application usage and threat report · palo alto networks | application usage and threat report 2...

Palo Alto Networks | Application Usage and Threat Report 1

APPLICATION USAGE AND THREAT REPORT

Research by Unit 42

https://www.paloaltonetworks.com/threat-research.html


The impact of data breaches is ever increasing, and more of our private data than ever is being stolen. As security professionals, defending our organizations can often times seem like a monumental, almost impossible task. Yet, there has never been as much focus, data, or development available to the security industry as there is today. It is only the small proportion of truly advanced adversaries that have proven to be resourceful, developing new tactics, techniques, and procedures as seen fit; whereas, the majority of adversaries reuse old tactics, techniques, and procedures, simply because they are effective and require little to no effort in execution. Even within the most sophisticated groups, commonalities exist within the attack lifecycle, which can be used to identify and stop them.

With this knowledge, we, as security professionals, must turn the tables on the adversaries and make it increasingly difficult and cost inefficient to launch an attack. The first step to this type of proactive defense is the sharing of tactics, techniques, and procedures, as well as threat intelligence in an open and free manner throughout the entire security community, including this report. The more we know about our adversaries, the harder it will be for them to successfully execute an attack, which allows us to proactively defend our organizations in a targeted manner, versus the traditional “find the needle in the haystack” model of reactive defense.

In this year’s Application Usage and Threat Report, Unit 42, the Palo Alto Networks® threat intelligence team, examines key trends across the threat landscape and application usage, including topics on how organizations can educate users and utilize controls to effectively reduce the attack surface available to an adversary, the potential effects of non-standard network activity, the reuse of legacy attack tactics, and the benefits of open threat intelligence sharing.

Overview

https://www.paloaltonetworks.com/threat-research.html


Key Findings

Adversary dossiers for major threat actor groups The tactics, techniques and procedures (TTPs) used by three major threat actor groups, including their targets, motivations and methods, which can be used to better protect your organization.

Remote access application usage is rampant across all industries and regions79 unique remote access applications were found to be in use across all regions and industries.

SaaS-based application usage has continued to grow year over yearThe number of SaaS-based applications discovered on customer networks has grown about 15 percent every year, from 218 applications to 306 applications.

Nearly half of all portable executables analyzed by WildFire were found to be malicious

Over 40% of all email activity examined via WildFire containing a file attachment was found to be malicious in nature

Macro-based malware has seen a resurgence and is among the most popular type of malware being distributed to usersThe two most numerous examples are Dyre and Dridex: 10.2 percent of all sessions marked with malicious activity in WildFire was related to Dyre and Dridex.

Current world events are being weaponized rapidly and used to piggyback attacksThe average time to weaponization was 6 hours from the initial reporting of a world event; some events taking as little as 3 hours to weaponization.

p4

p4

p6

p8

p10

p11

p14

p16


Adversary Dossiers

Known AliasesAnunuk

OriginRussia and Ukraine nexus

MotivationFinancial gainSome evidence of cyber espionage

SummaryResponsible for the theft of hundreds of millions of dollars from various financial institutions beginning in late 2013

Used a number of techniques such as group transfers or withdrawls from compromised systems

CARBANAK

A critical element of understand your organization’s risk posture is gaining intelligence on the adversary groups that may attempt to breach your network. The concept of attribution has been a hotly debated topic across the security industry, with some research organizations attempting to pinpoint the geographic location of the group, or reveal the names of the individuals launching the attacks. We believe in a different kind of attribution, that focuses on the Tools, Tactics, and Procedures (TTPs) employed by the adversaries, which is a more actionable set of intelligence. Once you understand Indicators of Compromise (IOCs), such as command and control infrastructure, malware deployed, or methods of initial compromise, you can build preventative controls to stop them at every point in the attack lifecycle.

Gaining context around the adversary will also allow teams to prioritize their response efforts. For instance, organizations in government sectors will be more concerned by cyber espionage activity, versus a financial services organization, who would be more interested in cyber crime targeting financial gain. Below, we have gathered a set of profiles on three major threat actor groups, which security teams can use to understand if they could be targeted by the groups, and how to reduce their risk of being successfully breached.

Targeted Regions/IndustriesInitial targeted region was Russia

In early 2014 attacks against United States and rest of Europe was observed

Attacks against China region have also been observed

Primarily targeted money processing services, ATMs, and financial accounts

Tactics and Tools DeployedUtilizes the malware family known as Carbanak

Commonly delivered via spear-phishing email containing a malicious Office document or control panel (CPL) file

Malware provides backdoor remote access and data exfiltration features

Once a patient zero system has been compromised, additional reconnaissance is performed to identify ATMs, financial accounts, or other areas where money can be transferred


Known AliasesQuedagh

OriginRussia nexus

Motivation Cyber espionage

SummaryCyber espionage group attributed to Russian nexus

First disclosed publically in October 2014

Known attacks began December 2013 and continued into 2014

Attributed to using the BlackEnergy Trojan to execute espionage activity against industrial control system (ICS) environments

SANDWORM

SHELLCREW

Targeted Regions/IndustriesEurope regionTelecommunicationsEnergyGovernmentU.S.-based education institutionsICS environments

Tactics and Tools DeployedUtilizes two variants of the BlackEnergy Trojan

Has utilized a zero-day vulnerability (CVE-2014-4114) in the past for malware delivery

Also uses spear-phishing attacks

Developed custom plugin modules for BlackEnergy Trojan which allows for remote access, network traversal, keylogging, credential harvesting, network capturing, and screen capturing

Known AliasesShell CrewDeep PandaAxiomGroup 72

OriginChina nexus

MotivationEspionage

SummaryA technically sophisticated and likely well-funded, state-sponsored APT group

Have used multiple zero days and can move very quickly once inside a network.

Known to layer different malware throughout a network to maintain persistence, as well as harvest and use legitimate network and remote access credentials.

Targeted Regions/IndustriesHealthcareGovernmentManufacturingDefenseAerospaceIndustrialPro-democracy NGOEnergyTelecommunications Academic institutions

Tactics and Tools DeployedUtilizes doppelganger command and control domains to dupe users and obfuscate activity

Heavy usage of spear-phishing and watering hole attacks to deliver malware or harvest credentials

Have been known to user zero day vulnerabilities

Has also been known to use legitimate network administration tools with legitimate compromised credentials

−Malware families known to be used −Poison Ivy −Gh0st −Derusbi −Scanbox

JournalistsThink-tanksMediaSpecific companies affectedPremera Blue CrossAnthem

−OPM −Bit9 −RSA

−Sakula −Zxshell −Zox family −PlugX


Remote Access Application Usage

6

Microsoft Remote Desktop

teamviewer

telnet

Citrix

VNC

Fastviewer

gotomypc

pcanywhere

LOGMEIN

other (cited)

other

APAC

EMEA

AMER

Japan

Banking

Education K-12

Higher Education

Energy

Financial

Federal Gov

State & Local Gov

Healthcare

High Tech

Hospitality & Leisure

Insurance

Manufacturing

Media & Entertainment

Non-profit

Pharmaceuticcals

Professional Services & Legal

Retail

Service Providers

Transportation & Logistics

65 14 12 3 6

26 24 6 28 6 28

44 14 5 12 16 9

18 29 15 4 14 5 9 6

13 65 18 4

63 10 6 4 4 8 5

75 7 3 9 6

18 47 4 19 3 9

31 18 14 24 3 2 8

12 38 423 14

21 11 2 11 48 25

12 24 9 6 237 4 6

43 11 4 17 2 13 2 8

14 44 6 30 6

23 11 58 3 5

44 19 9 13 11 4

43 22 5 12 7 3 8

72 165 5 2

24 11 9 48 3 5

11 20 32 922 6

17 1144 11 6 3 3 5

34 24 33 6 3

28 22 386 6

RSH

Remoteview

Splashtop

Supremo

Ammyy

VMware

RSH Synergy

Remoteview PCOIP

Netviewer

Ammyy

Bomgar GotomyPC

RSH

Vertical trends (each bar represents 100%)


teamviewer

telnet

Citrix

VNC

Fastviewer

gotomypc

pcanywhere

LOGMEIN

other (cited)

other

APAC

EMEA

AMER

Japan

Banking

Education K-12

Higher Education

Energy

Financial

Federal Gov

State & Local Gov

Healthcare

High Tech


Insurance

Manufacturing


Non-profit

Pharmaceuticcals


Retail

Service Providers


65 14 12 3 6

26 24 6 28 6 28

44 14 5 12 16 9

18 29 15 4 14 5 9 6

13 65 18 4

63 10 6 4 4 8 5

75 7 3 9 6

18 47 4 19 3 9

31 18 14 24 3 2 8

12 38 423 14

21 11 2 11 48 25

12 24 9 6 237 4 6

43 11 4 17 2 13 2 8

14 44 6 30 6

23 11 58 3 5

44 19 9 13 11 4

43 22 5 12 7 3 8

72 165 5 2

24 11 9 48 3 5

11 20 32 922 6

17 1144 11 6 3 3 5

34 24 33 6 3

28 22 386 6

RSH

Remoteview

Splashtop

Supremo

Ammyy

VMware

RSH Synergy

Remoteview PCOIP

Netviewer

Ammyy

Bomgar GotomyPC

RSH

Geographic trends (each bar represents 100%)


teamviewer

telnet

Citrix

VNC

Fastviewer

gotomypc

pcanywhere

LOGMEIN

other (cited)

other

APAC

EMEA

AMER

Japan

Banking

Education K-12

Higher Education

Energy

Financial

Federal Gov

State & Local Gov

Healthcare

High Tech


Insurance

Manufacturing


Non-profit

Pharmaceuticcals


Retail

Service Providers


65 14 12 3 6

26 24 6 28 6 28

44 14 5 12 16 9

18 29 15 4 14 5 9 6

13 65 18 4

63 10 6 4 4 8 5

75 7 3 9 6

18 47 4 19 3 9

31 18 14 24 3 2 8

12 38 423 14

21 11 2 11 48 25

12 24 9 6 237 4 6

43 11 4 17 2 13 2 8

14 44 6 30 6

23 11 58 3 5

44 19 9 13 11 4

43 22 5 12 7 3 8

72 165 5 2

24 11 9 48 3 5

11 20 32 922 6

17 1144 11 6 3 3 5

34 24 33 6 3

28 22 386 6

RSH

Remoteview

Splashtop

Supremo

Ammyy

VMware

RSH Synergy

Remoteview PCOIP

Netviewer

Ammyy

Bomgar GotomyPC

RSH

Remote access tools date back to the origins of networked computing, when processing power was contained in centrally located, room sized computers and dumb terminals were used to remotely access them. It was simply more efficient to allow users to access their data and the computational resources remotely from their own terminals in a concurrent manner rather than have each individual user walk up to the mainframe and interact with it, one by one. These very first instances of remote access tools all assumed a high level of trust because for the most part, the dumb terminals only had access to the mainframe and vice versa, using physical isolation from other networks. As networked computing grew however, along with the advent of the Internet where now all systems were somehow connected, the high level of trust could not be assumed; yet, these types of applications still exist and are actively used where the high level of trust is still assumed.

Our research found seventy-nine unique remote access applications to be in use globally across over 6,600 organizations. Several organizations, largely in higher education, were found to have over forty unique remote access applications on their networks alone. Over 4,400 organizations were found to have five or more different remote access applications running on their networks. Globally and across all industries, remote access application usage consisted of 48% Microsoft Remote Desktop, 16% Teamviewer, 11% Citrix, 9% VNC, 8% telnet, and 8% all other applications.

Each region had a diverse distribution of remote access applications, from the number of applications used to their volume of usage.

Applications


AmmyIn recent years, the legitimate remote access application known as Ammyy® has commonly been leveraged by adversaries in ‘vishing’ or voice phishing attacks1, 2, 3. These attacks have been largely targeted at English-speaking countries and have been fairly successful in duping users into installing the remote access application and giving the adversary access to their systems.

The attack generally starts with a user receiving a phone call from a person purporting to be from Microsoft, Dell, or even their own organization’s IT department. The adversary may then claim that the user’s system has been discovered to be infected by some form of advanced malware and the user must now install a specific application (Ammyy) to

7

remove it. The adversary then directs the user to either the official Ammyy website to download the server software or to another website that hosts the server software. The adversary then asks the user for the code that the Ammyy software generates, giving them complete access to the user’s system. At this point the adversary may claim the malware infection has been fixed or may begin to load actual malware onto the now remotely controlled system to hold the user at ransom or perform other nefarious activities. The industries with the most number of sessions captured for Ammyy usage were Federal Government, Manufacturing, and Energy.

What does this mean?With such a variety of remote access application usage across enterprise networks, it is no wonder that these applications are oftentimes being leveraged and exploited for malicious activity by threat actors. Telnet and rsh, due to the era of their creation, were not established for password authentication or encryption and thus pass all of their activity in cleartext. This is a major vulnerability and could potentially be exploited with ease by an adversary. Microsoft Remote Desktop and Citrix have their own set of security vulnerabilities, and using client-less or cloud-based remote access applications also carry their own specific risks on how they are even secured in the first place. The biggest issue of using remote access applications, however, is that once an attacker has gained access, they now have effective control over the host with the remote access application server running on it, without having to compromise the affected host or attacking it using any other exploits.

Risks are additionally increased as more end users are given privileges to digital resources and begin installing unauthorized remote access applications. For a user, this makes sense – remote access applications to their workstation, for example, allows them to continue to do work when they are remote or at home. With this type of usage, however, due to bypassing the organization’s IT department and security teams, the application is often deployed in an insecure manner and not using best practices, which leads to using default passwords or at times bypassing any security controls that may have been in place by the organization.

Remote access application usage is widespread, regardless of region or industry. With the ever-increasing usage of virtual systems, the cloud, and the Internet of Things, remote access application usage will, in turn, continue to increase. Restricting usage of remote access applications is unfeasible and inefficient, but implementing proper usage policies and controlling the deployment of these applications is feasible and must be practiced by all organizations.

1 http://resources.infosecinstitute.com/phishing-techniques-similarities-differences-and-trends-part-iii-vishing/2 http://www.networkworld.com/article/2605887/microsoft-subnet/zero-day-opens-the-way-to-hack-back-against-fake-microsoft-tech-support-scammers.html3 http://www.ammyy.com/en/admin_mu.html


SaaS-based Application TrendsOrganizations are adopting SaaS-based application services at a breakneck pace. These applications continue to redefine the network perimeter, providing critical functionality and efficiency, while at the same time introducing potential new security and data risks if not properly controlled. Often, individual or departments will begin using un-sanctioned SaaS services, creating a “shadow IT” environment, further complicating the visibility into day-to-day user activity and the security of sensitive data.

Between 2012 and 2015, we found a 15% increase in usage of SaaS applications on customer networks, highlighting the continued importance of assessing the security and data risks these services introduce.

Looking deeper into the category of applications that comprise the 316 dataset, we found that overwhelming these applications fell into two categories: email (38%) and file storage (40.7%). These figures are concerning, due to the fact that a large portion of this activity is likely non-sanctioned usage of unknown or uncontrolled applications. In most enterprises that do SaaS applications, users are provided access to a specific list of services the enterprise

has deemed acceptable or suitable for business purposes. Given the large percentage of usage and the high number of unique SaaS applications observed, it can be concluded that users are likely not following these types of usage policies, and are instead engaging in rampant usage of non-sanctioned SaaS applications. This further increases the risk of data leakage to enterprises, due to the lack of visibility from regular logs or notifications from the unauthorized SaaS storage providers, as well as additional risk of the intermeshing of users’ personal email and work emails, which may cause situations where a user may be attacked on their personal emails and the adversary then pivots to the work email account.

2012 - 2013

218 259

2013 - 2014

316

2014 - 2015

Unique Saas Applications In Use


What does this mean?The constant battle between security professionals and end users has been the level of usability that a user needs, and to what extent we are willing to sacrifice security for it. SaaS services shine the light on this issue further, in large part because at this point in most users’ Internet career, the use of SaaS is a normal, everyday occurrence. The use of Gmail to check their email, Dropbox to upload some files, or iCloud to synchronize their pictures is a part of their everyday workflow. Deploying policies to completely prevent this type of behavior can be impractical, given the widespread, and often business-relevant usage of these applications. Ideally,

dropbox

outlook-web-online

gmail-base

google-docs-base

skydrive-base

crashplan

yunpan

boxnet-base

signiant-base

icloud-base

webex-base

office-on-demand

google-drive-web

sharepoint-online

naver-mail

barracuda-backup

mozy

vidyo

naver-ndrive

ms-lync-online

wetransfer

yahoo-mail

carbonite

qq-mail

4shared

21.33%

16.09%

12.01%

7.65%

5.69%

3.97%

3.52%

2.34%

2.12%

1.91%

1.91%

1.56%

1.17%

1.11%

1.11%

0.98%

0.96%

0.93%

0.83%

0.75%

0.68%

0.58%

0.58%

0.55%

0.54%

17.42%

17.17%

16.28%

13.86%

3.22%

2.35%

2.33%

2.22%

1.93%

1.79%

1.55%

1.34%

1.33%

1.16%

1.07%

1.03%

0.94%

0.92%

0.86%

0.83%

0.62%

0.61%

0.51%

0.47%

0.46%

qq-mail

4shared

outlook-web-online

icloud-base

dropbox

gmail-base

skydrive-base

yunpan

google-docs-base

naver-line

computrace

yahoo-mail

webex-base

qq-mail

ms-office365-base

google-drive-web

ms-lync-online

yammer

icloud-mail

prezi

sharepoint-online

boxnet-base

netop-on-demand

netease-mail

aim-mail

daum-mail

viber-baseviber-base

BY BANDWIDTH BY SESSION

Usage of Top 25 SaaS-based applications

organizations have a multi-pronged approach that does not blindly restrict usage, but ensures that only authorized SaaS applications are in use, layered with the visibility and security controls required to ensure the sanctity of organizations’ security posture and data. Lastly, regular user education about SaaS services in general, and why it may be a risk to the enterprise, should be regularly performed. Asking security professionals to secure SaaS applications is oftentimes a challenging task for both the requester and the implementer, but it is something that will be required even more so as industries move more and more toward these applications and services.


Unknown Threat Data and Analysis

SMTP 78.291%

Webbrowsing 18.201%

pop3 2.895%

imap 0.256%

ftp 0.129%

http-proxy 0.065%

flash 0.036%

webdav 0.017%

soap 0.014%

yunpan 0.014%

email 41.1%

remote access 16.5%

mngmnt8.2%

internetutility6.2% instant-messaging 1.5%

file-sharing 1.4%

general-business 1.2%

proxy 0.9%

office-programs 0.6%

audio-streaming 0.5%

Applications delivering unknown malware:Understanding the application attack surface facing your organization is a critical tool security teams can use to understand the risk posture of their organization. From a volume-based perspective it is clear that web browsing and SMTP still reign supreme as a delivery vector, being responsible for 96% of total malicious sessions. Adversaries are well aware of the pervasive nature of these applications throughout most organizations, meaning they can represent the quickest and easiest route to infection. With this knowledge in mind, most security organizations have implemented the majority of their defenses on these two points, and for good reason.

Taken another way, our data shows that about 4% of malicious sessions are delivered via applications other than web browsing and SMTP. The essential question becomes: are you prepared for the 4%? Just this small percent represents hundreds of thousands of malicious sessions, and we believe also trends toward use by more sophisticated adversaries.

Ensuring that unknown threats cannot get into your organizations through SMTP and web-browsing is a good way to create a strong “front door,” but you have to consider all the alternate routes adversaries will take, including using applications such as FTP, Webdav or Yunpan, as we see above. Security teams must consider every possible application attack vector that exists across their network as the “widows, cracks and holes in the roof,” because attackers will certainty not stick to just walking in through the front door.

New for this year, Palo Alto Networks Unit 42 team used the AutoFocus™ intelligence service to data-mine and analyze malware-specific activity from WildFire™.

Top 10 applications delivering unknown threats by session (WildFire) Percent of Malicious Sessions


Applications delivering unknown malware by application subcategory:The below observations provides information on the number of malware samples delivered via each application category, compared to the total samples seen within that category. For instance, the below chart shows that out of all the content observed over remote access applications, 16.5% of it was malware. Taken together with the volume-based information in the previous section, this data allows you to prioritize your security efforts on the applications and categories used most by attackers.

Top 10 percent of malicious content detected by per application subcategory (WildFire) Percent of Malicious

SMTP 78.291%

Webbrowsing 18.201%

pop3 2.895%

imap 0.256%

ftp 0.129%

http-proxy 0.065%

flash 0.036%

webdav 0.017%

soap 0.014%

yunpan 0.014%

email 41.1%

remote access 16.5%

mngmnt8.2%

internetutility6.2% instant-messaging 1.5%

file-sharing 1.4%

general-business 1.2%

proxy 0.9%

office-programs 0.6%

audio-streaming 0.5%


Time for PE!Portable executables (PE), commonly known as program files or files ending with the extension ‘.exe’ were found be prevalent throughout the WildFire data and highly malicious in nature, with about 82.4 percent of observed executables categorized as malware, including a whopping 49 percent of unique samples. This type of activity is not surprising; using a PE to launch an attack on a potential victim is the most direct method, as it generally does not require additional exploit code or packaging to be successful. Instead, using PEs relies on the unaware user to trust the executable file to be launched. To further increase the chance of successful exploitation of the user, a common tactic used by adversaries is the use of double extensions, where a file may actually be a PE with the .exe extension, but the adversary will append a familiar document extension such as .doc, .pdf, or .jpg before the .exe extension, and even go so far as to change the icon of the file so that it is in-line with the file it purports to be.

Gone Phishin’Examination of the session data in how potential malware is delivered also served an interesting, yet again, not surprising finding in that phishing attacks are rampant and widespread. Phishing in various forms has been in use by adversaries from the very beginning, and continues to be used due to its efficacy. Much like PEs, phishing generally requires no additional exploitation by the adversary, other than attaching a malicious file to the phishing email or simply pasting a link to a website hosting the malicious file. It is no wonder adversaries continue to use phishing as a main tactic and vector for attack.

For the timeframe of this report, about 41.4 percent of all emails with a file attachment observed via WildFire were found to contain malicious code or behavior. Of note as well is that advanced or nation-state-sponsored adversaries are just as likely to use phishing attacks as a profit-driven cybercriminal. Much like the examination of portable executables, this is a significant percentage of malicious activity occurring over email and, in general, should be a cause for great concern.

What does this mean?90 percent of all laptops and desktop computers still consist of various flavors of Microsoft Windows, and due to the lack of vulnerabilities to exploit when using portable executables to launch an attack, all of these systems are in essence, vulnerable. Automated preventative measures must be deployed as a first line of defense before a user is given the potential opportunity to launch an unknown and possibly malicious executable file. Preventatives measures could include technology such as URL filters, file type filters (such as warning users before downloading an executable, or outright blocking them), malware sandboxes, or other endpoint technologies.

These technologies are also incredibly important when it comes to phishing attacks, as, historically, users have been found to be unable to fend for themselves when it comes to social engineering-type attacks. Due to the prevalence of email as a communication method between users, unlike PEs, email cannot simply be blocked. Whitelisting is not a valid tactic either as there are absolutely legitimate reasons why a user may need to contact another user, who is not in a whitelist, via email or receive email from a user who is not whitelisted. This leads us to two potential solutions to reduce the attack surface: automated preventative measures using technology, and user education.


Global Application Usage SnapshotThe rise of applications in the business environment is nothing new. We continue to see more applications, being used by more people on a continual basis. When looking through our data, a few key facts stood out: the categories of applications that were being used most often, and the sheer number of applications within those categories. Below, you can find the number of application variants in use on a global level, with individual regional breakdowns by application subcategory and the top 25 applications found in the Appendix at the end of the report.

13

FILE SHARING

186

MANAGEMENT

171

PHOTO / VIDEO

137

IP PROTOCOL

129INSTANT MESSAGING

100INTERNET UTILITY

98

SOCIAL NETWORKING

90

GENERAL BUSINESS

89

REMOTE ACCESS

79

VOIP VIDEO

71INFRASTRUCTURE

64EMAIL

62

GAMING

59

ENCRYPTED TUNNEL

48

INTERNET CONFERENCING

48

STORAGE BACKUP

45AUDIO STREAMING

42WEB POSTING

36OFFICE PROGRAMS

35PROXY

35

SOFTWARE UPDATE

29ERP CRM

27

DATABASE

25ROUTING

23SOCIAL BUSINESS

18AUTH SERVICE

15

Highlights: − 10% of all applications in

use are file sharing, which could represent potential data security risk for orga-nizations, for a total of 186 applications.

− 137 photo video appli-cations, meaning users are accessing a myriad of often non-work related applications from corpo-rate devices, which could impact productivity or deliver malware, or nearly 8% of all applications.

− 4.5% of all applications are remote access, and as we saw earlier in this report, can present a major secu-rity risk, for a total of 79.

Total number of applications per subcategory


In 1995, the first macro-based malware, WM/Concept, was unleashed upon the public and began the initial wave of macro-based malware targeting the Microsoft Word® and Excel® applications. Twenty years later, adversaries appear to have rediscovered macro-based malware and are using it as an effective and efficient attack vector against users.

The (re)Rise of Macro Malware

What is a macro?Macros were originally developed for the Microsoft Office® suite as a way to automate repetitive tasks or share tasks between different users. The system was designed so that a user could use a simple feature to record a repetitive task, which would then automatically be transcribed into a language known as Visual Basic for Applications (VBA). The macro automated the task and the VBA code could then be shared with other users.

Unfortunately, macros were not designed with security in mind; functionality was the main goal and macros allowed users to be more productive by speeding up repetitive tasks. While the intentions of macros in Microsoft Office documents were altruistic, the unfortunate side effect was the creation of an easy-to-use and effective vehicle for malicious code.

The most famous and well-known macro-based malware was the Melissa virus in 1999. It was distributed within a Word document that would gather the first 50 entries from a user’s address book and then mail a copy of the macro-infected Word document to each entry via Microsoft Outlook®. Once the recipients opened the document, the cycle would continue ad nauseam. Due to the sheer, overwhelming number of infected systems attempting to send out emails in a much smaller Internet, the Melissa virus placed many major email servers into a denial-of-service state, causing significant impact due to loss of productivity and remediation actions needed.

Where are we now?In response to the Melissa virus event and other macro malware, Microsoft placed multiple mitigations in place to prevent the spread of macro-based malware. In Office 2003, only digitally signed macros could be run by default. In Office 2007, the letter “m” was appended to the usual Office file extensions (.docxm, .xlsxm, .pptxm) to signify that the file contained a macro. Finally, in Office 2013, macros were simply turned off by default, showing users a notification if a macro was embedded in the document they had opened. The actions taken by Microsoft significantly reduced macro-based malware infections and, in turn, reduced the popularity of macro-based malware usage by adversaries.

No good deed goes unpunished, however. In the last decade, as the Internet surged in popularity and necessity, a generation of users now exist who have never used macros or are even aware of what they are due to the dormancy of macros, in general. Users have a tendency to have a singular goal in mind, which is to accomplish the given task at hand. This causes users to ignore warnings or pop-up messages indicating potential danger ahead because, to them, these buttons and dialogues are simple barriers to their productivity. The lack of awareness and a focus on getting to the user’s desired content or task has led to a sudden resurgence in the usage of macro-based malware as users unwittingly are enabling macros in Office documents more and more often.

The two most observed malware families delivered via macro abuse are the Dridex and Dyre malware families. In the timeframe of this report, 10.2 percent of all activity flagged as malicious involved these malware.

While the intentions of macros in Microsoft Office documents were altruistic, the unfortunate side effect was the creation of an easy-to-use and effective vehicle for malicious code.


Dridex4 Dridex is a banking Trojan descended from the GameOver Zeus family of malware. Its functions are extremely similar to the well-known GameOver Zeus variants such as Cridex5, targeting online banking credentials and containing configurations to mimic logins for financial institutions. Dridex differs from its malware relatives, however, in the fact that it utilizes macro-embedded Office documents to load itself onto potential victim hosts, where it then begins harvesting banking credentials. Well over 99 percent of Dridex sessions were delivered over various email protocols or web browsing.

What does this mean?Although extremely numerous and popular at this time, both Dridex and Dyre/Upatre are fairly easy to prevent from entering an organizational environment, due to the usage of simple delivery mechanisms, such as a file attachment to an email or an email containing a link to a suspicious file. Still, examining the sheer volume of macro-based malware demonstrates that macro-based malware is a real threat to enterprises. Organizations may need to begin including specific user education on macros, explaining what they are, what they do and, lastly, what users need to be aware of to prevent malicious activity from occurring.

99 percent of these sessions were over various email protocols of web browsing

4 http://researchcenter.paloaltonetworks.com/2014/10/dridex-banking-trojan-distributed-word-documents/5 https://blogs.mcafee.com/mcafee-labs/banking-malware-dridex-arrives-via-phishing-email

Dyre/UpatreUpatre is the name of the malware downloader, generally delivered via a macro-based malware Office document, which then retrieves Dyre (Dyreza), a banking Trojan similar in function to GameOver Zeus and its variants. In addition, Upatre utilizes the Microsoft Outlook email client to send itself out to additional victims, effectively worming its way across the Internet. As with Dridex, over 99 percent of these sessions were over various email protocols of web browsing.


24h6h4h3h

Average weaponization time

Ferguson Police Shooting

ISIS Tunisa

Germanwings Crash

12h

12 HOURS 24 HOURS

Weaponization of World EventsAbuse of current events in cyberattacks is not a new discovery; weaponization of regularly scheduled world events such as the Olympics or the FIFA World Cup is extremely common and something to be expected when defending our organizations. As the world gets more and more connected, however, and with the continued surge of social media as a valid news outlet, world news is traveling faster than ever; thus, an ever-increasing variety of lures to weaponize are available at the adversary’s fingertips.

Ferguson Police ShootingOn August 9th, 2014, the fatal shooting of Michael Brown by a police officer sparked significant unrest and demonstrations in the town of Ferguson, Missouri. The unrest continued for months, culminating with continued protests after the announcement of the chief of police’s resignation on March 11th, 2015. In the early hours of March 12th, 2015, two police officers were shot outside a Ferguson police station.

As news outlets began to report on this story, in roughly four hours time Palo Alto Networks observed an email pass through the WildFire cloud using the headline of an article in the Washington Times as the subject line using a spoofed Washington Times email address. The email contained a file attachment which was properly identified as malicious.

ISIS Tunisia AttackOn March 19th, 2015, the Wall Street Journal posted an article on their website regarding the terrorist group Islamic State taking responsibility for a deadly attack on a museum in Tunisia’s capital.

Within three hours of the initial reporting, Palo Alto Networks observed an email pass through the WildFire cloud using the exact same subject as the title of the news article, utilizing a spoofed Wall Street Journal email address. The email contained a malicious attachment identified as part of the Dyre/Upatre email worm family.

Germanwings CrashOn March 24th, 2015, Germanwings Flight 9525 crashed in the French Alps, killing all 144 passengers and six crew members. On March 27th, 2015, multiple news outlets began to report that the co-pilot may have had hidden mental illness and crashed the plan deliberately.

In less than three hours of media outlets reporting this story, Palo Alto Networks again observed the weaponization of the event, observing an email with the title of an NBC News article as the subject line being sent to multiple users using a spoofed NBC News email address. The email contained a malicious executable payload which was found to be a part of the Dyre/Upatre email worm family by Wildfire.

Why do these work?Humans are by nature curious creatures. In the mythology of Pandora’s box, the first woman, Pandora, is given a sealed box by the Greek gods, with strict instructions never to open it. Curiosity comes over Pandora, however, and she eventually does open the box. Unfortunately, the box contained death and all the other evils that would eventually befall mankind. Much like Pandora, users, even if given strict instructions never to open unknown files or email messages, will, at some point, be overcome by curiosity and do exactly that. The main issue lies in the

fact that users are not faced with a single Pandora’s box, however; they are constantly faced with a barrage of Pandora’s boxes and other threats, any of which may be the single point of entry an attacker needs to compromise an organization’s infrastructure.

Examining the time delta of weaponizationSeveral world events were examined for evidence of weaponization, and generally, any given world event widely reported in news outlets was found to be weaponized within six hours on average, several even within three hours.


What does this all mean?Threat actors can and will utilize any potential attack vector they can, with no regard for morality. They will prey on our natural curiosity and emotions to easily gain access to a system or to lure us into opening a potentially malicious file. In the sample of world events analyzed, the median time of weaponization from the initial reporting of a world event was thirteen hours with the time to weaponization as short as three hours. These attacks generally used file attachments purporting to be media files or other documents associated with the world event. Users, as well as security organizations, must maintain situational awareness of current events worldwide to understand when and why attacks may occur more often.


The Application Usage and Threat Report (September 2015) from Palo Alto Networks examined nearly 7,000 networks worldwide over 20 industries from April 1, 2014 to April 1, 2015, consisting of over 65 petabytes of data. Nearly 2,700 unique applications were found on these enterprise networks and over 675,000 distinct types of threats were logged. In addition, we examined data from WildFire via the AutoFocus threat intelligence service, combing through millions of unique malware samples and sessions collected during the same time period.

Demographics and Methodology

7000 networks20+ industries

65+ petabytes

2700 uniqueapplications

675,000+ distinct types of threats


Recommendations

1. Deploy automated prevention systems at all layers of infrastructure that are also able to execute preventative actions at every stage of the attack lifecycle. The sheer volume of attacks faced by an enterprise network is too significant not to have automated preventative measures in place and rely instead on manual mechanisms. Many of the highly publicized breaches in the last few years have had successful detections of the initial breach, yet due to a lack of automated prevention, adversaries were not able to be stopped before exfiltration and additional damages were incurred.

2. Find the usage policy balance in the organization. A too-strict usage policy will cause users to be-come frustrated and find workarounds to their problems. A too-lenient usage policy will increase the attack surface for an adversary and potentially leave too many vulnerabilities in the organization’s infrastructure. Organizations must be able to quickly and automatically identify authorized applications and non-authorized applications, and then apply control measures on both.

3. Maintain situational awareness for, not just the cyberthreat landscape, but also world events. Constantly reacting to security incidents is a zero-sum game; organizations must be able to proactively put preventative measures in place, as much as possible, to be able to concentrate on the truly unknown attacks. Organizations should be constantly gather-ing and collating data based on intelligence sharing, open source intelligence, or deriva-tions from closed source intelligence.

From the Palo Alto Networks datasets, including information from over 7,000 networks and the AutoFocus service, it is apparent that the biggest risk to enterprises is the users themselves. Users are constantly faced with a barrage of attacks, both old and new, as well as self-installed, potential points of entry. User education must be an emphasis throughout all organizations, with a trend toward automated prevention systems at every stage of the attack lifecycle and every layer of an organization’s infrastructure. This, in combination with the continued emphasis on open and free threat intelligence sharing will allow organizations to take on a proactive, targeted defensive posture. Data breaches are a significant cost to organizations; why not make it costly for adversaries to execute their attacks as well?

Summary


The following section contains an overview of application usage. Content is broken down into global and regional categories — and further subcategorized by application session and bandwidth percentage.

Appendix


file-sharing

management

photo-video

ip-protocol

instant-messaging

internet-utility

social-networking

general-business

remote-access

voip-video

infrastructure

email

gaming

encrypted-tunnel

internet-conferencing

storage-backup

audio-streaming

web-posting

office-programs

proxy

software-update

erp-crm

database

routing

social-business

auth-service

186

171

137

129

100

98

90

89

79

71

64

62

59

48

48

45

42

36

35

35

29

27

25

23

18

15

Global Application usage by Subcategory


file-sharing

management

photo-video

ip-protocol

instant-messaging

internet-utility

social-networking

general-business

remote-access

voip-video

infrastructure

email

gaming

encrypted-tunnel


storage-backup

audio-streaming

web-posting

office-programs

proxy

software-update

erp-crm

database

routing

social-business

auth-service

186

171

137

129

100

98

90

89

79

71

64

62

59

48

48

45

42

36

35

35

29

27

25

23

18

15

Americas Application usage by Subcategory


file-sharing

management

photo-video

ip-protocol

internet-utility

instant-messaging

social-networking

general-business

remote-access

voip-video

infrastructure

gaming

email

encrypted-tunnel


storage-backup

audio-streaming

office-programs

proxy

software-update

web-posting

erp-crm

database

routing

social-business

auth-service

165

158

129

128

94

87

84

76

71

61

60

57

54

45

41

41

40

30

29

29

27

24

22

22

17

14

Europe, the Middle East and Africa Application usage by Subcategory


file-sharing

management

photo-video

ip-protocol

instant-messaging

internet-utility

social-networking

general-business

remote-access

voip-video

infrastructure

email

gaming

audio-streaming

encrypted-tunnel


storage-backup

proxy

web-posting

office-programs

software-update

erp-crm

routing

database

social-business

auth-service

174

144

132

128

89

89

89

78

74

65

59

58

58

42

42

40

40

33

31

30

28

24

22

21

17

15

Asia Pacific Application usage by Subcategory


file-sharing

ip-protocol

photo-video

management

internet-utility

social-networking

instant-messaging

general-business

remote-access

infrastructure

voip-video

gaming

email

audio-streaming

encrypted-tunnel


storage-backup

web-posting

software-update

office-programs

database

proxy

routing

erp-crm

social-business

auth-service

138

121

115

101

81

75

65

56

55

51

51

47

43

37

34

31

31

27

26

23

19

19

17

15

13

10

Japan Application usage by Subcategory


dns web-browsing

ssl ping http-proxy bittorrent

snmpv2 ntp snmp-base facebookbase

ldap snmpv1 netbiosns

icmp

kerberos smtp ms-ds-smb skype-probe googleanalytics

zabbix syslog mssqldb

twitterbase

msrpc traceroute

37.7 17.9

9.1 7.0 2.6 2.3

2.0 1.5 1.3 1.1 0.9 0.9 0.8 0.7

0.7 0.5 0.005 0.4 0.4 0.4 0.4 0.3 0.30.7 0.3

Global Top 25 Applications by Session (percent of total sessions)


dns web-browsing

ssl ping bittorrent

snmpv2 http-proxy facebookbase

ntp snmp-base ldap snmpv1 netbiosns

msrpc icmp kerberos smtp googleanalytics

ms-ds-smb traceroute skypeprobe

twitterbase

zabbix syslog mssqldb

34.3 17.9

12.6 6.7 1.9

1.9 1.9 1.4 1.3 1.1 1.0 0.8 0.8

0.8 0.7 0.7 0.6 0.6 0.5 0.5 0.4 0.4 0.4 0.3 0.3

Americas Top 25 Applications by Session (percent of total sessions)


dns web-browsing

ping http-proxy snmp-base

ldap snmpv2 bittorrent snmpv1 netbios-ns kerberos msrpc

facebook-base ntp zabbix icmp smtp sip syslog mssqldb

googleanalytics

skypeprobe

bigbrother

ssl

ms-ds-smb

32.3 16.7

7.6 3.6 3.0

2.3 2.1 1.7 1.7 1.4 1.1 1.0

0.9 0.8 0.7 0.7 0.7 0.6 0.5 0.5 0.5 0.4 0.4

9.0

0.7

Europe, the Middle East and Africa Top 25 Applications by Session (percent of total sessions)


dns web-browsing

ping ssl bittorrent http-proxy

snmpv2 ntp facebookbase

snmpv1 icmp msrpc netbiosns

sopcast kerberos

snmp-base syslog skype-probe qq-base ldap zabbix soap ms-ds-smb chargen ppstream

43.0 19.0

7.8 4.8 3.6 2.7

2.4

0.56 0.52 0.49 0.40 0.39 0.36 0.36 0.34 0.32 0.29

1.0 0.8 0.7 0.6 0.6 0.6 0.6 0.6

Asia Pacific Top 25 Applications by Session (percent of total sessions)


ntp ssl http-proxy ping

47.54 16.32

6.51 5.98 4.58 4.53

1.31 1.16 1.12 1.09 1.06 0.76 0.57 0.46 0.45 0.45

0.17zabbix0.17

ldap0.18

dropbox0.19

skype-probe0.22

ssh0.31

snmpv10.33

google-analytics0.34

facebook-base0.38

ssdp

snmpbase

bittorrent icmp web-crawler packetixvpn

snmpv2 canonbjnp

smtp netbiosns

twitterbase

dns web-browsing

Japan Top 25 Applications by Session (percent of total sessions)


web-browsing

ssl

ms-ds-smb tivolistoragemanager

http-video netbackup netflixstreaming

ssh

youtube-base

mssql-db

http-proxy backup-exec bittorrent

oracle

emc-networker

flash

facebook-base ftp

nfs

vmware

smtp appleappstore

ms-update

rtmp

snap-mirror

16.3

13.8

8.2

4.0

3.5 3.3 2.4

2.4

2.3

2.2

1.9 1.8 1.8

1.7

1.3

1.3

1.3 1.2

1.1

0.9

0.90.8

0.8

0.7

0.6

Global Top 25 Applications by Bandwidth (percent of Global bandwidth)


web-browsing

ssl

ms-ds-smb netflixstreaming

http video tivolistoragemanager

youtubebase

mssql-db

oracle

backupexec

facebookbase

ssh

flash

nfs

netbackup

bittorrent appleappstore

msupdate

httpproxy

smtp

vmware

rtmp

ftp fasp

dropbox

16.5 5.54.6

4.1

3.8

2.2

2.0

1.9

1.8 1.61.6

1.5

1.3

1.2

1.11.0

0.9 0.90.8

0.8

0.8

0.7 0.7

0.6

16.3

Americas Top 25 Applications by Bandwidth (percent of Global bandwidth)


web-browsing

ms-ds-smb

ssl tivolistoragemanager

netbackup

http-proxy

mssql-db

emc-networker http-video oracle

ftp ssh backup-exec

youtube-base

bittorrent

nfs

snapmirror vmware smtp

arcserve

hpdataprotector

facebookbase

flash

emcdatadomain

msrpc

14.7

12.9

9.4

8.4

5.1

4.2

3.1

2.7 2.3 2.3

2.1 1.8 1.7

1.6

1.3

1.2

1.2 1.2 1.1

0.01

0.01

0.8 0.8

0.7 0.6

Europe, the Middle East and Africa Top 25 Applications by Bandwidth (percent of Global bandwidth)


web-browsing ms-ds-smb netbackup

bittorrent http video youtube-base

emcnetworker

backup exec

mssql-db

http-proxy

flash

vmware facebookbase

ssh

msrpc

ftp

oracle rtmfp

rtsp

nfs

rtmp

smtp

mysql

ssl

msexchange

16.8 10.5 6.9

4.1 3.5 3.4

2.5

2.2

2.0

1.8

1.4

1.21.1

0.9

0.9

0.8 0.8

0.7

0.7

0.7

0.7

0.7

12.9

0.9

0.9

Asia Pacific Top 25 Applications by Bandwidth (percent of Global bandwidth)


ssh

web-browsing

ssl

ms-ds-smb http proxy

ftp youtubebase

dropbox

msupdate

appleappstore

smtp ipsec-esp rsync

emcrecover-point

flashbittorrent

itunesbase

gmailbase

niconicodouga

ms-rdp

msrpc

webcrawler

dns

httpvideo

twitterbase

24.4

20.6

12.9

3.7 3.3

3.11.7

1.5

1.4

1.3

0.013 1.1 0.1

0.9

0.90.7

0.7

0.6 0.6

0.6

0.6

0.5

0.5

1.8

0.8

Japan Top 25 Applications by Bandwidth (percent of Global bandwidth)


Palo Alto Networks 4401 Great America ParkwaySanta Clara, California, 95054

+1-408-753-4000 main+1-866-320-4788 sales+1-866-898-9087 supportwww.paloaltonetworks.com

Copyright ©2015.Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloalto-networks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

http://www.paloaltonetworks.com

http://www.paloaltonetworks.com/company/trademarks.html



application usage and threat report · palo alto networks | application usage and threat report 2...

Documents