It’s National Volunteer Week in the US. ISACA, however, is global in its reach, as is our corps of dedicated volunteers, and I want us to honor them all. So, I am choosing to declare this period as “ISACA Volunteer Appreciation Week.” In this spirit, I ask you, members of our professional community worldwide, to join me in thanking our organization’s over 4,000 members who provide us with their generous gifts of time and expertise to support advancing ISACA’s purpose to help realize the positive potential of technology.
Here, in their own words, are a few examples of volunteers’ contributions, and their motivations to give back to ISACA and our profession:
Hari Chede, president of the UAE chapter, speaks proudly of his impact on members’ career development and of skills he’s gained through his volunteer work conducting CISA and CISM review classes: “If you have a passion in assurance fields and you want to grow in that field, apart from having different assurance certifications and education, being a volunteer at ISACA can accelerate your career by learning various skills (event management, time management, project management, accounting and public speaking) and keeping you engaged with successful people in the assurance fields.”
Joe Cai helps position ISACA to expand its global impact by volunteering as a translator as a member of the CISA Certification Working Group: “I find ISACA is paying more and more attention to the market in China. ISACA is providing many Chinese Simplified materials to break the language barriers and engaging with the local community, both of which require lots of local volunteers. With their help, we can build a good ISACA ecosystem, gathering more and more IT control, security, risk and governance professionals in China. Participating also affords volunteers many benefits like building relationships with industry peers, acquiring more IT control and cyber security trend information and knowledge within China as well as ISACA global, and meeting other ISACA members from all over the world.”
Jo Stewart-Rattray serves as volunteer chair of ISACA’s Women’s Leadership Council which has developed and launched the Connecting Women Leaders in Technology program to address urgent challenges of women in the technology workforce: “Together with my HQ colleagues, we have brought together a group of influential women from across the world to build the resilience and confidence of our women leaders to seek the career they want and to provide the knowledge assets and connections that can guide them along the way. ‘Connecting Women Leaders in Technology’ is in response to a great want and need for such initiatives from our constituency base. Without women in the workforce, we simply won’t have the resources to continue to fuel the job economy and innovation.”
In 1969, it was a small group of volunteers in Los Angeles who had the foresight to see the need for our work as a result of companies investing in technology capability to support financial and business operations. They established the EDPAA, and sowed the seeds of opportunity that led to our current day ISACA. As we approach our 50th anniversary, volunteering has always been at the foundation of ISACA’s evolution. Increasing this engagement will be a hallmark of how we write the next 50 years of ISACA’s history.
On behalf of the entire ISACA family, we thank our chapter leaders who work tirelessly to increase ISACA’s visibility, influence and impact locally. We thank those who contribute to keeping our certifications and continuing education relevant in a constantly changing workplace as a result of a rapidly changing technology landscape and an increasingly complex legal, regulatory and compliance environment. We extend our gratitude to those volunteers committed to advocating for and strengthening our professions, creating opportunities for career growth and, perhaps most importantly, helping all of us to share the value of what we do to enable the organizations for which we work.
In a world where time is our most precious commodity, your willingness to give back inspires us all, especially knowing that you do so above and beyond your many other professional and personal responsibilities.
On April 11th 2017, we saw a new malicious spam campaign using United States Postal Service (USPS)-themed emails with links that redirected to fake Microsoft Word online sites. These fake Word sites asked victims to install malware disguised as a Microsoft Office plugin.
This campaign introduced a new ransomware called Mole, because names for any encrypted files by this ransomware end with .MOLE. Mole appears to be part of the CryptoMix family of ransomware since it shares many characteristics with the Revenge and CryptoShield variants of CryptoMix.
The campaign quickly changed tactics and increased complexity.
After two days on April 13, 2017, the attackers behind these fake office plugins changed the format and began including additional malware. Along with Mole ransomware, victims would be infected with both Kovter and Miuref. Then, on the following day, April 14, 2017, the attackers stopped using a redirect link in the malicious spam and instead linked directly to a fake Word online site. Figure 1 shows the attackers’ changing tactics from Tuesday April 11, 2017 through Friday April 14, 2017.
Figure 1: Changing tactics April 11 – April 14, 2017
April 11th – Introducing Mole Ransomware
From Tuesday April 11th to the early hours of Wednesday April 12th, the fake Word Online used Google Docs links to provide Mole ransomware disguised as an Office plugin. Criminals behind this campaign abused Google Docs to provide a link for an executable file. File names were plug-in.exe or plugin.exe. Figure 2 shows how these fake Microsoft Word Online documents would attempt to lure users into downloading the Mole ransomware.
Figure 2: Fake Microsoft Word Online site with link to a Google Documents URL with the ransomware.
After downloading the executable, the infection chain is straight-forward. The victim executes the ransomware and infects his or her Windows computer. The mechanics behind a Mole ransomware infection have already been covered at the Internet Storm Center (ISC) and Bleeping Computer. Figure 3 shows the April 12 Mole ransomware in action.
Figure 3: Desktop of a Windows host infected with Mole ransomware on April 12th
April 13th – Introducing .js Files and Additional Malware
By Thursday April 13, 2017, this campaign changed tactics. The fake Microsoft Word Online sites no longer used a Google Docs URL to provide their malware. Instead, the malware was sent as a zip archive directly from the compromised site being used as a fake Microsoft Word Online page. The zip archives contained JavaScript (.js) files designed to infect Windows computers with Mole ransomware and additional malware.
The Figures 4 and 5 below illustrate the newer format used for malware infections by this campaign, where the new file is a zip archive named plugin.zip that contains a .js-based downloader named plugin.js.
Figure 4: Fake Microsoft Word Online site later on April 13th with link to a zip archive instead of an executable
Figure 5: The zip archive contains a .js file
The plugin.js is a type of file downloader commonly called a Nemucod. This .js file downloads and installs three Windows executable files named exe1.exe, exe2.exe, and exe3.exe as shown below in Figure 6.
Figure 6: Plugin.js installing 3 items of malware as shown in a reverse.it analysis
Network traffic generated by this infection is similar to Nemucod downloaders we have seen from other campaigns. In Figure 7 below, you can see URLs for exe1.exe, exe2.exe, and exe3.exe from forum-turism.org.ro.
Figure 7: Traffic from an infection filtered in Wireshark
The three items of follow-up malware are named exe1.exe, exe2.exe, and exe3.exe. In the early days of this campaign, they have been Mole ransomware, Kovter, and Miuref, respectively.
The Emails
Figure 8: An example of the malicious spam from Thursday April 13th
Emails from this campaign follow the same format as originally reported from Tuesday April 11, 2017. Figure 8 above shows an example email. They have a variety of subject lines, spoofed sending email addresses, and message text. Through Thursday April 13, 2017, the URLs were different for each message. By Friday April 14th, these emails were linking directly to the fake Microsoft Word Online pages, so the URLs for that day were the same.
Conclusion
Most large-scale malicious spam campaigns tend to stick with operating patterns that are much easier to identify and track. This particular campaign has evolved more quickly than we usually see. Such changing tactics are likely a way to avoid detection.
And this campaign continues to evolve. By Tuesday April 18, 2017, it stopped distributing Mole ransomware, and it began pushing the KINS banking Trojan with Kovter and Miuref. By Friday April 21, 2017, this campaign moved from USPS-themed emails to messages about speeding tickets, and it began utilizing a fake parking services website.
Why did we stop seeing Mole ransomware? Because families of ransomware are constantly changing. CryptoMix variants like Mole rarely stay around for more than a few weeks before being repackaged and distributed as a new variant. The samples of Mole ransomware we have identified so far are tagged in AutoFocus using the MoleRansomware tag.
We will continue to investigate this activity for applicable indicators to inform the community and further enhance our threat prevention platform.
Indicators from this campaign
Subject lines:
ATTENTION REQUIRED: INFO ON YOUR IMPENDING REFUND
ATTENTION REQUIRED: INFORMATION ON YOUR LATEST REFUND
ATTENTION REQUIRED: you are legally obliged to review the status of your shipment
AUTOMATED letter: refund information
AUTOMATED notice in regards to your item’s status
AUTOMATED notification: refund information
AUTOMATED notification: refund information
AUTOMATED USPS notification: your shipment has been postponed
AUTOMATED USPS OFFICIAL LETTER CONCERNING YOUR SHIPMENT
AUTOMATED USPS statement: your package has been delayed
AUTOMATIC letter: moneyback information
AUTOMATIC notice concerning your package’s location
AUTOMATIC notice: refund information
AUTOMATIC notification in regards to your package’s status
AUTOMATIC notification regarding your order’s location
IMMEDIATE ATTENTION NEEDED: your parcel’s been delayed
IMMEDIATE ATTENTION REQUIRED: your parcel’s been delayed
IMPORTANT USPS customer support letter
IMPORTANT USPS REFUND INFO
IMPORTANT USPS REFUND INFORMATION
IMPORTANT USPS system notice
Major problems reported to the USPS support team
Major trouble reported to the USPS customer support
Official letter from USPS support team
Official letter in regards to your parcel
Official notice from USPS support team
Official notification concerning your package
Official notification from USPS
Official notification from USPS customer support team
OFFICIAL USPS MONEYBACK INFO REGARDING YOUR ITEM
OFFICIAL USPS MONEYBACK INFORMATION
Official USPS notification concerning your package
PROMPT ACTION NEEDED: your order’s been delayed
PROMPT ATTENTION NEEDED: your item’s been delayed
There has been an issue with your package
There’s been an issue with your package
URGENT USPS customer support letter
URGENT USPS customer support notification
URGENT USPS MONEYBACK INFORMATION REGARDING YOUR ITEM
URGENT: notice of postponement of your order
USPS CLIENT IMPORANT NEW DETAILS REGARDING YOUR PACKAGE
USPS CLIENT IMPORANT NEW INFORMATION REGARDING YOUR ITEM
USPS customer support notification: your order has been postponed
USPS OFFICIAL LETTER regarding your parcel
USPS official letter: big problems with your shipment
USPS official letter: serious issues with your order
USPS official letter: serious problems with your shipment
USPS official notice: serious trouble with your parcel
USPS official notification: serious issues with your package
USPS system notice: your package has been delayed
USPS system notification: your package has been delayed
USPS URGENT LETTER concerning your item
USPS USER URGENT NEW INFO IN REGARDS TO YOUR PARCEL
WARNING: DETAILS ON YOUR IMPENDING REFUND
WARNING: INFORMATION ON YOUR LATEST REFUND
WARNING: ISSUES WITH YOUR SHIPMENT
WARNING: PROBLEMS WITH YOUR PACKAGE
WARNING: TROUBLE WITH YOUR ITEM
WARNING: TROUBLE WITH YOUR SHIPMENT
WARNING: you are legally obliged to check the status of your order
Spoofed sending addresses (not from the actual domains listed):
Information technology (IT) administrators have been quick to adopt new security solutions, but operational technology (OT) administrators are forced to proceed cautiously, in order to prevent compromising process performance or unwanted downtime. These concerns can result in deliberately leaving software unpatched, antivirus (AV) signatures outdated, technologies disjointed, or security solutions left out entirely.
Even organizations that can successfully deploy fully updated antivirus solutions on fully patched systems still find themselves struggling to prevent advanced attacks. The lack of protection against new attacks, impacted system performance, and high rates of false positives leave these organizations vulnerable, often to sophisticated, never-before-seen attacks.
Organizations can no longer rely on fragmented legacy solutions or point solutions to defend critical infrastructure. The result is a dire need for improved security in ICS/SCADA environments – security that can prevent advanced attacks effectively without impacting system performance and can communicate across the environment.
Palo Alto Networks Traps advanced endpoint protection combines multiple layers of prevention to protect endpoints before they are compromised.
Traps integration with WildFire cloud-based threat analysis service allows for automated prevention against known malware; local analysis via machine learning enables the automatic prevention of unknown malware and prevents a wide variety of exploit techniques, whether a machine is offline or online, on-premise or off; and cloud-based threat analytics permits rapid detection and automated prevention of unknown threats.
With trusted publisher execution restrictions, executables that are signed by trusted publishers are quickly identified as “unknown good.”
Flexibility to customize systems exposure with policies that restrict specific execution scenarios can control what is or is not allowed to run based on the executable files hash, eliminating unnecessary analysis and minimizing the security footprint.
Malicious process control prevents the launch of applications that can be used for malicious purposes.
As part of the Palo Alto Networks Next-Generation Security Platform, Traps enables bi-directional information-sharing to deliver consistent protections across the organization’s endpoints, data centers, firewalls, public and private clouds and SaaS environments.
Learn More about Traps advanced endpoint protection:
Author’s note:This post was inspired by the discussions among CISOs attending ISACA’s 2016 CISO Forums, plus additional readings and personal experience. The opinions are my own. For more insights from the CISO Forums, read ISACA’s CISO Board Briefing 2017.
A study by K logix Research titled “CISO Trends” found that “53% of CISOs state that one of their main objectives is to align security with business goals while 46% want to partner with business leaders to help them solve problems.”
This will have implications that go far beyond resource allocation. The CISO’s contribution to the organization is fundamentally to enable growth and support the attainment of the strategic objectives. The CISO will achieve this by ensuring that the information security posture is commensurate with the risk appetite and compliant with industry requirements.
When a group of CISOs discuss reporting, you rapidly come to realize that there is not a unique global best practice. In fact, as indicated in ISACA’s CISO board briefing, “there is not one correct organizational map, not one universal title and not even one universally applicable job description for the information security executive.”
To best fulfill this role, a key success factor is having the CISO as close as possible to those who set the tone at the top. Direct reporting to the CEO is what first comes to mind. Working closely with the CEO helps ensure best alignment of security with business imperatives. This requires an excellent working relationship between the CISO and the CEO.
Being perceived as part of the inner circle has its ups and downs. Other executives and directors will want to display a collaborative attitude and deal with the CISO as a key player but might also see the CISO as a threat to their own agenda.
The same study by K logix points out that “more than half of CISOs report to the CIO, and just 15% report to the CEO, with the rest reporting to the COO, or Risk-related organizations. But when asked about the future of the security organization, 50% of CISOs responded that the role will report into the CEO.”
There are some public examples in which even the CEO had an agenda that made her avoid her CISO. Googling Yahoo’s Marissa Mayer will provide an example of a situation in which no CISO wants to be part.
A very prevalent option is reporting to the CIO. As information security gained recognition and started to be recognized as no longer a technical issue, the person in charge was promoted and reported directly to the CIO. At the time, this was a very positive enhancement of the role. But while may work well for some, it comes with some risk. The CIO is under heavy pressure to deliver the required projects on time and within budget. In this model, the CIO, who has a supervisory function for security and other matters, may also be influenced by personal financial considerations, such as a bonus – particularly in the private sector.
The CIO will eventually be confronted with conflicting objectives when the project does not meet the security requirements and is running out of time or budget. Security is at risk of being sidetracked. There is a clear rationale for having the CISO function independent of IT.
Other reporting lines may be to the chief risk officer, chief financial officer, chief operations officer and even the chief audit executive.
In “Determining Whether the CISO Should Report Outside of IT, Refreshed” from research firm Gartner, it is noted that:
“Information security organization design is influenced by a host of factors specific to each enterprise that must be well understood before the adopted structure can work optimally.”
“The main trend has been a tendency to establish a corporate information security function outside of the IT organization.”
When the opportunity comes to revisit the reporting lines for the CISO, it’s no time to try to be idealistic. One must determine which is the best option within the context/culture/environment of his or her organization.
Among other considerations, one must assess the organization’s vision and strategic goals, culture, management style, security maturity, IT maturity, risk appetite and all relevant dynamics involving the current security posture and reporting lines.
Michel Lambert, CISA, CISM, CRISC, CGEIT, CISO, Québec Ministry of Agriculture, Fisheries and Food
The prospects of autonomous self-driving vehicles becoming a pervasive presence on our roadways seems more likely everyday. From the big automakers to Tesla to Google to Uber, a wide range of companies are investing a tremendous amount of money to create a world without carbon-based drivers. The motivation for a big payday abounds, but the hope is that this will be a huge boon to vehicle safety, and I believe it ultimately will be. As we have learned at hacker conferences, there are a lot of security concerns about self-driving cars that we need to solve, but that is not what I want to talk about here.
What I would like to do here is steal the term from the automotive industry and apply “Self Driving” to Information Security. What is Self-Driving Information Security? For me, this is an initiative to apply the ever growing power of computing to solve complex and fast changing information security problems dynamically and without human intervention. Do I believe we can eliminate humans from the information security industry? No, I don’t believe that is possible or desirable, and it certainly would make BlackHat a lot less fun. However, I think we need to rapidly take steps to push the envelope on where we can take the person out of the loop, simply because we are not going to have enough humans to go around and insert into every potential security problem space. In a world where we will soon have thousands of Internet connected devices for every person on Earth, it’s highly unlikely we will have enough information security professionals to go around to solve all of the resultant problems.
Automation is a very old idea that is present in every industry. In information technology, we seek to automate every repetitive task we can. But like in other industries, the explosion in compute power is causing us to explore automating ever more sophisticated tasks. It is no longer just assembly line robots, but advances in computing are taking on white collar jobs and in many cases doing a great job. Computers are diagnosing diseases more accurately than doctors. Computers are doing journalism and even taking on the legal profession.
Are you a skeptic in regards to computer encroachment on sophisticated and complex professions? One of the most seminal moments in computing history that impacted me was the chess contest between Garry Kasparov and IBM Deep Blue. Personally, I was rooting for the human until the bitter end. When Deep Blue ultimately defeated the world’s greatest chessmaster, I was in mourning for days. That was 20 years ago.
To be clear, Self-Driving Information Security will not be bereft of humans. Humans are the biggest part of information security today by any measure – clearly by the budgetary metric. I think we will continue to grow the overall number of people employed in the profession for the foreseeable future. The unpredictability of information security and its adversarial, logic-defying nature will require humans. But Self-Driving Information Security will gobble up the jobs we are doing today, and I am not quite sure what jobs we will be doing in the future. What I do know is, if we do not implement Self-Driving Information Security, we are going to drown in information and incidents.
What are some of the building blocks of Self-Driving Information Security? It is actually many things we are working on today, they just need to gain maturity:
DevSecOps. This idea of merging DevOps with Security Operations, enabled by cloud, is gaining in popularity with very diverse security teams. The ability to tear down and instantiate new computing systems, using “serverless” capabilities and applying some imagination is leading to automation of security process that can seem like magic to an old security guy like me.
Autonomics. The ability for computers be self-managing, self-healing, self-optimizing – self-EVERYTHING is important. A big part of how the Internet works today is through some levels of hierarchy and “command and control” systems. Clearly this model is going to break. I think about the apartment of the future with thousands of computers. Then I think about the bad guy that attacks the upstream link or servers. Or perhaps malware is injected into one of the apartment’s devices. In both cases, the nodes must not only be resilient and independent, but may need to collaborate and attack the infected device.
Blockchain. The distributed, immutable ledger technology that underpins Bitcoin is a favorite of VCs and the finance industry. I believe we are going to find a lot of applications for Bitcoin in information security. An authoritative, tamper-proof log of transactions which can be either public or private has fascinating implications. We can record any change in a very granular manner. I think about IT audit and having a record of all security control implementations, it can really change how that job is done.
Analytics. Data Science. The answers are in the data. If the data sets are large enough, if the quality is good enough and if the algorithms are well designed and speedy, we will find the security answers we are looking for. I believe our massive and inexpensive compute infrastructure is going to excel in finding the right answer to a new security problem
Artificial Intelligence. AI is certainly controversial, even trying to define it can cause fights. Many are terrified by AI and its potential threat to mankind. Some security solutions claim to use AI, others say that the current products are really employing machine learning. Closely related to analytics, having access to quality data is going to enable AI to make security decisions and take action before a human can blink.
In addition to all of these areas of focus, it is safe to assume that computing is going to get faster, cheaper and bigger at an ever-increasing pace. Quantum computing may be years away, but there are already serious efforts in government and industry to make a massive leap in computational speed. It’s also safe to assume that the bad guys will want to harness or exploit all of these trends for themselves.
The building blocks above will soon be assembled together into Self-Driving Information Security. It will be quite necessary for this to happen to manage our rapidly increasing compute universe. The jobs we know today will go away. I am convinced new jobs will replace them in greater numbers, but it may be messy. The paradox of automation is that humans will operate in a world with more layers of complex technical abstraction. We aren’t as intimately involved, but when we are needed, it is for more critical reasons.
At Cloud Security Alliance, we think it is important to be considering these trends now to be true to our mantra of “solving tomorrow’s problems today”. That’s why we have research in all of these areas happening in 2017. As always, our research is your research and we encourage you to join us.
Jim Reavis, Co-founder and CEO, Cloud Security Alliance
