Dridex is Back and Targeting the UK

After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today.  Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks AutoFocus platform, we identified samples associated with this resurgence.

Malware

True to form, the Dridex crew continues to utilize Microsoft Word Doc files with embedded macros, just as they did at the start of 2015. The Bartalex kit, a favorite of various cybercriminals, constructs these macros to deliver their malicious payload. When a user opens the malicious document, the macro code reaches out to a URL and downloads the Dridex executable. We identified the following associated Microsoft Word Doc files and URLs from today’s campaign:

SHA256: 2a12822134b4c3f1396212e04bc462fdf23082a55fdbc15e91722d07d54fd4b2

Payload: http://www.norlabs[.]de/123/1111.exe

SHA256: c1e8fce5b72da6f2ce43920ca9e6574750f7e994c51f6084e90c115fe9d2b804

Payload: http://www.ifdcsanluis.edu[.]ar/123/1111.exe

SHA256: a6cfcf501aeaa319b576af713fef10e227775e59e82224d1182d309be5dc80bd

Payload: hobby-hangar[.]net/123/1111.exe

SHA256: 761b17c4f926c403813b5c2c4c79f3d64c3b5d5a96e841e454fd5791e56f67db

Payload: zahnrad-ruger[.]de/123/1111.exe

SHA256: 436c99c88ea0a7312f3d60b127d0735e4698599b2f83b4df3a1dc67764235256

Payload: miastolomza[.]pl/123/1111.exe

The 1111.exe payload for each of these DOC files corresponds to the following file:

SHA256: a497de7f2488f093aa74562695a2ce705cbddbd2c4a357f5c785f23ea7450f43

As of today, only 17 out of the 56 VirusTotal Anti-Virus (AV) scanners recognize the Doc files associated with this resurgence as malicious, and only two recognize the associated implant. The Palo Alto Networks AutoFocus platform correctly identifies all components of this threat under the Unit 42 Dridex tag.

Targeting and Delivery

Our analysis revealed that this return of Dridex is heavily targeted at the United Kingdom (UK).

AutoFocus map of today’s Dridex targets

Dynamoo’s Blog (Conrad Longmore) posted an example of one of this latest series of Dridex phishing messages. The malicious Doc files that we identified all employ a similar order theme in their naming convention (e.g., “Order-SO00653333-1.doc”), requesting that the recipient print out the attachment. While this phishing lure is not particularly sophisticated, it remains surprisingly effective for fulfilling the malicious actor’s objective.

Conclusion

Cybercriminals – especially those that have established prosperity and longevity – will continue to present threats to enterprises and home users alike, despite any setbacks as a result of arrests or other operational challenges. Even though key players in the Dridex crew may have been removed from the equation for the time being, the organization that they leave behind could very well remain viable; alternatively, other criminal groups are always waiting in the wings to assume control of certain endeavors should a vacuum or opportunity present itself. The October 2015 resurgence of Dridex is an example of how these threats continue to adapt and evolve.

Indicators

Category   Type     Value
Delivery   SHA256   2a12822134b4c3f1396212e04bc462fdf23082a55fdbc15e91722d07d54fd4b2
Delivery   SHA256   c1e8fce5b72da6f2ce43920ca9e6574750f7e994c51f6084e90c115fe9d2b804
Delivery   SHA256   a6cfcf501aeaa319b576af713fef10e227775e59e82224d1182d309be5dc80bd
Delivery   SHA256   761b17c4f926c403813b5c2c4c79f3d64c3b5d5a96e841e454fd5791e56f67db
Delivery   SHA256   436c99c88ea0a7312f3d60b127d0735e4698599b2f83b4df3a1dc67764235256
Implant    SHA256   a497de7f2488f093aa74562695a2ce705cbddbd2c4a357f5c785f23ea7450f43
Download   URL      http://www.norlabs[.]de/123/1111.exe
Download   URL      http://www.ifdcsanluis.edu[.]ar/123/1111.exe
Download   URL      hobby-hangar[.]net/123/1111.exe
Download   URL      zahnrad-ruger[.]de/123/1111.exe
Download   URL      miastolomza[.]pl/123/1111.exe
C2         IP       136.243.237.218
C2         IP       66.171.247.166
C2         IP       88.151.246.80
C2         IP       195.251.250.37
C2         IP       82.118.24.167
C2         IP       92.51.129.33
C2         IP       198.61.187.234
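The indicators above are most useful once they are turned into a sweep over existing telemetry. The script below is an added example, not Unit 42's or Palo Alto Networks' tooling: it parses the post's indicator table as published (URLs defanged with [.]), refangs it, and matches it against a constructed proxy access log, a constructed firewall connection log and a constructed mail-gateway attachment inventory. The log formats, client addresses, the attachment file names and the non-indicator hosts and IPs are all made up for the example. Exact URL matches are reported as Download hits; because every payload URL in the post shares the /123/1111.exe path, an unlisted host serving that same path is reported separately as a lower-confidence Suspect-path hit.

```python
"""Sweep constructed logs for the Dridex indicators published in the post above.

Added example (not Unit 42 code). Indicator values come from the post's table;
every log line, file name, client address and non-indicator host is constructed.
"""
import re
from dataclasses import dataclass

# Indicator table copied from the post, defanged exactly as published.
IOC_TABLE = """\
Delivery SHA256 2a12822134b4c3f1396212e04bc462fdf23082a55fdbc15e91722d07d54fd4b2
Delivery SHA256 c1e8fce5b72da6f2ce43920ca9e6574750f7e994c51f6084e90c115fe9d2b804
Delivery SHA256 a6cfcf501aeaa319b576af713fef10e227775e59e82224d1182d309be5dc80bd
Delivery SHA256 761b17c4f926c403813b5c2c4c79f3d64c3b5d5a96e841e454fd5791e56f67db
Delivery SHA256 436c99c88ea0a7312f3d60b127d0735e4698599b2f83b4df3a1dc67764235256
Implant SHA256 a497de7f2488f093aa74562695a2ce705cbddbd2c4a357f5c785f23ea7450f43
Download URL http://www.norlabs[.]de/123/1111.exe
Download URL http://www.ifdcsanluis.edu[.]ar/123/1111.exe
Download URL hobby-hangar[.]net/123/1111.exe
Download URL zahnrad-ruger[.]de/123/1111.exe
Download URL miastolomza[.]pl/123/1111.exe
C2 IP 136.243.237.218
C2 IP 66.171.247.166
C2 IP 88.151.246.80
C2 IP 195.251.250.37
C2 IP 82.118.24.167
C2 IP 92.51.129.33
C2 IP 198.61.187.234
"""

# Path shared by all five payload URLs in the post; used as a weaker signal.
PAYLOAD_PATH = "/123/1111.exe"

# Constructed sample telemetry (not from the post).
PROXY_LOG = """\
2015-10-01T09:12:03Z 10.0.0.21 GET http://www.norlabs.de/123/1111.exe 200
2015-10-01T09:13:44Z 10.0.0.34 GET http://intranet.example/index.html 200
2015-10-01T09:15:10Z 10.0.0.34 GET http://unlisted-host.example/123/1111.exe 200
"""
FIREWALL_LOG = """\
2015-10-01T09:12:30Z src=10.0.0.21 dst=136.243.237.218 dport=443 action=allow
2015-10-01T09:12:31Z src=10.0.0.21 dst=198.51.100.7 dport=443 action=allow
"""
ATTACHMENTS = [  # (constructed file name, sha256 as reported by the mail gateway)
    ("Order-SO00000001-1.doc", "2A12822134B4C3F1396212E04BC462FDF23082A55FDBC15E91722D07D54FD4B2"),
    ("invoice.pdf", "0" * 64),
]


@dataclass(frozen=True)
class Match:
    category: str   # indicator category from the table, or Suspect-path
    ioc_type: str   # SHA256, URL or IP
    value: str      # the (refanged, normalized) indicator that matched
    evidence: str   # the log line or file name that produced the match


def refang(value):
    """Turn the published '[.]' defanging back into a real dot for matching."""
    return value.replace("[.]", ".")


def parse_ioc_table(text):
    """Return {ioc_type: {(category, refanged_value), ...}} from the table text."""
    iocs = {}
    for line in text.strip().splitlines():
        category, ioc_type, value = line.split(maxsplit=2)
        iocs.setdefault(ioc_type, set()).add((category, refang(value)))
    return iocs


def normalize_url(url):
    """Lowercase and drop the scheme so 'http://host/p' and 'host/p' compare equal."""
    return re.sub(r"^[a-z]+://", "", url.strip().lower())


def sweep_hashes(attachments, iocs):
    known = {v.lower(): cat for cat, v in iocs.get("SHA256", ())}
    return [Match(known[h.lower()], "SHA256", h.lower(), name)
            for name, h in attachments if h.lower() in known]


def sweep_proxy(log, iocs):
    known_urls = {normalize_url(v) for _, v in iocs.get("URL", ())}
    matches = []
    for line in log.strip().splitlines():
        _ts, _client, _method, url, _status = line.split()
        norm = normalize_url(url)
        if norm in known_urls:
            matches.append(Match("Download", "URL", norm, line))
        elif norm.endswith(PAYLOAD_PATH):
            matches.append(Match("Suspect-path", "URL", norm, line))
    return matches


def sweep_firewall(log, iocs):
    c2 = {v for _, v in iocs.get("IP", ())}
    matches = []
    for line in log.strip().splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("dst") in c2:
            matches.append(Match("C2", "IP", fields["dst"], line))
    return matches


def run_sweep():
    """Run all three sweeps over the constructed telemetry and return the hits."""
    iocs = parse_ioc_table(IOC_TABLE)
    return (sweep_hashes(ATTACHMENTS, iocs)
            + sweep_proxy(PROXY_LOG, iocs)
            + sweep_firewall(FIREWALL_LOG, iocs))


if __name__ == "__main__":
    for m in run_sweep():
        print(f"[{m.category}] {m.ioc_type} {m.value}  <- {m.evidence}")
```

Swapping IOC_TABLE for a newer indicator feed and the three constructed inputs for real exports is the only change needed to reuse the sweep; keeping the defanged text verbatim and refanging at parse time avoids transcription errors when indicators are copied from a report.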


[Palo Alto Networks Blog]

Two Distinguished Military and Intelligence Officials Join Palo Alto Networks

Earlier this week we added two new members to the team: retired U.S. Army Major General John Davis and Sir Iain Lobban. We’re honored two decorated military and intelligence leaders have joined Palo Alto Networks, and we’re confident they’ll bring their decades of experience to further enhance the company’s cybersecurity strategy and global policy expertise.

Retired U.S. Army Major General John Davis joins us from the Department of Defense and will serve as Vice President and Federal Chief Security Officer (CSO) here at Palo Alto Networks. His responsibilities include expanding cybersecurity initiatives and global policy for the international public sector and assisting governments around the world in successfully preventing cybersecurity attacks. He left the Pentagon in May 2015 as the Senior Military Advisor for Cyber to the Under Secretary of Defense for Policy and served as the Acting Deputy Assistant Secretary of Defense for Cyber Policy. Prior to this assignment, Davis served in multiple leadership positions in special operations, information operations, and cyber, earning multiple military decorations.  We’re honored he’s joined the team and confident his decades of experience will further enhance our cybersecurity strategy and global policy expertise.

Sir Iain Lobban has joined the Palo Alto Networks Public Sector Advisory Council, which serves as a sounding board for the Palo Alto Networks roadmap and vision for the needs of the international public sector, as well as strategy and policy relevant to global cybersecurity.  An internationally respected leader, he was the Director of Government Communications Headquarters (GCHQ) in the United Kingdom from 2008 to 2014, having served as the Director General of Operations from 2004 to 2008.  This is where Lobban pioneered an integrated service of intelligence and security.  A partner and senior strategy adviser at C5 Holdings, he is also on the Board Financial Crime Risk Committee at Standard Chartered Bank.

These distinguished public servants will be tremendous allies in our efforts to prevent cyberattacks around the world. Welcome to the team!

[Palo Alto Networks Blog]

Book Reviews: Auditing Cloud Computing

Ben Halpert | Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP

Auditing Cloud Computing offers an independent supplement to Security Considerations for Cloud Computing, part of ISACA’s Cloud Computing Vision Series, which provides guidance to the auditor on how to help IT and business professionals who are considering the possibility of moving to the cloud.

Besides the generic approach to minimizing risk to the organization through a careful review of the contract, supporting appendices and service level agreements (SLAs), and white papers published by the cloud provider, Auditing Cloud Computing recommends that the auditor supplement the review by first identifying the type of cloud that is being contracted. The author suggests that the auditor’s approach cover:

  • Cloud-based governance of enterprise IT (GEIT)
  • Cloud-based IT service delivery and support
  • System and infrastructure life cycle management for the cloud
  • Global regulation and cloud computing
  • Business continuity and disaster recovery

Specifically, Auditing Cloud Computing points to risk related to cloud computing, which enables readers to do a deep dive on business continuity processing for the application. The book further emphasizes the importance of questions on where the data are located, given that business is of a global nature and many countries have their own data privacy requirements. The book recommends that the auditor not shy away from hard questions and ask the questions that matter (e.g., Does the provider regularly back up all data to tape and store it offsite? Can the customer approve any maintenance, updates or changes?). There are usage scenarios to be considered within the context of the cloud that the auditor has to ask as part of due diligence (e.g., When the organization wants to move away from this cloud service, how does it deprovision and transition assets out of the cloud vendor to another location for another context?).

The auditor needs to view the venture and IT risk from a business point of view, not just as boxes on a checklist. Some questions to ask are obvious, such as those regarding the risk to the enterprise if the vendor were to go bankrupt or not be able to continue servicing the client. But high-level business and control questions grouped around categories of governance need to be asked as well. The book also recommends that the checklist the auditor uses to guide the review not be locked in to a style of cloud, deployment model or type of customer. The auditor must have the vision and perform due diligence to ask questions that may not have an answer, and enterprises should be cautious of the questions for which there is no answer.

The book provides an overview of cloud deployment models and other cloud concepts so that the reader has a proper foundation on cloud basics. It does not require that readers have an understanding of cloud computing concepts. The book also provides real-life scenarios that auditors may encounter. Auditing Cloud Computing serves as a practical guide that can apply to other cloud possibilities that any employer may consider.

Editor’s Note

Auditing Cloud Computing: A Security and Privacy Guide is available from the ISACA Bookstore. For more information, visit www.isaca.org/bookstore, email bookstore@isaca.org or telephone +1.847.660.5650.

Reviewed by Larry Marks, CISA, CISM, CGEIT, CRISC, CFE, CISSP, CSTE, ITIL, PMP, who has extensive experience in implementing IT processes, policies and technology regarding internal controls and information security in the financial services, insurance, health care and telecommunications industries.

[ISACA Journal]

Book Reviews: Computer Security Handbook, 6th Edition

Seymour Bosworth, Michel E. Kabay and Eric Whyne | Reviewed by Dino Ippoliti, CISA, CISM

Many students and young professionals want to know which topics they should master in the information security field. The answer is contained in the two volumes of the Computer Security Handbook, which has 75 chapters, written by industry professionals. The sixth edition provides an update to the content of each chapter while maintaining the structure of the previous edition, which was released in 2009.

The book covers the 10 domains of the Common Body of Knowledge by the International Information Systems Security Certification Consortium, Inc., (ISC)2. It is divided into eight parts, starting with the foundations of computer security and going from the typical security life cycle to the identification of preventive measures, which may be both technical and organizational. In case preventive measures have been bypassed or breached, readers can focus on the sections about detecting security breaches and preparing for response and remediation. The handbook also covers management’s role in security, public policy and other related considerations. Because of the way this book is written, understanding these topics requires minimal technical knowledge.

In the era of Wikipedia and Google, one might ask whether there is any need for a reference work such as this book. Indeed, it is possible to get an overview of most of the topics mentioned in this book, including biometric authentication or business continuity planning, just by surfing the Internet, but it might be a bit harder to find comprehensive articles on issues such as using social psychology to implement security policy or other complex topics covered by this book.

One shortcoming of this handbook is that it tends to focus primarily on US laws, regulations and standards (e.g., US legal and regulatory security issues, working with law enforcement). However, it does provide some coverage of the European legal framework. Another shortcoming is that for some topics, readers may need to jump from chapter to chapter to get a full understanding of the subject. This happens, for instance, with discussions on operating systems such as Microsoft Windows or Unix. To facilitate this process, readers can refer to the index at the end of volume 2.

In a business world where security professionals are required to master—in breadth and in depth—a wide range of security-related technologies, methodologies and techniques, having a sound and trustworthy point of reference to guide them through the variety of topics and expertise required is essential. Computer Security Handbook, with its more than 2,000 pages and abundance of referential material, is just the right book for the job.

Editor’s Note

Computer Security Handbook, 6th Edition is available from the ISACA Bookstore. For information, visit www.isaca.org/bookstore, email bookstore@isaca.org or telephone +1.847.660.5650.

Reviewed by Dino Ippoliti, CISA, CISM, an expert consultant at inspearit. He has been a practitioner in information and computer security, IT system auditing, and software and system engineering process improvement for more than 17 years in multiple industries. Ippoliti is a member of the ISACA Publications Subcommittee and a mentor in ISACA’s Pilot Mentoring Program.

[ISACA Journal]

“When It Comes to Network Security, Washington Should…”

How much should the U.S. government be involved in securing midmarket enterprises? It was one of several hot topics during this week’s “Accelerating America’s Middle Market” conference in Washington DC, hosted by The Wall Street Journal.

Scott Stevens, Palo Alto Networks VP, Technology and Worldwide Systems Engineering, was part of a panel titled “Can Cybersecurity Be Fixed?” alongside Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator at the White House. Among discussions over private-public sector collaboration in cybersecurity and how midmarket companies should prioritize cyber investments, Scott was pressed on how those organizations should re-architect security to meet the challenge of today’s sophisticated cyber threats.

“We all got comfortable, but what we have been doing is no longer working,” said Scott, describing how a poorly automated, point product approach to securing networks and endpoints has stymied our collective efforts to thwart cyber attackers. “Attackers are automated. Why are we fighting them with all these manual processes?”

Scott also highlighted the need for better information sharing and collaboration among peers in security. Attackers are organized, he explained.

“They don’t do it because they like each other,” he said. “They share techniques.”

Check out some photos from The Wall Street Journal event below, and learn more about Palo Alto Networks next-generation security platform here.

Left to right: John Bussey, Associate Editor from the WSJ; Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator at the White House; and Scott Stevens, Palo Alto Networks VP, Technology and Worldwide Systems Engineering

[Palo Alto Networks Blog]
