Reinvent Your IT So You Can Disrupt and Handle Disruption

It may not be on the mind of every CEO, CIO or CTO but the rise of disruption is of major concern. Disruption itself has always been a part of business theory under Michael Porter’s five forces and classified as “the threat of new entrants”; but this threat has continued to evolve.

Barriers to entry in various markets have been in place to control competition. However, modern disruption can occur outside these barriers with the “disruptors” changing the very way the market sector operates thereby out manoeuvring and altogether eliminating existing big market players who could not anticipate this risk.

The difficulty in anticipating and mitigating disruptive risk is extreme since they may not actually exist at the moment but can exist in the future. Can your business survive after the disruption has happened? With the evidence of the impact of disruption all around, it should be evident that it is no longer a small issue, since the very survival of the enterprise may depend on it.

When Disruptions Occur
With this being the case, flexibility, speed and adaptability come to mind. However, many enterprises and their internal IT departments cannot offer those characteristics fast enough when disruption occurs, leaving the enterprise at a competitive disadvantage. This is because the “things always work this way” and “resistance to change” mentalities exist within all enterprises. By looking at the governance of enterprise IT (GEIT) and the importance of IT to support the enterprise, it may be wise to consider reinventing your IT.

By reinventing your IT you should consider the possibility of disruption as a major fact and readjust your current work models to offer some best case resistance/adaptability towards this. To take it a step further, you should streamline the enterprise to become the market disruptor itself, thereby giving your enterprise a head start against your current and potential competition.

One consistent view that remains is that security itself is of the uttermost importance and must be considered even though there is no single way to achieve the reinvention of your IT. We are in the age when digitization and connectivity play major roles for consumers. Customer demand and market conditions drive business strategy; however, reinvention can also be found in creating systems that change how business itself is done, to the benefit of customers, thereby driving habits and behaviors surrounding these.

Disruption should be discussed and considered as a new expectation rather than an impossibility. All strategy considers risk, but the question is:  how does one prepare for the unforeseen disruptive risk that has not happened yet? Is your enterprise ready?

Ammett Williams CCIE, CGEIT, Telecommunication Team Leader, First Citizens TT

[ISACA Now Blog]

Building Capability with CMMI

Capability is the backbone of an organization. The lack of organizational capability can lead to cost overruns, missed or close deadlines, poor morale, quality problems, customer complaints, and the inability to repeat previous success. But while organizational leaders recognize the need for capability improvement—according to a McKinsey & Company survey, executives view capability building as a top three strategic priority1—they often don’t know how to address their need.

CMMI Models
CMMI, or Capability Maturity Model Integration, provides a solution to increasing capability gaps. Proven effective in organizations and governments globally over the last 25 years, CMMI consists of collected best practices designed to promote the behaviors that lead to improved performance in any organization. CMMI’s pathway to capability improvement can be customized with 3 models for different environments:

  • CMMI for Development: Build capability when engineering or developing products and services.
  • CMMI for Acquisition: Build capability when acquiring products and services.
  • CMMI for Services: Build capability when providing services.

These models provide a framework for developing, improving and sustaining business performance in your environment. They enable you to determine if your current way of doing things is working, if you’re improving, and they lead you toward greater continuous improvement.

CMMI Maturity Levels
A key component to capability improvement is CMMI’s maturity levels. Maturity levels provide a rigorous benchmark rating method that enables you to compare your organization’s capability to its competitors, its industry and itself over time. CMMI provides 5 maturity levels that demonstrate a visible path for improvement: Initial, Managed, Defined, Quantitatively Managed and Optimizing.

As an organization advances its capabilities, it can expect to achieve a higher maturity level by identifying areas of improvement, working to correct these areas and integrating these solutions across its organization. High-maturity organizations have both lower risk and increased quality. The higher the organization’s maturity, the better its performance. By achieving a high CMMI maturity level, an organization demonstrates a deeper commitment to improving capabilities using statistical and other quantitative methods. A focus on continuous improvement means that high-maturity organizations are constantly evolving, adapting and growing to meet the needs of stakeholders and customers.

CMMI Around the World
Thousands of organizations have implemented CMMI; in 2015 alone, more than 1,900 high-performing organizations earned a CMMI maturity level rating. By implementing CMMI and communicating their maturity level to stakeholders, organizations highlight their capability and commitment to excellence.

CMMI has been implemented in 101 countries around the world, with 11 governments investing in CMMI to support economic development in their countries. For over 25 years, high-performing organizations in a variety of industries, including aerospace, finance, health care, software, defense, transportation and telecommunications, have earned a CMMI maturity level rating and proved they are capable business partners and suppliers.

In early 2016, ISACA acquired CMMI® Institute. ISACA and CMMI Institute share a vision for advancing organizational performance that centers on driving excellence in the IT, information systems governance, data management governance, software, and systems engineering functions in organizations across a spectrum of industries.

Learn about organizations who have implemented CMMI to improve their capability: http://cmmiinstitute.com/who-uses-cmmi.

Get Started
Ready to dive in? Download a model to get started:

For a deeper dive, the CMMI Institute offers several training courses and certification options. Elect for onsite training or take the online introductory Fundamentals of CMMI Elearning course from the comfort of your own home or office. Learn more about your CMMI training and certification options: http://cmmiinstitute.com/grow-your-career.

About CMMI Institute
CMMI Institute is the global leader in the advancement of best practices in people, process and technology. The Institute provides the tools and support for organizations to benchmark their capabilities and build maturity by comparing their operations to best practices and identifying performance gaps. Learn more: http://cmmiinstitute.com/.

Editor’s note: ISACA will be hosting a free webinar on the topic, ISACA Presents: Building Capability with CMMI, Wednesday, 17 August 2016, 12PM (EDT) / 11AM (CDT) / 9AM (PDT) / 16:00 (UTC).

1 McKinsey & Company, “Building Capabilities for Performance,” 2014

Sheela Nath, Business Writer, CMMI Institute

[ISACA Now Blog]

Aveo Malware Family Targets Japanese Speaking Users

(This blog post is also available in Japanese.)

Palo Alto Networks has identified a malware family known as ‘Aveo’ that is being used to target Japanese speaking users. The ‘Aveo’ malware name comes from an embedded debug string within the binary file. The Aveo malware family has close ties to the previously discussed FormerFirstRAT malware family, which was also witnessed being used against Japanese targets. Aveo is disguised as a Microsoft Excel document, and drops a decoy document upon execution. The decoy document in question is related to a research initiative led by the Ido Laboratory at the Saitama Institute of Technology. Upon execution, the Aveo malware accepts a number of commands, allowing attackers to take full control over the victim machine.

Deployment

The Aveo malware sample disguises itself as a Microsoft Excel document, as the icon below demonstrates. Note that the filename of ‘malware.exe’ is simply a placeholder, as the original filename is unknown.

Figure 1 Microsoft Excel icon used by Aveo malware

The executable is in fact a WinRAR self-extracting executable file, which will drop the decoy document and Aveo Trojan upon execution. The following decoy document is dropped and subsequently opened when run.

Figure 2 Decoy document used with Aveo malware

This decoy document is hosted on the Ido Laboratory and contains information about a 2016 research initiative. The document lists participants in the 16th CAVE workshop, including names, affiliations, and email addresses of those involved. The document, written in Japanese, as well as the filename of this document, “CAVE研究会参加者.xls”, indicates that this malware was used to target one or more Japanese speaking individuals. Additionally, the similarities between the Aveo and FormerFirstRAT malware families, which will be discussed later in the post, further add evidence that Japanese speakers are being targeted.

Infrastructure

The Aveo Trojan is configured to communicate with the following domain name over HTTP.

  • snoozetime[.]info

This domain was first registered in May 2015 to ‘jack.ondo@mail.com’. Since that time, it has since been associated with the following three IP addresses:

  • 104.202.173[.]82
  • 107.180.36[.]179
  • 50.63.202[.]38

All IP addresses in question are located within the United States.

Figure 3 PassiveTotal screenshot showing associated IP addresses with snoozetime[.]info

The WHOIS information for snoozetime[.]info lists a registrant email address of ‘jack.ondo@mail[.]com’ and a name of ‘aygt5ruhrj aygt5ruhrj gerhjrt’. Pivoting off of these two pieces of information to domains that share the same yields the following additional domains and email addresses.

  • bluepaint[.]info
  • coinpack[.]info
  • 7b7p[.]info
  • donkeyhaws[.]info
  • europcubit[.]com
  • jhmiyh.ny@gmail[.]com
  • 844148030@qq[.]com

Malware Analysis

After running the self-extracting executable, a number of files are dropped to the file system and the following execution flow is witnessed:

Figure 4 Malware execution flow

When the mshelp32.exe executable runs, it begins by reading in the setting32.ini file, which contains the name of the decoy document. This information is used to build a batch script, such as the following.

This batch script is executed within a new process, and acts as a simple cleanup script that runs after Aveo and the decoy document are executed.

Aveo Malware Family

The Aveo malware initially runs an install routine, which will copy itself to the following location:

  • %APPDATA%\MMC\MMC.exe

If for any reason the %APPDATA%\MMC directory is unable to be created, Aveo will use %TEMP% instead of %APPDATA%.

After the malware copies itself, it will execute MMC.exe in a new process with an argument of the original filename. When executed, if this single argument is provided, the malware will delete the file path provided.

After the installation routine completes, Aveo will exfiltrate the following victim information to a remote server via HTTP.

  • Unique victim hash
  • IP Address
  • Microsoft Windows version
  • Username
  • ANSI code page identifier

This information is exfiltrated to the ‘snoozetime[.]info’ domain, as seen in the following example HTTP request:

To encrypt the provided data, the malware makes use of the RC4 algorithm, using a key of ‘hello’. As shown in the following image, the encryption routines between Aveo and FormerFirstRAT are almost identical, with only the algorithms and keys being changed.

Figure 5 Comparison of encryption function between Aveo and FormerFirstRAT

In order to decrypt the data provided via HTTP, the following code may be used:

Running the code above yields the following results:

After the initial victim information is exfiltrated, the malware expects a response of ‘OK’. Afterwards, Aveo will spawn a new thread that is responsible for handling interactive command requests received by the command and control (C2) server, as well as requests to spawn an interactive shell.

Aveo proceeds to set the following registry key to point towards the malware’s path, thus ensuring persistence across reboots:

HKCU\software\microsoft\windows\currentversion\run\msnetbridge

A command handler loop is then entered, where Aveo will accept commands from the remote C2. While the Aveo malware family awaits a response, it will perform sleep delays of randomly chosen intervals between 0 and 3276 milliseconds. Should the C2 server respond with ‘toyota’, it will set that interval to 60 seconds. Aveo accepts the following commands, shown with their associated function.

  • 1 : Execute command in interactive shell
  • 2 : Get file attributes
  • 3 : Write file
  • 4 : Read file
  • 5 : List drives
  • 6 : Execute DIR command against path

The following example request demonstrates the C2 server sending the ‘ipconfig’ command to the Aveo malware.

C2 Request

Aveo Response

Conclusion

Aveo shares a number of characteristics with FormerFirstRAT, including encryption routines, code reuse, and similarities in C2 functionality. Aveo is far from the most sophisticated malware family around. As witnessed in the previously discussed FormerFirstRAT sample, this related malware family also looks to be targeting Japanese speaking users. Using a self-extracting WinRAR file, the malware drops a decoy document, a copy of the Aveo malware, and a cleanup script.

Palo Alto Networks customers are protected from this threat in the following ways:

  • An AutoFocus tag has been created to track and monitor this threat
  • WildFire classifies Aveo samples as malicious
  • C2 domains listed in this report are blocked through Threat Prevention.

Indicators of Compromise

SHA256 Hashes

9dccfdd2a503ef8614189225bbbac11ee6027590c577afcaada7e042e18625e2
8101c298a33d91a985a5150d0254cf426601e4632250f5a03ddac39375e7fb4d

C2 Domains

snoozetime[.]info

Registry Keys

HKCU\software\microsoft\windows\currentversion\run\msnetbridge

File Paths

%APPDATA%\MMC\MMC.exe
%TEMP%\MMC\MMC.exe

and

[Palo Alto Networks Research Center]

English
Exit mobile version