Jaeson Schultz, Technical Leader – Insights On Emerging Threats (slide transcript)

Post on 02-Aug-2020


TRANSCRIPT

Jaeson Schultz

Technical Leader

Insights On Emerging Threats

Who Am I?

• Jaeson Schultz – jaeson@cisco.com – @jaesonschultz (Twitter)

– Over 20 years specialising in thwarting abuse of security protocols like SMTP, HTTP/S, and DNS

– Former manager of the SpamCop DNSBL – an IP address-based blacklist which has been taking the fight to the spammers for over a decade

– Assisted in design and development of the Cisco IronPort Anti-Spam content scanner and I’ve also developed some of the architecture & content detection for Cisco’s Web Security Appliance, Cloud Web Security, and Next Generation Firewall products.

– Most recently as Technical Leader for Talos, I perform Security Research, Author Blog/Whitepaper Publications, Speak at Conferences, and evangelise Cisco Security.

– Little Lebowski Urban Achiever


THREAT LANDSCAPE

[Chart: CVE entries per year, 2011–2015. 2014: 7,903 entries; 2015: 6,453 entries, an 18% decrease in CVE entries from 2014 to 2015. The number of CVE entries in 2016 so far is 239.]

THREAT LANDSCAPE

1.5 Million


THREATS DON’T GO AWAY, HOW DO WE ADDRESS IT?

Cloud to Core Coverage

• 16 BILLION web requests a day

• 500 BILLION email messages a day

• 18.5 BILLION AMP queries a day

MULTI-TIERED DEFENCE

Cloud to Core Coverage

• WEB: Reputation, URL Filtering, AVC

• END POINT: Software – ClamAV, Razorback, Moflow

• CLOUD: FireAMP & ClamAV detection content

• EMAIL: Reputation, AntiSpam, Outbreak Filters

• NETWORK: Snort Subscription Rule Set, VDB – FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content

• Global Threat Intelligence Updates

MULTI-TIERED DEFENCE

Talos is divided into 5 departments

Open Source / Public Facing Tools

• Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger

• Vulnerability detection and mitigation: Moflow, FreeSentry

Open Intelligence

Today’s Plan

• Rombertik

• Ransomware

• Windows 10

• Teslacrypt

• Cryptowall 4

• SSH Psychos

• IP Address Hijacking

• Reverse Engineering Tech Support Scammers

• Malvertising

• Rigging for Compromise – Rig Exploit Kit

• Angler Exposed

Rombertik

LEADING THREAT INTELLIGENCE

Rombertik

• Multiple layers of obfuscation

• Hooks into user’s browser to read credentials & other sensitive info

• Propagates via spam and phishing

Code Paths

LEADING THREAT INTELLIGENCE

Rombertik

ACTION TAKEN:

• Identify malware

• Encourage best security practices

• AMP, CWS, ESA, Network Security, WSA


Ransomware


LEADING THREAT INTELLIGENCE

CRYPTOWALL 3.0

• Data is the new target

• Ransomware

• Becoming more popular

• Using more evasive techniques

Your Files are Protected by a “Free Windows 10 Upgrade”

Do you remember?

Threat

• Talos discovered an email spam campaign shortly after the Windows 10 release

Payload

• CTB-Locker is the ransomware payload

CTB Locker

• Unparalleled visibility

• Quick and effective detection and response

LEADING THREAT INTELLIGENCE

TeslaCrypt

ACTION TAKEN:

• Created TeslaCrypt Decryption Tool

• Open Source command line utility

• Users can decrypt their files

themselves

LEADING THREAT INTELLIGENCE

TeslaCrypt

Symmetric: files are NOT asymmetrically encrypted with RSA 2048

Actual encryption: AES 256-bit in CBC mode

Open Source: Decryption Tool

Knock off ransomware

Why would people pay??

Honor amongst Thieves?

TeslaCrypt Demo

- CryptoWall Version 4 -

The Evolution continues

CryptoWall Version 4

• Notorious ransomware

• Version 1 first seen in 2014

• Distributed via exploit kits and phishing emails

• Fast evolution

Detailed Instructions

Victim’s View – Full Localization

CryptoWall 4 checks local region settings with an undocumented API call

The following regions are excluded from infection:

Russian - Kazakh - Ukrainian - Uzbek - Belarusian - Azeri - Armenia … other Eastern European countries

File Encryption

Temp AES256 key

Directory listing on the victim:

15/10/07 12:39 <DIR> .
15/10/07 12:39 <DIR> ..
15/10/07 12:36 78,971 1.jpg
15/10/07 12:39 154,330 2.jpg
15/10/07 12:36 123,240 3.jpg
…

Per file (1.jpg): the RSA public key encrypts the temporary AES256 key; the output file random.xyz holds the encrypted AES256 key, other data, and the encrypted 1.jpg.

The temporary AES key can only be decrypted with the private RSA key.
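The per-file hybrid scheme diagrammed above (a temporary AES-256 key per file, wrapped with the attacker's RSA public key and written next to the ciphertext), as an added example; this is not CryptoWall's code and not a Talos tool. The same block also makes the point of the TeslaCrypt slides: the symmetric layer on its own, with the key left recoverable on the victim's machine, needs no private key to undo, which is why a decryption tool was possible there and not here. Everything beyond the slide is this example's assumption: the blob layout, OAEP and PKCS#7 padding, and SHA-256 over the DER-encoded public key as the "Pubkey valid (check hash)?" step of the later infection-process slide.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)

// Assumed blob layout: [RSA-wrapped AES-256 key][16-byte IV][AES-256-CBC body, PKCS#7 padded]
// The symmetric layer on its own is the TeslaCrypt case: if the key is recoverable
// on the victim's disk, anyone can call aesCBCDecrypt, no private RSA key needed.
func aesCBCEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

func aesCBCDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-pad], nil
}

// The "Pubkey valid (check hash)?" step; SHA-256 over DER is this example's assumption.
func keyFingerprint(pub *rsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for *rsa.PublicKey
	return sha256.Sum256(der)
}

// wrapFile is the CryptoWall 4 pattern: fresh AES-256 key per file, wrapped with
// the attacker's RSA public key (OAEP is this example's choice), body under AES-CBC.
func wrapFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+aes.BlockSize) // temporary key, then IV
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	fileKey, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	ct, err := aesCBCEncrypt(fileKey, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(append(wrapped, iv...), ct...), nil
}

// unwrapFile needs the private RSA key; without it the per-file key stays locked.
func unwrapFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+aes.BlockSize {
		return nil, errors.New("blob too short")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil {
		return nil, err
	}
	return aesCBCDecrypt(fileKey, blob[n:n+aes.BlockSize], blob[n+aes.BlockSize:])
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	attacker := newKey()
	blob, _ := wrapFile(&attacker.PublicKey, []byte("constructed contents of 1.jpg"))
	pt, err := unwrapFile(attacker, blob)
	fmt.Printf("%q %v\n", pt, err)
}
```

The design point is the contrast: `aesCBCDecrypt` is all a victim-side tool needs when the key is on disk, whereas `unwrapFile` cannot start without the RSA private key, which never leaves the C2 side.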

Network Communication

CryptoWall malware ↔ Command and Control server:

• Malware → C2: Initial announcement to C2

• C2 → Malware: C2 Server ACK

• Malware → C2: Request PubKey, TOR domains, PNG wallpaper

• C2 → Malware: Send PubKey, TOR domains, PNG wallpaper

• Malware: Verify PubKey and start encrypting files …

• Malware → C2: Operation successful. Files encrypted. Done.

• C2 → Malware: C2 Server ACK

Infection Process Details

• One encryption thread per logical volume

• Exclude CDROMs

• Exclude volumes with “HELP_YOUR_FILES.PNG”

• When done: write “HELP_YOUR_FILES.PNG” to volume root, report success to C&C

Flowchart:

• Binary downloaded and executed

• Injected into explorer.exe

• Makes itself persistent (registry run key)

• Injecting in svchost (main malware logic)

• Delete all shadow copies

• Dropper checks if config file exists. If not: try downloading pubkey and files from C2 server. Got files from C2 server? If no, sleep 3 seconds and try again. Pubkey valid (check hash)? If yes, create config file.

• Encrypt files and show message(s)

• Clean up and exit process

SSHPSYCHOS

If it doesn’t work you’re just not using enough BRUTEFORCE

SSH Psychos Update

SSHPsychos

• Brute force SSH attacks until a password is guessed

• 300K unique passwords

• Login from a different address space

• Drop DDoS rootkit on the server

• Accounted for 1/3 of all SSH traffic ON THE INTERNET
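A detector for the pattern these bullets describe, a burst of failed guesses from one range followed by a successful login for the same account from a different address space, as an added example; it is not Talos tooling. The sshd lines are constructed and use documentation address ranges; grouping by /24 and the threshold of 5 failures are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd lines, not from the talk. 203.0.113.0/24 hammers root, then
// the working password is used from 198.51.100.7, a different address space.
// 192.0.2.x is ordinary user traffic with one mistyped password.
const sampleAuthLog = `Apr 14 03:12:01 web1 sshd[2011]: Failed password for root from 203.0.113.10 port 51234 ssh2
Apr 14 03:12:01 web1 sshd[2013]: Failed password for root from 203.0.113.11 port 51240 ssh2
Apr 14 03:12:02 web1 sshd[2015]: Failed password for invalid user admin from 203.0.113.12 port 51251 ssh2
Apr 14 03:12:02 web1 sshd[2017]: Failed password for root from 203.0.113.13 port 51260 ssh2
Apr 14 03:12:03 web1 sshd[2019]: Failed password for root from 203.0.113.14 port 51266 ssh2
Apr 14 03:12:03 web1 sshd[2021]: Failed password for root from 203.0.113.15 port 51270 ssh2
Apr 14 03:15:40 web1 sshd[2050]: Failed password for alice from 192.0.2.9 port 50100 ssh2
Apr 14 03:20:44 web1 sshd[2090]: Accepted password for root from 198.51.100.7 port 40321 ssh2
Apr 14 03:21:02 web1 sshd[2094]: Accepted password for alice from 192.0.2.5 port 50112 ssh2`

var sshdLine = regexp.MustCompile(
	`sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+`)

type Finding struct {
	Kind   string // "bruteforce-source" or "login-after-bruteforce"
	Subnet string // /24 the failed guesses came from
	User   string // account guessed (login-after-bruteforce only)
	Source string // IP of the accepted login (login-after-bruteforce only)
}

func slash24(ip string) string {
	p := net.ParseIP(ip).To4()
	if p == nil {
		return ip
	}
	return fmt.Sprintf("%d.%d.%d.0/24", p[0], p[1], p[2])
}

// analyseAuthLog keys failures by /24 rather than by single IP because the
// campaign rotated through a range; threshold is the failure count that
// counts as a burst.
func analyseAuthLog(log string, threshold int) []Finding {
	failures := map[string]int{}             // /24 -> failed guesses
	targeted := map[string]map[string]bool{} // user -> /24s that guessed it
	type login struct{ user, ip string }
	var accepted []login
	for _, line := range strings.Split(log, "\n") {
		m := sshdLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if m[1] == "Accepted" {
			accepted = append(accepted, login{m[2], m[3]})
			continue
		}
		subnet := slash24(m[3])
		failures[subnet]++
		if targeted[m[2]] == nil {
			targeted[m[2]] = map[string]bool{}
		}
		targeted[m[2]][subnet] = true
	}
	var out []Finding
	for subnet, n := range failures {
		if n >= threshold {
			out = append(out, Finding{Kind: "bruteforce-source", Subnet: subnet})
		}
	}
	// The SSHPsychos tell: a guessed account later logs in from somewhere
	// outside the range that did the guessing.
	for _, l := range accepted {
		for subnet := range targeted[l.user] {
			if failures[subnet] >= threshold && slash24(l.ip) != subnet {
				out = append(out, Finding{"login-after-bruteforce", subnet, l.user, l.ip})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Kind+out[i].Subnet+out[i].User < out[j].Kind+out[j].Subnet+out[j].User
	})
	return out
}

func main() {
	for _, f := range analyseAuthLog(sampleAuthLog, 5) {
		fmt.Printf("%-22s %-16s %s %s\n", f.Kind, f.Subnet, f.User, f.Source)
	}
}
```

The second finding is the one worth paging on: a burst alone is background noise on any Internet-facing sshd, while a burst followed by an accepted login for the same account from elsewhere means a guess succeeded and the operator has moved to a clean address.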

[Chart: SSH brute force attempts]

SSH Psychos Update

SSHPsychos

VICTORY

• Engaged Level 3 and another major ISP

• Sudden pivot

• Null routed

• Call to action

• Effectively limited

• Downloads blocked by standard technology

IP Address Hijacking

And the problem continues …

BGP Stream (@bgpstream)

Reverse Social Engineering Tech Support Scammers

Tech Support

• Fraudulent actors masquerading as “legitimate” tech support have been on the rise for the past 8 years

• Talos has been monitoring the creation of fake tech support sites to better understand how they operate.

The Setup

“Trojan Virus”

You can listen and watch the entire interaction here: https://youtu.be/toKLOYxVkJM

Tracking the Scammers

• After the call, Talos began investigating who was behind this tech support scam

• Our investigation led us to two individuals

Taking Action

• Talos reached out to the parent company of the VOIP operator to get the number shut down.

• Talos contacted TeamViewer, alerting them of the abuse and reporting the ID used by these scammers.

• Finally, Talos submitted a complaint to the United States Federal Trade Commission (FTC).

Online Advertising

ONLINE ADVERTISING

A big, fat, opportunity

• Ad Injection: rewrite web pages with extra ads

• PUAs: adware downloads

• Clickfraud: hidden frames, with random clicking that generates hits

• Malvertising: a favorite of kits such as Angler; use the ad platform to direct browsers to a compromised server

A major news site: 26 Domains, 39 Hosts, 171 Objects, 557 Connections

Rigging Compromise – RIG EK

Rig EK - Overview

Patching: A Window of Opportunity

Users not moving quickly to the latest Flash versions or applying the patches create an opportunity for Angler and other exploit kits to target the vulnerability.

Rig EK - Findings

Rig EK - Response

Angler Exposed

Overview

• Deep Data Analytics, July 2015

• Telemetry from compromised users

• ~1000 Sandbox Runs

• July 2015: Angler underwent several URL changes; multiple “Hacking Team” 0-days added

• Ended with tons of data

Detection Challenges

• Hashes: found 3,000+ unique hashes; 6% in VT; most detection <10

• Encrypted Payloads: Diffie-Hellman key exchange used to encrypt the IE exploit; unique to each user

• Domain Behaviour: DDNS; adversary-owned domains; hard-coded IP; domain shadowing

Exploit Details

• Adobe Flash: “Hacking Team” 0-days, CVE-2015-5119 and CVE-2015-5122

• IE 10 and 11: JScript9 Memory Corruption Vulnerability, CVE-2015-2419

• IE OLE Vulnerability: CVE-2014-6332

• No JAVA!

[Chart: exploit share by Adobe Flash, CVE-2014-6332, Silverlight]

Findings

• IP Infrastructure: only 10-15 unique IPs hosting Angler daily

• Hosting Information: found 60%+ of Angler activity for the month at two providers, Limestone Networks and Hetzner

• HTTP Referers: found thousands of different Referer headers; malvertising; lots of top websites seen directing to Angler (news sites, real estate, sports, popular culture); redirection from obituaries

Angler Demo

Breakthrough

• Partnered with Limestone Networks: gathered images of systems, network captures

• Level 3: continued collaboration after SSHPsychos; netflow data key to investigation

• Undiscovered findings directly related to the data: proxy server configuration, health monitoring

A Look Inside Angler

Server Details

• NGINX server proxies all traffic to a single back-end exploit server

• Health server monitoring activity: GET request resulting in HTTP 204; ability to pull access logs; ability to remotely delete access logs

• Netflow identified ~150 Angler servers being monitored

• Scope: access log showed 90K unique IPs in 13 hours; massive malvertising campaign, major websites affected
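How the netflow pivot behind these findings can be scripted, as an added example that is neither Talos's nor Level 3's tooling: start from one front-end IP seen in victim telemetry, find the single back-end it proxies to, collect every other host that also sends to that back-end (the other front-ends), then look for a host that initiates small flows to all of them, which is what a health monitor's periodic GET/204 polls look like in flow data. The flow records are constructed in documentation address ranges; picking the back-end by packet count and the "reaches every front-end" monitor heuristic are this example's assumptions, and the latter assumes more front-ends than any one victim ever touches.

```go
package main

import (
	"fmt"
	"sort"
)

type Flow struct {
	Src, Dst string
	Packets  int
}

// Constructed flow records, not the Level 3 data from the talk, in documentation
// ranges only: 198.51.100.0/24 victims, 203.0.113.1-3 suspected NGINX front-ends,
// 192.0.2.10 the back-end, 192.0.2.99 a host that polls every front-end.
var sampleFlows = []Flow{
	{"198.51.100.5", "203.0.113.1", 12},
	{"198.51.100.6", "203.0.113.1", 9},
	{"198.51.100.7", "203.0.113.2", 11},
	{"198.51.100.8", "203.0.113.2", 10},
	{"198.51.100.9", "203.0.113.3", 8},
	{"198.51.100.5", "192.0.2.50", 20}, // unrelated victim traffic
	{"203.0.113.1", "192.0.2.10", 40},
	{"203.0.113.2", "192.0.2.10", 37},
	{"203.0.113.3", "192.0.2.10", 29},
	{"203.0.113.1", "192.0.2.53", 2}, // a front-end's own small outbound flow
	{"192.0.2.99", "203.0.113.1", 2},
	{"192.0.2.99", "203.0.113.2", 2},
	{"192.0.2.99", "203.0.113.3", 2},
}

type Pivot struct {
	BackEnd   string
	FrontEnds []string
	Monitors  []string
}

// pivotFromFrontEnd walks the flows the way the slides describe the setup:
//  1. the back-end is the destination the seed itself sends the most packets to,
//  2. every source sending to that back-end is a front-end (seed included),
//  3. a monitor is a non-front-end host that initiates flows to all front-ends.
func pivotFromFrontEnd(flows []Flow, seed string) Pivot {
	var p Pivot
	outbound := map[string]int{}
	for _, f := range flows {
		if f.Src == seed {
			outbound[f.Dst] += f.Packets
		}
	}
	best := -1
	for dst, n := range outbound {
		if n > best || (n == best && dst < p.BackEnd) {
			p.BackEnd, best = dst, n
		}
	}
	if p.BackEnd == "" {
		return p // seed never appears as a source: nothing to pivot on
	}
	front := map[string]bool{}
	for _, f := range flows {
		if f.Dst == p.BackEnd {
			front[f.Src] = true
		}
	}
	reach := map[string]map[string]bool{} // src -> front-ends it initiates to
	for _, f := range flows {
		if front[f.Dst] && !front[f.Src] {
			if reach[f.Src] == nil {
				reach[f.Src] = map[string]bool{}
			}
			reach[f.Src][f.Dst] = true
		}
	}
	for fe := range front {
		p.FrontEnds = append(p.FrontEnds, fe)
	}
	for src, seen := range reach {
		if len(seen) == len(front) {
			p.Monitors = append(p.Monitors, src)
		}
	}
	sort.Strings(p.FrontEnds)
	sort.Strings(p.Monitors)
	return p
}

func main() {
	fmt.Printf("%+v\n", pivotFromFrontEnd(sampleFlows, "203.0.113.1"))
}
```

On real flow data the monitor step is the one to tune: the health server reappears on a fixed interval with tiny, uniform flows, so adding a periodicity check over the flow timestamps separates it from a scanner that happened to touch every front-end once.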

Proxy & Health Config

Show Me The Money

The Money

Response

• Driven out of Limestone, resulting in significantly lower activity

• Published community rules for front-end & back-end communication

• Blacklisted all servers and all domains

• Working with providers resulted in huge returns

• Exposed the largest Angler actor active on the Internet today

Activity

INTELLIGENCE COMMUNITIES

Talos works to promote collaborative and

thorough understanding of network security

threats through a number of community

programs.

Project Aspis – collaboration between Talos and host providers

• Talos provides expertise and resources to identify major threat actors

• Providers potentially save significant costs in fraudulent charges

• Talos gains real world insight into threats on a global scale, helping us

improve detection and prevention, making the internet safer for everyone

CRETE – collaboration between Talos and participating customers

• Talos provides a FirePower NGIPS sensor to deploy inside the customer network

• Talos gathers data about real world network threats and security issues

• Customers receive leading-edge intel to protect their network

AEGIS – information exchange between Talos and participating members

of the security industry

• Open to partners, customers, and members of the security industry

• Collaborative nexus of intelligence sharing in order to provide better

detection and insight into worldwide threats

talosintel.com

@talossecurity

@jaesonschultz
