Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Employees, customers and partners connect to different repositories of information within your network, as well as to the internet, to perform various aspects of their jobs. These people and their many devices represent your network’s users. It’s important to your organization’s risk posture that you’re able to identify who they are — beyond IP address — and the inherent risks they bring with them based on the particular device they’re using, especially when security policies have been circumvented or new threats have been introduced to the organization.
Here are two high-profile, real-world breaches that you can learn from. The key takeaway here is that, to make the most of your next-generation firewall investment, it is critical to implement user-based controls.
Example 1: Data Breach at a Large U.S. Retailer
This data breach started with the attackers stealing a third-party vendor’s login credentials. This allowed them to gain access to the third-party vendor environment and exploit a Windows vulnerability. Since the vendor had the privileges to access the corporate network, the attackers gained access, too. The attackers were then able to install memory-scraping malware on more than 7,500 self-checkout POS terminals. This malware was able to grab 56 million credit and debit card numbers. The malware was also able to capture 53 million email addresses.
The SANS Institute Reading Room for InfoSec has published a report on the breach. The report mentions several ways in which the breach could have been prevented. One of the most important is to have the right access controls in place. Quoting from the report:
An identity and access management solution should be used to manage the identities and access of all internal and external employees (third-party vendors).
Each external employee should have their own account, so that there is accountability for anything performed on their behalf.
Account review procedures should also be in place, specifically for third-party vendor accounts. Auditing of these third-party vendors is critical. This will allow the detection of abnormal behavior.
Having all of these controls in place for managing and monitoring the third-party vendor accounts will detect any misuse of third-party vendor credentials.
Example 2: Data Breach at a Large U.S. Banking and Financial Services Company
This data breach started with the attackers infecting the personal computer of an employee. The malware stole the employee’s login credentials. When the employee used VPN to connect to the corporate network, the attackers were able to gain access to more than 90 corporate servers. The attackers stole private information for 76 million households and 7 million small businesses.
The SANS Institute Reading Room for InfoSec’s report on this breach mentions the need to manage user privileges as one of the key ways to minimize the risk of a breach or minimize damage in case of a breach. Quoting from the report:
Least privilege simply means to give someone the least amount of access to perform his or her job. If least privilege control access were applied, these organizations would have reduced the amount of stolen data by 86 percent.
Anonymous access must be disabled because many Windows vulnerabilities are caused by null user sessions. A null user session is essentially a Server Message Block (SMB) session with blank username and password.
What This Means for You as the Security Practitioner
Want to make sure your organization does not end up in the headlines for the wrong reasons, like a massive data breach? You’d do well to implement user-based controls and restrict user access to least privilege, as the SANS Institute reports recommend. Employ the right user access mechanisms not only on the endpoints and on the applications that they access but also on your next-generation firewall.
Call to Action
If you own a Palo Alto Networks® Next-Generation Firewall, refer to the following resources to enable User-ID™, and increase your organization’s breach defenses:
Last year I wrote an article that discussed using COBIT 5 to audit cyber controls, in this instance the Australian Signals Directorate (ASD) Top 4. At the time of writing this article I had the privilege of being an expert reviewer on a draft ISACA white paper on creating an audit program. This white paper has now been released.
In the Australian government, as with all governments around the world, compliance against legislative and regulatory requirements is an important factor for the various government entities responsible for the delivery of functions for the Australian government. As a result, the internal audit programs for these government entities generally have a strong focus on compliance factors. Within the Australian government, entities are required to comply with a myriad of legislation, regulations and rules, including (but not limited to):
The Protective Security Policy Framework
The Information Security Manual
The Public Governance Performance and Accountability Act (and associated legislation)
The Commonwealth Procurement Rules
The Commonwealth Risk Management Policy
Whole-of-government ICT Policy
The Commonwealth Fraud Control Policy
Each government entity is also required to comply with their individual enabling legislation and regulations, as well as laws and regulations that any business and organization must comply with. In recent times, the following have been a focus of internal audit programs:
Workplace health and safety requirements
The Privacy Act
As discussed in my article about the ASD Top 4, internal audit has traditionally taken a yes/no approach to auditing compliance in government. For instance, if an audit on procurement was scheduled on the audit program, an auditor would take a sample of recent procurements, assess them against the regulatory requirements and internal policy and procedures, and produce a report that outlined instances of noncompliance.
In my opinion, this approach is useless. It does not help management understand why there was noncompliance and how they can prevent noncompliance. This white paper goes through a 5-step process to develop an audit plan:
Develop an audit plan.
Define audit objective.
Set audit scope.
Perform audit planning.
Determine steps for data gathering
These five steps provide details on how to put together an effective audit plan that can ensure that you help management. It very deliberately guides you on what to consider and prepare in the planning process so you are better prepared to undertake the audit. This will help ensure that when undertaking an audit of legislative compliance in government, you move away from the traditional yes/no approach and consider the factors or, to use a COBIT 5 term, the enablers that actually help management achieve compliance.
David Berkelmans, CISA, Executive Director IT Audit, Synergy Group
If you’re an organization with trans-Atlantic presence that transmits and stores European citizen data (e.g. employee payroll & HR data, client & prospect data) in the U.S. you will want to pay attention. What we will discuss was administered under the European Union’s Data Protection Directive and a previous EU-U.S. agreement called Safe Harbor. We will cover what happened, what’s next, new rules (and penalties) that are set to go into effect and our recommendations.
What Happened?
Safe Harbor, invalidated by a European Court of Justice (ECJ) ruling (PDF) in October 2015, allowed companies to transmit and store EU citizen data in the US so long as the U.S. companies agreed to meet requirements as described in Decision 2000/520/EC otherwise known as ‘Safe Harbor Privacy Principles’. The European Court of Justice ruled to invalidate the Safe Harbor agreement as it determined that US companies were not able to meet Safe Harbor Privacy Principles as they conflicted with National Security Agency or other government agency subpoenas request for information and other government data collection programs. Data on EU citizens was found as a result of US government surveillance program information being made public. In other words, if U.S. companies were complying with Safe Harbor Privacy Principles, that information would not have been found or made public as a result of those programs.
What’s Next… In early February 2016, the US Department of Commerce and the European Commission announced a new framework called the Privacy Shield. Since then, a group known as the Article 29 Working Party, Europe’s data protection body, issued its own statement (PDF) about the Privacy Shield framework and expressed their reservations regarding the adequacy of the “Privacy Shield.” On July 8, 2016 the European Union Member States Representatives approved the final version of the Privacy Shield. The new Privacy Shield framework allows for transatlantic data transmission and outlines obligations on companies handling the data, in addition to written assurances from the U.S. that among other items rules out indiscriminate mass surveillance of European citizens’ data.
Additionally, in early 2016 the European Union enacted a new data protection framework that has been in the works since 2012, known as the General Data Protection Regulation. This new Regulation repeals and replaces the pre-existing European Union’s Data Protection Directive. While not much has changed in the new ‘Regulation’ U.S. companies should note that policies and procedures as it relates to employee data transmission from the EU to U.S. be updated as well as be aware of new penalties. The new rules of the Regulation (and penalties) “will become applicable two years thereafter.” So, in 2018, the rules and penalties around the General Data Protection Regulation will go into effect.
New Rules that will go into effect (enforceable, starting in January 2018):
Strong obligations on companies handling Europeans’ personal data and robust enforcement:U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
Effective protection of EU citizens’ rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
New Penalties that will go into effect (enforceable, starting in January 2018): Under Article 79 of the Regulation, penalties and enforcements are described for Organizations less than 250 personnel and Enterprises. Violations of certain provisions for Enterprise organizations (> 250 employees) will carry a penalty of “up to 2% of total worldwide annual [revenue] of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual [revenue] of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organization.”
What should U.S. companies consider? There are a few options we’ll highlight here such as conducting Privacy Assessments with Privacy Shield and GDPR regulations in mind, ISO 27001 / 27018 certification, cyber risk program development to include vendor risk management, incident response planning and cyber risk assessments.
What to do – Privacy Shield
As it relates to the new EU-U.S. Privacy Shield, companies should review and be aware of the legal requirements outlined in the Privacy Shield (PDF). For certified Safe Harbor organizations, continue to abide by those elements within Safe Harbor, as you still have an obligation to protect EU data transfers, and begin to incorporate the Privacy Shield requirements as you will have to obtain certification (in-house or third-party) to gain listing on the Privacy Shield website maintained by the Department of Commerce.
Specifically, “It requires participating U.S. organization to develop a conforming privacy policy, publicly commit to comply with the Privacy Shield Principles so that the commitment becomes enforceable under U.S. law, annually re-certify their compliance to the Department (of Commerce), provide free independent dispute resolution, to EU individuals, and be subject to the authority of the U.S. Federal Trade Commission (“FTC”), Department of Transportation (“DOT”), or another enforcement agency.”
New requirements for Privacy Shield participating companies as outlined on the Commerce.gov site include:
Informing individuals about data processing
Maintaining Data Integrity and purpose limitation
Ensuring accountability for data transferred to third parties
Cooperating with the Department of Commerce
Transparency related to enforcement actions
Ensuring commitments are kept as long as data is held
What to do – EU GDPR
Under the new EU General Data Protection Regulation (Chapter 4, Section 2), not only is there also a requirement for an annual assessment, but the Regulation requires for data breach notification, incident response planning and security awareness training for staff involved in the data transmission process.
As it pertains to incident response plan and handling, the regulation stipulates notification to a supervisory authority within the European Union within 24 hours and notification to data owners without undue delay. Having an incident response plan in place will be critical to an organizations ability to respond to a data compromise incident.
On vendor risk management, Article 26 stipulates that subcontractors cannot process or transmit data on behalf of the organization (e.g Data controller). Since most organizations have programs for vendors to access systems or assist in data management, you’ll want to evaluate your vendors’ security and risk posture, since you could be affected by their negligence and entangled into one of those 2% or 4% of total revenue fine situations.
There are many other certifications and services that organizations should consider if they are not being done already including ISO 27001/27018 certification and attestation, privacy assessments and vendor risk management services to ensure data processors participate with Privacy Shield requirements and GDPR regulations.
ISO 27001 AND 27018 Certifications are an international security framework for securing information systems. ISO 27001 establishes an Information Security Management System and is an independent verification that your organization meets the ISO 27001 security standard.
ISO 27018 is a compliment to ISO 27001 and specifically focuses on protecting Personally Identifiable Information (PII) transmission and storage in the cloud. For Data Controllers and Data processors, meeting ISO 27018 will provide your organization with a method to establish control objectives, controls and guidelines for implementing measures to protect PII in the cloud in accordance with privacy principles in ISO/IEC 29100.
In Conclusion
The finalized Privacy Shield and the updated EU General Data Protection Regulation will require U.S. Companies to make EU citizen privacy a paramount priority to avoid any ramifications from EU regulations. Contact Coalfire to discuss any of the above information. Where needed we can also pull in our partner law firm to further educate and provide guidance on the updated EU privacy and data changes.
Marshall England, Industry Marketing Director, Technology & Cloud, Coalfire
This past year Unit 42 has seen a resurgence of keylogger activity and it seems like every week a new research blog comes out talking about one of four popular families: KeyBase, iSpy,HawkEye, or PredatorPain. These blogs usually delve into the technical workings of the threats, discuss their relationship to each other, and explain how they evolved from one another through new ownership or branding of the tools. The intent of this blog is not to rehash what has already been discussed, but instead to shift the focus to the actors behind these keylogger threats and show a practical technique for identification.
To be of any value, keyloggers must transmit data back to the attacker. There are three well-established methods for doing this: HTTP, SMTP, and FTP. HTTP transmission usually involves a simple POST request with a body containing the stolen data; however, for SMTP and FTP, more often than not these protocols require authentication to log into a service before transferring the data from the compromised system. This presents a valuable data point, because all of the big four keylogger families embed their credentials inside of their binaries. This further provides an analyst with a remote server address, username, and password for each sample analyzed. Couple this with the increase of keyloggers found in the wild and we find ourselves with a very large data set that can be used for correlation.
By using Palo Alto Networks AutoFocus, I was able to quickly identify 500 recent samples of HawkEye and iSpy, which exhibited either FTP or SMTP activity during dynamic analysis. After downloading the samples and their respective network activity, I parsed out all successful FTP and SMTP activity to build a data set for Maltego. We’ll use these embedded credentials to try to uncover patterns and find actor-identifiable data through our research.
Before getting into the correlation, some general statistics on the data:
207 FTP connections were caught with active credentials, e.g., the malware successfully logged into the FTP server to upload data from our virtual test machines
53 SMTP connections were made with active credentials
37 unique drop destinations were identified for stolen data
96 unique accounts used to log into these drop sites
After collecting all of the data from PCAPs and loading it into Maltego, we can visually see multiple organic clusters standout along the top, which will be the topic for discussion.
Figure 1. Key logger clusters
Actor 01 (“Kramer”)
Starting from right to left, the first cluster shows a heavy concentration of samples communicating with IP address, 108.179.196[.]24. This FTP drop site was the most utilized across our sample set, with 71 unique samples and 18 unique FTP accounts being used to drop data.
Figure 2. The “Kramer” cluster
Looking a little closer, there is a smaller cluster of accounts on the left of the graph that warrants further investigation.
Figure 3. Unique password reuse in the “Kramer” cluster
While all the stolen data being dropped on one FTP server is a solid relational indicator, what’s even stronger is that 14 usernames all used the same password, “joinkrama2”. When you look at the actual accounts as well, we see usernames are formatted like e-mail addresses and some of the local parts of the address get shared across domains. The below list highlights some of these shared local parts across domains in the username. The domains themselves have been truncated.
chekube@her
chima@min
daniel@her
daniel@oma
dubem@sam
golden@sam
okumen@oma
oni@pea
oni@sas
udobata@sam
victor@sam
wizzy@pea
wizzy@sas
This correlation provides strong evidence that the actor behind these accounts is the same. We’re also able to pivot from the unique password to another account hanging off the bottom in the first image, which shares a local name with the above local, “dubem”. The sample in question is also seen dumping key logged data to a separate server at 68.171.217[.]250. Finally, one of the “oni” accounts from the above list was also seen using the password “pereyikelamo2”, which was tied to one other account using the same domain, “atus@sas”.
By following these links we can slowly begin mapping out part of the infrastructure utilized by this actor and collect multiple indicators to identify them.
Top Indicators for Actor 01 “Kramer”:
108.179.196[.]24
68.171.217[.]250
Chimaeze12
LAURINA12
chimaeze12
joinkrama2
pereyikelamo2
pokerdick123
dubem
oni
wizzy
atus
uzochi
Actor 02 (“OpSec”)
The next cluster we’ll take a look at also uses one server and, similar to the previous actor, the usernames take the format of e-mail addresses.
Figure 4. The “Opsec” cluster
Only one domain is used, nayyabgroup[.]com and, as the image above illustrates, each account uses a unique password. For this particular actor, the complexity of their FTP passwords was a good linking indicator, as it deviates from what is seen throughout most of the embedded credentials captured during this analysis.
P!{Xwn{eEV$T
?G34p}b);w
k*wsOH*P]!up
C7,5#dg4X1b?
QsvGK8H9XGJ8
0gZ3I%dmpXi5
The passwords appear to be auto-generated by a tool and might successfully protect against brute force attempts or unauthorized access. While the actor’s password policy appears strong, he or she seems to be disregarding the fact that credentials are embedded in malware that employs plaintext transport mechanisms.
A final indicator to attribute to this actor is the usage of the local name “sirvor” followed by three numbers, for example “sirvor123” – there are four different variants of this across the 11 samples using the FTP server.
Top Indicators for Actor 02 “Opsec”:
243.113[.]211
sirvor
nayyabgroup[.]com
P!{Xwn{eEV$T
?G34p}b);w
k*wsOH*P]!up
C7,5#dg4X1b?
QsvGK8H9XGJ8
0gZ3I%dmpXi5
Actor 03 (“LogAllTheThings”)
For the third cluster, we again have one FTP server being used by the actor to drop their data. However, one unique attribute about this cluster is that the actor is using three different key loggers across 46 samples to dump data here – HawkEye, iSpy (coupled with Galaxy Botkiller), and PredatorPain.
Figure 5. The “LogAllTheThings” cluster
This use of multiple different key loggers could be determined by looking at the file names being stored on the FTP server.
(HawkEye log – 23.229.206[.]201)
(iSpy log – 23.229.206[.]201)
(PredatorPain log – 23.229.206[.]201)
Each of the families has its own unique capabilities and, more importantly, different ways of morphing itself to avoid detection. It’s not surprising to see the usage of more than one type of keylogger by an actor, as actors constantly need to update and change tools to stay ahead of defenders.
At the top right of this cluster you’ll notice eight different accounts all share a common password, “pentium12345”.
Figure 6. Password reuse by multiple accounts
While there were very few unique passwords, all of the credentials identified for this actor used a numeric suffix of either “12345”, “1234”, “123”, or “@@123123”. Similarly, the usernames were again formatted as e-mail addresses and the domain portions were all listed as“@bigcountrywater[.]com”, with seven of the 13 total accounts using “office” somewhere in the local portion. Tying these all together provides a strong indicator to identify this actor.
Top Indicators Actor 03 “LogAllTheThings”:
229.206[.]201
pentium12345
bigcountrywater[.]com
@@123123
Actor 04 (“MailMan”)
Our last cluster in the top left was purely SMTP traffic to the e-mail server at “web.arch[.]ai”, used for transferring HawkEye logged data.
Figure 7. The “MailMan” cluster
As evidenced by the image above, almost every account had a unique username and password. Across the majority of the accounts identified, the passwords were structured to take part of the username (e-mail format) and suffix it with five numbers, usually “12345” or “54321”. For example, if the username was “username@email.com”, the password might be “user54321”, which provided a consistent indicator across the 45 samples identified.
In addition, out of the 20 unique accounts identified sending data to this e-mail server, only two domains in the username field were seen during this analysis, “shamaraholdinq[.]com” and “pmtlogisticsinc.co[.]uk”. A quick WHOIS search for these domains shows the same registrant, based out of Nigeria, with a number of other domains registered that can be used for further pivoting and analysis.
Figure 8. The man behind the mail
Looking at the domains, you can guess the type of phishing activities being carried out by this actor.
Figure 9. Masquerading as US Government sites
Top Indicators Actor 04 “MailMan”:
web.arch[.]ai
shamaraholdinq[.]com
pmtlogisticsinc.co[.]uk
Nelson12345
abacom12345
abuchi12345
abuchi54321
alfred54321
bethel54321
bro54321
compu54321
ebuka12345
humble12345
immortal12345
kaycelaz5
kelechi12345
kunde54321
miraclebaby16
obi12345
opera54321
philip54321
shoki54321
spencer098765
sular54321
sular@54321
Conclusion
In the grand scheme of keylogger activity, this was a small sample set. Despite this, it was enough to highlight that using embedded credentials at scale could be leveraged to gain insight into actor behavior and infrastructure. It’s a practical technique and quickly identified at least four different actors actively utilizing keyloggers to steal data from compromised systems.
It should be obvious, but it’s worth stating: keyloggers aren’t going anywhere and without a doubt they will only continue to evolve like every other type of malware. As this happens and we’re left trying to protect our organizations, sometimes we can get lost in the analysis of minute details between various malware families, so it helps to change perspective now and again and take more of a macro look at the landscape in front of you.
There is always a human element to these threats and, as evidenced throughout this blog and countless others, the people behind these threats can fall prey to the same issues that organizations do – poor operational security.
Palo Alto Networks customers are protected by these various threats through WildFire AV signatures. AutoFocus customers can further research these threats through the below tags.
Below are additional indicators from the discussed sample set, including the ones shown above, that were observed by the malware. Please note that individually, these indicators may not be enough to determine whether something is good or bad, but the combination of multiple indicators can lead to actionable intelligence. Account names will not be included in an effort to prevent any potential abuse from the credential pairs.
Chief information security officers and their teams must lead their organizations into adopting safe business practices. In our increasingly connected world, this goal is more important than ever. Speaking the language of the C-suite and the board, and translating information security into business terms is key for CISO success.
The General Session at this year’s (ISC)² Security Congress will help CISOs chart their paths to successful leadership and cybersecurity practices. “CISO Impact: Driving Security Into the Business” will be presented by Phil Gardner and Stan Dolberg. Both speakers are executives at IANS, an information security advisory and consulting firm: Gardner is founder and chief executive officer, and Dolberg is chief research officer.
The session is based on IANS’s data-driven leadership framework, CISO ImpactTM, based on research with more than 1,000 information security teams, including many (ISC)2 members. The session will take place on Thursday, September 15 from 8:00-9:00 a.m.
Gardner founded IANS in 2001 and currently oversees strategic and operational decisions. He has seven years of service in security with the U.S. Navy as a strike fighter pilot and ordnance requirements officer. He received his B.A. from Harvard University, as well as his MBA from Harvard Business School.
Dolberg has been the chief research officer at IANS since 2015. Before joining the organization, he ran his own consulting firm working with CEOs and boards of technology companies, addressing key questions about markets that affect sales velocity. He received his B.A. from Harvard University and his MBA from the Carroll Graduate School of Management at Boston College.
Along with the General Session, full-conference attendees will have access to more than 90 educational sessions, as well as the exhibit floor, Career Pavilion, and Solutions Theater. This year’s Security Congress event has 11 tracks:
Application Security/Software Assurance
Cloud Security
Forensics
Governance, Regulation and Compliance
Incident Response
Malware
Mobile
People Centric Security
Professional Development
Swiss Army Knife
Threats: Inside & Out
Threat Intelligence
While the first session takes place Monday morning, September 12, (ISC)2 members are invited to attend the annual Town Hall meeting the day before, Sunday, September 11. (ISC)2 leadership, including CEO David Shearer and board members, will be available to answer questions about membership, certifications and more. Questions may be submitted to the panel via email at congress@isc2.org or tweet them to us on Twitter @ISC2Congress (Use #Congress16TownHall).
This year’s (ISC)2 Security Congress will take place in Orlando, Florida at the Orange County Convention Center from September 12-15, 2016. The event will be co-located with the ASIS International 62nd Annual Seminar and Exhibits, once again bringing together operational security and cybersecurity professionals. As the best-value and largest industry event of the year, more than 20,000 professionals from around the world are expected to attend. For more information, or to register to attend, please visit http://congress.isc2.org/.