Posted
In the context of the counter improvised explosive device (IED) mission, “left of boom” is what the Washington Post’s Rick Atkinson eluded to when he referenced the moment prior to when an IED explosive is detonated.
For anyone who is familiar with the Lockheed Martin Kill Chain model, or has seen the authors present it; their concept of getting “left of boom” easily translates from the flesh and bone, kinetic world to the virtual one.
Unfortunately for some enterprise security teams, the theory behind proactive cyber security only goes as far as a notion, and is never executed in reality. The good news is that with a disciplined approach, the right processes and automation, many organizations are maturing their processes to enable their enterprise to shift from a reactive model into a proactive one. This allows for threat intelligence to be actioned in a manner that facilitates timely situational awareness, rich context, automated analytics, and a community of shared expertise.
On February 5, 2014, our friends at Kaspersky Lab’s Securelist blog reported details of an Adobe Flash 0-day vulnerability, CVE-2014-0497, being exploited in the wild. As our ThreatConnect Research Team reviewed the report, we ran the blog through the ThreatConnect Analysis feature and something immediately jumped out at us; two of the three malware command and control (C2) domains mentioned as being associated in the report had already been discovered, analyzed, and shared within our ThreatConnect Subscriber Community as part of a previous Incident “20130914A: Tapaoux APT Activity” on October 18, 2013, nearly 4 months prior to the Securelist post.
This means that our ThreatConnect Subscriber Community customers would have had the ability to pre-position mitigation scenarios around this specific adversary infrastructure all the while increasing the attack, sensing and warning around indicators used within this Flash 0-day, months in advance. They would not only have had the host indicators to provide detection and mitigation, but also additional context, related domains, MD5 file indicators, and respective YARA signatures, for detecting the APT implant type.
While one could argue ThreatConnect Research was not able to identify every associated indicator or the exploits, it is worth pointing out that knowledge of the final stage C2 infrastructure would have been an adequate “safety net” to mitigate the threat regardless of which exploit(s), (zeroday or otherwise) were being operationalized. Having foresight of every exploit in an attacker’s arsenal is extremely challenging, if not impossible. When seconds and minutes matter, having a four-month head start with an understanding of adversary infrastructure is a massive amount of time, especially for today’s complex global enterprises. Additionally, organizations leveraging integrated automation with the ThreatConnect API would have had the ability to consume data directly into their security stack (such as IDS & IPS solutions), instrumenting their netDefense processes to act on the shared information in real time.
Rewind to Summer 2013:
ThreatConnect Research began tracking this threat in the summer of 2013, and by September 2013 ThreatConnect Research had observed a series of sustained, targeted APT activity that did not appear to be formally developed across the greater security industry. So, we began to organize our knowledge and enrich it through retrospective analysis, comparison of malware implants, and antivirus detections.
We understood that this activity was a recent extension of an APT threat previously known as “Tapaoux”. This threat was highlighted most clearly in a Contagio Dump post from April 2010, which maintained “Nuclear” themed spearphishes that employed the “Tapaoux” implant. Notable aspects of this implant allowed us to connect it to the CVE-2014-0497 attackers and include the use of encoded JPEG file callbacks, infrastructure hosted in Malaysia, and a consistent “Nuclear” theme within decoy documents among other topics.
Fast-forward to September 12, 2013:
Armed with a baseline of knowledge, on September 12, 2013, ThreatConnect Research found a malicious implant binary that was being hosted from a dynamic DNS URL at http[:]//rank.strangled[.]net/player/viewer.exe (See https://www.virustotal.com/en/ip-address/64.32.28.81/information/ for details). Judging from the type of implant and historic Tools, Techniques, and Procedures (TTPs) used by the threat actor, the URL was likely used to download the payload of a CVE-2012-0158 document exploit that had been spearphished to the intended victim. In this case, the payload MD5: A47F8311D623D585116D1271AF509265 contacts the C2 domains www.mobilitysvc[.]com (which is associated with http://www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability) and www.sqlengine[.]net.
The www.mobilitysvc[.]com callback requests within the URL /jpg/read.php?id=user&file=default.jpg, is a unique indicator specific to this threat. It is also worth noting that this malware implant had been digitally signed with a certificate publisher of “secure.hotelreykjavik[.]is”, an Icelandic hotel and resort, and uses the internal program name of “Explorer System Checker”.
These two executable file attributes are common for malware binaries tied to this threat actor. Analysis of second stage malware that was downloaded and decoded from www.mobilitysvc[.]com led us to the malware mutex artifact “Network_Connection_n”, an example can be found within a ThreatExpert report dated September 2, 2013. The malware implant in this report connects to the C2 domain javaupdate.flashserv[.]net, the second C2 associated with http://www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability.
ThreatConnect Research bundled these indicators along with additional associated threat implants, such as MD5:246292E0FA8D6F90128D4E9FB89FD164, into a single incident“20130914A: Tapaoux APT Activity”, which was then shared with our exclusive Subscriber Community.
Conclusion:
So what does all this mean and why does it matter to those enterprise net defense teams out there who are considering using ThreatConnect as part of their threat intelligence and enterprise security repertoire?
It means getting “left of boom” with an impressive four-month head start of threat indicators that would be used within a zero day attack. It means obtaining the kind of warning that Enterprise CISOs and netdefense personnel only dream of being able to have on their side. This is what ThreatConnect delivers on a daily basis to help make that dream a reality.
We highlight this example to demonstrate that ThreatConnect Research’s intelligence collection and research efforts, on behalf of our Subscriber customers, provides value and that memorializing threat data, contextualizing it through automated analysis and providing it to a larger community for broader consumption and enrichment; gives victim enterprises an unparalleled defensive advantages.
Individually we cannot know all things, so we must play to the strength of a community larger than ourselves – we are stronger together than we are apart. Today’s enterprises need to do more with less, and move faster than their adversaries. With ThreatConnect as your trusted partner, your valuable time is saved and you can proactively make smarter decisions about your network defenses and processes.