AutoFocus: Your Answer to Actionable Threat Intelligence

Threat intelligence involves learning about new attacks, adversaries, campaigns, and malware families through distinct pieces of information often referred to as indicators of compromise, or IOCs. The more we make relevant information available to network defenders, the better the odds are that they will find answers to their questions. One key consideration for leveraging threat intelligence to improve an organization’s security posture is that it must be readily able to enforce new prevention-based controls.

Threat intelligence has traditionally been used by security operations centers’ incident response teams. As security awareness in organizations of all sizes begins to expand, most people realize that they want to know which alerts should be made a priority and which threats the organization is subject to. Who are the threat actors? There is a big difference between commodity and targeted attacks. Answering these questions can lead you to implementing new controls that allow you to better secure the environment.

Enter AutoFocus. AutoFocus is the Palo Alto Networks threat intelligence service, which provides a window into billions of samples and threat artifacts collected from and correlated within our Threat Intelligence Cloud, including results from global WildFire data. The information allows security teams to quickly identify targeted that’s and pivot to relevant IOCs quickly, accelerating their analysis and response workflows. AutoFocus complements the Palo Alto Networks Next-Generation Security Platform, enabling searches from your Palo Alto Networks appliances into AutoFocus, or from AutoFocus into your Palo Alto Networks appliances. There is also an API that interacts with the data and feeds third-party security solutions. This level of usability means that a threat research team isn’t necessary to make use of the data. Anyone responsible for handling security incidents in the environment can make use of the data in AutoFocus.

In this post, we will explore a use case that will enable security operators to quickly identify what happened during an incident and to take action.

Searching From AutoFocus

Unit 42 is the Palo Alto Networks threat intelligence team that provides AutoFocus users access to world-class human intelligence, even if they don’t have a research team of their own. Unit 42 contributes to the AutoFocus community by researching malware families, campaigns, adversaries, exploits and malicious behaviors, and by compiling indicators of compromise into durable tags to identify malicious events.

To get started, it may be interesting to navigate through some of the research already done by Unit 42. Let’s assume Locky is something we have not investigated yet. By selecting this tag, we can get information about the research done by Unit 42 on this malware family.

Drilling into Locky provides us with all the search attributes associated with this tag. We can see that Locky is a ransomware payload, which is used to encrypt sensitive files or systems, then hold them until the victim pays the attacker. We also see that Locky is typically dropped byDridex actors, which gives us a better idea of who is likely to be behind the attack. Ransomware is typically more of a commodity type of crime, in which the attacker’s goal is to get as many systems encrypted as possible, driving profits from their malicious activity.

Selecting “Add Tag” to “Search” will bring up the results of a query that includes samples, sessions, statistics, and much more information about the malware. You can search through samples of data that came from devices owned by your organization via WildFire. You can also see samples made public by other organizations, dramatically broadening the lens.

This allows you to gain visibility into threats not directly observed by your organization, taking advantage of the community of WildFire and AutoFocus users. In this case, we will pivot into “Public” samples to further analyze the Locky ransomware.

Finding over 7,000 variants seems daunting. It also demonstrates that file-hash-only identification is no longer practical. By drilling into the samples, we can see that there are patterns in the malware. These are the same similarities that Unit 42 used to create the tag. The infrastructure for the malware and most of what it does to the system once installed are the same each time it is deployed – primarily, that the file is obfuscated by changing a few bits to avoid hash-based detection.

By drilling into one of the hashes, we can see everything that WildFire observed when detonating this malicious software on Windows® XP and Windows 7. From there we can drill into individual indicators of compromise and search our own appliances for evidence, as well as create new protections for specific high-value IOCs, such as IP address, DNS or URLs.

The remote search function allows you to add search filters specifically designed for Palo Alto Networks security appliances. You will first be prompted to choose which of your appliances to search. Finally the console for the specified appliances will launch with the search filters already in place.

In this case, we have selected our Panorama instance. Since the logs from all security appliances are being forwarded, we will have visibility into the entire network with one search.

When we search through all the various types of logs in Panorama, we are looking for a specific command and control server as the destination. The good news is that we did not find the command and control server for Locky in the network, meaning we have confirmed there is no active infection within the organization.

[Palo Alto Networks Research Center]

COBIT: The Road Ahead

1996 had its share of significant events. The first flip phone, the Motorola StarTAC, went on sale. The Czech Republic applied for European Union membership. Australia defeated Sri Lanka 2-0 to win cricket’s World Series Cup. The first version of the Java programming language was released. The massive Internet collaboration “24 Hours in Cyberspace” took place. IBM computer Deep Blue became the first computer to win a game of chess against a reigning (human) chess champion. Excel Communications Inc. became the youngest company ever to join the New York Stock Exchange. Intel released the 200 MHz Pentium chip. And ISACA published the first edition of what was then called Control Objectives for Information and related Technology, or COBIT, as its typography was styled at the time.
Of course, at the time it was released, no one knew it would be just the first of several versions of COBIT. Nor did they foresee that it would undergo continuous evolution to make it ever more relevant and useful to practitioners seeking to control organizational information and the technology that processed, manipulated and stored it. Neither could anyone have anticipated the level of acceptance and use COBIT would achieve, as it was increasingly used—alone or in combination with other frameworks or in-house solutions—in governments and companies large and small worldwide.

COBIT 5: A New Framework for a New World

Since its release, COBIT 5 has been downloaded tens of thousands of times, has been widely discussed on social media, and has been prescribed for use by national governments and municipalities alike. Likewise, the impetus for use of COBIT has evolved from just supporting internal audit to a means of organizing multiple frameworks (including regulatory frameworks) and as a means for connecting overall enterprise objectives to the governance and management of IT assets.
The traditional use of COBIT has been to assist companies with their compliance and assurance needs, but those needs exist outside of just for-profit companies. For example, the government of South Africa has mandated the use of COBIT among municipalities.1 The intent is to exercise proper control over the use of scarce IT resources to ensure delivery of value to those served. Municipalities are expected to use COBIT to align their goals for the use of IT assets with the requirements of the local governments.

The impetus for use of COBIT has evolved from just supporting internal audit to a means of organizing multiple frameworks and as a means for connecting overall enterprise objectives to the governance and management of IT assets.

In May 2006, the government of Turkey mandated the use of COBIT for banks operating within Turkey.2 The Banking Regulation and Supervision Agency of Turkey (BRSA) mandated that all banks operating in Turkey must adopt COBIT’s best practices when managing IT-related processes. The result of this legal requirement has been that internal auditors and bank management have put into place resources based on the process descriptions used in COBIT. Compliance reports are now submitted to government officials to demonstrate adherence to COBIT process and practice descriptions. There have been other government mandates for the use of COBIT in Costa Rica and Nigeria.
These uses were not foreseen, but they are understandable, natural extensions of the framework. The potential for a comprehensive framework is to use it to administer resources such that greater efficiency and effectiveness are realized and value is created for stakeholders. IT resources are ubiquitous, and the potential for IT spending without clear alignment to overall strategic aims is high. That risk of misalignment is a control issue.

Fast Change, Faster Response

One area where this issue is particularly impactful is in the arena of new and emerging technologies—particularly those that have a high potential for “shadow IT” adoption (i.e., adoption without central oversight such as by IT or another organization). In many cases, an enterprise can become aware that users have begun adopting a new technology only after that technology has begun to proliferate throughout the enterprise as a whole.
When that happens, resources can be consumed in a way that does not align with enterprise requirements nor directly or indirectly progress the prioritized goals of the enterprise. This is obviously undesirable as it can divert time and attention away from those activities and investments that do tie directly to those goals and anticipated or desired outcomes. The issue is further compounded as, in many cases, senior management is unaware that this resource strain is even occurring in the first place. Cloud services is an example of this (in particular, software as a service [SaaS]), mobile technologies (whether bring your own device [BYOD] or otherwise), and social media. It does not take an extraordinary level of insight to see that these disruptive changes, when adopted without a workmanlike and disciplined approach, can bring about potential areas of risk, introduce potential inefficiencies and spark other undesirable outcomes.
COBIT already provides the means to manage technology resources no matter their origination, purpose, internal user community or other defining factors. Organizations can already adopt and apply COBIT 5 (as it exists right now) in such a way that all technology use is deployed, managed, measured, and otherwise aligned with stakeholder needs and business goals. This puts organizations in the position of being able to lessen the potential disruptive impact of new technology, better manage and control risk, and directly measure the value to the business (even of “shadow IT”) against the business value provided through the use of new technologies. Looking forward, though, a primary area of further growth for COBIT lies in the ability of the framework to provide value as the pace of change accelerates and as operational technology and traditional IT merge.

Governance

It does not take a rocket scientist or an especially astute prognosticator to be able to state a few things with confidence about where enterprise technology use is heading in light of the trends we are seeing in the marketplace already. First, we can state with confidence that a proliferation of devices will likely occur as the Internet of Things (IoT) continues to expand. Likewise, we know that certain sectors that have specialized operational technology (i.e., the clinical network of a health care provider, industrial control systems, specialized networks used for telecommunications, broadcasting or other industries that require high-speed or specialized transmission) are likely to see their existing specialized technology use continue and, in fact, become even more specialized in supporting the way that they do business tomorrow.
While the COBIT framework can be used already to address these challenges head on, there are opportunities to provide more and better guidance to practitioners about how, specifically, to do this. For example, specialized supporting artifacts and tools to build upon the COBIT framework can provide immediate value to the practitioner so they are not “reinventing the wheel” separately from enterprise to enterprise. Tools that are immediately practical to the professional in the field—such as templates to support deliverable creation and reporting; governance artifacts such as policy examples and templates; and tools that support measuring effectiveness, managing risk or other activities to support robust governance—are a necessity given the pace at which technology use evolves and the likely even more rapid pace at which it will evolve tomorrow.
These items and others that directly target an increase in the practical value of the framework to the practitioner are on the forefront of the COBIT research agenda. Just as COBIT evolved over the last 20 years to meet the changing landscape of enterprise and become a framework for systematic governance of enterprise IT (GEIT), the future will mean continued evolution to address a systematic framework for governance as “information technology” becomes just “technology”—as usage and scope expand beyond the borders of the IT department and become embedded in the fabric of the business more generally. Likewise, as the alacrity of change (and the pace of disruption that occurs as a result) continues to increase, the framework will continue to evolve to meet those needs.

Peter Tessin, CISA, CRISC, CGEIT

Is a technical research manager at ISACA where he has been project manager for COBIT 5 and has led the development of other COBIT 5-related publications, white papers and articles. He also played a central role in the design of the COBIT online web site. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, UK and Australia.

[ISACA – COBIT Focus]

Audit: A Key Success Factor

Why is it that some companies succeed and others fail? There is a general consensus certain things are common among successful companies. We call these things key success factors. Key success factors are essential attributes that are critical to an organization reaching its business goals.

There is no agreed-upon list of success factors because they vary depending on the nature of the business, among other things. Some business experts would say good, productive employees are a key success factor. Others believe keeping loyal customers is a critical factor. Still others would submit that having clear policies and procedures is how organizations succeed.

I would not disagree with any of these. However, as a Certified Information Systems Auditor (CISA)and a former IT auditor and manager, I would suggest that having an effective audit function is critical to the success of a business. The purpose of an audit is to evaluate an entity, such as a policy, process or account, to ascertain if it meets a predetermined standard or criteria.

Cybersecurity Ripe for Audits
A successful audit should identify areas of the organization needing improvement, including those that are likely to be high risk. In today’s digital environment, cybersecurity is typically top of mind for company leaders. They often know enough to be concerned, but not enough to actually address those concerns. In other words, there is no question that cybersecurity is an area of high risk for most organizations, but how they should respond to this risk is unclear.

It is the job of the IT audit function to determine how the organization should respond to risks that are specific to their operation and then evaluate whether the response is appropriate based on auditing standards and best practices. One common response to mitigate risk is to implement countermeasures, also known as controls. In those situations it is the responsibility of the auditor to evaluate the effectiveness of the controls to determine if they will indeed work.

For example, business leaders often believe that a firewall is a sufficient response to cybersecurity concerns. Some questions IT auditors will ask these situations include, What type of firewall is it? How has it been configured? How often are the rules updated? The IT auditor will also inform senior management that a firewall is only one of many controls that should be considered when responding to the threat of a cyberattack.

While the audit team should be actively involved in the tactical procedures of auditing the company, a skilled audit team that partners with the board of directors and senior management will not only identify aspects of the company that need attention, but also develop an audit plan that supports the organization’s overall strategy and act as consultants to help move the company closer to its vision. Over time, with the ongoing involvement of the audit team on the tactical and strategic levels, the organization can certainly count audit as one of its key success factors.

Note: For more on auditing cybersecurity, view this article in @ISACA.com.

Paul Phillips, Technical Research Manager, ISACA

[ISACA Now Blog]

Which Approach Is Better When Choosing a CASB? API or Proxy? How About Both?

There have been recent articles and blog posts arguing that the API approach is better than the proxy approach when it comes to selecting a cloud access security broker (CASB). The argument doesn’t really make sense at all. Both surely have their advantages and disadvantages, but each covers unique use cases and while you could certainly select a CASB that supports one versus the other, why not choose a CASB that offers both so you have the option to combine the two and address expanded use cases?

Pitting one against the other is like comparing a spoon vs. a fork. A spoon was designed to hold softer food in addition to liquid so you can place it in your mouth and eat a meal. Spoons come in various sizes depending on the application. In a similar fashion, an API deployment method is primarily focused on a set of specific use cases that includes being able to inspect content in sanctioned cloud apps and support for out-of-band policies such as restrict access, revoke shares, quarantine, and encrypt.

A fork on the other hand, was designed primarily to grab and hold solid foods for eating. That is a job that the spoon cannot do.  In a similar fashion, a proxy deployment method is primarily focused on a specific set of use cases around providing real-time visibility and control over cloud traffic and depending on the type of proxy, you can cover both sanctioned and unsanctioned cloud apps in real-time.  Real-time and covering unsanctioned cloud apps is not possible with an API deployment method.  In addition to use cases, there is the comparison of effort to deploy and use. You can argue that a fork requires a bit more care versus a spoon. You might not give that fork to a toddler for example, but a spoon would be less risky with trade-off of course that they might have a hard time eating their vegetables with that spoon. Similarly, a proxy requires and inline deployment and a forward-proxy specifically requires extra configuration and care.  The effort can be worth it given the use cases.

Let’s get back to my original argument that why choose one versus the other?  Choose a CASB that covers both an API method of deployment and multiple proxy methods of deployment.  You can choose only one or combine them to expand your use case coverage.  Should we start calling API + Proxy a spork?

Here is a table that compares use case coverage for API vs Proxy to help you make the decision which one to choose or perhaps choose both.

Bob Gilbert, Vice President/Product Marketing, Netskope

[Cloud Security Alliance Blog]

VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick

The Hancitor downloader has been relatively quiet since a major campaign back in June 2016. But over the past week, while performing research using Palo Alto Networks AutoFocus, we noticed a large uptick in the delivery of the Hancitor malware family as they shifted away from H1N1 to distribute Pony and Vawtrak executables. In parallel, we received reports from other firms and security researchers seeing similar activity, which pushed us to look into this further.

Figure 1 AutoFocus view of new sessions of Hancitor since July 2016

The delivery method for these documents remained consistent to other common malicious e-mail campaigns. Lures contained subjects related to recent invoices, or other matters requiring the victim’s attention, such as an overdue bill. These lures were expected, until we started digging into the actual documents attached and saw an interesting method within the Visual Basic (VB) macros in the attached documents used for dropping the malware.

This blog will review in detail the dropping technique, which isn’t technically new, but this was the first time we’ve seen it used in this way. The end goal is to identify where the binary was embedded, but we’ll cover the macro and the embedded shellcode throughout this post.

The Word Document

For this section, we’ll be looking at the file with a SHA256 hash of  ‘03aef51be133425a0e5978ab2529890854ecf1b98a7cf8289c142a62de7acd1a’, which is a typical MS Office OLE2 Word Document with your standard ploy to ‘Enable Content’ and run the malicious macro.

Figure 2 The ploy used by the malicious document

Opening the Visual Basic editor up, we can see two forms and a module for this particular sample.

Figure 3 VBProject components

The Malicious Macro

Visual Basic can directly execute Microsoft Windows API calls, which allows it perform a number of interesting functions —  exactly what this VB code is doing.

Figure 4 Microsoft Windows API calls within VB code

As we can see, the macro includes logic to determine the architecture of the system it’s running on and has the ability to execute correctly on either 32-bit or 64-bit platforms. The primary calls of interest for us will be VirtualAlloc(), RtlMoveMemory(), and CallWindowProcA().

When we originally started looking at this sample, we were mainly interested in where the payload was being stored, so we began debugging the macro to understand how it functions. The payload in question is base64-encoded and embedded within a form in the VBProject as a value of the ‘Text’ field on the ‘choline’ TextBox.

As a side note, what is really interesting is that the authors went through the trouble to actually write their own base64 decoder purely in VB. We’ll leave that as an exercise for the reader to dig into that but it’s a good overview of how base-N encoding works; the entire ‘maria’ module within this macro is the base64 decoder.

The macro base64 decodes the payload into a local byte-array and then we come to our first API call, VirtualAlloc().

Figure 5 Memory page being allocated

The call commits specific pages of memory with read, write, and executable (RWX) permissions at 0x59B0000.

Figure 6 New memory page with RWX permissions

Afterwards, the VB macro continues to setup the next call to RtlMoveMemory and then calls it with the location of the memory from the previous call and our base64 decoded byte array.

Figure 7 Base64-decoded byte array

We can quickly validate by dumping that region of memory in our WINWORD.EXE process and comparing transferred bytes.

Figure 8 Confirming bytes match from dumped memory

Now that our code has been copied to in executable memory, the macro sets up the last API call for CallWindowProcA(). The first value supplied to this call is our memory offset +2214, which is a function pointer within this code, and the second is a string of the path to our file for a handle. These actions redirect code execution to shellcode.

Figure 9 Passing execution to the shellcode

The Shellcode

If we attach to WINWORD.EXE and break on the offset of our memory location +2214 (0x8A6), the entry point of the shellcode, we can validate program execution shifts to this code path.

Figure 10 Validating shellcode is executing

From here, the shellcode gets the address for LdrLoadDLL() function, which is similar to LoadLibraryEx(), by enumerating the Process Environment Block (PEB) and then begins to hunt for the functions it will use within kernel32.dll.

The values for the functions it’s looking for, along with other values, are embedded into the shellcode and built on the stack for later usage.

Figure 11 Embedded data in shellcode

Following these sets of encoded names, we can see the shellcode is interested in the following syscalls: CloseHandle(), ReadFile(), GetFileSize(), VirtualFree(), VirtualAlloc(), and CreateFileA(). For each API call, it looks up the address of the function and stores it on the stack.

Next, the shellcode calls CreateFileA() on the Word document and receives a handle back, which it passes to GetFileSize() for the file size, that is then subsequently passed to VirtualAlloc() to create a section of memory for the file contents (0x2270000). Finally, it reads in the file to that memory location and closes the handle.

Figure 12 Egg hunting by the shellcode

Once it has the copy loaded into memory, it begins a process of hunting through memory for the magic bytes 0x504F4C41, which we can see is located at 0x022836F3 in our new memory page.


Figure 13 Egg located

Now that we’ve found what’s likely to be our binary, the last step is to just decode it. Looking at the shellcode, we can see that it will add 0x3 to each byte starting at 0x22836FF, in our example, and then XOR it by 0x13, as shown below.

Figure 14 XOR decrypting

Once the counter reaches 0x13AAC (80556), it begins a series of sub-routines to manipulate each byte and decrypt the binary. If we set a breakpoint after the decryption routine and check our memory location, we can see that the binary is decoded and can now be dumped for further analysis. The MZ and PE headers can be seen in the following dumped memory.

Figure 15 Decoded binary

For this particular campaign run with this dropper, it places the binary in the %TMP% directory before launching it, which then ends up writing itself to ‘%SYSTEMROOT%/system32/WinHost.exe’.

At this point, the Hancitor downloader has been fully loaded on the victim’s machine, where it will proceed to perform additional malicious activities.

Conclusion

Macro-based techniques are quite common, but the technique being used here with the macro dropper is an interesting variation. From the encoded shellcode within the macro and using native API calls within VB code to pass execution to carving out and decrypting the embedded malware from the Word document, it’s a new use of Hancitor that we’ll be following closely. .

Palo Alto Networks customers are protected from the dropper detailed throughout this blog and its contained Hancitor payload. You can continue to track this threat through the AutoFocus Hancitor tag. Additionally, all Hancitor downloader samples are identified as malicious in WildFire. Domains used by Hancitor are also categorized as malicious.

Acknowledgements

For more analysis of the Hancitor payload, please see this write-up by Minerva Labs.

Indicators of Compromise

Below are some of the most common observed e-mail subjects and file names seen in the latest campaign this week from over 380,000 sessions. Patterns substituted with regex or representation.

Email Subjects

<domain> invoice for <month>

levi.com invoice for august

<domain> bill
<domain> deal
<domain> receipt
<domain> contract
<domain> invoice

metlife.com bill
metlife.com deal
metlife.com receipt
metlife.com contract
metlife.com invoice

File Names

artifact[0-9]{9}.doc
bcbsde.com_contract.doc
contract_[0-9]{6}.doc
generic.doc
price_list.doc_[0-9]{6}.doc
report_[0-9]{6}.doc

In addition, we observed these C2 calls out during analysis, which can be detected at your perimeter by the use of ‘/(sl|zaopy)/gate.php’.

hxxp://betsuriin[.]com/sl/gate.php
hxxp://callereb[.]com/zapoy/gate.php
hxxp://evengsosandpa[.]ru/ls/gate.php
hxxp://felingdoar[.]ru/sl/gate.php
hxxp://gmailsign[.]info/plasma/gate.php
hxxp://hecksafaor[.]com/zapoy/gate.php
hxxp://heheckbitont[.]ru/sl/gate.php
hxxp://hianingherla[.]com/sl/gate.php
hxxp://hihimbety[.]ru/sl/gate.php
hxxp://meketusebet[.]ru/sl/gate.php
hxxp://mianingrabted[.]ru/zapoy/gate.php
hxxp://moatleftbet[.]com/sl/gate.php
hxxp://mopejusron[.]ru/sl/gate.php
hxxp://muchcocaugh[.]com/sl/gate.php
hxxp://ningtoparec[.]ru/sl/gate.php
hxxp://nodosandar[.]com/ls/gate.php
hxxp://nodosandar[.]com/zapoy/gate.php
hxxp://ritbeugin[.]ru/ls/gate.php
hxxp://rutithegde[.]ru/sl/gate.php
hxxp://surofonot[.]ru/sl/gate.php
hxxp://uldintoldhin[.]com/sl/gate.php
hxxp://unjustotor[.]com/sl/gate.php
hxxp://wassuseidund[.]ru/sl/gate.php

The below Yara rule can be used to detect this particular dropper and technique described throughout this blog.

[Palo Alto Networks Research Center]

English
Exit mobile version