), each embedded PE contains a single DLL named msdis.dll, which exports a function named JustTempFun. The SHA256 hashes and compile timestamps of the recently compiled and deployed msdis.dll files follow:
Saker samples construct strings during execution. One such string is the origin of the malware’s name.
The Saker PEs also contain user agent strings (also constructed during execution): Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 1.1.4531) and Mozilla/6.0 (compatible; MSIE 9.0; Wis NT 8.1; .NET CLR 2.13431). The second, with its truncated “Wis NT” token, is similar to the user agent Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322) outlined by FireEye in 2014.
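As an added example (not code from the Unit 42 post), the following Python script turns the two network observables above into detection logic: the LURK0 string in the first five bytes of an implant beacon, and the hand-built Saker user agent strings with their “Wis NT” defect. The post states only that LURK0 occupies the first five bytes; the rest of the beacon layout used here (total length and decompressed length as little-endian uint32s, then a zlib-compressed body) is an assumption carried over from the Gh0st RAT framing LURK0 derives from, and the parser rejects anything that does not satisfy it. The beacon, the HTTP request and the host name c2.example are constructed.

```python
import struct
import zlib
from typing import Optional

LURK0_MAGIC = b"LURK0"
HEADER_LEN = 13  # 5-byte magic + two little-endian uint32s (assumed, see parse_lurk0_beacon)

# User agent strings the post reports in the Saker samples, typos included.
SAKER_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 1.1.4531)",
    "Mozilla/6.0 (compatible; MSIE 9.0; Wis NT 8.1; .NET CLR 2.13431)",
}


def parse_lurk0_beacon(payload: bytes) -> Optional[dict]:
    """Validate a LURK0 beacon and return its decompressed body, or None.

    The post states only that the first five bytes are 'LURK0'. Assumption,
    taken from the Gh0st RAT framing LURK0 derives from: the magic is followed
    by the total packet length and the decompressed length (both uint32 LE)
    and then a zlib-compressed body.
    """
    if len(payload) < HEADER_LEN or payload[:5] != LURK0_MAGIC:
        return None
    total_len, plain_len = struct.unpack_from("<II", payload, 5)
    if total_len != len(payload):
        return None
    try:
        body = zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return None
    if len(body) != plain_len:
        return None
    return {"family": "LURK0", "plain_len": plain_len, "body": body}


def build_lurk0_beacon(body: bytes) -> bytes:
    """Constructed beacon in the assumed framing, used to exercise the parser."""
    comp = zlib.compress(body)
    return LURK0_MAGIC + struct.pack("<II", HEADER_LEN + len(comp), len(body)) + comp


def user_agent(http_request: bytes) -> Optional[str]:
    """Return the User-Agent header of a raw HTTP request, if present."""
    head = http_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return None


def classify_user_agent(ua: str) -> str:
    """'saker-known' for the exact strings from the post, 'saker-like' for the
    same hand-built defect in a different string, otherwise 'benign'."""
    if ua in SAKER_USER_AGENTS:
        return "saker-known"
    # "Wis NT" is a truncation of "Windows NT" that no real browser emits; the
    # post notes it in both the new sample and the 2014 FireEye sample.
    if "Wis NT" in ua:
        return "saker-like"
    return "benign"


def classify_payload(payload: bytes) -> str:
    """Label one TCP payload: LURK0 beacon, HTTP with a classified user agent, or unknown."""
    if parse_lurk0_beacon(payload) is not None:
        return "lurk0-beacon"
    if payload[:4] in (b"GET ", b"POST"):
        ua = user_agent(payload)
        return "http:" + (classify_user_agent(ua) if ua else "no-user-agent")
    return "unknown"


# Constructed sample traffic.
SAMPLE_BEACON = build_lurk0_beacon(b"WIN-TEST|192.0.2.10|LURK0 check-in")
SAMPLE_HTTP = (
    b"GET /index.php HTTP/1.1\r\nHost: c2.example\r\n"
    b"User-Agent: Mozilla/6.0 (compatible; MSIE 9.0; Wis NT 8.1; .NET CLR 2.13431)\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

if __name__ == "__main__":
    for pkt in (SAMPLE_BEACON, SAMPLE_HTTP, b"Gh0st" + b"\x00" * 8):
        print(classify_payload(pkt))
```

Matching the exact user agent strings catches the samples in hand; the “Wis NT” substring check is the more durable signal, since it survives the version-number changes the operators have already made between the 2014 and 2016 samples.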
The command and control locations for the Saker samples delivered via MNKit follow:
bsnl[.]wang
www.amerikauyghur[.]top
www.onebook[.]top
amerikauyghur[.]top overlaps with the LURK0 samples previously mentioned. Both onebook[.]top (registered with a registrant email address of interestbook@sina[.]com) and bsnl[.]wang (registered with a registrant email address of jgjop@yahoo[.]com) have previously resolved to 103.232.222[.]20.
Using AutoFocus, we were able to locate additional samples that resolved to these domains. The samples are a mix of LURK0, Saker, and PlugX. Their hashes follow:
NetTraveler is a backdoor used to install other malware, steal information, and provide remote control of a compromised system. The targets of the NetTraveler operators previously described by Kaspersky Lab align closely with the recipients of a new set of samples.
Three additional MNKit exploit documents were located as email attachments; unfortunately, we were unable to locate the emails they were sent with. These three samples also included SFX PE files encoded using the same decrementing XOR. Within each PE are three files which side-load NetTraveler:
fsguidll.exe
fslapi.dll
fslapi.dll.gui
The hashes and compile timestamps for each fslapi.dll follow:
The fslapi.dll files load their accompanying fslapi.dll.gui files, which are XOR encoded. The decoded fslapi.dll.gui DLLs include the following embedded URLs, the first of which was previously documented by Unit 42 as a red herring within NetTraveler samples:
The fslapi.dll files contain an overlay that is used to decode the real C2 as documented in the same Unit 42 NetTraveler blog. The decoded command and control URLs include:
Tassnews[.]net was registered with a registrant email address of ghjksd@gmail[.]com and info-spb[.]com was registered with a registrant email address of kefj0943@yahoo[.]com. Riaru[.]net was registered with a registrant email address of fjknge@yahoo[.]com on 29 March 2016; that address also registered one other domain name, yandax[.]net, on 16 June 2016 using the same authoritative DNS servers and registrar. Interfaxru[.]com was registered with a registrant email address of ganh@gmail[.]com on 18 April 2016 using the same registrar and authoritative DNS servers as riaru[.]net and yandax[.]net. Only one domain name is currently registered by ganh@gmail[.]com; however, it would be no surprise if this registrant registers an additional domain in the near future.
Putting it All Together
While MNKit has been associated with multiple groups, the reuse of domain names, IPv4 addresses, phishing themes, XOR schemes, and email accounts is strong evidence of a link between these new attacks and the previously documented ones. The change in SFX PE contents across the three sets of samples (February to March 2016, March to April 2016, and April to June 2016) shows slight deviation in payload but consistency in delivery method. The best defense against MNKit is to ensure your systems are patched for CVE-2012-0158; where this isn’t possible, exploit mitigation technology like Traps is warranted.
While attribution is a challenging art, the shared infrastructure, malware families and delivery techniques make it likely that whoever is behind these recent attacks is related to the previously reported ones. The attackers have been active for years, will likely continue to be active, and seem to prefer to change tactics only subtly.
AutoFocus users can track the malware discussed above using the following tags: