Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Unknown network traffic and the increasing volume of cyber threats carry enormous risks for organizations. The ability to detect unknown threats systematically, alert administrators effectively and prevent a successful attack defines the effectiveness of your security deployment.
While many security deployments, including unified threat management (UTM) appliances, can detect unknown threats, there are vast differences in the ways security deployments handle unknown traffic and threats to protect their customers — especially when it comes to making administrators aware of critical threats.
Most security teams are overwhelmed with the amount of data produced by security deployments. Having so many alerts means critical information is frequently hidden in mountains of less important data. As a result, it often takes too long to respond to alerts on critical threats.
Here are key questions to ask of your security deployment to determine its effectiveness in handling unknown threats:
How is unknown traffic determined, and analyzed?
The Palo Alto Networks Next-Generation Security Platform is able to identify all applications, connect them with user names and analyze content. These three critical pieces of information provide powerful information to set effective security policy and prevent attacks.
How does the network protect against unknown threats?
Palo Alto Networks WildFire is used to analyze unknown traffic and threats to provide categorization and protection – analysis that makes it one of the most powerful methods of detecting unknown threats. Every week, WildFire analyzes more than 20 million malware samples and identifies more than 200,000 unique new threats. These updates are protecting many customers within 15 minutes of detection.
How is critical threat information prioritized and displayed?
Automated confirmation of compromised hosts across your entire network of Palo Alto Networks Next-Generation Firewalls happens with the automated correlation engine, which can make logical connections between indicators of compromise. The automated correlation engine alerts administrators immediately if a compromised host has been detected. This significantly reduces the manual data mining needed to discover critical threats.
Actionable network and threat information is displayed in a highly visual, interactive and customizable user interface, called the ACC (Application Command Center) that enables the user to get answers to critical questions with just a few clicks for quick response.
On July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on the website of a well-known aerospace firm. The website was compromised to launch an apparent watering-hole attack against the company’s customers. It was hosting an Adobe Flash exploit targeting one of the newly disclosed vulnerabilities from the Hacking Team data breach, CVE-2015-5122.
This attack yet again showcases the opportunistic tendencies of adversary groups and bad actors. The malware deployed by this exploit has been seen in a number of targeted attacks and provides attackers with a foothold on the victim’s machine and/or network.
The exploit file, movie.swf, was ZWS compressed, a tactic that has been observed to evade anti-virus programs. Once uncompressed, a binary was found to be embedded in the Flash file. Upon further analysis, this file was found to contain behavior consistent with a Trojan commonly called IsSpace. Based on its codebase and behavioral patterns, it appears that IsSpace could possibly be an evolution of the NFlog backdoor, which has previously been attributed to the adversary groups DragonOK and Moafee. Both groups are thought to be operating out of Southeast Asia, and Moafee in particular has been associated with attacks on the US defense industrial base.
Exploit Details
The CVE-2015-5122 exploit found within the Flash file is nearly identical to the original proof of concept (POC) disclosed publicly from the Hacking Team data breach. An analysis by Trend Micro covers the POC in detail. Unlike the POC mentioned in the Trend Micro report, this particular exploit file was weaponized, and, instead of loading calc.exe, a much more malicious file was loaded. As seen in Figure 1, the embedded shellcode is obfuscated using the same technique of representing bytes as integers and exponential numbers. However, it appears that the adversary did not modify the POC much, as the variable name ‘calc’ remains unchanged.
Figure 1. Embedded shellcode within the malicious Flash file
These values can be converted into their byte representations using a simple Python script, truncated here for brevity.
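The report's own script is not reproduced on this page. The following is an added decoder, not Unit 42's code, that performs the same conversion under one assumption: the obfuscated values appear as a comma-separated list of decimal integers and exponential literals (for example 1.19e2), as Figure 1 describes. The sample input is constructed and decodes to the dropped file name from the analysis, not to any real shellcode, so an analyst can check the parser before pointing it at an extracted blob.

```python
import re

# Matches decimal integers and exponential/float literals such as 144 or 1.44e2.
# Hex literals (0x..) are not part of the representation the report describes
# and are rejected explicitly so they are never split into two decimal tokens.
_NUMBER = re.compile(r"[-+]?(?:\d+\.\d*|\.\d+|\d+)(?:[eE][-+]?\d+)?")


def decode_literals(text: str) -> bytes:
    """Convert a list of numeric literals (ints or exponentials) to raw bytes.

    Each literal must evaluate to an integer in 0..255; anything else raises
    rather than being silently truncated, so a mis-parsed blob is noticed.
    """
    if re.search(r"0[xX][0-9a-fA-F]", text):
        raise ValueError("hex literals are not supported by this decoder")
    out = bytearray()
    for tok in _NUMBER.findall(text):
        value = float(tok)  # float() understands both "144" and "1.44e2"
        if not value.is_integer() or not 0 <= value <= 255:
            raise ValueError(f"literal {tok!r} is not a byte value")
        out.append(int(value))
    return bytes(out)


# Constructed sample in the style the report describes (assumed format);
# it decodes to the dropped file name, not to shellcode.
SAMPLE = "82, 1e2, 1.19e2, 115, 4.6e1, 101, 1.2e2, 101"

if __name__ == "__main__":
    print(decode_literals(SAMPLE))
```

Running the block prints b'Rdws.exe'. The strict range check matters in practice: a single stray token (a stray array index or a float that does not round to a byte) corrupts every offset after it, so failing loudly is preferable to a plausible-looking but wrong dump.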
Looking at the shellcode in further detail shows a fairly simplistic instruction set. Functions are loaded dynamically, and a file is dropped to %TEMP%\Rdws.exe before being executed using the WinExec Windows API call.
Returning to the Flash exploit, we discover that the dropped file is embedded within the Flash file itself as ByteArray. This binary data is loaded and decompressed with ZLIB prior to being stored in a newly allocated section of memory. The address of this binary data is then stored in the shellcode before it is executed.
Figure 2. Exploit loading binary and running shellcode
After successful execution, a binary with the following attributes is executed on the victim’s machine.
As seen by the compile timestamp, this malware sample is not extremely current. The timestamp shows a compile date of November 14, 2014, which indicates that the infrastructure used by this particular sample has remained intact for quite some time, relatively speaking. Analysis of the malware indicates that this sample is highly likely to be the Trojan tool IsSpace, which shares similar code and behaviors as the NFlog tool.
When comparing IsSpace to NFlog, we noticed a number of changes have been made. When initially run, the malware attempts to write log messages to ‘C:\ProgramData\log[.]txt’ indicating that this variant was intended to run on Microsoft Windows 7 or higher. However, it still maintains the capability to run on operating systems earlier than Microsoft Windows 7 if needed. IsSpace creates an event named ‘MdQ0784kd’ to ensure that only a single instance of the malware is running at any given time on an infected host.
To determine the flow of execution, IsSpace gathers various data about the infected host, such as administrative rights of the user, operating system version, and CPU architecture.
If IsSpace determines that it is running as an administrator on a Microsoft Windows 7 system on a 32-bit platform, it will attempt to execute itself accordingly, using a side-loading technique. The malware will drop a cabinet file and batch script to the following locations:
[CWD] is the directory where the malware was run from and [%TEMP%] is the full path of the %TEMP% directory.
The batch script will first extract the cabinet file to the sysprep directory. The extracted file is a 32-bit DLL with the name ‘CryptBase.dll.’ The batch script continues to execute sysprep.exe after approximately 5 seconds, which will automatically load the dropped CryptBase.dll file. This DLL will execute the provided argument in a child process. This newly created process has elevated privileges as it is spawned by sysprep.exe.
A similar process is taken for 64-bit systems. However, instead of dropping a batch script, a 64-bit executable along with a cabinet file containing a 64-bit version of CryptBase.dll is dropped to the following path instead:
%TEMP%\FASAPI.bin
%TEMP%\FASAP.DAT
This executable is then run in a new process. It is responsible for unpacking the cabinet file and spawning a new instance of sysprep.exe.
If the malware detects that it is running on a Windows XP host, it will attempt to check for Internet connectivity by making an HTTP request to www.microsoft.com. This is similar to characteristics observed in the NFlog backdoor, with the primary deviation being that with IsSpace this activity only takes place when running in a Windows XP environment.
IsSpace proceeds to make HTTP requests to 172.246.109.27, which appears to be its primary command and control (C2) server. The initial HTTP request is made to ‘//STTip.asp.’ Note the extra leading forward slash. This is likely an unfortunate side effect of the malware expecting a subdirectory in the URI path. As this particular sample did not supply one, the extra slash is seen. An example request made can be seen below:
Figure 3. Initial IsSpace beacon being sent
After the initial beacon, IsSpace will exfiltrate victim information by making an HTTP request to ‘//SNews.asp?HostID=xx-xx-xx-xx-xx-xx’, where the HostID contains the victim’s MAC address. The POST data sent in this request is encrypted using the same four-byte XOR key of ‘\x35\x8E\x9D\x7A’ that has been used by the NFlog tool.
Figure 4. IsSpace disseminating victim information and accepting command
The decrypted information contains data similar to the following:
Once again, the exfiltrated data is very similar to what has been used by NFlog; however, with IsSpace, the victim’s user privilege level is also included, in addition to a variable of either ‘IsSpace’ or ‘IsGoogle.’ This particular variable is still under investigation by Unit 42. Additionally, we see what is likely a campaign code of ‘303_20140401’.
After the successful check-in and initial exfiltration, IsSpace will then accept the following commands:
Command      Description                Response URI
CMD          Executes command           //STravel.asp
Browse       List specified directory   //SJobs.asp
UploadFile   Upload file                //SSports.asp
DownLoad     Download file              //SWeather.asp
DelFile      Delete file                N/A
IsSpace provides attackers with a foothold into the victim’s machine and/or network. While the malware itself provides limited functionality, it allows attackers to perform minimal reconnaissance and deploy further malware onto the device.
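The beacon format described above (the double-slash URIs, the HostID query parameter carrying the MAC address, and the four-byte XOR key ‘\x35\x8E\x9D\x7A’ on the POST body) is enough to write a small triage helper for captured traffic. The block below is an added example, not Unit 42's tooling: it flags requests whose path is one of the URIs listed in this report and, for those, decrypts the body with the published key so an analyst can read the exfiltrated fields. The HTTP request is constructed for the example; its body is the string ‘IsSpace’ XORed with the key, not traffic from the campaign, and the C2 address is the one named in the report.

```python
import re

# Four-byte XOR key shared by NFlog and IsSpace for the POST body (from the report).
ISSPACE_KEY = b"\x35\x8E\x9D\x7A"

# Beacon and command-response URIs listed in the report; note the leading "//".
ISSPACE_URIS = {
    "//STTip.asp", "//SNews.asp", "//STravel.asp",
    "//SJobs.asp", "//SSports.asp", "//SWeather.asp",
}

_HOST_ID = re.compile(r"HostID=([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def xor_crypt(data: bytes, key: bytes = ISSPACE_KEY) -> bytes:
    """XOR data with a repeating key; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_beacon(raw: bytes) -> dict:
    """Split a raw HTTP request, flag IsSpace URIs and decrypt their body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    match = _HOST_ID.search(query)
    suspicious = path in ISSPACE_URIS  # exact match keeps the "//" quirk as a signal
    return {
        "method": method,
        "path": path,
        "host_id": match.group(1) if match else None,
        "suspicious": suspicious,
        # Only decrypt when the URI says this is IsSpace; otherwise pass the body through.
        "body": xor_crypt(body) if suspicious and body else body,
    }


# Constructed request (not captured traffic): the body is b"IsSpace" under the key.
SAMPLE_REQUEST = (
    b"POST //SNews.asp?HostID=00-11-22-33-44-55 HTTP/1.1\r\n"
    b"Host: 172.246.109.27\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"\x7c\xfd\xce\x0a\x54\xed\xf8"
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_REQUEST))
```

Matching on the full path rather than the file name keeps the extra leading slash as part of the signal, since the report identifies it as an artifact of this sample; a looser rule that strips slashes would still catch the same traffic but lose that distinguishing detail. A short static key like this one is also why the XOR step is reversible offline: anyone holding the key from a public report can decode the exfiltrated host details, which is one more reason to treat the beacon itself, not the body, as the detection point.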
Infrastructure
Figure 5. Infrastructure related to the command and control IP address
The IP 172.246.109.27 is hardcoded in the IsSpace sample and is likely to be the primary C2 server. Pivoting off of this primary C2 IP address using passive DNS data, we located seven domain names and two additional IP addresses that may be related to this attack. Three of the domains found used the prefix ‘ssl’ or ‘dns’ as the third level domain; this tactic is commonly used by malware authors as an evasion method.
Examining the WHOIS data for the domains revealed additional intelligence on possible attribution. Specifically, the WHOIS data showed start-vedioing[.]net to be allegedly registered to an entity in Japan:
And anywhere-staring[.]com was found to be allegedly registered to an entity in China:
Registry Registrant ID:
Registrant Name: lan fei
Registrant Organization:
Registrant Street: tian jing lu 244
Registrant City: bei da
Registrant State/Province: qing nao
Registrant Postal Code: 888000
Registrant Country: China
Registrant Phone: +86.13877554411
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: csolyc110@163[.]com
The geographic regions indicated in the WHOIS data are consistent with campaigns previously associated with NFlog, showing that the adversaries attributed to this malware were highly likely to be operating out of Southeast Asia. IsSpace is a newer variant of the NFlog malware family, and contains many similarities in its behavior and code base. It is highly likely that adversary groups that have historically used NFlog are now using IsSpace.
Conclusion
Adversaries continue to exploit easily accessible vulnerabilities and readily re-use exploit code and payloads, largely due to their efficacy. This type of behavior and activity is expected to continue for the near future due to the multiple vulnerabilities disclosed by the Hacking Team data breach.
As with many other previously disclosed advanced attacks, relying purely on a detection-based model for security is ineffective when IOCs are either unknown or are not readily available for ingestion. Thus, it is imperative that organizations deploy automated, behavior-based preventative measures such as Palo Alto Networks WildFire or Traps to reduce the risk of unknown attacks.
Palo Alto Networks customers using WildFire are protected from this campaign. Additionally, IPS signature 14365 detects IsSpace command and control traffic inside a network.
In cities and regions around the globe, Palo Alto Networks users are connecting in Fuel User Group’s 105 chapters and taking advantage of in-person and online forums to share their security expertise. Fuel has chapters on six continents and in over 30 countries, based from London to Singapore, and San Francisco to Saudi Arabia. Fuel chapter members hold meetings in spectacular venues like Dodger Stadium in Los Angeles, the Empire State Building in New York and even a cave that houses servers, to share their experiences and talk about pressing topics in cybersecurity.
Topics include:
PAN-OS 7.0
Threat Protection and Emerging Threat Intelligence
Endpoint Protection with Traps
Palo Alto Networks Best Practices and Tips and Tricks
In his latest article, posted this week over at Dark Reading, ‘The End Of Whack-A-Mole: From Incident Response To Strategic Intelligence,’ our CSO Rick Howard advises that if organizations want to get ahead in the cybersecurity game, they should move from a reactive incident response model to a more proactive approach by creating a cyber threat intelligence team.
By understanding the motivations and tactics of the various cyber adversaries they face, a strategic intelligence team can analyze raw threat data and use it to implement a more effective security posture.
The adoption of practices and approaches for governance and management of enterprise IT (GEIT) is rising, and enterprises do experience its practical relevance in delivering value to their stakeholders. But implementing and improving GEIT takes a reasonable amount of effort, as it requires a company to assess and rethink the governance and management enablers (including their policies, processes, structures and skill sets) and how they support enterprise business goals.
As a result, investments in improving governance and management of IT are often perceived as costly and complex, while return in stakeholder value is difficult to measure in tangible—often financial—outcomes.
To address this challenge, ISACA commissioned a research project from the University of Antwerp – Antwerp Management School. This practice-oriented research was executed in the second quarter of 2015 and attempts to demonstrate the business value achieved by applying the governance and management enabler categories proposed in COBIT 5. By offering empirical evidence that governing and managing those enablers has a positive impact on enterprise value creation, management will find it easier to support investment propositions related to GEIT.
Additionally, the results of this research contribute to the relatively new domain of knowledge and theory being built. It will assist practitioners by providing an international benchmark and more guidance on how governance and management frameworks such as COBIT 5 can lead to higher enterprise value creation from their information and technology (IT) assets and resources.
A glimpse of some findings
The findings suggest that professionals perceive and experience governance and management enablers such as structures, processes, skills, etc. as valuable for adopting and implementing GEIT. Each of the COBIT 5 enablers is seen as highly important. Better implementation rates of the COBIT enablers clearly show positive correlations with the achievement of IT-related goals, which in turn strongly associates to the achievement of enterprise goals.
The research also revealed that, in general, many governance and management processes that required more business management involvement achieved lower implementation scores (e.g. managing organizational changes, business process controls). This is a call for action as the importance of business involvement in IT-enabled value creation has been stressed by many researchers (e.g., Weill and Ross, 2009; De Haes and Van Grembergen, 2015; Turel and Bart, 2014). Or in the words of Weill and Ross, “If senior managers do not accept accountability for IT, the company will inevitably throw its IT money to multiple tactical initiatives with no clear impact on the organizational capabilities. IT becomes a liability instead of a strategic asset.”
By extension, the research also showed limited board-level commitment in management and governance of IT. These results confirm other international studies that report on the “surprising state of practice” (Andriole, 2009) after having observed low involvement rates of boards in enterprise governance of IT. However, other studies underline the importance of board involvement, demonstrating a clear association between board-level involvement in GEIT and organizational performance (Turel and Bart, 2014). As such, these results are also a call for action for board members in the area of GEIT, as Wim Van Grembergen and I noted in our text on Enterprise Governance of IT.
The results of this study are available in Benchmarking and Business Value Assessment of COBIT 5, which is available for free download at www.isaca.org/benchmarking-cobit. Many results will also be discussed in the next ISACA Journal edition. We invite you to explore the results and look forward to your comments.
Steven De Haes University of Antwerp – Antwerp Management School