Identity Governance: Putting It All Together (Video)

As the global business landscape continues to shift, organizations are learning what it takes to secure and scale a remote workforce efficiently. As this “new normal” emerges, a robust identity program must align with an organization’s compliance objectives and combine to form a robust solution set that enables business growth.

In order to address the related financial, legal, operational, and reputational risks, Identity Governance combines a prescriptive blueprint for effectively identifying and converging the foundational pillars of IAM with a right-sized and resilient GRC solution/program. Importantly, this also incorporates a Zero Trust Model of relevant security and technical controls.

As a result, organizations are able to prioritize, manage, and mitigate cyber risks that align with their business goals and objectives.

In part three of our ongoing webcast series, “Why Identity Governance Really Matters,” Fishtech Group experts flesh out the ideas covered in the first two webcasts and show practical, relevant examples of how Identity Governance can help you protect your business with modern strategies.

Missed Part 1? Catch the full replay on demand.


Highlights from Recent Webcasts

As organizations across the world have adapted to large-scale remote workforces, our teams continue to work hard to virtually help our clients minimize risk, maximize efficiency, and maintain compliance. As we do, we’ve made it our aim to grow the amount of education and demonstration about these real-world solutions via our live webcasts.

To make it easier to parse through each webcast to find the discussions that provide the most value to you, we’ve put together a few highlight clips from the four most recent webcasts to help you get a feel for the discussions and subject matter. We will provide links to each webcast under each clip, or you can visit the full page of all of our recent webcasts here.

Enable Your Business to Move Faster & More Securely with Governance As Code

Whether you are in development, operations, or security, DevOps is no doubt on your radar. As enterprises increasingly leverage the cloud to host business applications as part of their digital transformation, security and development teams need to transform how they work together.

In this moderated webinar panel discussion, hear from cybersecurity experts as they address best practices to bridge the gap between InfoSec and DevOps and the principles of security being part of the DevOps evolution. In addition, this webinar will address the following questions:

  • How do you build compliance controls into your cloud-native infrastructure?
  • How do I ensure my developers can move quickly while remaining compliant and secure?
  • How do you bring all the right technologies together successfully as you go down the automation journey?
  • What are the best practices around Governance as Code to spin up resources and configure and manage them on day one, day two, and beyond?

Back to the Office: Solutions for the New Risk Landscape

After an incredibly quick shift to support remote workforces on a massive scale, businesses are now beginning plans to allow their teams back into corporate offices.

As this planning occurs, it is vital to understand what reactionary changes had to be made to accommodate the business needs of remote workers. Fresh strategies and opportunities MUST be identified in order to improve security, governance, and architecture.

This webinar, sponsored by Fishtech Group, CyberArk, Ping, and SailPoint, focuses on the risks that were accepted in order to accommodate remote workers, how to identify improvement opportunities, and how to apply those solutions from a Strategy, Governance, and Architecture perspective.

Link to full webcast here.


Insider Threat Mitigation: How to Identify, Prioritize and Protect Critical Assets

One of the most overlooked aspects of effective insider threat mitigation is the identification of an organization’s critical assets, which can include intellectual property, people, facilities, systems, customer data, and more.

This webinar will explain why and how to identify the critical assets in your company. We will present a step-by-step approach to identifying and validating critical assets, identifying and assessing the threats to those assets, evaluating risk appetite and tolerance, and prioritizing the most critical assets.

Participants in the webinar will learn:

  • The importance of defining critical assets
  • An approach to identify critical assets
  • An approach to identify threats to critical assets
  • The impact of critical assets on deterrence and protection activities
  • The impact of critical assets on detection activities

This approach will help you establish a consistent and recurring process to protect your company’s critical assets against insider attacks.

Link to full webcast here.


Demand More From Your Cloud PAM

Attend this webinar to learn how Cloud PAM differs drastically from a traditional on-premise solution. Saviynt and Fishtech will discuss client use cases and why a PAM solution needs to be cloud-architected and cloud-delivered to reduce risk, contain cost, and secure identities for applications, data, and infrastructure.

In addition, join us to discuss the following topics:

  • How the risk of privileges in the cloud differs from traditional PAM and how to manage the velocity and scale of those changes
  • How gaps in legacy PAM solutions fail to accommodate the volume of change in the cloud
  • How a single solution can meet PAM needs for both IaaS and SaaS
  • How to meet the challenges of a multi-cloud ecosystem
  • How to secure next-generation cloud workloads including instances/containers, cloud databases, serverless functions and APIs
  • Governing privileged access in your Hybrid Enterprise

Link to full webcast here.


Business Continuity Planning – A Global Case Study

Paying lip service to business continuity planning when times are calm and uneventful is one thing – who’s going to call you on that? It’s a completely different thing when there is a global pandemic that’s providing a true test across the board for organizations’ business continuity plans around the globe.

The impact may feel slightly lessened now that we have been in the middle of the COVID-19 pandemic for the last few months, but to drive home the obvious, this was a truly unexpected event that shook many businesses to the core. “But, how could we have planned for a global pandemic?” That is a valid question. Ask anyone a year ago about what the greatest challenges to their business would be in 2020, and very few (if any) would mention anything even slightly resembling the word “coronavirus”.

The more apt question to consider is “how can we plan for future disruptions to our business?” To answer it, let’s start with a question of our own – when was the last time your senior leadership conducted a run through of various scenarios to strengthen the readiness of your corporate assets? Maybe it was pre-COVID-19. If so, that likely had a direct effect on how your organization has adapted to this crisis.

Making Your Business Continuity Plan Work for Your Business

At any time, unforeseen circumstances beyond a company’s control can influence the operational status of a business. To wait until these circumstances are knocking at your door is to throw caution to the wind, at potentially great costs to your organization and employees. The most successful businesses have a series of plans and strategies ready for any challenges that may come their way.

To start, key stakeholders should regularly monitor incidents that may cause a business disruption and/or have a serious impact on operations. It does no good to take a “set it and forget it” approach. The crucial word for businesses that are ready pre- and post-disruption is “adaptability”. If you put a plan in place that does not adapt to your environment, or to changes in your organization, you will not be adequately prepared to weather the huge challenges that can occur at the drop of a hat.

A business continuity program should ensure Business Continuity Plans are applicable to relevant, realistic risks and threats to critical operations. This means adopting more of a playbook mentality, rather than a rigid series of step-by-step protocols. Several companies we have worked with already have business continuity plans in place, but they are oftentimes untested or ill-suited for evolving conditions and potential threats.

Business Continuity management should include strategies and playbooks around:

  • Comprehension of basic Business Continuity principles and methods
  • Ensuring consistency in business impact analysis to identify critical business functions
  • Understanding of the correlation between operations, business continuity, IT disaster recovery, and emergency planning
  • Ensuring that the Business Continuity Plan reflects the current hazard risk analysis, mitigation processes, business impact analysis, response management, and recovery strategies
  • Encouraging coordination between all company staff while implementing a Business Continuity Plan
  • Identifying and initiating appropriate, cost-effective strategies and procedures to recover critical business functions and information assets
  • Formally assigning Business Continuity responsibilities to appropriate leadership and ensuring each receives proper training to implement the Business Continuity Plan
  • Ensuring that necessary contractual agreements exist for recovery of critical business functions and information resources
  • Reviewing, updating, and communicating Business Continuity content changes
  • Continually improving the Business Continuity Plan as required
  • Testing Business Continuity plans at least annually
  • Conducting tabletop exercises with senior leadership, so that your business knows what to do in the event of a national, global, or disrupting event

A list of that caliber can seem daunting, but so are the emergencies it is in place to mitigate. If the strategies above are implemented correctly, you can move forward confidently with your organization knowing that you have a plan in place for the next “COVID-19” caliber surprise.

Even a cursory look at the impact this crisis has had on the global business landscape reveals the shocking truth – some organizations have adapted well, and others have failed spectacularly. There are so many examples to show the power of a solid Business Continuity Plan, or lack thereof. It truly is a global case study with a single event as the control. The value of Business Continuity Planning, especially during the digital era, has never been more apparent.

Many organizations rely on us to help them navigate these troubled waters into secure digital transformation. If you are looking for a seasoned guide, let our experts at Fishtech Group help you begin the next steps toward a robust Business Continuity Plan with a number of exercises and actionable steps to help lead your organization to a more secure future. As your team continues to discuss this critical issue, fill out the form below and let us know how we can help.


COVID-19 Phishing and Malware Distribution - CYDERES Technical Blog Series

Executive Summary

“Flattening the curve” refers to efforts to implement community isolation and personal hygiene measures that help keep COVID-19 cases at a manageable level for medical practitioners. In the digital world, you can flatten the curve of COVID-19 phishing incidents by staying vigilant and practicing good email security hygiene. Attackers have adapted to this pandemic by using COVID-19 lures to deliver malware and direct victims to phishing sites, taking advantage of the current global situation and how humans react during stressful times.

The purpose of this blog is to keep you informed on the current phishing emails being delivered to your inbox. Staying updated on trends in the usage of COVID-19 and other lure themes will help your organization stay protected.

COVID-19 Phishing and Malware distribution

Attackers have long taken advantage of public anxiety surrounding global and regional crises, and the current pandemic is no exception. During the first quarter of 2020, we have observed a significant number of phishing emails leveraging COVID-19 themes. These emails have included attachments or URLs commonly leading to phishing sites or malware such as Lokibot, NanoCore, and other Remote Administration Tools (RATs). Some recently observed email subjects include the following:

  • You missed a call Corona Update
  • CDC HEALTH emergency coronavirus COVID-19 Pandemic
  • COVID Report
  • COVID-19 Payroll Adjustment
  • Security Update Stimulus Check Failed

Conducting analysis on an example phishing email resulted in some interesting findings. The following screenshot shows the email subject and attachment but no content. The “From:” section shows “+1917-3757-6473 Notice@nhaschools.com”. “Nhaschools[.]com” is the site for a US National Heritage Academy charter school. At first glance a victim with children attending this school might open the attachment if they see the school’s name and the phrase “Corona update” on the subject line. Other victims might open the attachment to read any information related to the current pandemic.


Looking at the headers, specifically the sender IP and Return-Path, we see the following information:

Sender IP: 52.231.152.110

Return-Path: r-nishikawa@ecru-color.com

Figure: “You missed a call Corona Update” email headers

The sender IP can be traced back to South Korea and ecru-color.com appears to be a Japanese styling salon school.

Figure: Sender IP geolocation

Figure: Domain from the Return-Path address
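The header checks walked through above (From domain versus Return-Path domain, the first-hop relay IP, a phone number posing as a display name, an HTML attachment) can be scripted for triage. This is an added example, not code from the original post; the raw message is constructed to mirror the header values the post reports, and every other value (hostnames, dates, IDs, attachment body) is a placeholder.

```python
"""Header triage for the "You missed a call Corona Update" phishing email.

Added example, not code from the original post. RAW_MESSAGE is CONSTRUCTED
to mirror the header values the post reports (phone-number display name,
From domain nhaschools.com, Return-Path domain ecru-color.com, sender IP
52.231.152.110); hostnames, dates, IDs and the attachment are placeholders.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

RAW_MESSAGE = b"""\
Return-Path: <r-nishikawa@ecru-color.com>
Received: from relay.placeholder.invalid (relay.placeholder.invalid [52.231.152.110])
 by mx.placeholder.invalid with ESMTP id PLACEHOLDER; Mon, 6 Apr 2020 10:00:00 +0000
From: "+1917-3757-6473" <Notice@nhaschools.com>
To: recipient@placeholder.invalid
Subject: You missed a call Corona Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached update.
--b1
Content-Type: text/html; name="Corona_Update.html"
Content-Disposition: attachment; filename="Corona_Update.html"

<html><body>placeholder</body></html>
--b1--
"""

# IPv4 literal in square brackets, as relays write it inside Received: headers.
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# A display name that is really a phone number, like the one in the sample.
_PHONE_LIKE = re.compile(r"\+?\d[\d\- ]{6,}\d")
# The lure theme this post is about; swap in current themes as they change.
_LURE_WORDS = re.compile(r"corona|covid", re.I)


def domain_of(header_value):
    """Domain part of the address in a From:/Return-Path: style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def first_hop_ip(msg):
    """IP of the earliest relay. Received: headers are prepended by each hop,
    so the bottom-most one is the first hop. None if no valid IPv4 literal."""
    for received in reversed(msg.get_all("Received", [])):
        match = _RECEIVED_IP.search(str(received))
        if match:
            try:
                return str(ipaddress.ip_address(match.group(1)))
            except ValueError:
                continue
    return None


def triage(raw_bytes):
    """Parse one message and return the header facts the post walks through
    plus a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = domain_of(msg["From"])
    rp_domain = domain_of(msg["Return-Path"])
    display_name, _ = parseaddr(str(msg["From"] or ""))
    findings = []
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    if _PHONE_LIKE.fullmatch(display_name.strip()):
        findings.append(f"From display name looks like a phone number: {display_name}")
    if _LURE_WORDS.search(str(msg["Subject"] or "")):
        findings.append(f"Subject uses a pandemic lure theme: {msg['Subject']}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            findings.append(f"HTML attachment (common credential-phishing carrier): {name}")
    return {
        "sender_ip": first_hop_ip(msg),
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE)["findings"]:
        print("-", line)
```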

Returning to the email and opening the attachment in a virtual machine shows that the attachment opens a .html document, which pretends to be an online web page. These types of phishing emails play a vague voicemail message before the victim is redirected to a phishing page. Right-clicking and selecting View Source shows the script being used.

A quick Google search shows that the page has been scanned by urlscan.io 10 times. As we can see, it is an Outlook Web App phishing page, which was still active at the time of this writing.

Attackers leverage free, compromised, and dedicated infrastructure to host COVID-19-themed phishing content.

Some examples of recently observed URLs include the following:

  • hXXps://cnncoronavirus[.]000webhostapp[.]com/
  • hXXps://c0vid19-aid-ca[.]org/
  • hXXps://cecollc[.]com/infrastructure/covid/FBG/
  • hXXp://coronana[.]000webhostapp[.]com/
  • hXXp://gift-covid19[.]000webhostapp[.]com/

How you can stay safe:

While email spam using COVID-19 themes is a relatively new and increasingly prevalent phenomenon, these lures ultimately leverage common social engineering tactics that capitalize on fear, anxiety, and curiosity. Once this theme runs its course and dwindles in popularity, it will undoubtedly be replaced by a mix of themes related to current events and common phishing themes like financial transactions, parcel delivery, and file sharing. The positive news is that users can protect themselves from these tactics by improving their awareness and practicing basic security hygiene.

Technology can help to protect users from many of the attacks that attempt to reach inboxes; however, education is the best defense against the phishing attacks that inevitably make it past these defenses. Staying up to date on phishing lure themes that are currently being used and learning how to spot a phishing email will help you flatten the curve.

When reading your emails, ask yourself the following questions:

  • Does this email contain a personalized greeting?

If not, it’s likely unsolicited and may be a phishing email, so proceed with caution.

  • Is this email attempting to instill fear or a sense of urgency to convince me to act?

If yes, it may be a phishing email, so proceed with caution.

  • Are there basic grammatical or spelling errors in this email?

If yes, it may be a phishing email, so proceed with caution.

  • When hovering over links, do I see any signs that they may be malicious?

If you cannot identify the link as a trusted resource, it may be a phishing email, so proceed with caution.

  • Do I recognize the sender and was I expecting an email from them?

If not, it may be a phishing email, so proceed with caution.

  • Are any brand names being used in the email?

Attackers often use logos to create convincing phishing emails, so proceed with caution.

We can help your organization flatten the curve

What is better than technology and education? A combination of human-led and machine-driven security as a service. CYDERES’ 24/7 security as a service gives you the people, process, and technology to manage cybersecurity risks, detect threats, and respond to security incidents in real time. Take a look below at some of the benefits of having a team of security professionals detecting and mitigating your organization’s threats. For more information, visit our site and download the full services factsheet at: https://fishtech.group/solutions/security/

  • Managed 24x7x365 Security Operations Center (Tiers 1-4)
  • Threat detection and triage for all technologies
  • Security incident response
  • Proactive threat hunting
  • Build playbooks (phishing, malware, lateral movement)
  • Endpoint detection & response management
  • Sole EMDR 100% powered by Chronicle Backstory
  • Backstory forwarder 24×7 management and monitoring
  • Custom Backstory integrations/parsers


Data Protection Strategies for a Mobile Workforce

We have been writing multiple blog posts in the last few weeks that have had references to disruptions that have been caused by shifts in the workforce due to COVID-19. Many organizations were so caught off guard by the immense changes that were sprung upon them at such a rapid pace that they didn’t have time to prepare for a largely “work from home” world.

There are many lessons to be learned from what has occurred during this period of disruption, but there is also still a lot to plan for in the coming weeks, including data management strategies.

Data management strategies have become even more important with the expansion of the “work from home” workforce. This is becoming all the more relevant as we prepare staff to return to work inside an office environment: it is critical to understand what has been deployed, to whom, and how.

Many organizations are facing challenges around SaaS applications, especially around visibility into and security of the new collaboration tools currently in use. The often-reactive measures many organizations have used to deploy these remote access solutions have put priceless data at risk.

In today’s post we’re going to be talking about common challenges for data protection with the current remote workforce, and then take a deeper dive on data loss protection strategies so that you can be prepared for the coming weeks and months as the global workforce continues to make huge shifts in operation.

Identity and Access Management

A solid Identity and Access Management program must be a primary tenet of securing a mobile workforce. With a solid Identity and Access Management program in place, you can build upon this firm foundation to evolve to deeper levels of secure remote access to greatly reduce the risk of unauthorized users accessing your organization’s data.

An important step is to achieve a multi-factor authentication approach to move past passwords as your users’ primary authentication tools. This is especially important at a time where users are becoming more mobile and may be using more devices than ever as they work from home, and gradually migrate back to the office.

There are a variety of ways of achieving multi-factor authentication (MFA), but a huge challenge is implementing MFA at scale throughout the organization. There are great physical devices like security tokens, but they can be difficult to deploy while everyone is apart.

There are other technology solutions that can transform devices like employees’ smartphones into authentication tools so that each user can quickly be onboarded into an MFA program. It is imperative to have a guided and strategic approach so your organization can move quickly while staying secure by adding an extra layer of protection to your data.

Securing Cloud Applications

Many companies have been using cloud applications for communication and collaboration to help keep their productivity up during this extensive period of work from home. While these tools have been vital, over the last couple months, cloud applications have continued to present potential security risks by way of compliance violations, identity theft, malware infections, and data breaches. Understanding how to address these risks is crucial in today’s changing environment.

There are a number of solutions that can help secure your organization so that your users can continue to safely use cloud applications to keep up productivity and efficiency of work while they are working remotely. One such solution is the implementation of a Cloud Access Security Broker or CASB.

A CASB is cloud-based software that sits between cloud service users and cloud applications, monitoring all activity and enforcing security policies. A CASB can offer a variety of services such as monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware.

We have also talked in a previous blog post about the implementation of Governance as Code to ensure that organizations avoid any potential compliance violations, especially when their workforce becomes increasingly decentralized.

Governance as Code moves your governance, including implementing best security practices, adhering to compliance requirements and standards, and allocating business resources, away from a manual, human-based approach to a more consistent, efficient, and highly repeatable code-based approach.

We Can Help You Navigate This New Normal

We have only scratched the surface of the challenges that have presented themselves to organizations around the world due to the massive migration to remote work over the last couple of months. Fortunately, we have also only scratched the surface of potential solutions to these challenges as well. Though these potential problems aren’t over just yet, we can absolutely help bring stability to this period of uncertainty.

How can Fishtech help?

We recently had a detailed discussion on a webcast that focused specifically on the challenges and solutions around data protection strategies, which you can check out here. This can help give a broader insight on areas you may need to focus on in the coming weeks and months in this state of constant change. Furthermore, we are ready to help give you consultation on your current security posture with our listen-first advisors, and provide guidance on the best way forward with solution-focused technology.

If you are ready to talk about data protection strategies for your organization, fill out the form below, and we will connect you with one of our experts.


Securing Your Business: Navigating Cybersecurity Challenges (Video)

Fishtech Group has long been a proponent of securing your business as a data-driven cybersecurity services provider for any computing platform. Over the last four years we have been helping businesses minimize risk, maintain compliance, and increase efficiency in this new, modern cloud-based digital ecosystem.

In the midst of the current COVID-19 crisis, securing the cloud has taken on a new level of importance as a huge portion of the global workforce has moved to working from home. This has created new challenges in cybersecurity, and we want to help organizations meet them head on. So, with this huge change in modern business operations as a backdrop, let us reintroduce ourselves.

Below is a video replay of a recent webcast we did with the International Association of Plastics Distribution (IAPD) talking about how to navigate cybersecurity challenges and secure your business, largely in the context of the current COVID-19 crisis. Co-Founders Chuck Crawford (CCO) and Dan Thormodsgaard (CTO), along with Kerry Kilker (EVP/CISO/COO), talk about many foundational aspects of Fishtech Group, how we are navigating this new normal, and steps businesses should be taking to secure themselves in this time of uncertainty. Give it a watch, and if you have any questions about the information you heard in the video, or anything else you may want to know to help secure your business, fill out the form below, and we will connect you with one of our cybersecurity professionals. We hope you are staying safe and healthy.


Getting Ahead of Privacy Laws and Regulations with the NIST Privacy Framework

By now, many of you have heard of the GDPR or the General Data Protection Regulation which is a regulation in EU law on data protection and privacy that was made in 2016, and implemented in 2018.

Companies around the world needed to adapt to the new normal created by this regulation and apply new practices to comply with its rules, often creating huge shifts in their operating practices. Around the time of the regulation’s implementation, you might recall the flood of pop-ups on many companies’ websites detailing how they were tracking your data, giving options to review their privacy policies, or even allowing you to opt in to certain tracking options while citing the GDPR. This was a huge moment in the history of data protection and privacy, and was a stepping stone to where we are as a global online community today.

Early this year, we reached another pivotal point in the history of data privacy and protection in the United States with the CCPA, or the California Consumer Privacy Act, which was passed in 2018 and became effective on January 1st of this year (2020). With the current COVID-19 crisis, we feel as though the noteworthiness of this act has been overlooked, but once the virus begins to get under control, businesses will have to really pay attention to this huge development. Why, you ask? Let’s dive a little deeper.

Why Is the CCPA Important to Your Business?

The intentions of the CCPA are to provide California citizens with the right to:

  1. Know what personal data is being collected about them.
  2. Know whether their personal data is sold or disclosed and to whom.
  3. Say no to the sale of personal data.
  4. Access their personal data.
  5. Request a business to delete any personal information about a consumer collected from that consumer.
  6. Not be discriminated against for exercising their privacy rights.

As an organization, you need to accommodate these new privacy regulations, and it’s important that you get it right because under the CCPA, you are subject to a fine of up to $7,500 per violation.

This penalty can add up quickly, and from how we have seen similar laws develop in the past, many other states will not be far behind, and may have additional language to their regulations. Many businesses are prone to not acting until they absolutely need to, so let us be the first to tell you… You absolutely need to act.

The only problem is, a lot of companies will only act on what they are currently seeing with the CCPA, putting in a lot of effort to cover what may only be part of a future state’s regulations. In this instance, we highly recommend looking forward and getting ahead of this upcoming domino effect by putting best practices into place now that will put you in the best position possible to comply with current and future data and privacy policies. We can help you set up a robust privacy policy for your organization that is forward thinking with the National Institute of Standards and Technology (NIST) Privacy Framework.

NIST Privacy Framework

The National Institute of Standards and Technology created the well-known NIST Cybersecurity Framework, which our professionals know well, and recently released the NIST Privacy Framework, which relates to the Cybersecurity Framework in a number of ways. This new framework abstracts privacy concepts so that organizations can set target goals within the framework and work their way toward a robust privacy program.

Our familiarity with these NIST frameworks along with the fact that there is often overlap between cybersecurity programs and privacy programs has allowed us to ramp up quickly to help our customers navigate creating privacy programs that help them not only comply with current privacy policies and standards, but put them ahead of the curve for any new laws that may arise in the coming months and years.

When working around something completely new and unfamiliar, our goal is to come in and help assess what targets an organization should be working toward to make their way toward compliance under applicable laws that they need to be operating under, and flesh out their privacy programs to help them get prepared for the future.

If you’re looking to get ahead of this new digital privacy landscape, we’d love to talk about how we can help. Fill out the form below to get in contact with one of our Cyber Risk and Compliance professionals.


Extracting and Analyzing Malicious Word Macros for Threat Hunting

Malicious Microsoft documents are an unfortunate gift from email spam campaigns to anyone who has an email account. And like a gift, the senders often try to hide what is inside. Knowing ways to see what is going on within these documents can prove to be valuable during threat hunting. This blog post will walk step by step through the de-obfuscation process of a malicious Microsoft Word document affiliated with Emotet, showing how you can turn these unwelcome gifts into something a little more useful.

Why do this?

Malicious document analysis is something that can be handled by plenty of automated processes. The sample reviewed in this post came from VirusTotal, which has features that automatically provide some of the details found during this exercise. However, sometimes there are documents that an analyst is uncomfortable uploading to online public tools. Knowing what to look for in a malicious document (maldoc) without exposing it to online resources can be very useful.

For this blog post, we will look at a sample document retrieved from VirusTotal that multiple anti-virus vendors flagged as being related to Emotet. The goal is to find the malicious macros, their functionality, and the external resources they communicate to.

Step by step analysis:

For those who want to follow along, the sample being analyzed can be found on VirusTotal here: (https://www.virustotal.com/gui/file/e4ccb75173ae886e8d3bdb9655a963b0ff606b0a63cbcf4deaaf78d6f03de7f8/detection)

The analysis is done on a virtual machine running REMnux, a reverse-engineering Linux toolkit. The first step is to view the data streams that the sample contains using a tool that can be found on REMnux, oledump.py. More information regarding oledump.py can be found here: https://blog.didierstevens.com/programs/oledump-py/

Figure 1: Output from oledump.py showing all the data streams contained in the sample

The usage of oledump.py is simple: “oledump.py $target_doc” lets the user see all the data streams contained in the document along with some useful information. The first column on the left shows the number associated with the stream, which is needed for further oledump.py commands. The second column will sometimes be populated with an “M”, which indicates that the stream contains VBA macros. These macros are what this analysis will be attempting to retrieve and deobfuscate. The third column shows the size of the data stream. This also provides useful information, as in general the larger the size, the more data there is to view.

At this point the analyst can see the streams, their sizes, and whether or not they contain VBA macros. Oledump.py can then be used to dump the contents of a stream for analysis with a command like “oledump.py -s $target_stream_number -v $target_doc”. The -s argument selects which stream is dumped; if the analyst wishes to review all the streams at once, it can be replaced with “-a”. The -v argument tells oledump.py to decompress the VBA macros. Streams that do not carry an “M” do not need -v, and in fact an error is generated if it is used on them.

The first “M” in this document is stream 14, which is an ideal place to start the analysis. Running “oledump.py -s 14 -v sample_2” returns the following output:

Figure 2: Oledump.py output of Stream 14

There are a couple of interesting points in this macro. The first is the Document_open() function, which indicates that this macro will run as soon as the document is opened. The second is that it calls “Tyqsnjabq”, which is not defined anywhere else in this stream, so let’s move on to the next macro, in stream 15.

Referring back to the oledump.py original output, stream 15 is much larger than stream 14. Please see below for a screenshot of part of the output, including (spoilers!) one of the more important functions:

Figure 3: Oledump.py output of stream 15

Searching the output shows that the function called from stream 14, Tyqsnjabq(), is declared here. Because it is called earlier in the document, from a Document_open() function no less, this is an excellent place to begin de-obfuscation. There are many other functions in this stream; however, malicious actors often include junk functions to slow down and confuse analysis. The context clues from the brief check we did before suggest that this one is less likely to be junk.

Figure 4: Top portion of the Tyqsnjabq function from stream 15

The first thing to note when looking at this function is the declaration of the variable “wen”. Several things immediately stand out in it, including:

Two long strings with the repetitive pattern included:

“i9_msnnj883hn///9_msnnj883hn///n9_msnnj883hn///9_msnnj883hn///mg9_msnnj883hn///9_msnnj883hn///mt9_msnnj883hn///”

“9_msnnj883hn///roc9_msnnj883hn///9_msnnj883hn///es9_msnnj883hn///9_msnnj883hn///s”

A string that looks like it may be part of the Win32 provider:

“:win32_”

Another function inside the variable:

ChrW(wdKeyS)

And more variables inside the variables:

Cuzfalodaovlu.Jjtimfyoj

Referring to Microsoft’s documentation (https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualbasic.strings.chrw?view=netframework-4.8), the VBA function ChrW() returns the character associated with the specified character code. wdKeyS is the wdKey enumeration member for the keyboard character “S”, which has a value of 83 (https://docs.microsoft.com/en-us/office/vba/api/word.wdkey). What this all boils down to is a very obfuscated way to write out “S”.

Figure 5: Microsoft documentation showing the value of wdKeyS

The beginning of the variable stands out as the repetition of one pattern: “9_msnnj883hn///”. Searching the rest of the stream for this pattern reveals it is repeated multiple times, including a variable in the Tyqsnjabq function that is just that pattern, and then in a function that contains the pattern in a string which is then split by the variable.

Figure 6: Variables “ski” and “Jtabtmdmfuu” being declared. Note that the variable Jtabtmdmfuu is being split by ski, which is just the pattern observed throughout the stream.

At this point, it is clear that the pattern is itself held in a variable and is there to obfuscate the strings. Replacing it with an empty string throughout the document starts to make things a little clearer; for example, the variable “wen” now looks like:

wen = “inmgmt” + “S” + “:win32_” + Cuzfalodaovlu.Jjtimfyoj + “rocess”

Further, the Jtabtmdmfuu variable in the figure above also helps paint a better picture of what is intended with the wen variable:

Jtabtmdmfuu = Split(“w” + wen, ski)

This is concatenating the “wen” variable with “w”, which now shows that “winmgmt” is being utilized:

“winmgmt” + “S” + “:win32_” + Cuzfalodaovlu.Jjtimfyoj + “rocess”

From Microsoft’s documentation (https://docs.microsoft.com/en-us/windows/win32/wmisdk/winmgmt), Winmgmt is the service that allows WMI to run on a local computer, and WMI allows developers, IT administrators, and threat actors… to write scripts and applications that automate specific tasks.

Looking at this variable now, it appears that the macro is using winmgmt to execute something. Let’s try to figure out what that something is by looking at the Cuzfalodaovlu variable.

The first thing to note is that Cuzfalodaovlu is referenced in stream 15, but its contents are not defined there. Referring back to the original oledump.py output, that name appears multiple times in streams 5 through 11. Analysis began at stream 7, as it was the largest of these. Perform a stream dump with oledump.py again, this time requesting hex output, with a command like “oledump.py -s 7 -x $target_doc”. Take this hex output and convert it using a program like the publicly available CyberChef (https://gchq.github.io/CyberChef/). Please note that CyberChef is also available for download if the target content should not be exposed to the internet.

The output received from CyberChef looks like the following:

Figure 7: Translated hex output from stream 7

The pattern “9_msnnj883hn///” is back again. Treating it the same way as before, replacing it with an empty string, leaves what appears to be a base64 encoded string:

Figure 8: base64 encoded string from stream 7. 

Decoding this, once more using CyberChef, results in what appears to be a PowerShell script that contains more obfuscation:

Figure 9: Results from decoding the base64 string

From this point, a manual effort is needed to make this script clearer and understand what is going on. The first part of the process is to make its structure more readable with formatting changes.

Figure 10: Basic beautifying was conducted on this script to increase human readability. 

The second part of the process is to remove the unnecessary chaff added by the authors to obscure the script’s function. While reviewing the variables, the ones that were actually used had their names replaced with more meaningful descriptions. While not perfect, this helps show what the script is doing:

Figure 11: Basic de-obfuscation was conducted, misleading junk declarations were removed, and relevant variables were re-named to things that are more descriptive.

From this de-obfuscated script, the analyst can see that the executable dropped will be named “901.exe”. Its content is retrieved from one of the five URLs in the “url_list” variable via “(New-Object Net.WebClient).DownloadFile()”. Finally, there is a check on the length of the downloaded file, and if it meets the criteria specified, the executable is started.

Reusing the same techniques, we can find the actual PowerShell command hidden in stream 11. After exporting the stream with oledump.py, converting it from hex, and removing the “9_msnnj883hn///” pattern embedded in the strings, the analyst is left looking at the following:

Figure 12: Partially obfuscated PowerShell commands.

The authors of these maldocs like to strew the relevant pieces throughout their documents. Knowing what to look for in order to maximize the return on analyst time is important, as is knowing when to step back and stop trying to de-obfuscate everything. At this point in the review, we have gathered the PowerShell command, the base64 encoded string that the PowerShell command will run, and the URLs from which the maldoc attempts to retrieve the executable.
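The string-splitting, ChrW() and hex-to-base64 steps above are mechanical enough to script. The following is an added example, not code from the original post or from oledump.py, that performs them offline. It assumes that oledump.py -x output is plain whitespace-separated hex (an optional “offset:” prefix per line is tolerated), that the base64 text in the stream decodes to UTF-16LE as PowerShell’s -EncodedCommand expects (with a UTF-8 fallback), and it tables only the wdKey member the post documents (wdKeyS = 83). The hex dump it runs on is constructed for the demonstration, not the real stream 7.

```python
"""Static triage helpers for the macro/stream obfuscation described above.

Added example, not code from the original post or from oledump.py. Assumptions
not stated on the page: oledump.py -x output is whitespace-separated hex (an
optional "offset:" prefix per line is tolerated); the base64 in the stream
decodes to UTF-16LE text as PowerShell's -EncodedCommand expects, with a UTF-8
fallback; only the wdKey member the page documents (wdKeyS = 83) is tabled.
"""
import base64
import re

JUNK = "9_msnnj883hn///"      # delimiter spliced into every string in the sample
WDKEY = {"wdKeyS": 83}        # wdKey enumeration values needed for ChrW()


def strip_junk(s: str, junk: str = JUNK) -> str:
    """Drop the delimiter: the same result as Split(s, junk) joined back together."""
    return s.replace(junk, "")


def chrw(arg: str) -> str:
    """ChrW(n) / ChrW(wdKeyX): the character for a code point or a wdKey constant."""
    return chr(int(arg)) if arg.isdigit() else chr(WDKEY[arg])


def rebuild_vba_concat(expr: str) -> str:
    """Evaluate a VBA concatenation of string literals and ChrW() calls.

    Only the forms in the sample are handled: "lit" + ChrW(wdKeyS) + "lit".
    Identifiers that cannot be resolved here (Cuzfalodaovlu.Jjtimfyoj, whose
    value lives in another stream) are kept as <name> markers.
    """
    parts = []
    for tok in (t.strip() for t in expr.split("+")):
        lit = re.fullmatch(r'"(.*)"', tok)
        call = re.fullmatch(r"ChrW\((\w+)\)", tok)
        if lit:
            parts.append(strip_junk(lit.group(1)))
        elif call:
            parts.append(chrw(call.group(1)))
        else:
            parts.append(f"<{tok}>")
    return "".join(parts)


def hex_dump_to_bytes(dump: str) -> bytes:
    """Convert oledump.py -x style hex text back into bytes (CyberChef 'From Hex')."""
    digits = []
    for line in dump.splitlines():
        line = re.sub(r"^\s*[0-9A-Fa-f]{8}:", "", line)   # offset prefix, if any (assumption)
        digits.append(re.sub(r"[^0-9A-Fa-f]", "", line))
    return bytes.fromhex("".join(digits))


def decode_payload(b64_with_junk: str) -> str:
    """Strip the delimiter, base64-decode, and pick the text encoding.

    The delimiter contains '/', a legal base64 character, so it must be removed
    before decoding or the result is silently corrupted.
    """
    raw = base64.b64decode(strip_junk(b64_with_junk))
    if len(raw) >= 2 and raw[1] == 0:        # ASCII-range UTF-16LE has NUL high bytes
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def analyze_stream_hex(dump: str) -> str:
    """End-to-end: -x hex text -> bytes -> junk-free base64 -> script text."""
    return decode_payload(hex_dump_to_bytes(dump).decode("ascii", errors="ignore"))


# --- constructed sample (not the real stream 7) -----------------------------
SAMPLE_SCRIPT = "(New-Object Net.WebClient).DownloadFile($u, '901.exe')"
_b64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
_spliced = JUNK.join([_b64[:10], _b64[10:25], _b64[25:]]).encode()
SAMPLE_HEX_DUMP = "\n".join(
    " ".join(f"{b:02X}" for b in _spliced[i:i + 16]) for i in range(0, len(_spliced), 16))

# The "wen" declaration as it appears in the post, with the junk still in place.
WEN_EXPR = ('"i9_msnnj883hn///9_msnnj883hn///n9_msnnj883hn///9_msnnj883hn///mg'
            '9_msnnj883hn///9_msnnj883hn///mt9_msnnj883hn///" + ChrW(wdKeyS) + ":win32_" '
            '+ Cuzfalodaovlu.Jjtimfyoj + "9_msnnj883hn///roc9_msnnj883hn///9_msnnj883hn///es'
            '9_msnnj883hn///9_msnnj883hn///s"')

if __name__ == "__main__":
    print(rebuild_vba_concat('"w" + ' + WEN_EXPR))   # winmgmtS:win32_<Cuzfalodaovlu.Jjtimfyoj>rocess
    print(analyze_stream_hex(SAMPLE_HEX_DUMP))       # (New-Object Net.WebClient).DownloadFile($u, '901.exe')
```

The unresolved marker in the first line of output is deliberate: the value of Cuzfalodaovlu.Jjtimfyoj is not in stream 15, which is exactly why the analysis has to move to streams 5 through 11. Swap JUNK for whatever delimiter a new sample uses; the rest of the flow is the same.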

Threat hunt with these findings:

From this point, the analyst can begin making queries. The first and most obvious is to search for those URLs in the environment. Within Chronicle, for example, copy and paste the URLs into the search bar.

Figure 13: Searching for malicious indicators within Chronicle

We can also create direct queries from other pieces of this sample. Some of the obfuscation techniques in the PowerShell script itself are useful, as it is doubtful that a legitimate application will use them:

(‘Get-It’+’em’)

“dO`wn`LOADf`IlE”

(‘new-ob’+’j’+’ect’) nEt.WEbCliEnT

“L`E`NgTh”

These are easy to search for within Chronicle; just be sure to utilize the Raw Log Scan when attempting to detect these strings.

Figure 14: Searching for obfuscated strings within Chronicle

These searches return low hanging fruit and are simple enough to implement. The trade-off is that many different threat actors are creating malicious documents, and not all of them will obfuscate these commands in the same way. Also, depending on the level of logging an organization has, the logs may contain nothing but the base64 encoded string at the command line level, in which case none of these obfuscated strings are visible until it is decoded.

What would be seen in a Windows event log command line field? The PowerShell command line would be expected to carry the base64 encoded string as part of the event. Stream 11 provided clues to what that command looks like: “Powershell -w hidden -en”, which is also something Chronicle can search for. To break down this command, “-w hidden” is shorthand for -WindowStyle Hidden, which keeps a console window from appearing, and “-en” is an abbreviation of -EncodedCommand, which tells PowerShell to expect a base64 encoded (UTF-16LE) command string.

The analyst can then look for the behavior exhibited by this sample as well. Check for PowerShell child processes whose parent is a Microsoft Office application such as WINWORD.EXE. Look for instances of new objects being created by PowerShell that have made URL requests to external resources. Looking at the techniques used in this maldoc can give the analyst ideas of how to use the log sources at their disposal creatively to identify similar types of documents running in their environment.
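The two hunting angles above, the literal obfuscated strings and the Office-to-hidden-PowerShell behavior, can be combined in one triage routine that also covers the caveat that a command line may carry only the -EncodedCommand base64. What follows is an added example, not code from the original post and not a Chronicle query: it decodes the encoded command, flattens the backtick and ('a'+'b') tricks so that the indicator strings match regardless of how they were spelled, and only flags an event when PowerShell was spawned by an Office process. The telemetry it runs on is constructed JSON-lines with Sysmon-style field names (Image, ParentImage, CommandLine), which is an assumption; map your own source’s fields accordingly.

```python
"""Hunting helpers for the PowerShell launch pattern the maldoc produces.

Added example, not code from the original post or from Chronicle. Input is
constructed process-creation telemetry in JSON-lines form with Sysmon-style
field names (Image, ParentImage, CommandLine); that field layout is an assumption.
"""
import base64
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed Office host processes

# Strings the sample needed, matched after de-obfuscation so spelling tricks do not matter.
INDICATORS = ["get-item", "downloadfile", "new-object", "net.webclient", "length"]


def decode_encoded_arg(cmdline: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None.

    PowerShell accepts any unambiguous prefix of the switch, so -e, -ec, -en and
    -enc all work; "-ep bypass" must not match, hence the required whitespace.
    """
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def normalize_ps(text: str) -> str:
    """Undo the cheap obfuscations seen in the sample, for matching only:
    backtick escapes inside strings, ('a'+'b') literal splicing, random case.
    Naive by design: a genuine `n or `t escape is flattened as well."""
    s = text.replace("`", "")
    s = re.sub(r"\(\s*('[^']*'(?:\s*\+\s*'[^']*')+)\s*\)",
               lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'", s)
    return s.lower()


def triage(event: dict) -> dict:
    """Score one process-creation event for the Office -> hidden encoded PowerShell chain."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_arg(cmd)
    norm = normalize_ps(cmd + ("\n" + decoded if decoded else ""))
    f = {
        "powershell": image in {"powershell.exe", "pwsh.exe"},
        "office_parent": parent in OFFICE_PARENTS,
        "hidden_window": re.search(r"-w\w*\s+hidden", cmd, re.I) is not None,
        "encoded_command": decoded is not None,
        "indicators": [i for i in INDICATORS if i in norm],
    }
    # Parent + PowerShell is the behavioural anchor; the strings alone are too noisy.
    f["suspicious"] = (f["powershell"] and f["office_parent"]
                       and (f["encoded_command"] or len(f["indicators"]) >= 2))
    return f


def load_events(jsonl: str) -> list:
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(l) for l in jsonl.splitlines() if l.strip()]


def hunt(jsonl: str) -> list:
    """Run triage over JSON-lines events; return the suspicious ones with their line index."""
    return [{"line": n, **f} for n, f in enumerate(map(triage, load_events(jsonl)))
            if f["suspicious"]]


# --- constructed sample telemetry (not real logs) -----------------------------
_OBFUSCATED = r"""$c=&('new-ob'+'j'+'ect') nEt.WEbCliEnT;$c."dO`wn`LOADf`IlE"($u,$p);if((&('Get-It'+'em') $p)."L`E`NgTh" -ge 40000){Start-Process $p}"""
_ENC = base64.b64encode(_OBFUSCATED.encode("utf-16-le")).decode()
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell -w hidden -en {_ENC}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command (Get-Item C:\logs\app.log).Length"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd.exe /c dir"},
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["line"], hit["indicators"])   # 0 ['get-item', 'downloadfile', 'new-object', 'net.webclient', 'length']
```

The second sample event is there to show why the string matches are a weak signal on their own: an administrator checking a file size with Get-Item and .Length trips two of the five indicators, but with explorer.exe as the parent it is not flagged. The normalization is deliberately crude and is only for matching; it is not a safe way to execute or “clean” a script.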

Why CYDERES?

CYDERES is the human-led, machine-driven Security-as-a-Service division of Fishtech Group. Because CYDERES is technology independent, we have a large group of dedicated information security professionals with a diverse set of experiences. Whether it is analyzing a document that came from an email to determine if it is legitimate or an Emotet carrier, or tracking down the users who may have received such documents from a phishing campaign, CYDERES is here to augment your security team with expert assistance.

IOCs:

SHA256 e4ccb75173ae886e8d3bdb9655a963b0ff606b0a63cbcf4deaaf78d6f03de7f8
URL hxxps://guilhermebasilio[.]com/wp-content/LH/
URL hxxp://pbs[.]onsisdev[.]info/wp-content/uploads/z8Jm5LOp/
URL hxxp://niuconstruction[.]net/toolsl/k7NjE10245/
URL hxxp://panvelpropertyproject[.]com/calendar/7g6f/7g6f/
URL hxxp://demo[.]artesfide[.]com/cgi-bin/SXllAKyx9u/
Executable Name 901.exe


A CYDERES Success Story

How do we define success? Listening to our customers’ business objectives and helping them meet them.

Their success is our success – it’s our constant focus.

You may have seen some recent videos we put out on social media highlighting our customer success teams at CYDERES, often looking at how we approach customer success from the beginning of an engagement. Today, we wanted to highlight what that success looks like on the other end.

We had received some feedback from a client regarding how the CYDERES team mobilized to combat a potential breach in their environment. See the customer’s quote below:

“I wanted to take a quick moment to recognize Fishtech CYDERES for leading the way in assisting our business to secure our environment. In a recent incident, one of our users inadvertently opened a maldoc that attempted to establish a C2 connection in order to exfiltrate data out of our environment.

 

Our security teams worked closely with CYDERES to contain the threat and ensure minimum impact – they reacted quickly and effectively and also took proactive measures to prevent this from happening again in the future. Your teams demonstrated the technical knowledge needed to work this event and provided valuable data needed to remediate the overall threat.

 

In addition, the team is leading the way in identifying and reporting upticks in various alerts and ensuring our team is aware of any notable events hitting our environment. We greatly appreciate your team doing what’s required but also their hunger to learn and become better every day – surely a reflection of the leadership culture at CYDERES. Thanks for your continued support!”

Because our client’s data, intellectual property, and brand integrity are of utmost concern, it’s often difficult to report on this blog the incredible stories of what really happens in the trenches of the ongoing cyber war between our CYDERES professionals and malicious actors. So, when we received this recent feedback, we felt like it was a great opportunity to slightly pull back the curtain.

CYDERES is truly a team of high performing cybersecurity professionals, whose objective is to protect clients like these. It doesn’t fall to just one person as you can see from the feedback above. We are incredibly proud of the work of our colleagues at CYDERES and are happy to get the chance to show that our clients feel the same way.

When your organization engages with CYDERES, you can expect the same level of proficiency, communication, and overall teamwork to protect your organization from threats like these so that you can focus on your business, not your threats.

If you are ready to take the next step into a true, world-class partnership to help detect and remediate your threats, fill out the form below.


What is Governance as Code?

Moving at the speed of cloud. You have heard us say that about a couple different areas of our business a time or two. Miles per hour? Dead. This is the new digital reality, speed limits be damned. (This is starting to sound like a digital autobahn… what can we say? We’re car people.)

The adoption of cloud computing has been a huge source of disruption for businesses across the map, due, in part, to the rapid speed of change, and the decentralized implementation of cloud infrastructure within an organization. This adoption has led to incredible innovation and has brought forth many opportunities to grow in unprecedented ways.

Innovation and growth! Full speed ahead! But, wait… didn’t you also hear “decentralized implementation” and “rapid speed of change”? Those are a couple of items that we as cybersecurity professionals feel obligated to highlight. These two items in particular open your organization up to many vulnerabilities, to potential non-compliance in certain industries, and even to cyber attacks.

In the pre-cloud world, IT teams were able to manage business applications and infrastructure centrally, with tight governance. As cloud implementation ramped up, this management has undergone a large shift throughout the organization and has left the sole hands of IT and has found its way to members and teams throughout the organization.

While, again, this creates much more opportunity for agility and growth in some areas of an organization, it can drag down others by straining IT teams who now need to react and adapt to a sprawling infrastructure, and by creating vulnerabilities where there were none before.

What if this trade off wasn’t necessary? Could you get the best of both worlds? That’s where Governance as Code comes in.

What is Governance as Code?

Just as the practice of Infrastructure as Code changed the way deployment and configuration of your applications and infrastructure was managed, Governance as Code moves your governance, including implementing best security practices, adhering to compliance requirements and standards, and allocating business resources, away from a manual, human-based approach to a more consistent, efficient, and highly repeatable code-based approach.

While human hands are still involved across the organization in a number of applications, Governance as Code systems act as an overall guiding hand to help users adhere to organizational best practices.

Many are experiencing audit nightmares having to dig through mountains of evidence to show auditors or internal stakeholders. Because everything is “code” in this scenario, it’s already there – and reporting on deficiencies, as well as areas in the green, is a straightforward exercise.

The Fishtech team has built a platform to solve the problem of mapping and enforcing infrastructure as code against compliance frameworks, utilizing a custom policy engine.

Our goal is to help enable customers to automate business processes by combining technology and compliance. By doing so, we are looking to eliminate the worry for customers who are wondering if they are secure while also increasing efficiencies within the business.

If you are looking to harness the speed of the cloud while keeping your organization efficient, compliant, and secure using Governance as Code, fill out the form below, and we will put you in contact with one of our experts.