Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Palo Alto Networks researcher Bo Qu discovered two new critical Internet Explorer (IE) vulnerabilities affecting IE versions 6, 7, 8, 9, 10, and 11. Both are included in Microsoft’s July 2015 Security Bulletin, and documented in Microsoft Security Bulletins MS15-065 and MS15-066.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and the creation of protections by security vendors.
By proactively identifying these vulnerabilities, developing protections for our customers, and sharing them with Microsoft for patching, we are removing one weapon used by attackers to compromise enterprise and government networks.
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Cybercrime and Espionage, published in 2011, is a book that was ahead of its time. The authors were pushing the envelope in terms of how the security community should think about advanced threats. However, almost five years later, there is not enough in here to make the book Cybersecurity Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them.
My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage, this is not it.
Introduction
Will Gragido and John Pirc published this book in February 2011 — the year after the commercial industry experienced its wake-up call in terms of cyber espionage: Operation Aurora. [1] Aurora refers to the adversary campaign launched at Google and other commercial organizations that was designed to steal intellectual property, collect information on human rights activists, and gather intelligence regarding on-going FBI wiretap operations. [2]
What made Aurora notable was Google’s reaction to it. They went public and accused the Chinese government of being responsible for the attacks. Before Aurora, most commercial organizations would not admit that they had been breached, even though nation states had been targeting commercial organizations for at least a decade. Business leaders worried that admitting a breach would significantly affect the bottom line. After Aurora and Google’s public mea culpa, it became easier for other commercial entities to admit that they had been breached. Fast-forward to today, and public breach notifications are so common that it is difficult to keep up with them all.
But this was the beginning. Before Aurora, the only significant cyberthreat to the commercial world was crime. After it, cyber espionage became something that we all had to worry about. This is the context for the book: defining cybercrime and cyber espionage as motivations — what makes them different and what makes them the same.
Impressions
The two authors, Will Gragido and John Pirc, are experienced cybersecurity professionals, and it is clear that they know what they are talking about; but the book is a bit disorganized in terms of who the target audience is. The content is a mix of introductory and advanced material. However, I did not see that the book had a through line. The authors’ analysis of the cybercrime world is at the introductory level. If you want a more in-depth book on the same topic that was published around the same time, consider Kingpin, written by Kevin Poulsen. [3] If you are looking for something a little more recent, consider Spam Nation by Brian Krebs, which was inducted into the Canon earlier this year. [4] The espionage material is more advanced, but if you want to go deeper, consider Kim Zetter’s Countdown to Zero Day [5], another Canon inductee, or Richard Bejtlich’s The Practice of Network Security Monitoring. [6]
I do give Gragido and Pirc credit, though, for covering some advanced ideas ahead of their time that have not really become popular until just recently. One idea that I really like is that commercial organizations should build their own intelligence teams to track adversary campaigns. They published the book almost five years ago, and this was not universally accepted at the time. It is not universally accepted today either, but more and more organizations are starting to understand the value of such teams. As an aside, this is one of the reasons I got hired at Palo Alto Networks: to build an intelligence team that we eventually called Unit 42.
Gragido and Pirc push their own intelligence model called MOSAIC: Motive, Awareness, Open Source Intelligence Collection, Study, Asymmetrical Intelligence Correlation, Intelligence Review and Interrogation and Confluence. It is a good framework for an intelligence analyst; unfortunately, the model has not really caught on. Most intelligence organizations — the CIA, the FBI, and the NSA, as well as Unit 42 — use a model called The Intelligence Cycle. [7][8] They are basically the same thing, but the MOSAIC model has more detail.
The authors introduce a new phrase called Subversive Multivector Threats (SMTs), a sort of superset to what the cybersecurity community used to call the Advanced Persistent Threat (APT). They even explain the origin of the APT phrase, a phrase the military had been using for almost a decade in an UNCLASSIFIED setting to mean anything that involved Chinese government-sanctioned cyber espionage. Gragido and Pirc were ahead of their time, understanding that the community needed another name to label similar attacks that did not originate from China. Thus, they came up with SMTs, but the community has not embraced that term. We have evolved the APT phrase to include everything instead.
Another advanced idea presented that I really liked was the concept that there are humans behind these attacks. Tools do not attack our systems. Humans — often organized into groups — attack our systems, and they use tools to accomplish some goal. These adversary groups can be rated in skill level from novice to expert and have motivations like cybercrime and cyber espionage; and it helps defenders do a better job by understanding that context, according to the authors. I wholeheartedly agree. But today, I think we can expand that motivation list to include hacktivism, cyberterrorism and cyberwarfare, and I thought their definitions of hackers’ maturity levels were not definitive enough to be useful.
Also, Gragido and Pirc introduce a two-tiered categorization scheme for adversary campaigns, where Tier-1 campaigns target:
“… air-gapped networks or networks that would be considered highly secured, such as those of power companies (supervisory control and data acquisition or SCADA networks), governments, and defense organizations.” [9]
Tier-2 adversary campaign plans are all other APT campaigns. This two-tiered system seems ill-conceived today. The security community considers SCADA networks in general, and power companies in particular, as being at least 10 years behind the rest of the community [10]. And government networks have proven to be even less secure than most commercial organizations, except for maybe the intelligence community’s networks and some select defense networks. [11] I do not see a need for this two-tiered system in today’s threat environment.
One last advanced idea that I really liked was that threat prevention is possible. There has been a trend in the industry these past five years where security leaders have thrown their hands in the air saying they cannot possibly stop the APT, and that it is better to concentrate their precious resources solely on detection and mitigation. This is just plain wrong, and Gragido and Pirc do well to point that out. If I can prevent 90 percent of all attack campaigns because most adversaries use known techniques, why not do it? That lets me concentrate my resources on finding the unknown techniques. Detection and mitigation are important, but these activities should be balanced with a robust threat prevention program. Even in 2011, Gragido and Pirc asserted this philosophy.
Conclusion
Cybercrime and Espionage is a book that was ahead of its time. I give the authors credit for pushing the envelope as to how the security community’s thinking around advanced threats should evolve. If you read it when it was published, it would have stimulated your thought process around your own security program. But almost five years later, there is not enough in here to make the book Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them. My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage that will stand the test of time, this is not it.
Sources
[1] “Google Hack Attack Was Ultra Sophisticated, New Details Show,” by Kim Zetter, Wired Magazine, 14 January 2010, Last Visited 5 July 2015, http://www.wired.com/2010/01/operation-aurora/
“Internet Crime Complaint Center (IC3),” The Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), Last Visited 5 July 2015, http://www.ic3.gov/media/annualreports.aspx
The challenge of APTs targeting Industrial Control Systems continues to evolve and escalate. It is true that a number of the ICS-specific attacks in the years immediately following Stuxnet (e.g. Duqu, Flame, Shamoon) are not so interesting as derivatives of Stuxnet or in how they utilize more general, IT-centric exploits. However, 2014 was a milestone year in that we saw two APTs that uniquely expanded on the initial methods used by Stuxnet: Energetic Bear/Dragonfly (Havex) and Sandworm (Black Energy campaign).
The most recent campaigns from these APTs have upped the bar in terms of “craftiness” with techniques combining more sophisticated social engineering, ICS protocol exploits, and exploits to automation-specific HMI software. In the case of the APT attack to the German steel mill, also disclosed in 2014, we are reminded of potentially destructive cyberphysical effects that could occur when ICS systems are breached. (In this case, the destruction of a blast furnace.)
The “people, process, technology” discussion around security is very relevant here. As always, the human element involved in social engineering is a particularly difficult challenge. Most advanced attacks will employ some form of social engineering. Education goes a long way in terms of mitigating the issue, but motivated attackers will always find a way to trick a targeted individual into opening the malicious email attachment, loading an infected file from the free USB thumb drive, or visiting a seemingly innocent website housing drive-by malware, unknowingly initiating the APT attack.
In addition, on the technology front, these attacks by well-resourced actors like nation states and cybercriminal organizations typically use both known attacks and zero-day exploits and/or malware that conventional methods can neither detect nor prevent. Combine social engineering and zero days, and you have a very effective methodology for establishing a beachhead for an ICS attack, whether it is first into the IT side of the house or directly into the OT side.
Is APT Prevention a Holy Grail?
Many organizations assume they will be breached, and think preventing advanced attacks is not feasible. Hence, they try their best to isolate the SCADA/ICS network and stop known threats. Capabilities to stop more advanced threats are typically non-existent or are just starting to be deployed by some more forward-thinking organizations. Considering the high costs to organizations that are breached, and the people and safety concerns associated with cyberphysical processes going awry in critical infrastructure, an inability to stop advanced threats should be something asset owners take seriously and address.
At Palo Alto Networks we believe that preventing attacks from APTs is possible. No security solution is ever 100% effective, but we have a strong platform that makes it extremely hard for the bad guys, even the very sophisticated ones behind APTs, to successfully implement their attacks. It is based on a platform approach that combines the power of the next-generation firewall, our threat intelligence cloud and advanced endpoint protection to prevent attacks and provide increased automation of security functions while providing correlated threat intelligence and logs.
Get up to Speed on APTs in ICS
We take a closer look at APTs in ICS and methods for protecting your organization against them using a platform approach in an upcoming webinar co-hosted by Mike Assante, Director of ICS at the SANS Institute, and me. Join us on Wednesday, July 22, to learn more about:
The evolution of APTs in ICS from the original Stuxnet to the recent Black Energy
The model of the APT attack lifecycle with a focus on the different phases and associated “kill points” which are critical to understand from a defensive standpoint
Best practices and technologies that help organizations better protect themselves from such attacks, particularly those using zero-day techniques
Register for the webinar at this link. Thanks, and we hope to see you there!
Optimizing business risks associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise is a key component in an enterprise’s ability to create value. This will allow the enterprise to reach the main objectives and it will most likely result in expansion.
Optimizing IT risks not only requires key practices of the company governance, such as the definition of risk appetite and policies, but also a continuous management process to identify, analyze, evaluate and treat IT risks covering the whole enterprise end-to-end.
However, a frequent issue is that organizations are limited in the essential resources for IT risk management—for example, staff-related gaps (quantity and skills), lack of automated tools, restricted budget, incomplete inventories of IT assets and absence of historical data on loss events related to IT risks.
Although all these limitations are solvable, the solution may not be available immediately. As a result, an organization would still be exposed to unidentified IT risk scenarios that could exceed the established risk appetite or even the capacity to absorb losses, compromising the sustainability of the company.
Therefore, the priority is to start as soon as possible by defining valid criteria to identify the IT risk scenarios and determine an optimized scope for the IT risk management process depending on the resources and capabilities available. To start the primary identification of the risk scenarios, the following eight steps are suggested:
1. Consider internationally recognized standards and guidance, such as:
   - MAGERIT, which includes numerous threats for each type of asset/resource with their corresponding safeguards
   - Additional documents from ISACA on topics such as big data, cloud computing, vendor management and social media
2. Analyze the business objectives of the organization to identify IT-related risks that could jeopardize its success.
3. Collect the know-how of the experts within the organization’s scope (e.g., CISO, DBA and CTO) to engage them in the process of IT risk management.
4. Assess news of vulnerabilities in the IT assets/resources adopted by the company.
5. Apply “reverse engineering” to the controls required by current regulations to infer possible threats from those controls.
6. Analyze the events in the operational risk loss database to detect materialized IT risk scenarios.
7. Once you have collected a considerable universe of scenarios, the organization’s possible scope of analysis should be formally defined. This will require formal approval from the relevant bodies (e.g., risk committee).
8. The approved register of IT risk scenarios should be enriched periodically, depending on what actually happened with threats, updates to standards, new technological developments and improvement in the capability level of the facilitators required for risk management.
Once the registry of risk scenarios is formally approved, the universe of assets/IT resources to analyze could be defined assigning priority to the most critical ones in terms of their support for the business processes. After this, the phase of IT risk analysis within the company could already be started with the most appropriate scope.
Unit 42 has uncovered a new campaign from the CozyDuke threat actors, aka CozyCar [1], leveraging malware that appears to be related to the Seaduke malware described earlier this week by Symantec. [2]
This campaign, which began on July 7, 2015, appears to be targeted at government organizations and think-tanks located in democratic countries [3], and utilizes compromised, legitimate websites for spear phishing and command and control activity.
Unit 42 discovered the extent of this attack using the Palo Alto Networks AutoFocus service, which allows analysts to quickly find correlations among malware samples analyzed by WildFire. All files referenced throughout the analysis are contained in the IOC table at the end of this blog.
Figure 1. Sample decoy presented to a user while downloader runs. Researchers discovered 6 unique decoys in use with similar lures targeting pro-democratic organizations.
Malware Details
The Initial Droppers: Decoy and Downloader
The current CozyCar campaign includes spear phishing emails that deliver the payload either via a link to a .zip file on a compromised website or directly as an attachment to the phish.
At the time of our analysis, the phishing link was no longer active. When a user opens the attached file, a poorly detected executable file [VT 1/54] is extracted. The initial dropper is a self-extracting archive (SFX). Upon execution, this executable file will drop two files in the %TEMP% directory: a decoy .wav file and the secondary dropper.
The CozyDuke group commonly uses legitimate media files to trick users. In reality, while the media — a .wav file with a female voice claiming to be a reporter looking for commentary — is played, the secondary dropper executes in the background. The secondary dropper requests a .swf file using SSL as illustrated in the HTTP traffic below.
As of this writing, the domain extranet.qualityplanning[.]com resolved to 64.244.34[.]200.
The secondary dropper then cleans up after itself with a simple vbs script (md5:0d132ee171768dc30d14590ed2dbadd1) that leaves only the decoy multimedia file behind. But what did the dropper do with the .swf file?
The Real Payload
While the player.swf file downloaded by the second stage dropper does contain media, it is, again, a decoy.
The actual Flash component of this file is roughly 16kb, leaving approximately 200kb of the file unaccounted for. The second stage dropper contains decoding routines that decode this remaining binary data into an executable file.
The executable file is dropped in %appdata%/Roaming and appears to try and emulate legitimate software names: TimbuktuDaemon, SearchIndexer, RtkAudioService64, dirmngr, o2flash, and usbrefs64. This file was not observed on VirusTotal until July 9 and has extremely low detection rates [VT: 3/54].
It appears that the authors of this particular iteration of the CozyCar group’s malware internally call it “miniDionis” according to pdb strings left in the binary (c:\BastionSolution\Shells\Projects\miniDionis4\miniDionis\obj\Release\miniDionis.pdb). It also appears to be an iteration on the “forkmeimfamous” aka Seaduke malware analyzed by Unit 42 in a previous blog [4].
The malware stores 2 files in the %temp% directory: a configuration file and a secondary dll. The configuration file’s name matches the final characters of the bot_id that is contained within as per the sample below:
Figure 2. .net disassembly of the primary payload shows the author’s name for the project, “miniDionis”.
Analysis of the secondary dll file (name matches [A-Z0-9]{1}\.tmp) indicates that its primary function is to serve as a cleanup mechanism for the dropped binary. This is likely an attempt to thwart forensic investigations.
Further examination of memory dumps taken following the execution of miniDionis reveals some clues into the beaconing activity exhibited. The malware stores configuration values in memory as key:value pairs:
"user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
}
The configuration of miniDionis is a JSON blob with several important sections, which are described in the table below:
Key: Functionality
autoload_settings: dictionary containing values that control the malware’s behavior when executing via persistence mechanisms
app_name: subkey of autoload_settings; defines the value used as the malware’s name
delete_after: subkey of autoload_settings; boolean value that defines whether the executable is deleted after executing
exe_name: subkey of autoload_settings; defines the value used as the executable file’s name
cookie_name: defines the name under which cookie data is stored
enable_autoload: boolean value that controls persistence
first_run_delay: time in seconds to delay initial beaconing after execution
host_scripts: dictionary containing the locations of the C2 servers
key_id: equivalent to the bot_id; also used to derive values in C2 communications
keys: dictionary containing an AES key and an AES IV
aes: AES key value
aes_iv: AES IV value
user_agent: HTTP User-Agent header used when communicating with a C2
Table 1. ‘miniDionis’ configuration keys
Network Communications
The functional payload of this Trojan starts by creating a Mutex by splitting the “bot_id” value in the configuration on the hyphen ("-") and using the second portion of the split string (specifically, "01MRLXW" in the case of this configuration).
From a functionality standpoint, the Trojan uses the concept of tasks that are processed and completed using a pool of threads. To obtain tasks, the Trojan will issue an HTTPS request to the C2 server (“host_scripts” in the configuration) that resembles the following example beacon:
The Trojan manually creates the cookie in this HTTP request. The cookie contains ciphertext that the Trojan creates based on the “bot_id” in the JSON configuration. The Trojan compresses the “bot_id” string using zlib and then encrypts it using the RC4 algorithm using a generated key. The generated key is a SHA1 hash of two randomly created strings: the first of which is between 2 and 8 bytes long and the second is between 1 and 7 characters in length.
The ciphertext of the “bot_id” is then base64 encoded and finally appended to the “cookie_name” (“SSID=”) from the configuration and sent within the HTTP request to the C2 server.
Unit 42 did not observe the first random string (between 2 and 8 characters in length) sent to the C2 in the first beacon, which would be required by the C2 to reproduce the exact SHA1 hash used as a key to generate the ciphertext in the cookie. Upon further examination we believe that the C2 will not be able to decrypt the cookie in the first beacon. Instead, the C2 will respond to the first beacon with data that the Trojan will use to extract a string, using a function named TrExtractKey seen in Figure 3, to replace the first random string used to generate the SHA1 hash.
Once the C2 and Trojan have synchronized using this string, the C2 will be able to decrypt subsequent network beacons because the Trojan includes the random string between 1 and 7 characters that makes up the second half of the SHA1 hash within the cookie field before the ciphertext.
Figure 3. TrExtractKey Function Used by MiniDionis to Obtain String from C2 to Synchronize Keys
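The cookie construction described above, as an added Python example that is not part of the Unit 42 write-up: it builds a constructed sample cookie from the stated recipe (zlib, RC4 under a SHA1 of the two strings, base64 behind the configured cookie_name) and then decodes it the way an analyst would from a captured beacon once the synchronization string is known. The SHA1 input order, the raw digest as RC4 key, and the undelimited placement of the second string between the cookie name and the base64 text are assumptions; all bot_id and string values are constructed.

```python
"""Decoder for the miniDionis beacon cookie described in the Unit 42 write-up:
bot_id -> zlib compress -> RC4 keyed with SHA1(rand1 + rand2) -> base64,
prefixed with the configured cookie_name ("SSID=").

Assumptions not stated in the write-up: the SHA1 input is the plain
concatenation rand1 + rand2 and its raw 20-byte digest is the RC4 key; the
second random string sits between the cookie name and the base64 text with
no delimiter. Every sample value below is constructed for illustration."""
import base64
import hashlib
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(rand1: str, rand2: str) -> bytes:
    """RC4 key = SHA1 over the two random strings (concatenation order assumed)."""
    return hashlib.sha1((rand1 + rand2).encode()).digest()


def build_cookie(bot_id: str, rand1: str, rand2: str, cookie_name: str = "SSID=") -> str:
    """Analyst-side reconstruction of the beacon cookie, used only to produce
    test vectors for decode_cookie(); mirrors the write-up's description."""
    ciphertext = rc4(session_key(rand1, rand2), zlib.compress(bot_id.encode()))
    return cookie_name + rand2 + base64.b64encode(ciphertext).decode()


def decode_cookie(cookie: str, rand1: str, cookie_name: str = "SSID=") -> Optional[str]:
    """Recover bot_id from a captured cookie once rand1 is known (i.e. after
    the C2 has synchronized it via TrExtractKey). The write-up does not say
    how the C2 finds the end of the 1..7 character rand2, and base64 text
    also starts with letters, so every candidate length is tried and the
    split whose output inflates cleanly (zlib header + adler32) is accepted."""
    if not cookie.startswith(cookie_name):
        return None
    body = cookie[len(cookie_name):]
    for n in range(1, 8):
        rand2, b64 = body[:n], body[n:]
        try:
            ciphertext = base64.b64decode(b64, validate=True)
            plain = zlib.decompress(rc4(session_key(rand1, rand2), ciphertext))
            return plain.decode()
        except (ValueError, zlib.error):
            continue  # wrong split or wrong key: padding/header/checksum fails
    return None


def mutex_name(bot_id: str) -> str:
    """Mutex name = the part of bot_id after the hyphen (write-up: 01MRLXW)."""
    return bot_id.split("-", 1)[1]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real infection.
    bot = "AB12CD34-01MRLXW"
    cookie = build_cookie(bot, rand1="k3yS", rand2="qZ7")
    print(cookie)
    print(decode_cookie(cookie, rand1="k3yS"), mutex_name(bot))
```

A decoder that does not know the synchronized first string returns None for every split, which is the behaviour the write-up predicts for the C2 on the very first beacon.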
The C2 communications, and several of the commands we will discuss in this blog, include a rather interesting technique to manually handle HTTP redirection, such as the HTTP 301 Moved Permanently and HTTP 302 Found status codes.
The technique used to handle these redirections involves checking for the presence of a “Location” field within the HTTP headers of the server response, then using regular expressions to parse the HTML within the server response to find the appropriate URL.
The code contains three regular expressions to parse the HTML and locate the URL. The first, "<a.*?>.*?</a>", locates all anchor (link) tags within the HTML.
The second, onclick=\"Accept();\", narrows this to only the links with that specific “onclick” action.
The last, href\\s*=\\s*(?:[\"'](?<1>[^\"']*)[\"']|(?<1>\\S+)), extracts the href value, which becomes the URL the Trojan uses for the C2 server.
Command handler
Once the C2 and Trojan have synchronized and can decrypt their network communications the C2 server will begin responding to beacons from the Trojan with JSON blobs.
Unit 42 has not received any JSON blobs from an active C2 server, but based on static analysis of the Trojan determined the JSON would look as follows:
The Trojan takes this JSON blob and adds each task in the list into a pool for processing. Separate worker threads access this pool of tasks and process the commands and perform the necessary activities.
Unit 42 analyzed the Trojan’s command handler and found several commands, as seen in Table 2, which allow the threat actors to carry out a full range of activities on the system.
Command: Description (sub-commands of cmd are indented beneath it)
cmd: Checks for sub-commands within the ‘data’ section; if none is present, runs ‘data’ using “cmd /c <data>”
    cd: Changes directory
    pwd: Returns the current working directory
    cdt: Changes to the temporary directory
    :set_update_interval: Sets the timeout between network beacons
    :proxy: Configures proxy information
    :exit: Exits the Trojan and responds to the C2 server with “Bye!”
    :wget: Downloads a file from a specified URL
    :uploadto: Uploads a file to a specified URL
exec: Launches an application and waits for it to exit
execw: Launches an application and does not wait for it to exit
upl: Uploads or downloads a list of files to or from the C2 server
srv: Sends system information from the compromised system to the C2 server
Table 2. Available Commands within MiniDionis’ Command Handler
Conclusion
The actors behind the CozyDuke framework are highly sophisticated, motivated, and have become increasingly bold in their campaigns.
We recommend that other security practitioners review the included Indicators of Compromise (IoCs) to ensure they have not been targets in this campaign, and add the appropriate security controls to prevent future attacks.
This group is reliant on social engineering, and thus, user education remains of paramount importance.
Palo Alto Networks customers using WildFire were protected from this campaign. All known elements of this campaign have been accurately identified by WildFire as malicious.