CryptoWall 3, the Cyber Threat Alliance and the Future of Information Sharing

Executive Summary

The Palo Alto Networks vision for threat information sharing is that cybersecurity vendors should share the intelligence that they all individually collect with each other and with whomever else has the capacity to consume it. In that way, each vendor can build more innovative products with that superset of intelligence and better protect their combined customer bases because of it.

Project Redstone, the results of which we announced today, was a 90-day proof-of-concept designed to test the value and practicality of security vendors collaborating against one cyber adversary campaign in the summer of 2015: the campaign associated with CryptoWall version 3. The project showed immediate tactical success and demonstrated the value of such a collaborative information sharing arrangement. That said, the project also identified four capability gaps that Palo Alto Networks must solve in order to share intelligence on 5,000 adversary campaigns, every day in real time:

Understanding and Preventing Point of Sale Attacks

In recent years, there have been a number of high-profile stories involving the compromise of point of sale (PoS) devices. My research often involves deep reverse engineering and analysis of various malware families targeting PoS devices. As such, I’m often asked about the overall threats that these machines face. In this article I hope to provide a high-level view of the threat landscape currently affecting PoS devices.

Background

The term PoS refers to a machine used by businesses to conduct a retail transaction. If you have ever used a debit or credit card to make a purchase, you’ve likely seen these machines. They often run customized hardware and software; however, the underlying operating system (OS) is more commonly some version of Microsoft Windows, often Windows XP or Windows 7. This trend has shifted slightly in recent years with the popularity of mobile PoS devices, most of which run either Android or iOS. While these are becoming more common in smaller businesses, Windows-based PoS machines still make up the majority, and by association are the devices most heavily targeted by attackers.

Palo Alto Networks Researcher Discovers Critical IE Vulnerability

Palo Alto Networks researcher Hui Gao was credited with discovery of a new critical Internet Explorer (IE) vulnerability affecting IE versions 6, 7, 8, 9, 10 and 11. CVE-2015-2548 is included in Microsoft's October 2015 Security Bulletin and documented in Microsoft Security Bulletin MS15-109.

Adversaries and Their Motivations (Part 1)

This blog is the first in a series describing adversaries and their motivations. This part in the series presents underlying concepts and the value proposition for exploring who is attacking a network and why.

Chinese Taomike Monetization Library Steals SMS Messages

Mobile app creators are often looking for ways to monetize their software. One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases (IAPs). Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly. We previously highlighted the dangers of installing apps that enable IAPs using SMS messages, as these apps typically have access to all SMS messages sent to the phone.

Surveillance Malware Trends: Tracking Predator Pain and HawkEye

Malicious actors employ a range of tools to achieve their objectives. One of the most damaging activities an actor pursues is the theft of authentication information, whether it applies to business or personal accounts. Unless specifically mitigated, this theft often allows an unauthorized actor to masquerade as the victim, either achieving immediate gains or creating a platform from which progressive attack campaigns may launch.

There are a number of threats that endanger the critical secrecy of credentials, including poor operational security practices, social engineering, man-in-the-middle attacks, password hash dumping and cracking, and surveillance malware. In this post, Unit 42 examines various trends in a malware threat set within the surveillance malware category: Predator Pain and its latest derivative, HawkEye.

Connecting the Dots in Cyber Threat Campaigns, Part 1: Domain Name WHOIS Information

There tends to be some mystery around how to properly analyze infrastructure used in cyber attacks. It is a bit of an art, often involving educated guesses to tie components together. However it is important to note the use of the term “educated guesses,” as they’re bound by solid data. An educated guess is defined as “a guess based on knowledge and experience and therefore likely to be correct.” Intelligence analysis is akin to taking a bunch of puzzle pieces and figuring out where each belongs. The pieces of different puzzles are often jumbled together, so part of the analysis is determining which piece belongs to which puzzle and then where in that puzzle. From there an analyst has to establish what the whole puzzle most likely looks like, as analysts never have all of the pieces for any given puzzle.

If it sounds difficult, it often is. These missing pieces are often the most challenging part for threat analysts, but thorough research, analysis, and experience can often fill in the gaps. This series of blogs is intended to explain how analysts tie together attacker infrastructure. We’ll start with what is often the first step – domain name WHOIS information.

Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan

In recent weeks, we have noticed changes in the TeslaCrypt ransomware malware family’s code base. OpenDNS recently discussed some of these changes regarding the encryption techniques in this newest variant. While reverse engineering the underlying code of these samples we discovered that the author of TeslaCrypt borrowed code from the Carberp malware family in order to obfuscate strings and dynamically load libraries/functions.

Ticked Off: Upatre Malware’s Simple Anti-analysis Trick to Defeat Sandboxes

The Upatre family of malware is frequently updated, with the authors adding new features and protecting the malware from detection in various ways. If you aren’t yet familiar with Upatre, it’s one of the most common downloaders in the wild today, typically infecting systems through phishing e-mails and downloading the Dyre banking Trojan to steal victims’ credentials. Recently, the authors of Upatre added a very simple anti-analysis measure in an attempt to defeat sandboxes, which dynamically analyze executables to identify malicious behavior.

Understanding Global Application Usage and Threats to Enterprises

"A single arrow is easily broken, but not ten in a bundle." – Japanese proverb

Is prevention of cyber attacks impossible? Is trying to prevent attacks a waste of time? Should we spend all our time focused on incident response?

These are constant questions in cybersecurity, and while the truth is that we can’t prevent everything, prevention of a significant majority of attacks is indeed possible. With the implementation of strong security policies, regular analysis of trends and tactics, and, most importantly, shared, actionable threat intelligence to feed into our defenses, this can be a reality.

YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs

Summary

We recently identified a new Apple iOS malware and named it YiSpecter. YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it’s the first malware we’ve seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.

Dridex is Back and Targeting the UK

After Brian Krebs reported the September arrests of alleged key figures in the cyber crime gang that developed and operated Dridex, Unit 42 observed a marked decrease in activity related to this banking Trojan – at least until today. Dridex re-entered the threat landscape with a major e-mail phishing campaign. Leveraging the Palo Alto Networks AutoFocus platform, we identified samples associated with this resurgence.

Malware

True to form, the Dridex crew continues to utilize Microsoft Word Doc files with embedded macros, just as they did at the start of 2015. The Bartalex kit, a favorite for various cybercriminals, constructs these macros to deliver their malicious payload. When a user opens the malicious document, the macro code reaches out to a URL and downloads the Dridex executable. We identified the following associated Microsoft Word Doc files and URLs from today’s campaign:

Updated PClock Ransomware Still Comes Up Short

In recent years, ransomware families are often glamorized as being some of the most dangerous types of malware. They’ve certainly caused a wealth of damage to end users with some of the more prominent malware families, such as CryptoLocker, CryptoWall, TorrentLocker, and TeslaCrypt infecting millions of users overall.

For readers that might be unfamiliar with ransomware, it’s a type of malware that is responsible for encrypting a user’s files with a key known only to the attackers. Examples of files that might be encrypted include financial documents, home movies, photos, or business-related files. In order to decrypt these files, the victim must provide a ransom, or payment, to the attacker, often in the form of a digital currency.

Chinese Actors Use ‘3102’ Malware in Attacks on US Government and EU Media

On May 6 and May 11, 2015, Unit 42 observed two targeted attacks, the first against the U.S. government and the second on a European media company. Threat actors delivered the same document via spear-phishing emails to both organizations. The actors weaponized the delivery document to install a variant of the ‘9002’ Trojan called ‘3102’ that heavily relies on plugins to provide the functionality needed by the actors to carry out their objectives.

The 3102 payload used in this attack also appears to be related to the Evilgrab payload delivered in the watering hole attack hosted on the President of Myanmar’s website in May 2015. Additionally, we uncovered ties between the C2 infrastructure and individuals in China active in online hacking forums that claim to work in Trojan development.

Palo Alto Networks WildFire detected the payload delivered in these spear-phishing attacks as malicious, and the payload was also tagged in Palo Alto Networks AutoFocus as 9002.

UPDATE 9/24/2015: The Palo Alto Networks platform detects the 3102 malware with its spyware signature 9002.RAT.Gen Command And Control Traffic (ID# 14359).

More Details on the XcodeGhost Malware and Affected iOS Apps

A few days ago, we investigated a new malware called XcodeGhost that modifies Xcode, infects iOS apps and is seen in the App Store. We also found that more than 39 iOS apps were infected, including versions of some pretty popular apps like WeChat or Didi, potentially affecting hundreds of millions of iOS users. We also analyzed XcodeGhost’s remote control functionalities that can be used by attackers to phish or to perform further attacks. In this post we will discuss a few more details learned since then about XcodeGhost and its behavior.

Actions to Stop the Attack

Since our post on September 18, Palo Alto Networks has cooperated with Apple, Amazon and Baidu to share samples, threat intelligence and research. All of them have taken actions to stop the attack or to mitigate the security threat.