Device groups make configuring firewalls easy by enabling you to group firewalls that require similar policy rules based on location and function. You can make your configuration workflow even easier by nesting device groups in a hierarchy with the predefined Shared location in the top layer and then parent and child device groups in descending layers. In a device group hierarchy, all firewalls inherit rules and objects that are common across your organization from Shared and the firewalls in child device groups inherit rules and objects from parent device groups. Inheritance enables you to avoid configuring duplicate settings in each device group.
How Do I Configure a Panorama Device Group Hierarchy?
Say you have data center firewalls in Chicago and Cairo and branch office firewalls in London and Shanghai. To avoid redundant configuration, you can create six device groups, each containing only the settings that are specific to the firewalls used for each function (data centers or branch offices) or each location (Chicago, Cairo, London, or Shanghai). Configuring the Chicago and Cairo device groups as children of the Data Center device group ensures that the firewalls in those locations inherit the Data Center settings. Similarly, configuring the London and Shanghai device groups as children of the Branch Office device group ensures that the firewalls in those locations inherit the Branch Office settings. All the firewalls in every location inherit shared settings.
Robert Megennis is a 16-year-old racing prodigy. Palo Alto Networks is proud to be an ongoing sponsor of Rob’s races for the 2016 Mazda Road to Indy racing season. We’ll be checking in tochronicle his adventures as a true next-generation competitor!
After nine races, including the recent Grand Prix Road America in Wisconsin, Rob is the highest ranked rookie in the championship, with almost double the points of the next closest first-year driver. He is the only rookie in the top 10, and the only American in the top 10. On to Toronto!
Check out photos from Rob’s recent travels and fan feedback below.
“We both wanted to thank you so much for the wonderful hospitality and also the amazing view and great food yesterday. Rob is such a great kid–we can’t wait to keep following his career! We will wear the t-shirts with pride!”
“Thanks for the inside look at racing. We enjoyed it a lot. Best of luck to you, Rob, and the whole team this year!”
The weakest link in every security posture is always the human element, which is a problem because the core asset of every business is its people. It is that human factor that makes social engineering such a significant, difficult to manage problem.
The term “social engineering” incorporates any and all human-intelligent interactions that are designed to elicit an involuntary or unconscious response that serves the social engineer’s need. In many cases, this means that social engineering is conducted to elicit sensitive/private information or induce end users or enterprises to adopt a certain set of behaviors.
Typically, social engineering is a precursor to, or simultaneous to, technology-based attacks. The overall attack, therefore, has a technical and a social component, allowing attackers to fine-tune their methods and reactions to end-user or corporate behavior. The more background research and intelligence the social engineer possesses, the more difficult it will be to recognize the social engineering attempt.
Social engineering is especially dangerous for employees who may have special access to valuable assets that other employees may not, such as the ability to wire funds. A good example of this occurred last year when Ubiquiti Networks Inc., a US-based manufacturer of high-performance networking technology for service providers and enterprises, was taken for US $39 million. An employee of a Ubiquiti subsidiary was the victim of a CEO scam, which hijacks or impersonates the email of a senior executive within an organization. In this case the victim, who had authority to initiate wire transfers, transferred large amounts of money from company accounts to the criminal’s accounts.
Adversaries are cognizant of the basic human tendency to trust people on face value, and accordingly, they abuse that trust to perform social engineering attacks. Unfortunately, the best way to combat these conditions is to change behavior. Specifically, it is best to change behavior in a way that makes people less trusting and more skeptical. Changing behavior is already difficult and especially more so when the change requires a person to acquire a bleaker outlook on the world around them. For these reasons, organizations need to recognize that results may require investments of time and resources to drive a long term change.
Increasing Vigilance, Awareness It takes considerable training and awareness for organizations to develop the skills and collective mindfulness required to consistently fend off social engineering attacks. Though commonly seen as synonyms, it is important to note that training and awareness are distinct topics.
Training seeks to educate individuals about what they should or should not do. Through training, personnel become more educated about the ways they may unwittingly become victimized, so they can become more vigilant. For example, a good training program would teach attendees about why they should be suspicious of a phone call asking for information, and it would provide them with techniques to politely ascertain the validity of the request.
Awareness seeks to galvanize the group to address security problems together. Through awareness, members of a team become more cognizant of what each member is doing. For example, an effective awareness program leads members to raise a red flag if they see a delivery person walking through the office area unescorted. Seemingly innocuous circumstances (such as package deliveries) are the arenas in which social engineers operate most effectively.
Editor’s note: ISACA Now is running a series of blogs on the 10 threats covered in ISACA’s Cybersecurity Nexus (CSX)Threats & Controls tool. To learn more about the controls for cybercrime, as well as recent examples and references, typical patterns of cybercrime and more, visit the tool here. Ted Harrington drives thought leadership initiatives for Independent Security Evaluators, and is a sought-after speaker, presenting at high-profile conferences in a range of industries, including media and entertainment, hospitality, finance and others.
In recent weeks, I’ve spent time investigating the LuminosityLink Remote Access Trojan’s (RAT) embedded configuration. For those unaware, LuminosityLink is a malware family costing $40 that purports to be a system administration utility. However, when executed, the malware leverages a very aggressive keylogger, as well as a number of other malicious features that allow an attacker to gain full control over a victim machine.
Figure 1 LuminosityLink website
At the request of a coworker, I was asked to extract the configuration of a LuminosityLink sample, and while I could have simply executed the malware in a sandboxed environment and pulled the configuration from memory, I chose to see if I could perform the same action against the static binary.
This led to me understanding how the configuration is encrypted within the binary, as well as how to parse that configuration. I’ve created a script to perform this action against an unaltered LuminosityLink malware sample, which I will be sharing within this blog post. Furthermore, I looked at the roughly 18,000 LuminosityLink samples Palo Alto Networks has collected over time, and using this script, I was able to extract the configurations of 14,700 samples. (This data can be found in the Appendix section of this post.)
Overview of LuminosityLink
Originally surfacing in May 2015, LuminosityLink’s popularity has been on the rise, as shown in the following chart. To date, Palo Alto Networks has tracked approximately 50,000 attempted infections of LuminosityLink against our customers.
Figure 2 AutoFocus graph of LuminosityLink sessions over time.
LuminosityLink currently sells for $40 and can be purchased directly from its author. This package allows attackers to host a LuminosityLink server as well as generate customized binaries, which are obfuscated with ConfuserEx 0.4.0. ConfuserEx is an open-source project that obfuscates the underlying .NET code, making it much more difficult for reverse engineers that decompile it. This is important to note for later when we discuss determining how to reverse-engineer the encryption process.
As mentioned previously, a number of configuration options are included, as we can see in the following screenshot.
Figure 3 Client configuration options in LuminosityLink
Once executed, attackers are given a wealth of options, including keylogging, remote desktop, password stealing, and interacting with a shell on the device.
Reverse-Engineering the Configuration
The first step in parsing out the configuration of LuminosityLink is to extract it statically. I initially opened up a clean LuminosityLink sample using a program named dnSpy to search for clues as to where the configuration might be stored. (As a quick aside, I highly recommend dnSpy, as it not only does a great job of decompiling the provided .NET binary, but it also comes equipped with a built-in debugger, which is instrumental in tackling problems such as the one we are facing.)
When initially opening up a sample binary, I didn’t expect much as I knew the sample was obfuscated using ConfuserEx. However, looking at the resources of the sample, I saw some strings that looked promising.
Figure 4 Embedded resource strings in LuminosityLink
As we can see, the malware contains a number of resources that in turn contain what appears to be Base64-encoded data. The “SMARTLOGS”, “XML”, and “CONFIG” resources all contain a wealth of data, which, at this point, is still unknown. Unfortunately, decoding these strings results in garbage, which likely means some other form of encryption is being used underneath.
I continued to investigate the underlying code, which, while obfuscated, still provides a high-level idea of what various classes are doing. Using imported namespaces, API calls and certain un-obfuscated strings, we’re able to get clues as to what is going on within the program. Specifically, we see the fd() class using the namespace of ‘System.Security.Cryptography’, which certainly merits investigation as we suspected crypto being used against the earlier referenced resource strings.
Figure 5 Cryptography namespace being used by LuminosityLink
As we further investigate this class, we see references to the following classes and functions:
MD5CryptoServiceProvider
ComputeHash
FromBase64String
RijndaelManaged
At this point, I turned to my debugger in an attempt to see how these strings were handled. I set breakpoints on various calls previously mentioned. Specifically, the breakpoint on the RijndaelManaged class yields excellent results.
Figure 6 Successful recovery of AES-128 key
We’re able to not only verify that AES-128 encryption is used, but also verify that the “SMARTLOGS” resource string is being used. We also are able to identify the string being used as the key, which in this particular example is “\\ecnOnuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS”. Further investigation reveals that this string is hashed using the MD5 algorithm. The first 15 bytes of this hash is concatenated with the entire 16 bytes of the hash, followed by a null byte. We can replicate this decryption process in Python as such:
1
2
3
4
5
6
7
8
9
10
def decrypt_data(data,key_string):
decoded_data=base64.b64decode(data)
m=hashlib.md5()
m.update(key_string)
md5=m.digest()
key=md5[0:15]+md5+“\x00”
mode=AES.MODE_ECB
iv=‘\x00’*16
e=AES.new(key,mode,iv)
returne.decrypt(decoded_data)
We can further verify that this is correct using the above code. In the following example, the data variable has been set with the base64-encoded string found within the “SMARTLOGS” resource, and the key_string variable has been set to the reversed registry key previously mentioned.
Using trial and error, we’re able to successfully map each variable witnessed in the above configuration. The last variable proves to be quite interesting, as each character except for ‘1’ maps to a particular configuration option. The following mapping was determined:
i : Enable Client Installation/Startup
d : Client Persistence Module: Protect Luminosity’s Client Binary
s : Silent Mode (Hide Luminosity Window on Client PC)
a : Proactive Anti-Malware: Clean Malicious Files and Speed up Client PC
n : Power Saver: Prevent Sleep Mode and Turn off Monitor after 15 minutes of inactivity
m : Remove File after Execution (Melt)
v : Anti-Virtual Machines/Debugging
h : Hide File and Directories
b : Backup Startup
Using this knowledge, we can parse the above configuration, which yields the following results.
[X]Silent Mode(Hide Luminosity Window on Client PC)
[]Proactive Anti–Malware:Clean Malicious Files andSpeed up Client PC
[X]Power Saver:Prevent Sleep Mode andTurn off Monitor after15minutes of inactivity
[]Remove File after Execution(Melt)
[]Anti–Virtual Machines/Debugging
[]Hide File andDirectories
[X]Backup Startup
Parsing LuminosityLink Configurations at Scale
Using this knowledge, we created a script to parse the configuration of a given sample. The script searches for strings that appear to be base64-encoded with a length greater than 50 and takes a brute-force approach. While not elegant, it does the job quite successfully. The script can be downloaded in the Appendix section of this blog post.
Going through Palo Alto Networks repository of samples, we found roughly 18,000 files tagged as LuminosityLink. For these 18,000 samples, we applied our static configuration extraction and parsing script and successfully retrieved about 4,500 configurations. The remaining samples were packed beyond the built-in ConfuserEx obfuscation routine, and as such, the raw configuration strings were not present.
These samples were run through a local instance of the open-source Cuckoo Sandbox, where the process dumps were extracted. The same script was applied to these process dumps, where we were able to obtain an additional 10,200 configurations, leaving us with a total of 14,700 parsed LuminosityLink configurations.
As the samples were processed, further keys were discovered to be used by the author. The following additional three strings were used to generate the keys to LuminosityLink samples.
This conf’ig contains nothing useful. Quit acting as if you’re cool by decrypting it.
Resources.SMARTLOGS
Specify a Password
It appears as though the author of LuminosityLink is not without a sense of humor. Additionally, as we parsed older samples, it was discovered that the configuration made a change sometime between February and June of this year. Fewer options were available in the configuration of older samples. The provided script accounts for these differences and various keys used.
Using the aggregated data from the 14,700 configurations, the following high-level statistics were pulled:
Figure 7 Prevalence of enabled settings in LuminosityLink configurations
Top C2 TLDs/IP Addresses
[3308] ddns[.]net
[2537] duckdns[.]org
[904] no-ip[.]biz
[670] chickenkiller[.]com
[378] no-ip[.]org
[377] mooo[.]com
[242] fishdns[.]com
[174] no-ip[.]info
[165] ignorelist[.]com
[157] freedns[.]su
Top Build IDs
[4829] HOME
[83] Client
[82] crtx1
[71] M4CHINATION
[65] CSGO
[65] NEW
[59] Slave
[47] CAPO
[44] Youtube
[42] PROJECT.D
Top Executable Names
[1973] sysmon.exe
[1831] client.exe
[1254] helper.exe
[1207] repair.exe
[1087] winlogon.exe
[509] svchost.exe
[315] Luminosity.exe
[83] WinCOMHost.exe
[82] chrome.exe
[61] windowsbootapp.exe
Top Ports
[1866] 6318
[1055] 1400
[493] 1604
[412] 1337
[214] 3175
[182] 22028
[162] 9045
[119] 2122
[115] 100
[113] 9999
The parsed configuration data, provided in the CSV file format, is being freely provided to the security community in the hope that protections will be created against this threat.
Conclusion
LuminosityLink, while marketed as a systems administration utility, is a formidable keylogger and backdoor used by a large number of criminals. To date, Palo Alto Networks has witnessed over 50,000 attempted infections of LuminosityLink, encompassing 18,000 unique samples. The malware is cheap and readily available to the public, making this a dangerous threat to both organizations and individuals alike.
By reverse-engineering LuminosityLink samples, we were able to statically extract and parse the embedded configuration, which in turn provides valuable information about with what hosts and ports the malware is configured to communicate. It also provides information regarding configured protections configured within the executable, as well as installation information.
Palo Alto Networks customers are protected from this threat in the following ways:
An AutoFocus tag can be used to track this malware family
All LuminosityLink samples are appropriately marked as malicious in WildFire
All identified domains are flagged as malicious
Network traffic is appropriately identified and blocked as threat ID #14460 (LumonosityLinkRAT.Gen Command And Control Traffic)
Appendix
An extraction and parsing script for LuminosityLink samples can be found here.
A script to be used to parse plain configuration strings can be found here.
A CSV file containing all of the configuration data extracted from Palo Alto Networks sample set can be found here.
The Mobile Application Security Testing (MAST) Initiative is a research which aims to help organizations and individuals reduce the possible risk exposures and security threat in using mobile applications. MAST aims define a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and best practices in the use of mobile applications.
Mobile application security testing and vetting processes utilized through MAST involve both static and dynamic analyses to evaluate security vulnerabilities of mobile applications for platforms such as Android, iOS and Windows. These processes cover permissions, exposed communications, potentially dangerous functionality, application collusion, obfuscation, excessive power consumption and traditional software vulnerabilities. It also covers internal communications such as debug flag and activities and external communications such as GPS, NFC access as well as checking the links that are written in the source code. In addition to security testing and vetting, the initiative has also proposed processes and procedures for security incidence response.
The use of mobile applications has become unavoidable, almost a necessity, in today’s world. More people are starting to question the security of mobile applications and it’s about time that you take a look at what the Cloud Security Alliance has to say about mobile application security!
![TechDocs_logo_lrg_final[1]](https://i0.wp.com/researchcenter.paloaltonetworks.com/wp-content/uploads/2016/05/TechDocs_logo_lrg_final1-500x153.jpg?resize=500%2C153){kind=logo}
