Application Usage and Threat Report

APPLICATION USAGE AND THREAT REPORT

Research by Unit 42

Palo Alto Networks | Application Usage and Threat Report 1 Overview

The impact of data breaches is ever increasing, and more of our private data than ever is being stolen. As security professionals, defending our organizations can often times seem like a monumental, almost impossible task. Yet, there has never been as much focus, data, or development available to the security industry as there is today. It is only the small proportion of truly advanced adversaries that have proven to be resourceful, developing new tactics, techniques, and procedures as seen fit; whereas, the majority of adversaries reuse old tactics, techniques, and procedures, simply because they are effective and require little to no effort in execution. Even within the most sophisticated groups, commonalities exist within the attack lifecycle, which can be used to identify and stop them.

With this knowledge, we, as security professionals, must turn the tables on the adversaries and make it increasingly difficult and cost inefficient to launch an attack. The first step to this type of proactive defense is the sharing of tactics, techniques, and procedures, as well as threat intelligence in an open and free manner throughout the entire security community, including this report. The more we know about our adversaries, the harder it will be for them to successfully execute an attack, which allows us to proactively defend our organizations in a targeted manner, versus the traditional “find the needle in the haystack” model of reactive defense.

In this year’s Application Usage and Threat Report, Unit 42, the Palo Alto Networks® threat intelligence team, examines key trends across the threat landscape and application usage, including topics on how organizations can educate users and utilize controls to effectively reduce the attack surface available to an adversary, the potential effects of non-standard network activity, the reuse of legacy attack tactics, and the benefits of open threat intelligence sharing.

Palo Alto Networks | Application Usage and Threat Report 2 Key Findings

Adversary dossiers for major threat actor groups The tactics, techniques and procedures (TTPs) used by three major threat actor groups, including p4 their targets, motivations and methods, which can be used to better protect your organization.

Remote access application usage is rampant across all industries and regions 79 unique remote access applications were found to be in use across all regions and industries. p6

SaaS-based application usage has continued to grow SaaS-based application usage has grown 46% over the past 3 years, including more than 316 apps. p8

Nearly half of all portable executables analyzed by WildFire were found to be malicious p10

Over 40% of all email activity examined via WildFire containing a file attachment was found to be malicious in nature p11 p4 Macro-based malware has seen a resurgence and is among the most popular type of malware being distributed to users p14 The two most numerous examples are Dyre and Dridex: 10.2 percent of all sessions marked with malicious activity in WildFire was related to Dyre and Dridex.

Current world events are being weaponized rapidly and used to piggyback attacks The average time to weaponization was 6 hours from the initial reporting of a world event; some events taking p16 as little as 3 hours to weaponization.

Palo Alto Networks | Application Usage and Threat Report 3 Adversary Dossiers

A critical element to understand your organization’s risk posture is gaining intelligence on the adversary groups that may attempt to breach your network. The concept of attribution has been a hotly debated topic across the security industry, with some research organizations attempting to pinpoint the geographic location of the group, or reveal the names of the individuals launching the attacks. We believe in a different kind of attribution; one that focuses on the Tools, Tactics, and Procedures (TTPs) employed by the adversaries, which is a more actionable set of intelligence. Once you understand Indicators of Compromise (IOCs), such as command and control infrastructure, malware deployed, or methods of initial compromise, you can build preventative controls to stop them at every point in the attack lifecycle. Gaining context around the adversary will also allow teams to prioritize their response efforts. For instance, organizations in government sectors will be more concerned by cyber espionage activity, versus a financial services organization, who would be more interested in cyber crime targeting financial gain. Below, we have gathered a set of profiles on three major threat actor groups, which security teams can use to understand if they could be targeted by the groups, and how to reduce their risk of being successfully breached.

CARBANAK

Known Aliases Targeted Regions/Industries Anunuk Initial targeted region was Russia In early 2014 attacks against United States and rest of Origin Europe were observed Russia and Ukraine nexus Attacks against China region have also been observed Motivation Primarily targeted money processing services, ATMs, and Financial gain financial accounts Some evidence of cyber espionage Tactics and Tools Deployed Summary Utilizes the malware family known as Carbanak Responsible for the theft Commonly delivered via spear-phishing email containing a of hundreds of millions of malicious Office document or control panel (CPL) file dollars from various financial institutions beginning in late Malware provides backdoor remote access and data 2013 exfiltration features Used a number of techniques Once a patient zero system has been compromised, such as group transfers or additional reconnaissance is performed to identify ATMs, withdrawls from compromised financial accounts, or other areas where money can be systems transferred

Palo Alto Networks | Application Usage and Threat Report 4 SANDWORM Known Aliases Targeted Regions/Industries Quedagh Europe region Telecommunications Energy Origin Government Russia nexus U.S.-based education institutions ICS environments Motivation Tactics and Tools Deployed Cyber espionage Utilizes two variants of the BlackEnergy Trojan Summary Has utilized a zero-day vulnerability (CVE-2014- Cyber espionage group 4114) in the past for malware delivery attributed to Russian nexus Also uses spear-phishing attacks First disclosed publically in Developed custom plugin modules for BlackEnergy October 2014 Trojan which allows for remote access, network Known attacks began traversal, keylogging, credential harvesting, network December 2013 and capturing, and screen capturing continued into 2014 Attributed to using the BlackEnergy Trojan to execute espionage activity against industrial control system (ICS) environments

SHELLCREW Known Aliases Targeted Regions/Industries Shell Crew Healthcare Journalists Deep Panda Government Think-tanks Axiom Manufacturing Media Group 72 Defense Specific companies Aerospace affected Industrial Premera Blue Cross Origin Pro-democracy NGO Anthem Energy −−OPM China nexus Telecommunications −−Bit9 Academic institutions −−RSA Motivation Espionage Tactics and Tools Deployed Utilizes doppelganger command and control domains to dupe Summary users and obfuscate activity A technically sophisticated Heavy usage of spear-phishing and watering hole attacks to and likely well-funded, state- deliver malware or harvest credentials sponsored APT group Have been known to user zero day vulnerabilities Have used multiple zero days and can move very quickly Has also been known to use legitimate network administration once inside a network. tools with legitimate compromised credentials Known to layer different −−Malware families known to be used −−Sakula malware throughout −−Poison Ivy −−Zxshell −−Gh0st a network to maintain −−Zox family −−Derusbi −−PlugX persistence, as well as harvest −−Scanbox and use legitimate network and remote access credentials.

Palo Alto Networks | Application Usage and Threat Report 5 APAC Banking 65 14 12 3 6 13 65 18 4

EMEA Education K-12 26 24 6 28 6 28 63 10 6 4 4 8 5

RSH Splashtop AMERICAS Higher Education 44 14 5 12 16 9 75 7 3 9 6

Japan Energy Remote18 29 15 Access4 14 5 9 6 Application18 47 Usage4 19 3 9 Remoteview Supremo Financial 31 18 14 24 3 2 8 Applications Geographic trends (each bar represents 100%) Vertical trends (each bar represents 100%) APACAPACFederal Gov BankingBanking Microsoft Remote Desktop 6565 12 38 3144214 1212 3 63 6 14 1313 6565 1818 4 4

teamviewer Ammyy

telnet EMEAEMEAState & Local Gov EducationEducation K-12 K-12 Citrix 2626 21 2424 11 2 116 6 284828 6 62828 25 6363 1010 6 64 44 48 8 5 5

VNC RSHRSH SplashtopSplashtop Fastviewer AMERICASAMERICASHealthcare HigherHigher Education Education 12 24 9 37 6 2 4 6 gotomypc 4444 1414 5 51212 1616 9 9 7575 7 7 3 93 9 6 6 pcanywhere VMware LOGMEIN JapanJapanHigh Tech EnergyEnergy 43 11 4 17 2 13 2 8 other (cited) 1818 2929 1515 4 41414 5 59 9 6 6 1818 4747 4 41919 3 93 9 RSH Synergy other RemoteviewRemoteview SupremoSupremo Hospitality & Leisure FinancialFinancial 14 44 6 30 6 3131 1818 1414 2424 3 2382 8

Insurance FederalFederal Gov Gov 23 11 58 3 5 Remote access tools date back to theMicrosoftMicrosoft origins Remote Remote ofDesktop Desktop networked 1212 3838 3 423 42 1414 computing, when processing powerteamviewer teamviewerwas contained in centrally AmmyyAmmyy telnettelnetManufacturing StateState & &Local Local Gov Gov located, room sized computers and dumb44 terminals 19were 9used13 to11 4 CitrixCitrix 2121 1111 2 112 11 4848 2525 remotely access them. It was simplyVNC VNCmore efficient to allow users Media & Entertainment FastviewerFastviewer HealthcareHealthcare to access their data and the computational43 resources22 remotely5 12 7 3 8 1212 2424 9 9 3737 6 62 42 46 6 gotomypcgotomypc Remoteview PCOIP from their own terminals in a concurrentpcanywherepcanywhere manner rather than VMwareVMware Non-profit have each individual user walk up toLOGMEIN LOGMEINthe mainframe and interact HighHigh Tech Tech 72 5 16 5 2 4343 1111 4 41717 2 132 13 2 82 8 otherother (cited) (cited) with it, one by one. Netviewer RSHRSH SynergySynergy otherother Pharmaceuticcals HospitalityHospitality & &Leisure Leisure These very first instances of remote access tools24 all assumed11 9 a48 high level of 3 5 1414 4444 6 6 3030 6 6 trust because for the most part, the dumb terminals only had access to theAmmyy mainframe and vice versa, using physical isolationProfessional from Services other networks.& Legal As InsuranceInsurance 11 20 32 22 9 6 2323 1111 5858 3 53 5 networked computing grew however, along with the advent ofBomgar the InternetGotomyPC where now all systems were somehow connected,Retail the high level of trust ManufacturingManufacturing could not be assumed; yet, these types of applications17 44 still exist and11 are 11 6 3 3 5 4444 1919 9 9 1313 1111 4 4 actively used where the high level of trust is still assumed. RSH Service Providers MediaMedia & &Entertainment Entertainment 34 24 33 6 3 Our research found seventy-nine unique remote access applications to be 4343 2222 5 51212 7 7 3 83 8 in use globally across more than 6,600 organizations. Several organizations, RemoteviewRemoteview PCOIPPCOIP Transportation & Logistics Non-profitNon-profit 28 22 6 38 6 largely in higher education, were found to have over forty unique remote 7272 5 51616 5 52 2 access applications on their networks alone. Over 4,400 organizations were NetviewerNetviewer found to have five or more different remote access applications running on PharmaceuticcalsPharmaceuticcals 2424 1111 9 9 4848 3 53 5 their networks. Globally and across all industries, remote access application AmmyyAmmyy usage consisted of 48 percent Microsoft Remote Desktop, 16 percent ProfessionalProfessional Services Services & &Legal Legal Teamviewer, 11 percent Citrix, 9 percent VNC, 8 percent telnet, and 8 1111 2020 3232 2222 9 9 6 6 percent all other applications. BomgarBomgar GotomyPCGotomyPC RetailRetail Each region had a diverse distribution of remote access applications, from 1717 4444 1111 1111 6 63 3 53 5 the number of applications used to their volume of usage. RSHRSH ServiceService Providers Providers 3434 2424 3333 6 63 3

TransportationTransportation & &Logistics Logistics 2828 2222 6 6 3838 6 6

Palo Alto Networks | Application Usage and Threat Report 6 Ammyy In recent years, the legitimate remote access application remove it. The adversary then directs the user to either the known as Ammyy® has commonly been exploited by official Ammyy website to download the server software adversaries in ‘vishing’ or voice phishing attacks1, 2, 3. These or to another website that hosts the server software. The attacks have been largely targeted at English-speaking adversary then asks the user for the code that the Ammyy countries and have been fairly successful in duping users software generates, giving them complete access to the into installing the remote access application and giving the user’s system. At this point, the adversary may claim the adversary access to their systems. malware infection has been fixed or may begin to load actual malware onto the now remotely controlled system The attack generally starts with a user receiving a phone to hold the user at ransom or perform other nefarious call from a person purporting to be from Microsoft, Dell, or activities. The industries with the most number of sessions even their own organization’s IT department. The adversary captured for Ammyy usage were Federal Government, may then claim that the user’s system has been discovered Manufacturing, and Energy. to be infected by some form of advanced malware and the user must now install a specific application (Ammyy) to

What does this mean? With such a variety of remote access application usage across enterprise networks, it is no wonder that these applications are oftentimes being leveraged for malicious activity by threat actors. Telnet and rsh, due to the era of their creation, were not established for password authentication or encryption and thus pass all of their activity in cleartext. This is a major vulnerability and could potentially be exploited with ease by an adversary. Microsoft Remote Desktop and Citrix have their own set of security vulnerabilities, and using client-less or cloud-based remote access applications also carry their own specific risks on how they are even secured in the first place. The biggest issue of using remote access applications, however, is that once an attacker has gained access, they now have effective control over the host with the remote access application server running on it, without having to compromise the affected host or attacking it using any other exploits. Risks are additionally increased as more end users are given privileges to digital resources and begin installing unauthorized remote access applications. For users, this makes sense – remote access applications to their workstation, for example, allow them to continue to do work when they are remote or at home. With this type of usage, however, due to bypassing the organization’s IT department and security teams, the application is often deployed in an insecure manner and not using best practices, which leads to using default passwords or at times bypassing any security controls that may have been put in place by the organization. Remote access application usage is widespread, regardless of region or industry. With the ever-increasing usage of virtual systems, the cloud, and the Internet of Things, remote access application usage will, in turn, continue to increase. Restricting usage of remote access applications is unfeasible and inefficient, but implementing proper usage policies and controlling the deployment of these applications is feasible and must be practiced by all organizations.

1 http://resources.infosecinstitute.com/phishing-techniques-similarities-differences-and-trends-part-iii-vishing/ 2 http://www.networkworld.com/article/2605887/microsoft-subnet/zero-day-opens-the-way-to-hack-back-against-fake-microsoft-tech-support-scammers.html 3 http://www.ammyy.com/en/admin_mu.html

Palo Alto Networks | Application Usage and Threat Report 7 SaaS-based Application Trends

Organizations are adopting SaaS-based application services at a breakneck pace. These applications continue to redefine the network perimeter, providing critical functionality and efficiency, but at the same time introduce potential new security and data risks if not properly controlled. Often, individuals or departments will begin using un-sanctioned SaaS services, creating a “shadow IT” environment, further complicating the visibility into day-to-day user activity and the security of sensitive data.

Between 2012 and 2015, we found a 46 percent increase suitable for business purposes. Given the large percentage in usage of SaaS applications on customer networks, of usage and the high number of unique SaaS applications highlighting the continued importance of assessing the observed, it can be concluded that users are likely not security and data risks these services introduce. following these types of usage policies, and are instead engaging in rampant usage of non-sanctioned SaaS Looking deeper into the category of applications that applications. This further increases the risk of data leakage comprise the 316 dataset, we found that overwhelming to organizations, due to the lack of visibility from regular these applications fell into two categories: email (38 logs or notifications from the unauthorized SaaS storage percent) and file storage (40.7 percent). These figures providers, as well as additional risk of the intermeshing of are concerning, due to the fact that a large portion of users’ personal email and work emails, which may cause this activity is likely non-sanctioned usage of unknown or situations where a user may be attacked on their personal uncontrolled applications. In most organizations that do emails and the adversary then pivots to the work email SaaS applications, users are provided access to a specific account. list of services the organization has deemed acceptable or

Unique Saas Applications In Use

316

259

218

2012 - 2013 2013 - 2014 2014 - 2015

Palo Alto Networks | Application Usage and Threat Report 8 Usage of Top 25 SaaS-based applications

BY BANDWIDTH BY SESSION

dropbox 21.33% 17.42% outlook-web-online outlook-web-online 16.09% 17.17% icloud-base gmail-base 12.01% 16.28% dropbox google-docs-base 7.65% 13.86% gmail-base skydrive-base 5.69% 3.22% skydrive-base crashplan 3.97% 2.35% yunpan yunpan 3.52% 2.33% google-docs-base boxnet-base 2.34% 2.22% naver-line signiant-base 2.12% 1.93% computrace icloud-base 1.91% 1.79% yahoo-mail webex-base 1.91% 1.55% webex-base office-on-demand 1.56% 1.34% qq-mail google-drive-web 1.17% 1.33% ms-office365-base sharepoint-online 1.11% 1.16% google-drive-web naver-mail 1.11% 1.07% ms-lync-online barracuda-backup 0.98% 1.03% yammer mozy 0.96% 0.94% icloud-mail vidyo 0.93% 0.92% prezi naver-ndrive 0.83% 0.86% sharepoint-online ms-lync-online 0.75% 0.83% boxnet-base wetransfer 0.68% 0.62% netop-on-demand yahoo-mail 0.58% 0.61% netease-mail carbonite 0.58% 0.51% aim-mail qq-mail qq-mail 0.55% 0.47% daum-mail viber-base 4shared 4shared 0.54% 0.46% viber-base

What does this mean? The constant battle between security professionals and have a multi-pronged approach that does not blindly end users has been the level of usability that a user needs, restrict usage, but ensures that only authorized SaaS and to what extent we are willing to sacrifice security applications are in use, layered with the visibility and for it. SaaS services shine the light on this issue further, security controls required to ensure the sanctity of the in large part because at this point in most users’ Internet organizations’ security posture and data. Lastly, regular user career, the use of SaaS is a normal, everyday occurrence. education about SaaS services in general, and why it may The use of Gmail to check their email, Dropbox to upload be a risk to the organization, should be regularly performed. some files, or iCloud to synchronize their pictures is Asking security professionals to secure SaaS applications a part of their everyday workflow. Deploying policies is oftentimes a challenging task for both the requester and to completely prevent this type of behavior can be the implementer, but it is something that will be required impractical, given the widespread and often business- even more so as industries move more and more toward relevant usage of these applications. Ideally, organizations these applications and services.

Palo Alto Networks | Application Usage and Threat Report 9 Unknown Threat Data and Analysis

New for this year, Palo Alto Networks Unit 42 team used the AutoFocus™ threat intelligence service to data-mine and analyze malware-specific activity from WildFire™.

Top 10 applications delivering unknown Applications delivering unknown malware: threats by session (WildFire) Understanding the application attack surface facing your Percent of Malicious Sessions organization is a critical tool security teams can use to understand the risk posture of their organization. From a

yunpan 0.014% volume-based perspective it is clear that webaudio-streaming browsing 0.5% soap 0.014% and SMTP still reign supreme as a delivery vector,office-programs being 0.6% Web webdav 0.017% responsible for 96 percent of all malicious sessions.proxy 0.9% browsing flash 0.036% general-business 1.2% 18.201% imap Adversaries are well aware of the pervasive nature of these 0.256% http-proxy 0.065% internet file-sharing 1.4% applications throughout mostutility organizations, meaning they ftp 0.129% instant-messaging 1.5% offer the quickest and easiest6.2% route to infection. With pop3 2.895% this knowledge in mind, most security organizations have mngmnt implemented the majority8.2% of their defenses on these two applications, and for good reason. SMTP 78.291% Taken another way, our data shows that about 4 percent of malicious sessions is deliveredremote via applications other than web browsing and SMTP.access The essential question becomes: 16.5% are you prepared for the 4 percent? Just this small percentage represents hundreds of thousands of malicious sessions, and we believe also trends toward use by more sophisticated adversaries. Ensuring that unknown threats cannot get into your organizations through SMTP and web-browsing is a email good way to create a strong41.1% “front door,” but you have to consider all the alternate routes adversaries will take, including using applications such as FTP, Webdav, or Yunpan, as we see above. Security teams must consider every possible application attack vector that exists across their network as the “widows, cracks, and holes in the roof,” because attackers will certainty not stick to just walking in through the front door.

Palo Alto Networks | Application Usage and Threat Report 10 Top 10 application subcategories by Applications delivering unknown malware by percentage of malicious sessions application subcategory: (WildFire) The observations on the left provide information on the number of malware samples delivered via each application Percent of Malicious yunpan 0.014% audio-streaming 0.5% category, compared to the total samples seen within that soap 0.014% office-programs 0.6% category. For instance, the chart shows that out of all the Web webdav 0.017% proxy 0.9% content observed over remote access applications, 16.5 browsing flash 0.036% general-business 1.2% 18.201% imap percent of it was malware. Taken together with the volume- 0.256% http-proxy 0.065% internet file-sharing 1.4% based information in the previous section, this data allows utility ftp 0.129% instant-messaging 1.5% 6.2% you to prioritize your security efforts on the applications pop3 2.895% and categories used most by attackers. mngmnt 8.2%

SMTP 78.291% remote access 16.5%

email 41.1%

Palo Alto Networks | Application Usage and Threat Report 11 Time for PE! Gone Phishin’ Portable executables (PE), commonly known as program Examination of the session data in how potential malware files or files ending with the extension ‘.exe’, were found is delivered also served an interesting, yet again, not to be prevalent throughout the WildFire data and highly surprising finding in that phishing attacks are rampant and malicious in nature, with about 82.4 percent of observed widespread. Phishing in various forms has been in use by executables categorized as malware, including a whopping adversaries from the very beginning, and continues to be 49 percent of unique samples. This type of activity is not used due to its efficacy. Much like PEs, phishing generally surprising; using a PE to launch an attack on a potential requires no additional exploitation by the adversary, other victim is the most direct method, as it generally does than attaching a malicious file to the phishing email or not require additional exploit code or packaging to be simply pasting a link to a website hosting the malicious file. successful. Instead, using PEs relies on the unaware user It is no wonder adversaries continue to use phishing as a to trust the executable file to be launched. To further main tactic and vector for attack. increase the chance of successful exploitation of the user, For the timeframe of this report, about 41.4 percent of all a common tactic used by adversaries is the use of double emails with a file attachment observed via WildFire were extensions, where a file may actually be a PE with the found to contain malicious code or behavior. Of note as .exe extension, but the adversary will append a familiar well is that advanced or nation-state-sponsored adversaries document extension such as .doc, .pdf, or .jpg before the are just as likely to use phishing attacks as a profit-driven .exe extension, and even go so far as to change the icon of cybercriminal. Much like the examination of portable the file so that it is inline with the file it purports to be. executables, this is a significant percentage of malicious activity occurring over email and, in general, should be a cause for great concern.

What does this mean? 90 percent of all laptops and desktop computers still consist of various flavors of Microsoft Windows, and due to the lack of vulnerabilities to exploit when using portable executables to launch an attack, all of these systems are, in essence, vulnerable. Automated preventative measures must be deployed as a first line of defense before a user is given the potential opportunity to launch an unknown and possibly malicious executable file. Preventatives measures could include technology such as URL filters, file type filters (such as warning users before downloading an executable, or outright blocking them), malware sandboxes, or other endpoint technologies. These technologies are also essential when it comes to phishing attacks, as, historically, users have been found to be unable to fend for themselves when it comes to social engineering-type attacks. Due to the prevalence of email as a communication method between users, unlike PEs, email cannot simply be blocked. Whitelisting is not a valid tactic either as there are absolutely legitimate reasons why a user may need to contact another user, who is not in a whitelist, via email or receive email from a user who is not whitelisted. This leads us to two potential solutions to reduce the attack surface: automated preventative measures using technology, and user education.

Palo Alto Networks | Application Usage and Threat Report 12 Global Application Usage Snapshot

The rise of applications in the business environment is nothing new. We continue to see more applications being used by more people on a continual basis. When looking through our data, a few key facts stood out: the categories of applications that were being used most often and the sheer number of applications within those categories. Below, you can find the number of application variants in use on a global level, with individual regional breakdowns by application subcategory and the top 25 applications found in the Appendix at the end of the report.

Total number of applications per subcategory Highlights: FILE SHARING IP PROTOCOL INSTANT INTERNET UTILITY −− 10% of all applications in MESSAGING use are file sharing, which 186 129 100 98 could represent potential data security risk for organizations, for a total of 186 applications. −− 137 photo video appli- SOCIAL VOIP VIDEO INFRASTRUCTURE EMAIL NETWORKING cations, meaning users 71 64 62 are accessing a myriad of 90 often non-work related MANAGEMENT applications from corpo- rate devices, which could 171

impact productivity or GAMING STORAGE AUDIO deliver malware, or nearly BACKUP STREAMING GENERAL 59 8% of all applications. BUSINESS 45 42 −− 4.5% of all applications are 89 WEB OFFICE PROXY remote access, and as we POSTING PROGRAMS saw earlier in this report, 35 ENCRYPTED 36 35 can present a major secu- TUNNEL rity risk, for a total of 79. PHOTO / VIDEO 48 137 REMOTE ACCESS SOFTWARE DATABASE ROUTING 79 UPDATE INTERNET 25 23 CONFERENCING 29 48 ERP CRM SOCIAL AUTH 27 BUSINESS SERVICE 18 15

Palo Alto Networks | Application Usage and Threat Report 13 The (re)Rise of Macro Malware

In 1995, the first macro-based malware, WM/Concept, was unleashed upon the public and began the initial wave of macro-based malware targeting the Microsoft Word® and Excel® applications. Twenty years later, adversaries appear to have rediscovered macro-based malware and are using it as an effective and efficient attack vector against users.

What is a macro? Where are we now? Macros were originally developed for the Microsoft Office® In response to the Melissa virus event and other macro suite as a way to automate repetitive tasks or share tasks malware, Microsoft put multiple mitigations in place to between different users. The system was designed so that prevent the spread of macro-based malware. In Office 2003, a user could use a simple feature to record a repetitive only digitally signed macros could be run by default. In Office task, which would then automatically be transcribed into a 2007, the letter “m” was appended to the usual Office file language known as Visual Basic for Applications (VBA). The extensions (.docxm, .xlsxm, .pptxm) to signify that the file macro automated the task and the VBA code could then be contained a macro. Finally, in Office 2013, macros were shared with other users. simply turned off by default, showing users a notification if a macro was embedded in the document they had opened. While the intentions of macros in Microsoft The actions taken by Microsoft significantly reduced macro- Office documents were altruistic, the based malware infections and, in turn, reduced the popularity unfortunate side effect was the creation of macro-based malware usage by adversaries. of an easy-to-use and effective vehicle for No good deed goes unpunished, however. In the last malicious code. decade, as the Internet surged in popularity and necessity, a generation of users now exist who have never used macros or are even aware of what they are due to the dormancy Unfortunately, macros were not designed with security in of macros, in general. Users have a tendency to have a mind; functionality was the main goal and macros allowed singular goal in mind, which is to accomplish the given task users to be more productive by speeding up repetitive at hand. This causes users to ignore warnings or pop-up tasks. While the intentions of macros in Microsoft Office messages indicating potential danger ahead because, to documents were altruistic, the unfortunate side effect was them, these buttons and dialogues are simple barriers to the creation of an easy-to-use and effective vehicle for their productivity. The lack of awareness and a focus on malicious code. getting to the user’s desired content or task has led to a sudden resurgence in the usage of macro-based malware as The most famous and well-known macro-based malware users unwittingly are enabling macros in Office documents was the Melissa virus in 1999. It was distributed within a more and more often. Word document that would gather the first 50 entries from a user’s address book and then mail a copy of the macro- The two most observed malware families delivered via infected Word document to each entry via Microsoft macro abuse are the Dridex and Dyre malware families. Outlook®. Once the recipients opened the document, In the timeframe of this report, 10.2 percent of all activity the cycle would continue ad nauseam. Due to the sheer, flagged as malicious involved these malware. overwhelming number of infected systems attempting to send out emails in a much smaller Internet, the Melissa virus placed many major email servers into a denial-of-service state, causing significant impact due to loss of productivity and remediation actions needed.

Palo Alto Networks | Application Usage and Threat Report 14 Dridex4 Dyre/Upatre Dridex is a banking Trojan descended from the GameOver Upatre is the name of the malware downloader, generally Zeus family of malware. Its functions are extremely similar delivered via a macro-based malware Office document, to the well-known GameOver Zeus variants such as which then retrieves Dyre (Dyreza), a banking Trojan similar Cridex5, targeting online banking credentials and containing in function to GameOver Zeus and its variants. In addition, configurations to mimic logins for financial institutions. Upatre utilizes the Microsoft Outlook email client to send Dridex differs from its malware relatives, however, in the itself out to additional victims, effectively worming its way fact that it utilizes macro-embedded Office documents to across the Internet. As with Dridex, over 99 percent of load itself onto potential victim hosts, where it then begins these sessions were over various email protocols of web harvesting banking credentials. Well over 99 percent of browsing. Dridex sessions were delivered over various email protocols or web browsing. 99 percent of these sessions were over various email protocols of web browsing

What does this mean? Although extremely numerous and popular at this time, both Dridex and Dyre/Upatre are fairly easy to prevent from entering an organizational environment, due to the usage of simple delivery mechanisms, such as a file attachment to an email or an email containing a link to a suspicious file. Still, examining the sheer volume of macro-based malware demonstrates that macro-based malware is a real threat to enterprises. Organizations may need to begin including specific user education on macros, explaining what they are, what they do and, lastly, what users need to be aware of to prevent malicious activity from occurring.

4 http://researchcenter.paloaltonetworks.com/2014/10/dridex-banking-trojan-distributed-word-documents/ 5 https://blogs.mcafee.com/mcafee-labs/banking-malware-dridex-arrives-via-phishing-email

Palo Alto Networks | Application Usage and Threat Report 15 Weaponization of World Events

Abuse of current events in cyberattacks is not a new discovery; weaponization of regularly scheduled world events such as the Olympics or the FIFA World Cup is extremely common and something to be expected when defending our organizations. As the world gets more and more connected, however, and with the continued surge of social media as a valid news outlet, world news is traveling faster than ever; thus, an ever-increasing variety of lures to weaponize are available at the adversary’s fingertips.

Why do these work? fact that users are not faced with a single Pandora’s box, Humans are by nature curious creatures. In the mythology however; they are constantly faced with a barrage of of Pandora’s box, the first woman, Pandora, is given a Pandora’s boxes and other threats, any of which may be the sealed box by the Greek gods, with strict instructions single point of entry an attacker needs to compromise an never to open it. Curiosity comes over Pandora, however, organization’s infrastructure. and she eventually does open the box. Unfortunately, the box contained death and all the other evils that would Examining the time delta of weaponization eventually befall mankind. Much like Pandora, users, even Several world events were examined for evidence of if given strict instructions never to open unknown files weaponization, and generally, any given world event widely or email messages, will, at some point, be overcome by reported in news outlets was found to be weaponized curiosity and do exactly that. The main issue lies in the within six hours on average, several even within three hours.

12 HOURS 24 HOURS

3h 4h 6h 12h 24h

ISIS Tunisa

Germanwings Crash

Ferguson Police Shooting

Average weaponization time

Ferguson Police Shooting ISIS Tunisia Attack Germanwings Crash On August 9th, 2014, the fatal shooting of On March 19th, 2015, the Wall Street On March 24th, 2015, Germanwings Michael Brown by a police officer sparked Journal posted an article on their website Flight 9525 crashed in the French Alps, significant unrest and demonstrations regarding the terrorist group Islamic State killing all 144 passengers and six crew in the town of Ferguson, Missouri. The taking responsibility for a deadly attack members. On March 27th, 2015, multiple unrest continued for months, culminating on a museum in Tunisia’s capital. news outlets began to report that the with continued protests after the co-pilot may have had hidden mental Within three hours of the initial reporting, announcement of the chief of police’s illness and crashed the plan deliberately. Palo Alto Networks observed an email resignation on March 11th, 2015. In pass through the WildFire cloud using In less than three hours of media outlets the early hours of March 12th, 2015, the exact same subject as the title of reporting this story, Palo Alto Networks two police officers were shot outside a the news article, utilizing a spoofed again observed the weaponization of the Ferguson police station. Wall Street Journal email address. The event, observing an email with the title As news outlets began to report on this email contained a malicious attachment of an NBC News article as the subject story, in roughly four hours time Palo Alto identified as part of the Dyre/Upatre line being sent to multiple users using a Networks observed an email pass through email worm family. spoofed NBC News email address. The the WildFire cloud using the headline of email contained a malicious executable an article in the Washington Times as the payload which was found to be a part of subject line using a spoofed Washington the Dyre/Upatre email worm family by Times email address. The email contained Wildfire. a file attachment which was properly identified as malicious.

Palo Alto Networks | Application Usage and Threat Report 16 What does this all mean? Threat actors can and will utilize any potential attack vector they can, with no regard for morality. They will prey on our natural curiosity and emotions to easily gain access to a system or to lure us into opening a potentially malicious file. In the sample of world events analyzed, the average time of weaponization from the initial reporting of a world event was thirteen hours with the time to weaponization as short as three hours. These attacks generally used file attachments purporting to be media files or other documents associated with the world event. Users, as well as security organizations, must maintain situational awareness of current events worldwide to understand when and why attacks may occur more often.

Palo Alto Networks | Application Usage and Threat Report 17 Demographics and Methodology

The Application Usage and Threat Report (September 2015) from Palo Alto Networks examined nearly 7,000 networks worldwide over 20 industries during a 12 month time period, consisting of over 65 petabytes of data. Nearly 2,700 unique applications were found on these enterprise networks and over 675,000 distinct types of threats were logged. In addition, we examined data from WildFire via the AutoFocus threat intelligence service, combing through millions of unique malware samples and sessions collected during the same time period.

7000 networks 20+ industries

unique 65+ 2700 applications petabytes

675,000+ distinct types of threats

Palo Alto Networks | Application Usage and Threat Report 18 Summary

From the Palo Alto Networks datasets, including information from over 7,000 networks and the AutoFocus service, it is apparent that the biggest risk to enterprises is the users themselves. Users are constantly faced with a barrage of attacks, both old and new, as well as self-installed, potential points of entry. User education must be an emphasis throughout all organizations, with a trend toward automated prevention systems at every stage of the attack lifecycle and every layer of an organization’s infrastructure. This, in combination with the continued emphasis on open and free threat intelligence sharing will allow organizations to take on a proactive, targeted defensive posture. Data breaches are a significant cost to organizations; why not make it costly for adversaries to execute their attacks as well?

Recommendations

1. Deploy automated prevention systems at all layers of infrastructure that are also able to execute preventative actions at every stage of the attack lifecycle. The sheer volume of attacks faced by an enterprise network is too significant not to have automated preventative measures in place and rely instead on manual mechanisms. Many of the highly publicized breaches in the last few years have had successful detections of the initial breach, yet due to a lack of automated prevention, adversaries were not able to be stopped before exfiltration and additional damages were incurred.

2. Find the usage policy balance in the organization. A too-strict usage policy will cause users to be- come frustrated and find workarounds to their problems. A too-lenient usage policy will increase the attack surface for an adversary and potentially leave too many vulnerabilities in the organization’s infrastructure. Organizations must be able to quickly and automatically identify authorized applications and non-authorized applications, and then apply control measures on both.

3. Maintain situational awareness for not just the cyberthreat landscape, but also world events. Constantly reacting to security incidents is a zero-sum game; organizations must be able to proactively put preventative measures in place, as much as possible, to be able to concentrate on the truly unknown attacks. Organizations should be constantly gather- ing and collating data based on intelligence sharing, open source intelligence, or deriva- tions from closed source intelligence.

Palo Alto Networks | Application Usage and Threat Report 19 Appendix

The following section contains an overview of application usage. Content is broken down into global and regional categories — and further subcategorized by application session and bandwidth percentage.

Palo Alto Networks | Application Usage and Threat Report 20 Global Application usage by Subcategory

file-sharing 186 management 171 photo-video 137 ip-protocol 129 instant-messaging 100 internet-utility 98 social-networking 90 general-business 89 remote-access 79 voip-video 71 infrastructure 64 email 62 gaming 59 encrypted-tunnel 48 internet-conferencing 48 storage-backup 45 audio-streaming 42 web-posting 36 office-programs 35 proxy 35 software-update 29 erp-crm 27 database 25 routing 23 social-business 18 auth-service 15

Palo Alto Networks | Application Usage and Threat Report 21 Americas Application usage by Subcategory

Palo Alto Networks | Application Usage and Threat Report 22 Europe, the Middle East and Africa Application usage by Subcategory

file-sharing 165 management 158 photo-video 129 ip-protocol 128 internet-utility 94 instant-messaging 87 social-networking 84 general-business 76 remote-access 71 voip-video 61 infrastructure 60 gaming 57 email 54 encrypted-tunnel 45 internet-conferencing 41 storage-backup 41 audio-streaming 40 office-programs 30 proxy 29 software-update 29 web-posting 27 erp-crm 24 database 22 routing 22 social-business 17 auth-service 14

Palo Alto Networks | Application Usage and Threat Report 23 Asia Pacific Application usage by Subcategory

file-sharing 174 management 144 photo-video 132 ip-protocol 128 instant-messaging 89 internet-utility 89 social-networking 89 general-business 78 remote-access 74 voip-video 65 infrastructure 59 email 58 gaming 58 audio-streaming 42 encrypted-tunnel 42 internet-conferencing 40 storage-backup 40 proxy 33 web-posting 31 office-programs 30 software-update 28 erp-crm 24 routing 22 database 21 social-business 17 auth-service 15

Palo Alto Networks | Application Usage and Threat Report 24 Japan Application usage by Subcategory

file-sharing 138 ip-protocol 121 photo-video 115 management 101 internet-utility 81 social-networking 75 instant-messaging 65 general-business 56 remote-access 55 infrastructure 51 voip-video 51 gaming 47 email 43 audio-streaming 37 encrypted-tunnel 34 internet-conferencing 31 storage-backup 31 web-posting 27 software-update 26 office-programs 23 database 19 proxy 19 routing 17 erp-crm 15 social-business 13 auth-service 10

Palo Alto Networks | Application Usage and Threat Report 25 Global Top 25 Applications by Session (percent of total sessions)

dns web-browsing 37.7 17.9

ssl ping http-proxy bittorrent 9.1 7.0 2.6 2.3

snmpv2 ntp snmp-base facebook ldap snmpv1 netbios icmp base ns 2.0 1.5 1.3 1.1 0.9 0.9 0.8 0.7

msrpc kerberos smtp ms-ds-smb skype-probe google zabbix syslog traceroute mssql twitter analytics db base 0.7 0.7 0.5 0.005 0.4 0.4 0.4 0.4 0.3 0.3 0.3

Palo Alto Networks | Application Usage and Threat Report 26 Americas Top 25 Applications by Session (percent of total sessions)

dns web-browsing 34.3 17.9

ssl ping bittorrent 12.6 6.7 1.9

snmpv2 http-proxy facebook ntp snmp-base ldap snmpv1 netbios base ns 1.9 1.9 1.4 1.3 1.1 1.0 0.8 0.8

msrpc icmp kerberos smtp google ms-ds-smb traceroute skype twitter zabbix syslog mssql analytics probe base db 0.8 0.7 0.7 0.6 0.6 0.5 0.5 0.4 0.4 0.4 0.3 0.3

Palo Alto Networks | Application Usage and Threat Report 27 Europe, the Middle East and Africa Top 25 Applications by Session (percent of total sessions)

dns web-browsing 32.3 16.7

ssl ping http-proxy snmp-base 9.0 7.6 3.6 3.0

ldap snmpv2 bittorrent snmpv1 netbios-ns kerberos msrpc 2.3 2.1 1.7 1.7 1.4 1.1 1.0

facebook-base ntp ms-ds-smb zabbix icmp smtp sip syslog mssql google skype big db analytics probe brother 0.9 0.8 0.7 0.7 0.7 0.7 0.6 0.5 0.5 0.5 0.4 0.4

Palo Alto Networks | Application Usage and Threat Report 28 Asia Pacific Top 25 Applications by Session (percent of total sessions)

dns web-browsing 43.0 19.0

ping ssl bittorrent http-proxy 7.8 4.8 3.6 2.7

snmpv2 ntp facebook snmpv1 icmp msrpc netbios sopcast kerberos base ns 2.4 1.0 0.8 0.7 0.6 0.6 0.6 0.6 0.6

snmp-base syslog skype-probe qq-base ldap zabbix soap ms-ds-smb chargen ppstream 0.56 0.52 0.49 0.40 0.39 0.36 0.36 0.34 0.32 0.29

Palo Alto Networks | Application Usage and Threat Report 29 Japan Top 25 Applications by Session (percent of total sessions)

dns web-browsing 47.54 16.32

ntp ssl http-proxy ping 6.51 5.98 4.58 4.53

snmp bittorrent icmp web-crawler packetix snmpv2 canon smtp netbios twitter base vpn bjnp ns base 1.31 1.16 1.12 1.09 1.06 0.76 0.57 0.46 0.45 0.45

facebook-base google-analytics snmpv1 ssh skype-probe dropbox ldap zabbix ssdp 0.38 0.34 0.33 0.31 0.22 0.19 0.18 0.17 0.17

Palo Alto Networks | Application Usage and Threat Report 30 Global Top 25 Applications by Bandwidth (percent of Global bandwidth)

web-browsing ms-ds-smb tivoli 8.2 storage 16.3 manager 4.0

http-video netbackup netflix 3.5 3.3 streaming 2.4

ssh http-proxy backup-exec bittorrent 2.4 1.9 1.8 1.8 ssl

13.8 oracle facebook-base ftp youtube-base 1.7 1.3 1.2 2.3

nfs smtp apple 1.1 0.9 appstore emc-networker 0.8 1.3 mssql-db 2.2 ms-update snap- flash vmware 0.8 mirror 0.9 0.6 1.3 rtmp 0.7

Palo Alto Networks | Application Usage and Threat Report 31 Americas Top 25 Applications by Bandwidth (percent of Global bandwidth)

web-browsing ms-ds-smb netflix 5.5 streaming 16.5 4.6

http video tivoli 4.1 storage manager 3.8

youtube backup facebook ssh base exec base 1.6 2.2 1.8 1.6 ssl

16.3 ﬂash bittorrent apple 1.1 appstore mssql-db 1.5 1.0 2.0 ms http smtp update proxy 0.8 nfs 0.9 0.9 1.3 oracle vmware ftp fasp 1.9 0.8 0.7 0.7 netbackup 1.2 rtmp 0.8 dropbox 0.6

Palo Alto Networks | Application Usage and Threat Report 32 Europe, the Middle East and Africa Top 25 Applications by Bandwidth (percent of Global bandwidth)

web-browsing ssl tivoli 14.7 9.4 storage manager 8.4

netbackup emc-networker http-video oracle 5.1 2.7 2.3 2.3

ftp ssh backup-exec ms-ds-smb 2.1 1.8 1.7 http-proxy 12.9 4.2 youtube-base snapmirror vmware smtp 1.6 1.2 1.2 1.1

bittorrent arcserve facebook flash mssql-db 1.3 base 3.1 0.01 0.8 0.8 nfs hp emc msrpc 1.2 data data protector domain 0.01 0.7 0.6

Palo Alto Networks | Application Usage and Threat Report 33 Asia Pacific Top 25 Applications by Bandwidth (percent of Global bandwidth)

web-browsing ms-ds-smb netbackup 16.8 10.5 6.9

bittorrent http video youtube-base 4.1 3.5 3.4

emc mssql-db vmware facebook ssh ssl networker 2.0 1.2 base 0.9 12.9 2.5 1.1 msrpc oracle rtmfp 0.9 0.8 0.8 http-proxy 1.8 backup exec ms rtsp rtmp exchange 0.7 0.7 2.2 0.9 smtp ﬂash 0.7 1.4 ftp nfs 0.9 0.7 mysql 0.7

Palo Alto Networks | Application Usage and Threat Report 34 Japan Top 25 Applications by Bandwidth (percent of Global bandwidth)

ssh ssl 24.4 12.9

ms-ds-smb http proxy 3.7 3.3

ftp http youtube 3.1 video base web-browsing 1.8 1.7

20.6 dropbox smtp ipsec-esp rsync 1.5 0.013 1.1 0.1

emc twitter gmail niconico ms recover- base base douga update point 0.8 0.6 0.6 1.4 0.9 bittorrent ms-rdp web ﬂash 0.7 0.6 crawler apple 0.9 0.5 appstore itunes msrpc dns 1.3 base 0.6 0.5 0.7

Palo Alto Networks | Application Usage and Threat Report 35 Palo Alto Networks Copyright ©2015. 4401 Great America Parkway Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Santa Clara, California, 95054 Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks +1-408-753-4000 main mentioned herein may be trademarks of their respective companies. +1-866-320-4788 sales +1-866-898-9087 support www.paloaltonetworks.com

Palo Alto Networks | Application Usage and Threat Report 36