The Palo Alto Networks Unit 42 threat intelligence team has just released new research uncovering a previously unknown second wave of Shamoon 2 attacks: Second Wave of Shamoon 2 Attacks Identified
Based on our analysis, these attacks were timed to occur on November 29, 2016, twelve days after the initial Shamoon 2 attacks that we wrote about previously.
Like the initial Shamoon 2 attacks, this second wave uses the Disttrack wiper malware. Disttrack is optimized to destroy systems by targeting their hard drives and to spread as widely as possible through any network it has infiltrated. Once again, the Disttrack malware was configured to operate without any command and control (C2) servers, essentially optimized for a one-way mission of data destruction.
But this second wave of Shamoon 2 attacks shows evidence of a potential new tactic. Unit 42 analysis shows that the latest sample contains credentials for virtual desktop infrastructure (VDI) solutions, such as Huawei’s FusionCloud. VDI solutions can provide protection against destructive malware like Disttrack through the ability to load snapshots of wiped systems to recover from a wiper attack. The presence of these credentials in the sample may suggest that the attackers intended to increase the impact of their attack by not only wiping systems but also carrying out destructive activities against the VDI deployment and any snapshots it holds.
The possible targeting of VDI solutions with legitimate credentials (either stolen or default) represents an escalation in tactics, not only in this specific attack but potentially in future attacks. Security teams and administrators should take immediate steps to evaluate this development and consider adding safeguards to protect the credentials related to their VDI deployments.
Full technical details, including associated indicators of compromise (IOCs) that can be used for more detailed analysis and protection, can be found in the full report.
Palo Alto Networks customers are protected from the Disttrack payload used in this attack:
WildFire properly classifies Disttrack samples as malicious.
The Threat protection AV signature Virus/Win32.WGeneric.ktoto detects the new payload.
AutoFocus customers can monitor Disttrack activity using the Disttrack tag.
Training Registration Opens for First Official CCSP & SSCP CBK Training Seminar in March and April 2017
Hong Kong/Hanoi – Jan 16, 2017 – (ISC)²® today announced it has appointed Robusta Technology and Training Center (Robusta), a leading training company in Vietnam, as an (ISC)² Official Training Provider (OTP) to offer official (ISC)² cloud security and cybersecurity education to its potential certification candidates in Vietnam. The first official (ISC)² CBK® Training Seminar for the Certified Cloud Security Professional (CCSP®) will be held on March 27 in Hanoi. The official (ISC)² CBK Training Seminar for the Systems Security Certified Practitioner (SSCP®) will be held on April 3 in Ho Chi Minh City.
Robusta is a leading training company in Vietnam. As an (ISC)² OTP, Robusta will offer official (ISC)² CBK Training Seminars to security professionals looking to become certified. The first two certifications to be offered are the CCSP and SSCP. Globally acclaimed, (ISC)²’s credentials qualify cyber, information, software and infrastructure security professionals throughout their careers. The CCSP credential is appropriate for professionals with deep-seated knowledge and competency derived from hands-on experience with information security and cloud computing. The CCSP represents the highest standard for cloud security expertise and enables organizations to benefit from the power of cloud computing while keeping sensitive data secure. The SSCP is suitable for those pursuing technical skills and practical security knowledge for hands-on operational IT security roles. It provides industry-leading confirmation of a practitioner’s ability to implement, monitor and administer IT infrastructure in accordance with information security policies and procedures that ensure data confidentiality, integrity and availability.
“Cybersecurity has become the prime concern of thousands of enterprises worldwide. Cyber threats pose a real challenge in many developing nations, including Vietnam. Robusta Technology and Training, one of the top training providers in Vietnam, has been dedicated to raising the issue of cybersecurity threats and emphasizing the importance of proper methods to defend against cyberattacks amongst the public. Working with (ISC)² to provide world-class cybersecurity education is a major step in our journey to serve and give back to the IT community. Together, we aim to provide more certified cybersecurity professionals to strengthen the nation’s defense capability,” says Thuan Ta, president, Robusta Technology and Training.
“We are delighted to add Robusta Technology and Training to our reputable network of OTPs in Vietnam. The working relationship with Robusta will help to enhance the development of capacity building with (ISC)²’s official education program in Vietnam. The CCSP education will definitely cater to the needs of candidates looking for advanced cloud security education, and SSCP education is ideal for those who would like to develop practical security knowledge in hands-on operational IT roles,” says Clayton Jones, managing director, (ISC)² Asia-Pacific.
For more information or to register for training seminars, please contact Robusta team at Learn@robusta.vn or call (+84) 939 586 168 or visit http://www.robusta.vn/.
About Robusta
Established in May 2010, Robusta Technology and Training, a national leader in virtualization, cloud computing, big data and security training services, has quickly become one of the most trusted and prestigious training brands in Vietnam. After seven years of rapid growth, Robusta is now an authorized training partner for technology leaders including VMware, Microsoft, Cisco and EMC. Robusta has provided more than 10,000 students with industry-leading technical training that delivers the most intuitive and advanced courses and certifications. For students and corporate clients, we commit to providing the highest quality source materials and the latest products and technologies. Our trainers are experienced experts both in training and in conducting large corporate and governmental projects. Our classes are conducted with innovative and interactive approaches. We deliver not only knowledge but also hands-on experience and consultation to our students. Located in both Vietnam and the United States, our labs are equipped with the latest cloud technology, allowing students to access them 24/7 from anywhere. For more information, visit Robusta.vn and connect with us on Facebook.
About (ISC)²
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our membership, over 123,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation, The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook.
Next week, I will have the privilege of participating in the annual meeting of the World Economic Forum (WEF) in Davos, Switzerland, organized this year around the theme of “Responsive and Responsible Leadership.” As WEF notes, 2016 demonstrated that existing systems and institutions at national, regional, and global levels have strained to keep pace with an increasingly complex and interconnected world. Yet, the growth of this complexity and interconnectedness shows no sign of slowing, as the Fourth Industrial Revolution (last year’s theme) drives “the convergence of technologies that blur the lines between physical, digital, and biological systems.”
As I noted last year in the run-up to Davos, the future prosperity promised by the Fourth Industrial Revolution relies upon the trust that we all place in technology to function properly – and securely. Our embrace of connected devices, smart homes, self-driving cars, and other innovations underpins the digital economy, but it also leaves us vulnerable to new forms of attack. Cybersecurity, therefore, is an absolute necessity for future economic prosperity. For this reason, I can think of few topics that more urgently require responsible leadership than cybersecurity – and not just cooperation but also collaboration among public and private sector interests.
Responsible leadership in the digital age requires questioning established practices and leading the implementation of changes when warranted. To this end, I will encourage my fellow attendees to adapt to the emerging threat environment by choosing a prevention-based approach that proactively identifies and manages cybersecurity risks to their organizations. For many, this involves scrutinizing legacy approaches to cybersecurity that have failed to keep pace with the Fourth Industrial Revolution, and ensuring that operational teams apply the proper combinations of people, process and technology to prevent successful attacks.
The decreasing cost of computing power makes it easier and cheaper than ever for cyber criminals to launch attacks in greater volume and with greater sophistication. Attackers enjoy decreasing start-up and marginal costs, using automated, specialized, and scalable tools to achieve their objectives. Legacy defenses are inadequate to deal sufficiently with this rise in volume and sophistication, dependent as they are on decades-old core technology, patchwork systems and manual intervention by security teams. To effectively address this risk, responsible leaders must instead focus their organizations’ cybersecurity efforts on automated prevention of attacks, decreasing the likelihood of, and raising the cost required for, a successful attack. By focusing on prevention, we make attacks cost-prohibitive for attackers, diminish their success, and securely enable the technologies underlying our digital age.
The Fourth Industrial Revolution holds great promise, but it will also challenge us in unprecedented ways. Few challenges, in my view, are as serious as that of cybersecurity, which is why it is the perfect topic for responsible leadership. I look forward to bringing this message to Davos, and hope we can all work toward a fresh approach to cybersecurity focused on the prevention of successful cyberattacks.
EITest is a name originally coined by Malwarebytes Labs in 2014 to describe a campaign that uses exploit kits (EKs) to deliver malware. Until early January 2016, “EITest” was used as a variable name in the attacker’s malicious injected script in pages on legitimate websites compromised by this campaign. While the variable name is gone, the name for the campaign remains: we still call this campaign “EITest” and it continues to use EKs to distribute a variety of malware.
We reviewed EITest in March 2016 and October 2016. However, the EITest campaign now looks noticeably different from when we last reviewed it three months ago.
The EITest campaign is focused on the Delivery, Exploitation, and Installation phases of the cyber attack lifecycle. The way the attacker executes each of these phases changes over time, and this blog examines the changes during the last quarter of 2016. Two significant changes have occurred during this time.
Since our last report, EITest no longer uses a gate between the compromised website and the EK landing page (possibly in response to that report).
Script injected by the campaign into pages on legitimate websites no longer contains any obfuscation.
Perhaps the most interesting thing about EITest is its longevity. People have been tracking this campaign since 2014, and its longevity suggests that despite the shifting EK landscape, EKs remain a profitable venture for the criminals involved.
Chain of Events
Successful infections by the EITest campaign generally follow a set sequence of events. It currently uses at least two variations of Rig EK to deliver a variety of malware. The infection sequence is similar to other campaigns utilizing EKs to distribute malware. To understand how campaigns use EKs, see our previous blog on EK fundamentals. For EITest, we see the following steps:
Step 1: Victim host views a compromised website with malicious injected script.
Step 2: The injected script generates an HTTP request for an EK landing page.
Step 3: The EK landing page determines if the computer has any vulnerable browser-based applications.
Step 4: The EK sends an exploit for any vulnerable applications (for example, out-of-date versions of Internet Explorer or Flash Player).
Step 5: If the exploit is successful, the EK sends a payload and executes it as a background process.
Step 6: The victim’s host is infected by the malware payload.
For most of its history, EITest used a gate between the compromised website and the EK landing page. However, the campaign stopped using a gate after we published our previous blog about it on October 3, 2016. Since then, script injected by this campaign has linked directly to an EK landing page.
Figure 1: Chain of events for the EITest campaign as of October 3, 2016.
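The chain above, and the gate-versus-direct distinction, can be reconstructed after the fact from web-proxy logs. The script below is an added example written for this page; it is not code from Unit 42 or from the blog, and it reuses no real EITest or Rig EK indicators: every host name, URI and log record in it is constructed, and the 60-second window and the Flash and executable content types are assumptions. It flags a cross-site HTML fetch (Step 2) that is followed, from the same foreign host and within the window, by a Flash object (Step 4) and then an executable download (Step 5), and it walks the Referer chain back from that landing page so that an intermediate redirector is reported as a gate while a direct link from the compromised page is reported without one.

```python
"""Reconstruct exploit-kit (EK) infection chains from web-proxy records.
Added example for this page, not Unit 42 or blog code. Every host, URI and
record in SAMPLE_LOG is constructed; no real EITest or Rig EK indicator is used."""
import csv
import io
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log (not a real capture): one request per line
SAMPLE_LOG = """\
time,client,host,path,referer,content_type
2016-12-30T10:00:01,10.0.0.5,www.example-blog.test,/post/holiday.html,,text/html
2016-12-30T10:00:03,10.0.0.5,landing.ek-host.test,/?q=abc123&k=17,http://www.example-blog.test/post/holiday.html,text/html
2016-12-30T10:00:04,10.0.0.5,landing.ek-host.test,/?q=abc123&f=swf,http://landing.ek-host.test/?q=abc123&k=17,application/x-shockwave-flash
2016-12-30T10:00:06,10.0.0.5,landing.ek-host.test,/?q=abc123&p=bin,http://landing.ek-host.test/?q=abc123&k=17,application/octet-stream
2016-12-30T10:05:00,10.0.0.7,www.example-news.test,/index.html,,text/html
2016-12-30T10:05:01,10.0.0.7,gate.redirector.test,/count.php?id=9,http://www.example-news.test/index.html,text/html
2016-12-30T10:05:02,10.0.0.7,landing.ek-host.test,/?q=zz9&k=4,http://gate.redirector.test/count.php?id=9,text/html
2016-12-30T10:05:03,10.0.0.7,landing.ek-host.test,/?q=zz9&f=swf,http://landing.ek-host.test/?q=zz9&k=4,application/x-shockwave-flash
2016-12-30T10:05:05,10.0.0.7,landing.ek-host.test,/?q=zz9&p=bin,http://landing.ek-host.test/?q=zz9&k=4,application/octet-stream
2016-12-30T10:09:01,10.0.0.9,ads.partner.test,/frame.html,http://www.example-shop.test/cart,text/html
2016-12-30T10:09:02,10.0.0.9,ads.partner.test,/banner.swf,http://ads.partner.test/frame.html,application/x-shockwave-flash
"""

HTML = "text/html"
FLASH = "application/x-shockwave-flash"
BINARY = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=60)  # assumption: landing page to payload completes within a minute

# gates is empty for the direct link EITest has used since October 2016
Chain = namedtuple("Chain", "client compromised_page gates landing_page exploit payload")

@dataclass
class Request:
    time: datetime
    client: str
    host: str
    path: str
    referer: str
    content_type: str

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"

    def is_cross_site_html(self) -> bool:
        # Step 2: an HTML page served by a host other than the one that referred to it
        return (self.content_type == HTML and bool(self.referer)
                and urlsplit(self.referer).netloc != self.host)

def parse_log(text: str) -> List[Request]:
    rows = [Request(datetime.fromisoformat(r["time"]), r["client"], r["host"],
                    r["path"], r["referer"], r["content_type"])
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: (r.client, r.time))  # groupby below needs this order

def walk_back(landing: Request, by_url: Dict[str, Request]) -> Tuple[str, List[str]]:
    """Follow Referer back to the page the user visited (Step 1); hops in between are gates."""
    gates: List[str] = []
    page = landing
    for _ in range(5):  # bounded: a forged Referer could otherwise loop forever
        prev = by_url.get(page.referer)
        if prev is None or not prev.is_cross_site_html():
            return (prev.url if prev else page.referer), gates
        gates.insert(0, prev.url)
        page = prev
    return page.referer, gates

def find_chains(requests: List[Request]) -> List[Chain]:
    chains: List[Chain] = []
    for client, group in groupby(requests, key=lambda r: r.client):
        reqs = list(group)
        by_url = {r.url: r for r in reqs}
        for i, landing in enumerate(reqs):
            if not landing.is_cross_site_html():
                continue
            # Steps 3-5: later requests to the same foreign host, referred by the landing page
            follow = [r for r in reqs[i + 1:] if r.host == landing.host
                      and r.referer == landing.url and r.time - landing.time <= WINDOW]
            exploit = next((r for r in follow if r.content_type == FLASH), None)
            if exploit is None:
                continue
            payload = next((r for r in follow
                            if r.content_type in BINARY and r.time >= exploit.time), None)
            if payload is None:
                continue  # Flash object with no executable afterwards, e.g. an ad banner
            origin, gates = walk_back(landing, by_url)
            chains.append(Chain(client, origin, gates, landing.url, exploit.url, payload.url))
    return chains

if __name__ == "__main__":
    for c in find_chains(parse_log(SAMPLE_LOG)):
        print(c.client, "via gate" if c.gates else "direct", c.compromised_page, "->", c.payload)
```

Run as a script it reports two chains from the sample, one direct and one through a gate, and leaves the third client alone: that client fetched a cross-site Flash banner but no executable, which is the ordinary shape of an ad frame. The walk-back assumes the user navigated to the compromised page directly; a page reached from a cross-site link (a search result, say) would itself look like a gate, so in production you would also discount hops on known search engines and ad networks, take content types from the response headers rather than a CSV, and widen the media types to whatever plugins the kit in question targets.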
EITest and Rig EK
The EITest campaign still uses Rig EK to deliver its malware. Our research shows EITest most often uses a variant of Rig EK called Empire Pack. Many in the community refer to Empire Pack as “Rig-E” to distinguish it from other variants while still emphasizing its relationship to the original Rig EK. Empire Pack uses the same URL patterns we have seen from Rig EK since late March 2015, while other variants of Rig EK, such as Rig-V (an improved “VIP” version of Rig) and standard Rig, have moved on to different URL patterns.
Of note, the variant of Rig EK that EITest uses depends on the payload it delivers. Most EITest payloads are sent using Rig-E. However, EITest has used Rig-V to distribute ransomware like Cerber or CryptoMix (also known as CryptFile2).
Payloads sent by EITest
Since October 2016, the EITest campaign has continued to use Rig EK to distribute a variety of malware.
We occasionally see ransomware like Cerber or CryptoMix from the EITest campaign. More often, the campaign will distribute information stealers like Gootkit or the Chthonic banking Trojan. EITest has also delivered other types of malware like Ursnif variants and Latentbot.
Patterns of injected script
When we last examined script injected by the EITest campaign, it still used obfuscation to disguise the EK landing page URL. By October 15, 2016, EITest had stopped obfuscating the URL within the injected script. Figure 3 shows the injected script shortly before the change. Figure 4 shows the injected script shortly after, with an unobfuscated landing page URL.
Figure 3: Injected EITest script in page from a compromised website on October 13th, 2016.
Figure 4: Injected EITest script in page from a compromised website on October 17th, 2016.
Throughout the rest of 2016, injected script from EITest hasn’t changed that much, as seen in Figure 5.
Figure 5: Injected EITest script in page from a compromised website on December 30th, 2016.
Conclusion
EKs are still a popular method to distribute malware. Campaigns like EITest continue to use EKs to deliver a variety of malware, including information stealers and ransomware. These campaigns do not have a specific target: anyone with a Windows system that is out of date, or that runs out-of-date applications, is vulnerable to infection.
As the EK model of distribution remains profitable, we expect to keep seeing malware delivered by EKs through campaigns such as EITest. Domains, IP addresses and other indicators associated with this campaign change constantly. Fortunately, EKs are relatively ineffective against people running a fully patched Windows operating system who keep all of their applications up to date. Furthermore, customers of Palo Alto Networks are protected from the EITest campaign through our next-generation security platform.