Over the past few days there have been a variety of reports about the Havex RAT (Remote Access Trojan), Energetic Bear RAT, Backdoor.Oldrea, and Trojan.Karagany. Enclosed is an update with specific mitigations Palo Alto networks has added in addition to Threat Mitigation best practices to leverage the full Palo Alto Networks Solution. The Palo Alto team has been tracking Havex for quite a while and are regularly finding samples via WildFire and providing coverage via AV and additional indicators via URL filtering. AV malware naming is challenging as Havex is also known as Backdoor.Oldrea, Energetic Bear RAT, and Trojan.Karagany.
Palo Alto Networks has added the following Specific Threat Mitigation
URL Filtering – PAN-DB Specific Mitigation
Similar to any other malware family or threats, Palo Alto Networks customers should leverage the entire solution for Threat Mitigation
Best Practices for Threat Prevention Coverage and Mitigation:
Reduce the Attack Surface:
-Look for TCP and UDP-unknown traffic which can be indicative of the various trojans and RATs that are communicating outbound
-Use SSL decryption on webmail at a minimum to prevent targeted attacks and watering hole attacks to personal email addresses.
-A single malicious RTF file, PDF or Office document is all it takes to own an organization and bypass all your protection when you don’t have visibility into SSL communications.
-Block or at least warn via continue page on all PE (portable executables), .EXEs from being installed by employees
-Consider blocking all additional high-risk targeted attack content types such as RTF files, .SCR files, .HLP files and .LNK files
Prevent Known Attacks:
Consider inline blocking with a strict IPS policy. Prevent the client-side vulnerability from being exploited with a drive-by download and dropping the malware on the system.
Suspicious DNS – Investigate and remediate ANY suspicious DNS queries. These are most likely infected systems!
-Block on Malware domains, as well as proxy avoidance, and peer2peer.
-Use a “Continue page” on unknown category websites
Focus on Prevention of Unknown and 0-day Malware:
-Forward all incoming PE files to Wildfire to determine if any malicious executables are downloaded
-Forward all high-risk targeted attack documents types to Wildfire incoming Office Documents , PDFs and Java files to Wildfire for analysis
-Ensure RTF files are blocked or forward to WildFire at a minimum.
-Wildfire will automatically see the malicious behavior and push out AV signatures, DNS and CnC signatures to prevent additional employees from being infected.
-Look at the Botnet Report to ensure you haven’t missed already infected systems.
-Use the PanOS 6.0 feature to ensure you are finding already infected systems easily.
-Recommend that employees not install Adobe Reader, Flash and Java updates if these pop-up. Consider installing all updates for users or have users visit the websites directly. Malware authors will prey on social engineering tactics to get your employees to install fake Reader, Flash and Java updates – but these can be part of the infection vector.