Palo Alto Networks 2015 Predictions: Datacenter

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)


1. Cloud security will become less cloudy

It’s amazing how fast things change. It was not that long ago that cloud computing skeptics said that no one will use the cloud for business applications because of the security issues. Now we hear from customers that they are moving entire datacenters – not just select applications – to the cloud. Why? Ubiquity is one reason. Reduced costs are another. Finally, they are realizing that security — specifically next-generation security — can be used to protect their applications and data from advanced cyber attacks. But traditional, port-based security technologies cannot exert the same levels of control.

With the recent release of our VM-Series for both Amazon Web Services and KVM joining Citrix SDX and VMware ESXi and NSX support, 2015 will be the year that customers can protect their public, private or hybrid cloud-based applications using the next-generation firewall and advanced threat prevention features found in our enterprise security platform. Further clarifying cloud security will be the elimination of the time-lag between virtual machine provisioning and security deployment through the use of native automation features such as VM-monitoring, dynamic address groups and the XML API.

2. The benefits of network segmentation based on Zero Trust will be realized

During a recent customer visit, a tenured networking professional challenged our discussion around network segmentation based on Zero Trust principles, stating he had been segmenting the network for security for years. “So what’s new here?” he asked. Conceptually there is nothing new here; rudimentary network segmentation can be done by routers, switches and even firewalls. The key difference is in the level of granularity by which we can segment the network.

The rash of recent high profile breaches — where attackers hide in plain sight on the network — points to the need for segmentation principles that are more advanced than mere port, protocol or subnet. As the conversation with this networking professional continued, I pointed out that with the application identity, a view into the content and knowledge of who the user is, we can segment business critical data and applications in a far more granular fashion than rudimentary segmentation would allow.

Specifically, we can verify the identity of specific business applications, forcing their use over standard ports and validating the user identity. We can find and block rogue or misconfigured applications — all the while inspecting the application flow for file types, and blocking both known and unknown threats. In 2015, I expect to see many organizations continue to re-think how they are segmenting their network and applying the Zero Trust principle of Never Trust – Always Verify, using the application, the respective content and the user as the basis for policy enforcement. The benefits our customers will begin to realize include improved security posture with less administrative effort.

3. 2015: The year of focus

According to IDTheftCenter.Org, 2014 had, as of Dec 2, 708 data breaches resulting in the loss of more than 81 million records. That represents data from roughly 25 percent of the U.S. population and the year isn’t even over. So in the spirit of Christmas, my last forward looking 2015 entry isn’t a prediction but a wish. While I don’t believe we will ever know the details behind the 700+ breaches, it’s safe to say that there were multiple steps along the way where someone could have said, “We could have been more focused here.” My 2015 wish is that users, netsec professionals and executives all become more focused on their respective network security responsibilities.

  • Users: Focus on the fact that you are integral to network security – even though you may not see yourself as an attack target, you can easily be an attack entry point. So here are some simple steps to lessen that risk. Count to five and think about the link you are clicking on. Look closely at it, and if you have doubts, don’t click. Say yes to your software (e.g., IE, Adobe, Firefox, etc.) updates, as they often include patches for the vulnerabilities that exploits target — aka attack vectors. Lastly, think about what you do on your company network this way. It’s your benefits, payroll, and other personal data that are at risk, not just the company’s data.
  • Netsec professionals: I wish you had more time, but I’m a realist. My wish for you all is that you be more focused (than you already are) on things that appear out of the norm: strange traffic patterns or application usage in the datacenter, odd outbound behavior around the use of RDP, SSH or TeamViewer, odd data or application access requests. What we do know about many of these attacks is that the activity was hiding in plain sight using common applications – focus and vigilance may help us stop the progress of these attackers.
  • Executives: 2014 showed that not only your company reputation, but also your career is on the line. In 2015 you should focus on becoming more knowledgeable about your data. Where is it stored? Where is it going on the network? Is encryption in use? What SLAs are in place if it is stored externally? With that information in hand, ask your brightest netsec minds what else you can do to protect the data.


Datacenter security is among many industry-specific topics planned for Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]


Keeping Up with Emerging Technologies Amidst Legislative Lag

Government organizations, such as the US Congress, can be a bit slow on the uptake, taking decades to recognize new technology and adjust our laws accordingly. For industries that deal with sensitive data, however, relying on legislative lag can lead to a false sense of security. Governments around the world have grown wise to the rapid pace of technological development, and the law is prepared to incorporate new technology as it is developed.

Some of the biggest challenges faced by businesses that handle sensitive personal data are best practices laws. Best practices laws demand a constant awareness of current and new technology and its potential impact on a client’s business practices. Depending on your field, privacy laws and regulations are often so vague that “best practices” just means the most conservative practices you can design, including a good insurance policy.

Contractual obligations are another challenging part of maintaining sensitive data. Businesses and governments frequently mandate data protection via contracts. The European Union (EU) recommends contractual clauses designed to export its privacy regulations to foreign businesses dealing with companies from the EU. Banks, insurers and other large corporations often maximize their protection by demanding “all reasonable protections,” “the utmost care” and other vague statements that seem more concerned with shifting liability to their contractual partner than actually protecting sensitive data.

Employing best practices and fulfilling vague contractual obligations requires an understanding of technology that is still in development. Early adopters of encryption no longer rely on DES and other outdated standards, depending instead on expert consultants who apprise them of improvements and new standards. These experts now regularly advise on more modern technologies and practices, such as AES in encryption, FPE in tokenization, multi-layered privacy design and merging of access identity management practices with encryption and de-identification policies. Although not all of these technologies are relevant to all businesses, some are mandated or recommended, and others become relevant due to vague regulations or contractual obligations. The need for technological mobility, flexibility and increased performance requires more points of access and greater protection, in turn leading to bottlenecks and runaway costs. Thus, both profit and compliance demand fast adoption of emerging technologies.

Your client’s cybersecurity obligations must also be balanced with its duties under transparency laws and regulations. Transparency and privacy have always been in conflict. Today, we see evidence of the privacy/transparency conflict in arguments over making health data available to researchers, censoring internet search results in the name of privacy and, of course, the ongoing public debate about mass surveillance. You know your client’s current transparency obligations, but how can you prepare them for the future without further sacrificing data security? Developments in the EU offer a good insight into a difficult new reality, one where the privacy concerns of the past are swept under the rug every time a new technology promises to minimize the privacy impact of new transparency rules. The European Medicines Agency (EMA) recently mandated increased transparency of clinical research data—requiring researchers and companies to share sensitive data among themselves while necessarily mitigating the risks of a data breach. Even businesses have joined the fight, with Google and the BBC both planning to undermine the EU’s “Right to be Forgotten” ruling via new transparency reports.

The US has already begun debating the merits of copying the EU’s rules, and American corporations are preparing themselves for the changes around the corner—and confronting the ones that are already here. We all balance priorities in constant conflict: compliance, maintaining consumer confidence and generating a profit. Governments know that new technology is the primary force shaping this balance, and the onus is on businesses to make sure they keep up.

Harris Buller, Attorney, HushHush

Virginia Mushkatblat, Founder of HushHush

[ISACA]

Follow-On to VBA-Initiated Infostealer Campaign: Exploring Related Malware and Actors

In late October, we began examination of a VBA-initiated Infostealer campaign. This blog post follows up on additional information we gathered on related malware and associated actors.

Pivot On Initial Predator Pain Sample C2

In our previous post, we identified two Command and Control (C2) fully qualified domain names (FQDNs) for the initial Predator Pain sample analyzed: mail.rivardxteriaspte.co[.]uk and ftp.rivardxteriaspte.co[.]uk. We were interested in seeing whether any other malware samples had been observed communicating with these FQDNs and, if so, to which malware family they belonged.

Leveraging the Palo Alto Networks WildFire platform, we found an additional 14 samples that communicated with one or both of these C2 FQDNs between December 27, 2013, and August 1, 2014 (Table 1).

While anti-virus (AV) detections varied widely, all of these samples belong to the Predator Pain keylogger malware family. Additionally, a number of samples were also packaged with the Limitless keylogger, most likely for its exfiltration capabilities. Although Limitless is easily modified, one clear indication that it is employed is a default POST request over TCP/80 to the following URL:

http://www.limitlessproducts[.]org/Limitless/Login/submit_log.php

Both of these keylogger packages are available in the cybercrime underground for less than $40 USD, with cracked versions available for free (albeit with potentially unwanted “features”). The samples observed had the following capabilities (ordered by prevalence):

  • Collection of system information
  • Web browser password extraction
  • E-mail password extraction
  • Screenshot capture
  • Logging of web browser activity
  • Logging of e-mail activity
  • Logging of chat activity
  • Internet Download Manager password extraction

Figure 1 presents a malware-centric view of identified samples, categorized under the dominant malware family of Predator Pain.

The newly identified samples were almost exclusively downloaded from one domain, nova.co[.]in, which resolved for some time to the same IP as the download domain for the initially analyzed Predator Pain sample, 209.160.24.197. Sometime between mid-March and the first of August, the nova.co[.]in IP resolution shifted to 209.160.26.174. The download domain view of those samples for which data was available can be found in Figure 2.

The broader set of malware also revealed five samples that reached out to Pastebin, as an additional C2-oriented request. Associated Pastebin pages were no longer active when checked in November 2014. Figure 3 depicts the C2 communications for samples.
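As an added example (not code from the post or from Palo Alto Networks), the indicators named above are refanged and matched against a few constructed proxy log lines, so a defender can see which internal host touched the Predator Pain C2 FQDNs, the download domain and IPs, or the Limitless default POST URL. The log format, the file paths in the sample lines and the pastebin.com hostname are assumptions; the C2 FQDNs are mail/ftp hosts, so DNS logs are the better place to look for those in practice.

```python
import re
from urllib.parse import urlparse

# Indicators as written in the post (defanged); refanged below for matching.
C2_HOSTS = {"mail.rivardxteriaspte.co[.]uk", "ftp.rivardxteriaspte.co[.]uk"}
DOWNLOAD_HOSTS = {"nova.co[.]in"}
DOWNLOAD_IPS = {"209.160.24.197", "209.160.26.174"}
LIMITLESS_URL = "http://www.limitlessproducts[.]org/Limitless/Login/submit_log.php"
PASTEBIN_HOST = "pastebin.com"  # assumption: the post only says "Pastebin"


def refang(ioc):
    """Undo the [.] / [at] escaping the post uses for indicators."""
    return ioc.replace("[.]", ".").replace("[at]", "@")


C2 = {refang(h) for h in C2_HOSTS}
DL_HOSTS = {refang(h) for h in DOWNLOAD_HOSTS}
LIMITLESS = urlparse(refang(LIMITLESS_URL))

# Constructed log format (assumption): "<ts> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify(line):
    """Return an indicator label for a proxy log line, or None if it matches nothing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    # Limitless default exfil: POST to the fixed path over plain HTTP (TCP/80).
    if (m["method"] == "POST" and host == LIMITLESS.hostname
            and url.path == LIMITLESS.path and url.port in (None, 80)):
        return "limitless_default_post"
    if host in C2:
        return "predator_pain_c2"
    if host in DL_HOSTS or host in DOWNLOAD_IPS:
        return "download_domain"
    if host == PASTEBIN_HOST or host.endswith("." + PASTEBIN_HOST):
        return "pastebin_c2_candidate"  # noisy on its own; useful alongside the others
    return None


def scan(lines):
    """Return (source_ip, label) for every line that matched an indicator."""
    return [(line.split()[1], v) for line in lines if (v := classify(line))]


def summarize(hits):
    """Group labels per internal source IP; several labels on one host raise confidence."""
    out = {}
    for src, label in hits:
        out.setdefault(src, set()).add(label)
    return {src: sorted(labels) for src, labels in out.items()}


# Constructed sample log lines (not real traffic); paths are made up.
SAMPLE_LOG = [
    "2014-07-15T09:12:01Z 10.1.2.3 GET http://nova.co.in/update.exe 200",
    "2014-07-15T09:12:07Z 10.1.2.3 POST http://www.limitlessproducts.org/Limitless/Login/submit_log.php 200",
    "2014-07-15T09:13:00Z 10.1.2.3 GET http://mail.rivardxteriaspte.co.uk/ 200",
    "2014-07-15T09:14:00Z 10.1.2.9 GET http://www.example.com/index.html 200",
    "2014-07-15T09:15:00Z 10.1.2.3 GET http://209.160.26.174/payload.bin 200",
    "2014-07-15T09:16:00Z 10.1.2.4 GET http://pastebin.com/raw/abc123 200",
]

if __name__ == "__main__":
    for src, labels in summarize(scan(SAMPLE_LOG)).items():
        print(src, labels)
```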

Additional Actor Analysis

In our last post for this campaign, we attributed the focal Predator Pain sample to an actor that goes by the handle “Skozzy”. The profile for the related malware enumerated above further supports this attribution, given the shared C2 infrastructure and dominance of two malware packages favored by this actor.

In an attempt to gain further insight into this actor, we also performed a pivot on WHOIS registrant information for the initial Predator Pain sample’s C2 domain. This revealed a “Josh Frank” (sometimes “Josh Franks”, “Franks Josh” or “Josh Frank Kelvin”) persona, which in turn was confirmed as associated with both 419 and dating scams, under at least the following e-mail addresses:

  • frankjosh61[at]yahoo.com
  • frankjosh60[at]yahoo.com
  • joshfrank615[at]yahoo.com (potential)

Additionally, this persona is known to register domains under two organizations, “Xteria pte” and “Amorex”, and has been observed using registrant contact information and/or social engineering references from Malaysia or the United Kingdom. Correlated domains lean towards financial (e.g., banking, brokerage) and dating themes, with registrar activity observed for associated domains as late as October 2014. A sampling of domains linked to this persona follows:

  • maybnk2u-malaysia[.]net
  • lexusmalaysia[.]com
  • attaccq[.]com
  • ahaldarazi[.]com
  • tegbet[.]com
  • acemovement[.]com

While it cannot be said with certainty that “Skozzy” and “Josh Frank” refer to the same individual, it is clear that there is a tie between the two in terms of motivations and objectives: financial gain through personal and/or business fraud.

Expanding on Actor Motivations and Objectives

As noted in the previous blog post on this topic, “roles across nation state, cybercrime, hacktivist and ankle-biter/script kiddies are not mutually exclusive and – in fact – continue to become fuzzier over time.” Actors using tools such as Predator Pain and Limitless have a myriad of options at their disposal for information collection. This extends into an equally broad range of potential malicious uses for that information. It also further blurs the lines between malicious actor categories, translating into increased challenges in characterization/qualification and attribution for cyber attacks.

Opportunism further extends within each of these malicious actor categories – especially with greater availability and a lower cost of entry for increasingly sophisticated and effective tools. One example is the shift by some cybercrime actors away from information theft from individuals and instead scaling up towards higher-yield attacks against companies and organizations. Clever application of sensitive insider information gleaned from such tools can serve as a multiplier to the perceived legitimacy and potential impact of more precise second-stage social engineering and/or malware attacks.

With the demonstrated success of such tools and techniques to date, we anticipate continued growth in the number of these types of attacks in the future. The Palo Alto Networks Enterprise Security Platform can prevent, address and minimize the risk of these and other associated threats. Learn more about the platform here.

[Palo Alto Networks Blog]

Palo Alto Networks 2015 Predictions: Financial Services & Payment Processing

As 2014 comes to a close, our subject matter experts check in on what they see as major topics and trends for the new year. (You can read all of our 2015 predictions content here.)

Although financial institutions have long allocated resources to security, they have often been under siege, and have frequently been victims of some of the largest breaches in recent years.

Bottom line: they still need to do more. Here are a few of my predictions on this industry for 2015:

1. The pace of investment will accelerate and companies with best-in-class security will stand out.

2015 will see a change in the level of innovation and investment, and overall spending and investment in resources will accelerate, driven by companies that have kept pace with security, implementing all best practices, from network segmentation to systematic patching.

Organizations that have best-in-class security will stand out from others who still need to catch up. We’ll know this because hackers will prey on the least protected companies as low-hanging fruit – easy to spot.

2. More regulations will surface for segments that are core to the integrity of the international financial markets including trading exchanges.

In 2014, the SEC in the US and its Office of Compliance Inspections and Examinations (OCIE) issued an alert focusing on the cybersecurity preparedness of institutional investment organizations and capital markets. More than 50 registered investment brokers and advisers were surveyed on their level of preparedness.

This exercise is just one of many examples showing that more guidelines and, potentially, regulations will be crafted to ensure a consistent and higher level of security in financial markets. The SEC guidelines and survey documents can be used today as a resource to evaluate your security posture. Use the alert to close any gaping holes in your defenses!

3. 2015 will see the start of the overhaul of the payment processing segment, especially in the US.

American credit cards have historically been lagging behind the rest of the world when it comes to security. While the US market will slowly migrate to chip and pin cards, the market is now opening for more innovative payment technologies.

Unfortunately, priorities on new payment technologies are still based on costs and fees more than security. 2015 will most likely be the year where the adoption of Apple Pay or Google Wallet by consumers gets weighed against merchants’ preference for the alternative CurrentC because of its lower fee model.

Just like any other new and hyped technology, Apple Pay and virtual payment schemes will no doubt become prime hacking targets. Securing payment processes should remain a top priority for any business.


The challenge of securing financial services organizations is among many industry-specific topics planned for Ignite 2015, where you will tackle your toughest security challenges, get your hands dirty in one of our workshops, and expand your threat IQ. Register now to join us March 30-April 1, 2015 in Las Vegas — the best security conference you’ll attend all year.

[Palo Alto Networks Blog]


Palo Alto Networks Named a Winner in GSN 2014 Homeland Security Awards

We’re pleased to announce that Palo Alto Networks has won in the Government Security News Homeland Security Awards category for Best Network Security/Enterprise Firewall.

We were also announced as a finalist in the Best Anti-Malware Solution category.


The GSN 2014 Homeland Security Awards Program was organized to honor distinguished vendors of IT Security and Physical Security products and solutions and the dedicated federal, state, county and municipal government agencies, whose combined efforts help to keep the United States secure.

You can view the full list of Homeland Security Awards winners here.

[Palo Alto Networks Blog]
