One of the cheapest and easiest ways for an attacker to get into to your network is through users accessing the Internet. By successfully exploiting an endpoint, an attacker can take hold in your network and begin to move laterally toward an end goal, whether that is to steal your source code, exfiltrate your customer data, or take down your infrastructure. To protect your network from cyberattacks and improve your overall security posture, implement a Best Practice Internet Gateway Security Policy.
A best practice Internet gateway security policy has two main security goals:
Minimize the chance of a successful intrusion—Unlike legacy port-based security policies that either block everything in the interest of network security, or enable everything in the interest of your business, a best practice security policy leverages App-ID™, User-ID™, and Content-ID™ to ensure safe enablement of applications across all ports, for all users, all the time, while simultaneously scanning all traffic for both known and unknown threats.
Identify the presence of an attacker—A best practice Internet gateway security policy provides built-in mechanisms to help you identify gaps in the rulebase and detect alarming activity and potential threats on your network.
These best practices work because they employ methodologies (shown in the infographic below) that help you reduce your attack surface and enable detection and prevention of both known and unknown threats at all stages of the attack lifecycle.
Remember, security doesn’t come in a box. When deciding whether to implement a best practice Internet gateway security policy, answer the following questions: Are you using an application-based security policy? Blocking dangerous URLs and file types? Scanning for known and unknown threats? Decrypting traffic? If you answered no to any of these questions, you have room to improve your security posture. Get started now.
We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.
The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.
Infrastructure
The pisloader malware family was delivered via HTTP from the following URL. At the time of writing, this URL was still active.
This particular file has the following metadata properties. The references to ‘pisload2’ led to the naming of this malware family.
Figure 1 pisloader dropper metadata
The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample. The following decompiled code demonstrates this. Comments have been added to show the fully-generated strings.
Figure 2 pisloader dropper building strings and setting persistence
In the above decompiled code, we see that the pisloader is generating the following string, which eventually is called to set the Run registry key.
This particular command will set the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsm registry key with a value of “%appdata%\lsm.exe”. After this key is set, the malware proceeds to decrypt a two blobs of data with a single-byte XOR key of 0x54. The resulting data is written to the %appdata%\lsm.exe file path.
After this file is written, the malware executes the newly written lsm.exe file, which contains the pisloader payload.
Payload
The following sample was discovered and is referenced in the subsequent analysis:
The payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of garbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other than to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of the function is highlighted in green, where two function offsets are pushed to the stack, followed by a return instruction. This return instruction will point code execution first at the null function, which in turn will point code execution to the ‘next_function’. This technique is used throughout the runtime of the payload, making static analysis difficult.
Figure 3 Obfuscated code witnessed in pisloader
The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record.
The use of DNS as a C2 protocol has historically not been widely adopted by malware authors. Notable exceptions include the following:
The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.
Figure 4 DNS query for TXT record by malware
The pisloader sample will send a beacon periodically that is composed of a random 4-byte uppercase string that is used as the payload. An example of this can be found below:
Figure 5 pisloader DNS beacon request
The malware expects various aspects of the DNS responses to be set in a specific way, or else pisloader will ignore the DNS reply. The following DNS flags must be set. Should any additional flags be set, the response will be ignored.
Response
Recursion Desired
Recursion Available
The ‘Questions’ field must be set to a value of 0x1. The ‘Answer Resource Records’ field must be set to a value of 0x1. Additionally, the response query subdomain must match the original DNS request.
The remote command and control (C2) server is statically embedded within the malware. A single host of ‘ns1.logitech-usa[.]com’ is found in this specific sample.
The C2 server will respond with a TXT record that is encoded similar to the initial request. In the response, the first byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.
Figure 6 Example TXT response by C2 server
The following commands, and their descriptions are supported by the malware:
sifo – Collect victim system information
drive – List drives on victim machine
list – List file information for provided directory
upload – Upload a file to the victim machine
open – Spawn a command shell
Some examples of these commands being used can be seen below. A mock DNS server was used to generate the commands and receive the resulting data.
Example sending the ‘drive’ command:
1
2
3
[+]Sending Command:drive|Encoded:CMRZGS5TF
[+]Raw Data Received:UMAVMGAGD0IE5FY7CDHJOHYRB2LR6A
[+]Decoded Data Received:A:\|C:\|D:\|
Example sending the ‘open’ command:
1
2
3
4
5
6
7
8
9
10
11
[+]Sending Command:open|Encoded:CN5YGK3Q
[+]Raw Data Received:ULCBMGAGCAJVUWG4TPONXWM5BAK5UW4ZDPO5ZSAW2WMVZHG2LP
[+]Raw Data Received:ATABMGAGCBNYQDMLRRFY3TMMBRLUGQUQ3POB4XE2LHNB2CAKDD
[+]Raw Data Received:HTPDMGAGCCFEQDEMBQHEQE22LDOJXXG33GOQQEG33SOBXXEYLU
[+]Raw Data Received:BNJWMGAGCDNFXW4LRAEBAWY3BAOJUWO2DUOMQHEZLTMVZHMZLE
[+]Raw Data Received:UARCMGAGCEFYGQUDIKIM5FYVLTMVZHGXCKN5ZWQICHOJ2W46TX
[+]Raw Data Received:UJRAMGAGC0MVUWOXCEMVZWW5DPOA7A
[+]Decoded Data Received:Microsoft Windows[Version6.1.7601]
Copyright(c)2009Microsoft Corporation.All rights reserved.
C:\Users\Josh Grunzweig\Desktop>
Example sending the ‘sifo’ command:
1
2
3
4
5
[+]Sending Command:sifo|Encoded:CONUWM3Y
[+]Raw Data Received:FUBWMGAGIANQ6TCNZSFYYTMLRRFYYTKMZGMM6VOSKOFVGEUTCW
[+]Raw Data Received:PGHRMGAGIBGJHEWSKPJNICAW2KN5ZWQICHOJ2W46TXMVUWOXJG
[+]Raw Data Received:MMAZMGAGI0N46TMLBRFQZTE
[+]Decoded Data Received:l=172.16.1.153&c=WIN–LJLV2NKIOKP[Josh Grunzweig]&o=6,1,32
Example listing the contents of the C:\ drive:
1
2
3
4
5
6
7
8
9
10
[+]Sending Command:listC:\|Encoded:CNRUXG5BAIM5FY
[+]Raw Data Received:QKTUMGAGLAGB6CIUTFMN4WG3DFFZBGS3T4GIYDCNJPGAZS6MRW
[+]Raw Data Received:EKNPMGAGL0EAYTIORUGA5DKN34GB6DEMS6
[+]Raw Data Received:RKMAMGAGLAGF6GC5LUN5SXQZLDFZRGC5D4GIYDAOJPGA3C6MJQ
[+]Raw Data Received:NMSIMGAGL0EAZDCORUGI5DEMD4GI2HYMZSLY
[+]Raw Data Received:OHRWMGAGLAGB6EE33POR6DEMBRGUXTAMZPGI3CAMJWHIZDIORQ
[+]Raw Data Received:DPDUMGAGL0GJ6DA7BSGJPA
[+]Raw Data Received:WIKGMGAGLAGF6GE33PORWWO4T4GIYDCNBPGA3C6MRYEAYDAORS
*Truncated*
[+]Decoded Data Received:0|$Recycle.Bin|2015/03/2614:40:57|0|22^1|autoexec.bat|2009/06/1021:42:20|24|32^0|Boot|2015/03/2616:24:02|0|22^1|bootmgr|2014/06/2800:21:34|391640|39^1|BOOTSECT.BAK|2015/03/2616:35:39|8192|39^1|config.sys|2009/06/1021:42:20|10|32^0|Documents andSettings|2009/07/1404:53:55|0|9238^1|Example.log|2016/02/0920:17:55|0|32^1|pagefile.sys|2016/04/2514:09:20|1660411904|38^0|PerfLogs|2009/07/1402:37:05|0|16^0|Program Files|2016/02/2915:59:43|0|17^0|ProgramData|2016/02/0217:28:04|0|8210^0|Python27|2016/02/2516:39:37|0|16^0|Recovery|2015/03/2614:39:57|0|8214^0|System Volume Information|2016/02/2916:00:19|0|22^0|Users|2015/03/2614:39:58|0|17^0|Windows|2016/02/1210:20:21|0|16^^end^
The sifo command above uses the printf format string of ‘l=%s&c=%s&o=%s’. This is consistent with previous versions of HTTPBrowser, which is another malware family frequently used by the Wekby group.
Additionally, a number of commands themselves, such as the ‘list’, ‘drive’, and ‘upload’ commands are consistent with HTTPBrowser. The formatted responses from these commands are also identical. A known HTTPBrowser sample was spotted with similar metadata as the discussed pisloader sample, which adds further credibility that pisloader is likely a variant of this malware family.
Additionally, the code used to generate these commands is available via GitHub.
Conclusion
The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.
Palo Alto Networks customers are protected against this threat in the following ways:
WildFire correctly identifies all pisloader samples as malicious
The Cloud Security Alliance has opened the call for papers for the 2016 CSA EMEA Congress, to be held November 15 at the Circulo de Bellas Artes in Madrid, Spain. CSA EMEA Congress is Europe’s premier cloud security event and is designed around the CSA’s core mission of promoting the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing.
The call for papers closes on August 1, and speakers will be notified by September 1.
The following topics are of key interest: Current and emerging trends
Containerization and micro service security
Software Defined Perimeter (SDP)
Blockchain
Cloud-enabled vs Cloud-centric application
Multi-actor authentication
Cloud-based solutions for Small and Medium Enterprises (SMEs)
Threat landscape for cloud computing
IoT and Cloud, e.g Cloud and smart cities, smart transport.
Big Data security
Privacy in the Cloud
The impact of the European General Data Protection Regulations
How to manage legal and security compliance in a multi national environment
Cyber Security Laws and Regulation in Europe
The impact of the right to be forgotten in the cloud
Privacy and Security by design
Encryption solutions and trends
Risk Management, Certification and standards for the cloud
The role of standards within organisations
Case studies on the adoption of cloud certification
How manage Governance Risk and Compliance in the Cloud
Risk Profiling
Security and Privacy Service Level Agreements
Cloud Security Automation: how to develop and implement framework for automated risk calculation and response.
SaaS Governance
Incident Management in the Cloud
Incident Information Sharing
Leveraging Big Data for Threat intelligence in the Cloud
Cloud Forensics
SIEM in the Cloud
Cloud Security Gateways vs SIEM
Privacy Breaches Reporting
Reporting Security Breaches: the state of art in Europe
Cloud Disaster Recovery
Cloud Computing in critical sectors
Finance sector
ehealth
eGovernement
Energy
Transport
General guidelines
Proposals cutting across the above topics are also encouraged.
Proposals, presentations, panels, or sessions must be in English and should provide a learning opportunity for the conference attendees.
In case a proposal is accepted, the author (or one of the authors) must attend
Proposals that focus on marketing or promoting a product or service will not be considered.
Proposals from marketing or PR professionals (external or internal) will not be considered.
For general inquiries and speaking opportunities, please contact pr@cloudsecurityalliance.org.
For sponsorship enquiries, please contact marketing@cloudsecurityalliance.org.
For media credentials, please contact kari@zagcommunications.com.
In a large organization, leaders create a vision and strategy for the business and employees work to achieve the vision. At the business unit level in information technology, CIOs, CSOs and CISOs define their strategies while other IT decision makers work to implement it. The key to success is a team working in unison with effective strategies and KPI’s. But this might be a case of “theory vs practice.”
When we surveyed 400 IT decision makers (ITDMs) for our 2016 Datastrophe Study, we discovered that CISOs, CIOs and other IT decision makers often diverge in the real world in terms of everyday data security implementation and addressing real-world issues such as BYOD policy administration, reputation management and insider threats. That’s the scary reality of the unseen divide: when the people who are meant to protect the enterprise do not agree, then the CXO’s need to step up and lead.
The Datastrophe Study reveals several specific drivers contributing to the disconnect between C-level and other IT decision makers and ways in which businesses can bridge the gap.
Image issues Data breaches are hitting organizations left, right and center, and there is little doubt that brands’ reputations are at stake. CISOs, with their executive hats on, spend their time on risk mitigation: more than half of CISO/CIOs (53%) say their ability to protect corporate and customer data is vital to their company’s brand and reputation. However, only two fifths (43%) of ITDMs share that focus.
While the Datastrophe Study reveals a 10% difference between leaders and decision makers, when it comes to sensitive data, even a little complacency can lead to security failures. This may be an issue of operational efficiencies being developed without using a secure framework. Data security needs to be part of the design starting with strategy at the CXO (horizontal) level and vertically with tactical execution.
In order to ensure that risk and the potential of reputational damage is reasonably mitigated, C-level and ITDMs need to work in concert. ITDMs have the clearest view of incumbent systems and employee behaviors—and should not be afraid to speak up. Equally, C-level executives need to take this information on board, if not back to the Board, in order to help ITDMs fulfill the vision of building a secure enterprise.
The insider threat is very real All security professionals will agree that the insider threat is a reality in any business. But it seems that CISOs, CIOs and other ITDMs have not aligned on the scope and magnitude of the threat or the threat vectors. Sixty-four percent of CISOs and CIOs believe that insider data security threats will increase in the next twelve months. Only 50% of other ITDMs agree with them.
Is the view from the top—with a focus on protecting the organization and brand—skewing reality? Or, with the day-to-day liaison between ITDMs and employees, could it simply be that ITDMs lack the proactive (instead of traditional detective) tools required to provide real-time situational awareness? Even so, if they haven’t aligned on the threat vectors, the probability is very high that ITDM’s aren’t aligned on what to measure or monitor. There is, today, a potential tendency for both parties to underestimate threats. A study by Forrester reported that 70% of data breaches could be traced to employee negligence. In order to overcome the insider threat, the C-level and all other ITDMs have to agree on the best strategic course forward. More importantly, both parties need to engage employees and help to educate them on behaviors that could lead to data breach. For example, C-level execs could use a workshop format to explain to employees the costs and damages caused by employee negligence, while ITDMs can provide practical tips and examples of how to actively avoid behaviors that put data at risk.
Anomaly at the endpoint In an increasingly mobile workplace, BYOD is a key driver for adoption of policies to manage employee-owned devices connected to organizational networks. But things are never as simple as they seem. Among the normally skeptical CISO/CIOs, 87% believe their companies have clearly defined BYOD policies in place. Meanwhile, only 65% of ITDMs say their organizations have defined BYOD policies. To add more contention to the mix, 67% of knowledge workers (employees who think for a living and engage with mobile devices daily), believe their companies have no apparent BYOD policies.
This disconnect is a major cause for concern: CISOs/CIOs believe that 47% of corporate data is held on endpoint devices, as opposed to the more moderate estimation of 43% by other ITDMs. It’s clear that C-level and ITDMs need to work collaboratively to clarify, communicate and implement well-defined BYOD policies.
Ultimately
The simple solution to bridging the gap? Better communication. CISO/CIOs need to talk to their teams and their teams need to talk back. Better alignment and integration between the vision and the reality will go a long way to building more secure enterprises.
Businesses of various sizes are extremely worried about information security. On a daily basis, we hear news of banks and financial institutions losing customer records, confidential information and money due to cyberattacks. Cyberattacks have increased exponentially over the last 5 years, and attack methods are becoming more sophisticated each day. On average, enterprises take about 100 days to identify an attack. It takes even more time to investigate, plug the gaps and prevent similar incidents. The goal of my recent Journal article is to help enterprises and security leaders realign the strategy of their information security teams by empowering the chief information officer (CIO) and the chief information security officer (CISO).
Effective strategies by information security drivers, such as the CIO and CISO, can fine-tune information security and the compliance needs of an organization. Many industries have invested heavily in order to meet regulatory requirements, but being compliant and being secure are 2 different things. Many compliant enterprises have been breached.
Information security needs to be a priority at the board level. CEOs should take active roles in promoting information security, as most valuable information is stored electronically, all systems and databases are online, and mobile transactions occur every minute.
CIOs’ and CISOs’ priority is to identify where sensitive information resides and how can it be protected effectively at the lowest possible cost. The security team, guided by the CISO, should approach problems in a consulting mode to solve security-related challenges in the best way for the business. Outsourcing security operations is still one of the easiest options to reduce cost and reduce risk. These decisions should always be undertaken consciously, evaluating the risk and fallback options.
Information security teams are the walls of every enterprise. An empowered CIO and CISO can create a cost effective, consistent security culture across the enterprise with the right strategies.