Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have reported six vulnerabilities that have been fixed by Apple, Adobe and Microsoft.
For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities.
Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Google Android and other ecosystems. By proactively identifying these vulnerabilities, developing protections for our customers, and sharing the information with the security community, we are removing weapons used by attackers to threaten users, and compromise enterprise, government, and service provider networks.
In June of 2014 Dropbox achieved Level 1 Certification through STAR, the CSA’s publicly available registry, which documents how Dropbox’s security practices measure up to industry-accepted standards and the CSA’s best practices. Building on its Level 1 Self-Assessment, Dropbox recently announced CSA STAR Level 2 Certification which attests to its security controls and processes.
“Dropbox continuously proves to be at the forefront of compliance standards,” said Jim Reavis, co-founder and CEO of the Cloud Security Alliance (CSA). “With rigorous independent auditing and certification for both well-accepted and up-and-coming standards, they’re demonstrating an impressive dedication to their customers’ security. We’re excited to have Dropbox on the short list of companies that have achieved our Security, Trust & Assurance Registry (STAR) Level 2 Certification.”
Dropbox is dedicated to building trust with its customers across the globe, and helping them fit Dropbox into their compliance strategies. Dropbox is proud to work closely with the CSA to establish open and transparent cloud security best practices within the industry. Dropbox strives to stay ahead of the curve as new standards and certifications are introduced and will continue to partner with the CSA to support research and education in key cloud security areas.
Standards such as CSA STAR certification underscore Dropbox’s commitment to keeping customer data safe, operating at the highest levels of availability, and maintaining transparency in data storage and processing. And they demonstrate Dropbox’s leadership in the SaaS industry, as Dropbox is one of the first major providers to achieve CSA STAR certification. Dropbox is excited to make continued strides with these compliance milestones.
Tolga Erbay, Senior Manager, Security Risk and Compliance, Dropbox
Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice” in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit). As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Abode Flash vulnerabilities.
At the time of initial reporting, we found two variants:
Variant A: A standalone variant that included Flash exploit code packaged with a payload.
Variant B: A modular variant that loaded exploit code on-demand and appeared non-operational at the time.
Since that time, we have been able to collect additional samples of the weaponized documents that the DealersChoice exploitation platform generates. These latest, additional samples are all Variant B samples. Two of these samples were found to have operational command and control servers which allowed us to collect and analyze additional artifacts associated with the attack.
In late October 2016 Adobe issued Adobe Security Bulletin APSB16-36 to address CVE-2016-7855. In early November 2016 Microsoft issued Microsoft Security Bulletin MS16-135 to address CVE-2016-7255.
Both of these were in response to active exploitation of zero-day vulnerabilities thought by other researchers to be associated with the Sofacy group. Additional reporting as well as our own analysis indicates the exploit code for the Adobe Flash vulnerability CVE-2016-7855 was indeed delivered using DealersChoice. In-house testing also reveals customers of Palo Alto Networks Traps end-point agent are protected by the new exploit code.
Deal Me In: Finding Live C2 Servers
In our previous blog discussing DealersChoice, we identified the steps that Variant B would take once executed on a victim host, but were unable to successfully interact with the command and control (C2) server identified at the time.
We have since discovered two fully operational and active C2 servers (versiontask[.]com and postlkwarn[.]com) that followed the exact steps we outlined in the blog; loading the additional Flash exploit code into memory, following by loading the associated payload also into memory. Figure 1 details the workflow of victim to C2 communications.
Figure 1 Workflow of DealersChoice
The ActionScript within Variant B will interact with the C2 server, specifically to obtain a malicious SWF file and a payload. This process starts with an initial beacon to the C2 server that contains system information and the victim’s Adobe Flash Player version. Figure 2 shows the beacon sent by the ActionScript to the C2 server.
Figure 2 Initial beacon from DealersChoice to its C2 server
The C2 responds to the initial beacon with strings that DealersChoice’s ActionScript uses as variables in upcoming actions, such as additional HTTP requests and the decryption of the responses to those requests. Figure 3 shows the C2 server’s response to the beacon, specifically including k1, k2, k3 and k4 values.
Figure 3 C2 response to beacon provides DealersChoice tokens and keys needed to decrypt data
The ActionScript then uses the k1 variable from the C2 response data as a token within the HTTP request sent back to the C2 server to obtain the malicious SWF file, as seen in Figure 4.
The C2 server will respond to this request with data that the ActionScript will decrypt using the value of the k3 variable.
The active C2 servers provided Variant B with a malicious SWF file that was the same SWF file found within Variant A samples that exploited CVE-2015-7645 (addressed in October 2016 in Adobe Security Bulletin APSA15-05).
Figure 4 DealersChoice HTTP request to obtain a malicious SWF file to exploit Adobe Flash Player
After receiving the malicious SWF file, Variant B will then issue an HTTP request using the k2 variable as a token to obtain its payload, as seen in Figure 5. The C2 will respond to this request with data that Variant B will decrypt using the value in the k4 variable as a key. The resulting decrypted data contains shellcode and a payload that the shellcode decrypts and executes.
Figure 5 DealersChoice HTTP request to obtain shellcode and payload to execute upon successful exploitation
The active C2 servers versiontask[.]com and postlkwarn[.]com provided shellcode that decrypts and executes a payload which in both cases was a loader Trojan that extracts and decrypts an embedded DLL that it saves to the system.
The two variants of the Seduploader tool share a common C2 domain of apptaskserver[.]com, with differing backup C2 domains of appservicegroup[.]com and joshel[.]com.
Ace in the Hole: Analyzing Victim Fingerprinting
In the process of analyzing Variant B’s active C2 server, we wanted to test our hypothesis that the C2 server would load different exploit code dependent on victim fingerprinting. We tested this by providing different responses to the C2 server.
First, we issued requests to the C2 server from a VPN located in California, USA and the server did not respond to the requests. We then connected to another VPN located in the Middle East and issued the same requests, at which point the C2 server responded with a malicious SWF and payload. This fact suggests that the Sofacy group uses geolocation to filter out requests that originate from locations that do not coincide with the location of their target.
We then issued several requests to test the C2 and each time the server responded with different k1, k2, k3 and k4 variables, suggesting that the server randomly chooses these values for each inbound request.
To further test the C2 server logic we created requests that contained different values for the operating system and Flash player version. When we sent the HTTP requests to the C2 server with the Adobe Flash Player version set to 23.0.0.185, the most recent Flash version vulnerable to CVE-2016-7855, the server responded with a compressed SWF file (SHA256: c993c1e10299162357196de33e4953ab9ab9e9359fa1aea00d92e97e7d8c5f2c) that exploited that very vulnerability.
Finally, when we issued requests to the C2 server indicating the victim was a macOS system, the C2 server served the same malicious SWF file and Windows payload as before, suggesting that the Sofacy group is not using DealersChoice to check operating system type for its victims at this time.
In all cases the payload delivered by the C2 server is a loader Trojan (SHA256: 3bb47f37e16d09a7b9ba718d93cfe4d5ebbaecd254486d5192057c77c4a25363) that installs a variant of Seduploader (SHA256: 4cbb0e3601242732d3ea7c89b4c0fd1074fae4a6d20e5f3afc3bc153b6968d6e), which uses a C2 server of akamaisoftupdate[.]com.
Show Your Hand: Decoy Documents
Six documents were collected for this wave of DealersChoice attacks, all appearing to be Variant B, using similar lures to what we had observed in the previous wave. The six filenames we discovered were:
Operation_in_Mosul.rtf – an article about Turkish troops in Mosul,
NASAMS.doc – a document that is a copy of an article regarding the purchase of a Norwegian missile defense system by the Lithuanian Ministry of National Defence,
Programm_Details.doc – a document that is a copy of the schedule of a cyber threat intelligence conference in London, targeting a Ministry of Defense of a country in Europe, and
DGI2017.doc – a document targeted at a Ministry of Foreign Affairs of a Central Asian country regarding the agenda for the Defence Geospatial Intelligence gathering in London.
Olympic-Agenda-2020-20-20-Recommendations.doc – a document containing details of agreements for the 2020 Olympics
ARM-NATO_ENGLISH_30_NOV_2016.doc – a document outlining an agreement between the Republic of Armenia and NATO
Figure 6. Collected decoy documents for current wave of attacks
Unlike the first DealersChoice attacks, these documents used stripped out or forged metadata in order to add in an additional layer of obfuscation. Two of the documents, NASAMS.doc and Programm_Details.doc shared a common, unique username pain in the Last Saved By field. Additionally, each of the weaponized documents continued to use the OfficeTestSideloading technique we had previously reported on. This was the technique we had discovered the Sofacy group began using over this past summer as a way to sideload DLL files using a performance test module built into the Microsoft Office suite as well as maintain persistence on the victim host.
Filename
Author
Last Saved By
Subject
SHA256
Operation_in_Mosul.rtf
Robert Tasevski
—-
Turkish troops in Mosul
f5d3e827…
NASAMS.doc
Антон Гладнишки
pain
Norwegian missile defense system
1f81609d…
Programm_Details.doc
Laci Bonivart
pain
Conference schedule
1579c7a1…
DGI2017.doc
Невена Гамизов
Невена Гамизов
Conference schedule
c5a389fa…
Olympic-Agenda-2020-20-20-Recommendations.doc
admin
User
Recommendations for 2020 Olympics
13718586…
ARM-NATO_ENGLISH_30_NOV_2016.doc
User
User
NATO agreement
73ea2cce…
The six first-stage C2 domains for the weaponized documents were all registered by unique registrant emails. Versiontask[.]com and Uniquecorpind[.]com appear to be completely new infrastructure, not sharing any artifacts with previously observed Sofacy group campaigns.
Type
Domain
Date Registered
Registrant Email
First stage C2
Versiontask[.]com
2016-10-24
dalchi0@europe.com
First stage C2
Uniquecorpind[.]com
2016-10-25
yasiner@myself.com
First stage C2
Securityprotectingcorp[.]com
2016-08-19
ottis.davis@openmailbox.org
First stage C2
Postlkwarn[.]com
2016-11-11
fradblec@centrum.cz
First stage C2
adobeupgradeflash[.]com
2016-11-22
nuevomensaje@centrum.cz
First stage C2
globalresearching[.]org
2016-11-18
carroz.g@mail.com
Six second stage C2 domains for the Seduploader payloads delivered by DealersChoice were identified.
Type
Domain
Date Registered
Registrant Email
Seduploader C2
Joshel[.]com
2016-11-11
germsuz86@centrum.cz
Seduploader C2
Appservicegroup[.]com
2016-10-19
olivier_servgr@mail.com
Seduploader C2
Apptaskserver[.]com
2016-10-22
partanencomp@mail.com
Seduploader C2
Akamaisoftupdate[.]com
2016-10-26
mahuudd@centrum.cz
Seduploader C2
globaltechresearch[.]org
2016-11-21
morata_al@mail.com
Seduploader C2
researchcontinental[.]org
2016-12-02
Sinkholed
Much like the first stage C2 domains, the five non-sinkholed second stage C2 domains were registered recently and used unique registrant email addresses previously unused by the Sofacy group. However, each of these domains used nameservers commonly associated with the Sofacy group, ns*.carbon2u[.]com and ns*.ititch[.]com. The domain akamaisoftupdate[.]com revealed additional artifacts linking it back to previous Sofacy group campaigns. Based off passive DNS data, we discovered akamaisoftupdate[.]com resolving to 89.45.67.20. On the same class C subnet, we discovered 89.45.67.189, which previously had resolved to updmanager[.]net, a well reported domain in use by the Sofacy group.
The domain securityprotectingcorp[.]com was also found to have links to previous Sofacy group infrastructure. It was registered a couple of months prior, but analysis of the registrant email address revealed that it had also been used to register microsoftsecurepolicy[.]org, which using passive DNS data we found had resolved to 40.112.210.240, an IP commonly associated with the Sofacy group. This IP and its corresponding domain resolutions have been used over the years for multiple purposes by the Sofacy group, as C2s for multiple tools such as Azzy or XAgent, or to host phishing sites to gather credentials from targets.
Figure 7 Chart of DealersChoice infrastructure
Conclusion
It appears evident at this time that the Sofacy group is actively using the DealersChoice tool, specifically the Variant B, to attack targets of interest. As evidenced by the delivery of exploit code for a recently patched vulnerability in Flash (which was used in zero-day attacks), we can see how the malware provides flexibility in exploitation methodology and is truly a platform in itself. New infrastructure does appear to have been created for DealersChoice, but as we have seen in the past, the Sofacy group has a tendency to reuse artifacts from previous campaigns and this is no exception. Palo Alto Networks customers may learn more and are protected via:
Correctly identify associated samples as malicious in WildFire
DealersChoice domains and C2 traffic are classified as malicious
Traps correctly identifies and prevents exploit code to be executed
Note that even though CVE-2016-7855 was a zero-day vulnerability, Palo Alto Networks customers would have been protected by our Traps endpoint agent as seen in Figure 8.
Figure 8 Palo Alto Networks Traps blocking exploitation of the CVE-2016-7855 vulnerability
This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
Based on the trends we are seeing within the mobile industry, here are some predictions for 2017:
Sure Thing: Cyberattackers will target service providers by tapping into wide network of IoT devices
We have seen how IoT and wearable technology can be used by cyberattackers to launch unprecedented levels of volumetric attacks aimed at taking down specific websites and applications. These attacks will now increasingly be aimed at taking down critical service-provider network infrastructure that cause wide-scale disruptions of mobile and other connected services. Service providers will have significant pressure to shift their security posture and leverage advanced network-based mechanisms to prevent these types of malware infections from reaching IoT devices that are connected to their networks.
Sure Thing: Cyberattackers will increase their emphasis on exploiting mobile device users, and mobile device infections will exponentially increase
Consumers continue to increase their reliance on smart devices and mobile applications to manage their digital lives, making themselves easy targets for cyber criminals and creating a ripe environment for the spread of many different types of mobile malware. This trend will degrade overall trust that consumers have in their mobile services and create a new challenge for service providers, which will spur providers’ increased focus on protecting end user services and preventing potential negative impacts on their brands. “Is it the service provider’s fault” will be a common debate.
Long Shot: Cyberattacks on mobile users will become the leading cause for churn
Research has shown that consumers would rather lose their wallets than their mobile phones (and now some are using their phone as their wallet). A recent Accenture survey of smartphone users revealed 62 percent are concerned about the security of their financial transactions; 60 percent are dissatisfied with their connectivity and experience; and 47 percent are concerned about privacy and security. Altogether, a majority of them are ready to switch providers, partly because they feel their current ones don’t help safeguard their critical properties. Mobile operators will shift focus to develop new strategies that ensure the security of customer devices and prevent an erosion of customer trust that leads to lost business.
Long Shot: Service Providers will market IoT security as a competitive advantage
Over the years, service providers have tended to define network security pretty narrowly, with a prime objective of maintaining network availability and no real need or obligation to secure end user devices. This may have been sufficient for operating successfully in the past, but the landscape is now changed, with an expanding mobile attack surface and growing occurrences of infected IoT devices launching malicious attacks. The implications to service providers are significant, especially considering that IoT is being counted on to help fuel the next wave of mobile-service revenue growth; providers have no choice but to now embrace IoT security as a means of enabling future business. Who wants to be the operator that allowed a hacker to take over thousands of cars or the operator that is labeled as “less secure” than its competitor? Service providers will begin to adopt advanced network-based IoT threat prevention mechanisms, and they will begin marketing to potential IoT customers with security as a competitive advantage.
What are your cybersecurity predictions for service providers? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for Japan.
One of the hottest emerging technology topics surrounds the Internet of Things (IoT), or as some have characterized it, the Internet of Everything. A McKinsey Global Institute report estimates that by 2025, the global financial impact of the IoT could reach between $3.9 trillion to $11.1 trillion a year.
Every industry will potentially benefit from this technology that relies on small sensors communicating among themselves and providing data that will drive exceptionally huge big data.
Smart sensors integrated into buildings could monitor and collectively control environmental conditions. Miniature medical sensors could keep healthcare workers informed and alerted about patients in hospitals or as they go about their normal activities. Manufacturing processes could self-control production providing instantaneous correction as sensors collaborate throughout the production of a product. Our self-driving cars will communicate with other vehicles and the roadway, navigating safe and quick transit to a desired location while providing city-wide information about traffic patterns to city planners.
IoT has the potential to dramatically change how things are done while significantly enhancing the quality of life for everyone. Our small experiments with home automation and building control are nothing compared to the automation we will see integrated into daily life and work.
The concept behind the IoT seems relatively simple. Multitudes of miniscule sensors will collect specific information, share information with neighboring devices, and communicate data to a repository where control can be coordinated or information massaged, giving never-before-seen insights. While this description is the basis for the IoT, it is not clear how devices will communicate and coordinate. It is not clear how innovative thinking could evolve new uses and business models around IoT that will result in significant levels of market disruption.
The most promising intra-device communication and data record among devices could well be blockchain. Blockchain is essentially a secure, distributed, peer-to-peer implementation of a ledger system that is most often associated with bitcoin monetary transactions.
The truth is that the blockchain ledger can contain any information, including heath records, identity, and non-financial transactions. A really interesting use is developing smart contracts using blockchain as the organizing infrastructure. Smart contracts could bind individuals, or for IoT, sensors that share information, and when a certain condition is met that is a metric included in the e-contract, a pre-programmed response is initiated. This could be a payment in the case of business-to-business relationships.
Between devices, smart e-contracts could be associated with carbon credits, power creation and consumption, or any number of other device-to-device activities. At an even higher level of organization, IoT sensors could be implemented within a Distributed Autonomous Organization (DAO) to achieve some end result but governed completely within the smart contract that established the DAO.
The genius of the IoT is not that there are multitudes of small sensors creating terabytes of data, but that there is a system of devices sharing information in an intelligent and controlled manner that achieve a result within a self-governing structure. The thing that binds these sensors, providing both governing and the ability to act intelligently, will come from the blockchain.
Ron Hale, Ph.D., CISM, Chief Knowledge Officer, ISACA