Monthly Archives: April 2013

Q&A Follow-up – Tools of Engagement: The Mechanics of Threat Intelligence

As a follow-up to our recently held Tools of Engagement - The Mechanics of Threat Intelligence: Analysis, Information Sharing and Associated Challenges webinar, questions answered by presenters Doug Wilson and Jen Weedon are listed below. To view the archived webinar, please click here.

1. We received some questions asking about work being done by Mandiant and others on open source intelligence sharing. We've got some questions about STIX and TAXII in comparison to other frameworks.

To succeed with sharing indicators internally or externally, you have to pick a standardized format. That can be anything, honestly, from a tab-delimited file to complicated XML. If you are looking at sharing outside your organization, there are a couple of different standards that are out there to look at.

OpenIOC is what Mandiant uses for recording and transmitting threat indicators. DHS funds a project through MITRE called STIX, with a transport and exchange mechanism that is called TAXII. IETF also has the MILE working group, which has a protocol named IODEF, which uses RID as its transfer and exchange mechanism. These are all ways of packaging up threat information and shipping them off to other people or organizations. We've been looking at interacting with both groups, and trying to make sure that OpenIOC interacts with both sets of protocols where it can.

A lot of people are still very uncomfortable with the idea of sharing openly, so a lot of the sharing that's happening out there is going to be happening in smaller, closed groups.

The protocols that we have discussed are all open standards, whether somebody is sharing in a small group or somebody is sharing in a large group. Since they are all open and feely available, there's not any restrictions to using them for sharing, and ultimately, we're hoping that there are some corporations out there that are standing up sharing portals - there are also government entities that are doing this as well. We're hoping that ultimately, people will be able to pick the tools that work properly for their particular situation. But whatever standard (or standards) shakes out as being the one most people use, it will need to be something that's open and accessible.

There were several questions about sharing groups. If you're not familiar with the idea of an ISAC, I looking them up online. ISAC stands for Information Sharing and Analysis Center. There's an ISAC Council website that lists a bunch of the ISACs (not endorsed by Mandiant, but for reference: http://www.isaccouncil.org/memberisacs.html). Some of the larger ISACs have their own events and conferences, FS-ISAC is one that is engaged in adopting threat information sharing standards (such as STIX).

There are also specific groups for the Defense Industrial Base, or DIB. Associated with the DoD Cybercrime Center (DC3) is the DoD-DIB Collaborative Information Sharing Environment (DCISE).

2. As an investment bank, how should we advise our clients concerning cyber security audit and compliance prior to making an acquisition?

We have seen threat activity around or related to acquisitions and mergers. Entities should be aware that advanced attackers are often quite aware of business decisions and movements in industries that they're targeting, so you should take this into account when determining how you want to allocate resources for risk management.

We can't directly advise any specific course of action, and folks should consult their counsel or their risk management personnel on specific actions, but on numerous occasions we have been asked to do investigations that center around acquisitions and mergers. We often advise our clients to consider doing threat assessments as part of the due diligence process when they are thinking of acquiring other companies. In addition, we conduct regular analysis on risk factors for companies who may be targeted by advanced threat actors to identify which variables may place them at higher likelihood of being targeted, and why. These variables may include the industry they're in, their intellectual property, strategic partnerships, business strategy, and overseas operations.

3. What are the options - in other words, legal or technical - available to counterattack hackers from world nations who don't respect international laws?

Mandiant does not endorse or support hacking back in any form. We suggest an in-depth incident response life cycle within your organization's network and host, and an ongoing cycle of detection, response and containment. We also suggest reaching out to law enforcement or appropriate authorities responsible for national security

4. What are the most important items to gather and share with a threat team for vulnerability analyses?

An accurate depiction of vulnerabilities in an enterprise can help inform risk management decisions. This should be a two-way communication. A team that deals with threats can prioritize responding to some threats above others if they know certain vulnerabilities or weaknesses exist within their environment, and then the threat team can talk with whoever does the vulnerability assessment if they think certain types of actors are more likely to exploit certain types of vulnerabilities, so those vulnerabilities have a higher priority for getting fixed.

5. What kind of training do you suggest for intelligence analysis, especially cyber threat intelligence analysis?

One of the most important things a company can do, or anyone that does threat intel in an office can do is to get the technical folks and the sort of more traditional intel analysts in the room together to observe sort of how the other side works.

It may not be possible to fully cross-train both types of personnel on each other's disciplines, but the more interaction they have and the more folks get out of their comfort zones with what they're used to doing, the better your teams will understand with each other. Communication is key, especially when dealing with technical and non-technical teams having to work together.

6. Strategic versus tactical - why would individual firms care beyond what protects them from immediate threats? In other words, why would they care about strategic over the tactical?

This gets into debates about attribution, categorization of threats and threat tracking, and what that matters, which is a large topic in and of itself. It really depends on where an organization is in terms of the maturity of its security capabilities.

If an organization's security interests are strictly operational and are just looking at turning stuff away from the firewall and blocking things, the idea of this longer-term view of threat actors is not going to be interesting, because they are just looking at what can immediately stop the bleeding. As an organization becomes more mature in their security posture and starts to evolve it into basing security off of threat intelligence, they will be able to appreciate the use of strategic intelligence. But this requires an investment of a lot more resources, and investment in personnel and programs that are not normally considered standard for traditional "information security" yet.

7. Is threat intelligence a myth?

Again, this depends a lot on the maturity level that a security program is at. It's not a myth, but it might be useless to entities that do not have the resources or focus to do anything with threat intelligence.

We've seen that attribution is one area where people can go down a lot of rabbit holes. Some folks spend a lot of time arguing about the merit of attribution, and can get wrapped around the fact that attribution down to a specific human being is nearly impossible on the Internet. It doesn't necessarily matter who is at the keyboard unless you're a nation state or you're somebody who's going to be somehow doing an international lawsuit against a particular person.

But the groups of actors, and what is motivating these groups to make them want to act against your enterprise, should be of interest to you. If you want to be proactive about securing your network and distributing resources to protect your network, it helps to know that someone is using a particular type of attack and they're not using another set of attacks. This may help you determine how to allocate resources for defense.

If you have less resources, if you have a less mature security posture, if you're not as involved in terms of where you are in the life cycle of getting a sophisticated security program set up - and a lot of people are having a hard time getting down that road because you have the classic problems of justifying your budget, or convincing your CEO that they care - you're not necessarily going to care about a strategic view of threat actors.

But if you're someone who's invested more in security, you have a larger investment in spending money on this and doing some sort of defense that is informed by a strategic viewpoint, it's going to matter a lot more, and we're seeing a lot more major companies turning in this direction, over time. So there could be naysayers, but the market is slowly speaking out against them.

8. What are some resources for analysts and detailed methodologies and curriculums as well as buying threat intelligence and reviews on different products and services?

Without going into specifics on the latter question, there are certainly a lot of industry research organizations that have racked and stacked different threat intelligence providers and their solutions.

I guess it really gets to what you can consume. Like Doug was saying, if you have the resources and the political will inside your organization to consume more strategic intelligence, you may have different needs and pursue different solutions providers.

In terms of developing a threat intel capability, there are certainly lots of firms out there, including Mandiant, who consult on what you need to do to mature in that sense.

9. Is there public or closed IOC sharing platforms besides ioc.forensicartifacts.com?

A couple of other entities out there are using OpenIOC publicly. If you are familiar with the company AlienVault, their lab, when they do posts of threat information and blog posts about malware, will include an IOC as part of their sharing.

We also do that with some of our blog posts and forum posts. Some of those are open and some of those closed to our customers, depending on the level of content. There, unfortunately, is not a wonderful public open sharing site for all of the IOCs out there other than http://ioc.forensicartifacts.com.

Most people are still kind of uncomfortable with the idea of sharing openly, so you're going to see closed communities springing up here and there and, over time, they're going to open up or improve or share with larger audiences. We hope to continue to contribute to that conversation as it evolves.

10. What are the sources of IOCs

IOCs can come from a variety of sources. In Mandiant's case, they are a product of a wide variety of different sets of input throughout our business units, curated over time by our intel team. We capture IOCs from our investigative work, from feedback from our product and managed services customers, and from a wide variety of intel sources, including examining malware and network traffic. Organizations could create IOCs from their own knowledge of threats that they face, but usually they use a combination of their knowledge plus information gleaned from other security or intelligence sources.

11. What kind of IOC would you recommend sharing publicly or just in closed groups, so attackers don't know detection methods?

IOCs don't necessarily give away detection methods. Specific pieces of intelligence may give away sources and methods, and you need to determine risk to your intel sources before sharing anything. However, in most cases, especially if you are already trying to combat an opponent that has launched attacks against your networks, they probably assume that you can capture anything that they may deploy against you. If you are using external sources of intelligence, the situation becomes more complex, which is where having trained intelligence staff and experienced analysts can help you make appropriate decisions. The risk tolerance of each organization is going to be different, so it will likely be something that you will have to tailor to your organization's limits.

12. What are some products that can be used for capturing/managing intelligence?

We have previously discussed the use of threat intel in the form of IOCs. The freely available Mandiant IOC Editor can be used to write and edit IOCs, and Redline can consume IOCs for host based investigations. Both of these complement the commercial Mandiant for Intelligent Response® offering.

Mandiant IOC Editor

Redline

Additionally, during the webinar we were also asked about tools for gathering and cataloging more strategic intelligence. None of these are endorsed by Mandiant. However, some examples of tools to consider are:

Splunk http://www.splunk.com/

Palantir http://www.palantir.com/what-we-do/

Lynxeon http://www.21ct.com/products/lynxeon/

13. Do domains and IPs alone attribute activity to an actor if the actor was seeing using a domain or an IP once?

Attribution to actors is a complicated and time-consuming process. Actors' use of certain domains or IPs as part of their attack infrastructure is only part of the story. Threat groups also frequently share infrastructure, malware, or other tools. There's certainly no 1:1 correspondence between IPs and domains and specific actors, especially if you've only observed the correlation once. They're useful data points for more thorough analysis.

New Targeted Attack On Taiwanese Government & Tibetan Activists Open Up a Can Of Worms – GrayPigeon, Hangame & Shiqiang gang

We observed new targeted attacks targeting various personnel with pro-Tibetan views.  The targets? We’ve seen targets at various branches of the Taiwanese government as well as a professor at the Central University Of Tibetan Studies in India.

Taiwan is a logical target since they have a history of accepting Tibetan refugees. Also, the other target is a professor at the Central University Of Tibetan Studies in India—a institution founded by the first Prime Minister of India with the Dalai Lama himself. It was established in 1967 to educate exiled Tibetans and to preserve Tibetan culture and history.

The attackers, called the "Shiqiang gang", show a consistent modus operandi. They use similar remote administration tool (RAT) payloads, stolen certificates, and seem to target anyone pro-Tibetan. The RAT payload in this attack in called "GrayPigeon," also known as "Huigezi" in Chinese[2]. It is very popular in the Chinese webspace which indicates that the attackers speak the language. The RAT payload has multiple layers of encryption making it harder to identify.

Attack Vector:

The threat arrives in the form of a targeted email with an XLS attachment. The content  of the emails are as shown below in Figure 1 and Figure 2. The email attempts to draw on the sentiments of the Taiwanese government and activists towards the exiled members of the Tibetan government.

[caption id="attachment_1707" align="alignnone" width="584"] Figure 1[/caption]

 

[caption id="attachment_1708" align="alignnone" width="590"] Figure 2[/caption]

The content of both the emails are similar and roughly translate to:

 

To friends who care about the Tibetan government-in-exile

Now we publish this for you <<Tibetan government-in-exile offices in the Americas 2013 for the second half the year with detail list requesting for comments>>

Do not distribute this letter and this is only for friends who care about this

Also hope that you can actively participate in our activities in the second half of the year

                   Office of the Tibetan government-in-exile in the Americas

                    Chinese chief liaison officer Gongga Tashi kungatashi

 

Technical Analysis: How the Attack Works

The attached file in both emails is the same (2010790755b4aca0edc3c50ee8480c0b) When opened, the XLS file exploits CVE-2012-0158 and launches a decoy document as shown in Figure 3. The decoy document contains a ruse as usual and this time it states that Tibetan fonts are missing. In the background, it drops a series of files eventually leading to the launch and execution of 2013soft.dll. This in turn injects a RAT payload in to explorer.exe.

[caption id="attachment_1703" align="alignnone" width="629"] Figure 3[/caption]

Analysis of Payload:

The main functionality lies within 2013soft.dll (28426ddc3c49635c11a2ee72118e9814) and the subsequent DLL it decrypts and injects in to explorer.exe (05eda4aaa49b2409f52cf2356f4a91db).

On inspection of 2013soft.dll, it is evident that this payload contains a rather large resource section. The MAIN stub in resource section holds large amount of data however it appears to be encrypted.

[caption id="attachment_1710" align="alignnone" width="648"] Figure 4[/caption]

On dynamic analysis of the payload, it becomes clear that the Main stub eventually decrypts to the final DLL payload. The stub is loaded into memory and decrypted using the loop shown in Figure 5. It operates on 8 bytes of data at a time and uses the 16 bytes key "1234567890ABCDEF". This, in addition to that fact that it uses the constant value 0x9E3779B9, gives away the algorithm as TEA (Tiny encryption algorithm). The TEA algorithm uses this value as the Delta constant.

[caption id="attachment_1711" align="alignnone" width="427"] Figure 5[/caption]

It then jumps to the decrypted stub after setting the memory region it resides in as executable. The start of this decrypted MAIN stub contains an XOR decryption loop shown in Figure 6. This decryption loop decrypts the remainder of the stub. Notice how the XOR key "0x27691C" is only 3 bytes in length but the EAX pointer is incremented by 4. This means the first byte in every 4 bytes (little endian) is not subjected to XOR.

[caption id="attachment_1713" align="alignnone" width="421"] Figure 6[/caption]

You would think we have the payload after two levels of decryption but not in this case. It jumps to another shellcode, which performs a rolling byte XOR decryption using a 4 byte key on the latter part of the stub.

[caption id="attachment_1714" align="alignnone" width="465"] Figure 7[/caption]

Now we are getting somewhere as we can see an MZ file header interspersed with other characters past the "MinxxxA" marker as shown in Figure 8. This data is then subjected to what appears to be a custom decompression algorithm, following which it is injected into a new instance of explorer.exe

[caption id="attachment_1709" align="alignnone" width="567"] Figure 8[/caption]

The injected DLL payload is a variant of the RAT called "GrayPigeon"[2] also known as "Huigezi" which is popular in the Chinese web space. It is written in Delphi and contains comprehensive functionality. The RAT uses various Pascal modules [3] such as "TscreenCaptureUnit.pas" and "UnitServices.pas" also widely seen on Chinese forums and associated with this RAT.

It creates a mutex "\BaseNamedObjects\windows!@#$" and sets up startup persistence by adding a registry key "\Software\ts\Explorer\run\2013Soft\run = rundll32.exe C:\WINDOWS\2013soft.dll,Player". In this case the RAT was observed key logging and storing the data under C:\WINDOWS\2013soft.log along with the corresponding Window names.

It then uses the same TEA (Tiny Encryption algorithm) described earlier to decrypt the address of the command and control server "help.2012hi.hk". It reuses the key "1234567890ABCDEF" for TEA decryption. It makes a DNS query specifically to Google’s DNS server 8.8.8.8 and it attempts to connect to the resolved server on port 91.

[caption id="attachment_1706" align="alignnone" width="720"] Figure 9[/caption]

We observed the following outbound communication on port 91.

[caption id="attachment_1712" align="alignnone" width="576"] Figure 10[/caption]

This GrayPigeon RAT instance we analyzed had extensive functionality and a summary of the features is listed below:

  • Determine Host name and OS version
  • Ability to log keystrokes and mouse events
  • Ability to capture users screen
  • Ability to use Telnet protocol
  • Ability to send and receive files
  • Sniff URL addresses from Internet Explorer and read form values
  • Get list of active services
  • Ability to shutdown/restart etc.

Connection to Shiqiang Gang:

We mined for other samples talking to the same C&C infrastructure and we found two with the md5sums 4e454584403d5521abea98d21ee26f72 and 7de5485b7dd154a9bbd85e7d5fcdbdec which drop Hangame RAT and GrayPigeon RAT respectively. The RAT payloads in these instances also phone home to help.2012hi.hk. This C&C domain was also referenced in a white paper published by Symantec as part of the overall campaign coined the Elderwood project [4]. The campaign in the current instance and related samples are more in line with Tibetan themed attacks on NGOs and Taiwanese officials. The campaign also heavily uses stolen certificates. These have been attributed with the Shiqiang gang as discussed by Snorre Fagerland from Norman[1] and also discussed by Trend [5] and AlienVault [6].

[caption id="attachment_1705" align="alignnone" width="582"] Figure 11[/caption]

The decoy document associated with 7de5485b7dd154a9bbd85e7d5fcdbdec also has a Taiwanese target as evident from the contents of the document.

[caption id="attachment_1704" align="alignnone" width="791"] Figure 12[/caption]

Also, both these two variants interestingly have digital certificates in the payload [1]. The certificate for 4e454584403d5521abea98d21ee26f72 is a stolen certificate that has already been revoked.

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            38:93:f1:3d:d3:9f:e0:88:fd:f5:4e:e0:08:ae:38:e1

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA

        Validity

            Not Before: Dec  8 00:00:00 2011 GMT

            Not After : Dec  7 23:59:59 2012 GMT

        Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Xuri Weiye Technology Co., Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, CN=Shenzhen Xuri Weiye Technology Co., Ltd.

 

The certificate for 7de5485b7dd154a9bbd85e7d5fcdbdec appears to be modified manually and is invalid.

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            02:fe:4b:0a:55:23:56:65

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=CN, ST=Beijing, L=Beijing, O=CA365, CN=CA365 Free Root Certificate

        Validity

            Not Before: Oct 23 10:47:29 2010 GMT

            Not After : Oct 23 10:47:29 2011 GMT

        Subject: C=CN, ST=shanghai, L=shanghai, O=International Test User, OU=Market, CN=International Test User

 

 Hashes of Analyzed Samples:

References:

[2] http://baike.baidu.com/view/25407.htm

[3] http://en.verysource.com/classicgraypigeoncon-191546.html

[4] http://www.symantec.com/connect/blogs/elderwood-project

[5] http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2012-0158-now-being-used-in-more-tibetan-themed-targeted-attack-campaigns/

[6] http://labs.alienvault.com/labs/index.php/2012/cve-2012-0158-tibet-targeted-attacks-and-so-on/

I would like to thank Darien Kindlund for his assistance in research.