Fidelis Threat Advisory #1013
RAT in a Jar: A Phishing Campaign Using Unrecom
In the past two weeks, we have observed an increase in attack activity against U.S. state and local government, technology, advisory services, health, and financial sector organizations, delivered through phishing emails carrying what appears to be a remote access trojan (RAT) known as Unrecom. The same activity has also been observed against the financial sector in Saudi Arabia and Russia.
Because Unrecom is a comprehensive, multi-platform, Java-based remote access tool that, at the time of writing, is detected by few antivirus products, it presents a risk to a large number of potential victims regardless of operating system. The following is a screenshot of the Unrecom RAT v2.0 (Spanish-language build):
Over time, various reports in the community have documented the evolution of this tool. Evolution of this kind is to be expected, but its low detection rate, its use this month in phishing email campaigns against multiple U.S. sectors, and its association with past campaigns involving a variety of RATs captured our attention. The tool began life as Frutas RAT, was subsequently rebranded as Adwind RAT, and is now known as Unrecom RAT.
In 2013, it was reported that Frutas RAT was used in phishing email campaigns against high profile companies in Europe and Asia in sectors such as finance, mining, telecom, and government.
Once a system is infected, Unrecom RAT gives the attacker full control over it. Its capabilities include the following:
In the past, variants of the DarkComet and AcromRAT malware have also been observed beaconing to the same Command & Control (CnC) servers used by the Unrecom RAT in this campaign.
This document will provide information about the recent phishing campaigns observed with this RAT and some of the network indicators.
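Because the RAT is a Java archive and, as noted above, is missed by most antivirus engines, a practical first line of defense is to triage mail attachments on structure rather than on file extension or AV verdict: a JAR is a ZIP container carrying a `META-INF/MANIFEST.MF` and compiled `.class` files, and a double extension such as `.pdf.jar` (or a plain `.pdf` name on JAR content) is a strong phishing tell. The following is an added example of such a check, not code from the Fidelis advisory or from Unrecom itself; the attachment names, the `com.example.Loader` class name and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Every compiled Java class file starts with this magic number.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def inspect_jar(data):
    """Return structural facts about a byte blob that may be a JAR.

    A JAR is a ZIP archive; we look for the manifest, a Main-Class entry
    (which makes the archive directly executable with `java -jar`) and
    entries that really carry class-file magic, not just a .class name.
    """
    info = {"is_zip": False, "has_manifest": False, "main_class": None, "class_files": 0}
    if not data.startswith(b"PK\x03\x04"):          # ZIP local file header
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    info["is_zip"] = True
    with zf:
        for name in zf.namelist():
            if name.upper() == "META-INF/MANIFEST.MF":
                info["has_manifest"] = True
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("main-class:"):
                        info["main_class"] = line.split(":", 1)[1].strip()
            elif name.endswith(".class") and zf.read(name)[:4] == JAVA_CLASS_MAGIC:
                info["class_files"] += 1
    return info


def triage_attachment(filename, data):
    """Classify one attachment as 'allow', 'review' or 'quarantine' with reasons."""
    info = inspect_jar(data)
    reasons = []
    lower = filename.lower()
    if info["is_zip"] and (info["has_manifest"] or info["class_files"]):
        reasons.append("ZIP container with Java manifest/class files (JAR)")
        if info["main_class"]:
            reasons.append("executable JAR, Main-Class %s" % info["main_class"])
        if not lower.endswith(".jar"):
            # JAR content hiding under another name: classic phishing lure.
            reasons.append("JAR content under non-.jar name %r" % filename)
        return "quarantine", reasons
    if lower.endswith(".jar"):
        reasons.append(".jar extension without JAR structure")
        return "review", reasons
    return "allow", reasons


# --- Constructed sample attachments (not real campaign artifacts) ---------
def _build_jar(main_class):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: %s\r\n" % main_class)
        z.writestr("com/example/Loader.class", JAVA_CLASS_MAGIC + b"\x00" * 20)
    return buf.getvalue()


def _build_plain_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.txt", "quarterly numbers")
    return buf.getvalue()


SAMPLE_ATTACHMENTS = {
    "Invoice_Q2.pdf.jar": _build_jar("com.example.Loader"),  # double extension
    "Remittance.pdf": _build_jar("com.example.Loader"),      # JAR bytes, PDF name
    "archive.zip": _build_plain_zip(),                       # benign ZIP, no Java
    "notes.txt": b"nothing to see here",                     # not an archive at all
}


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its verdict."""
    return {name: triage_attachment(name, data)[0] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        verdict, reasons = triage_attachment(name, data)
        print("%-22s %-10s %s" % (name, verdict, "; ".join(reasons)))
```

The check deliberately ignores the attachment's declared MIME type and extension when deciding on quarantine; those are attacker-controlled, whereas the ZIP header and the class-file magic are what the Java runtime actually needs to execute the payload. Running the script prints one line per sample, with the two JAR-bearing attachments quarantined and the plain ZIP and text file allowed.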
Last week I offered up 10 (±1) questions to ask your security vendors. Today let’s talk about what you should be asking yourself...to stop doing.
Quit investing in security technology over security people.
Every time we get together at one or another conference we hear it again: “security comes from people, process and technology.” There’s a reason—beyond an alphabetizing coincidence—that technology comes last; people and process are the sine qua non of your security program. So make sure your people have the training and support they need to become (and remain) Advanced Persistent Defenders.
Quit leaving security to “just happen.”
I’ve visited a lot of companies, and I’ve met a lot of smart security folks. They’re passionate about security and about protecting their networks. They almost all intuitively know the right things to do, and the right times and reasons to say “no” to one thing or another. Yet they’re often left to do their work in isolation, without the support (or knowledge) of their executives. Sound familiar? Then a crisis hits and this disconnect becomes a big part of your overall risk. Get ahead of it. Learn from your security practitioners and what they’re doing—or wish they were doing—that isn’t necessarily in their job descriptions or policy directives, and then absorb that knowledge into sensible policies that work for the C-suites and the cube farm alike.
Quit selecting vendors without taking independent testing into account.
Where I work we’re all pretty excited about third party independent testing lately. While it’s true that not all of the very latest whiz-bang tech can be put in a well-defined category and subjected to apples-to-apples comparison, third party analysts and testers are almost certainly thinking harder about these new technologies than you are, and they’re equipped with more data than you have time to accumulate, process and understand. Even if your inclination is to take their findings with a grain of salt, find out what they have to say about the companies and products you’re thinking about investing in.
Quit adding security "after."
It's 2014. And we’re still designing products, applications, data centers, companies and all kinds of other stuff without weaving security into their very fabric. The only way to do more good than harm, and to maximize security ROI in the bargain, is to start with security in mind. As a vague vision for an “Internet of things” begins to take shape before our eyes, security becomes less abstract and more about personal (i.e., bodily) safety. Are you part of the solution or part of the problem? If you’re not sure, at least be part of the discussion.
Quit letting Aunt Susie fend for herself.
Remember Aunt Susie? She’s the one we’re actually trying to protect. She’s the family member who doesn’t happen to be part of the information security community. She works in the front office. She manages finances. She invents stuff. She sees to the actual business of your business. She doesn’t want to be inconvenienced by seemingly pointless security measures, but she also doesn’t want her department to lose a week of productivity due to a breach, and she definitely doesn’t want her bank accounts hijacked by a shadowy mobster somewhere.
To normal human beings, all this hacker/breach/APT/malware stuff is at best an unwelcome distraction, but under the surface it makes the world of technology, computers and the Internet seem less friendly and accessible than it needs to be. So let’s be sure we remember whom we’re fighting for when we make security policy or technology decisions.
What bad habits are you trying to quit in your organization? Let’s discuss it in the comments.
Want a THREATtoon on your blog or website? Great! Simply cite the cartoon's original Threat Geek URL under the image and you're good to go.
A true advanced threat is a “who”, not a “how.” All too often we equate an advanced threat with the new 0-day exploit or targeted malware, but these are not the threats, they are the tactics of the attacker.
Security vendors have pulled the perfect long con on the world by convincing us that Advanced Threat Defense (ATD) is about malware or spear phishing or browser exploits, ignoring the fact that at the other end of that spear phish is someone with the intent and the means to break into your network any way possible. Are we to believe that because an advanced malware product detects a new browser exploit it has actually stopped the attacker from getting into your network? No. True advanced threats, the people who want your data, will pound and pound on the door until they knock it off the hinges. Of course these niche Advanced Tactic Detection (ATD) products have a place in detecting a portion of the attempts to breach the network. What is really core to defending against advanced threats is the ability to find them once they are inside your network.
What the heck does a graphic like this have to do with security (or surfing – my other favorite topic)? Well, nothing to do with surfing (except the dude in the front could use a better suit), but a lot to do with security… Please humor me, grab a cup of coffee and read on…
While we are all fighting the good fight against cyber attacks and threats every day, it’s important to also test ourselves in other ways – namely independent lab testing that evaluates vendors based on their technologies’ capabilities. As you may remember from over the summer, we participated in NSS Labs’ Breach Detection System (BDS) test alongside other security vendors – originally ten companies (AhnLab, Damballa, FireEye, Lastline, McAfee, Palo Alto Networks, Sourcefire, Symantec, Trend Micro and Fidelis) were called to the table, but only three (AhnLab, FireEye and Fidelis) were able to make it through and only two (AhnLab and Fidelis) chose to make their results public for our customers.
Turns out there is a lot of hand waving, marketing and smoke out there from security vendors, but not a lot of truth in the picture.
On March 14th, Bloomberg BusinessWeek published a lengthy article entitled, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It”. The article highlighted the fact that Target had purchased $1.6M in FireEye advanced threat defense gear that had indeed detected two related pieces of malware on the Target network, but that Target had failed to respond to the alerts issued by the MSSP in Bangalore that was monitoring the equipment.
Unfortunately, we see this all too often in the network incident response investigations we are called on to conduct. Companies pay good money for network security tools with the expectation that the technology will protect them from a breach. Often it does not. Where is the disconnect? Were the tools oversold? Were they implemented incorrectly? Were they poorly tuned? Or were incident response personnel not properly trained to understand the alerts and data the tools provided? These are the questions Target and its incident response providers need to grapple with in order to develop effective remediation strategies and avoid a recurrence.
A number of subsequent articles focused on whether Target should have reacted to these alerts. Many of the articles provided balanced perspectives on the challenges of responding to a few specific alerts against the background noise of hundreds, often thousands of attacks hitting large networks every day.
What these articles uniformly missed was the crucial question: why did the network security systems employed by Target provide so few actionable alerts, and so late in the life cycle of the attack?
Once again, the trifecta of the Fidelis Customer Advisory Board gathering, the AGC Infosecurity Conference and RSA 2014 delivered tremendous insights and validation. The need for speed, which I talked about in my pre-RSA post was a key theme. And after more than 100 hours of conversation with customers, threat researchers, industry colleagues and experts, I am even more certain the only way to minimize the time to threat discovery, containment and remediation is to achieve an optimal combination of technology, knowledge and experience, and threat intelligence.
As I walked the aisles of both the Moscone South and North halls, I found the experience to be a metaphor for what's going on in the network: a lot of noise and promise, but also a lack of clarity. I thought the South hall had a better vibe and more energy, with a collection of vendors who are all about innovation. The North hall was more about the "big guys" in cavernous booths, many of whom were talking cybersecurity as a veil over their infrastructure business rather than as a core competency.
However, no matter which hall you were in, everyone’s messages sounded the same, making it virtually impossible for customers to discern what’s real and what isn’t or how each vendor can help them.
Unfortunately, the challenge for customers is far greater than just sifting through the confusing vendor landscape to figure out who meets their needs. For the most part, the disruptive forces were consistent from a year ago – advanced threats, big data, cloud and there was also increasing conversation about the Internet of Things adding complexity to securing this ever expanding attack surface.
What took the RSA 2014 environment from confusing to frenzied was the backdrop presented by the relevance and immediacy of the retailer breaches, the backdoors and privacy issues, potential legislation, and even macroeconomic questions around whether customers outside of the U.S. will shy away from buying technology from American companies. In many cases, it was these topics dominating the conversation in the booths and over drinks and dinner.
One common thread for our industry to rally around: sharing threat intelligence.
We’ve seen an increasing focus on threat intelligence with more companies offering it than there were a year ago, and the emergence of informal groups acknowledging they have things in common and agreeing to share threat intelligence. Even with this, I believe threat intelligence is truly in its embryonic stage. There are so many questions and opportunities for improvement -- the most significant today being, 1) How can we anonymize threat information so it can be shared more widely across relevant communities – verticals, geographies – to defend against a common enemy?; and 2) How can we improve the fidelity of the feeds?
At the Fidelis Customer Advisory Board meeting, we had overwhelming interest in customers wanting to contribute anonymized threat intelligence information so we can make it actionable on our advanced threat defense platform even more quickly. (In response to this, we are planning to create a virtual community that will enable this, but more on that another day.)
This is good forward progress. But the reality is that no one is satisfied with the threat intelligence available today, primarily because of how noisy networks are and how hard it is to determine what’s real and what isn’t (just like the environment at RSA 2014!). Customers want to know what the 10 most dangerous threats are in their network that they need to hunt down and deal with. They don’t have the ability to hunt and capture 100, and the worst part is they are seeing 1,000 alerts that make the entire process unmanageable.
So as an industry, we have our marching orders: We need to deliver high fidelity, high quality threat intelligence.
We already have analysts aggregating sources of data and building situational awareness about a problem. We need to keep advancing our efforts to fuse that data together and reduce the time it takes to discover valid information in it. We need to figure out how to factor in classified data that most defenders cannot access. And we need to do this against a backdrop of legislative and privacy issues, in a threat environment that is not standing still, and in a business climate where advancements are outpacing the ability to secure everything. Said another way, in a world in which it is becoming easier, not harder, for an adversary to succeed in having its way with its target.
Is it exciting to be eyeball-deep in cybersecurity? It sure is. Is it scary? It sure is. To date we have primarily dealt with adversaries whose primary goal has been disruption and theft. This has created a critical, global problem. If this turns to destruction, which many are predicting (think making 80,000 cars turn right when the driver wants to turn left, the Internet of Things), the criticality of the problem increases exponentially.
This might seem odd, since the picture I have painted isn't that encouraging. However, after attending these meetings and shows I am more optimistic than ever that the formula is clear: smarter people, better tools and higher-fidelity threat intelligence are the key to catching up to the adversary. And I am confident this industry can come together and do it.
I welcome feedback and debate on this perspective.