Analysis: CryptoWall 3.0, Dyre and I2P

For a moment, put yourself in the shoes of a cyber criminal. You’ve collected an array of tools (malware), built up your infrastructure (command and control (C2) servers) and you have a process to make money off your hard work. You wake up on Monday morning and the domains your carefully built malware uses for command and control are shut down. Some security researcher has taken control of them, completely halting your operation. This would certainly be good news to anyone reading this blog, but for the criminal it’s a big setback and source of frustration. These kinds of takedowns are the impetus for some of the most impressive developments in malware technology over the last decade.

Takedown-Resistant Command and Control

Once attackers have infected a PC through some exploit or social engineering, one of their major challenges is keeping control of that system. Antivirus programs running on the PC are trying to eradicate the threat, and the command and control domains and IPs are being added to blacklists and blocked by networks around the world. Many malware authors have taken to building complex mechanisms to ensure that their malware is resistant to these kinds of blocks and takedowns. Some of the more innovative mechanisms include:

  • Peer-to-peer (P2P) Networks: Rather than relying on a single point of failure (or a small number of them) for command and control, P2P bots communicate with other infected systems that can relay commands from the attacker. These systems aren’t perfect though, as Operation b49 proved in the takedown of Waledac.
  • Domain Generation Algorithms (DGAs): Why use one domain for command and control when you could use 100, or 1,000, or more? DGAs work by algorithmically generating possible C2 domains that change over time. The attacker often only needs to register one of these domains to ensure control of the network. Conficker, one of the best-known DGA-based botnets, generated 50,000 possible domains each day in its final variant.

These mechanisms are often only used when the primary (and simpler) C2 mechanism has been shut down, but their use makes shutting down a botnet much more challenging.

Abusing I2P

Last year we highlighted two malware families on this blog: CryptoWall 2.0 and Dyreza/Dyre. CryptoWall is one of multiple ransomware families that generate income for the attacker by encrypting files on the infected PC with a private key that is under the attacker’s control. The attacker then charges a ransom (normally around $500) to give up the key that will unlock the files. In October, CryptoWall 2.0 began using the Tor anonymity network to serve web pages to infected users who wanted their encrypted files back. In this case a legitimate service (Tor) was being abused by CryptoWall so it could avoid having its C2 servers shut down. Presently another anonymity network, I2P, is being abused by both the latest version of CryptoWall (3.0) and the Dyre banking Trojan.

While I2P is far less popular than Tor, it provides similar functionality to the user. I2P is an overlay network on top of the Internet that creates encrypted links between nodes that are running the I2P software. I2P users can access specific I2P services that are only accessible on I2P, or access Internet resources without exposing their IP address.

In the case of CryptoWall 3.0, the malware is attempting to access multiple .i2p resources only accessible through I2P, also known as “eepSites.”

  • proxy1-1-1.i2p
  • proxy2-2-2.i2p
  • proxy3-3-3.i2p
  • proxy4-4-4.i2p
  • proxy5-5-5.i2p

CryptoWall 3.0 uses I2P in the same way CryptoWall 2.0 used Tor: to give the victim access to a decrypting service to get their files back.

The Dyre banking Trojan has multiple C2 mechanisms, including encrypted HTTPS requests to a list of hard-coded IP addresses, a DGA generating 1,000 new domains each day, and an I2P-based plugin. These many C2 mechanisms make Dyre much more difficult to fully take down than malware with a single C2 server (or a small group of them). The following IP addresses are known Dyre C2 servers.


It’s not possible to list all of the domains generated by the DGA, which is the main advantage of this mechanism.

To protect your network from the I2P communication used by both Dyre and CryptoWall 3.0, the easiest route is simply to identify I2P traffic and block it completely. While there are certainly many legitimate reasons to use an anonymity network, many organizations should be wary of I2P (or Tor) traffic transiting their network. Palo Alto Networks App-ID technology can identify I2P traffic as well as 51 other tunneling applications.
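As an added example (not part of the original post), the following Python script shows one defender-side way to surface both takedown-resistant C2 behaviours described above in DNS resolver logs: lookups of the .i2p eepSite names listed for CryptoWall 3.0, and the burst of NXDOMAIN answers a DGA client such as Dyre’s produces while it walks through unregistered names. The log format, the threshold and all sample lines are constructed assumptions; identifying I2P traffic itself still needs application-level inspection, as the post notes.

```python
import re
from collections import defaultdict

# The CryptoWall 3.0 eepSite names listed in the post.
CRYPTOWALL_I2P_SITES = frozenset({
    "proxy1-1-1.i2p", "proxy2-2-2.i2p", "proxy3-3-3.i2p",
    "proxy4-4-4.i2p", "proxy5-5-5.i2p",
})

# Assumed (constructed) resolver log format: "<epoch> <client_ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample log: one host resolving CryptoWall eepSites, one host showing a
# DGA-style burst of never-registered names, and ordinary traffic from a third host.
SAMPLE_LOG = "\n".join(
    ["1422403200 10.0.0.5 www.example.com NOERROR",
     "1422403201 10.0.0.5 proxy1-1-1.i2p NXDOMAIN",
     "1422403202 10.0.0.5 proxy3-3-3.i2p NXDOMAIN",
     "1422403260 10.0.0.9 mail.example.com NOERROR",
     "1422403261 10.0.0.9 some-other-site.i2p NXDOMAIN"]
    + [f"{1422403300 + i} 10.0.0.7 xq{i:02d}kzdpw.com NXDOMAIN" for i in range(25)]
)

def parse_log(text):
    """Return (timestamp, client, qname, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records

def flag_i2p_lookups(records):
    """.i2p is not a public TLD, so a lookup reaching the resolver means software on
    the client tried to reach an eepSite. A name from the post is the stronger signal."""
    hits = []
    for _, client, qname, _ in records:
        if qname.endswith(".i2p"):
            reason = ("known CryptoWall 3.0 eepSite" if qname in CRYPTOWALL_I2P_SITES
                      else "other I2P lookup")
            hits.append((client, qname, reason))
    return hits

def flag_nxdomain_bursts(records, window=3600, threshold=20):
    """A DGA client asks for many names nobody registered, so it produces a burst of
    distinct NXDOMAIN answers. Return {client: peak number of distinct NXDOMAIN names
    within any `window` seconds} for clients at or above `threshold` (assumed values)."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            names = {q for t, q in events[i:] if t - start <= window}
            peak = max(peak, len(names))
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Run parse_log(SAMPLE_LOG) and pass the records to both flag_ functions; on the constructed data the first returns three .i2p hits (two of them known CryptoWall names) and the second flags 10.0.0.7 with 25 distinct NXDOMAIN names in one hour.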

[Palo Alto Networks Blog]

How To Protect Yourself From the Latest CTB-Locker Campaign

CTB-Locker is a well-known ransomware Trojan used by crimeware groups to encrypt files on the victim’s endpoints and demand ransom payment to decrypt the files back to their original state. Earlier this week we detailed a new CTB-Locker campaign and why legacy security products won’t protect enterprise networks.

In this blog post we will detail how to protect yourself from CTB-Locker, even if you aren’t protected by Palo Alto Networks next-generation enterprise security.

Since our first blog post on the campaign, here are some updates:

  • We discovered another campaign that started on January 21; the malicious sites it used are listed a few paragraphs below.
  • Across four campaigns over at least three months, the attackers kept the IPs 213.186.33.4 and 213.186.33.19 in three out of four campaigns. The other servers appear to have been used only for single campaigns.
  • Six of the 20 malicious sites we’ve identified are still live as of this posting, and this is one of them:

There are two possible scenarios for sites like this:

  1. The attackers have gained unauthorized access to those servers or specific websites and planted C&C inside a legitimate website.
  2. The attackers bought this website and have added what appears to be “legit” content to disguise its real purpose.

User Awareness

Here are some things to watch out for:

  • The below icon is used by the attacker against at least two of our protected customers. (Of course, it can be easily replaced by the attacker.)

  • A suspicious file extension such as .SCR is almost always malicious (especially if you received the file from an unknown sender).

New IOC

  • Additional mutex: 93031785
  • Full server list – you can block traffic to these sites on port 443:

  • The latest campaign is still going on – we have just discovered about 70 new hashes: please see the attached .csv file.
  • One attack from the newest campaign, using a file called “industriestr_3-7_49832_freren.scr” (using the joefel.com site), is unknown to VirusTotal. SHA256: 614f3d7ef084f12e9034f3723a8016783ced90240c0425fc9fc2324e7d1b5d2e

Conclusion

Earlier this week we identified new CTB-Locker campaigns. Palo Alto Networks Enterprise Security Platform protects from CTB-Locker in a way legacy security solutions can’t.

The above data should help in identifying and understanding CTB-Locker a bit better, but these are temporary solutions. Solving this endless cat-and-mouse game means upgrading to next-generation security. Learn more about Palo Alto Networks Enterprise Security Platform here.

[Palo Alto Networks Blog]

What Makes Advanced Malware So Scary?

Malware is code that is written to accomplish a malicious purpose. In most cases the malware also has the ability to spread or infiltrate other systems or programs. Sometimes the malware’s purpose is just to show off the author’s hacking prowess, but more recently the purpose has typically been to make money, steal information or cause damage. In some cases, the scope of the malicious intent and damage has been to such an extent that we call it cyberterrorism or cyberwarfare. Think of the recent attack on Sony, which appears to have been prompted by the film The Interview.

Over the years, types of malware have often been given colorful and even scary names. Viruses, worms and Trojan horses were terms coined in the 1980s for various types of malicious code. More recently, we have described certain attacks as advanced persistent threats (APTs) and advanced malware. Advanced malware tends to be targeted, stealthy, evasive and adaptive. This contrasts with previous types of malware that generally tried to spread to as many programs or systems as possible, often in an indiscriminate and “noisy” fashion.

APTs are advanced malware, which the US National Institute of Standards and Technology (NIST) defines as follows:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

The definition is a bit heavy, but completely in line with the concept that advanced malware has a clear “who” behind it that is writing the code to attack a specific target and carry out a specific mission. The attack is likely to be against a targeted enterprise or even certain individuals like systems administrators within an enterprise. Moreover, the malware is likely to be multipronged with a variety of different ways and techniques to infiltrate a system and extract the desired information. It can be patient and wait for some time before attacking. Also, it will adapt to conditions and try different methods automatically.

Finding and blocking this type of code can be difficult for traditional antivirus software because chances are the attack will never have been seen before. This means that no antivirus signature will have been created for the malware. Behavior blocking and reputation-based antivirus techniques might be somewhat effective. For instance, since the malware will likely try to extract and send confidential data somewhere, that type of unusual behavior might be discoverable and blocked. However, the people creating advanced malware are likely to test their creations’ evasive and stealth capabilities against most popular antivirus and security products.

So who writes this stuff? While individual hackers might write advanced malware, more often it is the product of dedicated teams from nation states, organized crime groups or terrorist organizations. Advanced malware is built and tested with a degree of professionalism and dedication similar to that found in legitimate software product teams.

Scared? You’re not alone. In a recent ISACA survey, one in five respondents noted that their organization has already experienced an APT attack, and 66 percent believe it is only a matter of time before their organization is hit by one. Additionally, 92 percent believe that APTs are a serious threat.

So what can an organization do to protect against advanced malware? Improved training and multiple layers of security are clearly part of the answer, and ISACA’s Cybersecurity Nexus (CSX) has a helpful guide on the subject available.

I also discussed the reality of advanced malware in an article for Processor. Read the full article here.

Rob Clyde, CISM
CEO, Adaptive Computing

[ISACA]

Hotel Wi-Fi May Not Be the Most Secure Way to Surf

Forget the hotel Wi-Fi. Now that the Federal Communications Commission is cracking down on hotels and other businesses trying to force you to use their networks, it’s time to consider a more secure way to connect to the Internet.

The FCC warned businesses Tuesday that Wi-Fi blocking violates the Communications Act, and it’s an illegal move that it will be “aggressively investigating.”

“Protecting consumers from this kind of interference is a priority area for the FCC enforcement bureau,” said Chairman Tom Wheeler in a statement.

Wi-Fi blocking made headlines last October, after Marriott International agreed to pay a civil fine of $600,000 to resolve such an FCC probe. The investigation found that employees at Marriott’s Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, had prevented guests from connecting to the Internet via their own Wi-Fi hotspots, while charging them for access to the hotel’s network.


According to the American Hotel and Lodging Association, just 11 percent of hotels charge for in-room Internet access, down from 23 percent in 2012. Fees can vary widely, with prices starting as low as $4 per day, or ranging up to $25 as part of a broader resort fee.

Some properties offer basic access for free, with a charge for more bandwidth; at Marriott, Rewards club members get free basic access and can pay $5 to $7 per day, depending on the market, for premium access.

The hotel group later petitioned the FCC for the ability to block guests’ personal Wi-Fi. “Marriott has a strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hot spots that can cause degraded service, insidious cyberattacks and identity theft,” it said in a statement after the October ruling.

But after criticism from guests as well as companies including Google and Microsoft, the hotel group backtracked earlier this month and said it would not block guests’ access.

Security experts say the FCC’s reinforcement of consumer choice bodes well for those looking to keep their data secure. “Any time you’re connecting to a public network, whether it’s in a coffee shop, a bookstore or a hotel, there are some basic things you need to think about,” said Geoff Webb, senior director of solution strategy for security management firm NetIQ. Namely, whether there’s someone else with malicious intent using the same network to grab some of the data you’re transmitting.

“A lot of these connections are relatively secure,” he said. But “there’s a risk that you don’t know who’s listening in.”


More hotels are expected to offer free Wi-Fi to guests this year. Marriott began offering all Rewards club members basic free Wi-Fi earlier this month, with elite members getting a faster connection. Starwood Hotels & Resorts and Hyatt Hotels also have plans to expand guest access to free Wi-Fi this spring.

Consumers planning to use one of those hotel or other public networks could benefit from a virtual private network, or VPN, said Ryan Olson, Unit 42 intelligence director for security firm Palo Alto Networks. VPNs encrypt all data going to or from your computer, helping protect you from anyone eavesdropping.

Plenty of companies offer that protection for traveling employees to secure business communications; consumers can sign up for free or low-cost VPN services such as Hotspot Shield Elite, proXPN or VPN Direct.

A better option might be the one that businesses have tried to block: Turning your phone into a personal hot spot to connect a laptop or other device to the Internet. (The logistics and cost will depend on your device, wireless carrier and data plan.) If you configure the connection securely, “those are definitely a better choice,” said Luke Klink, a security programs strategy consultant for Rook Security.


If you must use a public Wi-Fi network, make sure you have the right one. “There are tools out there that [hackers] can use to create access points that look just like the one you’re trying to get onto,” said Klink. Ask a hotel or coffee shop employee for the right network name and password to avoid joining a like-named rogue that will capture all the data you transmit.

Regardless of how secure you think the connection is, use caution when surfing anywhere that’s not home or work, said Olson. Skip online banking and other financial transactions, and avoid sending sensitive documents and emails. “If all you’re going to do is watch Netflix, that’s fine,” he said.

[CNBC]

Data Privacy Day: How ISACA Will Advance Privacy Best Practices in 2015

Today marks Data Privacy Day, and ISACA is proud to be a champion of this initiative. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. The debate over privacy seems to have shifted to a larger discussion about new types of personal information, such as location information, browsing history, Internet of Things data, individual rights and enterprise use of personal data. This expanding debate results from the proliferation of technologies, opportunities for enterprises to gain value by leveraging new data items and government’s interest in e-government initiatives. This includes taking action to protect citizens and promoting the economic opportunities that personal data use brings. The volume of personal, and often sensitive, data being collected and shared by organizations today is growing exponentially—largely because of technology advances, lower data storage costs, the rise of the Internet of Things and the emergence of major data brokerage companies.

Currently, there is a global set of privacy principles in the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013). In the last couple of years, the principle of accountability has received renewed attention as a means to promote and define organisational responsibility for privacy protection.

To help the global community implement a corresponding privacy management program, ISACA created a Privacy Guidance Task Force. Its first task was to conduct a survey regarding enterprises’ privacy governance structures and how various privacy issues and concerns are addressed. Clearly, one of the main obstacles is the complex international legal and regulatory landscape. While everybody may be in agreement on the principles, their implementation through laws and/or regulation differs across the world and, in some cases, within the same country, by state and industry sector. Business can only try to influence lawmakers to harmonize their positions, and this will be difficult because privacy is a cultural issue. ISACA’s survey was recently conducted, and its results will be published in the near future.

Enterprises need to embed privacy as an integral component of their overall governance, risk management and compliance (GRC) frameworks. Embedding privacy into GRC frameworks requires a holistic approach. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information.

As a result, the next Task Force action is to create practical guidance explaining how the COBIT 5 enablers may be used for implementing privacy in practice. It will provide specific guidance related to all enablers:

  1. Information privacy policies, principles and frameworks
  2. Processes, including personal data privacy—specific details and activities
  3. Privacy-specific organisational structures
  4. In terms of culture, ethics and behaviour, factors determining the success of privacy governance and management
  5. Privacy-specific information types for enabling information security governance and management within the enterprise
  6. Service capabilities required to provide privacy and related functions to an enterprise
  7. People, skills and competencies specific for privacy

This will constitute a framework that can be tailored to any organization. Large companies with locations in multiple jurisdictions may need to consider different internal oversight mechanisms than small or medium sized companies with a single establishment. Similarly, programs for companies that deal with large volumes of personal data will need to be more comprehensive than those of companies who handle only limited amounts of personal data. The sensitivity of the data processed may also impact the nature of a privacy management program, as even a very small company may handle extremely sensitive personal data.

With the survey and practical guidance targeted to be published in 2015, ISACA will continue on its mission to contribute effectively to the promotion of privacy and data protection best practices.

Yves LeRoux, CISM, CISSP
Principal Consultant at CA Technologies

[ISACA]
