Yesterday brought news that a cyber attack caused widespread data destruction in the South Korean banking and media sectors. Researchers at General Dynamics Fidelis Cybersecurity Solutions obtained a copy of the malware involved in the attack and have some preliminary results to share. Our compliments to the talented folks at Alien Vault Labs, whose research on this subject can be viewed on their blog.
For purposes of our research, we’ll call this specimen “239ed75323.exe”. It’s a malicious file capable of wiping data on disk drives. One of the areas it targets is the disk’s Master Boot Record (MBR), without which a computer cannot load its operating system. Multiple variants of this malware were observed in the community.
The malware writes a 512-byte pattern to the disk. This pattern consists of the word “HASTATI” repeated back to back.
It was observed that the malware did not write this pattern across the whole disk, so there is still data that can be recovered. We will release further information on a recovery process in an advisory to follow shortly.
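As an added example (not code from the original advisory), the following scanner walks a raw disk image sector by sector, flags sectors overwritten with the repeating “HASTATI” pattern, reports which sectors still hold original data, and checks whether the MBR boot signature survived. It assumes the wiper fills each 512-byte sector with the marker repeated back to back, and because the exact phase of the repeat in a real sample is not stated, it accepts any rotation of the seven-byte word; the disk image is constructed in-memory for the demonstration.

```python
# Added example: triage a disk image for sectors overwritten with the
# repeating "HASTATI" pattern and identify what data survived.
# ASSUMPTION: the wiper fills each 512-byte sector with "HASTATI" repeated
# back to back; any rotation of the 7-byte word is accepted as a match.
import hashlib

SECTOR = 512
MARKER = b"HASTATI"


def wipe_pattern(phase: int = 0) -> bytes:
    """One 512-byte sector of the repeating marker, starting at `phase`."""
    rep = MARKER * (SECTOR // len(MARKER) + 2)
    return rep[phase:phase + SECTOR]


# Every rotation of the marker that a wiped sector could present.
_WIPE_SECTORS = {wipe_pattern(p) for p in range(len(MARKER))}


def is_wiped_sector(sector: bytes) -> bool:
    """True if the sector is entirely the repeating marker (any phase)."""
    return len(sector) == SECTOR and sector in _WIPE_SECTORS


def scan_image(image: bytes):
    """Return (wiped_offsets, intact_offsets) for every full sector."""
    wiped, intact = [], []
    for off in range(0, len(image) - len(image) % SECTOR, SECTOR):
        chunk = image[off:off + SECTOR]
        (wiped if is_wiped_sector(chunk) else intact).append(off)
    return wiped, intact


def mbr_signature_intact(image: bytes) -> bool:
    """True if sector 0 still ends with the 0x55AA boot signature."""
    return len(image) >= SECTOR and image[510:512] == b"\x55\xaa"


def build_sample_image(n_sectors: int = 8, wiped=(0, 1, 5)) -> bytes:
    """Constructed test image: pseudo-random sector contents, a boot
    signature in sector 0, then the listed sectors overwritten as the
    wiper would (phase varies per sector to exercise rotation handling)."""
    sectors = []
    for i in range(n_sectors):
        seed = hashlib.sha256(b"sector%d" % i).digest()  # 32 bytes
        sectors.append((seed * (SECTOR // len(seed)))[:SECTOR])
    sectors[0] = sectors[0][:510] + b"\x55\xaa"
    for i in wiped:
        sectors[i] = wipe_pattern(phase=i % len(MARKER))
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image()
    w, ok = scan_image(img)
    print("MBR signature intact:", mbr_signature_intact(img))
    print("wiped sectors at offsets:", [hex(o) for o in w])
    print("sectors still holding data:", len(ok))
```

Run against a real image by reading it in binary mode and passing the bytes to scan_image; the intact offsets are the sectors a recovery process can still carve.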
The malware also tries to shut down security tools from the following two South Korean companies:
- AhnLab, Inc. (AhnLab Policy Agent process)
- HAURI Inc. (ViRobot ISMS process)
The file we examined has the following attributes:
File Size: 24576 bytes
PE Time: 0x510A4706 [Thu Jan 31 10:27:18 2013 UTC]
Section Name / Entropy / MD5
.text 5.42 0dcfb44a4e0fe644774322087d904c8e
.rdata 2.97 95998eb10fd4f37dae63af28f22e1c97
.data 0.58 0962d66235e80031b7bcfcbdb4335546
At time of analysis, antivirus tools identified the file as follows:
Reversing the file revealed some of the following code responsible for writing the wiping pattern to the disk:
General Dynamics Fidelis Cybersecurity Solutions researchers detonated the malware in a controlled environment and confirmed that it does indeed overwrite the disk with a repeating “HASTATI” pattern. The following shows the area of the VMDK disk before and after it was overwritten with the pattern:
First area at disk offset 0x3D0000 (location of MBR in virtual disk):
According to Wikipedia, the word “HASTATI” refers to “a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment, light armour and a large shield, in their service as the lighter infantry of the legion. Later, the Hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the front battle line of the legion. They fought in a quincunx formation, supported by light troops.” J. Rickard, writing in a December 2002 article on HistoryOfWar.org, adds: “the Hastati were expected to take the first clash of battle and blunt the enemy attack before the second line, the Principes, took over and won the battle.”
The following are the two processes the malware tries to shut down or kill:
Researchers from the General Dynamics Fidelis Cybersecurity Solutions Network Defense and Forensics and Threat Research teams continue to monitor and study this event. Results of our research into a process for recovering a system infected by this attack will be released shortly.
Alien Vault Labs: Information about the South Korean banks and media systems attacks
Dark Reading: 'Loud' Data-Annihilation Cyberattacks Hit South Korean Banks, Media Outlets
Naked Security: DarkSeoul: SophosLabs identifies malware used in South Korean internet attack
SecureList: South Korean 'Whois Team' attacks
Posted by ThreatGeek at 11:16 AM in advanced malware, Advanced Persistent Threat, advanced threats, cyber threat intelligence, cyber threat security, cybercrime, data breaches, incident response, intelligent network forensics, network forensics, network surveillance, network visibility, prevent cyber attacks, prevent data breaches, protect against APT, threat geek, threat intelligence.
Article Introduction: “IT pros can be excused for feeling besieged by the influx of user-owned smartphones and tablets that are linking up to corporate WLANs, email systems and Web apps. But employees are only one source of IT's stress. The other is vendors. Companies large and small are stampeding IT into buying MDM software and services as the wonder app to fix all their BYOD security problems. But MDM isn't a silver bullet, nor necessarily needed for all situations, particularly at SMBs.”
Article Introduction: “Let's face it: Everybody makes dumb mistakes at work. But these days, employee ignorance about the impact of certain IT technologies, a lack of controls around critical infrastructure and data, and a legion of employees armed with way too many system privileges are drowning enterprises in a potent cocktail of risk factors.”
Article Introduction: “Advanced cybersecurity threats, whether they are posed by cyber criminals, hacktivists or nation-states, have been damaging organizations for years. Leveraging social engineering, spear phishing, custom malware, and stolen credentials, they have been evading detection and stealing intellectual property and customer data seemingly at will.”
Ryan Vela's commentary: Cumulatively, the eight creative tactics presented by Joe Goldberg are very beneficial for any company in which its revenue lines rely on an integrated IT environment. I would recommend that such companies incorporate all of these tactics into its security posture, with the exception of honeypots. The implementation of these tactics should be measured as a part of the whole and its individual benefit to mitigate risk. For some companies, each item will be tailored higher or lower depending on its business need and risk requirements. When weighing the necessity of each tactic individually and all cumulatively, a company should engage outside consultants. Outside consultants are able to view the forest for the trees or see the whole picture without feeling stuck in the business tunnel. These consultants offer a valuable guide that will see things that may be overlooked and could save the company significant costs in the long term.
Article Introduction: “An Adobe (NSDQ:ADBE) Reader zero-day exploit has surfaced in a new wave of attacks targeting activist groups and is dropping an advanced piece of malware, according to researchers analyzing the new threat.”
Article Introduction: “Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.”
The ThreatGeek Top 5 is a weekly post that identifies relevant industry news and stories. Check in to stay up to date with the latest happenings throughout the industry.
Passage of the cybersecurity bill has stalled in the Senate as Democrats and Republicans show few signs of compromise over the scale of governmental provisions for infrastructural protection.
An oft-overlooked detail about Stuxnet, Duqu, and Flame is that the attacks all targeted Windows machines in Iran even though Windows isn't allowed to be sold there under U.S. export restriction laws. Software smuggling and pirating are commonplace there, including for Windows.
The Pacific Northwest National Laboratory (PNNL), in conjunction with McAfee, revealed a report that fully examines the current challenges facing critical infrastructure and key resources as well as identifying specific risks and vulnerabilities in the evolving cyber threat landscape.
Security expert Dan Clements is building a virtual "lost and found" box for data, a concept he hopes companies suffering from data breaches will embrace to find out just how bad the damage is.
Google's Android mobile platform is the target of a new variant of a widely used malware capable of stealing personal information. The latest Zeus malware masquerades as a premium security app to lure people into downloading the Trojan, Kaspersky Lab reported Monday. The fake security app, called the Android Security Suite Premium, first appeared in early June with newer versions released since then.
The ThreatGeek Top 5 is a weekly post that identifies relevant industry news and stories. Check in to stay up to date with the latest happenings throughout the industry.
The initial infection vector of Flame is known and a patch is available to prevent it from happening. Furthermore, Kaspersky Labs reports the botnet used for Command and Control (CnC) went down shortly after they began investigating it. Like any fire, which needs air, fuel and heat to exist, removal of one component promptly puts the fire out. In this case, removing its communication network has stopped the Flame, at least for now.
It has been observed that Flame attacks a potential victim by waiting until a user connects to Microsoft Windows Update, then redirecting that request and using a fraudulent certificate chained to Microsoft’s trust to get the user to install a malicious Windows Update. Even fully patched Windows computers can be infected. Microsoft has revoked the bad certificate and posted security advisory 2718704 describing how this certificate compromise is being performed, along with a Knowledge Base article under the same number containing a patch you can run to remove it now. The patch is also being delivered through Microsoft Update which, as described, may or may not be the best channel for this update. With the communication network and now the initial infection vector closed, you’d think the Flame was out.
That has not stopped the marketing engine from throwing more fuel on the fire in order to keep the Flame alive. Headlines such as “Security researchers: Flame malware is a ‘nightmare scenario’” and “Meet Flame, the Nastiest Computer Malware Yet” continue to add hype in order to “fan the Flame” and keep the hysteria going.
Bit9 of Waltham, Mass. had this to say: “Have you heard of Flame – the latest high-profile cyber-attack – and are you concerned that you are vulnerable to attacks like it? Gartner released a report on Flame and recommended using ‘whitelisting’ approaches for critical servers whenever possible and to ‘go beyond simple signature or pattern detection.’”
Whitelisting is an increasingly complex task with tremendous overhead and, like anything in security, it isn’t a magic bullet; nor are any of the other solutions being presented as a cure for Flame.
Bit9’s report goes on to say, “The attack began in the fall of 2011 and stretched into spring 2012. During that eight-month period, the Bit9 customer was consistently attacked by Flame, but Bit9 stopped the malware from executing on any of the customer’s servers, laptops or PCs."
Eight months of ongoing attacks and log entries that resulted in no exfiltration, but were a pleasure for the analysts involved, I am sure.
Even the infographic folks want some of this action.
Personally, I’ve seen malware using hundreds of domains on botnets with thousands of nodes and hundreds of IPs that span the globe. So where is the truth in the hype? How bad is Flame? Is it over?
The truth is that Flame, while nasty, isn’t the end of the world as we know it. It’s another piece of malware you need to know about and need to know how to defend against. It has been spotted around the globe but featured prominently in the Middle East, which indicates the initial release point. Kaspersky Labs, CrySyS Lab and the Iranian CERT team have investigated this malware and found that it does all of the same things existing malware could already do; its authors took many of those features and stitched them together. The initial infection vector is known and a patch is available. The CnC network has been quiet for days since it was investigated by Kaspersky Labs. As to whether the Flame threat is over, it seems that for the moment it is at least quieting down. Whether the malware creators will make some changes and give it another go remains to be seen. What we have now is time to apply the appropriate patches, clean infected machines, set up our detection and wait to see what happens next. Oh, and don’t fall for all the hype: the sky isn’t falling.
Fidelis Security Systems has released a policy update for Fidelis XPS customers to detect the Flame malware on the network in three ways: signature-based (already updated), using the MD5 hashes of the malware components to detect them traversing your network; IP-based, using the known CnC communication servers; and protocol-based, using indicators present within the CnC communication itself. If you have applied the Microsoft patch described in Knowledge Base article 2718704 and have Fidelis XPS in place, you are already protected from Flame, without any additional fanning needed.
http://venturebeat.com/2012/06/05/security-researchers-flame-malware-is-a-nightmare-scenario/, Retrieved June 6, 2012
http://mashable.com/2012/06/04/flame-malware/, Retrieved June 6, 2012
https://www.bit9.com/files/Press_Release_Flame_FINAL.pdf, Retrieved June 6, 2012
Posted by ThreatGeek at 12:00 PM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, cybercrime, Darian Lewis, data breach prevention, data breach prevention solution, data breaches, NAV, network analysis and visibility, prevent cyber attacks, protect against APT, situational awareness, threat assessment, threat geek.
The annual RSA Conference—held just a few weeks ago in San Francisco—is usually a good place to gauge the state of the security industry. While I agree with Peter George’s observation that nation state-sponsored cyber attacks dominated the majority of attendee’s attention spans this year, there was something else that also caught my attention.
Going into the conference, I was fully prepared for mobile security to be a dominant theme—though I thought it would center more on mobile device management (MDM), which seemed to be where people are focusing today. What really struck me was the huge tilt toward BYOD, or “Bring Your Own Device”—specifically, the leniency of security measures and willingness of companies to allow employees to deploy any device they please on their network.
In hearing some of the leaders speak at various sessions, I was shocked to learn that we are past the point of conversation with BYOD; it’s a foregone conclusion. This is not a “how do we want to deal with this” discussion anymore, it’s a “this is here, there is no stopping it, so make it work and (oh, by the way…) provide security” issue. It was apparent that CISOs and CSOs are scrambling to figure out how to deal with this. It’s really like the Wild West out there.
From a security perspective, my first reaction is: FORGET IT. I don’t care how productive it can make a workforce. I might let your iPhone on our network, but I’m not even discussing an iPad or any other tablet you might have without the appropriate controls in place. I try to put myself in the shoes of CISOs and I think I’d be pounding on someone’s desk saying no way. Let’s let them choose their own device, phone or tablet—more of a move towards CYOD—but with BYOD, I don’t see a way to do it right now. This takes borderless security to a whole different level.
While some companies use an employee access agreement (and possibly a software agent) to control and monitor what devices are permitted to access the network, there seems to be a movement away from making that the standard. The focus seems to be on trying to figure out a way to allow personal devices on networks without imposing an agent of some kind, which is potentially disastrous. The false sense of comfort that mobile devices are secure reminds me of the way Mac users perceived their devices a few years ago: “I don’t need antivirus protection for a Mac, there aren’t any Mac viruses”.
Well, in the past year you have seen a significant rise in threats from a Mac perspective, and the same can be predicted for new waves of personal devices.
I sat in on one particular session at RSA that really conveyed the uncertainty behind managing this problem. Towards the end, the floor opened up for a Q&A, and the discussion was dominated by attendees who stood up and talked about how they are struggling with the legal implications of BYOD.
“Does anyone here have any tips or precedents they can share?” someone asked.
Essentially, with a free-range BYOD mentality, companies are bringing in unnecessary risks just to boost morale and/or productivity. You’re just opening up yourself to a bevy of threats that you wouldn’t have otherwise. I’m still trying to figure out the justification of the upside.
And let’s not forget about the legal implications here. Imagine if something catastrophic happened inside a network—and it came from an employee’s corporate-issued device. The company has the right to seize that device and forensically discover what happened.
In many cases with personal devices, the company is forfeiting its ability to grab that device. The employee can walk out the door with it because, after all, it’s their device. You can bet the bad actors and nation states know about this trend and are looking to exploit any weak spot they can find.
Recently I got caught up watching the “Secret Service Files” on the National Geographic channel, and one of the agents was quoted as saying something along the lines of, “If it were up to me, the President would never leave the White House.”
How does this relate to BYOD management? Well, if you ask those in charge of any type of security—network or presidential—what their ideal situation would be, of course they would want all potential vulnerabilities eliminated from the equation. But we know that’s not possible.
So what we need to do is find a compromise and eliminate the grey area surrounding BYOD. Companies are knowingly inviting new risks with personal devices, but most already have made up their minds to do it anyway. We need to strike a balance.
So what do you think? How can we even out the risk-scales?
It’s not that this train has left the station; it’s at full speed barreling out of control. Let’s get this BYOD issue back on track before it’s too late.
Posted by ThomasPaulLyons at 12:52 PM in advanced threats, content inspection, content monitoring, content protection, cybercrime, data breach prevention, data breaches, information flow, network forensics, network surveillance, network visibility, protect against APT, situational awareness, threat geek, threat intelligence, Tom Lyons.
The first event of RSA week for me is the America's Growth Capital Conference where I’ve been a featured presenter on security topics for the past eight years. A few Mondays ago, which was security day at AGC, I was impressed to see that the number of participating companies had risen to a new high of 114 and would cover the spectrum of topics from advanced persistent threats (APTs) to mobile devices to security in the cloud.
I was asked to participate on a panel discussion around the issue of nation states and state sponsored cyber attacks, which is an area of great interest to me and a topic that Fidelis has been front and center on for the last several years.
While dealing with viruses and other malicious attacks from hackers has been under the purview of the CISO and CSO since the advent of the network, in speaking with my peers at RSA, many of them are now feeling overwhelmed by the increase in attacks emanating from nation states.
In our conversations it was clear to me that mitigating everyday threats in the form of a virus, worm, or botnet was one thing; taking on an adversary with a level of sophistication and unlimited resources made possible through private government funding was another. Simply put, they are being outgunned by the likes of China and Russia and are in desperate need of assistance.
Complicating matters were the other topics driving discussion at this year’s RSA conference that followed AGC: cloud, mobility, and big data. Enterprises are making a big push into these areas for the purpose of increasing productivity and streamlining operations. However, in the process, these are areas that are going to open more opportunities for state sponsored attacks and will certainly be exploited by those looking for financial or political gain.
Our corporate value in this country is largely based on intellectual property (IP) and for that reason, many enterprise-level security officers are pacing the floors at night wondering what they can do to combat this level of threat. Unlike physical assets, once IP is stolen, it is gone for good and can severely weaken the value of a company. As an example, pharmaceutical companies spend billions on researching and developing drugs every year (95+ percent of which will never make it to market) in the hope of finding a few successes. These successes fund the research and sustain company value. If the formula for one of these drugs were to be stolen and end up in Beijing, years of discovery would be meaningless as the market would be flooded with counterfeit options at a fraction of the price.
People are worried about security in this country and they have a right to be. The development of new business tools is also opening new channels to be exploited. The buzz at RSA was palpable and it was one of the most well-attended shows in years. Despite the wishes of some in an enterprise, the role of security is not going away. In fact, one could argue that it is really just beginning.
Posted by Peter George at 12:11 PM in advanced malware, APT prevention, cyber threat intelligence, cyber threat security, cybercrime, data breach prevention, data breaches, Peter George, prevent cyber attacks, prevent data breaches, protect against APT, situational awareness, threat geek.
Does the rise of Anonymous and LulzSec herald a new online era? Does it represent a fundamental shift in the landscape that suddenly changes everything? Let's take a fresh, clearheaded look at what's been happening lately.
Online protest is a perfectly natural and predictable phenomenon. Just as a continuum exists in real life ("IRL," as my kids are saying) between nonviolent protest and destructive, violent rage, the same continuum exists online between mainstream websites going dark to peacefully protest SOPA/PIPA last month, and people who feel that nonviolent protest is inadequate to spur necessary change. When it comes to protest, a well-worn set of philosophical and political arguments apply to violence and nonviolence, regardless of whether one chooses the digital or the analog world as a venue for protest. (Further reading: Henry David Thoreau, Martin Luther King, Jr., and Leo Tolstoy, contrasted with Leon Trotsky, Malcolm X, and George Orwell.)
The potential for an innocent bystander to be harmed by online protesters, however, may exceed the potential in the real world, where it is more risky to commit violence. After all, in physical space you can be seen, you can be tracked, you can be arrested, you can be jailed. These risks are more easily mitigated online than they are IRL. If the risk of being caught factors into a protester's calculus about whether to use violence, then online violence is simply a more logical choice than physical violence. While international authorities have recently engaged in conspicuous enforcement activities, these actions may have little impact on the mindset of groups and individuals that make up hacker collectives. Online violence is still an option for those who choose to employ it, and changing this fact without ruining the Internet will be monumentally difficult.
This leaves enterprises in a sort of "wild west" state, as I argued in my "Lawless" blog post last year. Society's real-world defenses don't map very effectively to the online world, leaving us to try to defend ourselves as best we can. And against a potential infinity of attackers, that is a very difficult task indeed.
My recommendation for enterprises is to expand their security thinking. Guns, guards and gates (real and virtual) will always be a part of the picture, but there's much more to do:
Josh Corman and Brian Martin are looking at this topic quite closely, having participated in a panel discussion about Anonymous at DEFCON last year. They're gradually releasing installments of a 7-part series called "Building a Better Anonymous" that is quite insightful.
How do you see Anonymous? Is online activism prompting you to adopt new strategies? We invite your comments.
Posted by Will Irace at 04:23 PM in advanced malware, advanced threats, APT prevention, cyber threat security, cybercrime, data breaches, prevent cyber attacks, prevent data breaches, protect against APT, threat assessment, threat geek, threat intelligence, wikileak, Will Irace.
Ever hear or say, “…we need to do things differently”?
I hear it quite often, and it’s true—speaking in the context of fighting advanced threats. What usually ends up happening? The same old thing, but with new tools.
What needs to be done differently in our business is to lean forward into the problem and be more suspicious of all content, especially in new ways. Capture as much data as possible about this suspect content, automate its analysis, and provide the results, along with the session and the objects involved, to first-level responders.
Many environments have a SOC, which in turn works on alerts fed in from products. Often the analysts may not know why an alert came in or what it is about, and then forward it upstream. It eventually ends up with the Incident Response team, who need to gather data from other systems to try to piece together what happened. They have many tools they use to dissect, analyze and try to figure it out, but in the end 80%–90% of the results are benign. This is the business process, and it takes time and money to vet.
My question to you is: what can be done differently?
Build a better business process by compressing the workflow through automation, better information and response time. Put forensics up front as opposed to at the end—just like open heart surgery.