Have you ever taken the time to consider how you and your colleagues view cyber security? Does your security team share common viewpoints, or are there unique philosophical differences? Do you all follow the same processes or do you each have your own unique way of doing things? It is these individual perspectives and experiences that we all gather over time that can influence a larger organizational security culture either positively or negatively. In some cases, the topic of security elicits various emotional responses, wherein security becomes more of an emotion, and less of a state of being.
Consider your drive to work this morning; you took steps to do things that made you feel more secure while avoiding things that made you feel vulnerable. In the book Decisive, authors Chip and Dan Heath do an excellent job explaining the “Four Villains of Decision Making”: Narrow Framing, Confirmation Bias, Short-term Emotion and Overconfidence; and highlighting how these “villains” influence our individual decision-making processes. When the “Four Villains” define the rules of your organizational security culture, executing against a security strategy becomes futile. Options go out the window, increasing the likelihood of knee-jerk over-reactions or “passive” status quo responses to various security events.
- Narrow Framing: Narrow Framing limits our choices to a few options. This restriction on our ability to consider alternatives is often self-imposed: a choice framed as a “this OR that” decision may in fact allow a “this AND that” decision.
- Confirmation Bias: Confirmation Bias focuses on only the data points that support a particular belief while ignoring empirical evidence that casts doubt or otherwise disproves an alternate hypothesis.
- Short-term Emotion: Decision making while under the influence of emotion clouds the ability to think about the long term. Rational thought needs objective reasoning without partiality; emotions bind our decisions to individual preferences and beliefs.
- Overconfidence: Overconfidence artificially limits your options because you are boxed into a rigid belief and decision-making mindset instead of keeping an open, receptive attitude that may lead you to consider other alternative choices.
We’re proud to work side-by-side with many organizations who fight the “Four Villains” on a daily basis and make immediate and impactful decisions that make their work easier, more affordable and their security culture more open.
Executive Summary:
In the following case study, we will highlight an example of how Thermo Fisher Scientific (formerly Life Technologies) has effectively removed the “Four Villains” from impacting their long-term organizational security strategy. By integrating ThreatConnect into their corporate threat intelligence and information security processes, Thermo Fisher Scientific adopted processes to memorialize and iteratively monitor security threats of interest to them. They also took a proactive lead within their industry and pioneered a private ThreatConnect information sharing Community dedicated to vetted members of the Medical and Health Industry.
Thermo Fisher Scientific adopted ThreatConnect within their enterprise network defense processes to better aggregate, analyze and act on security threats relevant to them or their industry. In working collaboratively with the ThreatConnect Research Team, Thermo Fisher Scientific was able to obtain dynamic enrichments and additional context for their pre-existing knowledge around a given threat (Spindest). As they increased their understanding of this threat, they were also able to save time and analytic resources, allowing them to quickly pre-position mitigations and proactively protect the enterprise against future attacks from this threat.
We believe it is time that we offer the same opportunity to the entire Biomedical & Life Sciences Industry. Together we are stronger than we are apart. By expanding the number of participants in our private Medical and Health industry Community, we are providing a private information sharing community exclusively for vetted health, medical and science industry leaders such as Thermo Fisher Scientific. As ThreatConnect users, these members have taken a proactive threat intelligence approach and been able to fast-track their decision-making process. Now, let’s get to the meat of how Thermo Fisher Scientific was able to quickly identify and mitigate the risks posed by a specific threat. We’ll also delve into the continued benefit they receive by leading and participating within their private industry group and the ongoing support that group receives from ThreatConnect Research.
Background:
Since August 2013, ThreatConnect Research has been tracking a Chinese Advanced Persistent Threat (APT) group that has been observed with a heavy, industry-specific targeting emphasis on the biomedical and life sciences industries. This threat has been identified using a malware implant specifically known as “Spindest” or “Backdoor.Apocalipto”. This threat appears to have been in use for some time, and has been primarily observed being delivered from URLs on compromised intermediary websites along with other possible initial infection vectors such as spearphishing operations. The implant generally uses dynamic command and control (C2) infrastructure, and is likely also tied to the Chinese APT sub-group known as “Nitro”, the very same group that deployed the CVE-2012-4681 Java zero day exploit in August of 2012.
Initial Discovery:
In mid August 2013, Thermo Fisher Scientific leveraged ThreatConnect to share details of a targeted spearphish that was directed against their organization. The entities targeted were key employees responsible for developing costly cutting edge medical research. The email message was written in broken English, and was crafted to appear as if it came from an internal IT Helpdesk. The email contained instructions to download what appeared to be an update to a Cisco VPN Client from an intranet resource. This email immediately raised red flags with the Thermo Fisher Scientific users who were targeted, and the message was quickly quarantined by the security team, then analyzed jointly by both Thermo Fisher Scientific personnel and ThreatConnect Research. Upon review, the spearphishing message was identified as containing a link to an executable file from the URL [http]://76.2.125[.]239/update/vpnclient-win-msi-5.0.07.0410-k9.exe. This file (MD5: DBCC94B6A30DCC9BBFF43D76FF594703) is a malicious backdoor dropper variant known by its antivirus detection as “Spindest,” and dropped a second stage file MD5: 7517A0250F5F32123CE2398FAAB22513 to %TEMP%\Mcafee_INFO\smss.exe. The second stage smss.exe then contacts the C2 server protal.inc[.]gs, performing HTTP GET requests for pseudorandom text files that follow the pattern [SixNumbers]n.txt. Examples of this callback include /150078n.txt, /167125n.txt, etc. The malware also does POST requests for Active Server Pages (.asp) files with five or six numbers in the name, such as /80562.asp and /114234.asp. At the time of analysis, the C2 domain protal.inc[.]gs overlapped with other infrastructure that was also confirmed to be used by this malware type. This bi-directional collaboration and dynamic enrichment allowed Thermo Fisher Scientific to quickly preposition mitigations around the secondary adversary infrastructure that had been staged but not yet operationalized against them.
Most of these overlapping C2 domains, such as eb.shop[.]tm, it.listen-it[.]com, and sun.shell[.]la, have been confirmed through open source analysis reports to be C2 domains for the same implant type, which connects to this overlapping C2 node.
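The callback shape described above (GET /[SixNumbers]n.txt, POST /[five or six numbers].asp) and the overlapping C2 domains lend themselves to a simple proxy-log check. The following is an added illustration, not ThreatConnect's or Thermo Fisher Scientific's tooling: it runs that check over a few constructed log lines in an assumed "client method url status" format, flags requests by either the domain watchlist or the path pattern, and then looks for clients that repeatedly beacon to one host.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): "client method url status"
SAMPLE_LOG = """\
10.1.4.22 GET http://protal.inc.gs/150078n.txt 200
10.1.4.22 POST http://protal.inc.gs/80562.asp 200
10.1.4.22 GET http://protal.inc.gs/167125n.txt 200
10.1.4.22 POST http://protal.inc.gs/114234.asp 200
10.1.9.7 GET http://intranet.example.test/update/notes.txt 200
10.1.9.7 POST http://crm.example.test/login.asp 302
10.1.9.7 GET http://it.listen-it.com/ 404
"""

# C2 domains named in the post, with the defanging brackets removed for matching.
KNOWN_C2 = {"protal.inc.gs", "eb.shop.tm", "it.listen-it.com", "sun.shell.la"}
# Request shapes the post describes: GET /[six digits]n.txt, POST /[five or six digits].asp
BEACON_PATHS = {"GET": re.compile(r"^/\d{6}n\.txt$"), "POST": re.compile(r"^/\d{5,6}\.asp$")}

def classify(method, url):
    """Return the reasons a single request looks like a Spindest beacon (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if (parts.hostname or "") in KNOWN_C2:
        reasons.append("known-c2-domain")
    pattern = BEACON_PATHS.get(method)
    if pattern and pattern.match(parts.path):
        reasons.append("beacon-path")
    return reasons

def scan_log(text):
    """Return (client, host, reasons) for each suspicious line in a proxy log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash on them
        client, method, url = fields[:3]
        reasons = classify(method, url)
        if reasons:
            hits.append((client, urlsplit(url).hostname, reasons))
    return hits

def beaconing_clients(text, min_hits=3):
    """Clients that made at least min_hits beacon-shaped requests to the same host."""
    counts = Counter((c, h) for c, h, r in scan_log(text) if "beacon-path" in r)
    return {pair: n for pair, n in counts.items() if n >= min_hits}
```

The path pattern fires on hosts that are not on the watchlist, which is the point: the domains rotate, the request shape is what persisted across the samples in this post.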
Ongoing Activity:
AUGUST 2013 – NOVEMBER 2013
This malware threat type has been observed in ongoing activity since mid-August 2013. On October 22, 2013, the executable file MD5: 96968A4D1CC9B00AE85108773312468A was submitted to VirusTotal. This binary has a 2013-10-09 compile date, which is notable following the August activity. This malware matches the implant type from August, and connects to the attacker-registered command and control domain www.easyoce[.]com, which shares the IP address 122.10.6[.]26 (Hong Kong) with the possibly malicious domain www.moonorz[.]com. The easyoce[.]com C2 domain was registered by the Chinese email address registrant jyhjhdfgd[@]163[.]com. More recently, on November 7, 2013, ThreatConnect Research retrieved a file MD5: CD3B31CFB13B405A4C28A2F44CAF4ECE which is very similar to the dropper MD5: DBCC94B6A30DCC9BBFF43D76FF594703 observed in the August 2013 attempt against Thermo Fisher Scientific. This new binary dropped the implant smss.exe with MD5: C0D57380CC17E2AA39807F9FC96BF001, which calls out to the domain nexfin.undo[.]it. The term “nexfin” within the C2 domain name is significant, as this likely refers to a specific brand name cardiac monitoring device. Considering the August 2013 targeting of a specific biomedical and life sciences industry member, as well as the keyword “nexfin” in the C2 naming convention as a likely campaign identifier, it is most likely that this threat has been tasked with offensively conducting cyber espionage and is actively targeting valuable intellectual property regarding medical technologies and biomedical breakthroughs.
As of the November 2013 activity, this threat consists of the malicious file MD5: 78CA2FDA87C52C4EA722B211BFEFA23A, which has a 2013-10-09 compile date and connects to the dynamic C2 domain protal.ftp[.]sh, which resolves to an IP address hosted with Nobis Technologies at 23.80.182[.]176 (Los Angeles, CA).
DECEMBER 2013 – JANUARY 2014
In late December 2013, ThreatConnect Research observed new Spindest APT activity that was using malware and command and control (C2) infrastructure themed as software clients for Cisco and Citrix enterprise network management solutions. This activity also extended into the 2014 new year and is likely still being operationalized by the threat actors.
On December 18, a ZIP file called CitrixReceiverWeb.zip (MD5: 6B1D5C5AEAEA5EBDDBA08DE048ED4EDE) was submitted to VirusTotal. The ZIP contained a Spindest dropper implant of the same name, MD5: D1E949AE098A2BFA8B933076C26BD95F, which then dropped a second stage backdoor MD5: 94C3CBC237461C2585EAB172C6023444. The backdoor connects to citrix.zapto[.]org, which overlaps with the likely related dynamic domain cisco.servepics[.]com. Also, it is worth noting that for a short moment on January 15, 2014, the citrix.zapto[.]org domain was pointing to the well-known malicious APT C2 IP address of 223.25.233[.]248 (Singapore).
This malicious node has been used in various Poison Ivy and Spindest APT campaigns, and is likely associated with the “Nitro” threat actor (see http://blog.trendmicro.com/trendlabs-security-intelligence/the-nitro-campaign-and-java-zero-day/). On December 19, a similar implant cisco_vpn_client_update.exe (MD5: 2312F48EAE8AD916C8E23ABE0DDD0E5E) was sent to VirusTotal. This particular implant variation drops the second stage backdoor MD5: 715EB98B71D918BD30AACC7768F8C4E6 to C:\Documents and Settings\<USER>\Local Settings\Application Data\Cisco VPN\vpn.exe. This backdoor then connects to the likely compromised legitimate host security.smv[.]hk, which appears to be a website associated with a technology company called Smartvote Limited (SMV), a manufacturer of interactive smart board technology and related components. A VirusTotal Community user @sandreas noticed MD5: 715EB98B71D918BD30AACC7768F8C4E6 and commented that it was likely related to Nitro, further enhancing the confidence of ThreatConnect Research’s original attribution assessment.
On the second day of the New Year 2014, another implant (MD5: 91028A35265BF91D7B47D0901713C994) was submitted to VT. This implant dropped MD5: E1C7D1FB37168237725CE818B36F6C29 to the path C:\Documents and Settings\<USER>\Local Settings\Application Data\Cisco VPN\obj.exe and connected to citrix.neon[.]org.
Conclusion:
ThreatConnect offers its users more than the ability to collaborate within communities or with ThreatConnect Research. The real story lies in implementing mature cooperative threat intelligence practices supported by a mature platform and processes that allow organizations to first privately aggregate, analyze and act on their Threat Intelligence. Forward leaning organizations such as Thermo Fisher Scientific and other leaders within the medical and health industry understand that to act, they need to make decisions, and to make decisions, they need all of the information available. This is why they manage and enrich knowledge of threat activity within ThreatConnect. Organizations of all shapes and sizes often have challenges when it comes to making decisions and acting quickly. Beware, the “Four Villains” are lurking; they will rear their ugly heads and stall progress. However, with a comprehensive and progressive security culture that seeks a mature threat intelligence platform with mature processes, organizations can increase efficiencies, adopt community as a modern security control, and act on information in real time. Heavy-handed arguments laden with risk-aversion to information sharing can be minimized by exploiting the opportunity to gather all of the facts through collaboration and community before taking action. Aggregating and analyzing data in ThreatConnect makes the “Action” process faster and more streamlined, enabling those organizations to defend against common threats and save their organization time and treasure at the end of the day. It’s time to take the advantage, change our security culture and learn what it takes to enable one another to be effective against common threats. The medical and life sciences community has already stepped up. What about you?
- Are you a member of the Medical and Health industry?
- We want you to join, register and ask about your industry community. Contact us at sales@threatconnect.com to learn more about getting involved.
The indicators and context within this blog, as well as detection signatures and additional information, have already been shared within ThreatConnect Communities as the following incidents:
- Cisco VPN Update PHISH
- 20131022C: Spindest APT Activity
- 20131107A: Nexfin Spindest APT Malware
- 20131111A: Protal Spindest APT Malware
- 20131218A: CitrixReceiverWeb Spindest APT
- 20131219A: Cisco VPN Client Update Spindest APT
ThreatConnect Research will continue to monitor this threat activity and provide updates to ThreatConnect Communities.