atlseccon 2016

Emerging Threats: The State of Cyber Security
Earl Carter / @kungchiu, Threat Researcher, Cisco Talos


About Myself

•  Earl Carter
•  Threat Researcher, Cisco Talos
•  Over 20 Years in Network Security
•  3rd Degree Black Belt, Taekwondo

Cloud to Core Visibility

•  16 BILLION web requests a day
•  600 BILLION email messages a day
•  18.5 BILLION endpoint malware queries a day

Windows 10 Spam

Professional Appearance

•  Talos discovered email campaign
•  Began shortly after Windows 10 release

Payload: CTB-Locker Ransomware

Simple But Effective

Resume Spam Campaign

•  Pretends to be employee resume
•  Short-lived and Effective
•  Includes Zip file attachment

The Infection Chain

Tax Scams Gone International

Overview

•  9 Different Countries
•  English & 3 Other Languages
•  Occurring year round
•  Attacks
   •  HTML Forms & Malicious Attachments
   •  Links to Malicious Sites

Tax Scams Gone International

One Campaign Spanning 3 Countries: US, UK & Canada

Common Subjects

•  Claim your tax refund
•  You are eligible to receive a tax refund
•  Tax Refund Notification
•  Australian Taxation Office tax refund confirmation!
•  Tax Refund New Message Alert!
•  Tax Refund (Ref # 782167) - $687.00 CDN
•  Tax Refund (Ref # 782167) 687.00 GBP
•  Tax Refund (Ref# 782167) $687.00 USD
•  Tilbagebetaling af skat - DKK 7122,00 (Danish: "Tax refund")
•  Skatteåterbäring: 6120.20 SEK (Swedish: "Tax refund")
•  Rimborso fiscale per 2014-2015 (Italian: "Tax refund for 2014-2015")

Interesting IRS Twists

•  IRS Forgiving Debt?
•  Your Identity was Stolen

Impersonating Tax Seminars

Sample Subjects:

•  IRS: Tax and Payroll Updates for 2016
•  Reminder: Annual Tax Update
•  Handling Federal and State Tax Levies With Ease. Register Now!

Attacking SSH Servers

SSHPsychos

•  Brute-force SSH attacks until the password is guessed
•  300K Unique Passwords
•  Login from different address space
•  Drop DDoS Rootkit on server
•  Accounted for 1/3 of all SSH traffic ON THE INTERNET

SSH Brute Force Attempts
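An added detection example (not from the talk or from Talos) for the behaviour described above: counting sshd failed-password lines per source IP and per /24 block, so that a campaign rotating logins through one address space still trips a threshold that no single address reaches. The log lines are constructed and the addresses are placeholders.

```go
package main

import (
	"net"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample sshd log lines (not from the talk); addresses are placeholders.
const sampleAuthLog = `Jul  1 10:00:01 host sshd[1201]: Failed password for root from 10.20.30.40 port 51001 ssh2
Jul  1 10:00:02 host sshd[1202]: Failed password for root from 10.20.30.41 port 51002 ssh2
Jul  1 10:00:02 host sshd[1203]: Failed password for invalid user admin from 10.20.30.42 port 51003 ssh2
Jul  1 10:00:03 host sshd[1204]: Failed password for root from 10.20.30.43 port 51004 ssh2
Jul  1 10:00:03 host sshd[1205]: Failed password for root from 10.20.30.40 port 51005 ssh2
Jul  1 10:00:04 host sshd[1206]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jul  1 10:00:05 host sshd[1207]: Failed password for bob from 192.0.2.10 port 40001 ssh2`

var failedRe = regexp.MustCompile(`Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port`)

// FailedBySource counts failed password attempts per source IP and per /24 block;
// the /24 view is what exposes a campaign that rotates through one address space.
func FailedBySource(log string) (perIP, perBlock map[string]int) {
	perIP, perBlock = map[string]int{}, map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		m := failedRe.FindStringSubmatch(line)
		if m == nil {
			continue // successful logins and unrelated lines are skipped
		}
		ip := net.ParseIP(m[1]).To4()
		if ip == nil {
			continue
		}
		perIP[m[1]]++
		perBlock[ip.Mask(net.CIDRMask(24, 32)).String()+"/24"]++
	}
	return perIP, perBlock
}

// Flag returns the sources whose failure count reaches threshold, sorted for stable output.
func Flag(counts map[string]int, threshold int) []string {
	var out []string
	for src, n := range counts {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}
```

On the sample, a per-IP threshold of 3 flags nothing, while the /24 view flags 10.20.30.0/24 with five failures.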

Collaborating with Level 3

SSHPsychos

ACTION TAKEN:
•  Engaged Level 3… and other providers
•  Sudden Pivot
•  Null Routed
•  Call to Action
•  Effectively Limited

VICTORY: After Action

•  Multiple Pivots
•  Continuous Blocks
•  Group Effort
•  Eventually They Stopped

Angler Exposed

Drive-by Download Attacks

•  The act of downloading something unintentionally, usually malicious
•  No need to click to download
•  Malvertising is a common vector

Malvertising

•  Content varies by system
•  Content varies by user
•  Content varies by visit

Lots of Noise

CNN: 26 Domains, 39 Hosts, 171 Objects, 557 Connections

What is an exploit kit?

•  A software package designed to exploit vulnerable browsers and plugins
•  Blackhole was the first major exploit kit

Monetization of Hacking

There are three main payload types:
•  Ransomware
   •  Cryptowall, Teslacrypt
•  Click-fraud agents
   •  Bedep
•  Miscellaneous
   •  trojans, keyloggers, spyware

Taking a Close Look

•  Deep Data Analytics, July 2015
•  Telemetry from compromised users
•  ~1000 Sandbox Runs
•  July 2015
   •  Angler underwent several URL changes
   •  Multiple "Hacking Team" 0-days added
•  Ended with tons of data

Detection Challenges

•  Hashes
   •  Found 3,000+ Unique Hashes
   •  6% in VT
   •  Most detection <10
•  Encrypted Payloads
   •  Using Diffie-Hellman key exchange to encrypt the IE exploit
   •  Unique to each user
•  Domain Behavior
   •  DDNS
   •  Domain Shadowing
   •  Adversary Owned Domains
   •  Hard Coded IP

Exploit Details

•  "Hacking Team" Adobe Flash 0-days: CVE-2015-5119, CVE-2015-5122
•  IE 10 and 11 JScript9 Memory Corruption Vulnerability: CVE-2015-2419
•  IE OLE Vulnerability: CVE-2014-6332

(Chart of exploits used, by type: Adobe Flash, CVE-2014-6332, Silverlight)

(Charts: Unique Referers; Unique Referers By Day, July 2015; Unique IP Addresses Per Day)

IP Address / ASN Relationship

(Chart: Angler HTTP Requests by Provider, July 2015)

Shutting Down the Source

•  Partnered with Limestone Networks
   •  Angler Infrastructure
•  Level-3
   •  Magnitude and Scale
•  Collaborated with OpenDNS
   •  Visibility into DNS Infrastructure

The Backend Infrastructure

Angler Victims

Potential Revenue

To play with the numbers, please visit: http://talosintel.com/angler-exposed/

CryptoWall Version 4: The Evolution Continues

Overview

•  Notorious ransomware
•  Version 1 first seen in 2014
•  Distributed via Exploit kits and Phishing Emails
•  Fast Evolution

CRYPTOWALL 4.0

File Encryption

(Diagram: a directory of victim files, e.g. 1.jpg, 2.jpg, 3.jpg …; for 1.jpg a temporary AES256 key is generated and the file is encrypted with it; the AES256 key is encrypted with the RSA public key; the output file, shown with a random name such as random.xyz, contains the encrypted AES256 key, other data, and the encrypted 1.jpg.)

Temporary AES key can only be decrypted with the private RSA key
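An added example (not the talk's or Talos's code) of the hybrid scheme the diagram shows, written in Go with the standard library: each file gets its own random AES-256 key, and that key is wrapped with the RSA public key, so the file body can only be recovered by whoever holds the matching private key. The names Seal, Open and EncryptedFile are assumed, AES-GCM is my choice of AES mode (the slide says only AES256), and the container drops the diagram's "other data" field.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile mirrors the slide diagram: file body under a temporary AES-256 key, plus that key wrapped with the RSA public key.
type EncryptedFile struct {
	WrappedKey []byte // temporary AES key encrypted with the RSA public key
	Body       []byte // AES-256-GCM ciphertext of the original file
}

// Fixed nonce: acceptable only because every temporary key encrypts exactly one file.
var zeroNonce = make([]byte, 12)

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key is always 32 bytes here
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts one file: a fresh AES-256 key per file, then the key is wrapped
// with RSA-OAEP so only the holder of the matching private key can unwrap it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{wrapped, aesGCM(key).Seal(nil, zeroNonce, plaintext, nil)}, nil
}

// Open recovers the file: the private RSA key unwraps the temporary AES key,
// which then decrypts the body. The public key alone cannot do this.
func Open(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCM(key).Open(nil, zeroNonce, ef.Body, nil)
}
```

Decrypting with any other private key fails at the OAEP unwrap step, which is exactly why a victim without the operator's private key cannot recover the per-file AES keys.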

Network Communication

(Diagram: message exchange between the CryptoWall malware and the Command and Control server)

•  Malware → C2: Initial announcement to C2
•  C2 → Malware: C2 Server ACK
•  Malware → C2: Request PubKey, TOR domains, PNG wallpaper
•  C2 → Malware: Send PubKey, TOR domains, PNG wallpaper
•  Malware: Verify PubKey and start encrypting files ….
•  Malware → C2: Operation successful. Files encrypted. Done.
•  C2 → Malware: C2 Server ACK

Excluded Local Regions

•  CryptoWall 4 checks local region settings with an undocumented API call
•  The following regions are excluded from infections:
   •  Russian
   •  Kazakh
   •  Ukrainian
   •  Uzbek
   •  Belarusian
   •  Azeri
   •  Armenian
   •  … other Eastern European countries

Excluded Dir/Files/Ext

Extensions: exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
Directories: windows, temp, cache, sample pictures, default pictures, Sample Music, program files, program files (x86), games, sample videos, user account pictures, packages
Files: help_your_files.txt, help_your_files.html, help_your_files.png, thumbs.db

Victims View: Full Localization

Detailed Instructions

SamSam: The Doctor Will See You, After He Pays The Ransom

SamSam Targets Healthcare

•  Exploits JBoss Vulnerability
•  Moves Laterally
•  Targeted Across Organization
•  Used recently against multiple hospitals

Communicating with Threat Actors

Payment Process

Payment Evolution

Summary

•  Exploiting Network Vulnerabilities
   •  JBoss
•  Laterally targets multiple systems
•  Payment is in Bitcoin
•  Obtain Private Key via Blog Comment

Smoke & Mirrors

Rombertik

•  Multiple layers of obfuscation
•  Hooks into user's browser to read credentials & other sensitive info
•  Propagates via spam and phishing

Hard to Detect

Anti-analysis (1)

•  User downloads packed executable.
•  Packed executable performs excessive activity to flood tracing tools.
•  Performs a series of checks to make sure the environment is safe for it to proceed in.
•  Decrypts unpacking shellcode to memory and executes.

Rombertik

ACTION TAKEN:
•  Identify malware
•  Encourage best security practices
•  AMP, CWS, ESA, Network Security, WSA

Hard to Kill

Persistence (2)

•  Checks to see if executable is in desired location, copies to desired location if not.
•  Launches copy from desired location.
•  Decrypts executable (unpacking shellcode).
•  Executable launches self again and overwrites new copy with unpacked executable code.
•  Preparation is complete.

Rombertik

Software Integrity & Nasty Surprises

Rombertik Malicious Behavior (3)

•  Compute 32-bit hash from resource, compare values.
•  If values do not match, encrypt and wipe victim's data.
•  If values match, inject spy code into web browsers (unpacked executable).
•  Send intercepted data to web server.


Angler Exploit Kit Evolves Again

•  Parameter Changes:
   •  New Gate
   •  Registered Domains

URL Changes

Old Format

New Format

New Gate

New Actor

talosintel.com

@TalosSecurity @kungchiu