Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
The Information Technology Industry Council (ITI), which is widely recognized as the global voice of the tech sector, announced that Palo Alto Networks is its newest member. This brings the membership to 61 of the globe’s leading innovation companies.
ITI advocates on behalf of its members for both global and U.S. domestic policies that:
advance the development and use of technology
open access to new and emerging markets
promote e-commerce expansion
drive sustainability and efficiency
enhance the competitiveness of its member companies
Joining ITI gives Palo Alto Networks many opportunities to join the conversations that will expedite the prevention of breaches. To learn more, read the press release here.
Palo Alto Networks researchers have been credited with discovery of new vulnerabilities affecting Adobe Shockwave Player and Microsoft Internet Explorer.
Palo Alto Networks researcher Tongbo Luo discovered a critical vulnerability in Adobe Shockwave Player affecting Shockwave versions 12.1.9.160 and earlier for Windows. The vulnerability and upgrade instructions are detailed by Adobe in a Security Bulletin dated September 8, 2015.
Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 6, 7, 8, 9, 10, and 11. Each is addressed in Microsoft’s September 2015 security update and documented in Microsoft Security Bulletin MS15-094.
By proactively identifying these vulnerabilities, developing protections for our customers, and sharing them with Microsoft and Adobe for patching, we are removing weapons used by attackers to compromise enterprise, government and service provider networks.
Cyberattacks are effectively unstoppable, and people are starting to recognize that. Two things are happening; one is a technical issue and the other is a management issue, and both hold promise. Fundamentally we are in a detection and remediation cycle. The faster that cycle goes, the better you are. Signature-based detection tools are limited, and anomaly-based tools do not remediate in an automated way, so another technical defense is emerging: authenticating transactions using two-factor authentication.
The second is implementing the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). What we are talking about is agencies being able to accept risk and implement the whole Federal Information Security Management Act (FISMA) project effectively. Continuous diagnostics and mitigation cracked the idea that information security was just about checklists, but the problem of implementing the RMF is that you uncover flaws in your operational processes. All organizations, even large companies, have a hard time putting discipline into their organizational processes because people are not used to discipline.
Security Issues
Attackers are smart. They study the defenses of an organization, so no combination of signature-based, detection-based mechanisms and human response can keep them at bay unless it is a security organization. This is a problem for civilian agencies and commercial organizations, since they are not designed to be security organizations. Part of the answer will have to be in the cloud. If the intelligence community establishes a workable cloud model at the high level, it will be propagated to other organizations. Cloud providers can leverage very expensive monitoring, SOC audits and training that agencies cannot afford.
If you assume that code is not securable, then you have to do authenticated transactions underneath the operating system to secure transactions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) and FIDO are initiatives by the US government and industry to secure transactions through stronger identity management. The old argument that this would cause a performance hit is irrelevant when modern performance capability grows at Moore’s law speed. In our economy, the way we deal with inferior products is through the plaintiffs’ bar, except for software, where there is an exemption. If this is our economic model but we exempt software, how do you expect a change to occur?
Views on US Legislation
Legislatively, the update to FISMA was a useful step forward because it codified the risk management framework in the US federal government. It establishes risk management and risk assessment as a primary function, not merely a response to IG audits. The strategic advantage is that agencies have to do risk management. The other big thing is the whole sharing problem, which is the old paradox where those who know will not say and those who say do not know, and everyone has a reason to not say what they know. There is a fundamental issue about how businesses avoid liability problems. I do not think the legal model is in place yet to allow businesses to truly share information with each other while controlling proprietary knowledge. If you have a product, would you like to admit a vulnerability to a competitor? This is a real issue, but no one has figured out how to manage it yet. Perhaps the US executive order setting up the Information Sharing and Analysis Organizations will meet this need. The US Department of Homeland Security (DHS) Information Sharing and Analysis Organizations (ISAO) model is an attempt to crowd-source the security issue. ISAOs will have a common operating environment and culture so they can constitute themselves as information sharing organizations.
Staffing
There are two types of staff. First, there is the staff that manages the SOCs. These are the people who are able to read NetFlow data, understand coding languages and know how to detect and remediate an attack, which is a specialized capability. For most organizations, you do not want that capability on your staff due to cost. These people are too highly qualified and specialized; they need to be leveraged across many organizations, like the cloud model. Your staff has to be very well educated, but they also need to be generalists with business acumen to be able to translate technical information and communicate it to your business owner. Your staff needs to be made up of four parts: incident response, training, certification and authorization, and a security architect. I think if these are properly filled by people with broad-based experience and credentials, with the ability to reach down into the technical staff, then you have a staff that will create a better defense against cyberattacks.
Leo Scanlon, Division Director, IT Security, Office of the Chief Information Officer, US Department of Health and Human Services
The Gh0st malware is a widely used remote administration tool (RAT) that originated in China in the early 2000s. It has been the subject of many analysis reports, including those describing targeted espionage campaigns like Operation Night Dragon and the GhostNet attacks on Tibet. Musical Chairs is a multi-year campaign which recently deployed a new Gh0st variant we’ve named “Piano Gh0st.”
Our evidence suggests the actors behind these attacks have been operating for over five years and have maintained a single command and control server for almost two years. They use compromised e-mail accounts to distribute their malware widely, and their targeting appears opportunistic rather than specific.
The overall motivation of this campaign is unclear at this time. Gh0st is very versatile as it allows an adversary to take complete control over the infected system including installing additional malware.
Tracking the Gh0st
Using Palo Alto Networks AutoFocus we have identified Gh0st variants associated with Musical Chairs dating back to mid-2013. The source code and build tools for Gh0st are freely available on the web; anyone who is so inclined can build their own version of the malware. Researchers differentiate between most variants based on their “magic tag.”
Gh0st uses a custom TCP protocol to connect to a command and control (C2) server and retrieve instructions from the attacker. The malware identifies itself to the server by sending a string of characters (the magic tag), which the server repeats back to confirm the connection (See Figure 1.)
In the original version this string was “Gh0st” but in subsequent versions many different strings are used. These strings, along with the actual location of the command and control server (domain and/or IP address) allow us to associate various Gh0st samples with a single attacker or group. In 2011, Norman released a paper that showed many clusters of Gh0st samples that were connected based on these tags.
Figure 1. Gh0st “magic tag” value sent over custom TCP protocol
Using these tags in the network traffic, the command and control infrastructure and other characteristics of the attacks, we have grouped together a series of attacks into the one campaign, named Musical Chairs.
The functionality of Gh0stRat (3.6) is well documented by multiple sources and is summarized below:
Keylogging
Remote terminal access
Remote audio and video access
File management
Remote file download and execution
Process explorer and additional system enumeration capabilities
GUI interaction (remote control)
Self Update
Restoring the SSDT (System Service Descriptor Table) to remove existing hooks, such as those installed by security products
Spreading the Gh0st
The Gh0st variants used in the Musical Chairs campaign are distributed using phishing e-mails. The threat actors behind the attacks use a “shotgun” approach, blasting e-mails to as many recipients as possible in hopes of tricking a small percentage of targets into opening the attachment. The attackers generally do not rely upon any vulnerability exploitation, and instead rely on the user to open the attached executable to compromise their system. Additionally, the phishing messages are sent from US-based residential ISP e-mail addresses. The accounts themselves appear to be legitimate, and are likely also compromised by this actor. In many cases the phishing e-mails are sent indiscriminately to all e-mail addresses in an infected user’s address book, including “no-reply” addresses a human operator would know to ignore.
Gh0st itself has no built-in e-mailing component, so it is possible that an additional payload is responsible for the propagation via e-mail.
The following list contains known filenames of attachments used in the delivery stage of the Musical Chairs campaign:
“Pleasantly Surprised.exe”
“Beautiful Girls.exe”
“Sexy Girls.exe”
“gift card.exe”
“amazon gift card.pdf.exe”
The subject of the e-mails carrying these files typically matches the filename itself and does not contain any sophisticated attempts at social engineering. The attacks detected thus far by Palo Alto Networks WildFire have been exclusively in the United States and do not appear to target any particular industry.
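The delivery pattern above (an executable attachment whose name imitates a document, such as “amazon gift card.pdf.exe”) is the kind of thing a mail gateway can block without any knowledge of the Gh0st payload. The following added Python example is not code from the report; it screens attachments of a message on three grounds: the lure filenames listed on this page, an executable or double extension, and a PE (“MZ”) header in the content regardless of the claimed name, which catches a renamed executable that a filename rule alone would miss. The sample message is constructed inline and uses only the standard library `email` package.

```python
import email
import email.policy
from email.message import EmailMessage

# Attachment names the report lists for the Musical Chairs delivery stage.
LURE_FILENAMES = {
    "pleasantly surprised.exe", "beautiful girls.exe", "sexy girls.exe",
    "gift card.exe", "amazon gift card.pdf.exe",
}
# Extensions Windows will execute directly when the user double-clicks.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def attachment_verdicts(raw_message: bytes):
    """Return [(filename, reasons)] for every attachment that should be blocked.
    An empty list means no attachment tripped a rule."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        content = part.get_payload(decode=True) or b""
        reasons = []
        if lower in LURE_FILENAMES:
            reasons.append("known Musical Chairs lure filename")
        pieces = lower.split(".")
        if len(pieces) > 1 and "." + pieces[-1] in EXEC_EXTENSIONS:
            reasons.append("executable extension")
            if len(pieces) > 2:
                # e.g. "amazon gift card.pdf.exe": the inner extension is the decoy
                reasons.append("double extension")
        if content[:2] == b"MZ":
            # Content check: a renamed executable still starts with the DOS header
            reasons.append("PE header in content")
        if reasons:
            verdicts.append((name, reasons))
    return verdicts


def build_sample_message(filename: str, content: bytes) -> bytes:
    """Construct a one-attachment test message (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.net"
    m["To"] = "victim@example.org"
    m["Subject"] = filename  # the report notes the subject usually matches the filename
    m.set_content("see attached")
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message("amazon gift card.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16)
    for name, reasons in attachment_verdicts(sample):
        print(name, "->", ", ".join(reasons))
```

The content check matters more than the name list: the lure names will change, but an attacker who wants the user to run a program has to ship a PE, and a gateway that decodes the attachment sees the header whatever the file is called.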
Infrastructure
The infrastructure used in Musical Chairs stands out primarily due to its longevity and the use of multiple Gh0st command servers on the same host. At the center of the infrastructure for the last two years is a Windows Server 2003 host using the IP address 98.126.67.114. The server uses a US-based IP address, but displays a Chinese language interface for Remote Desktop connections.
Figure 2. Chinese language Windows Server 2003 login banner on Gh0st C2
Thus far Unit 42 has identified 32 different Gh0st samples connecting to this server, dating back to July of 2013. The Gh0st C2 software runs on Windows and allows the attacker to specify which port it should listen on for connections from infected systems. The attacker may host multiple Gh0st C2s on this server at one time, or may change the listening TCP port very frequently. The 32 samples we have identified connect to 19 different TCP ports, listed below by the date each sample was first seen.
First Seen    Gh0st TCP Port
7/18/13       10003
9/4/13        10009
9/4/13        10008
9/14/13       10004
10/15/13      10004
11/21/13      20004
11/28/13      20001
1/2/14        40000
1/2/14        40000
1/9/14        20004
1/29/14       10008
3/17/14       30001
4/17/14       8001
4/22/14       8001
7/14/14       10005
8/18/14       8003
9/10/14       9000
9/19/14       9000
10/27/14      10006
2/20/15       9001
3/24/15       600
7/13/15       200
7/15/15       200
7/15/15       200
7/17/15       200
7/21/15       200
7/21/15       201
7/22/15       201
7/29/15       201
8/10/15       203
8/18/15       204
8/20/15       204
While 98.126.67.114 is the longest-standing command and control server, it is not the only server used by Musical Chairs. The malware typically finds this server using a domain registered by the attacker, and the registration information shared by these C2 domains has allowed us to identify additional infrastructure used in these attacks.
Figure 3. Diagram of relationships between Musical Chairs C2 domains and related infrastructure
These related domains put the approximate start date of this campaign in 2010. The earliest versions of the attacks we’ve found are still visible in e-mail groups and public Facebook postings. Figure 4 shows an e-mail with the subject “my girlfriend’s self-view video” that contains a link to an executable hosted on nvzm[.]info, one of the domains associated with the Musical Chairs infrastructure.
Figure 4. Screenshot of e-mail linking to nvzm[.]info using a “self-view video” theme.
The image below shows a Facebook post from 2012 with a similar theme and a different link to a URL that is also part of the same infrastructure map.
Figure 5. Screenshot of Facebook posting including a different “video” theme.
Finally, we located a user who posted to the Gmail Help forum in 2010 requesting assistance with ridding their system of malware. He states that all of his contacts received one of the “self-view” phishing e-mails after his system was compromised.
Figure 6. Screenshot of request on Gmail help forums related to “self-view” video e-mails.
While we have not been able to identify the specific malware used to distribute these earlier spam messages, the infrastructure and the themes used in the e-mails connect them directly to the Musical Chairs activity seen this year.
Piano Gh0st
In July, Musical Chairs began deploying a new variant of Gh0st, which we’ve named “Piano Gh0st.” This variant uses a new wrapper file to hide the Gh0st payload. The files are delivered as a self-extracting executable (SFX) that acts as the dropper. It extracts its payload to “c:\microsoft\lib\ke\Piano.dll” and then executes the “mystart” function from the DLL’s export address table (EAT) using rundll32.exe.
Figure 7. Screenshot of calls observed by Palo Alto Wildfire from within the AutoFocus interface.
The “Piano.dll” file itself has very little functionality other than decrypting, loading and running an embedded DLL. It decrypts the embedded DLL using the Blowfish symmetric cipher with a trivial key consisting of the single character “y”. “Piano.dll” then loads the newly decrypted DLL manually (without the Windows loader) and calls its exported function “mystart”. The decrypted DLL has the following attributes:
Type: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
Size: 148008 bytes
Imphash: 9c01d71c9bf78d231a313c86540e284c
Compiled: 2015-07-14 02:11:32
Exports:
(0x123f0) mystart
This embedded DLL is the actual Gh0stRat Trojan, specifically version 3.6. The following debug path is found within the DLL; the Chinese folder name (桌面, “Desktop”) suggests the individual who compiled this DLL has a Chinese language pack (GB2312 specifically) installed:
C:\Documents and Settings\Administrator\桌面\GetRawInputData_dlll键盘记录版_win7bug改_网络验证_Mutext_LSPlayer_20150708\gh0st3.6\Server\svchost\Release\
The Trojan maintains persistence on the infected system by creating an entry in the registry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value name “nvidiake” and the data “c:\microsoft\lib\ke\vv.js”, as seen in Figure 8.
Figure 8. AutoFocus view of registry key modifications made by Piano Gh0st to maintain persistence through system reboots
The file “vv.js” in the registry key is a simple one-line JavaScript that executes the “vvv.bat” file, as seen in the following:
The ‘vvv.bat’ file is a batch file that executes the Piano.dll payload in the same way as the initial dropper, using “rundll32.exe” to call the “mystart” exported function, as seen in the following:
rundll32.exe c:\microsoft\lib\ke\Piano.dll mystart
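The persistence and execution chain described above (a Run value named “nvidiake” pointing at vv.js, which runs vvv.bat, which has rundll32.exe load Piano.dll and call “mystart”) maps directly onto host telemetry. The following added Python example is not code from the report or from Unit 42; it runs simple detection logic over constructed Sysmon-style events (registry value set and process create) and flags both the exact Piano Gh0st indicators and the generic pattern behind them: a Run key that launches a script file, and rundll32 loading a DLL from outside C:\Windows. The event records, their field names and the SID are constructed for the example.

```python
import re

# Indicators from the report's Piano Gh0st analysis.
IOC_RUN_VALUE = "nvidiake"
IOC_DIR = "c:\\microsoft\\lib\\ke\\"
IOC_EXPORT = "mystart"

# Matches HKCU\...\Run\<value> as well as the HKU\<SID>\...\Run\<value> form Sysmon logs.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
SCRIPT_EXT = (".js", ".bat", ".vbs", ".cmd")
# rundll32 [path\]name.dll[,| ]export   (the export name is optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s]+\.dll)"?(?:[, ]+(\w+))?', re.I)


def check_registry_event(target_object: str, details: str):
    """Findings for a Sysmon EventID 13 style record: the value name is the last
    component of target_object, the written data is in details. [] means clean."""
    findings = []
    if not RUN_KEY_RE.search(target_object):
        return findings
    value_name = target_object.rsplit("\\", 1)[-1].lower()
    data = details.strip().strip('"').lower()
    if value_name == IOC_RUN_VALUE:
        findings.append("run value name matches Piano Gh0st IOC")
    if IOC_DIR in data:
        findings.append("run data points into Piano Gh0st drop directory")
    if data.endswith(SCRIPT_EXT):
        # Legitimate Run entries launch executables, not loose .js/.bat files
        findings.append("run key launches a script file")
    return findings


def check_process_event(command_line: str):
    """Findings for a process-creation command line. A relative DLL path is
    treated as outside C:\\Windows, which errs on the side of alerting."""
    findings = []
    m = RUNDLL_RE.search(command_line)
    if not m:
        return findings
    dll = m.group(1).lower()
    export = (m.group(2) or "").lower()
    if not dll.startswith("c:\\windows\\"):
        findings.append("rundll32 loading DLL outside C:\\Windows")
    if IOC_DIR in dll:
        findings.append("DLL path matches Piano Gh0st drop directory")
    if export == IOC_EXPORT:
        findings.append("export name matches Piano Gh0st IOC")
    return findings


# Constructed sample events (not a real capture): two malicious, two benign.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidiake",
     "details": r"c:\microsoft\lib\ke\vv.js"},
    {"type": "process_create",
     "command_line": r"rundll32.exe c:\microsoft\lib\ke\Piano.dll mystart"},
    {"type": "process_create",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"type": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]


def scan_events(events):
    """Return [(event, findings)] for every event with at least one finding."""
    alerts = []
    for ev in events:
        if ev["type"] == "registry_set":
            f = check_registry_event(ev["target"], ev["details"])
        elif ev["type"] == "process_create":
            f = check_process_event(ev["command_line"])
        else:
            f = []
        if f:
            alerts.append((ev, f))
    return alerts


if __name__ == "__main__":
    for ev, findings in scan_events(SAMPLE_EVENTS):
        print(ev["type"], "->", "; ".join(findings))
```

The two generic rules are the ones worth keeping after this campaign is gone: a Run value whose data is a script, and rundll32 pulling a DLL from a user-writable directory, both stay rare on a managed workstation, while the specific value name, directory and export name will change with the next rebuild of the dropper.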
After setting up the registry entry for persistence, the Gh0stRat sample begins communicating with its command and control server using the custom Gh0st network protocol. The magic tag used by this version of Gh0st is “clarkclar1”, as seen in Figure 9. This variant communicated with a command and control server at the domain www.meitanjiaoyiwang[.]com, which is hosted by 98.126.67.114 on TCP port 200.
Figure 9. Screenshot of Piano Gh0st variant using the “clarkclar1” magic tag.
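The framing described under “Tracking the Gh0st” (the client sends its magic tag and the server repeats it back) and the “clarkclar1” tag used by Piano Gh0st can be checked with the following added Python example. It is not code from the report or from Unit 42. It assumes that the variants keep the well-known Gh0st 3.x packet layout (magic tag, then two little-endian uint32 fields giving the total packet length and the uncompressed length, then a zlib-compressed body) and only change the tag; the sample packet is constructed inline rather than taken from a capture.

```python
import struct
import zlib

# Magic tags: "Gh0st" is the original, "clarkclar1" is the tag the report
# attributes to Piano Gh0st. Matching is by exact prefix, so keep the list
# free of tags that are prefixes of one another.
KNOWN_TAGS = [b"Gh0st", b"clarkclar1"]

# Two little-endian uint32s after the tag: total packet length, uncompressed length.
HEADER_FMT = "<II"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_packet(tag: bytes, payload: bytes) -> bytes:
    """Frame payload the way Gh0st 3.x does: tag || total_len || raw_len || zlib(payload).
    Assumption (see lead-in): variants only swap the tag, not the layout."""
    body = zlib.compress(payload)
    total_len = len(tag) + HEADER_LEN + len(body)
    return tag + struct.pack(HEADER_FMT, total_len, len(payload)) + body


def parse_packet(data: bytes, tags=KNOWN_TAGS):
    """Return (tag, payload) if data is a complete, well-formed packet with a known
    tag, otherwise None. Both length fields are checked so a truncated or forged
    header is rejected instead of producing a misleading partial decode."""
    for tag in tags:
        if not data.startswith(tag):
            continue
        hdr_end = len(tag) + HEADER_LEN
        if len(data) < hdr_end:
            return None
        total_len, raw_len = struct.unpack(HEADER_FMT, data[len(tag):hdr_end])
        if total_len != len(data):
            return None
        try:
            payload = zlib.decompress(data[hdr_end:])
        except zlib.error:
            return None
        if len(payload) != raw_len:
            return None
        return tag, payload
    return None


def handshake_tag(client_to_server: bytes, server_to_client: bytes, tags=KNOWN_TAGS):
    """Model the handshake in the report: the infected host sends its tag and the
    C2 echoes it. Returns the tag when both directions agree, else None, which is
    the condition a network sensor would alert on for a given tag list."""
    for tag in tags:
        if client_to_server.startswith(tag) and server_to_client.startswith(tag):
            return tag
    return None


if __name__ == "__main__":
    # Constructed beacon: 0x65 is just a placeholder command byte, not a real Gh0st opcode.
    pkt = build_packet(b"clarkclar1", b"\x65" + b"sample-host")
    print(parse_packet(pkt))
    print(handshake_tag(pkt, pkt))
```

Matching on the tag alone is what most published Gh0st signatures do, and that is why the Norman clustering described above works; validating the length fields and the zlib body on top of it is what keeps a sensor from alerting on an unrelated protocol that happens to start with the same bytes.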
Detection and Prevention
Palo Alto Networks WildFire detected the Gh0st malware, including the Piano Gh0st variant, as malicious based on the behavior the attack files exhibit on an infected system.
Additionally, we have deployed threat prevention signatures to detect Piano Gh0st alongside our previously deployed signatures for earlier Gh0st variants. AutoFocus users can find more information about this threat using the MusicalChairs tag.
The following indicators identify attacks using Piano Gh0st and the Musical Chairs campaign.
Palo Alto Networks Recognized by TSIA for Outstanding Commitment to Customer Support and Success
On the heels of receiving the 2014 TSIA Star Award for Innovation in the Delivery of Support Services, Palo Alto Networks was again honored by the TSIA when it received a “Rated Outstanding Assisted North America” rating. This distinction recognizes industry leaders in assisted support – including remote phone, email and live chat support – that exhibit best practices as measured by an extensive list of detailed criteria.
To achieve this distinguished certification, Palo Alto Networks participated in a rigorous audit process that evaluated over 160 best practice criteria for delivering industry-leading technical support. The audit was developed by over 50 leading technology companies. Auditors conducted a thorough inspection of Palo Alto Networks support organization at several locations, including our headquarters in Santa Clara, CA, and our offices in Austin, TX and Chennai, India. Audits included listening to support services calls, reviewing procedures, conducting extensive team interviews, and inspecting support outcomes. Following the audits, we are happy to announce that the TSIA has determined that Palo Alto Networks assisted technical support processes exceed industry benchmarks.
Our primary focus at Palo Alto Networks is exceptional customer service and we could not be more proud to receive this distinguished certification from TSIA. Read the full announcement press release here.
Please let me know if you have any comments or questions, or contact me via Twitter anytime at @CicconeScott.