2017.10.16 MRG Effitas: Protection Comparison of Proxy and NGFW architecture against RAT and ransomware C&C Version: 2.2

1 Table of Contents

1 Table of Contents
2 Introduction
2.1 Executive summary
2.1.1 Key findings
3 Test details
3.1 A reference network
3.2 Lab network
3.3 Detailed results
3.3.1 Custom TCP and UDP C&C
3.3.2 ICMP tunnel
3.3.3 HTTP channel without proxy support
3.3.4 DNS tunneling
3.3.5 Leaking in the SYN packets – Firestorm attack
3.3.6 Leak data in single request-response
3.3.7 Firewall evasion techniques
3.3.8 Proxy-aware malware using HTTP C2
3.4 Results of the RAT tests
3.5 Comparison of explicit proxy and the next-generation firewall architecture
3.5.1 A note on IPv6
4 Conclusion
5 Appendix
5.1 Recent examples of RATs attacking enterprises
5.1.1 Regin RAT – ICMP, HTTP, HTTPS
5.1.2 PlugX RAT – DNS, ICMP, HTTP, HTTPS
5.1.3 PoisonIvy RAT – DNS, HTTP, HTTPS
5.2 About MRG Effitas

2 Introduction

In a traditional enterprise architecture, clients use an explicit web proxy to access web-based resources on the Internet. The client browsers are configured to use this web proxy whenever the browser tries to access the Internet over the HTTP/HTTPS protocol.

Unified Threat Management and Next-generation Firewall (NGFW) architectures do not need an explicit proxy because, by inspecting the traffic, the product can act as a transparent proxy from a security point of view. An NGFW can filter malicious URLs, inspect protocols, etc.

The focus of this test is to check what kinds of command and control (C&C) techniques and tunneling techniques exist, and how these will be blocked or allowed by the NGFW and by the proxy architecture.

This test does not deal with how the malware got onto the victim system; the focus of this test is the C&C communication only.

2.1 Executive summary

The focus of this test is to find out the security differences between the NGFW and the proxy architecture, and how these can affect malware command and control channels.

For this test, we researched the different ways malware can communicate with the C&C server. We categorized these different techniques and tested these different C&C channels both in an explicit proxy configuration and in a next-generation firewall (NGFW) configuration.

2.1.1 Key findings

1. Malware that is not proxy-aware will be unable to reach C&C channels using HTTP in an environment secured with a proxy, due to the lack of a default route to the Internet. NGFW environments have an active default route and will pass the traffic, assuming no filtering mechanisms intervene. There are currently in-the-wild examples of malware C&C comms that function in an NGFW environment but not in a proxy environment.

Figure 1 - In-the-wild malware using HTTP protocol as C&C

2. DNS tunneling bypasses the NGFW firewall. In a strict proxy configuration, clients (workstations, notebooks) are not allowed to resolve DNS names outside the company. Thus DNS tunneling does not work. There is in-the-wild malware using this DNS tunneling technique, for example the PlugX APT family (see 5.1.2 for details).

Figure 2 - Output of the DNS tunneling C&C

3. It is possible to leak data in the NGFW architecture from the client workstations by sending data in packets with the SYN flag set. It is even possible to leak to servers which are blocked by the firewall policy. This attack was first discovered by Cynet [1] and is called Firestorm. The proxy architecture is not vulnerable to this attack.

Figure 3 - Network capture of traffic leaking data in SYN packets

[1] https://www.cynet.com/blog-firestorm/

4. It is possible to leak data in the NGFW architecture using port 80 (HTTP) over a protocol which does not conform to the HTTP protocol. First, the client workstation sends a request with data (not conforming to the HTTP protocol) to the C&C server. After that, the server replies with some other data and finally the client closes the connection. The proxy architecture is not vulnerable to this kind of C&C channel. We found multiple in-the-wild malware samples where the initial handshake was able to leak data to the attackers in the NGFW architecture.

Figure 4 - Data leaked by the Quasar RAT

5. If a malware uses the HTTP protocol (or websockets) for communication and supports the use of proxies, it can bypass both the NGFW and the proxy architecture. We found multiple instances of malware using this technique. Based on the implementation and configuration of the NGFW or the proxy, these attacks could be blocked either via domain reputation or by signatures. Any decent Advanced Persistent Threat actor can create a C&C infrastructure with a good domain reputation and with a C&C protocol which is not detected by signatures.

This report focuses on the security comparison from an architectural point of view and does not address differences in performance (e.g., caching), TCO, maintenance, etc.

3 Test details

Both the NGFW and the proxy product are configured in the following way:

1. HTTP and HTTPS communication are allowed. Websites with unknown reputation are allowed.
2. In the proxy configuration, all DNS requests from the clients are blocked at the edge firewall. The DNS requests coming from the proxy are allowed through the edge firewall.
3. In the NGFW configuration, clients are allowed to resolve DNS names. DNS resolution is needed for the HTTP and HTTPS communication to work.
4. All other protocols and communication are blocked.

We do not name the proxy or the NGFW product in this report because the focus of this test is the difference between the NGFW and proxy architectures, and not the implementation differences.

3.1 A reference network

We believe that an ideal reference secure network should work the following way:

1. Clients are allowed to browse HTTP/HTTPS websites.
2. Clients are allowed to read e-mails (out of scope of this test).
3. Clients and servers are allowed to access anything else outside of the company on a whitelist basis.

3.2 Lab network

During our test, we created an environment which conforms to the reference secure network. The following diagram explains the test lab setup:

Figure 5 - Example diagram of the test setup

One client workstation is allowed to communicate with the Internet only through the HTTP/HTTPS proxy. The other client workstation is allowed to communicate with the Internet through the NGFW.

3.3 Detailed results

3.3.1 Custom TCP and UDP C&C

A large portion of malware, especially Remote Access Trojans (or Remote Admin Tools), use custom TCP or UDP protocols in the command and control channel.

We tested the following RAT families in our test which used this custom C&C:

• Darkcomet
• NJRat
• JRat
• PoisonIvy
• Gh0st
• PlugX

These C&C communication channels are blocked by default by both the NGFW and the proxy architecture. The NGFW will block this because the protocol will not match the destination port in use. The proxy architecture will block this because these connections will be blocked by default on the edge firewall.

NGFW: Pass    Proxy: Pass

3.3.2 ICMP tunnel

Some malware and tunneling tools use the ICMP protocol to exfiltrate data. Based on our experience, in the proxy configuration ICMP is usually blocked at the edge by traditional firewalls. We do not have enough data on what the best practice is with NGFW firewalls. If ICMP is typically blocked, the NGFW will block the ICMP tunnel as well.

It is important to note that for IPv6 to work, some ICMPv6 packets should be allowed through the firewall. This action will open an ICMP tunnel to the outside world whenever clients are in a network where IPv6 is supported. Our test lab did not support IPv6, so we could not test this scenario. https://tools.ietf.org/html/rfc4890 section 4.3.1 discusses these types of messages.

For example, the Regin APT malware (see 5.1.1 for details) used, and the PlugX RAT (see 5.1.2 for details) uses, ICMP for C&C.

We tested with the Pingtunnel tool and with a PlugX sample.

Figure 6 - PlugX RAT C&C and builder

Figure 7 - Pingtunnel tool C&C communication

Unfortunately, both the Pingtunnel tool and the PlugX RAT were buggy, and we could not control the machine, although both had a full two-way C&C channel. We are certain that if these tools worked, the NGFW would not block them if ICMP is allowed.

NGFW: Pass/configurable    Proxy: Pass/configurable

3.3.3 HTTP channel without proxy support

Malware which uses the HTTP protocol to communicate with the C&C server, but which does not support proxies, is by default allowed through the NGFW firewall, but blocked in the proxy architecture. There is in-the-wild malware using this technique.

Figure 8 - In-the-wild malware using HTTP protocol as C&C

We used an Illusion bot in our tests, which used HTTP as a C&C, but it cannot use the HTTP proxy. Because the malware cannot use the proxy, the C&C communication was dropped at the edge firewall.

We also tested with XtremeRAT, which used the HTTP protocol, but the NGFW blocked it by signature matching.

NGFW: Fail    Proxy: Pass

3.3.4 DNS tunneling

DNS tunneling is a technique where the C&C communication masquerades in DNS packets. It can be very effective from the attacker's point of view, because there is no need for a direct connection between the attackers and the victims, as these DNS queries and responses are.

The PlugX APT group (see 5.1.2 for details) uses DNS tunneling in their RAT malware. During the test, we could not find a working sample where the C&C was also up and accepting the connections. The Cobalt Strike tool can also use DNS tunneling and is also sometimes used by attackers, although it is a tool developed for penetration testers.

In our test, we used the Dnscat tool: https://wiki.skullsecurity.org/Dnscat

During the test, we uploaded and downloaded files between the client and the server. We used a remote shell for interactive command execution.

Figure 9 - Output of the DNS tunneling C&C

Based on our experience, in most organizations using web proxies the workstations are allowed to resolve domain names from the Internet by default through their primary DNS server (typically a domain controller). It is, however, easy to harden the network against this by not configuring forwarder DNS servers: in this case the workstations use a DNS server which only resolves internal hostnames. Meanwhile, all DNS traffic coming from the workstations should be blocked at the edge firewall in this configuration.

A short screencast about DNS tunneling in the NGFW architecture can be found here:

https://youtu.be/dsDUa-MvUs0

A short screencast about DNS tunneling in the proxy architecture can be found here:

https://youtu.be/86jF1Pc7sfw

NGFW: Fail    Proxy: Pass/configurable
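As an added illustration of the detection side of this section (example code written for this edit, not the report's or the Dnscat project's code), the following Python script scores a DNS query log per client and per zone using the traits a tunnel such as Dnscat leaves behind: many unique, long, high-entropy leftmost labels and a query-type mix that browsers never produce. The log format, the field names, the thresholds and the sample lines are all constructed for the example; the two-label zone assumption stands in for a public-suffix lookup.

```python
import math
from collections import defaultdict

# Constructed sample query log (not a capture from the report).
# Format assumed for this example: "<client-ip> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 AAAA mail.example.com
10.0.0.7 TXT 3f9a1c0e7b2d4e6f8a0b1c2d3e4f5a6b.tunnel.test
10.0.0.7 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.tunnel.test
10.0.0.7 TXT 0e1f2a3b4c5d6e7f8091a2b3c4d5e6f7.tunnel.test
10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.test
10.0.0.7 TXT 5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a.tunnel.test
10.0.0.7 TXT 7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b.tunnel.test
10.0.0.7 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; machine-generated labels score close to log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, qtype, qname = line.split()
        yield client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname):
    """Return (leftmost_label, zone). Assumption: the zone is the last two labels;
    production code would consult a public-suffix list instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def analyze(text, min_queries=5, min_label_len=20, min_entropy=3.0, max_a_aaaa_share=0.5):
    """Group queries by (client, zone) and flag groups that look like a data channel:
    enough distinct subdomains, long high-entropy labels, and few plain A/AAAA lookups."""
    stats = defaultdict(lambda: {"labels": [], "types": []})
    for client, qtype, qname in parse_log(text):
        label, zone = split_name(qname)
        group = stats[(client, zone)]
        group["labels"].append(label)
        group["types"].append(qtype)

    findings = {}
    for (client, zone), group in stats.items():
        unique = {label for label in group["labels"] if label}
        if len(unique) < min_queries:
            continue
        mean_len = sum(map(len, unique)) / len(unique)
        mean_ent = sum(map(shannon_entropy, unique)) / len(unique)
        # Browsers and most applications only issue A/AAAA; tunnels lean on TXT/NULL/CNAME.
        a_aaaa = sum(t in ("A", "AAAA") for t in group["types"]) / len(group["types"])
        if mean_len >= min_label_len and mean_ent >= min_entropy and a_aaaa <= max_a_aaaa_share:
            findings[(client, zone)] = {
                "unique_subdomains": len(unique),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "a_aaaa_share": round(a_aaaa, 2),
            }
    return findings


if __name__ == "__main__":
    for key, metrics in analyze(SAMPLE_LOG).items():
        print(key, metrics)
```

The heuristics complement, rather than replace, the architectural control this section describes: when workstations can only reach a resolver that answers for internal names and the edge firewall drops their DNS, the tunnel never leaves the network and the log only shows the failed attempts. Thresholds need tuning per environment, since CDN, telemetry and reputation-lookup services legitimately issue long machine-generated labels, although usually at a far lower volume per client.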

3.3.5 Leaking in the SYN packets – Firestorm attack

SYN packets are just basic TCP packets with the SYN flag set. Thus, every SYN packet can have a TCP data payload. This attack was first discovered by Cynet [2] and is called Firestorm. During the tests, we were able to validate these results. This attack does not provide a full C&C channel: data can only be sent from the client to the server, and any SYN,ACK response carrying a TCP data payload will not be received by the client. It is interesting that it is even possible to leak to servers which are blocked.

In our test configuration, we allowed the HTTP and HTTPS protocols and allowed access to Google only. The Firestorm client was able to leak data to our web server, which is outside of the google.com domain.

[2] https://www.cynet.com/blog-firestorm/

Figure 10 - Network capture of traffic leaking data in SYN packets

In a proxy configuration, the proxy initiates the TCP connection to the web server, so it is not possible to leak data this way.

A short screencast about the Firestorm attack in the NGFW architecture can be found here:

https://youtu.be/rXdlOVrh4I4

A short screencast about the Firestorm attack in the proxy architecture can be found here:

https://youtu.be/pofYqaNclAE

NGFW: Fail    Proxy: Pass
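To show how the Firestorm leak described above looks to a defender (an added example for this edit, not code from Cynet or from the report), the Python below parses raw IPv4/TCP packets and flags any initial SYN, that is SYN set and ACK clear, that carries TCP payload. The packet builder is only a test fixture that assembles bytes in memory so the parser has input; addresses, ports and the 16-byte payload are constructed values.

```python
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def parse_ipv4_tcp(packet: bytes):
    """Minimal IPv4/TCP parser returning addresses, ports, flags and payload.
    Raises ValueError for non-IPv4, non-TCP or truncated input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    if len(packet) < total_len or total_len < ihl + 20:
        raise ValueError("truncated packet")
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    tcp = packet[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if len(tcp) < data_off:
        raise ValueError("truncated TCP header")
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": tcp[data_off:]}


def is_syn_with_payload(pkt) -> bool:
    """True for an initial SYN (SYN set, ACK clear) that carries TCP data."""
    f = pkt["flags"]
    return bool(f & TCP_SYN) and not (f & TCP_ACK) and len(pkt["payload"]) > 0


def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed test fixture: assemble a minimal IPv4/TCP packet in memory
    (checksums left zero) so the parser above has something to read."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


def scan(packets):
    """Return (src, dst, dport, payload_len) for every SYN that carries data;
    anything that does not parse as IPv4/TCP is skipped."""
    findings = []
    for raw in packets:
        try:
            pkt = parse_ipv4_tcp(raw)
        except ValueError:
            continue
        if is_syn_with_payload(pkt):
            findings.append((pkt["src"], pkt["dst"], pkt["dport"], len(pkt["payload"])))
    return findings


# Constructed sample capture: a normal handshake SYN and ACK, then one SYN carrying 16 bytes.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "198.51.100.20", 51000, 80, TCP_SYN),
    build_ipv4_tcp("10.0.0.5", "198.51.100.20", 51000, 80, TCP_ACK),
    build_ipv4_tcp("10.0.0.7", "203.0.113.9", 51001, 443, TCP_SYN, b"X" * 16),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("SYN with payload:", hit)
```

A perimeter rule that drops SYNs carrying data, or the NGFW equivalent, closes this channel in the NGFW architecture. The caveat is TCP Fast Open (RFC 7413), which legitimately places request data in the SYN of a repeat connection, so a hard drop should be paired with a list of destinations where TFO is expected. The detector deliberately ignores the SYN,ACK direction because, as the section notes, that data never reaches the client.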


3.3.6 Leak data in single request-response

The NGFW architecture allows two packets to pass through after the 3-way handshake. These packets can be used to create a full C&C channel. These packets do not have to conform to the protocol.

It is possible to leak data in the NGFW architecture using port 80 (HTTP) over a protocol which does not conform to the HTTP protocol. First, the client workstation sends a request with data (not conforming to the HTTP protocol) to the C&C server. After that, the server replies with some other data and finally the client closes the connection. We found multiple in-the-wild malware samples where the initial handshake was able to leak data to the attackers in the NGFW architecture.

Figure 11 - Data leaked by the Quasar RAT

The proxy architecture is not vulnerable to this kind of C&C communication.

We tested with the Quasar RAT, which already leaked information in the first packet. In this method, although the C&C is blocked, the attackers know their attack was successful. They just have to work on their C&C.

A short screencast about leaking data in the first TCP packets in the NGFW architecture can be found here:

https://youtu.be/-49SmujCpfM

NGFW: Fail    Proxy: Pass

3.3.7 Firewall evasion techniques

There are many firewall evasion techniques which completely bypass an NGFW firewall. The vulnerabilities are an implementation issue with the NGFW itself. These bypasses have been known for a long time and still exist in the latest builds, which demonstrates that, in practice, such bypasses last for a long time.

For this test, we used the HTTP evader tool found on http://http-evader.semantic-gap.de. In total, 71 different evasions were detected.

Figure 12 - 71 firewall evasions found

For example, the following bypasses were found – 71 in total:

• size followed by char \000
• chunked with some junk chunk extension
• double Transfer-Encoding: first chunked, last junk. Also, Content-length header. Served chunked.
• content-encoding deflate but with double continuation line, served with deflate
• served gzip+deflate+gzip, separate content-encoding header
• header end \n\r\n
• invalid status code, only single digit
• …

The proxy configuration is not vulnerable to such evasion attacks because a proxy interprets and sometimes rewrites the HTTP requests. Meanwhile, an NGFW tries to parse the HTTP request and blocks it if something malicious is found.

NGFW: Fail    Proxy: Pass
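The two preceding sections (3.3.6 and 3.3.7) share one root cause: an inspecting device has to guess how the endpoint will interpret bytes that do not conform to HTTP, while a proxy parses them itself and refuses or rewrites what it cannot interpret. The Python below is an added example of that strict-parser stance, written for this edit and not code from the HTTP evader tool or from any product. check_request_head() verifies that the first bytes a client sends on port 80 form an HTTP/1.x request line (the 3.3.6 case), and check_response() rejects the framing ambiguities listed above: duplicate or conflicting Transfer-Encoding and Content-Length, chunk extensions or junk after the chunk size, folded continuation lines, stacked Content-Encoding, bare-LF header terminators and malformed status codes. All sample messages are constructed.

```python
import re

METHOD_RE = re.compile(rb"^[A-Z]+ [^ \r\n]+ HTTP/1\.[01]\r\n")
STATUS_RE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2}(?: [^\r\n]*)?\r\n")
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+\r\n")   # plain hex size, CRLF, nothing else


def check_request_head(data: bytes):
    """(ok, reason) for the first bytes a client sends on port 80: must be a request line."""
    if not METHOD_RE.match(data):
        return False, "first bytes are not an HTTP/1.x request line"
    return True, "request line ok"


def split_head(data: bytes):
    """Split on the only accepted terminator CRLFCRLF; a bare LF anywhere in the head is rejected."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None, None
    head, body = data[:end], data[end + 4:]
    if b"\n" in head.replace(b"\r\n", b""):
        return None, None
    return head, body


def parse_headers(head: bytes):
    """List of (name_lower, value) keeping duplicates; obsolete line folding is rejected."""
    headers = []
    for line in head.split(b"\r\n")[1:]:
        if line[:1] in (b" ", b"\t"):
            return None
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return None
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_chunks(body: bytes):
    """Every chunk size must be plain hex followed by CRLF: no extensions, no junk bytes."""
    pos = 0
    while True:
        m = CHUNK_SIZE_RE.match(body[pos:])
        if not m:
            return False, "bad chunk size line (extension, junk or missing CRLF)"
        size = int(m.group(0).strip(), 16)
        pos += m.end()
        if size == 0:
            return (True, "ok") if body[pos:] == b"\r\n" else (False, "data after last chunk")
        if body[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk data not terminated by CRLF"
        pos += size + 2


def check_response(data: bytes):
    """Strict response framing check: reject ambiguity instead of guessing how a client parses it."""
    if not STATUS_RE.match(data):
        return False, "malformed status line"
    head, body = split_head(data)
    if head is None:
        return False, "bad header terminator or bare LF"
    headers = parse_headers(head)
    if headers is None:
        return False, "malformed or folded header"
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    ce = [v for n, v in headers if n == b"content-encoding"]
    if len(te) > 1 or len(cl) > 1 or len(ce) > 1:
        return False, "duplicate framing header"
    if te and cl:
        return False, "both Transfer-Encoding and Content-Length"
    if ce and ce[0].lower() not in (b"gzip", b"deflate", b"identity"):
        return False, "stacked or unknown Content-Encoding"
    if te:
        if te[0].lower() != b"chunked":
            return False, "unsupported Transfer-Encoding"
        return check_chunks(body)
    if cl and (not cl[0].isdigit() or int(cl[0]) != len(body)):
        return False, "Content-Length does not match body"
    return True, "ok"


# Constructed samples (not captures from the report): two legitimate responses, then one per evasion class.
SAMPLES = {
    "good_chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "good_length": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
    "chunk_extension": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5;junk\r\nhello\r\n0\r\n\r\n",
    "size_then_nul": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\x00\r\nhello\r\n0\r\n\r\n",
    "double_te_and_cl": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: junk\r\n"
                        b"Content-Length: 5\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "folded_ce": b"HTTP/1.1 200 OK\r\nContent-Encoding:\r\n deflate\r\n deflate\r\nContent-Length: 2\r\n\r\nok",
    "stacked_ce": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip, deflate, gzip\r\nContent-Length: 2\r\n\r\nok",
    "lf_header_end": b"HTTP/1.1 200 OK\r\nContent-Length: 2\n\r\nok",
    "single_digit_status": b"HTTP/1.1 2 OK\r\nContent-Length: 2\r\n\r\nok",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:22s} {check_response(msg)}")
```

Chunk extensions and obsolete line folding are syntactically legal in RFC 7230 but almost never seen from real servers, so refusing them at a gateway is a reasonable policy. The trade-off is that the gateway's interpretation becomes the only one every client behind it sees, which is exactly the property the proxy architecture relies on; a device that only inspects and forwards the original bytes cannot offer that guarantee, because the client's own parser may accept what the inspector rejected, or the reverse.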

3.3.8 Proxy-aware malware using HTTP C2

If a malware uses the HTTP protocol (or websockets) for communication and also supports the use of proxies, it can bypass both the NGFW and the proxy architecture.

We found multiple in-the-wild malware samples using this technique. For example, Meterpreter is commonly used in the wild. Although Meterpreter started in both the NGFW and the proxy configuration, the shell was broken because both products detected and blocked it, either via signatures or some other way. But this blocking was due to reactive technologies, and not because of the difference between the proxy and NGFW architecture.

We also tested with the leaked HackingTeam Scout module. All Scout C&C packets were blocked by the proxy.

Figure 13 - HackingTeam Scout module with malformed request

This Scout module leaked critical information from the machine (like programs installed, hardware/OS information) in the NGFW configuration before the connection was closed. For unknown reasons, the NGFW blocked the C&C before the client was able to send the screenshots to the server.

Figure 14 - Information stolen from the workstation by the HackingTeam Scout module in an NGFW architecture

We also tested both architectures with a modified Hidden Tear ransomware sample. Hidden Tear uses .NET libraries, thus it is proxy-aware by default. If the C2 server is on a domain which is not blacklisted, both the proxy and the NGFW architecture allow the C&C communication, and this results in the user files being encrypted.

Based on the implementation and configuration of the NGFW or the proxy, these attacks could be blocked either via domain reputation or by signatures (as was the case with Meterpreter). Any decent Advanced Persistent Threat actor can create a C&C infrastructure with a good domain reputation and a C&C protocol which is not detected by signatures.

NGFW: Fail    Proxy: Fail

3.4 Results of the RAT tests

The following table summarizes the results:

Test                                            NGFW                Proxy
Custom TCP and UDP C&C                          Pass                Pass
ICMP tunnel                                     Pass/configurable   Pass/configurable
HTTP channel without proxy support              Fail                Pass
DNS tunneling                                   Fail                Pass
Leaking in the SYN packets – Firestorm attack   Fail                Pass
Leak data in single request-response            Fail                Pass
Firewall evasion techniques                     Fail                Pass
Malware using HTTP and proxy                    Fail                Fail

3.5 Comparison of explicit proxy and the next-generation firewall architecture

We can conclude that the proxy architecture is more secure by default compared to the NGFW architecture, because the architecture itself breaks multiple C&C channels, tunneling protocols and evasion techniques by default. This result is in line with the base principle of why the proxy architecture was born in the 80's and spread in the 90's [3].

The proxy architecture adds multiple extra layers of security to the network compared to the NGFW. First, any malware which does not know how to use HTTP proxies will be blocked immediately. Second, by initiating the TCP connections from the proxy to the web server, the proxy will not be susceptible to firewall evasions (at the TCP and IP layers). The same applies to evasions used in the HTTP protocol, because the proxy understands and interprets every header sent and received. Meanwhile, because the DNS resolution happens at the proxy server, it is easy to block all DNS tunneling just by not allowing internal clients to resolve external IP addresses.

3.5.1 A note on IPv6

Ever since NAT (Network Address Translation) became widespread in the '90s, it has not been an issue (from one specific point of view) when clients connect to web servers directly without a proxy, because the server cannot connect back to the client due to NAT: the web server only sees the external IP of the client, and connecting to that external IP does not reach the client.

The situation will change as IPv6 becomes more and more common. Whenever a client workstation connects to an IPv6 web server directly, the web server learns the IPv6 address of the client, and with this information, other parties might try to connect to the client's IPv6 address directly for a short period. This window of time depends on the client OS, but a client usually uses the same IPv6 address for 24 hours, which means that the IPv6 address will work for 12 hours on average.

Any decent firewall should block incoming IPv6 packets from the Internet to the workstations. However, mistakes happen all the time. As mentioned in 3.3.2, some ICMPv6 packets should travel through the firewall, which means the whole Internet should be able to send some packets to the workstations. This setup can be exploited, for example, if the network stack (network driver, ICMP implementation, etc.) of the workstation is vulnerable.

In a proxy configuration, the client does not even have to know that the web server is using IPv6. In this case, the client does not have to speak IPv6 to connect to an IPv6 web server, because the client can communicate over IPv4 with the proxy and the proxy will use IPv6 to connect to the web server. It is enough if the web proxy can access the IPv6 Internet. This means the Internet should be able to access the proxy only, and the Internet can learn only the IPv6 address of the proxy, and not the IP addresses of the workstations.

[3] https://www.w3.org/History/1994/WWW/Proxies/Reasons.html - from 1994

The conclusion of this IPv6 section is that in the IPv4 world NAT provided an added layer of protection by breaking the end-to-end communication. In the IPv6 world, this end-to-end communication brings back some security risks. But when a company uses a web proxy, this end-to-end communication is protected by the proxy itself, by hiding the clients from the web servers, similar to NAT. In an NGFW architecture, the clients will not be protected, and some packets (e.g. ICMP) will reach the workstations from the Internet. Although this is rare, ICMP packets can exploit vulnerabilities in the operating system network stack.

Implementing IPv6 throughout a whole enterprise is still a challenge today.

4 Conclusion

The proxy architecture is more secure by default compared to the NGFW architecture, because the architecture itself breaks multiple C&C channel classes, tunneling protocols and evasion techniques by default. By blocking access to these different channels, IT and ITSEC can focus monitoring and policies on the remaining channel (malware using HTTP/HTTPS with proxy support).

Test                                            NGFW                Proxy
Custom TCP and UDP C&C                          Pass                Pass
ICMP tunnel                                     Pass/configurable   Pass/configurable
HTTP channel without proxy support              Fail                Pass
DNS tunneling                                   Fail                Pass
Leaking in the SYN packets – Firestorm attack   Fail                Pass
Leak data in single request-response            Fail                Pass
Firewall evasion techniques                     Fail                Pass
Malware using HTTP and proxy                    Fail                Fail

5 Appendix

5.1 Recent examples of RATs attacking enterprises

In the following sections, we will provide a brief overview of some of the samples which use the C&C channels discussed previously.

5.1.1 Regin RAT – ICMP, HTTP, HTTPS

https://cdn.securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

“For more than a decade, a sophisticated group known as Regin has targeted high-profile entities around the world with an advanced malware platform. As far as we can tell, the operation is still active, although the malware may have been upgraded to more sophisticated versions. The most recent sample we've seen was from a 64-bit infection. This infection was still active in the spring of 2014.

From some points of view, the platform reminds us of another sophisticated malware: Turla. Some similarities include the use of virtual file systems and the deployment of communication drones to bridge networks together. Through their implementation, coding methods, plugins, hiding techniques and flexibility, Regin surpasses Turla as one of the most sophisticated attack platforms we have ever analyzed.”

https://en.wikipedia.org/wiki/Regin_(malware)

“Regin is stealthy and does not store multiple files on the infected system; instead it uses its own encrypted virtual file system (EVFS) entirely contained within what looks like a single file with an innocuous name to the host, within which files are identified only by a numeric code, not a name. The EVFS employs a variant encryption of the rarely used RC5 cipher. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies and custom TCP and UDP protocols with a command and control server which can control operations, upload additional payloads, etc.”

5.1.2 PlugX RAT – DNS, ICMP, HTTP, HTTPS

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

“In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as four million people. Later, FBI Director James Comey put the number at 18 million. The data breach, which had started in March 2014 or earlier, was noticed by the OPM in April 2015. It has been described by federal officials as among the largest breaches of government data in the history of the United States. Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses. The hack went deeper than initially believed and likely involved theft of detailed security-clearance-related background information.

On July 9, 2015, the estimate of the number of stolen records had increased to 21.5 million. This included records of people who had undergone background checks, but who were not necessarily current or former government employees. Soon after, Katherine Archuleta, the director of OPM, and former National Political Director for Barack Obama's 2012 reelection campaign, resigned.”

https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

“One of the US-CERT team's first moves was to analyze the malware that Saulsbury had found attached to mcutil.dll. The program turned out to be one they knew well: a variant of PlugX, a remote-access tool commonly deployed by Chinese-speaking hacking units. The tool has also shown up on computers used by foes of China's government, including activists in Hong Kong and Tibet. The malware's code is always slightly tweaked between attacks so firewalls can't recognize it.

The hunt to find each occurrence of PlugX continued around the clock and dragged into the weekend. A sleeping cot was squeezed into the command post, where temperatures became stifling when the building's air conditioners shut off as usual on Saturdays and Sundays.”

5.1.3 PoisonIvy RAT – DNS, HTTP, HTTPS

http://blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html

http://securityaffairs.co/wordpress/57212/apt/poison-ivy-rat-china.html

https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

“Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam's Flash zero-day exploit.

The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.

…This discovered file was found to be an instance of the common Poison Ivy malware family”

5.1.3.1 The RSA hack with Poison Ivy

https://www.theregister.co.uk/2011/04/04/rsa_hack_howdunnit/

“RSA has provided more information on the high-profile attack against systems behind the EMC division's flagship SecurID two factor authentication product.

The attack itself involved a targeted phishing campaign that used a Flash object embedded in an Excel file. The assault, probably selected after reconnaissance work on social networking sites, was ultimately aimed at planting back-door malware on machines on RSA's network, according to a blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.

In this case, the attacker sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read "2011 Recruitment Plan".

The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled "2011 Recruitment plan.xls".

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.

Rivner compared the hack to stealth bombers getting past RSA's perimeter defenses. He said many other high profile targets, such as Google via the Operation Aurora attacks, had been hit by such "Advanced Persistent Threats" (an industry buzzword that often boils down to a combination of targeted phishing and malware).

In the case of the RSA attack the assault involved a variant of the Poison Ivy Trojan. Once inside the network, the attacker carried out privilege elevation attacks to gain access to higher value administrator accounts. Such stepping stone attacks allow hackers to jump from compromised access to a low interest account onto accounts with far more privileges before carrying out the end purpose of a multi-stage assault, normally the extraction of commercially or financially sensitive information. Even though RSA detected the attack in progress hackers still managed to make off with sensitive data, as Rivner explains.”

5.2 About MRG Effitas

MRG Effitas is a UK based, independent IT security research organization that focuses on providing cutting-edge efficacy assessment and assurance services, the supply of malware samples to vendors, and the latest news concerning new threats and other information in the field of IT security.

MRG Effitas' origin dates back to 2009, when Sveta Miladinov, an independent security researcher and consultant, formed the Malware Research Group. Chris Pickard joined in June 2009, bringing expertise in process and methodology design gained in the business process outsourcing market.

The Malware Research Group rapidly gained the reputation of the leading efficacy assessor in the browser and online banking space and, due to increasing demand for its services, was restructured in 2011 and became MRG Effitas, with the parent company Effitas.

Today, MRG Effitas has a team of analysts, researchers and associates across EMEA, UATP and China, ensuring a truly global presence.

Since its inception, MRG Effitas has focused on providing ground-breaking testing processes and realistically modeling real-world environments in order to generate the most accurate efficacy assessments possible.

MRG Effitas is recognized by several leading security vendors as the leading testing and assessment organization in the online banking, browser security and cloud security spaces, and has become the partner of choice.

Our analysts have the following technical certificates:

Offensive Security Certified Expert (OSCE), Offensive Security Certified Professional (OSCP), Malware Analysis (Deloitte NL), Certified Information Systems Security Professional (CISSP), SecurityTube Linux Assembly Expert, SecurityTube Python Scripting Expert, Certified Penetration Testing Specialist (CPTS), Computer Hacking Forensics Investigator (CHFI), and Microsoft Certified Professional (MCP).