In the recent past, a Fidelis XPS user reported seeing detections of what appeared to be botnet-related malware. While that customer was protected, we at General Dynamics Fidelis Cybersecurity Solutions decided to take a closer look. The analysis of the malicious code revealed that it appeared to be Andromeda but the delivery infrastructure looked interesting. Further telemetry from our sensors showed that this server in China was also hosting and distributing many other malicious specimens. Analysis of the data revealed a pattern in the filenames. Our analysts used this pattern to discover other systems distributed across the globe serving up various botnet malware, so far assumed to be used in distinct campaigns but clearly related in this case:
Analysis also showed how attackers continue to benefit from the use of globally-distributed hosting providers to perform their malicious activities. Further, the analysis revealed how attackers are hosting and distributing identical copies of the malware from servers in different countries including China, Poland, Russia, and the United States.
For the period of time researched in this activity, we observed the following targeted sectors in the US:
Manufacturing / Biotechnology & Drugs
Professional Services / Engineering
Information Technology / Telecommunications
Government / State
Note that our footprint is largely in the Enterprise space and it is possible that we’re seeing spillover from wider campaigns.
The following diagram illustrates the relationship between some of the malicious servers, malware hosted/distributed, and vertical markets:
The following diagram illustrates the relationship between some of the malicious servers, their locations, the malware hosted/distributed, and the malicious servers to which the malware beacons with POST requests and from which it downloads additional malware:
This document uncovers various servers hosting Bots and other related malware, provides a triage analysis of various pieces of malware hosted by these malicious servers, and provides indicators that network defenders can use to protect their networks.
To see the full report and findings, visit the Fidelis Threat Advisory #1014 here.
Fighting through the noise of breaking breaches and new vulnerabilities, something else in the security industry has been making headlines lately: security research collaboration, often involving vendors that might compete in the marketplace.
The reason for this is fairly obvious - we all face the same common enemy (malicious threat actors targeting organizations’ networks) and it’s important to form a united front. In the battle against cyber threats, this can take shape in different ways:
Coordinated research and action: Whether applied in breach forensics investigations or in the proactive protection technologies that prevent them, strong threat intelligence can be a key advantage against the bad guys. Various players in the security community tend to have their own investigations in progress and certainly possess their own datasets. We in the community find it useful to actively collaborate on such research, often bringing unique capabilities to bear. An example of this might be the revelations around ‘Operation SMN’ involving Novetta, iSight Partners, Microsoft and others. The depth and detail in the report likely could not have been achieved if the entire project had been driven by a single participant.
Enriched research: In numerous cases, an outcome of the open publication of threat intelligence is that other researchers are prompted to search through their datasets, often leading to more findings and a vastly more comprehensive view of the threat activity. There might not be overt collaboration but we’re all paying attention to what is being published and every piece of threat intelligence that is shared provides an opportunity to discover new insights based on our respective research. This often leads to another round of public sharing of data. One of my favorite examples in recent months was Recorded Future with this post on Operation STTEAM.
Individual collaboration: Many of us are present in sharing communities based on trust and even if our day jobs involve working at vendors in a competitive marketplace, we recognize the value in sharing intelligence behind the scenes, again with the common goal in mind.
It has simply been one hell of a year. We've seen shocking vulnerabilities in technologies that are supposed to be the bedrock of our digital lives: the "Heartbleed" SSL vulnerability and the "Shellshock" bash bugs shook our confidence in any software's ability to keep its promises about security. We've seen a continuing and unabated string of high profile credit card breaches. There's a long list of companies falling like dominoes to online bad guys and yet this list includes companies you'd rightly expect to have the right combination of security people, process and technology to keep their names out of the papers. What the hell is going on?
"Our adversaries are out for the whole ball of wax: stealing the ball, setting fire to the wax factory and giving away forty billion free candles."
I've been in this business long enough to approach headline after headline with a degree of cynicism. There's more than enough hysteria to go around about the shifting threat landscape, and with each ever-more-breathless headline I've been shrugging it off with a few tried-and-true themes: "if they want you bad enough they are going to get you." "Retailers haven't been substantially harmed by decades of credit card breaches; they buy identity protection for those affected and they move on." "This is a very hard problem and there's no solving it with technology alone." "You don't have to run faster than the bear, just faster than your buddy." And so on.
Many -- and I do mean MANY -- companies are playing chess every day and don’t even realize it. They’re not playing a fun game where win-or-lose, nothing happens. They are playing a game where the stakes are high and the cost to win may not be quantifiable. You are probably thinking, “What is she talking about…?” Well, I’m talking about cybersecurity.
When your opponent gets in your network, they take over. They watch your every move and every time you see a glimpse of their moves, they change their plans and adjust their tactics. Just like a chess match, they are watching you and adjusting their strategy based on your reactions to their moves.
Here’s where things start to change: they are not necessarily looking for checkmate; in fact, oftentimes they are actively avoiding it. They want to ensure the game continues, so they can keep moving around silently and evade detection while valuable information like intellectual property and customer data continues to be absconded with.
I just got done reading the DTCC’s White Paper entitled Cyber Risk – A Global Systemic Threat (PDF). The white paper outlines seven recommendations for policymakers that they state will further an “aggressive agenda to combat cyber threats.” Four of the seven recommendations refer to information sharing between and among governments and businesses.
Information sharing is a fabulous idea, but is easier said than done. Everyone in my field of cybersecurity agrees that information sharing is a good thing. If you show me your signatures, then I’ll show you mine. If my NG firewall finds a new 0-day CryptoWall variant, then it would be helpful to share this with other companies so they don’t get hit by the same variant. Obviously, reciprocation of sharing is expected, or in actuality, hoped for with the myriad of SLAs and annual maintenance contracts organizations have with cloud-enabled security tools.
Everybody today is so busy with their day-to-day operations and duties that we often focus only on putting out the fires we are faced with at any given moment. It is hard to find time to take care of “good housekeeping” items, let alone to prepare for something that may never happen. Unfortunately, being the victim of a cyberattack is much more a question of “when” than “if.”
Building an incident response plan is something that every company should do immediately if they haven’t done so already. For companies that have a “Playbook” already, it is vital that you conduct exercises so the plan gets committed to “muscle memory” as much as possible.
One of the first items to define in your plan is the Incident Response Team (IRT) roster. Some members are obvious, like information technology and security staff as well as the appropriate management up to and including the CIO and CISO. Other, less obvious members should be General Counsel, the CFO and public relations. Network breaches are often the subject of costly civil litigation and are definitely newsworthy. It is imperative that messaging to regulators, investors, and customers is done in a timely, accurate and appropriate manner. Improper messaging can and has caused significant damage to brands and reputations.
You may have seen the news yesterday from General Dynamics Fidelis Cybersecurity Solutions that we have expanded our partnership with Bit9 + Carbon Black. We’re pretty excited about this news as it will allow our Network Defense and Forensics team to use Carbon Black to supplement our network visibility and reveal the entire “kill chain” of the attack.
Anyways, given our growing partnership I was curious about their thoughts on the recent trend of high-profile data breaches and the collection of historical data, so I sent some questions over to Ben Johnson, chief security strategist at Bit9 + Carbon Black (@chicagoben). You can see our exchange below.
Q: Given the high-profile nature of recent data breaches, how do you see the cybersecurity landscape changing? And, what is the most important thing for IT security staff to understand as we move forward in the ever advancing world of advanced and targeted attacks?
The list of vulnerabilities that are collectively known as Shellshock keeps growing. There are many parallels to Heartbleed that have been widely noted, including the memorable names that distinguish them from the classic CVE. And while we try to assess which has the bigger impact, there are a few key distinctions that are worth noting:
Announcement/Patch cycle: While some members of the security community were notified under embargo, the general announcement for Heartbleed was concurrent with the availability of the OpenSSL patch. This meant that the announcement started a frenzied patch cycle but for the most part, remedial activity was fairly focused. Shellshock, on the other hand, broke open without an upstream patch having been made available and even when the patch was released, it was clear early on that it was insufficient so the pervasive vulnerability persisted. This has been compounded by the series of other vulnerabilities that have been discovered in the days since.
Stealth: Remember that the exploits with Heartbleed, ranging from login credential theft to getting a server to cough up its private keys from memory, were achievable more or less silently, with no activity that would be noted or logged by the typical system. Shellshock is a classic remote exploit vulnerability. Whether it involves getting co-opted into a bot or a more sneaky backdoor, some amount of coverage for the secondary activity is achieved through robust security practices. For this reason alone, Heartbleed remains the scarier vulnerability in my books.
Surface Area: Heartbleed was a direct, frontal assault on OpenSSL. Shellshock affects a range of services with very little in common, other than the use of Bash. This will no doubt lead to an extended remediation cycle for Shellshock.
Ease of Use: The number of exploitation techniques for Shellshock has proliferated over the last few days, and the first bot proof-of-concept code was published within hours of the vulnerability having been announced. Widespread familiarity with the utilities involved (Apache, Bash, etc.) has meant that there’s a lot of experimentation going on. Heartbleed exploits certainly evolved too, but the deviation from the original POCs was limited.
This isn’t meant to be a comprehensive list, but rather some of the differences in impact that are emerging even as we work to understand the full ramifications.