Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in IT/Cybersecurity industry in various sectors & positions.
Whether in banking or any industry, business needs take precedence; everything else not as tangibly connected to organizational objectives and profitability is regarded as not as important by senior management.
Information security and the concept of CISO have struggled to gain prominence – this despite ISACA’s best efforts, shouting from the rooftop that information security must be part of boards of directors’ agendas and CISOs should be installed, reporting to the CEO.
During the late ’90s, the CISO position was always thought of as something connected to “IT.” It was more data security than information security. Even when I passed my CISA examination in 2005, I was given the role of “Data Security Officer” in my organization, reporting to the VP-IT.
In the banking sector, the CISO position was normally held by somebody handling network security and reported to CTO (GM-IT). We had a position called “head of IT,” and the custom of designating a CIO was quite infrequent.
Then, Reserve Bank of India (RBI) published a comprehensive report and recommendations of the working group on information security, electronic banking, technology risk management and cyber frauds, popularly known as the “Gopalakrishna Committee” report, in January 2011. This report not only mandated that the CISO position be held by a sufficiently senior-level official of the rank of GM/DGM/AGM, but also stated that the CISO report directly to the head of risk management. Thereafter, in most banks, the CISO position was held as a part of the risk management department and reported to GM-Risk Management, alternatively designated as Chief Risk Officer (CRO). Interestingly, the report also mandated that the CISO not have a direct reporting relationship with the CIO.
Not satisfied with the various banks’ response to continuing cyber attacks, RBI came out with a comprehensive cyber security framework consisting of baseline measures on 2 June 2016. Board level sponsorship was mandated, baseline controls were established and strict compliance was required, in addition to having a cyber-crisis management plan. The CISO position assumed huge relevance, and RBI expected the CISO to play a pivotal role.
Within a year’s time, RBI once again came out with a document clearly articulating the CISO role. Apparently wanting significant improvement in remediation of cyber security attacks by banks, the new mandate was for the CISO to directly report to Executive Director (ED) or the equivalent, overseeing the risk management function. Therefore, the CISO now has more board visibility than ever.
In addition, the regulator very clearly positioned the CISO role along with the CRO to establish a strong risk management framework. They both should have strong communication and work together to enable a holistic risk management approach.
This is a very good development, which will make cyber security in the banking sector more effective and the position of CISO more challenging and fulfilling. Both the positions report into the ED with their respective teams. Credit risk management and information risk management (IRM) for backing them.
With credit risk management being a proper discipline, we can soon expect that information risk management will fully mature into a robust discipline as it evolves to defend the entity against continuing cyberattacks and threats, and shapes itself to comply with associated advisories from the regulatory bodies.
Employees are fast becoming the weakest link in the defence against cybercriminals. Sometimes common sense can only go so far, as you need to make sure that best practices around security don’t go in one ear and out the other. Whether through innocent mistakes or because they were targeted for their access to sensitive information, employee error can easily open the door to malware or information theft.
Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Pure compliance-driven approaches have proven to be ineffective for organisations when used for employee security training, usually because it isn’t interesting or personal enough to capture employees’ imaginations. Businesses should focus on educating employees about how to protect their personal data, thereby encouraging employees to enact further security-orientated practices in the workplace.
Employee training may take different forms, including the increasing practice of “gamifying” cybersecurity education programs. Gamification is the process of using gaming mechanics in a non-gaming context, leveraging what is exciting about games and applying it to other types of activities that may not be so fun. Designed with elements of competition and reward, gamification programs are becoming popular because they can be used within a variety of industries.
Many businesses currently use gamification in such areas as customer engagement, and employee education and training to drive performance and motivation. Gaming elements include one-on-one competitions, rewards programs, and more.
There are two key ways business owners can use gamification as a way of addressing cybersecurity in their organisation:
1. Make training more exciting and engaging for employees
Using gamification can help businesses improve their cybersecurity in numerous ways, including showing employees how to avoid cyberattacks and learning about vulnerabilities in software.
Global consulting firm PwC teaches cybersecurity through its Game of Threats. [1] Executives compete against each other in real-world cybersecurity situations, playing as either attackers or defenders. Attackers choose the tactics, methods, and skills of attack, while defenders develop (defence) strategies, and invest in the right technologies and talent to respond to the attack. The game gives executives an understanding of how to prepare for and react to threats, how well-prepared the company is, and what their cybersecurity teams face each day.
Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly.
2. Offer incentives and rewards to encourage desired behaviours
Human error is responsible in most security breaches, with employees feeling pressured to complete work by certain deadlines and as quickly as possible, which can result in them overlooking important company policy regarding security.
For example, running so-called PhishMe campaigns can be a great way to train employees on better email security. These include regular phishing emails sent across the organisation, testing the staff’s response and action.
Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with a material reward, such as a gift voucher.
This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber-secure working environment.
At the heart of any security awareness training is education to teach employees a shared sense of responsibility for the data they work with, and the data they create and use at home. All security awareness campaigns should become part of an ongoing process, not a one-time initiative. Leaders of any business, big or small, can sometimes feel they lack the resources needed to drive an effective cybersecurity education campaign, but this can be done without breaking the bank.
Visual aids work well. Start with some small videos, posters and/or contests as a reminder to drive the message home for all to understand that security is everyone’s responsibility.
‘Fear of God’ tactics do not work. The business goal should be to build a culture of cyber awareness, so treat this like a marketing campaign with the intent to persuade and change the behaviour of an employee.
Short and concise work best. Long emails always get ignored. Keep them short and fun, and ALWAYS ensure it is a top-down approach. Employees look up to their leaders. If the leaders do not embody a cyber-secure culture, why should the employees? The aim is to educate employees about best practices, not force them to be cybersecurity experts. Make it fun and have a laugh, so everyone can learn at the same time.
Reinforcement and follow-up are key. Training is a constant; learn from what works and re-educate as needed. Re-test your newly onboarded, as well as existing, staff members on whether they fall for a phishing email, and check to see how many employees still fail to recognise a fake email. Encourage communication to report a fake and call out departmental groups that may be lagging. The aim is not to single people out, but rather create some healthy rivalry within the organisation.
Eliminating cyber risks in any business is an ongoing process, but it can be managed. We need to foster a way for employees to call out where they question something and re-educate as needed. If employees walk away from the security awareness program questioning before they click on something malicious, you have moved the needle towards being more secure.
In May, US President Trump set into motion a series of requirements to obtain an understanding of where US federal agencies stood in terms of readiness to ward off cyber attacks and assured the American public his administration valued the importance of understanding the risk, mitigating it and building a world-class workforce.
As a CISO for several organizations, including a major healthcare contractor to the US government and a global accounting firm engaged in government contracts, I have watched the evolution of the US federal government’s focus on cyber security with great care. It has always been important, but as the tools and criminals become more sophisticated, our work to benchmark our current status, manage risk and develop a highly skilled workforce of tomorrow becomes even more critical.
My professional association, ISACA, for which I’ve spent over a decade providing information security presentations and certification workshops, and whose work I am highly passionate about, also supports a strong focus on cyber security risk management and workforce development. By mid-July, the federal agencies owe the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) a risk management report or current assessment. It is the next milestone in the US Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. They will need to report information based on FY 2017 FISMA CIO metrics so everyone is reporting based on a consistent methodology. It must be based on 2016-2017 Guidance of Federal Information Security and Privacy Requirements.
Then, the OMB and DHS will use the FISMA metrics to produce agency-specific risk assessments in a report to the President. The results will serve as a way to identify new needs and offer ways to think about how to offer services differently to improve cyber security. In the future, agencies will have to conduct reviews bi-annually.
The order also calls for an action plan for implementing a framework that reduces risks and allows the network to:
Identify
Protect
Detect
Respond
Recover
Aligning with the NIST Special Publications, as well as other associated standards and guidelines, this structure will provide a common vocabulary and process sharing across the agencies. The framework plan is also due in mid-July.
From a cyber security practitioner’s viewpoint, while the timeframe is aggressive, the order is welcomed because 1) it acknowledges the importance of our interconnected government and that risks in one agency or critical infrastructure may impact others; 2) the approach is from a risk management perspective (vs. compliance), and requires an explanation as to why choices were made (strategic, operational, and budgetary considerations) to accept the current level of risk; and 3) it indicates a desire to move to current technology and updated systems.
After the reports and planning are in, there will need to be a time for reflection—a time to analyze our current situation and how we are best served as we enter a new era. Customized training will be critical. Traditional four-year degrees in computer science may not be our path forward in our new world. We’ll need to engage partners from academia, Veterans Affairs (veterans have a strong skill set that could be leveraged) and private industry.
ISACA offers cyber security training and supports exploring opportunities for non-traditional educational training to build a hardened IT infrastructure.
As a cyber security professional who has had the opportunity to see many changes throughout the landscape of my career, I believe thinking differently allows us to offer solutions that will strengthen our borders and build a more prepared workforce.
Todd Fitzgerald, SVP and Chief Administrative Officer, Information Security and Technology Risk, Northern Trust, Chicago
Recently, we discovered a new version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be one of the more advanced backdoors we have seen on macOS to date. This iteration is targeted towards victims in Vietnam and still maintains extremely low AV detection almost a year after it was first discovered. Despite having been in the wild for an extended period of time, the operation appears to still be active. During our analysis, we were able communicate directly with the command and control server as recently as early June 2017.
While there seem to be similarities to an OceanLotus sample discovered in May 2015, a variety of improvements have been made since then. Some of the improvements include the use of a decoy document, elimination of the use of command line utilities, a robust string encoding mechanism, custom binary protocol traffic with encryption, and a modularized backdoor.
Infection Vector
The new OceanLotus backdoor is distributed in a zip file. While we don’t have direct evidence for the initial infection vector we presume it’s most likely via an email attachment. Once the user has extracted the zip file, they see a directory containing a file with a Microsoft Word document icon. The file is actually an application bundle, which contains executable code. (see Figure 1). Once the user double clicks on the purported Word document, the Trojan executes and then launches Word to display a decoy document.
The malware uses the decoy document to help mask the execution of the malware. This technique is a common one for Windows-based malware, but rare on macOS. In order to achieve this layer of obfuscation, the malware author had to trick the operating system into believing the folder is an application bundle despite the .docx extension. Traditionally, macOS malware have emulated legitimate application installers such as Adobe Flash, which was how the previous version of OceanLotus was packaged.
Figure 1. Context menu and file listing
Once the application bundle is launched, it opens a hidden file in the bundle’s Resources folder named .CFUserEncoding which is a password-protected Word document (see Figure 2). It also copies this file to the executable path and essentially replaces the application bundle after persistence has been set up. This would lead the victim to believe that nothing was amiss, as they thought they were opening a Word document and a Word document opened. In this case, the Word file has the name “Noi dung chi tiet.docx”, which is Vietnamese for “Details.”
Figure 2. Decoy document prompts for a password to open the file
Persistence
Compared to the previous version of this backdoor, the persistence mechanism for this remained largely the same. This version creates a Launch Agent that runs when the victim host starts up, where as in the previous version execution was upon when a user logs in. It also copies itself to a different location and filename based on the UID of the user who ran the application.
For a user other than root, it takes the MD5 hash of the structure returned by getpwuid() and breaks the hash down into segments <first 8 chars of hash>-<next 16 chars of hash>-<last 8 chars of hash>. This segmented MD5 hash is prepended with “0000-“ then used as a directory in ~/Library/OpenSSL/ to store the executable file (see Figure 3). If the user is root, the executable is stored in the system wide library directory at /Library/TimeMachine/bin/mtmfs.
It is interesting to note that the executable and plist locations look like legitimate applications.
Figure 3. plist and executable names and locations based on UID
Once the malware has set up persistence, it deletes the application bundle from the executable path leaving the decoy document in its place and launches itself as a service from the new location.
No Command Line Utilities
One of the first things we noticed about this backdoor is the lack of suspicious strings which often times provides context as to what the malware might do on a victim host. In most macOS malware, calls to the system() or exec() functions to run additional scripts are in place. In this case, these were not present nor were there command line utility strings that may easily convey the malicious intention of the application. This shows a deep level of understanding of the macOS platform by the author of this backdoor compared to other threat actors that will commonly copy and paste scripts from the Internet.
The lack of these strings may also double as an anti-analysis technique to make the malware seem less suspicious, especially to basic static analysis.
String Decoding
Since there appear to be no obvious suspicious strings in plaintext, we move onto the possibility of use of encoded, or obfuscated strings.
The string decode routine for this backdoor is an upgrade from previous versions in which strings were XOR encoded with the word “Variable” as a key. The string decode routine now consists of a combination of bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. Figure 4 shows a Python implementation of the decode function.
Figure 4. Python implementation of the malware’s string decode function
After decoding the strings (see Figure 5), we can glean that the malware sets up persistence, surveys the victim’s computer, and sends this information back to a server. At this point, it is still not obvious that this malware contains backdoor functionality.
Figure 5. List of decoded strings
Custom Binary Protocol and Encrypted Traffic
The threat actors responsible for this malware appear to have spent some amount of effort to develop their own custom communication protocol. They did not simply use an off-the-shelf web server for their command and control server, as is commonly done. Instead, they created their own command and control mechanism.
The backdoor uses a custom binary protocol on TCP port 443, a well-known port that is unlikely to be blocked by traditional firewalls due to its use in HTTPS connections. The packet seen in Figure 6 is encoded with a combination of bit shifting (see Figure 7) and XOR with a key of 0x1B before it is sent. The bits are always rotated to the left 3 times before doing the XOR operation. This is an improvement from the previous version where the packet was only XOR encoded with a key of 0x1B.
Figure 6. Initial packet sent by the client to the server
Figure 7. Bit shifting function used in the encode/decode routine for network packets
After decoding the packet, we can see a breakdown of different fields. Figure 8 shows the initial packet sent by the client to the server. It is relatively empty aside from the “magic” bytes, length of data and type of communication.
Figure 8. Initial packet sent by the client to the server (decoded)
Depending on the command response sent from the server, a packet may be bigger than 0x52 bytes. Data beyond 0x52 bytes is zlib compressed then encrypted with AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.
We captured live traffic from the server, and observed that the encryption keys sent from the server are ephemeral. This means that each new session with the server is given a different key used to encrypt data sent back and forth within that session. This is a marked improvement compared to the previous version, where only XOR encoding with a one-byte key was used for encryption.
After decoding the packet it receives from the server, the backdoor validates certain fields like the “magic” bytes and makes sure the length of the data being received is not over a certain amount. Throughout the program execution, it also checks and handles any errors that may have been generated.
Command and Control Communications
The command and control server communication sequence is as follows:
The client initiates a session with the server by sending a packet with 0x2170272 in the command field.
The server then responds with an ephemeral encryption key and a command.
The client checks if the received packet from the server is valid.
The client executes the command sent by the server and responds with a zlib compressed and AES encrypted blob of the result then sends this back to the server.
Unlike the previous versions of OceanLotus where the commands can be easily gathered from its strings, the author has obfuscated the functions with constant values. We decoded the following available commands as seen in Figure 9.
Command
Command Description
0x2170272
Initialize
0x5CCA727
???
0x2E25992
receive file from server
0x2CD9070
get info on a file / directory
0x12B3629
delete file / directory
0x138E3E6
???
0x25D5082
execute function from a dynamic library
0x25360EA
send file to server
0x17B1CC4
???
0x18320E0
send victim and computer information together with the backdoor’s watermark
0x1B25503
execute a function from a dynamic library
0x1532E65
execute a function from a dynamic library
Figure 9. List of commands available
Command 0x2170272
When the backdoor is launched, a file is created in /Library/Preferences/.files or ~/Library/Preferences/.files depending on the victim’s user ID. This file (see Figure 10) contains a timestamp and the victim’s name concatenated with the machine’s serial number which is then hashed twice with MD5. This is then copied to a buffer that is 0x110 bytes long and AES encrypted in CBC mode with a null IV and a key of “pth”. It is then saved into the file.
Timestamp + MD5(MD5(<victim’s name + machine serial number>))
After this file is created, the client sends its first packet to the server with 0x2170272 in the command field. The server acknowledges and responds with the same command and the client verifies that the file has been created.
Figure 10. Decrypted contents of ~/Library/Preferences/.files
Command 0x18320E0
The server then sends this command with an ephemeral key shortly after it sends the 0x2170272 command. The client gathers all the data seen in Figure 11, encrypts it with the key provided by the server and sends it back. One thing to note is the Base64 string that is sent in this packet. This string is static in the binary and does not change, which may be indicative of a marker for campaign or version identification.
\x00\x00\x004137674062B3226FE630C24F7DE1021E\xe9\x0f\x00\x00\x00Mac OS X 10.X.X\xb6\x03\x00\x00
\x05\x01\x00\x00f\x00\x00\x00Model ID:iMac8,1\nCPU:Intel(R) Core(TM)2 Duo CPU T7700 @ 2.40GHz\nMemory:4.00\nSerial No:XXXXXXXXXXX\x00\x00\x00\x00
Figure 11. Decrypted contents of a packet sent by the client to the server
Not highlighted in Figure 11 but also included in this packet is the kernel boot time which may be used by the C2 server to help determine if the backdoor is being run in a sandbox environment.
Commands 0x25D5082, 0x1B25503, 0x1532E65
These commands load a dynamic library using dlopen() and obtains a function pointer to execute within that shared library using dlsym(). Unfortunately, we do not know which dynamic libraries or functions are used for each command since these are server supplied and we were not able to capture any communication that used these commands.
However, we can postulate that since the parameters to the functions have the same number of arguments with the first being a fairly large constant similar to the command constants, (see Figure 12) and the backdoor has a function for receiving files, it is possible that these functions correspond to a shared library that the server uploads to the victim host. This means that additional functionality can be added to this backdoor by loading modules directly from the C2 server.
Figure 12. Snippets showing loaded function pointers and their parameters
Conclusion
Most macOS malware in the wild today are not very complex, but threat actors have been quickly improving their tradecraft. The increased level of sophistication and complexity may be indicative of increased targeting of macOS hosts looking to the future. With this OceanLotus attack in combination with recent macOS versions of the Sofacygroup’stoolset, we have now observed multiple espionage motivated threat actors targeting macOS. It is imperative that the same types of strong security practices and policies organizations use to defend Windows devices are applied universally to include macOS devices as well.
Apple has already updated the macOS protection systems to address this variant of OceanLotus.
Palo Alto Networks customers are protected and may learn more via the following:
Samples are classified as malicious by WildFire
Domains and IPs have been classified as malicious and IPS signatures generated
AutoFocus users may learn more via the OceanLotus tag
Indicators of Compromise
Hashes
b33370167853330704945684c50ce0af6eb27838e1e3f88ea457d2c88a223d8b Noi dung chi tiet.zip
Two of the most pressing cybersecurity tasks of our time are the need to dramatically grow the size of the workforce, and to create one that is agile enough to keep up with the shifting sands of today’s business landscape. Infosec Europe’s keynote panel session “Building an Agile Security Team for the Future,” chaired by (ISC)²s EMEA managing director Adrian Davis, saw leading frontline professionals from travel search giants Skyscanner, to transport operator Network Rail and the UK government, discuss how these challenges might be addressed.
The first key insight was that an agile cybersecurity team cannot have fixed, traditional role boundaries. Having fluid job roles allows cybersecurity professionals the ability to learn new skills, aspire to achieve managerial positions and help other business units by working outside their “techie” comfort zones. Crucially, the ability to transcend fixed role boundaries gives the flexibility to adapt to a diverse array of threats. Network Rail CISO, Paul Watts, explained how professionals in his team are constantly talking to, and working with, professionals from other teams and departments, as they recognise that innovations must draw on as wide a pool of expertise as possible, and that cybersecurity now encompasses all business units.
Vicki Gavin, head of information security at The Economist Group explained that the key to achieving a team that transcends traditional role boundaries was to “hire for inclusivity, not exclusivity.” Pruning the job specs helped to draw in a more diverse pool of talent. Women, for example, are less likely to apply for roles with lengthy job specs, unless they believe they are fully competent at each one of them. It is also vital to remove unconscious bias from the recruitment process; for example, building role profiles around the last person who did the role means that recruiters are continuously hiring the same kind of person – largely older males – and failing to open doors to millennials, women and people from other professions.
Rather than exclusively hiring qualified off-the-shelf tech specialists, cybersecurity employers should broaden the talent net by hiring for attributes, rather than qualifications, and investing more in training. Instead of recruiters searching for superman. The truth is that it may be necessary to build superman from scratch. There are many ways to attract new people into the industry, and the answer can be on your doorstep. Watts explained that he found someone in marketing who had an interest in cybersecurity, but no experience in the role. He offered her a brief secondment with his team and she quickly picked up the skills and brought a completely new perspective to the team.
The panel remarked that while traditional recruits to the industry can be risk-averse and afraid of chaos, an agile security team is one that is innovative, prepared to “fail forward” and “doesn’t ask for permission, but asks for forgiveness.”
In a world where cybersecurity transcends any one business department, an agile security team must also be one that can speak the language of every business unit, from the board to the marketing team. It must be a team as diverse as the business it operates in, and a team that has technical knowledge garnished with soft skills. As one panellist remarked “in an increasingly amorphous industry, we need an amorphous workforce.”