Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in the IT/cybersecurity industry across various sectors and positions.
Security Roundtable is a community designed to share best practices, use cases, and expert advice to guide executives on managing cybersecurity risks. In this article, excerpted below, Scott Kannry, CEO of Axio Global, dives into why attention to detail is key when evaluating cyber insurance.
“My title is not meant to suggest that cyber insurance is flawed. To the contrary; it’s a valuable risk transfer instrument that has performed as advertised in the vast majority of loss situations and often provides policyholders with a gateway to a host of response and mitigation providers that otherwise might be too costly or unavailable when most needed. Most articles questioning the viability of the product are usually centered on denied claims from types of insurance policies that were not designed to cover emerging cyber risks, or written by folks whose knowledge of actual policy language harkens back to earlier generation policies that sometimes contained strict stipulations about maintaining consistent levels of security.
Rather, my title intends to raise awareness that ‘cyber insurance,’ as is commonly offered by the insurance industry, is not an “all-risk” type of policy that covers anything and everything resulting from a cyber event…”
Is your business connected to the Internet for any services? Do you shop online or purchase any products or services online? Are you on Facebook, Twitter, LinkedIn or any other social networking web sites? Do you have a high-end mobile phone and use chat applications such as WhatsApp? If so, cybersecurity is an issue about which you should be concerned.
If you think that you could never be a victim of an attack originating on any of these platforms, you should think twice, because cybercriminals are keenly tracking your identities and researching your shopping behavior, watching what you do online and, ultimately, profiling the very devices through which you are connected to cyberspace. Since you are part of the bigger, interconnected network, you are a potential target of a cyberattack.
If you are thinking to yourself, “What do I possess that will interest a cybercriminal?,” think of it this way: You are targeted, not to steal anything specific, but to possibly build in-roads to a bigger trusted network to which you belong. Once your systems and networks are compromised, it may appear that the cyberattack has originated from your organization while it was actually performed by an invisible cyberattacker from your IP addresses using your system signatures.
Even if your interconnected networks are protected by a firewall or other security measures, a persistent attacker could still closely footprint your activities, e.g., when you have scheduled your next systems and network maintenance, how your users behave with respect to security, or which tools and technologies are deployed in your organization. In many cases, cybercriminals operate in stealth mode for a period of time before attacking. Once inside a network, they quickly adapt to its normal behavior, making it difficult for the existing intrusion detection system to flag them. People are the weakest link, and the one most often targeted by an attacker.
Essentially, every organization in cyberspace has to rethink with whom and how they are connected in cyberspace and prepare for any threats that can appear because of these interconnections. It is possible that something is already in place; it may just need strengthening through anti-hacking measures such as user awareness, firewalls, patch management, incident response, authentication, authorization and other controls.
We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.
The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server, and mine Bitcoin using the victim’s CPUs and GPUs.
There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks have been observed affecting organizations between mid-to-late 2015.
Targeting
Over the past year, we have witnessed PWOBot affecting the following organizations:
Polish national research institution
Polish shipping company
Large Polish retailer
Polish information technology organization
Danish building company
French optical equipment provider
The majority of the PWOBot samples were downloaded from chomikuj.pl, which is a popular Polish file sharing web service. The following unique URLs have been observed providing copies of PWOBot:
Additionally, in one instance the malware was downloaded from http://108.61.167.105/favicon%5B.%5Dpng. This IP address is associated with the tracking.huijang[.]com domain, which was also used by a number of PWOBot samples.
The following filenames were observed being used to deliver PWOBot:
Fizjologia sportu. Krótkie wykłady.exe [Physiology of sports. Short lectures.exe]
As we can see from the filenames used, a number of the PWOBot samples purport to be various software utility programs. In some instances, the Polish language is used for what appears to be a more targeted filename.
It is unclear how this malware was originally delivered to the end-user. Inferences can be made based on the filenames witnessed, as this malware may have been delivered to end-users who believed they were downloading other software. Alternatively, it’s possible that phishing attacks were used in order to entice victims into downloading these files.
Malware Analysis
As originally mentioned, PWOBot is written completely in Python. The attackers leverage PyInstaller to convert this Python code into a Microsoft Windows executable. However, because the underlying code is Python, it could easily be ported to other operating systems, such as Linux or OSX.
Upon initial execution, PWOBot will first uninstall previous versions of PWOBot should they be found. It will query Run registry keys searching for instances of previous versions. The majority of versions use a format of ‘pwo[VERSION]’ for the Run registry key, where [VERSION] is the version number of PWOBot.
Figure 1 PWOBot uninstalling previous versions
After the previous versions are uninstalled, PWOBot will install itself and create a copy of its executable in the following location:
%HOMEPATH%/pwo[VERSION]
It will then set the following registry key to point to this newly copied executable:
If this is the first time the malware is run, PWOBot will execute the newly copied file in a new process.
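The installation steps above give a defender two concrete, host-based indicators: a Run registry value named pwo[VERSION] and an executable dropped under %HOMEPATH%/pwo[VERSION]. The following hunt script is an added example, not Unit 42 code or anything shipped with PWOBot; it encodes only those two indicators. The sample Run values, the home directory and the value name pwo7 with a non-matching path are constructed for illustration, and the live registry reader is a thin winreg wrapper that is skipped on non-Windows hosts.

```python
"""Hunt for PWOBot-style persistence in the HKCU Run key.

Added example (not Unit 42 code). It checks only what the analysis states:
a Run value named 'pwo<VERSION>' and an executable at %HOMEPATH%/pwo<VERSION>.
"""
import os
import re
import sys
from typing import Dict, List

# Run value name format described in the analysis: 'pwo' followed by a version number.
PWO_NAME_RE = re.compile(r"^pwo(\d+)$", re.IGNORECASE)


def _normalize(path: str) -> str:
    # Strip quotes, use forward slashes and lower case so Windows paths compare on any host.
    p = path.strip().strip('"').replace("\\", "/")
    return os.path.normpath(p).lower()


def _executable_from_command(command: str) -> str:
    # First token of the command line is the executable; it may be quoted.
    # Unquoted paths containing spaces are truncated (acceptable for a hunt).
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def find_pwobot_run_entries(run_values: Dict[str, str], home_path: str) -> List[dict]:
    """Return a finding for every Run value whose name matches 'pwo<VERSION>'.

    run_values maps Run value name -> command line as stored in the registry.
    Each finding also records whether the executable sits at or under
    %HOMEPATH%/pwo<VERSION>, the drop location described in the analysis.
    """
    findings = []
    for name, command in run_values.items():
        m = PWO_NAME_RE.match(name)
        if not m:
            continue
        version = m.group(1)
        exe = _executable_from_command(command)
        exe_norm = _normalize(exe)
        expected = _normalize(os.path.join(home_path, f"pwo{version}"))
        in_drop_dir = exe_norm == expected or exe_norm.startswith(expected + "/")
        findings.append({
            "run_value": name,
            "version": version,
            "executable": exe,
            "in_expected_drop_location": in_drop_dir,
        })
    return findings


def read_run_values_windows() -> Dict[str, str]:
    """Read HKCU\\...\\Run values on a live Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values: Dict[str, str] = {}
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been enumerated
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample of HKCU Run values, as a defender might export them.
SAMPLE_RUN_VALUES = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "pwo12": '"C:\\Users\\alice\\pwo12\\pwo12.exe"',
    "pwo9": "C:\\Users\\alice\\pwo9\\update.exe --quiet",
    "pwo7": "C:\\ProgramData\\tools\\helper.exe",  # name matches, path does not (constructed)
}
SAMPLE_HOME = "C:\\Users\\alice"  # constructed stand-in for %HOMEPATH%

if __name__ == "__main__":
    live = read_run_values_windows()
    run_values = live or SAMPLE_RUN_VALUES
    home = os.path.expanduser("~") if live else SAMPLE_HOME
    for finding in find_pwobot_run_entries(run_values, home):
        print(finding)
```

Because PWOBot uninstalls earlier versions before installing itself, a clean infection normally leaves a single pwo[VERSION] value; the sample deliberately contains several so that both the name match and the path check are exercised. A name match whose path falls outside %HOMEPATH%/pwo[VERSION] (pwo7 above) is still reported, since the value name alone is the stronger of the two indicators.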
After installation completes, PWOBot will hook various keyboard and mouse events, which will be used for subsequent keylogging activities. PWOBot is written in a modular fashion, allowing the attacker to include various modules during runtime. Based on the number of samples currently identified, the following services and their accompanying descriptions have been observed being included with PWOBot:
PWOLauncher : Download/execute file, or execute local file
PWOHTTPD : Spawn an HTTP server on the victim machine
PWOKeyLogger : Log keystrokes on the victim machine
PWOMiner : Mine bitcoins using the victim CPU/GPU
PWOPyExec : Execute Python code
PWOQuery : Query remote URL and return results
PWOBot also is equipped with two configuration files, one of which specifies various settings the malware should use, while another specifies what remote servers PWOBot should connect to during execution.
Figure 2 PWOBot settings configuration
Figure 3 PWOBot remote server configuration
As is visible in the settings configuration (Figure 2), PWOBot bundles several Windows executables that are included when the attackers compile the code using PyInstaller. These executables are used to perform Bitcoin mining and to proxy requests via Tor. The Bitcoin miner is a compiled version of minerd and cgminer, which are used for CPU and GPU mining respectively.
PWOBot also makes use of Tor to tunnel all traffic to the attacker’s remote server(s). While this provides both encryption and anonymity, it also should raise alerts to an organization’s network administrators if viewed, as such traffic likely violates said organization’s policies.
PWOBot uses a Python dictionary as its network protocol. At a configured interval, PWOBot sends a notification message to the remote server. An example of this notification can be seen below:
Enumerations are configured to represent the various numbers encountered in the previous example. Once those numbers are replaced with their respective enumeration names, we see a more complete picture of what data is being sent.
After notifications are sent, the attacker may opt to provide a command instructing PWOBot to perform one of the previously defined services. Results from said actions are then uploaded to the attacker using the same format.
In total, 12 variants of PWOBot appear to exist, based on the latest versions identified by Palo Alto Networks Unit 42. Of the 12 versions, we have witnessed versions five, six, seven, nine, 10, and 12 in the wild. Changes between versions appear minimal and are likely performance improvements.
Conclusion
PWOBot is interesting as a malware family because it is written entirely in Python. While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems. That fact, coupled with a modular design, makes PWOBot a potentially significant threat.
This malware family has not previously been publicly disclosed. It has so far been witnessed affecting a number of European organizations.
Palo Alto Networks customers are protected from this threat in the following ways:
All PWOBot samples are properly categorized as malicious by the WildFire service.
Domains related to the PWOBot threat have been appropriately categorized as malicious.
AutoFocus customers may use the PWOBot tag to monitor this threat.
For a list of SHA256 hashes of PWOBot, please refer to the following file.
Panorama provides streamlined management, great visibility and excellent rule management across distributed networks of next-generation firewalls.
When deploying their network security management solutions, most customers deploy them in a way that is optimized for their current situation without consideration of future company or traffic growth. It is, however, critically important to plan a Panorama deployment strategically to optimize processing speeds and logging capacity/retention, as well as availability.
For example, deploying Panorama as a Virtual Machine (VM) makes a lot of sense for smaller companies that do not have to manage many logs or firewalls. However, adding just one or two more firewalls to your distributed network may overload the VM with the number of logs being generated. A small step such as adding a dedicated management appliance or a log collector can ensure that log ingestion and retention do not reach their limits and that processing speeds are not impacted.
Thanks to the flexible deployment options of Panorama, you can ensure you maximize the performance of your network security management solution by adding dedicated management appliances and log collectors, or deploying Panorama in High Availability (HA) pairs.
Learn more about Panorama by downloading the datasheet.
Thanks for reading my series on maximizing your Panorama deployment. If you have additional questions or suggestions for future topics, leave a comment for me below.
Cloud computing is transforming the world of information technology before our eyes. Less than a decade ago, IT teams focused most of their time on building enterprise data centers, managing capacity and building custom applications.
Today, times have changed and many organizations are now shifting their focus toward the cloud, moving to a world where automation and integration dominate, and enterprises purchase much of their computing as a service from a number of different providers.
This shift toward the cloud doesn’t only change the world of developers and engineers, it also dramatically affects the work of information security professionals. In the world of cloud computing, assessments rise in importance and contract language becomes as significant a security control as the configuration of the enterprise firewall.
As security professionals seek to reinvent themselves as cloud security experts, they must gain new knowledge and skills and may wish to pursue professional certifications that help them demonstrate this aptitude to current and potential employers.
Security in the Cloud
Perhaps the most fundamental security difference between the old world of on-premises enterprise IT and the new world of cloud computing lies in the degree of dependence that organizations place in their vendors. Certainly, IT organizations have always relied upon vendors to provide hardware, software and services and those vendors have played a key role in enterprise security.
Even in a completely on-premises model, a security flaw in a vendor-supplied product can have dramatic security implications that open holes for an attacker to exploit. In a cloud model, those dependencies grow larger as organizations call upon vendors to provide services in a more active fashion.
The shared responsibility model is the key to understanding cloud computing security. Both vendors and their customers must take responsibility for different elements of security and that division of responsibility depends upon the scope of services provided by the vendor and the agreement between the vendor and its customers.
For example, an infrastructure-as-a-service (IaaS) vendor offering virtualized servers to its customers is typically responsible for providing physical security in their data centers. The vendor is expected to manage network security, and secure both the hardware underlying the servers and the hypervisor that separates virtual instances from each other.
Customers configure the operating system, install applications, manage firewall rules and manipulate their own data. Therefore, the security of those components remains a customer responsibility.
In a software-as-a-service (SaaS) model, on the other hand, the burden of responsibility swings more heavily in the vendor’s direction. The vendor manages all of the servers as well as the application, assuming responsibility for almost the entire security stack. That said, customers may still manage application security settings and control the flow of sensitive information into the application.
As you move services to the cloud, the most important security concern you should have is a clear and documented understanding of the shared responsibility model. You should clearly articulate your security requirements, perhaps drawing this information from the requirements you use for on-premises environments.
Next, you should work with vendors to spell out the technical, physical and administrative controls that satisfy each objective and state who is responsible for the implementation, configuration, operation and verification of each control.
Preparing Yourself for the Cloud
It’s not just organizations that need to reinvent themselves for the cloud. It certainly is true that technologies and business processes will change as we move toward a cloud-centric computing environment.
Those changes will also require a shift in the individuals performing technology-related functions in those organizations, including information security. Current security professionals will need to update their skills to cover the emerging world of cloud computing.
In a cloud-focused world, security professionals must work closely with internal and external customers and suppliers to ensure that security follows the organization’s data wherever it flows or resides. Key skills for cloud security professionals include vendor relations, contract negotiations, security assessments, cloud platform operation and cloud application security.
In addition, cloud security professionals will need to have a deep understanding of the security services provided by their organization’s slate of cloud vendors, and understand how to manipulate those services to achieve the organization’s security goals.
If you’re hoping to reinvent your career as a cloud security specialist, then you may wish to consider earning a cloud-focused information security certification, such as the Certified Cloud Security Professional (CCSP) certification available as a joint partnership between (ISC)² and the Cloud Security Alliance (CSA).
These two organizations, known for providing some of the premier information security certifications available today, partnered to provide an advanced certification that requires a combination of advanced knowledge and practical, hands-on work experience that complements the other certifications they offer.
The Certified Information Systems Security Professional (CISSP) certification offered by (ISC)² is already considered the gold standard certification in the information security field. It covers an extremely broad range of material and only touches on cloud computing topics.
CISSP holders who wish to focus on cloud security may wish to supplement their existing certification with the CCSP as a specialized credential. The good news is that CISSPs already meet the CCSP’s five-year work experience requirement.
The Certificate of Cloud Security Knowledge (CCSK) certification offered by CSA is more of a foundational certification that focuses on a candidate’s mastery of the CSA’s cloud security guidance and has no work experience requirement.
Earning CCSK can smooth your path to CCSP by checking off a portion of the CCSP professional experience prerequisite. If you’re a practicing information security professional, you are probably better off earning the CCSP credential, either as a stand-alone certification or as a complement to the CISSP.
As enterprises continue to move applications, data and infrastructure to the cloud, they will increasingly require the services of information security professionals skilled in securing cloud computing environments.
Building out your skills in the realm of cloud computing and demonstrating those skills by earning the CCSP credential will position you well to take advantage of this trend and find interesting and lucrative employment opportunities.
Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.